From mboxrd@z Thu Jan  1 00:00:00 1970
From: Erik Kapfer <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] ovpn_reorganize_encryption: Integrate LZO from global to
 advanced section
Date: Sat, 27 Apr 2019 16:05:51 +0200
Message-ID: <20190427140551.10647-3-ummeegge@ipfire.org>
In-Reply-To: <20190427140551.10647-1-ummeegge@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4712582959486701658=="
List-Id: <development.lists.ipfire.org>

--===============4712582959486701658==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Fixes: #11819

- Since the Voracle vulnerability, LZO is better placed under advanced sectio=
n cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.

Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index d7895e600..c5eac26a9 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -785,6 +785,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}=
) {
     $vpnsettings{'MAX_CLIENTS'} =3D $cgiparams{'MAX_CLIENTS'};
     $vpnsettings{'REDIRECT_GW_DEF1'} =3D $cgiparams{'REDIRECT_GW_DEF1'};
     $vpnsettings{'CLIENT2CLIENT'} =3D $cgiparams{'CLIENT2CLIENT'};
+    $vpnsettings{'COMPLZO'} =3D $cgiparams{'DCOMPLZO'};
     $vpnsettings{'ADDITIONAL_CONFIGS'} =3D $cgiparams{'ADDITIONAL_CONFIGS'};
     $vpnsettings{'DHCP_DOMAIN'} =3D $cgiparams{'DHCP_DOMAIN'};
     $vpnsettings{'DHCP_DNS'} =3D $cgiparams{'DHCP_DNS'};
@@ -2654,6 +2655,9 @@ ADV_ERROR:
     $checked{'REDIRECT_GW_DEF1'}{'off'} =3D '';
     $checked{'REDIRECT_GW_DEF1'}{'on'} =3D '';
     $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} =3D 'CHECKE=
D';
+    $checked{'DCOMPLZO'}{'off'} =3D '';
+    $checked{'DCOMPLZO'}{'on'} =3D '';
+    $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} =3D 'CHECKED';
     $checked{'ADDITIONAL_CONFIGS'}{'off'} =3D '';
     $checked{'ADDITIONAL_CONFIGS'}{'on'} =3D '';
     $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} =3D 'CH=
ECKED';
@@ -2732,7 +2736,7 @@ print <<END;
 	</tr>
=20
 	<tr>
-		<td width=3D'20%'></td> <td width=3D'15%'> </td><td width=3D'15%'> </td><t=
d width=3D'15%'></td><td width=3D'35%'></td>
+		<td width=3D'20%'></td> <td width=3D'15%'> </td><td width=3D'20%'> </td><t=
d width=3D'20%'></td><td width=3D'35%'></td>
 	</tr>
=20
 	<tr>
@@ -2745,6 +2749,11 @@ print <<END;
 		<td><input type=3D'checkbox' name=3D'REDIRECT_GW_DEF1' $checked{'REDIRECT_=
GW_DEF1'}{'on'} /></td>
 	</tr>
=20
+    <tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'comp-lzo'}</td>
+        <td><input type=3D'checkbox' name=3D'DCOMPLZO' $checked{'DCOMPLZO'}{=
'on'} /></td>
+        <td>$Lang::tr{'openvpn default'}: off <font color=3D'red'>($Lang::tr=
{'attention'} exploitable via Voracle)</font></td>
+    </tr>
+
 	<tr>
 		<td class=3D'base'>$Lang::tr{'ovpn add conf'}</td>
 		<td><input type=3D'checkbox' name=3D'ADDITIONAL_CONFIGS' $checked{'ADDITIO=
NAL_CONFIGS'}{'on'} /></td>
@@ -5248,8 +5257,6 @@ END
 				<option value=3D'CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC =
(128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
-    <tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'comp-lzo'}</td>
-        <td><input type=3D'checkbox' name=3D'DCOMPLZO' $checked{'DCOMPLZO'}{=
'on'} /></td>
 	</tr>
=20
     <tr><td colspan=3D'4'><br></td></tr>
--=20
2.12.2


--===============4712582959486701658==--