Development January 2021

development@lists.ipfire.org

18 participants
78 discussions

[PATCH] BUG11695: Adding/editing rules with preset broken
by Alexander Marx 15 Jul '21

15 Jul '21

added another check to fill same ports in source and destination when a custom service is selected. Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> Reported-by: erik(a)vanlinsteeict.nl --- html/cgi-bin/firewall.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 499f279..d17afab 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -757,6 +757,7 @@ sub checkrule } } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'cust_srv'){$fwdfwsettings{'dnatport'}=$custsrvport;} } #check if DNAT port is multiple if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ -- 2.7.4

3 2

[PATCH] python3-msgpack: update to 1.0.0
by Peter Müller 04 Jun '21

04 Jun '21

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/packages/python3-msgpack | 14 +++++++------- lfs/python3-msgpack | 10 +++++----- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/config/rootfiles/packages/python3-msgpack b/config/rootfiles/packages/python3-msgpack index a25f071b8..b82cd4faf 100644 --- a/config/rootfiles/packages/python3-msgpack +++ b/config/rootfiles/packages/python3-msgpack @@ -1,12 +1,12 @@ #usr/lib/python3.8/site-packages/msgpack +#usr/lib/python3.8/site-packages/msgpack-1.0.0-py3.8.egg-info +#usr/lib/python3.8/site-packages/msgpack-1.0.0-py3.8.egg-info/PKG-INFO +#usr/lib/python3.8/site-packages/msgpack-1.0.0-py3.8.egg-info/SOURCES.txt +#usr/lib/python3.8/site-packages/msgpack-1.0.0-py3.8.egg-info/dependency_links.txt +#usr/lib/python3.8/site-packages/msgpack-1.0.0-py3.8.egg-info/top_level.txt usr/lib/python3.8/site-packages/msgpack/__init__.py -usr/lib/python3.8/site-packages/msgpack/_packer.cpython-38-MACHINE-linux-gnu.so -usr/lib/python3.8/site-packages/msgpack/_unpacker.cpython-38-MACHINE-linux-gnu.so +usr/lib/python3.8/site-packages/msgpack/_cmsgpack.cpython-38-MACHINE-linux-gnu.so usr/lib/python3.8/site-packages/msgpack/_version.py usr/lib/python3.8/site-packages/msgpack/exceptions.py +usr/lib/python3.8/site-packages/msgpack/ext.py usr/lib/python3.8/site-packages/msgpack/fallback.py -#usr/lib/python3.8/site-packages/msgpack_python-0.5.6-py3.8.egg-info -#usr/lib/python3.8/site-packages/msgpack_python-0.5.6-py3.8.egg-info/PKG-INFO -#usr/lib/python3.8/site-packages/msgpack_python-0.5.6-py3.8.egg-info/SOURCES.txt -#usr/lib/python3.8/site-packages/msgpack_python-0.5.6-py3.8.egg-info/dependency_links.txt -#usr/lib/python3.8/site-packages/msgpack_python-0.5.6-py3.8.egg-info/top_level.txt diff --git a/lfs/python3-msgpack b/lfs/python3-msgpack index dc764f5b3..5f539eda3 100644 --- a/lfs/python3-msgpack +++ b/lfs/python3-msgpack @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,15 +24,15 @@ include Config -VER = 0.5.6 +VER = 1.0.0 -THISAPP = msgpack-python-$(VER) +THISAPP = msgpack-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = python3-msgpack -PAK_VER = 2 +PAK_VER = 3 DEPS = @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6d644c06a87a5a111bbbf5b34b4be440 +$(DL_FILE)_MD5 = c35ee8f991dad3969884e9585e56ebba install : $(TARGET) -- 2.26.1

2 2

Question regarding legitimate loading of kernel modules during runtime
by Peter Müller 06 Apr '21

06 Apr '21

Hello development folks, just to make sure I am not about to submit another breaking patch: Is there any legitimate reason why a non-privileged user shall load kernel modules on an IPFire machine during its runtime? Personally, I am only aware of some connection tracking stuff, but these require a reboot, thus being out of scope. Unless I overlooked something else, I would like to file a patch turning dev.tty.ldisc_autoload to 0. :-) (Further information is available at https://lkml.org/lkml/2019/4/15/890) Thanks, and best regards, Peter Müller

2 6

[PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
by Peter Müller 06 Apr '21

06 Apr '21

This is recommended by the Kernel Self Protection Project, and although we do not take advantage of the BPF JIT at this time, we should set this nevertheless in order to avoid potential security vulnerabilities. Fixes: #12384 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..3f4c828f9 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1 +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000 -- 2.26.2

2 4

[PATCH] dhcpcd: Update to 9.4.0
by Matthias Fischer 15 Mar '21

15 Mar '21

For details see: https://roy.marples.name/archives/dhcpcd-discuss/0003420.html Former patch for Bug #12552 is now included. Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/dhcpcd | 7 ++-- ...r_SECCOMP_as_it_just_uses_socketcall.patch | 36 ------------------- 2 files changed, 2 insertions(+), 41 deletions(-) delete mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch diff --git a/lfs/dhcpcd b/lfs/dhcpcd index 4e34e19d5..352308692 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd @@ -24,7 +24,7 @@ include Config -VER = 9.3.4 +VER = 9.4.0 THISAPP = dhcpcd-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = badb02dfc69fe9bbeec35a02efcdb4db +$(DL_FILE)_MD5 = c36715fc629bc40aa94aae06fa1724c2 install : $(TARGET) @@ -70,9 +70,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch - cd $(DIR_APP) && ./configure --prefix="" --sysconfdir=/var/ipfire/dhcpc \ --dbdir=/var/ipfire/dhcpc \ --libexecdir=/var/ipfire/dhcpc \ diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch deleted file mode 100644 index 9efcde219..000000000 --- a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff --git a/src/privsep-linux.c b/src/privsep-linux.c -index 050a30cf..d31d720d 100644 ---- a/src/privsep-linux.c -+++ b/src/privsep-linux.c -@@ -32,6 +32,7 @@ - - #include <linux/audit.h> - #include <linux/filter.h> -+#include <linux/net.h> - #include <linux/seccomp.h> - #include <linux/sockios.h> - -@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = { - #ifdef __NR_sendto - SECCOMP_ALLOW(__NR_sendto), - #endif -+#ifdef __NR_socketcall -+ /* i386 needs this and demonstrates why SECCOMP -+ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4) -+ * as this is soooo tied to the kernel API which changes per arch -+ * and likely libc as well. */ -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */ -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), -+#endif - #ifdef __NR_shutdown - SECCOMP_ALLOW(__NR_shutdown), - #endif -- 2.18.0

3 2

[PATCH 1/3] OpenVPN: Introduce advanced encryption section
by ummeegge 09 Mar '21

09 Mar '21

- The whole crypto section has been outsorted from the global section to an extra page. - Since --cipher is deprecated and will be handled via --data-cipher-fallback, the VAR name and the index has been kept but renamed from --cipher to --data-cipher-fallback. Old default AES-256-CBC has also been kept. - The new directive --data-ciphers has been introduced for RWs which negotiates now between the GCM family and the new CHACHA20-POLY1305. All ciphers can be combined. - The new directive --data-ciphers substitutes --ncp-disable, there --ncp-disable has been removed which fixes the deprecation warning in the updated OpenVPN-2.5.0. - While client generation the client version can be set which enables, if client is >=2.5.0 a full cipher negotiation. Existing clients can also subsequently be enhanced via edit. - The new ciphers and HMACs as been completely integrated into N2N environment without further modification. Code for update process via update.sh needs to be integrated: /usr/local/bin/openvpnctrl -k > /dev/null if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf fi /usr/local/bin/openvpnctrl -s > /dev/null Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 330 ++++++++++++++++++++++++++++---------- langs/de/cgi-bin/de.pl | 11 +- langs/en/cgi-bin/en.pl | 11 +- 3 files changed, 269 insertions(+), 83 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 68a70d147..fc4c6193a 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -75,6 +75,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my @advcipherchar=(); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -98,6 +99,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -325,8 +327,16 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n"; + + # Data channel encryption + # Set seperator for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + # Add also algorithm from --cipher directive + if ($sovpnsettings{'DATACIPHERS'} ne '') { + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -911,6 +921,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { &writeserverconf();#hier ok } +### +### Save Advanced encryption +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + + $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + + # --data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ENC_ERROR; + } + + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); + &writeserverconf(); +} + +### End Save advanced encryption + ### # m.a.d net2net ### @@ -982,10 +1014,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print SERVERCONF unless "# HMAC algorithm\n"; print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1087,10 +1120,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1214,7 +1248,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable @@ -2344,7 +2377,15 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + } else { + print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2859,7 +2900,169 @@ END &Header::closebigbox(); &Header::closepage(); exit(0); - + +### +### Advanced encryption settings +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) { + %cgiparams = (); + %confighash = (); + my @temp=(); + my $disabled; + &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); + + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } + } + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + +ADV_ENC_ERROR: + + # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] + } + $checked{'DCIPHER'}{'AES-256-CBC'} = ''; + $checked{'DCIPHER'}{'AES-192-CBC'} = ''; + $checked{'DCIPHER'}{'AES-128-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $checked{'DCIPHER'}{'SEED-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $checked{'DCIPHER'}{'DESX-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $checked{'DCIPHER'}{'BF-CBC'} = ''; + $checked{'DCIPHER'}{'CAST5-CBC'} = ''; + @temp = split('\|', $cgiparams{'DCIPHER'}); + foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; } + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42]; + } + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + @temp = split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + # Save settings and display default if not configured + if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; + $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + } else { + $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; + $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + } + +ADV_ENC_ERROR: + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + } + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + &Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:"); + print<<END + + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + + <table width='100%'> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn data channel'}</th> + <th>$Lang::tr{'ovpn data channel fallback'}</th> + </tr> + </thead> + <tbody> + <tr> + <td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td> + <td class='boldbase'> + <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option> + <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> + </select> + </td> + + <td class='boldbase'> + <select name='DCIPHER' size='6' style='width: 100%'> + <option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option> + <option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option> + <option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option> + <option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + </td> + </tr> + </tbody> + </table> + <hr> +END +; + if ( -e "/var/run/openvpn.pid") { + print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>"; + print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } else { + print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } + + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + +### END advanced encryption # A.Marx CCD Add,delete or edit CCD net @@ -3595,6 +3798,8 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + # Index from [39] to [44] has been reserved by advanced encryption + $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -4338,6 +4543,8 @@ if ($cgiparams{'TYPE'} eq 'net') { if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { $confighash{$key}[41] = "no-pass"; } + # Index from [39] to [44] has been reserved by advanced encryption + $confighash{$key}[45] = $cgiparams{'CLIENTVERSION'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -4508,28 +4715,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - # If no cipher has been chossen yet, select - # the old default (AES-256-CBC) for compatiblity reasons. - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -4595,11 +4780,12 @@ if ($cgiparams{'TYPE'} eq 'net') { print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>"; } - # If GCM ciphers are in usage, HMAC menu is disabled + # If AEAD ciphers are in usage, HMAC menu is disabled my $hmacdisabled; if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || - ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) { $hmacdisabled = "disabled='disabled'"; }; @@ -4673,9 +4859,10 @@ if ($cgiparams{'TYPE'} eq 'net') { <tr><td class='boldbase'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER' id="n2ncipher" required> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> + <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option> + <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> + <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> + <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> @@ -4693,10 +4880,15 @@ if ($cgiparams{'TYPE'} eq 'net') { <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td> <td><select name='DAUTH' id="n2nhmac" $hmacdisabled> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> + <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> @@ -4713,7 +4905,7 @@ print<<END; <script> var disable_options = false; document.getElementById('n2ncipher').onchange = function () { - if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) { document.getElementById('n2nhmac').setAttribute('disabled', true); } else { document.getElementById('n2nhmac').removeAttribute('disabled'); @@ -4749,6 +4941,7 @@ if ($cgiparams{'TYPE'} eq 'host') { print"</td></tr></table><br><br>"; my $name=$cgiparams{'CHECK1'}; $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED'; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; if (! -z "${General::swroot}/ovpn/ccd.conf"){ print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>"; @@ -4884,7 +5077,13 @@ if ($cgiparams{'TYPE'} eq 'host') { print <<END; <table border='0' width='100%'> - <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + + <tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + <tr> + <td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td> + <td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} /> + <font color='red'> $Lang::tr{'ovpn client version 25 warning'}</font></td> + </tr> <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr> <tr><td colspan='4'>&nbsp</td></tr> <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'> @@ -5061,9 +5260,6 @@ END } #default setzen - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; } @@ -5105,24 +5301,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5138,6 +5316,13 @@ END $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; + if ($cgiparams{'CLIENTVERSION'} = '' ) { + $cgiparams{'CLIENTVERSION'} = 'off'; + } + $checked{'CLIENTVERSION'}{'off'} = ''; + $checked{'CLIENTVERSION'}{'on'} = ''; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; + # m.a.d $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; @@ -5245,26 +5430,6 @@ END <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - - <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td> - <td><select name='DCIPHER'> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> - <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option> - <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option> - <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option> - <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option> - <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - </td> </tr> <tr><td colspan='4'><br></td></tr> @@ -5280,12 +5445,14 @@ END if ( $srunning eq "yes" ) { print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; - print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>"; } else{ print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && -e "${General::swroot}/ovpn/ca/dh1024.pem" && -e "${General::swroot}/ovpn/certs/servercert.pem" && @@ -5818,3 +5985,4 @@ END &Header::closepage(); + diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2fb46e741..614f8a16c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1901,10 +1901,17 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung', +'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln', +'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', +'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', @@ -1913,6 +1920,7 @@ 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', @@ -2163,6 +2171,7 @@ 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden', 'save settings' => 'Einstellungen speichern', 'save-adv-options' => 'Erweiterte Optionen speichern', +'save-enc-options' => 'Kryptografie Optionen speichern', 'script name' => 'Skriptname:', 'search' => 'Suchen', 'secondary dns' => 'Sekundärer DNS-Server:', @@ -2853,7 +2862,7 @@ 'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', -'vpn weak' => 'schwach', +'vpn weak' => 'Unsicher', 'vulnerability' => 'Verwundbarkeit', 'vulnerable' => 'Verwundbar', 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b5284effa..714d7c81e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1933,10 +1933,17 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Advanced encryption settings', +'ovpn client version 25 cipher negotiation' => 'Negotiate encryption', +'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel authentication' => 'Data and channel authentication', +'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', @@ -1945,6 +1952,7 @@ 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', @@ -2196,6 +2204,7 @@ 'save error' => 'Unable to save configuration archive file', 'save settings' => 'Save settings', 'save-adv-options' => 'Save advanced options', +'save-enc-options' => 'Save encryption options', 'script name' => 'Script name:', 'search' => 'Search', 'secondary dns' => 'Secondary DNS:', @@ -2897,7 +2906,7 @@ 'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', -'vpn weak' => 'Weak', +'vpn weak' => 'Insecure', 'vulnerability' => 'Vulnerability', 'vulnerable' => 'Vulnerable', 'waiting to synchronize clock' => 'Waiting to synchronize clock', -- 2.20.1

6 24

Pending patches for upcoming Core Update 154
by Peter Müller 05 Feb '21

05 Feb '21

Hello *, to avoid redundancies: I am currently working on Postfix 3.5.9 and (more important) sudo 1.9.5p2 for upcoming Core Update 154. Both fix some security issues; I am pretty sure you have heard of CVE-2021-3156 affecting the latter by now. There might be some minor stuff (USB/PCI database files, etc.) to do as well, but I have not checked that, yet. :-) Thanks, and best regards, Peter Müller

5 22

Problem with updating ddrescue addon
by Adolf Belka 02 Feb '21

02 Feb '21

Hallo all, I saw that ddrescue addon was a version from 2010 so I thought it was about time to be updated. However since 2013 gnu has only been using lzip for the tarballs and stopped providing gzip versions. IPFire does not have lzip available at the moment. The options seem to me to be:- - remove ddrescue from the addon list - leave ddrescue at the 2010 version - v1.12 - update ddrescue to the last .gz tarball version in 2012 - v1.16 - build lzip into the IPFire build system and update to latest ddrescue version from March 2020 - v1.25 should it go into the toolchain where the other compression packages seem to be (how to do that?) should it go into the build part of IPFire Looking through the changelog from v1.13 to 1.25 there are a lot of new options added but also some changes to the code itself that look to be fixing problems. I can't easily see how important these are. No changes have been marked as critical bug fixes or even marked as a bug fix. My view would be to update to the latest version or remove ddrescue from the addons, as 11 years old seems a long time in computing terms. I am open to taking any guidance on the best approach for this. Regards, Adolf.

2 3

For information - changed rootfiles found for linux and samba
by Adolf Belka 01 Feb '21

01 Feb '21

Hi all, I have been updating some packages and while doing that I am continuously seeing two messages about rootfile changes for packages I have not worked on. In all cases I have run a git pull before doing the builds. The messages are:- Checking Logfiles for new Files Changes in linux-4.14.212-ipfire check rootfile! Changes in samba-4.13.1 check rootfile! For Linux there is the following additional line in the logfile +lib/modules/4.14.212-ipfire/modules.builtin.alias.bin For Samba here is the following additional line in the logfile +var/ipfire/samba/samba-change-password Are these missing in the builds for these packages or do I have something wrong in my build setup Regards, Adolf.

3 3

[PATCH] libseccomp: update to 2.5.1
by Peter Müller 31 Jan '21

31 Jan '21

Release notes as per https://github.com/seccomp/libseccomp/releases/tag/v2.5.1: Version 2.5.1 - November 20, 2020 Fix a bug where seccomp_load() could only be called once Change the notification fd handling to only request a notification fd if the filter has a _NOTIFY action Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage Clarify the maintainers' GPG keys Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/packages/libseccomp | 8 +++++++- lfs/libseccomp | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/packages/libseccomp b/config/rootfiles/packages/libseccomp index 214c14328..fb0b35d31 100644 --- a/config/rootfiles/packages/libseccomp +++ b/config/rootfiles/packages/libseccomp @@ -4,7 +4,7 @@ usr/bin/scmp_sys_resolver #usr/lib/libseccomp.la #usr/lib/libseccomp.so usr/lib/libseccomp.so.2 -usr/lib/libseccomp.so.2.4.4 +usr/lib/libseccomp.so.2.5.1 #usr/lib/pkgconfig/libseccomp.pc #usr/share/man/man1/scmp_sys_resolver.1 #usr/share/man/man3/seccomp_api_get.3 @@ -21,6 +21,12 @@ usr/lib/libseccomp.so.2.4.4 #usr/share/man/man3/seccomp_init.3 #usr/share/man/man3/seccomp_load.3 #usr/share/man/man3/seccomp_merge.3 +#usr/share/man/man3/seccomp_notify_alloc.3 +#usr/share/man/man3/seccomp_notify_fd.3 +#usr/share/man/man3/seccomp_notify_free.3 +#usr/share/man/man3/seccomp_notify_id_valid.3 +#usr/share/man/man3/seccomp_notify_receive.3 +#usr/share/man/man3/seccomp_notify_respond.3 #usr/share/man/man3/seccomp_release.3 #usr/share/man/man3/seccomp_reset.3 #usr/share/man/man3/seccomp_rule_add.3 diff --git a/lfs/libseccomp b/lfs/libseccomp index b04fda5de..38d7a7dde 100644 --- a/lfs/libseccomp +++ b/lfs/libseccomp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.4.4 +VER = 2.5.1 THISAPP = libseccomp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = libseccomp -PAK_VER = 4 +PAK_VER = 5 DEPS = @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 05013a9e372f822f41ac4cb3f18703c0 +$(DL_FILE)_MD5 = 59f5563c532d3fa1df9db0516b36b1cd install : $(TARGET) -- 2.26.2

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development January 2021