- At long last I have re-visited the patch submission for bug #11048 and fixed the issues that caused the problems last time I evaluated it in Testing. - The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig. - The same block of code is also used for when the connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password. - This fix enters no-pass if the connection type is host and the password is null, pass if the connection type is host and the password has characters. If the connection type is net then no-pass is used as net2net connections do not have encrypted certificates. - The code has been changed to show a different icon for unencrypted and encrypted certificates. - Separate patches are provided for the language file change, the provision of a new icon and the code for the update.sh script for the Core Update to update all existing connections, if any exist, to have either pass or no-pass in index 41. - This patch set was a joint collaboration between Erik Kapfer and Adolf Belka - Patch set, including the code for the Core Update 180 update.sh script has been tested on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 31 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5afe54f55..eb89c5095 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
 $confighash{$key}[39] = $cgiparams{'DAUTH'};
 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
- if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
- $confighash{$key}[41] = "no-pass";
- }
+ if ($confighash{$key}[41] eq "") {
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
+ $confighash{$key}[41] = "pass";
+ } elsif ($cgiparams{'TYPE'} eq 'net') {
+ $confighash{$key}[41] = "no-pass";
+ }
+ }
 $confighash{$key}[42] = 'HOTP/T30/6';
 $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
@@ -5512,20 +5518,24 @@ END
 }
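Review bot: The new outer guard `if ($confighash{$key}[41] eq "")` carries no comment saying why a stored value must never be overwritten, and the reason is not visible in the code. I would add above it `# CERT_PASS1 is only filled in when the connection is created; on edit it is empty, so keep the stored flag`. The flag records what was typed into the form rather than the state of the generated PKCS#12 file, and the download icon further down is chosen from this value alone, so the comment should say that as well. The enclosing block starts and ends outside the hunk.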
- print <<END;
- <td align='center' $col1>$active</td>
+ if ($confighash{$key}[41] eq "pass") {
+ print <<END;
+ <td align='center' $col1>$active</td>
- <form method='post' name='frm${key}a'><td align='center' $col>
- <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
- <input type='hidden' name='KEY' value='$key' />
- </td></form>
+ <form method='post' name='frm${key}a'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
+ alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='secure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
 END
- ;
- if ($confighash{$key}[41] eq "no-pass") { + ; } elsif ($confighash{$key}[41] eq "no-pass") { print <<END; - <form method='post' name='frm${key}g'><td align='center' $col> + <td align='center' $col1>$active</td> + + <form method='post' name='frm${key}a'><td align='center' $col> <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' /> @@ -5533,7 +5543,7 @@ END <input type='hidden' name='KEY' value='$key' /> </td></form> END - } else { + ; } else { print "<td $col> </td>"; }
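Review bot: The status cell `<td align='center' $col1>$active</td>` is now printed only inside the `pass` and `no-pass` branches, so the final `else` emits a single empty cell and that row loses both its connection status and its download button. Any entry whose index 41 is empty or holds another value (for example one the update script did not rewrite) would render that way. Printing the cell once before the `if`, as the old code did, keeps it for all three branches: `print "<td align='center' $col1>$active</td>";`. The encrypted and insecure forms now share the name `frm${key}a`, which is harmless while only one of them is rendered per row. The enclosing block starts and ends outside these hunks.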
@@ -5609,30 +5619,33 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { print <<END; - <table border='0'> - <tr> + <table width='85%' border='0'> + <tr> <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/openvpn.png' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'dl client arch insecure'}</td> + <td> <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'dl client arch'}</td> <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td> + <td class='base'>$Lang::tr{'show otp qrcode'}</td> + </tr> + <tr> + <td> </td> + <td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + <td> <img src='/images/off.gif' alt='?OFF' /></td> + <td class='base'>$Lang::tr{'click to enable'}</td> + <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> + <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> <td class='base'>$Lang::tr{'edit'}</td> <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> <td class='base'>$Lang::tr{'remove'}</td> - </tr> - <tr> - <td> </td> - <td> <img src='/images/off.gif' alt='?OFF' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - <td> <img src='/images/openvpn.png' alt='?RELOAD'/></td> - <td class='base'>$Lang::tr{'dl client arch'}</td> - <td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td> - <td class='base'>$Lang::tr{'show otp qrcode'}</td> - </tr> - 
</table><br> + </tr> + </table><br> END ; }
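Review bot: Both download icons in the legend carry the same placeholder `alt='?RELOAD'`, so without images the encrypted and the insecure entry cannot be told apart. Neighbouring cells already use their label as alt text, and the same works here: `alt='$Lang::tr{'dl client arch insecure'}'` for `openvpn.png` and `alt='$Lang::tr{'dl client arch'}'` for `openvpn_encrypted.png`.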
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- langs/de/cgi-bin/de.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 0c2f1af53..140806130 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -818,7 +818,7 @@
 'display hostname in window title' => 'Hostname im Fenstertitel anzeigen',
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
-'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch' => 'Verschlüsseltes Client Paket herunterladen (zip)',
 'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- langs/en/cgi-bin/en.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 90d6f7739..7bbf7cd32 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,7 +859,7 @@
 'display hostname in window title' => 'Display hostname in window title',
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
-'dl client arch' => 'Download Client Package (zip)',
+'dl client arch' => 'Download Encrypted Client Package (zip)',
 'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- langs/nl/cgi-bin/nl.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 4da924a74..898d42d28 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -731,7 +731,8 @@
 'display hostname in window title' => 'Toon hostnaam in venstertitel',
 'display traffic at home' => 'Toon netwerkverkeer op startpagina',
 'display webinterface effects' => 'Activeer effecten',
-'dl client arch' => 'Download clientpakket (zip)',
+'dl client arch' => 'Download versleuteld clientpakket (zip)',
+'dl client arch insecure' => 'Download onveilig clientpakket (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuratie',
 'dmz pinhole rule added' => 'DMZ pinhole regel toegevoegd; DMZ regel wordt herstart.',
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png - The license for this image is the following:- This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See version 2.1 and version 3 of the GNU Lesser General Public License for more details. - Based on the above license I believe it can be used by IPFire covered by the GNU General Public License that is used for it. - The icon image was made by taking the existing openvpn.png file and superimposing the padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/common/web-user-interface | 1 + html/html/images/openvpn_encrypted.png | Bin 0 -> 7004 bytes 2 files changed, 1 insertion(+) create mode 100644 html/html/images/openvpn_encrypted.png
diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index 52f879d35..6c2a40cc2 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -235,6 +235,7 @@ srv/web/ipfire/html/images/off.gif
 srv/web/ipfire/html/images/on.gif
 srv/web/ipfire/html/images/openvpn.gif
 srv/web/ipfire/html/images/openvpn.png
+srv/web/ipfire/html/images/openvpn_encrypted.png
 srv/web/ipfire/html/images/package-x-generic.png
 srv/web/ipfire/html/images/printer-error.png
 srv/web/ipfire/html/images/printer.png
diff --git a/html/html/images/openvpn_encrypted.png b/html/html/images/openvpn_encrypted.png new file mode 100644 index 0000000000000000000000000000000000000000..873c6c46113df0b973022c9c0f3a01cba19c0fbd GIT binary patch literal 7004 zcmeHKc{J4h_aFOO_9gXbnigAQHq4kzw!tXMmaH)=BQwLyFry?{LbM1GQiyih+AL9) z$W{_XNGVHsEM-gb`%q6$&+qp==XaiSe!u^kIiKym?|r@Reck)M=lzbe+hw&%QcV&B z0<E$p;2nUc?D8cp3f$L!S|S3ETL+w6xDG@fIDpNf(fz4lZb$$XOy$#QAP~RX)6R5t z4OqH-Na>(ig!z#n_^qUwNZjFklfBAuwQ*3fQ*S?oHReWBRZeQLs6EL8bvrK$yB<tN zWqdhnm8-Cob1$}9&gE&3Q%qQ^t%}Aq{3J~;wTH8L3T*Zbr568$sVF`}blS2WOWeLM zXjpBYcWPJs&YlDJWQ-<LX9!AW7;igT^#Y_+$f>izpU`1%ZnMj!y61AJ!0SJ4j!8q` zxPd^DSh~5not-a>%i{R50>IYh=6{6(1dw^|4A04_OF5>kl6N4x1+J)NK3=&BT#3HY zjwhzA@zxYtjnXUHkRvE(ffrUXjev+I9EB7?jzx!iKTtmfzEJC}Xm1~aDt6|+dsms7 z+P~iC(Ejt4vpApeL!D)yQx%K%D!49^;d)u&>)*WFaWdgpK6ybvdIBWW4Dv2Uq6E!w zHQ|Kq>denJi3)QN@o+S+RtJPWUJ*IWomjF?PkEpc+b$gUBBG^{5_i|G_R7l$>7qlH zwH<Sch#F1ACkrvfqKY&Hm6sDGZIEs8XV2A><6T1EO9!jDH{&3E>6-^*RVP&f?UhrL zpl{qEoi<AOffiq#*JacbX@cR9xG}-iI@Y!MkS&unX0PxSilB8`lR77sj)`QhJ2L0M z99eTOlu0@rUeMH@oAI(6Ioy}|(dmSVw_+_N4?gc-=6=9UG$~c8`pr4xot7T%WtST| zX}3E&E#KGEyp%?(nBQ#U4we&cMi|dZ=S&|eT1@defCDAC+B1Sfi|WQjE|5{6soAO* zdNP7wtx@-d>b<ksaYLJ}!3~8dL}P2K!F#q#{hNqy*-Il6=+Dn*6Y563Y0C7TOR84P zmmGdmR@CnJEIRZ6O*E-4d+lOK>{8%suk$tVsHExv4nHS0;AwJTNL)_vrxzXq=yO&> zQ{NmFmWVITmtwjg_G;S&{H`NTsa+5p?AjilBP$@!F)0;Ve2P9Cijl3V5Pu$5cW-Iy zaDT}|>YL3;8FPlM&`k-g@>3<sv$bvV7X$<dg4%W<Z4;qk!HwRl{ljqqqUzNu!Vz#; z5oZBqf*?Iyrr31*3-Mzn5-$XTBmL~8)Jzn71vE^=FspRKn_gq@3NRzZyoD1YhrC5A z1U|_M6E`67M-;((2vW%K<_)5Q;vpvA?8FsC>P+KgW#rA~pKQ4-tQ~VT8+%#ei#k@s zGrYho@(IpYF+CzIrmsfaCgMsV^7^WbYUvjuGm$l~Qvx6rYORq{17iV79y04Adj_N? 
zg60g21dU^S<icg;)N+ohZji2BC4tXL6plK1-TYYMj*IGa)3Q_h2Dcz1Y&MSDsVa(C zSgpzaXy14Fou;y%zTY2L755y+M)+AxUts1~+M_P-_C>l$Fv4$}FI?F8G;Y|RD_17p z8_P8JGV8ZIncMFTS5>nVBS%iw<B6vc`{8+Mi)qfyA<bZ#G%CK1q*N&CBIXZ16Q|@I zUwE+SQQ=Ub`HR4h?(5_(9YZ||d6N@p<RMTX&r{?nqoXpaTi)hPxbe4zg0qgd)uj%s zo$#C!_=*Y30^2^>fRTMD-WYW}O503oKz?AufKnpCNuygnGS1_TC`oA&GbtIEJa=M~ zdAr8FL=wTQJ-D6N9@36$*Fm1WZX3MCDoJE;Y;enz#T0qUUE)|&QPfFccTy$(IKI60 zRIQYC#l<rh;|H}HjT(0}CY=^K{mg-{#n3`)<#%AOs9kY%sBtK1SEQpxOh)uZ97b~6 z_vUF(3z6MOb)^4Uv$N(%6>7bvxJBd}OQOAjy_#mK=36J}Ju#!^w)to5s&Z!>eJE54 zlv+dOQ1(;W8csZsO*d$XIkQ72_uPfv?8;QfGn~Y?4UDAyiEB@1BzZx`x3(q1&ahId zpiBFX6uizpl~d@LZ9b3)*<tU6a6!0FhQHZdH?p~7^UO|{oySr$UD#d{&h2|8?cH*@ zge$x0&aM_OcN&_9+?=v_M^{QeR<fgbNAzRY6s<kSuI6g*y=69?If^RV+8dp<<7Uq6 z6Q7Rcj*90|enEbVexF9MqfO7HI^3VHr_1W8s!6CRsr9O%(yyiqq|c|fq|e@(aFf2V z=?2cN(v8!N?Uw6yFWpwE5i}SS%AMk-2dR&q4m!u(`=RqgUwh3k;<Ll&nGd~BVy16= zPWrt6vzWBE(0-wU2Vs$>=B3#;HnbJ?1-yu*43d(m9sYWLHmDi2F8oh;7%_(~&nSL& zv1>5tN(%idJ#s_{wFc!?B3PnZ(%&-O;`(0y{hh51%2~=EpjhZWH#HabRvDMRTRAQw zE{vkl+h2Sc<d!?kqO9VlrEw)MeNfF8kP)hR2|BlZ-S_rP-@e4?f9cvI@p0FSMH-88 zo^-e)jD4lmp|$;J9(ncXYMU5rjGR>&IrFXQBRLIyjeN(-X9_;6d~S1cKSjl7?JRCW zq^cC;7ld{hbQz+z-MPga>XqZcW=XSQGHXu0Q-7|0689XZfXl%7R9vs<<e!_hJh%`t z{#kv-eug-&H{U$hJy$S2Ho0*=`pcdL++^46&;n1STHwAwxuCl4Gq-y8PC0SGLxMb! 
z?UL;hZhw3x!?$2G?{1l+$GQ^22rSLbdIq0;hcn<^g~f$pO+l$rsl1q-M;}F@quVU* zS|wX0;M4I1$1BwHRO^n9Ce&NTSfMT33MO2N4%YD#_So1rpG(2&aGdvf=H1l}dVbcW z(S`Q05ySPszj}ICrrCss;~4a5gn50HZaRJ|W;%1MxxjmO;5y8^%sAngsHvz%d`zup zoTK$F>lEu}9%!ciEVY=&W=whP@P0gy9NiJy(W&R*=FzQ{B@K)2N-8*=m9#yLc*;H* zQQXa({_{C1)Hsa1CHWq*#L+})(PmmAC^{oL*Y$*}zALMwreybf!q5c!3wxS#=iRQs zkoSkmMQ<IwmA}mkdYJre*e&%|(1!~_lOM{u_Fsp27~g-ezb5f`)N!q~hqd8QO&GsY zi{!XBn>}#!VNuJzjEwkA$L1_*+&|vwU|KNVF~|C8MU3&=yX!u_*}pk|bIRuRJ6!X+ z?jsiRM>C?wBzhK_t~agzSpD(!*xiz6^r1xd$W+Btk*7d;x6ZIqozhL-qd)Jv(Oq53 zV+yVA`doZmb(M4TecvAkjh!_1^cMu)p!Z%XW%b;@xA<|<Tr5+jv_re=OvioW1|0uR z>$QT)edYJ3WZ&C$W?x!0u&S~jd7t6u<iC~vm7m7r4-y&@v$ka9=jZOQYDyoV5kGYl zrIFG1IZFj4b(ixBQaat(>(;5LAD%h%YL>Ta?%eS9M$F5p$WEDsZcRqrnB76<f{m5K zBZ809&}*%J$6n7FPlmDD5`V6=dn6rI?DM!)zEwHP6O+ng&V<&_k4VL-)R&RV*Lx&X z@ULmyy|i??KTjtW2lM(EG=k&R4LlyX7QA=2C)wk}UFM<6%C@UF$26{;@BVUQp-0SL z6w7+iH>~D?<p(#=hacL`W~8#_UzLR&d^z@DThsWfKTfPszt?nsTL^5ruW7+`c4)mn zKQ_$eD`C|B9XapOwDE_<S6C8`P3t&RI&M9jBu2hoG*m_THbtzM(3+>eiyFm0yEs2M zqSba~ZJV>v+QV6sp<!jidq=!xE1w*itYNiQO}F4%6RHNQJmxAtr#!q?a}(;tYZGnR z9+osi3oDqr@vvv(xa#<UeyfV}X>H%a7wx9)$H`q9Rl8+W+Le{Ri3p{A`f9LFrXAQG z^Xb4g*u~ZcOJ*^2i4+!zs>^2t0Q+MQ$jF!<KqT*{a=|3351omFjF(qIz;p@@vRB_0 zZW~}u^`#RIu&Is*b~%v`>?a#iAjaDzjrdpqfI;OF!F+~4lY`~sAS<|7;C)#PgMe35 zxchMs7h5~9Ig3pN>*?z0!l4#?dN2~QT@q}>rqHksc*`FUz!whU%jE`OVK5$#r^`d> zve-T_grT7!432~$kx)Pb$_Zg|iF_!NvvC>XI|iQ0A+zZLTsn&hUdAMnSV3GI1OkkM z|MHI!U~Bsmp2_*a0>B51PYi$|bm1@t1NN&0hiefGfc$XiKU#2{fYSubfy!Y8vB^}6 zU@DWl@mB~6`KNtA5Ziwx910mm^`|lbRSqyK;vZ95S=-wEv{<IVht3FCu>#2chbEU! 
z`<twP__jQ<63(xV0Omh&|DpX?>?_KEmaQ!o&mspcyJwBZL6+yoQdnd<1-tSJN01E+ zFl00o2`3ps^=JqR6hkHfH=;fjV*p1O67`9{Kv^?6Tq2W9U4{a{b?E>O(Ey1?Q_#SM zfwBx?NTxtZBpMNFK+;2_C<p`wMMeGsv71c?s*>pct5?fV6ab2X(lbO;_4T1hA_flC zBf<5dL^u)+r5IqSR1(bqi9w@RpeSUlC5z1<0_mhPh(1(U0Mln>V3}~Nshu?rg4Bio zEwS?_a%q484q`)R2J!zMaH2D)j$Gn0n+OAp9twdlK<OD^^bO$OCtAUCrm{IeB`#wk z;JPTi74zk^V1Zx&Vu{Oj3IMFgfmpESY$}n<Vmq-|{y4}o1bEr<=ddlXoG3&t5l`e& z0Z=#+g@x;55ojj_9E*fwQAiy)5)1!DpGBe5LjE`H<;4Rw`krzEode7tvLgDvq8zD# z-@m?p`qNjI5*WO)D6mBG_YgS5U@B$BPXO!t5ZRZ=^q~UX<43vvC8z&~QXm;n^?+QF zp>RDakUxF2KGcv(G=!qaWCJP!rB5Ow{u?@nMdR{_Y^tdbz$3sFP@XGXfi+hWrS(r= zc)rx-EC7T-fztS!Fufmy!F~h`TkaWuMQjB7ADkGiDE!i70K4xppm_nk5cabf{@`r6 z?fgIfe&pi+aRvbT_ay&{-`{lort4oZ@UN7ASJ!X4{uKlNO8Iwn{h!e#`S)>($^>>n zJm9cY0ym2X4qBq5omP0z((?a8<)tJ*A`w7v<$yp^3d@%OC_PgZ5Q=fFZ7sxxMC8O3 zA@Zx{*MLBR`>gS%PM9V}(r$tiQL*lD|7;ej8{@2rPbYY<UUU_9wT}--v>5YqWU%GT zZsgf!<bY4*Fc^X=q-%nv+S1&_qb?nGt~5Vs-THMgX@RuNknx3Qq-JzJFK8h1;Gc#n z1(>kKmz*2Z7LTbCSBv}QlN?q*>FXVr*|lkGDKE*fbL}DDO7!fFT{g^z3rB|-2YFRN z0;MnSHm^UNVB8*`8}AJr?N!Lk^^9um^&CpOwMIhxMiA&C&2D35L+7*DEUnrWy6?DI z)wp@vNs*n&`&3Lus*hx;TaH4)9zpxUcEP^{st0`(MS4VjGf<o;6{v<vsg`zPP6!E3 zl_DnxR9^0pc@#MRc@M{~KGwP3gY){##<VH;>(X-@w!2=?UW`=uV@NC6sJO(jS>N-0 z!;$yZN06pbkJmmaJZX3-%Y_4dnX>LMGQ=(Td7)D;2&!@C{*kJD=jI_oOI=)d|L~W} zyVsiVd(>b~@gCNNdTV|3Q+pv1NRNZ?dM#YTbDi>g+y~(Yj-0n9HOfzUq?6^5H&s>r z-UekSb>^2n-sm?WNysqMRB0f7l6qCXc-q5s^0JT2!$4D~fw`d9D)!p);&VI538vx# zc_Okp;w25={y0-Xmdo2j5GWSis!Fy?kxRI(N-kVojZBkHK69nbZ`9}lR=Q_XtgLvv zzFNPG@I+{|j(~83MPW!RKeO^#19qombsYp=|5|6y(TlPQljj?2it4-l+Lg;IB{x7! zgbgZlg<OIy&5sC?89tDdHC{HC$d6Y=FPv8woE#^P)$hJNaY(CK#W<x4vQ@bGtB8WG Wi<pASU;<ElAZv?V_yRNUi2nlR@?R_f
literal 0 HcmV?d00001
- The code checks first if ovpnconfig exists and is not empty. - Then it makes all net2net connections no-pass since they do not use encryption - Then it cycles through all .p12 files and checks with openssl if a password exists or not. If a password is present then pass is added to index 41 and if not then no-pass is added to index 41 - I had to add a blank line to the top of the ovpnconfig file otherwise the awk code treated the first line as a blank line and missed it out of the update. This was the problem that was discovered during the previous Testing Release evaluation. Tested out this time with several existing entries both encrypted and insecure and with additional entries of both added in afterwards and all connection entries were maintained - road warrior and net2net. - This code should be left in update.sh for future Core Updates in case people don't update with Core Update 175 but leave it till later. This code works fine on code that already has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048 Suggested-by: Erik Kapfer ummeegge@ipfire.org Suggested-by: Adolf Belka adolf.belka@ipfire.org Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/core/180/update.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
diff --git a/config/rootfiles/core/180/update.sh b/config/rootfiles/core/180/update.sh
index b538832bf..1f74e2f98 100644
--- a/config/rootfiles/core/180/update.sh
+++ b/config/rootfiles/core/180/update.sh
@@ -65,6 +65,33 @@ fi
 /etc/rc.d/init.d/udev restart
 /etc/rc.d/init.d/suricata restart
+## Modify ovpnconfig according to bug 11048 for pass, no-pass modification in ovpnconfig index
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+ # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
+ awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
+
+ # Make all N2N connections 'no-pass' since they do not use encryption
+ awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+
+ # Evaluate roadwarrior connection names for *.p12 files
+ for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+ # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
+ if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then
+ awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+ fi
+ # Sort all encrypted roadwarriors out and set 'pass' in [43] index
+ if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then
+ awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+ fi
+ done
+fi
+
+# Replace existing ovpnconfig with updated index
+mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
+# Set correct ownership
+chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
+
 # This update needs a reboot...
 #touch /var/run/need_reboot
Hi All,
Yesterday I submitted this updated patch set for bug#11048 (better late than never).
One of the patches is adding update code for the fix to the update.sh script in Core Update 180, as that was still the version in next.
As CU180 has now been released for Testing, then that update code will likely need to be in the update.sh script for CU181.
Do I need to resubmit a v2 version of my patch set, once next has been updated to CU181, or can the patch set still be merged without problems as it is?
Regards,
Adolf
On 25/09/2023 18:41, Adolf Belka wrote:
- At long last I have re-visited the patch submission for bug #11048 and fixed the issues that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig.
- The same block of code is also used for when the connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if the connection type is host and the password has characters. If the connection type is net then no-pass is used as net2net connections do not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted certificates.
- Separate patches are provided for the language file change, the provision of a new icon and the code for the update.sh script for the Core Update to update all existing connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 31 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5afe54f55..eb89c5095 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'};
- if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
$confighash{$key}[41] = "no-pass";
- }
if ($confighash{$key}[41] eq "") {
if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
$confighash{$key}[41] = "no-pass";
} elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
$confighash{$key}[41] = "pass";
} elsif ($cgiparams{'TYPE'} eq 'net') {
$confighash{$key}[41] = "no-pass";
}
}
$confighash{$key}[42] = 'HOTP/T30/6'; $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
@@ -5512,20 +5518,24 @@ END }
- print <<END;
<td align='center' $col1>$active</td>
if ($confighash{$key}[41] eq "pass") {
print <<END;
<td align='center' $col1>$active</td>
<form method='post' name='frm${key}a'><td align='center' $col>
<input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
<input type='hidden' name='KEY' value='$key' />
</td></form>
<form method='post' name='frm${key}a'><td align='center' $col>
<input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
<input type='hidden' name='MODE' value='secure' />
<input type='hidden' name='KEY' value='$key' />
END</td></form>
;
if ($confighash{$key}[41] eq "no-pass") {
print <<END;; } elsif ($confighash{$key}[41] eq "no-pass") {
<form method='post' name='frm${key}g'><td align='center' $col>
<td align='center' $col1>$active</td>
<form method='post' name='frm${key}a'><td align='center' $col> <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
@@ -5533,7 +5543,7 @@ END <input type='hidden' name='KEY' value='$key' /> </td></form> END
- } else {
- ; } else { print "<td $col> </td>"; }
@@ -5609,30 +5619,33 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { print <<END;
<table border='0'>
<tr>
<table width='85%' border='0'>
<tr>
<td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
<td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
<td class='base'>$Lang::tr{'click to disable'}</td>
<td> <img src='/images/openvpn.png' alt='?RELOAD'/></td>
<td class='base'>$Lang::tr{'dl client arch insecure'}</td>
<td> <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td>
<td class='base'>$Lang::tr{'dl client arch'}</td>
<td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> <td class='base'>$Lang::tr{'show certificate'}</td>
<td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
<td class='base'>$Lang::tr{'show otp qrcode'}</td>
</tr>
<tr>
<td> </td>
<td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
<td class='base'>$Lang::tr{'download certificate'}</td>
<td> <img src='/images/off.gif' alt='?OFF' /></td>
<td class='base'>$Lang::tr{'click to enable'}</td>
<td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
<td class='base'>$Lang::tr{'click to disable'}</td>
<td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> <td class='base'>$Lang::tr{'edit'}</td> <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> <td class='base'>$Lang::tr{'remove'}</td>
</tr>
<tr>
<td> </td>
<td> <img src='/images/off.gif' alt='?OFF' /></td>
<td class='base'>$Lang::tr{'click to enable'}</td>
<td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
<td class='base'>$Lang::tr{'download certificate'}</td>
<td> <img src='/images/openvpn.png' alt='?RELOAD'/></td>
<td class='base'>$Lang::tr{'dl client arch'}</td>
<td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
<td class='base'>$Lang::tr{'show otp qrcode'}</td>
</tr>
</table><br>
</tr>
END ; }</table><br>
Hello Adolf,
No problem. I took care of this when merging the patchset.
-Michael
On 27 Sep 2023, at 09:20, Adolf Belka adolf.belka@ipfire.org wrote:
Hi All,
Yesterday I submitted this updated patch set for bug#11048 (better late than never).
One of the patches is adding update code for the fix to the update.sh script in Core Update 180, as that was still the version in next.
As CU180 has now been released for Testing, then that update code will likely need to be in the update.sh script for CU181.
Do I need to resubmit a v2 version of my patch set, once next has been updated to CU181, or can the patch set still be merged without problems as it is?
Regards,
Adolf
On 25/09/2023 18:41, Adolf Belka wrote:
- At long last I have re-visited the patch submission for bug #11048 and fixed the issues that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig.
- The same block of code is also used for when the connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if the connection type is host and the password has characters. If the connection type is net then no-pass is used as net2net connections do not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted certificates.
- Separate patches are provided for the language file change, the provision of a new icon and the code for the update.sh script for the Core Update to update all existing connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Adolf Belka adolf.belka@ipfire.org Suggested-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 31 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5afe54f55..eb89c5095 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'};
- if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
- $confighash{$key}[41] = "no-pass";
- }
if ($confighash{$key}[41] eq "") {
if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
$confighash{$key}[41] = "no-pass";
} elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
$confighash{$key}[41] = "pass";
} elsif ($cgiparams{'TYPE'} eq 'net') {
$confighash{$key}[41] = "no-pass";
}
$confighash{$key}[43] = $cgiparams{'OTP_STATE'};} $confighash{$key}[42] = 'HOTP/T30/6';
@@ -5512,20 +5518,24 @@ END }
- print <<END;
<td align='center' $col1>$active</td>
if ($confighash{$key}[41] eq "pass") {
print <<END;
<td align='center' $col1>$active</td>
<form method='post' name='frm${key}a'><td align='center' $col>
- <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
<input type='hidden' name='KEY' value='$key' />
</td></form>
<form method='post' name='frm${key}a'><td align='center' $col>
<input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
<input type='hidden' name='MODE' value='secure' />
<input type='hidden' name='KEY' value='$key' />
</td></form>
END
- ;
- if ($confighash{$key}[41] eq "no-pass") {
print <<END;; } elsif ($confighash{$key}[41] eq "no-pass") {
<form method='post' name='frm${key}g'><td align='center' $col>
<td align='center' $col1>$active</td>
<input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' /><form method='post' name='frm${key}a'><td align='center' $col>
@@ -5533,7 +5543,7 @@ END
<input type='hidden' name='KEY' value='$key' /> </td></form> END - } else { + ; } else { print "<td $col> </td>"; } 
@@ -5609,30 +5619,33 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { print <<END; - <table border='0'> - <tr> + <table width='85%' border='0'> + <tr> <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/openvpn.png' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'dl client arch insecure'}</td> + <td> <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'dl client arch'}</td> <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td> + <td class='base'>$Lang::tr{'show otp qrcode'}</td> + </tr> + <tr> + <td> </td> + <td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + <td> <img src='/images/off.gif' alt='?OFF' /></td> + <td class='base'>$Lang::tr{'click to enable'}</td> + <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> + <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> <td class='base'>$Lang::tr{'edit'}</td> <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> <td class='base'>$Lang::tr{'remove'}</td> - </tr> - <tr> - <td> </td> - <td> <img src='/images/off.gif' alt='?OFF' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - <td> <img src='/images/openvpn.png' alt='?RELOAD'/></td> - <td class='base'>$Lang::tr{'dl client arch'}</td> - <td> <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td> - <td class='base'>$Lang::tr{'show otp qrcode'}</td> - </tr> - 
</table><br> + </tr> + </table><br> END ; }