This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d (commit)
       via  b6f571fa88735dcde1dfa8b4c584220fb14bf143 (commit)
       via  6411f1baa6e3d1a89df72327b7c8b5cb2fa8202a (commit)
       via  b22d8aaf4ad26840cc6907580e6bd0cfea73b160 (commit)
       via  71af643cda77f02a006613f3fcc1a223a88f01a6 (commit)
       via  3045d6abde3e8eff0d1dac4fe8afe397f65f66cd (commit)
       via  93a08fe26132b91bc3d47d83e13bf79a3b4c5c77 (commit)
      from  123205fdbf2624a78449044c11cff5e77dd3f8e3 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Nov 4 21:18:13 2015 +0000
core95: Ship updated packages
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b6f571fa88735dcde1dfa8b4c584220fb14bf143
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Sun Nov 1 15:30:01 2015 +0100
snort: Update to 2.9.7.6
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6411f1baa6e3d1a89df72327b7c8b5cb2fa8202a
Author: Erik Kapfer erik.kapfer@ipfire.org
Date: Tue Jul 7 13:13:36 2015 +0200
lzo: Update to version 2.09
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b22d8aaf4ad26840cc6907580e6bd0cfea73b160
Author: Michael Tremer michael.tremer@ipfire.org
Date: Fri Oct 30 15:47:22 2015 +0000
openvpn: Embed the certificate and key file into configuration
This will allow importing just the configuration file into iOS and establishing the VPN connection. Also works with many other OpenVPN clients.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 71af643cda77f02a006613f3fcc1a223a88f01a6
Author: Michael Tremer michael.tremer@ipfire.org
Date: Fri Oct 30 15:47:21 2015 +0000
openvpn: Add option to download a client package with PEM files
This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file, which is easier to use with clients that don't support PKCS12 (like iOS), as opposed to converting the file manually.
This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
CC: Alexander Marx alexander.marx@ipfire.org
commit 3045d6abde3e8eff0d1dac4fe8afe397f65f66cd
Author: Michael Tremer michael.tremer@ipfire.org
Date: Fri Oct 30 16:00:28 2015 +0000
openvpn: Apply static routes when N2N connection comes up
Fixes: #10968
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 93a08fe26132b91bc3d47d83e13bf79a3b4c5c77
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Tue Nov 3 18:51:32 2015 +0100
dma: Update to 0.10
Sorry, I borked the PATCH from yesterday...second try:
dma: Update to 0.10
Changes: dns.c, do not treat unreachable DNS server as permanent error
See: https://github.com/corecode/dma/commit/1a1306df018bd62cf1c5feb2e6e664f656bc9...
Deleted unnecessary blank lines in 'mail.cgi'
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/lzo | 17 ++--
 .../{oldcore/94 => core/95}/filelists/dma | 0
 config/rootfiles/core/95/filelists/files | 2 +
 .../{oldcore/81 => core/95}/filelists/lzo | 0
 .../{oldcore/89 => core/95}/filelists/snort | 0
 html/cgi-bin/ids.cgi | 6 +-
 html/cgi-bin/mail.cgi | 15 ---
 html/cgi-bin/ovpnmain.cgi | 110 ++++++++++++++++++++-
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 lfs/dma | 6 +-
 lfs/lzo | 15 ++-
 lfs/snort | 8 +-
 13 files changed, 138 insertions(+), 43 deletions(-)
 copy config/rootfiles/{oldcore/94 => core/95}/filelists/dma (100%)
 copy config/rootfiles/{oldcore/81 => core/95}/filelists/lzo (100%)
 copy config/rootfiles/{oldcore/89 => core/95}/filelists/snort (100%)
Difference in files: diff --git a/config/rootfiles/common/lzo b/config/rootfiles/common/lzo index 6d746bd..4ebc05c 100644 --- a/config/rootfiles/common/lzo +++ b/config/rootfiles/common/lzo @@ -12,16 +12,15 @@ #usr/include/lzo/lzoconf.h #usr/include/lzo/lzodefs.h #usr/include/lzo/lzoutil.h -#usr/lib/liblzo2.a #usr/lib/liblzo2.la usr/lib/liblzo2.so usr/lib/liblzo2.so.2 usr/lib/liblzo2.so.2.0.0 -#usr/share/doc/lzo -#usr/share/doc/lzo/AUTHORS -#usr/share/doc/lzo/COPYING -#usr/share/doc/lzo/LZO.FAQ -#usr/share/doc/lzo/LZO.TXT -#usr/share/doc/lzo/LZOAPI.TXT -#usr/share/doc/lzo/NEWS -#usr/share/doc/lzo/THANKS +#usr/share/doc/lzo-2.09 +#usr/share/doc/lzo-2.09/AUTHORS +#usr/share/doc/lzo-2.09/COPYING +#usr/share/doc/lzo-2.09/LZO.FAQ +#usr/share/doc/lzo-2.09/LZO.TXT +#usr/share/doc/lzo-2.09/LZOAPI.TXT +#usr/share/doc/lzo-2.09/NEWS +#usr/share/doc/lzo-2.09/THANKS diff --git a/config/rootfiles/core/95/filelists/dma b/config/rootfiles/core/95/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/core/95/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files index d9aeaa7..ab8f1a8 100644 --- a/config/rootfiles/core/95/filelists/files +++ b/config/rootfiles/core/95/filelists/files @@ -9,7 +9,9 @@ srv/web/ipfire/cgi-bin/connections.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi diff --git a/config/rootfiles/core/95/filelists/lzo b/config/rootfiles/core/95/filelists/lzo new file mode 120000 index 0000000..8e11e78 --- /dev/null +++ b/config/rootfiles/core/95/filelists/lzo @@ -0,0 +1 @@ +../../../common/lzo \ No newline at end of file 
diff --git a/config/rootfiles/core/95/filelists/snort b/config/rootfiles/core/95/filelists/snort new file mode 120000 index 0000000..9406ce0 --- /dev/null +++ b/config/rootfiles/core/95/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5ada911..f17b16a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -263,9 +263,9 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control #################################
if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=$snorts..."; + $url=" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=$snorts..."; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=$snorts..."; + $url=" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=$snorts..."; } elsif ($snortsettings{'RULES'} eq 'community') { $url=" https://www.snort.org/rules/community"; } else { diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index be663a6..a72f923 100755 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -328,18 +328,3 @@ sub error { &Header::closebox(); } } - - - - - - - - - - - - - - - diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9e252a9..2eff2e0 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -926,6 +926,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; print SERVERCONF "# Client Gateway Network\n"; print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "up /etc/init.d/static-routes start\n"; print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; print SERVERCONF "#Logfile for statistics\n"; 
@@ -2265,9 +2266,41 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } + my $file_crt = new File::Temp( UNLINK => 1 ); + my $file_key = new File::Temp( UNLINK => 1 ); + my $include_certs = 0; + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + $include_certs = 1; + + # Add the CA + print CLIENTCONF ";ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) 
{ + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -2282,6 +2315,9 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } 
@@ -2306,6 +2342,53 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + + if ($include_certs) { + print CLIENTCONF "\r\n"; + + # CA + open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem"); + print CLIENTCONF "<ca>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</ca>\r\n\r\n"; + close(FILE); + + # Cert + open(FILE, "<$file_crt"); + print CLIENTCONF "<cert>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</cert>\r\n\r\n"; + close(FILE); + + # Key + open(FILE, "<$file_key"); + print CLIENTCONF "<key>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</key>\r\n\r\n"; + close(FILE); + + # TLS auth + if ($vpnsettings{'TLSAUTH'} eq 'on') { + open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); + print CLIENTCONF "<tls-auth>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</tls-auth>\r\n\r\n"; + close(FILE); + } + } + # Print client.conf.local if entries exist to client.ovpn if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { open (LCC, "$local_clientconf"); @@ -4251,6 +4334,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); if ($cgiparams{'CHECK1'} ){ @@ -5127,7 +5214,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5141,7 +5228,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5240,6 +5327,21 @@ END </td></form> END ; + + if ($confighash{$key}[41] eq "no-pass") { + print <<END; + <form method='post' name='frm${key}g'><td align='center' $col> + <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' + alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' /> + <input type='hidden' name='MODE' value='insecure' /> + <input type='hidden' name='KEY' value='$key' /> + </td></form> +END + } else { + print "<td $col> </td>"; + } + if ($confighash{$key}[4] eq 'cert') { print <<END; <form method='post' name='frm${key}b'><td align='center' $col> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index da9b885..2bca854 100644 --- a/langs/de/cgi-bin/de.pl 
+++ b/langs/de/cgi-bin/de.pl @@ -731,6 +731,7 @@ 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen', 'display webinterface effects' => 'Überblendeffekte einschalten', 'dl client arch' => 'Client Paket herunterladen (zip)', +'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches', 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 56238ed..4c52392 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -756,6 +756,7 @@ 'display traffic at home' => 'Display calculated traffic on startpage', 'display webinterface effects' => 'Activate effects', 'dl client arch' => 'Download Client Package (zip)', +'dl client arch insecure' => 'Download insecure Client Package (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'DMZ pinhole configuration', 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole', diff --git a/lfs/dma b/lfs/dma index 977efc8..cf264ea 100644 --- a/lfs/dma +++ b/lfs/dma @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2011 IPFire Team info@ipfire.org # +# Copyright (C) 2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.9.1 +VER = 0.10
THISAPP = dma-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 56afaf438ba34d4ff9c8879dc29a16b1 +$(DL_FILE)_MD5 = 91f521b0749e16f5d78e139e717245ea
install : $(TARGET)
diff --git a/lfs/lzo b/lfs/lzo index 19ad090..2afc89f 100644 --- a/lfs/lzo +++ b/lfs/lzo @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.06 +VER = 2.09
THISAPP = lzo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8 +$(DL_FILE)_MD5 = c7ffc9a103afe2d1bba0b015e7aa887f
install : $(TARGET)
@@ -70,9 +70,14 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch - cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --enable-shared \ + --disable-static \ + --docdir=/usr/share/doc/lzo-2.09 + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/snort b/lfs/snort index 373e53c..148f539 100644 --- a/lfs/snort +++ b/lfs/snort @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.9.7.0 +VER = 2.9.7.6
THISAPP = snort-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -36,11 +36,11 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ###############################################################################
-objects = $(DL_FILE) +objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c2a45bc56441ee9456478f219dd8d1e2 +$(DL_FILE)_MD5 = 65349f3272c4de5b3210f77f1f7ab0e6
install : $(TARGET)
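Review bot: In html/cgi-bin/ids.cgi (hunk at -263), the snapshot number 2976 is hard-coded in two branches, 'subscripted' and 'registered', that build the same URL, and it has to be edited by hand whenever VER in lfs/snort moves, as this commit shows. Merge the two branches into one condition and take the number from a single variable, or derive it from the installed Snort version, so the rules URL cannot drift from the shipped engine.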
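Review bot: In html/cgi-bin/ovpnmain.cgi (hunk at -926), the new `up /etc/init.d/static-routes start` line is only emitted by the code that generates a net-to-net server configuration, and nothing else in this diff touches configurations that already exist, so connections created before the update would still come up without the static routes. Consider rewriting the existing files under ovpn/n2nconf in the Core Update 95 updater. Also confirm that the generated configuration sets script-security 2, which OpenVPN requires before it runs a user-defined up script and which is not visible in this hunk.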
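Review bot: In the ovpnmain.cgi hunk at -2265, the insecure branch is entered on `$cgiparams{'MODE'} eq 'insecure'` alone; the "no-pass" marker in `$confighash{$cgiparams{'KEY'}}[41]` is checked only where the button is rendered (hunk at -5240), not here. A request carrying MODE=insecure for a connection whose PKCS12 file has a password therefore reaches openssl with the empty `-passin pass:` and ends in `die "openssl error: $?"` partway through building the archive. Test field 41 before taking this branch and fall back to the PKCS12 package otherwise. The two `$zip->addFile(...) or die;` calls for the extracted certificate and key also lack the message that the neighbouring addFile calls give.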
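Review bot: In the ovpnmain.cgi hunk at -2306, none of the four `open(FILE, "<...")` calls checks its result, so an unreadable cacert.pem, temporary file or ta.key yields an empty <ca>, <cert>, <key> or <tls-auth> block and a client configuration that only fails at connect time. Use three-argument open with a lexical handle and `or die`, and fold the four identical read loops into one helper that takes the tag name and the path. Because the unencrypted key is now inline and the `;key` directive is commented out, it is also worth deciding whether the archive still needs the separate .key file added in the hunk at -2265, which is a second plaintext copy of the key.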
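Review bot: In the ovpnmain.cgi hunk at -4251, `$confighash{$key}[41]` is set to "no-pass" when CERT_PASS1 is empty, but there is no else branch that clears it, so whatever the slot held before would survive when a password is supplied. Assign the field in both cases, and add a short comment saying what index 41 holds, since the insecure download button is keyed on it.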
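Review bot: In lfs/lzo (hunk at -70), the step `patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch` is dropped, but the commit message only says "Update to version 2.09" and the summary of changes does not list the patch file as removed. Say in the commit message that the fix is contained in the 2.09 sources, after checking that it is, and delete the now unused file from src/patches. The new `--docdir=/usr/share/doc/lzo-2.09` would also read better as lzo-$(VER), so the next version bump does not need a second edit in this file.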
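Review bot: In lfs/dma, lfs/lzo and lfs/snort, the only integrity value updated for the new tarballs is `$(DL_FILE)_MD5`, and MD5 does not resist deliberately constructed collisions. If the build system can carry a second digest, record a SHA-256 (or stronger) value next to each MD5 and verify it in the same step, so a substituted download is caught even when the MD5 matches.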
hooks/post-receive -- IPFire 2.x development tree