This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 30b1c1c72855e469034d9f7a6d4410367fa3069c (commit) via 4be45949e9629cc141401957e291e1e5206adb39 (commit) via 53ce51761fb21c630ce547660cc0b2778835d210 (commit) via 754066e6c3c6c1185fc25f8ae25b5e90c6e11f99 (commit) from e3b5a052ecd0eb5c53f669c5218f360b016fe128 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 30b1c1c72855e469034d9f7a6d4410367fa3069c Author: Michael Tremer michael.tremer@ipfire.org Date: Sun May 18 13:35:02 2014 +0200
Re-add missing language string "DNS Servers".
commit 4be45949e9629cc141401957e291e1e5206adb39 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Sat May 17 21:59:45 2014 +0200
openvpn: Changed directioning and added additional generation for ta.key.
Deleted the direction parameter 0 and 1 in ta.key directive for compatibility purposes. Added the ta.key generation also in PKI build process. Moved ta.key to /certs instead of /ca and adapted the appropriate paths.
commit 53ce51761fb21c630ce547660cc0b2778835d210 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Sat May 17 21:48:50 2014 +0200
openvpn: Drop unused code from cgi file.
Deleted the following unused functions:
* checkportfw * checkportoverlap * checkportinc * disallowreserved
commit 754066e6c3c6c1185fc25f8ae25b5e90c6e11f99 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Sat May 17 21:32:55 2014 +0200
openvpn: Deleted double entries for TLSAUTH and DAUTH.
Also drop remaining if clauses for Engines.
-----------------------------------------------------------------------
Summary of changes: doc/language_issues.de | 1 - doc/language_issues.en | 1 - doc/language_missings | 4 ++ html/cgi-bin/ovpnmain.cgi | 153 +++++++--------------------------------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 6 files changed, 28 insertions(+), 133 deletions(-)
Difference in files:
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 650d415..2140296 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -615,7 +615,6 @@ WARNING: untranslated string: addons
 WARNING: untranslated string: bytes
 WARNING: untranslated string: community rules
 WARNING: untranslated string: dead peer detection
-WARNING: untranslated string: dns servers
 WARNING: untranslated string: downlink
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: first
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 732e2aa..3a0a4c7 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -647,7 +647,6 @@ WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
-WARNING: untranslated string: dns servers
 WARNING: untranslated string: downlink
 WARNING: untranslated string: first
 WARNING: untranslated string: fwhost err hostip
diff --git a/doc/language_missings b/doc/language_missings
index 7a55460..2def481 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -92,6 +92,7 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dns servers
 < dpd delay
 < dpd timeout
 < drop action
@@ -607,6 +608,7 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dns servers
 < dpd delay
 < dpd timeout
 < drop action
@@ -1114,6 +1116,7 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dns servers
 < dpd delay
 < dpd timeout
 < drop action
@@ -1600,6 +1603,7 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dns servers
 < dpd delay
 < dpd timeout
 < drop action
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 907e8c0..0e8fad8 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -172,105 +172,6 @@ sub deletebackupcert
 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
 }
 }
-sub checkportfw {
- my $DPORT = shift;
- my $DPROT = shift;
- my %natconfig =();
- my $confignat = "${General::swroot}/firewall/config";
- $DPROT= uc ($DPROT);
- &General::readhasharray($confignat, %natconfig);
- foreach my $key (sort keys %natconfig){
- my @portarray = split (/|/,$natconfig{$key}[30]);
- foreach my $value (@portarray){
- if ($value =~ /:/i){
- my ($a,$b) = split (":",$value);
- if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }else{
- if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }
- }
- }
- return;
-}
-
-sub checkportoverlap
-{
- my $portrange1 = $_[0]; # New port range
- my $portrange2 = $_[1]; # existing port range
- my @tempr1 = split(/:/,$portrange1);
- my @tempr2 = split(/:/,$portrange2);
-
- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-
- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
- return 1; # Everything checks out!
-}
-
-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
-{
- my $port1 = $_[0]; # Port
- my $portrange2 = $_[1]; # Port range
- my @tempr1 = split(/:/,$portrange2);
-
- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
- return 1;
- } else {
- return 0;
- }
-}
-
-# Darren Critchley - certain ports are reserved for IPFire
-# TCP 67,68,81,222,444
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
- # port 67 and 68 same for tcp and udp, don't bother putting in an array
- my $msg = "";
- my @tcp_reserved = (81,222,444);
- my $prt = $_[0]; # the port or range
- my $ryn = $_[1]; # tells us whether or not it is a port range
- my $prot = $_[2]; # protocol
- my $srcdst = $_[3]; # source or destination
- if ($ryn) { # disect port range
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'rsvd src port overlap'}";
- } else {
- $msg = "$Lang::tr{'rsvd dst port overlap'}";
- }
- my @tmprng = split(/:/,$prt);
- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
- }
- }
- } else {
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'reserved src port'}";
- } else {
- $msg = "$Lang::tr{'reserved dst port'}";
- }
- if ($prt == 67) { $errormessage="$msg 67"; return; }
- if ($prt == 68) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
- }
- }
- }
- return;
-}
-
 sub writeserverconf {
 my %sovpnsettings = ();
@@ -369,7 +270,7 @@ sub writeserverconf {
 print CONF "auth $sovpnsettings{'DAUTH'}\n";
 }
 if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n";
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
 }
 if ($sovpnsettings{DCOMPLZO} eq 'on') {
 print CONF "comp-lzo\n";
@@ -810,13 +711,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
 }
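Review bot: The `tls-auth` line written by writeserverconf now omits the key-direction argument, and that only works if every peer omits it too: per the OpenVPN manual a direction of 0/1 derives separate per-direction HMAC keys from ta.key, while no direction uses the key bidirectionally, so a mismatch fails the TLS handshake. The client-config hunk at `@@ -2286` emits `tls-auth ta.key` for packages exported from now on, but packages exported earlier still carry `tls-auth ta.key 1`, and nothing in the commit moves an existing ovpn/ca/ta.key to ovpn/certs, so on an installation that already had TLSAUTH enabled the `! -e` check in the save-adv-options hunk would generate a fresh key at the new path — either way every client package needs a re-export. That deserves a comment above the print, e.g. `# No key-direction: ta.key is used bidirectionally, so the server and every exported client package must agree; re-export clients after changing this`, plus a release note. writeserverconf starts and ends outside this hunk.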
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/ca/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key")
- }
- }
-
 if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
 ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
 ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
@@ -915,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
 goto ADV_ERROR;
 }
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ERROR;
+ }
+ }
+ }
 &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings);
 &writeserverconf();#hier ok
@@ -1131,11 +1035,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 }
 }
 if ($errormessage) { goto SETTINGS_ERROR; }
-
- if ($cgiparams{'ENABLED'} eq 'on'){
- &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
- }
- if ($errormessage) { goto SETTINGS_ERROR; }
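Review bot: The failure check after `system(...)` in the new ta.key block puts the raw wait status into the message and labels the failure as an openssl error although the command run is openvpn; `$? >> 8` is the exit code, and the text should name openvpn, e.g. as a minimum `$errormessage = "$Lang::tr{'openssl produced an error'}: " . ($? >> 8);` with a dedicated language string to follow. The same message and raw `$?` appear in the ROOTCERT hunk at `@@ -1944`. The `! -e` guard also skips generation when a zero-length ta.key was left behind by an earlier failed run, so `-s` is the safer test, and the comment should say what the file is, e.g. `# ta.key is the tls-auth shared secret bundled into every client package; regenerating it invalidates all exported packages`. The enclosing save-adv-options block starts outside the hunk.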
 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
@@ -1944,7 +1843,14 @@ END
 goto ROOTCERT_ERROR;
 # } else {
 # &cleanssldatabase();
- }
+ }
+ # Create ta.key for tls-auth
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ }
 goto ROOTCERT_SUCCESS;
 }
 ROOTCERT_ERROR:
@@ -2286,8 +2192,8 @@ else
 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 }
 if ($vpnsettings{'TLSAUTH'} eq 'on') {
- print CLIENTCONF "tls-auth ta.key 1\r\n";
- $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n";
+ print CLIENTCONF "tls-auth ta.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
 }
 if ($vpnsettings{DCOMPLZO} eq 'on') {
 print CLIENTCONF "comp-lzo\r\n";
@@ -2511,20 +2417,8 @@ ADV_ERROR:
 if ($cgiparams{'DAUTH'} eq '') {
 $cgiparams{'DAUTH'} = 'SHA1';
 }
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
- }
 if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
+ $cgiparams{'TLSAUTH'} = 'off';
 }
 $checked{'CLIENT2CLIENT'}{'off'} = '';
 $checked{'CLIENT2CLIENT'}{'on'} = '';
@@ -4927,9 +4821,6 @@ END
 if ($cgiparams{'DAUTH'} eq '') {
 $cgiparams{'DAUTH'} = 'SHA1';
 }
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
- }
 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
 }
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index aee46df..6d27012 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -739,6 +739,7 @@
 'dns saved' => 'Erfolgreich gespeichert!',
 'dns saved txt' => 'Die beiden eingegebenen DNS-Server-Adressen wurde erfolgreich gespeichert.<br/>Um die Änderung wirksam zu machen, müssen Sie neustarten oder wiederverbinden!',
 'dns server' => 'DNS Server',
+'dns servers' => 'DNS-Server',
 'dns title' => 'Domain Name System',
 'dnsforward' => 'DNS-Weiterleitung',
 'dnsforward add a new entry' => 'Neuen Eintrag hinzufügen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 20e9db3..f7bfcd8 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -764,6 +764,7 @@
 'dns saved' => 'Successfully saved!',
 'dns saved txt' => 'The two entered DNS server addresses have been saved successfully.<br />You have to reboot or reconnect that the changes have effect!',
 'dns server' => 'DNS Server',
+'dns servers' => 'DNS Servers',
 'dns title' => 'Domain Name System',
 'dnsforward' => 'DNS Forwarding',
 'dnsforward add a new entry' => 'Add a new entry',
hooks/post-receive -- IPFire 2.x development tree