From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d Date: Wed, 04 Nov 2015 22:21:29 +0100 Message-ID: <20151104212130.3F65021445@argus.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5507157888984563003==" List-Id: --===============5507157888984563003== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d (commit) via b6f571fa88735dcde1dfa8b4c584220fb14bf143 (commit) via 6411f1baa6e3d1a89df72327b7c8b5cb2fa8202a (commit) via b22d8aaf4ad26840cc6907580e6bd0cfea73b160 (commit) via 71af643cda77f02a006613f3fcc1a223a88f01a6 (commit) via 3045d6abde3e8eff0d1dac4fe8afe397f65f66cd (commit) via 93a08fe26132b91bc3d47d83e13bf79a3b4c5c77 (commit) from 123205fdbf2624a78449044c11cff5e77dd3f8e3 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d Author: Michael Tremer Date: Wed Nov 4 21:18:13 2015 +0000 core95: Ship updated packages =20 Signed-off-by: Michael Tremer commit b6f571fa88735dcde1dfa8b4c584220fb14bf143 Author: Matthias Fischer Date: Sun Nov 1 15:30:01 2015 +0100 snort: Update to 2.9.7.6 =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 6411f1baa6e3d1a89df72327b7c8b5cb2fa8202a Author: Erik Kapfer Date: Tue Jul 7 13:13:36 2015 +0200 lzo: Update to version 2.09 =20 Signed-off-by: Erik Kapfer 
Signed-off-by: Michael Tremer commit b22d8aaf4ad26840cc6907580e6bd0cfea73b160 Author: Michael Tremer Date: Fri Oct 30 15:47:22 2015 +0000 openvpn: Embed the certificate and key file into configuration =20 This will allow to import just the configuration file into iOS and establish the VPN connection. Also works with many other OpenVPN clients. =20 Signed-off-by: Michael Tremer commit 71af643cda77f02a006613f3fcc1a223a88f01a6 Author: Michael Tremer Date: Fri Oct 30 15:47:21 2015 +0000 openvpn: Add option to download a client package with PEM files =20 This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file which is easier to use with clients that don't support PKCS12 (like iOS) opposed to converting the file manually. =20 This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way. =20 This patch also adds this to the Core Update 95 updater. =20 Fixes: #10966 =20 Signed-off-by: Michael Tremer CC: Alexander Marx commit 3045d6abde3e8eff0d1dac4fe8afe397f65f66cd Author: Michael Tremer Date: Fri Oct 30 16:00:28 2015 +0000 openvpn: Apply static routes when N2N connection comes up =20 Fixes: #10968 =20 Signed-off-by: Michael Tremer commit 93a08fe26132b91bc3d47d83e13bf79a3b4c5c77 Author: Matthias Fischer Date: Tue Nov 3 18:51:32 2015 +0100 dma: Update to 0.10 =20 Sorry, I borked the PATCH from yesterday...second try: =20 dma: Update to 0.10 Changes: dns.c, do not treat unreachable DNS server as permanent error See: https://github.com/corecode/dma/commit/1a1306df018bd62cf1c5feb2e6e66= 4f656bc9554#diff-8e1267319329e5ee7e6a92fb2aa01c6b =20 Deleted unnecessary blank lines in 'mail.cgi' =20 Signed-off-by: Matthias Fischer 
Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/lzo | 17 ++-- .../{oldcore/94 =3D> core/95}/filelists/dma | 0 config/rootfiles/core/95/filelists/files | 2 + .../{oldcore/81 =3D> core/95}/filelists/lzo | 0 .../{oldcore/89 =3D> core/95}/filelists/snort | 0 html/cgi-bin/ids.cgi | 6 +- html/cgi-bin/mail.cgi | 15 --- html/cgi-bin/ovpnmain.cgi | 110 +++++++++++++++++++= +- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + lfs/dma | 6 +- lfs/lzo | 15 ++- lfs/snort | 8 +- 13 files changed, 138 insertions(+), 43 deletions(-) copy config/rootfiles/{oldcore/94 =3D> core/95}/filelists/dma (100%) copy config/rootfiles/{oldcore/81 =3D> core/95}/filelists/lzo (100%) copy config/rootfiles/{oldcore/89 =3D> core/95}/filelists/snort (100%) Difference in files: diff --git a/config/rootfiles/common/lzo b/config/rootfiles/common/lzo index 6d746bd..4ebc05c 100644 --- a/config/rootfiles/common/lzo +++ b/config/rootfiles/common/lzo @@ -12,16 +12,15 @@ #usr/include/lzo/lzoconf.h #usr/include/lzo/lzodefs.h #usr/include/lzo/lzoutil.h -#usr/lib/liblzo2.a #usr/lib/liblzo2.la usr/lib/liblzo2.so usr/lib/liblzo2.so.2 usr/lib/liblzo2.so.2.0.0 -#usr/share/doc/lzo -#usr/share/doc/lzo/AUTHORS -#usr/share/doc/lzo/COPYING -#usr/share/doc/lzo/LZO.FAQ -#usr/share/doc/lzo/LZO.TXT -#usr/share/doc/lzo/LZOAPI.TXT -#usr/share/doc/lzo/NEWS -#usr/share/doc/lzo/THANKS +#usr/share/doc/lzo-2.09 +#usr/share/doc/lzo-2.09/AUTHORS +#usr/share/doc/lzo-2.09/COPYING +#usr/share/doc/lzo-2.09/LZO.FAQ +#usr/share/doc/lzo-2.09/LZO.TXT +#usr/share/doc/lzo-2.09/LZOAPI.TXT +#usr/share/doc/lzo-2.09/NEWS +#usr/share/doc/lzo-2.09/THANKS diff --git a/config/rootfiles/core/95/filelists/dma b/config/rootfiles/core/9= 5/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/core/95/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file 
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core= /95/filelists/files index d9aeaa7..ab8f1a8 100644 --- a/config/rootfiles/core/95/filelists/files +++ b/config/rootfiles/core/95/filelists/files @@ -9,7 +9,9 @@ srv/web/ipfire/cgi-bin/connections.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi diff --git a/config/rootfiles/core/95/filelists/lzo b/config/rootfiles/core/9= 5/filelists/lzo new file mode 120000 index 0000000..8e11e78 --- /dev/null +++ b/config/rootfiles/core/95/filelists/lzo @@ -0,0 +1 @@ +../../../common/lzo \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/snort b/config/rootfiles/core= /95/filelists/snort new file mode 120000 index 0000000..9406ce0 --- /dev/null +++ b/config/rootfiles/core/95/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5ada911..f17b16a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2013 IPFire Team = # +# Copyright (C) 2007-2015 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # 
@@ -263,9 +263,9 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################= ################# =20 if ($snortsettings{'RULES'} eq 'subscripted') { - $url=3D" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkco= de=3D$snortsettings{'OINKCODE'}"; + $url=3D" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkco= de=3D$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=3D" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkco= de=3D$snortsettings{'OINKCODE'}"; + $url=3D" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkco= de=3D$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'community') { $url=3D" https://www.snort.org/rules/community"; } else { diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index be663a6..a72f923 100755 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -328,18 +328,3 @@ sub error { &Header::closebox(); } } - - - - - - - - - - - - - - - diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9e252a9..2eff2e0 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -926,6 +926,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NA= ME'}"){mkdir "${General print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";=20 print SERVERCONF "# Client Gateway Network\n";=20 print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "up /etc/init.d/static-routes start\n"; print SERVERCONF "# tun Device\n";=20 print SERVERCONF "dev tun\n";=20 print SERVERCONF "#Logfile for statistics\n"; 
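Review bot: The snapshot version `2976` is now hard-coded in two string literals whose bodies are identical for 'subscripted' and 'registered', so the next Snort bump has to find and edit both and nothing ties them to `VER` in lfs/snort. Hoist it once above the `if`, e.g. `my $snort_snapshot = '2976';`, and build `$url = "https://www.snort.org/rules/snortrules-snapshot-$snort_snapshot.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";` in both branches, or merge the two branches since they do the same thing. A comment such as `# Rule snapshot must match the installed Snort release (see lfs/snort VER)` would make the coupling explicit. The enclosing block starts and ends outside the hunk.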
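Review bot: The added `up /etc/init.d/static-routes start` line makes the generated N2N server config execute an external script, which OpenVPN only permits when `script-security` is at least 2; if that directive is not already emitted elsewhere in this config (it is not visible in the hunk), the tunnel will come up but the script will be refused, so either confirm it is set or add `print SERVERCONF "script-security 2\n";` next to this line. The init script is also run on every (re)connect of every N2N instance, so it has to be safe to repeat; a why-comment such as `# Re-apply static routes that point into this tunnel once it is up` would document the intent. The enclosing block starts and ends outside the hunk.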
@@ -2265,9 +2266,41 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST= _PORT'}\r\n"; } =09 + my $file_crt =3D new File::Temp( UNLINK =3D> 1 ); + my $file_key =3D new File::Temp( UNLINK =3D> 1 ); + my $include_certs =3D 0; + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot= }/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {=20 - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}= }[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $c= onfighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + $include_certs =3D 1; + + # Add the CA + print CLIENTCONF ";ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or d= ie "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs= /$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'= ); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs= /$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) 
{ + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'= }}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $= confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -2282,6 +2315,9 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "C= an't add file ta.key\n"; } 
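Review bot: `die "openssl error: $?"` on both `system()` failure branches reports the raw wait status rather than the exit code; use `die "openssl error: " . ($? >> 8) . "\n";` and give the two bare `or die;` calls after `$zip->addFile(...)` a message in the style of the neighbouring ones, e.g. `or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].key\n";`. Both temp files are created with `UNLINK => 1`, so the extracted certificate and plaintext key disappear when the objects go out of scope; if `$zip` is only serialised after that point (not visible here) the added entries would reference files that no longer exist, so it is worth confirming the zip is written while `$file_crt`/`$file_key` are still alive. The insecure branch is gated only on the `MODE` request parameter, not on the stored `no-pass` marker; a passworded PKCS#12 will make openssl fail and die, which is safe, but an explicit check keeps the backend consistent with where the button is shown. The enclosing block starts before the hunk.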
@@ -2306,6 +2342,53 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + + if ($include_certs) { + print CLIENTCONF "\r\n"; + + # CA + open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # Cert + open(FILE, "<$file_crt"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # Key + open(FILE, "<$file_key"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # TLS auth + if ($vpnsettings{'TLSAUTH'} eq 'on') { + open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + } + } + # Print client.conf.local if entries exist to client.ovpn if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on')= { open (LCC, "$local_clientconf"); @@ -4251,6 +4334,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] =3D $cgiparams{'DAUTH'}; $confighash{$key}[40] =3D $cgiparams{'DCIPHER'}; =20 + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] =3D "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash= ); =09 if ($cgiparams{'CHECK1'} ){ @@ -5127,7 +5214,7 @@ END $Lang::tr{'type'}<= /b> $Lang::tr{'remark'= } $Lang::tr{'status'= } - $Lang= ::tr{'action'} + $Lang= ::tr{'action'} END } @@ -5141,7 +5228,7 @@ END $Lang::tr{'type'}<= /b> $Lang::tr{'remark'= } $Lang::tr{'status'= } - $Lang= ::tr{'action'} + $Lang= ::tr{'action'} END } @@ -5240,6 +5327,21 @@ END END ; + + if ($confighash{$key}[41] eq "no-pass") { + print < + + + + + +END + } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert') { print < 
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index da9b885..2bca854 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -731,6 +731,7 @@ 'display traffic at home' =3D> 'Berechneten Traffic auf der Startseite anzei= gen', 'display webinterface effects' =3D> '=C3=9Cberblendeffekte einschalten', 'dl client arch' =3D> 'Client Paket herunterladen (zip)', +'dl client arch insecure' =3D> 'Ungesichertes Client-Paket herunterladen (zi= p)', 'dmz' =3D> 'DMZ', 'dmz pinhole configuration' =3D> 'Einstellungen des DMZ-Schlupfloches', 'dmz pinhole rule added' =3D> 'Regel f=C3=BCr DMZ-Schlupfloch hinzugef=C3=BC= gt; Starte DMZ-Schlupfloch neu', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 56238ed..4c52392 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -756,6 +756,7 @@ 'display traffic at home' =3D> 'Display calculated traffic on startpage', 'display webinterface effects' =3D> 'Activate effects', 'dl client arch' =3D> 'Download Client Package (zip)', +'dl client arch insecure' =3D> 'Download insecure Client Package (zip)', 'dmz' =3D> 'DMZ', 'dmz pinhole configuration' =3D> 'DMZ pinhole configuration', 'dmz pinhole rule added' =3D> 'DMZ pinhole rule added; restarting DMZ pinhol= e', diff --git a/lfs/dma b/lfs/dma index 977efc8..cf264ea 100644 --- a/lfs/dma +++ b/lfs/dma @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2011 IPFire Team = # +# Copyright (C) 2015 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 0.9.1 +VER =3D 0.10 =20 THISAPP =3D dma-$(VER) DL_FILE =3D $(THISAPP).tar.gz 
@@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 56afaf438ba34d4ff9c8879dc29a16b1 +$(DL_FILE)_MD5 =3D 91f521b0749e16f5d78e139e717245ea =20 install : $(TARGET) =20 diff --git a/lfs/lzo b/lfs/lzo index 19ad090..2afc89f 100644 --- a/lfs/lzo +++ b/lfs/lzo @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2014 IPFire Team = # +# Copyright (C) 2015 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.06 +VER =3D 2.09 =20 THISAPP =3D lzo-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 95380bd4081f85ef08c5209f4107e9f8 +$(DL_FILE)_MD5 =3D c7ffc9a103afe2d1bba0b015e7aa887f =20 install : $(TARGET) =20 @@ -70,9 +70,14 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607= .patch - cd $(DIR_APP) && ./configure --prefix=3D/usr --enable-shared=20 + cd $(DIR_APP) && ./configure \ + --prefix=3D/usr \ + --enable-shared \ + --disable-static \ + --docdir=3D/usr/share/doc/lzo-2.09 + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/snort b/lfs/snort index 373e53c..148f539 100644 --- a/lfs/snort +++ b/lfs/snort 
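Review bot: `--docdir=/usr/share/doc/lzo-2.09` hard-codes the version a second time although `VER` and `THISAPP` (= `lzo-$(VER)`, set earlier in this file) already carry it, so the next bump will move the docs without anyone noticing the rootfile drift; write `--docdir=/usr/share/doc/$(THISAPP)` instead. Dropping the `lzo-2.06-CVE-2014-4607.patch` line is presumably correct because the fix is upstream before 2.09, but a one-line comment above the configure call, `# CVE-2014-4607 is fixed upstream; no patch needed since 2.07`, would spare the next reader from re-checking, and the now-unreferenced patch file can be removed from src/patches if nothing else uses it. The `$(TARGET)` rule is fully contained in the hunk.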
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2013 IPFire Team = # +# Copyright (C) 2007-2015 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.9.7.0 +VER =3D 2.9.7.6 =20 THISAPP =3D snort-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -36,11 +36,11 @@ TARGET =3D $(DIR_INFO)/$(THISAPP) # Top-level Rules ############################################################################= ### =20 -objects =3D $(DL_FILE)=20 +objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D c2a45bc56441ee9456478f219dd8d1e2 +$(DL_FILE)_MD5 =3D 65349f3272c4de5b3210f77f1f7ab0e6 =20 install : $(TARGET) =20 hooks/post-receive -- IPFire 2.x development tree --===============5507157888984563003==--