From patchwork Thu Feb 22 12:43:38 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7558
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] ovpnmain.cgi: Fixes bug#13548 - imported N2N client connections get disabled instead of no-pass
Date: Thu, 22 Feb 2024 13:43:38 +0100
Message-ID: <20240222124339.9847-1-adolf.belka@ipfire.org>

- When bug#11408 was fixed it was missed that key 41 has disabled inserted into it when uploading into the N2N client. This replaced the no-pass entry for all N2N connections resulting in the ovpnmain.cgi not being able to show the status correctly as the code looks for pass or no-pass.
- The disabled entry has been present for a very long time and is not utilised anywhere in the code.
- This fix ensures that key 41 in the uploaded N2N connection has no-pass entered
- Tested out and confirmed in my vm testbed.

Fixes: Bug#13548
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index eb89c5095..b773bc4b7 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi
@@ -3472,7 +3472,7 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[31] = $n2ntunmtu[1]; $confighash{$key}[39] = $n2nauth[1]; $confighash{$key}[40] = $n2ncipher[1]; - $confighash{$key}[41] = 'disabled'; + $confighash{$key}[41] = 'no-pass'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
From patchwork Thu Feb 22 12:43:39 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7557
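Review bot: The changed assignment to `$confighash{$key}[41]` in the ovpnmain.cgi hunk writes a bare string literal into a magic index, with nothing beside it to say which values that field may hold. Add a one-line comment above it stating that index 41 carries the pass/no-pass state the status display checks and that imported N2N connections are always 'no-pass'. Records already written with 'disabled' are not touched by this change, so it relies on the update.sh migration in 2/2 shipping together with it.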
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/2] update.sh: Fixes bug#13548 - make key 41 contain no-pass for N2N connections
Date: Thu, 22 Feb 2024 13:43:39 +0100
Message-ID: <20240222124339.9847-2-adolf.belka@ipfire.org>
In-Reply-To: <20240222124339.9847-1-adolf.belka@ipfire.org>

- This code ensures that all existing N2N connections have no-pass in key 41 in place of disabled for some of them.
- Tested out and confirmed on my vm testbed.

Fixes: Bug#13548
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- config/rootfiles/core/185/update.sh | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 903fe1753..0a3fae638 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh
@@ -88,6 +88,27 @@ telinit u /etc/init.d/unbound restart /etc/init.d/ntp start +## Modify ovpnconfig according to bug 13548 for no-pass entry for N2N client connections +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update + awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig + + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + # Copy all RW connections unchanged to the new ovpnconfig file + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + awk -v var="$y" '{FS=OFS=","} {if($3==var) {print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + done +fi + +# Replace existing ovpnconfig with updated index +mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig +# Set correct ownership +chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + # This update needs a reboot... #touch /var/run/need_reboot
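Review bot: The closing `mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig` and the `chown` sit after `fi`, outside the `[ -s ... ]` guard in the update.sh hunk, so on a system where ovpnconfig is missing or empty the `mv` fails because ovpnconfig.new was never created, and a stale ovpnconfig.new left over from an earlier run would be moved over the live file. Move both lines inside the `if`, and start the new file with `>` rather than appending with `>>`. The blank-line workaround is only needed because `{FS=OFS=","}` in the main rule takes effect after the first record has already been split; setting the separators in a BEGIN block removes the need for it. The roadwarrior loop selects with `/host/`, which matches that string anywhere in the record rather than testing `$5=="host"`, so an N2N record containing "host" in any field is appended a second time in its unmodified form; the two-pass approach also reorders the file and drops any record that is neither type. A single pass such as `awk 'BEGIN{FS=OFS=","} $5=="net"{$43="no-pass"} 1'` rewrites only the N2N records and leaves everything else in place and in order. The comment "since they do not use encryption" should say what key 41 actually records (pass or no-pass), since as written it reads as if the tunnel were unencrypted.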