From 71af643cda77f02a006613f3fcc1a223a88f01a6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 30 Oct 2015 15:47:21 +0000 Subject: [PATCH] openvpn: Add option to download a client package with PEM files This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file which is easier to use with clients that don't support PKCS12 (like iOS) opposed to converting the file manually. This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way. This patch also adds this to the Core Update 95 updater. Fixes: #10966 Signed-off-by: Michael Tremer CC: Alexander Marx --- config/rootfiles/core/95/filelists/files | 1 + html/cgi-bin/ovpnmain.cgi | 56 ++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 55 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files index d9aeaa72d7..f3cc305ca2 100644 --- a/config/rootfiles/core/95/filelists/files +++ b/config/rootfiles/core/95/filelists/files @@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 54237b9a3e..d648b8f2ce 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2266,9 +2266,38 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } + my $file_crt = new File::Temp( UNLINK => 1 ); + my $file_key = new File::Temp( UNLINK => 1 ); + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + # Add the CA + print CLIENTCONF "ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -4252,6 +4281,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($cgiparams{'CHECK1'} ){ @@ -5128,7 +5161,7 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } @@ -5142,7 +5175,7 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } @@ -5241,6 +5274,21 @@ END END ; + + if ($confighash{$key}[41] eq "no-pass") { + print < + + + + + +END + } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert') { print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index da9b885ff8..2bca854ff1 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -731,6 +731,7 @@ 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen', 'display webinterface effects' => 'Überblendeffekte einschalten', 'dl client arch' => 'Client Paket herunterladen (zip)', +'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches', 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 56238ed3e1..4c523921ce 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -756,6 +756,7 @@ 'display traffic at home' => 'Display calculated traffic on startpage', 'display webinterface effects' => 'Activate effects', 'dl client arch' => 'Download Client Package (zip)', +'dl client arch insecure' => 'Download insecure Client Package (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'DMZ pinhole configuration', 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole', -- 2.39.2