openvpn: Add option to download a client package with PEM files

This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file which is easier to use with clients that
don't support PKCS12 (like iOS) opposed to converting
the file manually.

This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.

This patch also adds this to the Core Update 95 updater.

Fixes: #10966
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CC: Alexander Marx <alexander.marx@ipfire.org>

diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
index dfecbaf9c9d33d6155fd67bbfcdc7cecfa3685bc..b886200c0b4c1b4ffc07332e526121779a03caff 100644 (file)
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9e252a9977f868c4cbf97681ba6f08057f397926..7c9ff95ff79c14bc34c1f0f75eaaf0e68192cea2 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2265,9 +2265,38 @@ else
        print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
     }
                        
+    my $file_crt = new File::Temp( UNLINK => 1 );
+    my $file_key = new File::Temp( UNLINK => 1 );
+
     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
-       print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
-       $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       if ($cgiparams{'MODE'} eq 'insecure') {
+               # Add the CA
+               print CLIENTCONF "ca cacert.pem\r\n";
+               $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
+
+               # Extract the certificate
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+               print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+               # Extract the key
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+               print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+       } else {
+               print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+               $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       }
     } else {
        print CLIENTCONF "ca cacert.pem\r\n";
        print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
        $confighash{$key}[39]           = $cgiparams{'DAUTH'};
        $confighash{$key}[40]           = $cgiparams{'DCIPHER'};
 
+       if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+               $confighash{$key}[41] = "no-pass";
+       }
+
        &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
        
        if ($cgiparams{'CHECK1'} ){
@@ -5127,7 +5160,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5141,7 +5174,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5240,6 +5273,21 @@ END
        </td></form>
 END
        ;
+
+       if ($confighash{$key}[41] eq "no-pass") {
+               print <<END;
+                       <form method='post' name='frm${key}g'><td align='center' $col>
+                               <input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+                                       alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+                               <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+                               <input type='hidden' name='MODE' value='insecure' />
+                               <input type='hidden' name='KEY' value='$key' />
+                       </td></form>
+END
+       } else {
+               print "<td $col>&nbsp;</td>";
+       }
+
        if ($confighash{$key}[4] eq 'cert') {
            print <<END;
            <form method='post' name='frm${key}b'><td align='center' $col>

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf04d3d5a827f3515c42526ae4bac756875f5e13..305db0be2a3338b494e996a870f68f24680c7850 100644 (file)
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
 'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu',

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed3e11c671a2301a68b62a0108d99a3a447..4c523921ce6633816130ca355a03b2d5757754f9 100644 (file)
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
 'dl client arch' => 'Download Client Package (zip)',
+'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',