openvpn: Add option to download a client package with PEM files

This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file which is easier to use with clients that
don't support PKCS12 (like iOS) opposed to converting
the file manually.

This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.

This patch also adds this to the Core Update 95 updater.

Fixes: #10966
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CC: Alexander Marx <alexander.marx@ipfire.org>

diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
index d9aeaa72d722cdcb00878f6a79823ae94af4d857..f3cc305ca216d3139cfc55911cde57fd3bcc3b75 100644 (file)
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 54237b9a3e0b969f4db7a9c3f1956a3a3a312715..d648b8f2ce52d655eff53758157a056e6cd177d3 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2266,9 +2266,38 @@ else
        print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
     }
                        
+    my $file_crt = new File::Temp( UNLINK => 1 );
+    my $file_key = new File::Temp( UNLINK => 1 );
+
     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
-       print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
-       $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       if ($cgiparams{'MODE'} eq 'insecure') {
+               # Add the CA
+               print CLIENTCONF "ca cacert.pem\r\n";
+               $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
+
+               # Extract the certificate
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+               print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+               # Extract the key
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+               print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+       } else {
+               print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+               $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       }
     } else {
        print CLIENTCONF "ca cacert.pem\r\n";
        print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4252,6 +4281,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
        $confighash{$key}[39]           = $cgiparams{'DAUTH'};
        $confighash{$key}[40]           = $cgiparams{'DCIPHER'};
 
+       if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+               $confighash{$key}[41] = "no-pass";
+       }
+
        &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
        
        if ($cgiparams{'CHECK1'} ){
@@ -5128,7 +5161,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5142,7 +5175,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5241,6 +5274,21 @@ END
        </td></form>
 END
        ;
+
+       if ($confighash{$key}[41] eq "no-pass") {
+               print <<END;
+                       <form method='post' name='frm${key}g'><td align='center' $col>
+                               <input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+                                       alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+                               <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+                               <input type='hidden' name='MODE' value='insecure' />
+                               <input type='hidden' name='KEY' value='$key' />
+                       </td></form>
+END
+       } else {
+               print "<td $col>&nbsp;</td>";
+       }
+
        if ($confighash{$key}[4] eq 'cert') {
            print <<END;
            <form method='post' name='frm${key}b'><td align='center' $col>

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index da9b885ff8f1649cece205119b2f5e7fa4265f92..2bca854ff1aadcb4ef0c76604dc6a5df5135e4f6 100644 (file)
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
 'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu',

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed3e11c671a2301a68b62a0108d99a3a447..4c523921ce6633816130ca355a03b2d5757754f9 100644 (file)
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
 'dl client arch' => 'Download Client Package (zip)',
+'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',