From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 1/2] openvpn: Add option to download a client package with
 PEM files
Date: Fri, 30 Oct 2015 15:47:21 +0000
Message-ID: <1446220042-22681-1-git-send-email-michael.tremer@ipfire.org>
In-Reply-To: <1446157505-23020-1-git-send-email-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9203728175253173531=="
List-Id: <development.lists.ipfire.org>

--===============9203728175253173531==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file which is easier to use with clients that
don't support PKCS12 (like iOS) opposed to converting
the file manually.

This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.

This patch also adds this to the Core Update 95 updater.

Fixes: #10966

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
CC: Alexander Marx <alexander.marx(a)ipfire.org>
---
 config/rootfiles/core/95/filelists/files |  1 +
 html/cgi-bin/ovpnmain.cgi                | 56 +++++++++++++++++++++++++++++-=
--
 langs/de/cgi-bin/de.pl                   |  1 +
 langs/en/cgi-bin/en.pl                   |  1 +
 4 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core=
/95/filelists/files
index dfecbaf..b886200 100644
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9e252a9..7c9ff95 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2265,9 +2265,38 @@ else
 	print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST=
_PORT'}\r\n";
     }
     	    	=09
+    my $file_crt =3D new File::Temp( UNLINK =3D> 1 );
+    my $file_key =3D new File::Temp( UNLINK =3D> 1 );
+
     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot=
}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {=20
-	print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
-	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}=
}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $c=
onfighash{$cgiparams{'KEY'}}[1].p12\n";
+	if ($cgiparams{'MODE'} eq 'insecure') {
+		# Add the CA
+		print CLIENTCONF "ca cacert.pem\r\n";
+		$zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or d=
ie "Can't add file cacert.pem\n";
+
+		# Extract the certificate
+		system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs=
/$confighash{$cgiparams{'KEY'}}[1].p12",
+			'-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'=
);
+		if ($?) {
+			die "openssl error: $?";
+		}
+
+		$zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+		print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+		# Extract the key
+		system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs=
/$confighash{$cgiparams{'KEY'}}[1].p12",
+			'-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+		if ($?) {
+			die "openssl error: $?";
+		}
+
+		$zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+		print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+	} else {
+		print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'=
}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $=
confighash{$cgiparams{'KEY'}}[1].p12\n";
+	}
     } else {
 	print CLIENTCONF "ca cacert.pem\r\n";
 	print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	$confighash{$key}[39]		=3D $cgiparams{'DAUTH'};
 	$confighash{$key}[40]		=3D $cgiparams{'DCIPHER'};
=20
+	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+		$confighash{$key}[41] =3D "no-pass";
+	}
+
 	&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash=
);
 =09
 	if ($cgiparams{'CHECK1'} ){
@@ -5127,7 +5160,7 @@ END
 	<th width=3D'15%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'type'}<=
/b></th>
 	<th width=3D'20%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'remark'=
}</b></th>
 	<th width=3D'10%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'status'=
}</b></th>
-	<th width=3D'5%' class=3D'boldbase' colspan=3D'6' align=3D'center'><b>$Lang=
::tr{'action'}</b></th>
+	<th width=3D'5%' class=3D'boldbase' colspan=3D'7' align=3D'center'><b>$Lang=
::tr{'action'}</b></th>
 </tr>
 END
 		}
@@ -5141,7 +5174,7 @@ END
 	<th width=3D'15%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'type'}<=
/b></th>
 	<th width=3D'20%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'remark'=
}</b></th>
 	<th width=3D'10%' class=3D'boldbase' align=3D'center'><b>$Lang::tr{'status'=
}</b></th>
-	<th width=3D'5%' class=3D'boldbase' colspan=3D'6' align=3D'center'><b>$Lang=
::tr{'action'}</b></th>
+	<th width=3D'5%' class=3D'boldbase' colspan=3D'7' align=3D'center'><b>$Lang=
::tr{'action'}</b></th>
 </tr>
 END
 		}
@@ -5240,6 +5273,21 @@ END
 	</td></form>
 END
 	;
+
+	if ($confighash{$key}[41] eq "no-pass") {
+		print <<END;
+			<form method=3D'post' name=3D'frm${key}g'><td align=3D'center' $col>
+				<input type=3D'image'  name=3D'$Lang::tr{'dl client arch insecure'}' src=
=3D'/images/openvpn.png'
+					alt=3D'$Lang::tr{'dl client arch insecure'}' title=3D'$Lang::tr{'dl cli=
ent arch insecure'}' border=3D'0' />
+				<input type=3D'hidden' name=3D'ACTION' value=3D'$Lang::tr{'dl client arc=
h'}' />
+				<input type=3D'hidden' name=3D'MODE' value=3D'insecure' />
+				<input type=3D'hidden' name=3D'KEY' value=3D'$key' />
+			</td></form>
+END
+	} else {
+		print "<td $col>&nbsp;</td>";
+	}
+
 	if ($confighash{$key}[4] eq 'cert') {
 	    print <<END;
 	    <form method=3D'post' name=3D'frm${key}b'><td align=3D'center' $col>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf04d3d..305db0b 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
 'display traffic at home' =3D> 'Berechneten Traffic auf der Startseite anzei=
gen',
 'display webinterface effects' =3D> '=C3=9Cberblendeffekte einschalten',
 'dl client arch' =3D> 'Client Paket herunterladen (zip)',
+'dl client arch insecure' =3D> 'Ungesichertes Client-Paket herunterladen (zi=
p)',
 'dmz' =3D> 'DMZ',
 'dmz pinhole configuration' =3D> 'Einstellungen des DMZ-Schlupfloches',
 'dmz pinhole rule added' =3D> 'Regel f=C3=BCr DMZ-Schlupfloch hinzugef=C3=BC=
gt; Starte DMZ-Schlupfloch neu',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed..4c52392 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
 'display traffic at home' =3D> 'Display calculated traffic on startpage',
 'display webinterface effects' =3D> 'Activate effects',
 'dl client arch' =3D> 'Download Client Package (zip)',
+'dl client arch insecure' =3D> 'Download insecure Client Package (zip)',
 'dmz' =3D> 'DMZ',
 'dmz pinhole configuration' =3D> 'DMZ pinhole configuration',
 'dmz pinhole rule added' =3D> 'DMZ pinhole rule added; restarting DMZ pinhol=
e',
--=20
2.4.4


--===============9203728175253173531==--