public inbox for development@lists.ipfire.org
* [PATCH 1/5] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
@ 2023-05-17  9:56 Adolf Belka
  2023-05-17  9:56 ` [PATCH 2/5] de.pl: Change language text for secure icon wording Adolf Belka
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Adolf Belka @ 2023-05-17  9:56 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 7458 bytes --]

- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
   is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
   connection is a host and if the first password entry is a null. Then it adds no-pass
   to ovpnconfig.
- The same block of code is also used for when the connection is edited. However at this
   stage the password entry is back to null because the password value is only kept until
   the connection has been saved. Therefore doing an edit results in the password value
   being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
   the connection type is host and the password has characters. If the connection type is
   net then no-pass is used as net2net connections do not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
   certificates.
- Separate patches are provided for the language file change, the provision of a new icon
   and the code for the update.sh script for the Core Update to update all existing
   connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 175 update.sh script has been tested
   on a vm testbed

Fixes: Bug#11048
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Tested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 72 +++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 30 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 51d6e8431..50ad21e79 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4327,8 +4327,14 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	$confighash{$key}[39]		= $cgiparams{'DAUTH'};
 	$confighash{$key}[40]		= $cgiparams{'DCIPHER'};
 
-	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
-		$confighash{$key}[41] = "no-pass";
+       if ($confighash{$key}[41] eq "") {
+               if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+                       $confighash{$key}[41] = "no-pass";
+               } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
+                       $confighash{$key}[41] = "pass";
+               } elsif ($cgiparams{'TYPE'} eq 'net') {
+                       $confighash{$key}[41] = "no-pass";
+               }
 	}
 
    $confighash{$key}[42] = 'HOTP/T30/6';
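
Review bot: The outer `if ($confighash{$key}[41] eq "")` guard only protects a value that is already stored. A password-protected host connection whose index 41 is still empty when it is first edited will be written as "no-pass", because CERT_PASS1 is null on edit, so the result depends on the update.sh migration in 5/5 having filled index 41 beforehand; a comment stating that dependency would help. The first and third branches both assign "no-pass", so this can be reduced to "pass" when TYPE is 'host' and CERT_PASS1 is non-empty and "no-pass" otherwise. The added lines are indented with spaces while the surrounding context uses tabs.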
@@ -5470,20 +5476,24 @@ END
 }
 
 
-    print <<END;
-	<td align='center' $col1>$active</td>
+       if ($confighash{$key}[41] eq "pass") {
+               print <<END;
+                       <td align='center' $col1>$active</td>
 
-	<form method='post' name='frm${key}a'><td align='center' $col>
-	    <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
-	    <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
-	    <input type='hidden' name='KEY' value='$key' />
-	</td></form>
+                       <form method='post' name='frm${key}a'><td align='center' $col>
+                           <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
+                                       alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
+                           <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+                           <input type='hidden' name='MODE' value='secure' />
+                           <input type='hidden' name='KEY' value='$key' />
+                       </td></form>
 END
-	;
 
-	if ($confighash{$key}[41] eq "no-pass") {
+       ; } elsif ($confighash{$key}[41] eq "no-pass") {
 		print <<END;
-			<form method='post' name='frm${key}g'><td align='center' $col>
+                       <td align='center' $col1>$active</td>
+
+                       <form method='post' name='frm${key}a'><td align='center' $col>
 				<input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
 					alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
 				<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
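
Review bot: The `;` in `; } elsif ($confighash{$key}[41] eq "no-pass") {` is an empty statement, since `print <<END;` already terminates the print on its opening line; drop it and put `} elsif` on its own line after the heredoc terminator. The `<td align='center' $col1>$active</td>` cell is now repeated inside both heredocs, and both forms are named `frm${key}a`; printing the `$active` cell once before the conditional would remove the duplication. The new hidden `MODE` field with value 'secure' is consumed by code outside this patch, so it is worth confirming that the download handler accepts that value. The added lines mix space indentation into a tab-indented block.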
@@ -5491,7 +5501,7 @@ END
 				<input type='hidden' name='KEY' value='$key' />
 			</td></form>
 END
-	} else {
+	; } else {
 		print "<td $col>&nbsp;</td>";
 	}
 
@@ -5567,30 +5577,32 @@ END
     # If the config file contains entries, print Key to action icons
     if ( $id ) {
     print <<END;
-    <table border='0'>
-    <tr>
+       <table width='85%' border='0'>
+       <tr>
 		<td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
-		<td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
-		<td class='base'>$Lang::tr{'click to disable'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
+              <td class='base'>$Lang::tr{'dl client arch insecure'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td>
+              <td class='base'>$Lang::tr{'dl client arch'}</td>
 		<td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
 		<td class='base'>$Lang::tr{'show certificate'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
+              <td class='base'>$Lang::tr{'show otp qrcode'}</td>
+       </tr>
+       <tr>
+              <td>&nbsp; </td>
+              <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
+              <td class='base'>$Lang::tr{'download certificate'}</td>
+              <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
+              <td class='base'>$Lang::tr{'click to enable'}</td>
+              <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+              <td class='base'>$Lang::tr{'click to disable'}</td>
 		<td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
 		<td class='base'>$Lang::tr{'edit'}</td>
 		<td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
 		<td class='base'>$Lang::tr{'remove'}</td>
-    </tr>
-    <tr>
-		<td>&nbsp; </td>
-		<td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
-		<td class='base'>$Lang::tr{'click to enable'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
-		<td class='base'>$Lang::tr{'download certificate'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
-		<td class='base'>$Lang::tr{'dl client arch'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
-		<td class='base'>$Lang::tr{'show otp qrcode'}</td>
-		</tr>
-    </table><br>
+       </tr>
+       </table><br>
 END
     ;
     }
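
Review bot: The two new legend images for openvpn.png and openvpn_encrypted.png carry `alt='?RELOAD'`, which does not describe either icon; use the same `$Lang::tr{'dl client arch insecure'}` and `$Lang::tr{'dl client arch'}` strings that label them. After the reshuffle the first row has nine cells and the second row eleven, so the legend columns will not line up unless a padding cell or colspan is added. The added rows are indented with spaces next to tab-indented context lines.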
-- 
2.40.1



* [PATCH 2/5] de.pl: Change language text for secure icon wording
  2023-05-17  9:56 [PATCH 1/5] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
@ 2023-05-17  9:56 ` Adolf Belka
  2023-05-17  9:56 ` [PATCH 3/5] en.pl: Update to language wording for secure connection icon Adolf Belka
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Adolf Belka @ 2023-05-17  9:56 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 867 bytes --]

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 langs/de/cgi-bin/de.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 33730f0c3..b9665e62d 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -817,7 +817,7 @@
 'display hostname in window title' => 'Hostname im Fenstertitel anzeigen',
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
-'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch' => 'Verschlüsseltes Client Paket herunterladen (zip)',
 'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
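
Review bot: The new string 'Verschlüsseltes Client Paket herunterladen (zip)' writes "Client Paket" without a hyphen, while the adjacent 'dl client arch insecure' entry uses "Client-Paket". Use the hyphenated form in both so the two tooltips read consistently.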
-- 
2.40.1



* [PATCH 3/5] en.pl: Update to language wording for secure connection icon
  2023-05-17  9:56 [PATCH 1/5] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  2023-05-17  9:56 ` [PATCH 2/5] de.pl: Change language text for secure icon wording Adolf Belka
@ 2023-05-17  9:56 ` Adolf Belka
  2023-05-17  9:56 ` [PATCH 4/5] web-user-interface: Addition of new icon for secure connection certificate download Adolf Belka
  2023-05-17  9:56 ` [PATCH 5/5] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass Adolf Belka
  3 siblings, 0 replies; 5+ messages in thread
From: Adolf Belka @ 2023-05-17  9:56 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 793 bytes --]

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 langs/en/cgi-bin/en.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 729516538..7b1670494 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,7 +859,7 @@
 'display hostname in window title' => 'Display hostname in window title',
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
-'dl client arch' => 'Download Client Package (zip)',
+'dl client arch' => 'Download Encrypted Client Package (zip)',
 'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
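
Review bot: The new wording 'Download Encrypted Client Package (zip)' capitalises "Encrypted", while the neighbouring entry reads 'Download insecure Client Package (zip)' with a lower-case adjective. The pair also contrasts "Encrypted" with "insecure" rather than "unencrypted"; since the icon reflects whether the certificate is password protected, matching terms and matching capitalisation in both strings would be clearer.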
-- 
2.40.1



* [PATCH 4/5] web-user-interface: Addition of new icon for secure connection certificate download
  2023-05-17  9:56 [PATCH 1/5] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  2023-05-17  9:56 ` [PATCH 2/5] de.pl: Change language text for secure icon wording Adolf Belka
  2023-05-17  9:56 ` [PATCH 3/5] en.pl: Update to language wording for secure connection icon Adolf Belka
@ 2023-05-17  9:56 ` Adolf Belka
  2023-05-17  9:56 ` [PATCH 5/5] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass Adolf Belka
  3 siblings, 0 replies; 5+ messages in thread
From: Adolf Belka @ 2023-05-17  9:56 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 8182 bytes --]

- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
   This library is free software; you can redistribute it and/or modify it under the terms
   of the GNU Lesser General Public License as published by the Free Software Foundation;
   either version 2.1 of the License, or (at your option) any later version. This library
   is distributed in the hope that it will be useful, but without any warranty; without
   even the implied warranty of merchantability or fitness for a particular purpose. See
   version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
   Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
   padlock icon on top of it at a 12x12 pixel format and naming it openvpn_encrypted.png

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/common/web-user-interface |   1 +
 html/html/images/openvpn_encrypted.png     | Bin 0 -> 7004 bytes
 2 files changed, 1 insertion(+)
 create mode 100644 html/html/images/openvpn_encrypted.png

diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index 33f0d30a7..9aec3bdbc 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -233,6 +233,7 @@ srv/web/ipfire/html/images/off.gif
 srv/web/ipfire/html/images/on.gif
 srv/web/ipfire/html/images/openvpn.gif
 srv/web/ipfire/html/images/openvpn.png
+srv/web/ipfire/html/images/openvpn_encrypted.png
 srv/web/ipfire/html/images/package-x-generic.png
 srv/web/ipfire/html/images/printer-error.png
 srv/web/ipfire/html/images/printer.png
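
Review bot: The source URL and LGPL terms for the padlock image are recorded only in the commit message; the patch itself adds just the rootfiles entry and the PNG. Consider recording the origin and license of openvpn_encrypted.png somewhere in the tree so the attribution survives independently of the commit history.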
diff --git a/html/html/images/openvpn_encrypted.png b/html/html/images/openvpn_encrypted.png
new file mode 100644
index 0000000000000000000000000000000000000000..873c6c46113df0b973022c9c0f3a01cba19c0fbd
GIT binary patch
literal 7004

-- 
2.40.1



* [PATCH 5/5] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
  2023-05-17  9:56 [PATCH 1/5] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
                   ` (2 preceding siblings ...)
  2023-05-17  9:56 ` [PATCH 4/5] web-user-interface: Addition of new icon for secure connection certificate download Adolf Belka
@ 2023-05-17  9:56 ` Adolf Belka
  3 siblings, 0 replies; 5+ messages in thread
From: Adolf Belka @ 2023-05-17  9:56 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2961 bytes --]

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
   If a password is present then pass is added to index 41 and if not then no-pass is added
   to index 41
- This code should be left in update.sh for future Core Updates in case people don't update
   with Core Update 175 but leave it till later. This code works fine on code that already
   has pass or no-pass entered into index 41 in ovpnconfig

Fixes: Bug#11048
Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Tested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/core/175/update.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 03ce4a93d..8ed34f39e 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -175,6 +175,30 @@ if [ -e /boot/pakfire-kernel-update ]; then
     /boot/pakfire-kernel-update ${KVER}
 fi
 
+## Modify ovpnconfig according to bug 11048 for pass, no-pass modification in ovpnconfig index
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+       # Make all N2N connections 'no-pass' since they do not use encryption
+       awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+
+       # Evaluate roadwarrior connection names for *.p12 files
+       for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+           # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
+               if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted') ]]; then
+                       awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+               fi
+	    # Sort all encrypted roadwarriors out and set 'pass' in [43] index
+               if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'error')  ]]; then
+                       awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+               fi
+       done
+fi
+
+# Replace existing ovpnconfig with updated index
+mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
+# Set correct ownership
+chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
+
 # This update needs a reboot...
 touch /var/run/need_reboot
 
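
Review bot: In the three rewriting awk calls, `{FS=OFS=","}` is a main-rule action, so the new separator only applies from the second record onward; the first line of ovpnconfig is split with the default separator, matches neither `$5=="net"` nor `$3==var`, and is never written to ovpnconfig.new. Set the separators in `BEGIN{FS=OFS=","}` or with `-F',' -v OFS=','`. More generally, only matching rows are printed, so any entry that is neither net nor a host whose openssl output contains 'Encrypted' or 'error' (for example a missing .p12 with different output) is dropped from the file; print every row and change only field 43. The `mv` and `chown` sit outside the `if [ -s ... ]` block, so they run even when no ovpnconfig.new was produced, and `>>` appends to any ovpnconfig.new left over from an earlier run; create the file fresh and move it inside the guard. `grep 'error'` treats every openssl failure as "password present", `/host/` matches the word anywhere in the line rather than in field 5, and the unquoted `$(awk ...)` and `${y}` break on names containing whitespace. The comments refer to index [43] while the commit message and ovpnmain.cgi refer to index 41; a short comment explaining the offset would avoid confusion.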
-- 
2.40.1

