From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
Date: Mon, 25 Sep 2023 18:41:56 +0200
Message-ID: <20230925164204.3500045-6-adolf.belka@ipfire.org>
In-Reply-To: <20230925164204.3500045-1-adolf.belka@ipfire.org>

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption.
- Then it cycles through all .p12 files and checks with openssl if a password exists or not. If a password is present then pass is added to index 41 and if not then no-pass is added to index 41.
- I had to add a blank line to the top of the ovpnconfig file, otherwise the awk code treated the first line as a blank line and missed it out of the update. This was the problem that was discovered during the previous Testing Release evaluation. Tested out this time with several existing entries, both encrypted and insecure, and with additional entries of both added in afterwards, and all connection entries were maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update with Core Update 175 but leave it till later. This code works fine on code that already has pass or no-pass entered into index 41 in ovpnconfig.

Fixes: Bug#11048
Suggested-by: Erik Kapfer
Suggested-by: Adolf Belka
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/rootfiles/core/180/update.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/config/rootfiles/core/180/update.sh b/config/rootfiles/core/180/update.sh
index b538832bf..1f74e2f98 100644
--- a/config/rootfiles/core/180/update.sh
+++ b/config/rootfiles/core/180/update.sh
@@ -65,6 +65,33 @@ fi /etc/rc.d/init.d/udev restart /etc/rc.d/init.d/suricata restart =20 +## Modify ovpnconfig according to bug 11048 for pass, no-pass modification i= n ovpnconfig index +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Add blank line at top of ovpnconfig otherwise the first roadwarrior= entry is treated like a blank line and missed out from update + awk 'NR=3D=3D1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/= ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig + + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=3DOFS=3D","} {if($5=3D=3D"net") {$43=3D"no-pass"; print $0}}= ' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + # Evaluate roadwarrior connection names for *.p12 files + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfi= g); do + # Sort all unencrypted roadwarriors out and set 'no-pass' in [43]= index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${= y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then + awk -v var=3D"$y" '{FS=3DOFS=3D","} {if($3=3D=3Dvar) = {$43=3D"no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn= /ovpnconfig.new + fi + # Sort all encrypted roadwarriors out and set 'pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${= y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then + awk -v var=3D"$y" '{FS=3DOFS=3D","} {if($3=3D=3Dvar) = {$43=3D"pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ov= pnconfig.new + fi + done +fi + +# Replace existing ovpnconfig with updated index +mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig +# Set correct ownership +chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + # This update needs a reboot... #touch /var/run/need_reboot =20 --=20 2.42.0 --===============1907152919224189032==--
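Review bot: Assigning FS inside the main awk action (`awk '{FS=OFS=","} {if($5=="net") ...}'`, and the same pattern in the three other awk calls) only takes effect from the second record onward, so the first line of ovpnconfig is still split on whitespace, its $3/$5 are empty and it matches nothing; that is the "first roadwarrior entry is treated like a blank line" symptom, and the `awk 'NR==1{print ""}1'` blank-line insertion only papers over it. Put the assignment in a BEGIN block instead (`awk 'BEGIN{FS=OFS=","} $5=="net"{$43="no-pass"; print}'`) and drop the blank-line workaround and the extra temp file. Second, ovpnconfig.new is assembled only from lines that match one of the branches, so a roadwarrior whose .p12 file is missing, or for which openssl prints neither 'Encrypted data' nor 'verify error', is silently dropped from the rewritten file; add a fall-through that appends such lines unchanged, or process each line once and always emit it. Third, the `mv /var/ipfire/ovpn/ovpnconfig.new ...` and the chown sit outside the `if [ -s ... ]`, so on a system with no or an empty ovpnconfig the mv errors on a file that was never created; move both inside the if. Minor: openssl is invoked twice per certificate with identical arguments, capture the output once; and the commit message says index 41 while the awk code writes field $43, please make the two agree.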