From patchwork Wed May 17 09:56:52 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6867
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 5/5] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
Date: Wed, 17 May 2023 11:56:52 +0200
Message-Id: <20230517095652.8248-5-adolf.belka@ipfire.org>
In-Reply-To: <20230517095652.8248-1-adolf.belka@ipfire.org>
References: <20230517095652.8248-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development"

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption.
- Then it cycles through all .p12 files and checks with openssl if a password exists or not. If a password is present then pass is added to index 41 and if not then no-pass is added to index 41.
- This code should be left in update.sh for future Core Updates in case people don't update with Core Update 175 but leave it till later. This code works fine on code that already has pass or no-pass entered into index 41 in ovpnconfig.

Fixes: Bug#11048
Suggested-by: Erik Kapfer
Suggested-by: Adolf Belka
Tested-by: Erik Kapfer
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/rootfiles/core/175/update.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 03ce4a93d..8ed34f39e 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -175,6 +175,30 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi +## Modify ovpnconfig according to bug 11048 for pass, no-pass modification in ovpnconfig index +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + # Evaluate roadwarrior connection names for *.p12 files + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + # Sort all encrypted roadwarriors out and set 'pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'error') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + done +fi + +# Replace existing ovpnconfig with updated index +mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig +# Set correct ownership +chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + # This update needs a reboot... touch /var/run/need_reboot
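Review bot: the rewrite of ovpnconfig can silently lose or duplicate records, because each of the three `awk '{FS=OFS=","} ...'` invocations prints only the records matching its own filter into ovpnconfig.new and nothing carries the rest over. `FS=OFS=","` is set inside the per-record action rather than in a `BEGIN` block (or via `-F','`), so the first record has already been split on the default whitespace FS when `$5` and `$3` are tested and it matches none of the filters; a host connection whose `openssl pkcs12` output contains neither 'Encrypted' nor 'error' is dropped the same way, a connection whose .p12 file is missing is classified as 'pass' because the file-open error also matches `grep 'error'`, and a connection whose output contains both words is written twice. Suggest one pass that rewrites every record and keeps the other fields intact, e.g. `awk -F',' -v OFS=',' '$5=="net" {$43="no-pass"} {print}'` for the N2N case, and, for the roadwarrior loop, only the `$43` field of the matching record with a `{print}` default for all others; the `mv` and `chown` lines should also move inside the `if [ -s ... ]` so `mv` does not fail when ovpnconfig is absent or empty, and ovpnconfig.new should be created fresh there rather than appended to with `>>`, which duplicates entries if a leftover file exists from an earlier run. Also, the commit message says the flag goes into index 41 while the hunk sets `$43`; the two should agree.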