From patchwork Mon Sep 25 16:41:56 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7252
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
Date: Mon, 25 Sep 2023 18:41:56 +0200
Message-ID: <20230925164204.3500045-6-adolf.belka@ipfire.org>
In-Reply-To: <20230925164204.3500045-1-adolf.belka@ipfire.org>
References: <20230925164204.3500045-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption.
- Then it cycles through all .p12 files and checks with openssl if a password exists or not. If a password is present then pass is added to index 41 and if not then no-pass is added to index 41.
- I had to add a blank line to the top of the ovpnconfig file, otherwise the awk code treated the first line as a blank line and missed it out of the update. This was the problem that was discovered during the previous Testing Release evaluation. Tested out this time with several existing entries, both encrypted and insecure, and with additional entries of both added in afterwards, and all connection entries were maintained, road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update with Core Update 175 but leave it till later. This code works fine on code that already has pass or no-pass entered into index 41 in ovpnconfig.

Fixes: Bug#11048
Suggested-by: Erik Kapfer
Suggested-by: Adolf Belka
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/rootfiles/core/180/update.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/config/rootfiles/core/180/update.sh b/config/rootfiles/core/180/update.sh
index b538832bf..1f74e2f98 100644
--- a/config/rootfiles/core/180/update.sh
+++ b/config/rootfiles/core/180/update.sh
@@ -65,6 +65,33 @@ fi /etc/rc.d/init.d/udev restart /etc/rc.d/init.d/suricata restart +## Modify ovpnconfig according to bug 11048 for pass, no-pass modification in ovpnconfig index +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update + awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig + + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + # Evaluate roadwarrior connection names for *.p12 files + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + # Sort all encrypted roadwarriors out and set 'pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + done +fi + +# Replace existing ovpnconfig with updated index +mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig +# Set correct ownership +chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + # This update needs a reboot... #touch /var/run/need_reboot
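Review bot: any record that matches neither branch is silently dropped from ovpnconfig.new. The three awk passes only print lines where `$5=="net"` or `$3==var`, so a host connection whose .p12 file is missing, or whose `openssl pkcs12` output contains neither 'Encrypted data' nor 'verify error' (for example a file OpenSSL refuses to open at all), never reaches the new file, and the unconditional `mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig` then deletes that VPN connection; please add a fallthrough that copies unmatched lines unchanged and consider comparing record counts before the mv. The root cause of the first-line problem is `{FS=OFS=","}` in the main action, which only takes effect from the second record, so the `awk 'NR==1{print ""}1'` blank-line pass is a workaround; `BEGIN{FS=OFS=","}` (or `-F,`) removes the need for it. The roadwarrior loop selects names with `/host/`, which matches anywhere on the line, so a net connection whose name contains 'host' is also fed to the openssl check and can be appended a second time; `$5=="host"` mirrors the net2net test. The `mv` and `chown` sit outside the `if [ -s ... ]` block, so a system with no ovpnconfig logs an mv error during the update. Finally, the commit message says index 41 while the awk code writes `$43` (zero-based index 42); please confirm which field is intended.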
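The migration described in the commit message (mark net2net connections no-pass, probe each roadwarrior .p12 with openssl, write the result into one CSV field), written out as an added example that is not part of the patch or of IPFire's update.sh. It assumes the same layout the patch relies on: field 3 is the connection name, field 5 is "host" or "net", and the roadwarrior PKCS#12 file is CERTDIR/<name>.p12. It differs from the patch in three practitioner-relevant ways: records it cannot classify are passed through unchanged instead of being dropped, FS is set in awk's BEGIN block so the first record needs no blank-line workaround, and the in-place variant refuses to replace the file when the record count changed.

```shell
#!/bin/sh
# Added example, not IPFire's update.sh: migrate an ovpnconfig CSV so that
# one field carries "pass" / "no-pass" per connection, keeping every record
# that cannot be classified. Assumed layout (as in the patch): field 3 is
# the connection name, field 5 is "host" (roadwarrior) or "net" (net2net),
# and the roadwarrior PKCS#12 file lives at CERTDIR/<name>.p12.

# Classify one PKCS#12 file. Prints "no-pass" when it opens with an empty
# passphrase, "pass" when the MAC check rejects the empty passphrase, and
# "unknown" (exit 1) for a missing file or any other openssl failure, e.g.
# a legacy-cipher file that a newer OpenSSL refuses without -legacy.
p12_class() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 1; }
    rc=0
    out=$(openssl pkcs12 -info -in "$f" -noout -password pass:'' 2>&1 </dev/null) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo no-pass
    else
        case "$out" in
            *"verify error"*) echo pass ;;
            *) echo unknown; return 1 ;;
        esac
    fi
}

# Read ovpnconfig records on stdin, write the migrated records to stdout.
#   $1 CERTDIR, $2 target field number, $3 classifier (default p12_class;
#   a test can inject a fake one so no openssl or key material is needed).
# FS/OFS are set in BEGIN so the first record is split correctly; setting
# them in the main action only applies from the second record onward.
migrate() {
    certdir="$1"; field="$2"; classify="${3:-p12_class}"
    while IFS= read -r line || [ -n "$line" ]; do   # also keep an unterminated last line
        name=$(printf '%s\n' "$line" | cut -d, -f3)
        type=$(printf '%s\n' "$line" | cut -d, -f5)
        case "$type" in
            net)  value=no-pass ;;                 # net2net: no passphrase on the p12
            host) value=$("$classify" "$certdir/$name.p12") || value=unknown ;;
            *)    value=unknown ;;                 # blank or foreign record
        esac
        if [ "$value" = unknown ]; then
            printf '%s\n' "$line"                  # pass through untouched
        else
            printf '%s\n' "$line" |
                awk -v v="$value" -v f="$field" 'BEGIN{FS=OFS=","} {$f=v; print}'
        fi
    done
}

# In-place variant: write CFG.new, then replace CFG only if the record count
# is unchanged, so a bug in the rewrite cannot silently delete a VPN.
migrate_file() {
    cfg="$1"; certdir="$2"; field="$3"; classify="${4:-p12_class}"
    [ -s "$cfg" ] || return 0                      # absent or empty: nothing to do
    migrate "$certdir" "$field" "$classify" <"$cfg" >"$cfg.new" || { rm -f "$cfg.new"; return 1; }
    before=$(grep -c '' "$cfg" || true)
    after=$(grep -c '' "$cfg.new" || true)
    if [ "$before" -ne "$after" ]; then
        echo "refusing to replace $cfg: $before records in, $after out" >&2
        rm -f "$cfg.new"
        return 1
    fi
    mv "$cfg.new" "$cfg"
}
```

Usage on a real box would be `migrate_file /var/ipfire/ovpn/ovpnconfig /var/ipfire/ovpn/certs 43` followed by the ownership fix from the patch; the classifier relies on openssl's exit status rather than on grepping its text, and anything it cannot open is left alone and reported rather than rewritten.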