Skip to content

O
OpnSense
Commit 330e1577 authored by Ad Schellevis's avatar Ad Schellevis
Browse files
Options

(legacy) spaces and curly braces in openvpn-client-export.inc

parent d7dfa801
Show whitespace changes
Inline Side-by-side
Showing with 899 additions and 863 deletions
src/etc/inc/openvpn-client-export.inc
View file @ 330e1577
......@@ -33,13 +33,15 @@ global $current_openvpn_version, $current_openvpn_version_rev;
$current_openvpn_version = "2.3.6";
$current_openvpn_version_rev = "01";
function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null)
{
global $config;
// lookup server settings
$settings = $config['openvpn']['openvpn-server'][$srvid];
if (empty($settings))
if (empty($settings)) {
return false;
}
if (!empty($settings['disable'])) {
return false;
}
......@@ -58,7 +60,8 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
return "{$host}-{$prot}-{$port}{$filename_addition}";
}
function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $capath = false) {
function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $capath = false)
{
$eoutpath = escapeshellarg($outpath);
$eoutpass = escapeshellarg($outpass);
$ecrtpath = escapeshellarg($crtpath);
......@@ -66,13 +69,15 @@ function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $cap
if ($capath) {
$ecapath = escapeshellarg($capath);
exec("/usr/local/bin/openssl pkcs12 -export -in {$ecrtpath} -inkey {$ekeypath} -certfile {$ecapath} -out {$eoutpath} -passout pass:{$eoutpass}");
} else
} else {
exec("/usr/local/bin/openssl pkcs12 -export -in {$ecrtpath} -inkey {$ekeypath} -out {$eoutpath} -passout pass:{$eoutpass}");
}
unlink($crtpath);
unlink($keypath);
if ($capath)
if ($capath) {
unlink($capath);
}
}
function openvpn_client_export_validate_config($srvid, $usrid, $crtid)
......@@ -93,8 +98,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid)
// lookup server certificate info
$server_cert = lookup_cert($settings['certref']);
if (!$server_cert)
{
if (!$server_cert) {
$input_errors[] = gettext("Could not locate server certificate.");
} else {
$server_ca = ca_chain($server_cert);
......@@ -123,18 +127,22 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid)
$input_errors[] = gettext("Could not find client certificate.");
} else {
// If $cert is not an array, it's a certref not a cert.
if (!is_array($cert))
if (!is_array($cert)) {
$cert = lookup_cert($cert);
}
}
} elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) {
$cert = $config['cert'][$crtid];
if (!$cert)
if (!$cert) {
$input_errors[] = gettext("Could not find client certificate.");
} else
}
} else {
$nokeys = true;
}
if ($input_errors)
if ($input_errors) {
return false;
}
return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys);
}
......@@ -161,28 +169,31 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
// add basic settings
$devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode'];
if (($expformat != "inlinedroid") && ($expformat != "inlineios"))
if (($expformat != "inlinedroid") && ($expformat != "inlineios")) {
$conf .= "dev {$devmode}{$nl}";
if(!empty($settings['tunnel_networkv6']) && ($expformat != "inlinedroid") && ($expformat != "inlineios")) {
}
if (!empty($settings['tunnel_networkv6']) && ($expformat != "inlinedroid") && ($expformat != "inlineios")) {
$conf .= "tun-ipv6{$nl}";
}
$conf .= "persist-tun{$nl}";
$conf .= "persist-key{$nl}";
// if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp"))
// $conf .= "proto tcp-client{$nl}";
// if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp"))
// $conf .= "proto tcp-client{$nl}";
$conf .= "cipher {$cipher}{$nl}";
$conf .= "auth {$digest}{$nl}";
$conf .= "tls-client{$nl}";
$conf .= "client{$nl}";
if (($expformat != "inlinedroid") && ($expformat != "inlineios"))
if (($expformat != "inlinedroid") && ($expformat != "inlineios")) {
$conf .= "resolv-retry infinite{$nl}";
}
$conf .= "$remotes{$nl}";
/* Use a random local port, otherwise two clients will conflict if they run at the same time.
May not be supported on older clients (Released before May 2010) */
if (($randomlocalport != 0) && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom"))
if (($randomlocalport != 0) && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) {
$conf .= "lport 0{$nl}";
}
/* This line can cause problems with auth-only setups and also with Yealink/Snom phones
since they are stuck on an older OpenVPN version that does not support this feature. */
......@@ -205,18 +216,19 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
if (!empty($proxy)) {
if ($proxy['proxy_type'] == "http") {
if (strtoupper(substr($settings['protocol'], 0, 3)) == "UDP") {
$input_errors[] = gettext("This server uses UDP protocol and cannot communicate with HTTP proxy.");
return;
}
$conf .= "http-proxy {$proxy['ip']} {$proxy['port']} ";
}
if ($proxy['proxy_type'] == "socks")
if ($proxy['proxy_type'] == "socks") {
$conf .= "socks-proxy {$proxy['ip']} {$proxy['port']} ";
}
if ($proxy['proxy_authtype'] != "none") {
if (!isset($proxy['passwdfile']))
if (!isset($proxy['passwdfile'])) {
$proxy['passwdfile'] = openvpn_client_export_prefix($srvid, $usrid, $crtid) . "-proxy";
}
$conf .= " {$proxy['passwdfile']} {$proxy['proxy_authtype']}";
}
$conf .= "{$nl}";
......@@ -233,7 +245,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
// add key settings
$prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid);
$cafile = "{$prefix}-ca.crt";
if($nokeys == false) {
if ($nokeys == false) {
if ($expformat == "yealink_t28") {
$conf .= "ca /yealink/config/openvpn/keys/ca.crt{$nl}";
$conf .= "cert /yealink/config/openvpn/keys/client1.crt{$nl}";
......@@ -257,22 +269,24 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
$conf .= "pkcs12 {$prefix}.p12{$nl}";
}
} else if ($settings['mode'] == "server_user") {
if (substr($expformat, 0, 6) != "inline")
if (substr($expformat, 0, 6) != "inline") {
$conf .= "ca {$cafile}{$nl}";
}
}
if ($settings['tls'] && !$skiptls) {
if ($expformat == "yealink_t28")
if ($expformat == "yealink_t28") {
$conf .= "tls-auth /yealink/config/openvpn/keys/ta.key 1{$nl}";
elseif ($expformat == "yealink_t38g")
} elseif ($expformat == "yealink_t38g") {
$conf .= "tls-auth /phone/config/openvpn/keys/ta.key 1{$nl}";
elseif ($expformat == "yealink_t38g2")
} elseif ($expformat == "yealink_t38g2") {
$conf .= "tls-auth /config/openvpn/keys/ta.key 1{$nl}";
elseif ($expformat == "snom")
} elseif ($expformat == "snom") {
$conf .= "tls-auth /openvpn/ta.key 1{$nl}";
elseif (substr($expformat, 0, 6) != "inline")
} elseif (substr($expformat, 0, 6) != "inline") {
$conf .= "tls-auth {$prefix}-tls.key 1{$nl}";
}
}
// Prevent MITM attacks by verifying the server certificate.
// - Disable for now, it requires the server cert to include special options
......@@ -347,11 +361,12 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifys
// convert to pkcs12 format
$p12file = "{$tempdir}/{$prefix}.p12";
if ($usetoken)
if ($usetoken) {
openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile);
else
} else {
openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile);
}
}
$command = "cd " . escapeshellarg("{$tempdir}/..")
. " && /usr/local/bin/zip -r "
. escapeshellarg("/tmp/{$prefix}-config.zip")
......@@ -478,15 +493,17 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $veri
// create config directory
$confdir = "{$tempdir}/config";
if (!is_dir($conf_dir))
if (!is_dir($conf_dir)) {
mkdir($confdir, 0700, true);
}
// copy the template directory
exec("cp -r {$workdir}/template/* {$tempdir}");
// and put the required installer exe in place
exec("/bin/cp {$tempdir}/{$client_install_exe} {$tempdir}/openvpn-install.exe");
if (stristr($openvpn_version, "x64"))
if (stristr($openvpn_version, "x64")) {
rename("{$tempdir}/openvpn-postinstall64.exe", "{$tempdir}/openvpn-postinstall.exe");
}
// write configuration file
$prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid);
......@@ -520,36 +537,39 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $veri
file_put_contents($keyfile, base64_decode($cert['prv']));
// convert to pkcs12 format
$p12file = "{$tempdir}/config/{$prefix}.p12";
if ($usetoken)
if ($usetoken) {
openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile);
else
} else {
openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile);
}
}
// 7zip the configuration data
chdir($tempdir);
$files = "config ";
if ($openvpnmanager)
if ($openvpnmanager) {
$files .= "openvpnmanager ";
}
$files .= "openvpn-install.exe ";
$files .= "openvpn-postinstall.exe ";
if ($usetoken)
if ($usetoken) {
$procchain = ';!@Install@!UTF-8!
RunProgram="openvpn-postinstall.exe /Import"
;!@InstallEnd@!'
;
else
} else {
$procchain = ';!@Install@!UTF-8!
RunProgram="openvpn-postinstall.exe"
;!@InstallEnd@!'
;
;!@InstallEnd@!';
}
file_put_contents("{$tempdir}/7zipConfig",$procchain);
if(file_exists("/usr/pbi/p7zip-{$uname_p}/bin/7z"))
if (file_exists("/usr/pbi/p7zip-{$uname_p}/bin/7z")) {
exec("/usr/pbi/p7zip-{$uname_p}/bin/7z -y a archive.7z {$files}");
else
} else {
exec("/usr/local/libexec/p7zip/7z -y a archive.7z {$files}");
}
// create the final installer
$outfile = "{$tempdir}-install.exe";
......@@ -597,15 +617,17 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead
}
$conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, true, $proxy, "baseconf", $outpass, true, true, $openvpnmanager, $advancedoptions);
if (!$conf)
if (!$conf) {
return false;
}
// We need to nuke the ca line from the above config if it exists.
$conf = explode("\n", $conf);
for ($i=0; $i < count($conf); $i++) {
if ((substr($conf[$i], 0, 3) == "ca ") || (substr($conf[$i], 0, 7) == "pkcs12 "))
if ((substr($conf[$i], 0, 3) == "ca ") || (substr($conf[$i], 0, 7) == "pkcs12 ")) {
unset($conf[$i]);
}
}
$conf = implode("\n", $conf);
$friendly_name = $settings['description'];
......@@ -638,7 +660,6 @@ EOF;
file_put_contents($cafile, $server_ca);
if ($settings['mode'] != "server_user") {
// write user .crt
$crtfile = "{$tempdir}/cert.crt";
file_put_contents($crtfile, base64_decode($cert['crt']));
......@@ -666,16 +687,16 @@ EOF;
}
// Zip Viscosity file
if(file_exists("/usr/pbi/zip-{$uname_p}/bin/zip"))
if (file_exists("/usr/pbi/zip-{$uname_p}/bin/zip")) {
exec("cd {$tempdir}/.. && /usr/pbi/zip-{$uname_p}/bin/zip -r {$zipfile} Viscosity.visc");
else
} else {
exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$zipfile} Viscosity.visc");
}
// Remove temporary directory
exec("rm -rf {$tempdir}");
return $zipfile;
}
function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipconf = false)
......@@ -699,31 +720,35 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco
if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) {
$server_host = $settings['ipaddr'];
} else {
if (!$interface)
if (!$interface) {
$interface = "wan";
if (in_array(strtolower($settings['protocol']), array("udp6", "tcp6")))
}
if (in_array(strtolower($settings['protocol']), array("udp6", "tcp6"))) {
$server_host = get_interface_ipv6($interface);
else
} else {
$server_host = get_interface_ip($interface);
}
} else if ($useaddr == "serverhostname" || empty($useaddr)) {
}
} elseif ($useaddr == "serverhostname" || empty($useaddr)) {
$server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}.";
$server_host .= "{$config['system']['domain']}";
} else
} else {
$server_host = $useaddr;
}
$server_port = $settings['local_port'];
$proto = strtolower($settings['protocol']);
if (strtolower(substr($settings['protocol'], 0, 3)) == "tcp")
if (strtolower(substr($settings['protocol'], 0, 3)) == "tcp") {
$proto .= "-client";
}
$cipher = $settings['crypto'];
$digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1";
// add basic settings
$conf = "dev tun\n";
if(! empty($settings['tunnel_networkv6'])) {
if (! empty($settings['tunnel_networkv6'])) {
$conf .= "tun-ipv6\n";
}
$conf .= "persist-tun\n";
......@@ -758,11 +783,13 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco
}
$conf .= "http-proxy {$proxy['ip']} {$proxy['port']} ";
}
if ($proxy['proxy_type'] == "socks")
if ($proxy['proxy_type'] == "socks") {
$conf .= "socks-proxy {$proxy['ip']} {$proxy['port']} ";
}
if ($proxy['proxy_authtype'] != "none") {
if (!isset($proxy['passwdfile']))
if (!isset($proxy['passwdfile'])) {
$proxy['passwdfile'] = openvpn_client_export_prefix($srvid) . "-proxy";
}
$conf .= " {$proxy['passwdfile']} {$proxy['proxy_authtype']}";
}
$conf .= "\n";
......@@ -774,10 +801,12 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco
$conf .= "secret {$shkeyfile}\n";
// add optional settings
if ($settings['compression'])
if ($settings['compression']) {
$conf .= "comp-lzo\n";
if ($settings['passtos'])
}
if ($settings['passtos']) {
$conf .= "passtos\n";
}
if ($zipconf == true) {
// create template directory
......@@ -789,16 +818,18 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco
$shkeyfile = "{$tempdir}/{$shkeyfile}";
file_put_contents("{$shkeyfile}", base64_decode($settings['shared_key']));
if(file_exists("/usr/pbi/zip-{$uname_p}/bin/zip"))
if (file_exists("/usr/pbi/zip-{$uname_p}/bin/zip")) {
exec("cd {$tempdir}/.. && /usr/pbi/zip-{$uname_p}/bin/zip -r /tmp/{$prefix}-config.zip {$prefix}");
else
} else {
exec("cd {$tempdir}/.. && /usr/local/bin/zip -r /tmp/{$prefix}-config.zip {$prefix}");
}
// Remove temporary directory
exec("rm -rf {$tempdir}");
return "{$prefix}-config.zip";
} else
} else {
return $conf;
}
}
function openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl) {
......@@ -809,25 +840,30 @@ function openvpn_client_export_build_remote_lines($settings, $useaddr, $interfac
if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) {
$server_host = $settings['ipaddr'];
} else {
if (!$interface || ($interface == "any"))
if (!$interface || ($interface == "any")) {
$interface = "wan";
if (in_array(strtolower($settings['protocol']), array("udp6", "tcp6")))
}
if (in_array(strtolower($settings['protocol']), array("udp6", "tcp6"))) {
$server_host = get_interface_ipv6($interface);
else
} else {
$server_host = get_interface_ip($interface);
}
}
} else if ($useaddr == "serverhostname" || empty($useaddr)) {
$server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}.";
$server_host .= "{$config['system']['domain']}";
} else
} else {
$server_host = $useaddr;
}
$proto = strtolower($settings['protocol']);
if (strtolower(substr($settings['protocol'], 0, 3)) == "tcp")
if (strtolower(substr($settings['protocol'], 0, 3)) == "tcp") {
$proto .= "-client";
}
if (($expformat == "inlineios") && ($proto == "tcp-client"))
if (($expformat == "inlineios") && ($proto == "tcp-client")) {
$proto = "tcp";
}
if (($useaddr == "servermagic") || ($useaddr == "servermagichost")) {
$destinations = openvpn_client_export_find_port_forwards($server_host, $settings['local_port'], $proto, true, ($useaddr == "servermagichost"));
......@@ -878,25 +914,24 @@ function openvpn_client_export_find_port_forwards($targetip, $targetport, $targe
$dstaddr_port = explode(" ", $dstaddr);
if(empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port")
if (empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port") {
continue; // Skip port forward if no destination address found
if (!is_ipaddr($dstaddr_port[0]))
}
if (!is_ipaddr($dstaddr_port[0])) {
continue; // We can only work with single IPs, not subnets!
if ($skipprivate && is_private_ip($dstaddr_port[0]))
}
if ($skipprivate && is_private_ip($dstaddr_port[0])) {
continue; // Skipping a private IP destination!
}
$dest['host'] = $dstaddr_port[0];
if ($findhostname) {
$hostname = openvpn_client_export_find_hostname($natif);
if (!empty($hostname))
if (!empty($hostname)) {
$dest['host'] = $hostname;
}
}
$destinations[] = $dest;
}
}
......@@ -912,15 +947,16 @@ function openvpn_client_export_find_hostname($interface)
if (isset($config['dyndnses']['dyndns'])) {
foreach ($config['dyndnses']['dyndns'] as $ddns) {
if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host']))
if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) {
return $ddns['host'];
}
}
}
if (isset($config['dnsupdates']['dnsupdate'])) {
foreach ($config['dnsupdates']['dnsupdate'] as $ddns) {
if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host']))
if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) {
return $ddns['host'];
}
}
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023