security/openconnect: release 1.3.2

security/openconnect/Makefile

@@ -1,6 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=     1
+PLUGIN_VERSION=		1.3.2
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

security/openconnect/src/etc/rc.d/opnsense-openconnect

@@ -24,7 +24,6 @@ secret=/usr/local/etc/openconnect.secret
 
 [ -z "$openconnect_enable" ] && openconnect_enable="NO"
 
-# status of openconnect
 openconnect_status()
 {
 	 if [ -n "$rc_pid" ]; then
@@ -35,16 +34,17 @@ openconnect_status()
 	 fi
 }
 
-# stop openconnect
 openconnect_stop()
 {
-	echo "stopping openconnect"
-	killall openconnect
-	ifconfig ocvpn0 destroy
-	return 0
+        if [ -n "$rc_pid" ]; then
+            echo "stopping openconnect"
+            ifconfig ocvpn0 name tun30000
+            kill -2 ${rc_pid}
+        else
+            echo "${name} is not running."
+        fi
 }
 
-# start openconnect
 openconnect_start()
 {
         echo "starting openconnect"

security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml

@@ -35,4 +35,16 @@
         <type>dropdown</type>
         <help>Select the type of hash. Possible values are SHA256 or SHA1.</help>
     </field>
+    <field>
+        <id>general.group</id>
+        <label>Group Name</label>
+        <type>text</type>
+        <help>When using profiles for group separation please set here.</help>
+    </field>
+    <field>
+        <id>general.clientcertificate</id>
+        <label>Client Certificate</label>
+        <type>dropdown</type>
+        <help>Select the client certificate to use.</help>
+    </field>
 </form>

security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml

@@ -37,5 +37,14 @@
                     <sha1>SHA1</sha1>
                 </OptionValues>
         </hash>
+        <group type="TextField">
+            <Required>N</Required>
+            <mask>/^[a-zA-Z0-9]{1,64}$/</mask>
+            <ValidationMessage>Only a-zA-Z0-9 are allowed.</ValidationMessage>
+        </group>
+        <clientcertificate type="CertificateField">
+            <Type>cert</Type>
+            <Required>N</Required>
+        </clientcertificate>
     </items>
 </model>

security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php

@@ -0,0 +1,80 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2015 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$cert_pem_filename = '/usr/local/etc/openconnect_cert.pem';
+$cert_pem_content = '';
+
+$key_pem_filename = '/usr/local/etc/openconnect_key.pem';
+$key_pem_content = '';
+
+// traverse Openconnect plugin for certficiates
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->openconnect)) {
+    foreach ($configObj->OPNsense->openconnect->children() as $find_cert) {
+        $cert_refid = (string)$find_cert->clientcertificate;
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$cert->crt)
+                    )));
+                    $pem_content .= "\n";
+                    $cert_pem_content .= $pem_content;
+
+                    $key_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$cert->prv))
+                    ));
+                    $key_content .= "\n";
+                    $key_pem_content .= $key_content;
+                }
+            }
+        }
+    }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($key_pem_filename, $key_pem_content);
+chmod($key_pem_filename, 0600);
+echo "Keys generated $key_pem_filename\n";

security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/opnsense/scripts/OPNsense/Openconnect/generate_certs.php

security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf

@@ -1,23 +1,23 @@
 [stop]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0
+command:/usr/local/etc/rc.d/opnsense-openconnect onestop; exit 0
 parameters:
 type:script_output
 message:stop openconnect
 
 [start]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:/usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh; /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:start openconnect
 
 [restart]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:/usr/local/etc/rc.d/opnsense-openconnect onestop; /usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh; /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:restart openconnect
 
 [status]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect status
+command:/usr/local/etc/rc.d/opnsense-openconnect status; exit 0
 parameters:
 type:script_output
 message:openconnect status

security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf

@@ -7,8 +7,16 @@ background
 quiet
 interface=tun30000
 syslog
+non-inter
 passwd-on-stdin
 {%   if helpers.exists('OPNsense.openconnect.general.servercert') and OPNsense.openconnect.general.servercert != '' %}
 servercert={{ OPNsense.openconnect.general.hash }}:{{ OPNsense.openconnect.general.servercert }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.group') and OPNsense.openconnect.general.group != '' %}
+authgroup={{ OPNsense.openconnect.general.group }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.clientcertificate') and OPNsense.openconnect.general.clientcertificate != '' %}
+certificate=/usr/local/etc/openconnect_cert.pem
+sslkey=/usr/local/etc/openconnect_key.pem
+{%   endif %}
 {% endif %}