From: Adolf Belka Date: Tue, 1 Apr 2025 18:07:57 +0000 (+0200) Subject: vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls X-Git-Tag: v2.29-core194~13^2~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65434dcc7bc297e7d2feabd68f93de1eace598f3;p=ipfire-2.x.git vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls - This first part removes all usages of &cleanssldatabase with the client certificates. This is not needed here. If used then the serial number would be moved back to 01 when an existing client certificate is removged or a new one created, even if no errors occurred. - The usage of &cleanssldatabase has also been removed from the root/host cert creation if it was successful, otherwise the index file is moved back to being empty and the serial file to containing 01. - The only usage now of the &cleanssldatabase is for when the root/host cert set is being created or if an uploaded cert has been checked as good to install. - This now means that each time a new client certificate is created the serial number is incremented. - The removal of the x509 root/host cert also unlinks all .pem files in the certs directory and therefore also all the 01.pem, 02.pem etc files so the &cleanssldatabase routine no longer needs to unlink the 01.pem file - The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands used covers the required cleaning, so it has been removed. - This patch together with the others from this set have been tested out on my vm system and I was able to create a new root/host cert set and then new client certs and make an ipsec certificate connection successfully. I could then renew the host cert and the client connection still worked. Fixes: bug13737 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer --- diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e30506fdf..85119a81d 100644 --- a/html/cgi-bin/vpnmain.cgi 
+++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -200,27 +200,6 @@ sub cleanssldatabase { unlink ("${General::swroot}/certs/index.txt.old"); unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); -} -sub newcleanssldatabase { - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - open(FILE, ">${General::swroot}/certs/index.txt"); - close(FILE); - } - if (! -s ">${General::swroot}/certs/index.txt.attr") { - open(FILE, ">${General::swroot}/certs/index.txt.attr"); - print FILE "unique_subject = yes"; - close(FILE); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/index.txt.attr.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } ### @@ -889,8 +868,6 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &newcleanssldatabase(); - if (-f "${General::swroot}/ca/cacert.pem") { $errormessage = $Lang::tr{'valid root certificate already exists'}; goto ROOTCERT_SKIP; @@ -1004,7 +981,6 @@ END # IPFire can only import certificates &General::log("charon", "p12 import completed!"); - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { 
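Review bot: The narrowed contract of cleanssldatabase is stated only in the commit message; the sub itself (its head is above this hunk, only its tail is visible here) carries no comment saying that it rewinds the CA database to an empty index.txt and a serial of 01 and must therefore run only when the root/host CA is created or replaced. The next person who adds a call back into a client-certificate path would silently reissue serial numbers under the same CA, which is the defect bug13737 describes. I would put a header comment on the sub: `# Reset the CA database (index.txt, index.txt.attr, serial) to an empty state with serial 01.` / `# Call only when the root/host CA is created or replaced; running it after client-cert` / `# operations rewinds the serial and the CA then issues duplicate serials (bug13737).` The remaining `.old` unlinks at the end of the hunk are unaffected by this.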
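Review bot: With `&newcleanssldatabase();` removed ahead of the cacert.pem existence check here, and the post-success `&cleanssldatabase();` calls removed in the @@ -1004 (p12 import) and @@ -1170 (CA/CERT build) hunks, this diff no longer shows any call that initialises certs/serial and certs/index.txt on the generation or import path. The description says cleanssldatabase still runs when the root/host set is created or a checked upload is installed, so presumably that call sits in a part of the handler outside these hunks; it is worth confirming that it runs before openssl is invoked, because on a system whose previous CA was removed the serial file may be absent and signing would fail, and that the p12 import path is covered by it too, since otherwise an imported CA inherits the previous CA's index.txt. A short comment at this removal site would save the next reader the same search: `# The CA database is reset by &cleanssldatabase further down the generation path; do not touch it here.` — worded to match where the surviving call actually is. The enclosing elsif block continues past the end of this hunk.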
@@ -1170,7 +1146,6 @@ END # Successfully build CA / CERT! if (!$errormessage) { - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } @@ -1933,11 +1908,9 @@ END if ( $errormessage = &callssl ($opt) ) { unlink ($filename); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); goto VPNCONF_ERROR; } else { unlink ($filename); - &cleanssldatabase(); } $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); @@ -2220,7 +2193,6 @@ END } else { unlink ($v3extname); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); } # Create the pkcs12 file
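Review bot: In the @@ -1933 hunk, once the reset call is gone both branches of `if ( $errormessage = &callssl ($opt) )` start with the identical `unlink ($filename);` and the else branch has nothing else left, so the duplication can be removed: hoist `unlink ($filename);` to the line before the `if`, keep `unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");` and `goto VPNCONF_ERROR;` in the if body, and drop the `} else { ... }` block entirely. The error branch would then read as "on signing failure, remove the half-written certificate and bail", which is easier to audit than two near-identical branches. The @@ -2220 hunk does not have the same shape, since its else branch still removes two files after the change. The surrounding handler starts before and ends after these hunks.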