From 2475d6fb99c0f8ce3fa70769d949aecd100a79f2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 11 Apr 2024 21:02:33 +0200
Subject: [PATCH] ovpnmain.cgi: Include the PKCS12 certificate on config export

Before, OpenVPN did not support PKCS12 files in an embedded format. We extracted the key and the certificate in PEM format instead. This is no longer necessary and therefore we can simply include the file.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 69 +++++----------------------------------
 1 file changed, 9 insertions(+), 60 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index b469fa53f..497ce846c 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2345,6 +2345,8 @@ END
 # RW } else {
+ my $name = $confighash{$cgiparams{'KEY'}}[1];
+
 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
 my $zippathname = "$zippath$zipname";
 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
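Review bot: `$name` is introduced here, but the three lines directly below it still spell out `$confighash{$cgiparams{'KEY'}}[1]`, so the same value is now written two ways inside one block; the new variable should be used there as well, e.g. `my $zipname = "${name}-TO-IPFire.zip";` and `$clientovpn = "${name}-TO-IPFire.ovpn";`. As far as this patch shows, `$name` is only read in the later PKCS12 hunk, and every other reference in the block keeps the long form. The enclosing `else` block starts before and ends after this hunk.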
@@ -2371,48 +2373,6 @@ END
 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
 if ($cgiparams{'MODE'} eq 'insecure') {
 $include_certs = 1;
-
- # Add the CA
- print CLIENTCONF ";ca cacert.pem\r\n";
- $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
-
- # Extract the certificate
- # This system call is safe, because all arguments are passed as an array.
- if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
- }
- } else {
- system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
- }
- }
-
- $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
- print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
-
- # Extract the key
- # This system call is safe, because all arguments are passed as an array.
- if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
- }
- } else {
- system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
- }
- }
-
- $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
- print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
 } else {
 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
@@ -2489,24 +2449,11 @@ END
 print CLIENTCONF "\r\n\r\n";
 close(FILE);
- # Cert
- open(FILE, "<$file_crt");
- print CLIENTCONF "\r\n";
- while () {
- chomp($_);
- print CLIENTCONF "$_\r\n";
- }
- print CLIENTCONF "\r\n\r\n";
- close(FILE);
-
- # Key
- open(FILE, "<$file_key");
- print CLIENTCONF "\r\n";
- while () {
- chomp($_);
- print CLIENTCONF "$_\r\n";
- }
- print CLIENTCONF "\r\n\r\n";
+ # PKCS12
+ open(FILE, "<${General::swroot}/ovpn/certs/${name}.p12");
+ print CLIENTCONF "\r\n";
+ print CLIENTCONF &MIME::Base64::encode_base64(do { local $/; });
+ print CLIENTCONF "\r\n\r\n";
 close(FILE); # TLS auth
@@ -2522,6 +2469,8 @@ END
 } }
+ close(CLIENTCONF);
+
 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
 my $status = $zip->writeToFileNamed($zippathname);
-- 
2.39.5
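Review bot: The new `open(FILE, "<${General::swroot}/ovpn/certs/${name}.p12");` is a two-argument open on a bareword handle with no return check and no `:raw` layer, so a missing or unreadable .p12 silently yields an empty embedded block in the exported config instead of failing the export, and the binary blob is read through whatever default I/O layers are in effect; write it as `open(FILE, '<:raw', "${General::swroot}/ovpn/certs/${name}.p12") or die "Can't open ${name}.p12: $!\n";`. `encode_base64` with a single argument ends its lines with `\n`, while every other line this code writes to CLIENTCONF ends in `\r\n` (the removed loop normalised the PEM lines with `chomp`), so pass the separator explicitly: `print CLIENTCONF MIME::Base64::encode_base64(do { local $/; <FILE> }, "\r\n");`. As rendered on this page the slurp reads `do { local $/; }`, which evaluates to undef, and the two surrounding `print` lines carry only `\r\n`; presumably the `<FILE>` readline and the inline tag strings were lost in rendering, but that is worth confirming against the tree. The `&MIME::Base64::encode_base64(...)` sigil call form is non-idiomatic, and whether `MIME::Base64` is loaded anywhere in this file is not visible in the patch; the fully-qualified call only works if it is. The enclosing block starts before and ends after this hunk, and the patch does not show whether `$name` can be undef here (an unknown KEY would turn the path into `.../certs/.p12`).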
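Review bot: The added `close(CLIENTCONF);` is unchecked, and close is where buffered write errors on the .ovpn surface; since the very next line hands `$tempdir/$clientovpn` to `$zip->addFile`, a failed flush would ship a truncated client config without any error. Check it the way the neighbouring calls do: `close(CLIENTCONF) or die "Can't close $clientovpn: $!\n";`. The enclosing block starts before and ends after this hunk.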