From b832388487e1718bba64a813dde6ea65d64643ea Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 11 Apr 2024 21:02:33 +0200 Subject: [PATCH] ovpnmain.cgi: Include the PKCS12 certificate on config export Before, OpenVPN did not support PKCS12 files in an embedded format. We extracted the key and the certificate in PEM format instead. This is no longer necessary and therefore we can simply include the file. Signed-off-by: Michael Tremer --- html/cgi-bin/ovpnmain.cgi | 69 +++++---------------------------------- 1 file changed, 9 insertions(+), 60 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 638062e6b..ffdbc839e 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2345,6 +2345,8 @@ END # RW } else { + my $name = $confighash{$cgiparams{'KEY'}}[1]; + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip"; my $zippathname = "$zippath$zipname"; $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; @@ -2371,48 +2373,6 @@ END if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { if ($cgiparams{'MODE'} eq 'insecure') { $include_certs = 1; - - # Add the CA - print CLIENTCONF ";ca cacert.pem\r\n"; - $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - - # Extract the certificate - # This system call is safe, because all arguments are passed as an array. - if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } else { - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } - - $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; - print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; - - # Extract the key - # This system call is safe, because all arguments are passed as an array. - if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } else { - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; - } - } - - $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; - print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; } else { print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; @@ -2489,24 +2449,11 @@ END print CLIENTCONF "\r\n\r\n"; close(FILE); - # Cert - open(FILE, "<$file_crt"); - print CLIENTCONF "\r\n"; - while () { - chomp($_); - print CLIENTCONF "$_\r\n"; - } - print CLIENTCONF "\r\n\r\n"; - close(FILE); - - # Key - open(FILE, "<$file_key"); - print CLIENTCONF "\r\n"; - while () { - chomp($_); - print CLIENTCONF "$_\r\n"; - } - print CLIENTCONF "\r\n\r\n"; + # PKCS12 + open(FILE, "<${General::swroot}/ovpn/certs/${name}.p12"); + print CLIENTCONF "\r\n"; + print CLIENTCONF &MIME::Base64::encode_base64(do { local $/; }); + print CLIENTCONF "\r\n\r\n"; close(FILE); # TLS auth @@ -2522,6 +2469,8 @@ END } } + close(CLIENTCONF); + $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; my $status = $zip->writeToFileNamed($zippathname); -- 2.39.5