From be920425c99d674174bd01eb5bac535c9293286e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 10 Apr 2024 14:03:30 +0200
Subject: [PATCH] ovpnmain.cgi: Load the OpenSSL legacy provider if required

Signed-off-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c3fd6a094..b93b05cdb 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -56,6 +56,14 @@ my @SUPPORTED_CIPHERS = (
 	"CHACHA20-POLY1305",
 );
 
+my @LEGACY_CIPHERS = (
+	"BF-CBC",
+	"CAST5-CBC",
+	"DES-CBC",
+	"DESX-CBC",
+	"SEED-CBC",
+);
+
 my $DEFAULT_CIPHERS = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";
 
 # Translations for the cipher selection
@@ -127,6 +135,16 @@ sub iscertlegacy
 	return 0;
 }
 
+sub is_legacy_cipher($) {
+	my $cipher = shift;
+
+	foreach my $c (@LEGACY_CIPHERS) {
+		return 1 if ($cipher eq $c);
+	}
+
+	return 0;
+}
+
 sub cleanssldatabase() {
 	if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
 		print FILE "01";
@@ -162,6 +180,9 @@ sub deletebackupcert
 sub writeserverconf {
 	my %sovpnsettings = ();
 
+	# Do we require the OpenSSL Legacy Provider?
+	my $requires_legacy_provider = 0;
+
 	&General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
 	&read_routepushfile(\%sovpnsettings);
 
@@ -247,6 +268,10 @@ sub writeserverconf {
 	# Enable fallback cipher?
 	if ($sovpnsettings{'DCIPHER'} ne '') {
+		if (&is_legacy_cipher($sovpnsettings{'DCIPHER'})) {
+			$requires_legacy_provider++;
+		}
+
 		print CONF "data-ciphers-fallback $sovpnsettings{'DCIPHER'}\n";
 	}
 
@@ -303,6 +328,11 @@ sub writeserverconf {
 	print CONF "management /var/run/openvpn.sock unix\n";
 	print CONF "management-client-auth\n";
 
+	# Enable the legacy provider
+	if ($requires_legacy_provider > 0) {
+		print CONF "providers legacy default\n";
+	}
+
 	close(CONF);
 
 	# Rewrite all CCD configurations
-- 
2.39.5
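Review bot: The new @LEGACY_CIPHERS list has no comment saying what qualifies a cipher for it, so the next person adding a cipher to the UI has no way to know whether it belongs here; I would put `# Ciphers that OpenSSL 3 only offers through its "legacy" provider; a fallback cipher from this list makes writeserverconf emit "providers legacy default".` above the declaration. The list also appears to be incomplete relative to what OpenSSL 3 actually moved into the legacy provider: if IDEA-CBC or any RC2 variant can be selected as DCIPHER anywhere in this file, they need the provider too, but I cannot see the selectable values from this hunk. Worth noting in the same comment that BF, CAST5, DES and DESX are 64-bit block ciphers, so the fallback is a migration aid rather than a supported configuration.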
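Review bot: is_legacy_cipher compares with `eq`, which is case-sensitive, while OpenVPN accepts cipher names case-insensitively; if DCIPHER can ever be stored as e.g. "bf-cbc", the provider line is silently skipped and OpenVPN fails at startup with an unknown-cipher error rather than here. If the setting always comes from a fixed-case select list that is fine, otherwise `return 1 if (uc($cipher) eq $c);` closes the gap. The `($)` prototype does no argument checking because the later hunk calls it as `&is_legacy_cipher(...)`, which bypasses prototypes; that matches the file's existing `sub cleanssldatabase()` style, so it is only worth a comment, not a change.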
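Review bot: The legacy check is applied only to the DCIPHER fallback, yet the decision of whether the provider is needed depends on every algorithm the server config asks OpenSSL for. If the `auth` digest that writeserverconf writes elsewhere can be one that OpenSSL 3 also moved to the legacy provider (e.g. whirlpool or MD4), that path needs the same `$requires_legacy_provider++` treatment, otherwise the server silently breaks for exactly those users; that part of writeserverconf is outside this hunk, so I am inferring from the settings names. A one-line comment on the increment, `# Only the fallback cipher is checked here; data-ciphers come from @SUPPORTED_CIPHERS which are all default-provider`, would document the assumption. writeserverconf starts and ends outside this hunk.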
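Review bot: The `providers legacy default` line is written with a comment that only restates the code; it should record the two preconditions a maintainer will trip over, because a missing one makes OpenVPN refuse to start rather than fall back. I would replace the comment with `# Load OpenSSL's legacy provider next to the default one so the selected legacy fallback cipher can still be instantiated. Needs OpenVPN >= 2.6 (--providers) and the legacy.so provider module to be installed.` Note also that this enables every legacy algorithm in the OpenVPN process, not just the one fallback cipher, which is a further reason to keep the list in @LEGACY_CIPHERS minimal and to treat the fallback as a transitional setting. `if ($requires_legacy_provider)` would read more naturally than the `> 0` comparison since the variable is only ever incremented.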