ovpnmain.cgi: Re-implement iscertlegacy function

Re-implement the iscertlegacy function to proper detect any kind
of legacy certificate by using the openssl legacy switch.

Fixes #13936

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e53bd6e28b6bd113d272563720de0950d86253b2..b435d9e1ba2d7ed36950ca6c3ffb0aad6849a0cd 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -143,12 +143,32 @@ my $col="";
 sub iscertlegacy
 {
        my $file=$_[0];
-       my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
-       "-in", "$file.p12", "-noout", "-passin", "pass:''");
-       if (index ($certinfo[0], "MAC: sha1") != -1) {
-               return 1;
-       }
-       return 0;
+       my @openssl_cmd = ("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
+       "-in", "$file.p12", "-noout", "-passin", "pass:");
+       my $ret;
+
+       # Execute the openssl command.
+       $ret = &General::safe_system(@openssl_cmd);
+
+       # Early exit if the openssl return code is zero and we do not have a
+       # lecacy certificate.
+       return 0 if ($ret eq "0");
+
+       # In case we got an return code of one, retry with enabled legacy option.
+       #
+       # Add option to enable legacy ciphers to the openssl command.
+       push(@openssl_cmd, "-legacy");
+
+       # Re-execute the openssl command with legacy option.
+       $ret = &General::safe_system(@openssl_cmd);
+
+       # Exit and return 1 if the return code of the openssl command is zero
+       # with enabled legay option, which indicates a legacy certificate.
+       return 1 if ($ret eq "0");
+
+       # If we got here, the openssl command was not able to detect
+       # which kind of certificate is used.
+       return undef;
 }
 
 sub is_cert_rfc3280_compliant($) {