From: Stefan Schantl
Date: Mon, 21 Jun 2021 15:45:05 +0000 (+0200)
Subject: ovpnmain.cgi: Fix detection of used DH key lenght.
X-Git-Tag: v2.25-core158~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f56040805375784a7c695d7324365c115262eb72;p=ipfire-2.x.git

ovpnmain.cgi: Fix detection of used DH key lenght.

Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 077f5ab6c4..d9e26de2fe 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -221,14 +221,23 @@ sub pkiconfigcheck
 # Warning if DH parameter is 1024 bit
 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
 my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
+ my $dhbit;
+ # Loop through the output and search for the DH bit lenght.
 foreach my $line (@dhparameter) {
- my @dhbit = ($line =~ /(\d+)/);
- if ($1 < 2048) {
- $cryptoerror = "$Lang::tr{'ovpn error dh'}";
- goto CRYPTO_ERROR;
+ if ($line =~ (/(\d+)/)) {
+ # Assign match to dhbit value.
+ $dhbit = $1;
+
+ last;
 }
 }
+
+ # Check if the used key lenght is at least 2048 bit.
+ if ($dhbit < 2048) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
 }
 # Warning if md5 is in usage
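Review bot: The new match inside the `foreach` loop, `$line =~ (/(\d+)/)`, stops at the first run of digits anywhere in the openssl output, so the 2048-bit check is only right when the key size is the first number printed. If a header line carries another digit first (some OpenSSL builds appear to label the block `PKCS#3 DH Parameters`), `$dhbit` would hold that digit and every parameter file would be reported as too short. Anchoring on the size field, for example `if ($line =~ /\((\d+) bit\)/) {`, removes that dependency, assuming the `(N bit)` form openssl prints. `$dhbit` also stays undefined when no line matches, such as empty output from an unreadable or malformed parameter file, and the comparison then rejects only because undef is coerced to zero; `if (!defined($dhbit) || $dhbit < 2048) {` makes that fail-closed result explicit. `pkiconfigcheck` begins and ends outside this hunk, so how `CRYPTO_ERROR` reports the failure is not visible here.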