This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core175 has been updated
via d57f305a1042fb69aa597426ee3f62ccce384f80 (commit)
via 7dec360355f0eb5bb9bc61b32a08e733aa070b40 (commit)
from 3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d57f305a1042fb69aa597426ee3f62ccce384f80
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Tue Jun 6 12:40:50 2023 +0200
update.sh: Fixes bug#13138 - root/host certificate set fails to be created
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr
file after the first time that the root/host certificates are attempted to be created.
- Without this line in update.sh, the first attempt to create the root/host certificate set
will still have the original error code. If the creation is attempted again then it will
work because the unique_subject = yes will have then been added into the file.
- This patch ensures that the first attempt to create a root/host certificate set in CU175
will work.
- Confirmed on vm testbed with freshly updated CU175.
Fixes: Bug#13138
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7dec360355f0eb5bb9bc61b32a08e733aa070b40
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Wed Jun 7 16:21:48 2023 +0200
ovpnmain.cgi: Updated fix for Bug#13137
- This now only adds "providers legacy default" to the config files of connections that
have legacy certificates, both for n2n and roadwarrior.
- This new approach also removes the requirement to have code in the update.sh script
or in backup.pl so those earlier modifications are removed in two additional patches
combined with this one in a set.
- The -legacy option has been removed from the pkcs12 creation part of the code as
otherwise this creates a certificate in legacy format, which is not wanted. All new
connection certificates being created will be based on openssl-3.x
Fixes: Bug#13137
Suggested-by: Michael Tremer <michael.tremer(a)ipfire.org>
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/175/update.sh | 3 ++
html/cgi-bin/ovpnmain.cgi | 70 +++++++++++++++++++++++++++++--------
2 files changed, 58 insertions(+), 15 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 82676bc72..f1c6873c1 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -191,6 +191,9 @@ if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
done
fi
+## Add unique_subject = yes to vpn index.txt.attr file
+echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr
+
# This update needs a reboot...
touch /var/run/need_reboot
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 88106251e..a210e0509 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -138,6 +138,17 @@ unless (-e "$local_clientconf") {
###
### Useful functions
###
+sub iscertlegacy
+{
+ my $file=$_[0];
+ my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
+ "-in", "$file.p12", "-noout", "-passin", "pass:''");
+ if (index ($certinfo[0], "MAC: sha1") != -1) {
+ return 0;
+ }
+ return 1;
+}
+
sub haveOrangeNet
{
if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
@@ -1115,7 +1126,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "# Activate Management Interface and Port\n";
if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
- print CLIENTCONF "providers legacy default\n";
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}")) {
+ print CLIENTCONF "providers legacy default\n";
+ }
close(CLIENTCONF);
}
@@ -1649,7 +1662,7 @@ END
goto ROOTCERT_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
'-in', $filename,
'-out', "$tempdir/cacert.pem")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1672,7 +1685,7 @@ END
goto ROOTCERT_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
'-in', $filename,
'-out', "$tempdir/hostcert.pem")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1695,7 +1708,7 @@ END
goto ROOTCERT_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
'-nodes',
'-in', $filename,
'-out', "$tempdir/serverkey.pem")) {
@@ -2157,7 +2170,10 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
- print CLIENTCONF "providers legacy default\n";
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
+ print CLIENTCONF "providers legacy default\n";
+ }
+
close(CLIENTCONF);
@@ -2229,10 +2245,18 @@ else
# Extract the certificate
# This system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
+ system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+ } else {
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
}
$zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
@@ -2240,10 +2264,18 @@ else
# Extract the key
# This system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
- '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
- if ($?) {
- die "openssl error: $?";
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
+ system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+ } else {
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
}
$zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
@@ -2302,6 +2334,11 @@ else
# If the server is asking for TOTP this needs to happen interactively
print CLIENTCONF "auth-retry interact\r\n";
+ # Add provider line if certificate is legacy type
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) {
+ print CLIENTCONF "providers legacy default\r\n";
+ }
+
if ($include_certs) {
print CLIENTCONF "\r\n";
@@ -3298,7 +3335,10 @@ END
print FILE "# Logfile\n";
print FILE "status-version 1\n";
print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
- print FILE "providers legacy default\n";
+ if (&iscertlegacy("${General::swroot}/ovpn/certs/$cgiparams{'n2nname'}")) {
+ print CLIENTCONF "providers legacy default\n";
+ }
+
close FILE;
unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
@@ -4245,7 +4285,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Create the pkcs12 file
# The system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
+ system('/usr/bin/openssl', 'pkcs12', '-export',
'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
'-name', $cgiparams{'NAME'},
hooks/post-receive
--
IPFire 2.x development tree