This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core175 has been updated via d57f305a1042fb69aa597426ee3f62ccce384f80 (commit) via 7dec360355f0eb5bb9bc61b32a08e733aa070b40 (commit) from 3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit d57f305a1042fb69aa597426ee3f62ccce384f80 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Jun 6 12:40:50 2023 +0200
update.sh: Fixes bug#13138 - root/host certificate set fails to be created
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr file after the first time that the root/host certificates are attempted to be created. - Without this line in update.sh, the first attempt to create the root/host certificate set will still have the original error code. If the creation is attempted again then it will work because the unique_subject = yes will have then been added into the file. - This patch ensures that the first attempt to create a root/host certificate set in CU175 will work. - Confirmed on vm testbed with freshly updated CU175.
Fixes: Bug#13138 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7dec360355f0eb5bb9bc61b32a08e733aa070b40 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Jun 7 16:21:48 2023 +0200
ovpnmain.cgi: Updated fix for Bug#13137
- This now only adds "providers legacy default" to the config files of connections that have legacy certificates, both for n2n and roadwarrior. - This new approach also removes the requirement to have code in the update.sh script or in backup.pl so those earlier modifications are removed in two additional patches combined with this one in a set. - The -legacy option has been removed from the pkcs12 creation part of the code as otherwise this creates a certificate in legacy format, which is not wanted. All new connection certificates being created will be based on openssl-3.x
Fixes: Bug#13137 Suggested-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/175/update.sh | 3 ++ html/cgi-bin/ovpnmain.cgi | 70 +++++++++++++++++++++++++++++-------- 2 files changed, 58 insertions(+), 15 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh index 82676bc72..f1c6873c1 100644 --- a/config/rootfiles/core/175/update.sh +++ b/config/rootfiles/core/175/update.sh @@ -191,6 +191,9 @@ if [ -s /var/ipfire/ovpn/ovpnconfig ]; then done fi
+## Add unique_subject = yes to vpn index.txt.attr file +echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr + # This update needs a reboot... touch /var/run/need_reboot
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 88106251e..a210e0509 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -138,6 +138,17 @@ unless (-e "$local_clientconf") { ### ### Useful functions ### +sub iscertlegacy +{ + my $file=$_[0]; + my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes", + "-in", "$file.p12", "-noout", "-passin", "pass:''"); + if (index ($certinfo[0], "MAC: sha1") != -1) { + return 0; + } + return 1; +} + sub haveOrangeNet { if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} @@ -1115,7 +1126,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Activate Management Interface and Port\n"; if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; - print CLIENTCONF "providers legacy default\n"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}")) { + print CLIENTCONF "providers legacy default\n"; + } close(CLIENTCONF);
} @@ -1649,7 +1662,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys', '-in', $filename, '-out', "$tempdir/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1672,7 +1685,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys', '-in', $filename, '-out', "$tempdir/hostcert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1695,7 +1708,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts', '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) { @@ -2157,7 +2170,10 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; - print CLIENTCONF "providers legacy default\n"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + print CLIENTCONF "providers legacy default\n"; + } +
close(CLIENTCONF); @@ -2229,10 +2245,18 @@ else
# Extract the certificate # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + } else { + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } }
$zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; @@ -2240,10 +2264,18 @@ else
# Extract the key # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + } else { + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } }
$zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; @@ -2302,6 +2334,11 @@ else # If the server is asking for TOTP this needs to happen interactively print CLIENTCONF "auth-retry interact\r\n";
+ # Add provider line if certificate is legacy type + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + print CLIENTCONF "providers legacy default\r\n"; + } + if ($include_certs) { print CLIENTCONF "\r\n";
@@ -3298,7 +3335,10 @@ END print FILE "# Logfile\n"; print FILE "status-version 1\n"; print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n"; - print FILE "providers legacy default\n"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$cgiparams{'n2nname'}")) { + print CLIENTCONF "providers legacy default\n"; + } + close FILE;
unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) { @@ -4245,7 +4285,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Create the pkcs12 file # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export', + system('/usr/bin/openssl', 'pkcs12', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'},
hooks/post-receive -- IPFire 2.x development tree