further cleanup of php-fpm code, related to https://github.com/opnsense/core/issues/42

3f8a9f08 · Ad Schellevis · 67601e0d · 3f8a9f08 · 3f8a9f08 · 3f8a9f08
Commit 3f8a9f08 authored Feb 22, 2015 by Ad Schellevis
Showing with 19 additions and 58 deletions

openvpn.auth-user.php src/etc/inc/openvpn.auth-user.php +12 -39

openvpn.tls-verify.php src/etc/inc/openvpn.tls-verify.php +3 -12

ovpn_auth_verify src/sbin/ovpn_auth_verify +4 -7

No files found.
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -75,10 +75,10 @@ function getNasIP()
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-if (count($argv) > 6) {
+if (count($argv) >= 6) {
 	$authmodes = explode(',', $argv[5]);
-	$username = $argv[1];
+        $username = base64_decode(str_replace('%3D', '=', $argv[1]));
-	$password = urldecode($argv[2]);
+        $password = base64_decode(str_replace('%3D', '=', $argv[2]));        
 	$common_name = $argv[3];
 	$modeid = $argv[6];
 	$strictusercn = $argv[4] == 'false' ? false : true;
@@ -91,14 +91,8 @@ if (count($argv) > 6) {
 if (!$username || !$password) {
 	syslog(LOG_ERR, "invalid user authentication environment");
-	if (isset($_GET)) {
+	closelog();
-		echo "FAILED";
+	exit(-1);
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(-1);
-	}
 }
 /* Replaced by a sed with propper variables used below(ldap parameters). */
@@ -113,26 +107,14 @@ $authenticated = false;
 if (($strictusercn === true) && ($common_name != $username)) {
 	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
-	if (isset($_GET)) {
+	closelog();
-		echo "FAILED";
+	exit(1);
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
 }
 if (!is_array($authmodes)) {
 	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
-	if (isset($_GET)) {
+	closelog();
-		echo "FAILED";
+	exit(1);
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
 }
 $attributes = array();
@@ -148,14 +130,8 @@ foreach ($authmodes as $authmode) {
 if ($authenticated == false) {
 	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-	if (isset($_GET)) {
+	closelog();
-		echo "FAILED";
+	exit(-1);
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(-1);
-	}
 }
 @include_once('openvpn.attributes.php');
@@ -190,7 +166,4 @@ if (!empty($content))
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
 closelog();
-if (isset($_GET))
+exit(0);
-	echo "OK";
-else
-	exit(0);
--- a/src/etc/inc/openvpn.tls-verify.php
+++ b/src/etc/inc/openvpn.tls-verify.php
@@ -59,23 +59,14 @@ foreach ($subj at $s) {
 if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
 	syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
-	if (isset($_GET)) {
+	closelog();
-		echo "FAILED";
+	exit(1);
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
 }
 // Debug
 //syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
 closelog();
-if (isset($_GET))
+exit(0);
-	echo "OK";
-else
-	exit(0);
 ?>
--- a/src/sbin/ovpn_auth_verify
+++ b/src/sbin/ovpn_auth_verify
 #!/bin/sh
 if [ "$1" = "tls" ]; then
-	RESULT=$(/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d $2 $3)
+	(/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d "$2" "$3")
+	exit $?
 else
 	# Single quoting $password breaks getting the value from the variable.
 	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g')
 	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's/=/%3D/g')
-	RESULT=$(/usr/local/bin/php /etc/inc/openvpn.auth-user.php $username $password $common_name $3 $2 $4)
+	(/usr/local/bin/php /usr/local/etc/inc/openvpn.auth-user.php "$username" "$password" "$common_name" "$3" "$2" "$4")
-fi
+	exit $?
-if [ "${RESULT}" = "OK" ]; then
-	exit 0
 fi
 exit 1