further cleanup of php-fpm code, related to https://github.com/opnsense/core/issues/42

src/etc/inc/openvpn.auth-user.php

@@ -75,10 +75,10 @@ function getNasIP()
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 
-if (count($argv) > 6) {
+if (count($argv) >= 6) {
 	$authmodes = explode(',', $argv[5]);
-	$username = $argv[1];
-	$password = urldecode($argv[2]);
+        $username = base64_decode(str_replace('%3D', '=', $argv[1]));
+        $password = base64_decode(str_replace('%3D', '=', $argv[2]));        
 	$common_name = $argv[3];
 	$modeid = $argv[6];
 	$strictusercn = $argv[4] == 'false' ? false : true;
@@ -91,14 +91,8 @@ if (count($argv) > 6) {
 
 if (!$username || !$password) {
 	syslog(LOG_ERR, "invalid user authentication environment");
-	if (isset($_GET)) {
-		echo "FAILED";
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(-1);
-	}
+	closelog();
+	exit(-1);
 }
 
 /* Replaced by a sed with propper variables used below(ldap parameters). */
@@ -113,26 +107,14 @@ $authenticated = false;
 
 if (($strictusercn === true) && ($common_name != $username)) {
 	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
-	if (isset($_GET)) {
-		echo "FAILED";
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
+	closelog();
+	exit(1);
 }
 
 if (!is_array($authmodes)) {
 	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
-	if (isset($_GET)) {
-		echo "FAILED";
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
+	closelog();
+	exit(1);
 }
 
 $attributes = array();
@@ -148,14 +130,8 @@ foreach ($authmodes as $authmode) {
 
 if ($authenticated == false) {
 	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-	if (isset($_GET)) {
-		echo "FAILED";
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(-1);
-	}
+	closelog();
+	exit(-1);
 }
 
 @include_once('openvpn.attributes.php');
@@ -190,7 +166,4 @@ if (!empty($content))
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
 closelog();
 
-if (isset($_GET))
-	echo "OK";
-else
-	exit(0);
+exit(0);

src/etc/inc/openvpn.tls-verify.php

@@ -59,23 +59,14 @@ foreach ($subj at $s) {
 
 if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
 	syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
-	if (isset($_GET)) {
-		echo "FAILED";
-		closelog();
-		return;
-	} else {
-		closelog();
-		exit(1);
-	}
+	closelog();
+	exit(1);
 }
 
 // Debug
 //syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
 
 closelog();
-if (isset($_GET))
-	echo "OK";
-else
-	exit(0);
+exit(0);
 
 ?>

src/sbin/ovpn_auth_verify

@@ -1,17 +1,14 @@
 #!/bin/sh
-
 if [ "$1" = "tls" ]; then
-	RESULT=$(/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d $2 $3)
+	(/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d "$2" "$3")
+	exit $?
 else
 	# Single quoting $password breaks getting the value from the variable.
 	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g')
 	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's/=/%3D/g')
 
-	RESULT=$(/usr/local/bin/php /etc/inc/openvpn.auth-user.php $username $password $common_name $3 $2 $4)
-fi
-
-if [ "${RESULT}" = "OK" ]; then
-	exit 0
+	(/usr/local/bin/php /usr/local/etc/inc/openvpn.auth-user.php "$username" "$password" "$common_name" "$3" "$2" "$4")
+	exit $?
 fi
 
 exit 1