From 3f8a9f08981d4b1f2f80a609da366ba99b96bad4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 22 Feb 2015 10:51:51 +0000
Subject: [PATCH] further cleanup of php-fpm code, related to https://github.com/opnsense/core/issues/42
---
 src/etc/inc/openvpn.auth-user.php | 51 +++++++----------------------
 src/etc/inc/openvpn.tls-verify.php | 15 ++-------
 src/sbin/ovpn_auth_verify | 11 +++----
 3 files changed, 19 insertions(+), 58 deletions(-)
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index bd25d3792..7ffa443e8 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -75,10 +75,10 @@ function getNasIP()
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-if (count($argv) > 6) {
+if (count($argv) >= 6) {
 $authmodes = explode(',', $argv[5]);
-$username = $argv[1];
-$password = urldecode($argv[2]);
+$username = base64_decode(str_replace('%3D', '=', $argv[1]));
+$password = base64_decode(str_replace('%3D', '=', $argv[2]));
 $common_name = $argv[3];
 $modeid = $argv[6];
 $strictusercn = $argv[4] == 'false' ? false : true;
@@ -91,14 +91,8 @@ if (count($argv) > 6) {
 if (!$username || !$password) {
 syslog(LOG_ERR, "invalid user authentication environment");
- if (isset($_GET)) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit(-1);
- }
+ closelog();
+ exit(-1);
 }
 /* Replaced by a sed with propper variables used below(ldap parameters). */
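Review bot: The relaxed guard `if (count($argv) >= 6) {` is off by one: `$argv[0]` is the script name and the block reads `$modeid = $argv[6];`, so seven entries are required, and a six-entry `$argv` now enters the block with an undefined index instead of being rejected; keep `if (count($argv) > 6) {`. The new `base64_decode()` calls run in lenient mode, so an argument that is not valid base64 is silently decoded to garbage rather than to an empty value; `base64_decode(str_replace('%3D', '=', $argv[1]), true)` (and the same for `$argv[2]`) returns false on malformed input and lets the `!$username || !$password` check in the next hunk reject it. Whatever the script does when the count check fails lies outside this hunk.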
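Review bot: The new `exit(-1);` here and in the `could not authenticate` hunk further down reaches the caller as status 255 (exit codes are taken modulo 256), while the two rejection paths in the hunk that follows use `exit(1);`; since ovpn_auth_verify now simply forwards the status with `exit $?`, using `exit(1);` in every failure path would keep the codes consistent and avoid the negative-value idiom. If the distinct value is intentional, a comment stating what the caller is expected to do with it would make that clear.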
@@ -113,26 +107,14 @@ $authenticated = false;
 if (($strictusercn === true) && ($common_name != $username)) {
 syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
- if (isset($_GET)) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit(1);
- }
+ closelog();
+ exit(1);
 }
 if (!is_array($authmodes)) {
 syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
- if (isset($_GET)) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit(1);
- }
+ closelog();
+ exit(1);
 }
 $attributes = array();
@@ -148,14 +130,8 @@ foreach ($authmodes as $authmode) {
 if ($authenticated == false) {
 syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
- if (isset($_GET)) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit(-1);
- }
+ closelog();
+ exit(-1);
 }
 @include_once('openvpn.attributes.php');
@@ -190,7 +166,4 @@ if (!empty($content))
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
 closelog();
-if (isset($_GET))
- echo "OK";
-else
- exit(0);
+exit(0);
diff --git a/src/etc/inc/openvpn.tls-verify.php b/src/etc/inc/openvpn.tls-verify.php
index cb354fd08..97df44298 100644
--- a/src/etc/inc/openvpn.tls-verify.php
+++ b/src/etc/inc/openvpn.tls-verify.php
@@ -59,23 +59,14 @@ foreach ($subj at $s) {
 if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
 syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
- if (isset($_GET)) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit(1);
- }
+ closelog();
+ exit(1);
 }
 // Debug
 //syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
 closelog();
-if (isset($_GET))
- echo "OK";
-else
- exit(0);
+exit(0);
 ?>
diff --git a/src/sbin/ovpn_auth_verify b/src/sbin/ovpn_auth_verify
index 9e871a60e..b2f3e2ba5 100755
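Review bot: With the `$_GET` branches removed, the process exit status is the only way the verdict leaves openvpn.tls-verify.php, but nothing in the file says so; a comment above the new `exit(0);` such as `// Exit status is the only result channel: 0 = certificate accepted, non-zero = rejected (ovpn_auth_verify forwards it with exit $?)` would record the contract for the next maintainer. The same comment fits the final `exit(0);` added to openvpn.auth-user.php above. The `foreach` that encloses the first change in this hunk starts before the hunk.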
--- a/src/sbin/ovpn_auth_verify
+++ b/src/sbin/ovpn_auth_verify
@@ -1,17 +1,14 @@
 #!/bin/sh
-
 if [ "$1" = "tls" ]; then
- RESULT=$(/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d $2 $3)
+ (/usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d "$2" "$3")
+ exit $?
 else
 # Single quoting $password breaks getting the value from the variable.
 password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g')
 username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's/=/%3D/g')
- RESULT=$(/usr/local/bin/php /etc/inc/openvpn.auth-user.php $username $password $common_name $3 $2 $4)
-fi
-
-if [ "${RESULT}" = "OK" ]; then
- exit 0
+ (/usr/local/bin/php /usr/local/etc/inc/openvpn.auth-user.php "$username" "$password" "$common_name" "$3" "$2" "$4")
+ exit $?
 fi
 exit 1
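Review bot: The rewritten php invocation still passes the encoded username and password as command-line arguments, where any local user can read them from the process list for as long as the php process runs; the script already has them in the `${username}`/`${password}` environment variables it reads two lines earlier, so the php side could take them via `getenv()` and the two positional arguments could be dropped (a change that spans both files). Quoting the arguments correctly fixes word splitting, but base64 is an encoding, not protection, so the exposure is unchanged. Separately, each `( … )` subshell followed by `exit $?` can be a single `exec /usr/local/bin/php /usr/local/etc/inc/openvpn.tls-verify.php -d "$2" "$3"` (likewise for the auth-user call), which also gives the trailing `exit 1` a purpose — it would then run only if exec itself fails — instead of being unreachable after two branches that both exit.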