From e7d04751c9f87dbca8737274a6ec45849a330d6e Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 28 Feb 2019 16:36:40 +0100
Subject: [PATCH] OpenVPN server, validate certificate type, closes https://github.com/opnsense/core/issues/3045
---
 src/www/vpn_openvpn_server.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index f0f91d6cf..a65eba110 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@@ -329,6 +329,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_errors[] = gettext("Renegotiate time should contain a valid number of seconds.");
 }
 
+ // When server certificate is set, check type.
+ if (!empty($pconfig['certref'])) {
+ foreach ($config['cert'] as $cert) {
+ if ($cert['refid'] == $pconfig['certref']) {
+ if (cert_get_purpose($cert['crt'])['server'] == 'No') {
+ $input_errors[] = gettext(
+ sprintf("certificate %s is not intended for server use", $cert['descr'])
+ );
+ }
+ }
+ }
+ }
+
 do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
 
 if (count($input_errors) == 0) {
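Review bot: The added certificate check is a deny-list that fails open: an error is raised only when `cert_get_purpose($cert['crt'])['server']` loosely equals `'No'`, so any other result from the helper (not visible here) is accepted, and a submitted `certref` that matches no `refid` in `$config['cert']` leaves the loop without any error. Assuming the helper reports `'Yes'` for server certificates, the allow-list form `if (cert_get_purpose($cert['crt'])['server'] !== 'Yes') {` is safer, together with a flag set on the matching `refid` and an input error after the loop when no entry matched. Separately, `gettext(sprintf(...))` looks up the already formatted string, so the message can never match a catalogue entry; it should read `sprintf(gettext("certificate %s is not intended for server use"), $cert['descr'])`. The enclosing request-handling block starts and ends outside the hunk, so an existing `certref` existence check elsewhere cannot be ruled out.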