From d3063a20174d8cb156dc8dea78bcfc59cdba22e2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 6 Apr 2021 10:02:52 +0200
Subject: [PATCH] openvpn: remove OpenSSL engine support #4896
---
src/etc/inc/plugins.inc.d/openvpn.inc | 54 --------------------
src/etc/inc/plugins.inc.d/openvpn/wizard.inc | 9 ----
src/wizard/openvpn.xml | 13 -----
src/www/vpn_openvpn_client.php | 23 ++-------
src/www/vpn_openvpn_server.php | 26 ++--------
5 files changed, 6 insertions(+), 119 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index ca1ed0e2f..64711ac0d 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -297,56 +297,6 @@ function openvpn_get_digestlist() return $digests; } -function openvpn_get_engines() -{ - $openssl_engines = array('none' => 'No Hardware Crypto Acceleration'); - exec('/usr/local/bin/openssl engine -t -c 2> /dev/null', $openssl_engine_output); - - if (!count($openssl_engine_output)) { - /* LibreSSL doesn't offer anything of value */ - return $openssl_engines; - } - - $openssl_engine_output = implode("\n", $openssl_engine_output); - $openssl_engine_output = preg_replace("/\\n\\s+/", "|", $openssl_engine_output); - $openssl_engine_output = explode("\n", $openssl_engine_output); - - foreach ($openssl_engine_output as $oeo) { - $keep = true; - $details = explode("|", $oeo); - $engine = array_shift($details); - $linematch = array(); - preg_match("/\((.*)\)\s(.*)/", $engine, $linematch); - foreach ($details as $dt) { - if (strpos($dt, "unavailable") !== false) { - $keep = false; - } - if (strpos($dt, "available") !== false) { - continue; - } - if (strpos($dt, "[") !== false) { - $ciphers = trim($dt, "[]"); - } - } - if (!empty($ciphers)) { - $ciphers = " - " . $ciphers; - } - if (strlen($ciphers) > 60) { - $ciphers = substr($ciphers, 0, 60) . " ... "; - } - if ($keep) { - $openssl_engines[$linematch[1]] = $linematch[2] . $ciphers; - } - } - return $openssl_engines; -} - -function openvpn_validate_engine($engine) -{ - $engines = openvpn_get_engines(); - return array_key_exists($engine, $engines); -} - function openvpn_validate_port($value, $name) { $value = trim($value); @@ -602,10 +552,6 @@ function openvpn_reconfigure($mode, $settings, $device_only = false) $conf .= "multihome\n"; } - if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none")) { - $conf .= "engine {$settings['engine']}\n"; - } - // server specific settings if ($mode == 'server') { list($ip, $cidr) = explode('/', $settings['tunnel_network']); 
diff --git a/src/etc/inc/plugins.inc.d/openvpn/wizard.inc b/src/etc/inc/plugins.inc.d/openvpn/wizard.inc index 4fd5dd2ae..953390b17 100644 --- a/src/etc/inc/plugins.inc.d/openvpn/wizard.inc +++ b/src/etc/inc/plugins.inc.d/openvpn/wizard.inc @@ -414,14 +414,6 @@ function step10_stepbeforeformdisplay() $opt['value'] = $name; $pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt; } - } elseif ($field['name'] == "engine") { - $pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array(); - foreach (openvpn_get_engines() as $name => $desc) { - $opt = array(); - $opt['name'] = $desc; - $opt['value'] = $name; - $pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt; - } } elseif ($field['name'] == "nbttype") { $pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array(); foreach ($netbios_nodetypes as $type => $name) { @@ -755,7 +747,6 @@ function step12_submitphpaction() } $server['crypto'] = $pconfig['step10']['crypto']; $server['digest'] = $pconfig['step10']['digest']; - $server['engine'] = $pconfig['step10']['engine']; if (isset($pconfig['step11']['ovpnrule'])) { $rule = array(); diff --git a/src/wizard/openvpn.xml b/src/wizard/openvpn.xml index 1c5a6b77b..00bedfac0 100644 --- a/src/wizard/openvpn.xml +++ b/src/wizard/openvpn.xml @@ -695,19 +695,6 @@ SHA1 The method used to authenticate traffic between endpoints. This setting must match on the client and server side, but is otherwise set however you like. - - engine - select - Hardware Crypto - wizardtemp->step10->engine - - - - The hardware cryptographic accelerator to use for this VPN connection, if any. - listtopic Tunnel Settings diff --git a/src/www/vpn_openvpn_client.php b/src/www/vpn_openvpn_client.php index 0507adc09..51739b98c 100644 --- a/src/www/vpn_openvpn_client.php +++ b/src/www/vpn_openvpn_client.php 
@@ -61,7 +61,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $copy_fields = "auth_user,auth_pass,disable,mode,protocol,interface ,local_port,server_addr,server_port,resolve_retry,remote_random,reneg-sec ,proxy_addr,proxy_port,proxy_user,proxy_passwd,proxy_authtype,description - ,custom_options,ns_cert_type,dev_mode,caref,certref,crypto,digest,engine + ,custom_options,ns_cert_type,dev_mode,caref,certref,crypto,digest ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6,use_shaper ,compression,passtos,no_tun_ipv6,route_no_pull,route_no_exec,verbosity_level"; @@ -102,7 +102,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $init_fields = "auth_user,auth_pass,disable,mode,protocol,interface ,local_port,server_addr,server_port,resolve_retry,remote_random,reneg-sec ,proxy_addr,proxy_port,proxy_user,proxy_passwd,proxy_authtype,description - ,custom_options,ns_cert_type,dev_mode,caref,certref,crypto,digest,engine + ,custom_options,ns_cert_type,dev_mode,caref,certref,crypto,digest ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6,use_shaper ,compression,passtos,no_tun_ipv6,route_no_pull,route_no_exec,verbosity_level"; @@ -305,7 +305,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $copy_fields = "auth_user,auth_pass,protocol,dev_mode,local_port,reneg-sec ,server_addr,server_port,resolve_retry,proxy_addr,proxy_port,remote_random ,proxy_authtype,proxy_user,proxy_passwd,description,mode,crypto,digest - ,engine,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6 + ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6 ,use_shaper,compression,passtos,no_tun_ipv6,route_no_pull,route_no_exec ,verbosity_level,interface"; @@ -933,23 +933,6 @@ $( document ).ready(function() { - - - - - - diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php index b019dc1b1..285ea70e4 100644 --- a/src/www/vpn_openvpn_server.php +++ b/src/www/vpn_openvpn_server.php 
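Review bot: The `$copy_fields` / `$init_fields` strings in vpn_openvpn_client.php (hunks at -61, -102 and -305) appear to act as the allowlist of keys copied between the form and the saved config, yet each is its own multi-line string literal, so dropping `engine` had to be repeated three times here and three more times in vpn_openvpn_server.php (-59, -107, -350). Lists kept in step by hand can drift, leaving a key accepted in one path but not initialised in another. Each name also carries the literal's line break and indentation (`digest` is followed by a newline and spaces before `,tunnel_network`), so the result depends on the consumer trimming every entry; that code and the enclosing `if ($_SERVER['REQUEST_METHOD'] === 'GET')` block lie outside these hunks. I would define the list once as an array and reuse it, or at least add above each literal a comment such as `// allowlist of config keys copied 1:1; keep in sync with the other field lists in this file`. Instances saved before this change presumably keep a stale `engine` key until they are re-saved, which is worth one line in the commit message.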
@@ -59,7 +59,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { // 1 on 1 copy of config attributes $copy_fields = "mode,protocol,authmode,dev_mode,interface,local_port - ,description,custom_options,crypto,engine,tunnel_network + ,description,custom_options,crypto,tunnel_network ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network ,local_networkv6,maxclients,compression,passtos,client2client ,dynamic_ip,pool_enable,topology_subnet,serverbridge_dhcp @@ -107,7 +107,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig['cert_depth'] = 1; // init all fields used in the form $init_fields = "mode,protocol,authmode,dev_mode,interface,local_port - ,description,custom_options,crypto,engine,tunnel_network + ,description,custom_options,crypto,tunnel_network ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network ,local_networkv6,maxclients,compression,passtos,client2client ,dynamic_ip,pool_enable,topology_subnet,serverbridge_dhcp @@ -350,7 +350,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { openvpn_delete('server', $a_server[$id]); } // 1 on 1 copy of config attributes - $copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest,engine + $copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6 ,gwredir,local_network,local_networkv6,maxclients,compression ,passtos,client2client,dynamic_ip,pool_enable,topology_subnet,local_group @@ -997,26 +997,6 @@ endif; ?> - - - - - -