    [OpenVPN Client Export Utility] Password to protect the pkcs12 not working

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    11 Posts 3 Posters 7.1k Views
lostcontrol:

      Hi all,

I just set up OpenVPN and spent an hour trying to understand why my client was not able to read the pkcs12. It seems that if the password contains a special character (I only tried with #) the pkcs12 is not encrypted with the right password. Using alphanumeric characters works.

      OpenVPN Client Export Utility 0.6

      2.0-BETA5 (i386)
      built on Mon Feb 21 23:53:12 EST 2011

      Can somebody confirm this issue? Thank you.

johnpoz (LAYER 8 Global Moderator):

        yup seems to be an issue.

I just tried exporting mine with password of
        test#

        and

        test#123

        Failed to import the p12 into windows, says password wrong.

        btw using
        2.0-RC1-IPv6 (i386)
        built on Sat Mar 12 01:18:33 EST 2011

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

lostcontrol:

I think that nobody reported this on redmine. Is redmine the right place to report bugs on external packages? Or should I report it in the "Packages" section of this forum?

jimp (Rebel Alliance Developer Netgate):

            redmine.pfsense.org is the best place to report confirmed bugs.

            Are you sure that special characters are supposed to be allowed in such a password? I can look at the code but I thought it just passed it directly. Might just need some escape codes around it.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

jimp (Rebel Alliance Developer Netgate):

              Can you edit /usr/local/pkg/openvpn-client-export.inc

              And change openvpn_client_pem_to_pk12() on line 81 to this:

function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $capath = false) {
    // Quote every value for the shell. Keep the raw paths for the unlink() calls
    // below: escapeshellarg() wraps its result in literal single quotes, so
    // unlinking the quoted string would look for a file that does not exist.
    $q_out  = escapeshellarg($outpath);
    $q_pass = escapeshellarg($outpass);
    $q_crt  = escapeshellarg($crtpath);
    $q_key  = escapeshellarg($keypath);
    if ($capath) {
        $q_ca = escapeshellarg($capath);
        exec("/usr/bin/openssl pkcs12 -export -in {$q_crt} -inkey {$q_key} -certfile {$q_ca} -out {$q_out} -passout pass:{$q_pass}");
    } else {
        exec("/usr/bin/openssl pkcs12 -export -in {$q_crt} -inkey {$q_key} -out {$q_out} -passout pass:{$q_pass}");
    }

    unlink($crtpath);
    unlink($keypath);
    if ($capath) {
        unlink($capath);
    }
}


              I didn't test this, but just from eyeballing it, it may work. If it does, I can commit it.

lostcontrol:

Unfortunately, your fix does not work :-\ The password gets messed up before the call to this function.

                The password should be escaped in the javascript code in /usr/local/www/vpn_openvpn_export.php

                435         if (usepass)
                436                 dlurl += "&password=" + escape(pass);
                437         if (useproxy) {
                

I also suggest putting $outpass between single quotes in /usr/local/pkg/openvpn-client-export.inc

                81 function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $capath = false) {
                82         if ($capath)
                83                 exec("/usr/bin/openssl pkcs12 -export -in {$crtpath} -inkey {$keypath} -certfile {$capath} -out {$outpath} -passout pass:'{$outpass}'");
                84         else
                85                 exec("/usr/bin/openssl pkcs12 -export -in {$crtpath} -inkey {$keypath} -out {$outpath} -passout pass:'{$outpass}'");
                86
                

                Tested with @#!a as password. Works for me.

                The same could also be required for proxypass. I don't use this so I'm not sure if a similar fix is required there. Also take care of shell injection through user input. I guess it could be possible to inject shell commands using passout before. Not 100% sure though.

                Thank you ;D

jimp (Rebel Alliance Developer Netgate):

                  escapeshellarg, as I used in my example, will protect against that (and place them in single quotes) :-)

                  So I'll work up a fix based on what you found. Thanks!

lostcontrol:
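The two fixes in this thread address two different bugs: the "#" truncation happened on the browser side, where the password was appended to the download URL without encoding (a "#" there starts the URL fragment, so everything after it never reaches the server), while the shell-side change closes a separate hole, namely a password that the shell interprets or that breaks out of the openssl command. The following PHP script is an added example, not code from the OpenVPN Client Export package or from either poster. It builds only the "-passout pass:..." tail of the openssl command in the three forms discussed (unquoted, hand-written single quotes, escapeshellarg) and runs each through /bin/sh via exec(), with printf standing in for openssl so it runs on any box with PHP; printf prints every shell word it receives in brackets, which makes splitting, variable expansion and any injected command visible. The sample passwords are constructed for the demo.

```php
<?php
// Added example, not the OpenVPN Client Export package's own code.
// printf stands in for /usr/bin/openssl: it prints each shell word it
// receives in brackets, so we can see exactly what openssl would get.

function passout_unescaped(string $pass): string {
    // Shape of the original package code: password interpolated raw.
    return "-passout pass:{$pass}";
}

function passout_single_quoted(string $pass): string {
    // Hand-written single quotes, as suggested in the thread.
    return "-passout pass:'{$pass}'";
}

function passout_escaped(string $pass): string {
    // escapeshellarg() single-quotes the value and rewrites any embedded
    // single quote as '\'' so the result is always exactly one shell word.
    return "-passout pass:" . escapeshellarg($pass);
}

function shell_words(string $tail): array {
    // Run the tail through the shell exactly as exec() would for openssl and
    // return the words the shell produced. If sh hits a syntax error (an
    // unterminated quote) it reports on stderr and no words come back.
    $lines = [];
    exec("printf '[%s]\\n' " . $tail, $lines);
    return $lines;
}

// Constructed passwords: the thread's case plus the failure modes.
$samples = [
    'test#123',               // the thread's password: a mid-word '#' is literal in sh,
                              // so the shell was never the reason it broke
    'te$t',                   // $t is expanded by the shell (normally to nothing)
    "it's",                   // an embedded quote
    'x; printf INJECTED; #',  // breaks out of an unquoted value
    "'; printf INJECTED; #",  // breaks out of hand-written single quotes
];

foreach ($samples as $pass) {
    echo var_export($pass, true), "\n";
    foreach (['passout_unescaped', 'passout_single_quoted', 'passout_escaped'] as $fn) {
        printf("  %-22s %s\n", $fn, implode(' ', shell_words($fn($pass))));
    }
}
```

Run it with `php passout_demo.php`. The unquoted form loses "te$t" as "pass:te" and executes the injected printf; the hand-written quotes survive "$" and "#" but fall apart on a password containing a quote and are still escapable with a leading quote; escapeshellarg() returns "[pass:...]" as a single word for every sample, which is why the package fix escapes every argument rather than only the password. On the browser side the equivalent step is to encode the value for its context before appending it to the query string; encodeURIComponent is the stricter choice, since the legacy escape() leaves characters such as "+" and "/" untouched and does not handle non-ASCII as UTF-8. One remaining caveat is independent of quoting: "-passout pass:" places the password on the openssl command line, where it is visible to anyone on the box who can run ps while the export runs; openssl also accepts the password through "env:", "file:" or "fd:" sources if that matters in a given deployment.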

                    @jimp:

                    escapeshellarg, as I used in my example, will protect against that (and place them in single quotes) :-)

                    Oh sorry, I didn't use PHP for ages ;D

                    Is there an update system for the packages or will I need to remove it and re-install it again? Thank you.

jimp (Rebel Alliance Developer Netgate):

                      No, not yet. I haven't finished coding/testing the fix.

                      I'm going to escape all of the arguments, to be safe.

lostcontrol:

                        @jimp:

                        No, not yet. I haven't finished coding/testing the fix.

Sure, of course, I meant "when the fix is released and the new package built". In the meantime, Google told me about "Diagnostics -> Backup/Restore -> Reinstall packages" ::)

                        Feel free to contact me if you want me to test something.

jimp (Rebel Alliance Developer Netgate):

                          I didn't bump the version number of the package, but if you reinstall that package (From System > Packages, on the Installed Packages tab, click the 'pkg' button) it should pull in the changes.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.