authorjim-p <jimp@pfsense.org>2017-07-10 10:36:23 -0400
committerjim-p <jimp@pfsense.org>2017-07-10 10:36:23 -0400
commitf49ef559060ec8cad5c7a3a548d509cf08b5549b (patch)
tree14a064108eb9268f6b7b336d0256a7283a7fa0cc /src/etc
parent2504e3f1bc077eb788a94c9a03ec9a98f28ffcb0 (diff)
downloadpfsense-f49ef559060ec8cad5c7a3a548d509cf08b5549b.zip
pfsense-f49ef559060ec8cad5c7a3a548d509cf08b5549b.tar.gz
Fix OpenVPN Auth Digest Algorithm selection so it does not use duplicate/alias names in the list, and fix existing entries on upgrade so they use the actual digest name and not an alias.
Diffstat (limited to 'src/etc')
-rw-r--r--src/etc/inc/globals.inc2
-rw-r--r--src/etc/inc/openvpn.inc39
-rw-r--r--src/etc/inc/upgrade_config.inc19
3 files changed, 57 insertions, 3 deletions
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index c4533d8..627bc1d 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -71,7 +71,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "16.5",
+ "latest_config" => "16.6",
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
"wan_interface_name" => "wan",
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index cce84bd..3509f1d 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -433,20 +433,55 @@ function openvpn_validate_curve($curve) {
return array_key_exists($curve, $curves);
}
-function openvpn_get_digestlist() {
+/* Obtain the list of digest algorithms supported by openssl and their alternate names */
+function openvpn_get_openssldigestmappings() {
+ $digests = array();
+ $digest_out = shell_exec('/usr/bin/openssl list-message-digest-algorithms | /usr/bin/grep "=>"');
+ $digest_lines = explode("\n", trim($digest_out));
+ sort($digest_lines);
+ foreach ($digest_lines as $line) {
+ $words = explode(' => ', $line, 2);
+ $digests[$words[0]] = $words[1];
+ }
+ return $digests;
+}
+/* Obtain the list of digest algorithms supported by openvpn */
+function openvpn_get_digestlist() {
+ /* Grab the list from OpenSSL to check for duplicates or aliases */
+ $openssl_digest_mappings = openvpn_get_openssldigestmappings();
$digests = array();
$digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\'');
$digest_lines = explode("\n", trim($digest_out));
sort($digest_lines);
foreach ($digest_lines as $line) {
$words = explode(' ', $line);
- $digests[$words[0]] = "{$words[0]} {$words[1]}";
+ /* Only add the entry if it is NOT also listed as being an alias/mapping by OpenSSL */
+ if (!array_key_exists($words[0], $openssl_digest_mappings)) {
+ $digests[$words[0]] = "{$words[0]} {$words[1]}";
+ }
}
$digests["none"] = gettext("None (No Authentication)");
return $digests;
}
+/* Check to see if a digest name is an alias and if so, find the actual digest
+ * algorithm instead. Useful for upgrade code that has to translate aliased
+ * algorithms to their actual names.
+ */
+function openvpn_remap_digest($digest) {
+ $openssl_digest_mappings = openvpn_get_openssldigestmappings();
+ if (array_key_exists($digest, $openssl_digest_mappings)) {
+ /* Some mappings point to other mappings, keep going until we find the actual digest algorithm */
+ if (array_key_exists($openssl_digest_mappings[$digest], $openssl_digest_mappings)) {
+ return openvpn_remap_digest($openssl_digest_mappings[$digest]);
+ } else {
+ return $openssl_digest_mappings[$digest];
+ }
+ }
+ return $digest;
+}
+
function openvpn_get_engines() {
$openssl_engines = array('none' => gettext('No Hardware Crypto Acceleration'));
exec("/usr/bin/openssl engine -t -c", $openssl_engine_output);
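Review bot: openvpn_remap_digest() re-runs the `openssl list-message-digest-algorithms` shell pipeline on every call, including each recursive step, and the recursion has no termination guard, so a mapping that ever loops back on itself (A => B, B => A) would recurse until the stack is exhausted; the upgrade code calls it once per configured OpenVPN instance, spawning a process each time. An iterative walk over the mapping table with a seen-set, shown below, follows the same alias chain but bounds the work and keeps one shell_exec per call. In openvpn_get_openssldigestmappings(), `$digests[$words[0]] = $words[1];` reads `$words[1]` without checking that the line actually contained ` => `; when shell_exec() returns nothing (binary missing, non-zero exit) the `explode()` of the empty string yields one element and this produces an undefined-index notice plus a bogus `""` key, so guarding with `if (count($words) === 2)` would be safer. openvpn_get_engines() starts at the end of this hunk and continues outside it.
```php
function openvpn_remap_digest($digest) {
	$openssl_digest_mappings = openvpn_get_openssldigestmappings();
	$seen = array();
	/* Follow alias chains iteratively; stop on a repeated name so a cyclic mapping cannot loop forever */
	while (array_key_exists($digest, $openssl_digest_mappings) && !isset($seen[$digest])) {
		$seen[$digest] = true;
		$digest = $openssl_digest_mappings[$digest];
	}
	return $digest;
}
```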
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index 512d7de..74082dd 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -5304,4 +5304,23 @@ function upgrade_164_to_165() {
}
}
+/* Fixup digest algorithm selection for OpenVPN clients and servers so they do not use aliased names. */
+function upgrade_165_to_166() {
+ require_once('openvpn.inc');
+ global $config;
+
+ if (isset($config['openvpn']) && is_array($config['openvpn'])) {
+ if (is_array($config['openvpn']['openvpn-server'])) {
+ foreach ($config['openvpn']['openvpn-server'] as &$vpn) {
+ $vpn['digest'] = openvpn_remap_digest($vpn['digest']);
+ }
+ }
+ if (is_array($config['openvpn']['openvpn-client'])) {
+ foreach ($config['openvpn']['openvpn-client'] as &$vpn) {
+ $vpn['digest'] = openvpn_remap_digest($vpn['digest']);
+ }
+ }
+ }
+}
+
?>
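Review bot: The two `foreach (... as &$vpn)` loops in upgrade_165_to_166() leave `$vpn` bound by reference to the last element after they finish; add `unset($vpn);` after each loop so any later by-value use of `$vpn` in this function cannot silently overwrite the final server or client entry. Instances without a `digest` key are passed to openvpn_remap_digest() through an undefined index, so the assignment should be guarded, e.g. `if (isset($vpn['digest'])) { $vpn['digest'] = openvpn_remap_digest($vpn['digest']); }`. Since openvpn_remap_digest() shells out to openssl on every call, it may be worth noting in a comment that this upgrade step spawns one process per OpenVPN instance; the hunk closes the file with `?>`, which the surrounding file already had.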