pfSense

#!/bin/sh

#

# ovpn_auth_verify

#

# part of pfSense (https://www.pfsense.org)

# Copyright (c) 2004-2013 BSD Perimeter

# Copyright (c) 2013-2016 Electric Sheep Fencing

# Copyright (c) 2014-2025 Rubicon Communications, LLC (Netgate)

# All rights reserved.

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

if [ "$1" = "tls" ]; then

	for check_depth in $(/usr/bin/seq ${3} -1 0)

	do

		eval serial="\$tls_serial_${check_depth}"

		if [ -n "$serial" ]; then

			# $config contains the path, e.g. '/var/etc/openvpn/server1/config.ovpn'

			RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")

			if [ "${RESULT}" = "FAILED" ]; then

				exit 1

			fi

		fi

	done

else

	# Single quoting $password breaks getting the value from the variable.

	# Base64 and urlEncode usernames and passwords

	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')

	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')

	RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")

fi

if [ "${RESULT}" = "OK" ]; then

	exit 0

fi

exit 1