ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password
| Message ID | 20230210181343.17763-1-adolf.belka@ipfire.org |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4PD21W1sqGz3ws7 for <patchwork@web04.haj.ipfire.org>; Fri, 10 Feb 2023 18:14:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4PD21S6ngwz1Dk; Fri, 10 Feb 2023 18:14:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4PD21S4zrbz2yWN; Fri, 10 Feb 2023 18:14:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4PD21R0QzJz2xbq for <development@lists.ipfire.org>; Fri, 10 Feb 2023 18:14:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4PD21Q1THLzV7; Fri, 10 Feb 2023 18:14:02 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1676052842; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uddLFpkVoEvXKvUdWJ6RCvz1C+crw8fQKdvIbyJXjWY=; b=WUOeeKeo2sHK5LxwvhdeEuRll9v1lhrx7zGDE4lve3RiJPlZsRzsshMd+tV8LkSVMoth2K eFRrutoWp8kz6SDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1676052842; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uddLFpkVoEvXKvUdWJ6RCvz1C+crw8fQKdvIbyJXjWY=; b=WPU8CA8ieaPt2Uk8/pnSaCiVaSnRyXy9IoJpAlJLV69aI9qz7dQuHMgsGiitEDqoO66QDE 5oHrO6HMJTqwpv1QQz47/xldKOcUc1E6kHPt+rsiZYq6IlLloByqMDE9j/r8j7UykJxaj+ Lv7CENfnPBKzUJiqN/juCxZpscxccvSKXkR72gf9F9yCWdH3hcqkO4Ses+JInvC7zVZtCh 4DRwrPq5RYXoSgzo9uGqqcwsdqOtINEIeN01eVNKY9y3byH51xT5x17QG0t0b0UsWk8qQd PWWtCkgGo6qGikPczXzgNCaJ8D6iQmu36YDAbBMvdrutmG71y61xvrAyuH67Ew== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password Date: Fri, 10 Feb 2023 19:13:43 +0100 Message-Id: <20230210181343.17763-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password
|
|
Commit Message
Adolf Belka
Feb. 10, 2023, 6:13 p.m. UTC
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig. - The same block of code is also used for when he connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password. - This fix checks the password value only if entry 41 in the ovpnconfig file is a null. If it is a null then it enters no-pass if the password is a null and it enters pass if the password contains characters. This way the entry 41 always contains either pass or no-pass, except when the connection is being first added and saved. - When adding this fix into a Core Update the update.sh script will need to check if ovpnconfig exists and then add pass to all lines that have a null at entry 41. This will only fix those connections that have not already been edited. Any connections already edited will have no-pass at entry 41 of ovpnconfig and will therefore show the insecure package download icon. - The only way I can think of dealing with entries that already have no-pass added is to go through all .p12 files in the certs directory and if there is a connection entry with that name then to change the no-pass to a pass. However that will only work if the connection name has been set the same as the certificate name, which is not a requirement. - So I think we can only fix those coneections that have never been edited. Any connections with passwords that have already been edited and containg no-pass in ovpnconfig and showing the insecure package download icon will have to be manually dealt with by users. - I think that should still be okay because they currently have two icons when they shouldn't and that will continue to be the case if they don't carry out a manual edit of ovpnconfig. - Maybe someone can think of an alternative way of identifying all connections using a password so that they can have entry 41 changed to pass. I haven't been able to do that so far - Looking forward to feedback Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
Comments
Hi All, I have marked this patch as superseded as it became clear that also the N2N entries in ovpnconfig needed to be explicitly specified as no-pass. Also with the no password insecure option two icons were still shown for the download. There should only be one icon for each situation. One downloads the package with no password option and the certificates built into the .ovpn file and the other downloads the package with the .p12 file protected by a password. A new patch will be put together covering all above and tested and then submitted together with a tested script for giving all connections, N2N, password protected hosts and hosts with no password in ovpnconfig an explicit status of pass or no-pass. Regards, Adolf. On 10/02/2023 19:13, Adolf Belka wrote: > - The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig > is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the > connection is a host and if the first password entry is a null. Then it adds no-pass > to ovpnconfig. > - The same block of code is also used for when he connection is edited. However at this > stage the password entry is back to null because the password value is only kept until > the connection has been saved. Therefore doing an edit results in the password value > being taken as null even for connections with a password. > - This fix checks the password value only if entry 41 in the ovpnconfig file is a null. > If it is a null then it enters no-pass if the password is a null and it enters pass > if the password contains characters. This way the entry 41 always contains either pass > or no-pass, except when the connection is being first added and saved. > - When adding this fix into a Core Update the update.sh script will need to check if > ovpnconfig exists and then add pass to all lines that have a null at entry 41. This will > only fix those connections that have not already been edited. Any connections already > edited will have no-pass at entry 41 of ovpnconfig and will therefore show the insecure > package download icon. > - The only way I can think of dealing with entries that already have no-pass added is to > go through all .p12 files in the certs directory and if there is a connection entry > with that name then to change the no-pass to a pass. However that will only work if the > connection name has been set the same as the certificate name, which is not a > requirement. > - So I think we can only fix those coneections that have never been edited. Any connections > with passwords that have already been edited and containg no-pass in ovpnconfig and > showing the insecure package download icon will have to be manually dealt with by users. > - I think that should still be okay because they currently have two icons when they > shouldn't and that will continue to be the case if they don't carry out a manual edit > of ovpnconfig. > - Maybe someone can think of an alternative way of identifying all connections using a > password so that they can have entry 41 changed to pass. I haven't been able to do that > so far > - Looking forward to feedback > > Tested-by: Adolf Belka <adolf.belka@ipfire.org> > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > html/cgi-bin/ovpnmain.cgi | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 42a7354fc..2586a1796 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -4326,9 +4326,13 @@ if ($cgiparams{'TYPE'} eq 'net') { > $confighash{$key}[39] = $cgiparams{'DAUTH'}; > $confighash{$key}[40] = $cgiparams{'DCIPHER'}; > > - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { > - $confighash{$key}[41] = "no-pass"; > - } > + if ($confighash{$key}[41] eq "") { > + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { > + $confighash{$key}[41] = "no-pass"; > + } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) { > + $confighash{$key}[41] = "pass"; > + } > + } > > $confighash{$key}[42] = 'HOTP/T30/6'; > $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 42a7354fc..2586a1796 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4326,9 +4326,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { - $confighash{$key}[41] = "no-pass"; - } + if ($confighash{$key}[41] eq "") { + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) { + $confighash{$key}[41] = "pass"; + } + } $confighash{$key}[42] = 'HOTP/T30/6'; $confighash{$key}[43] = $cgiparams{'OTP_STATE'};