From patchwork Mon Sep 25 16:41:51 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7248 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4RvTDk5rpCz3wkw for ; Mon, 25 Sep 2023 16:42:14 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4RvTDh3ttCz1S8; Mon, 25 Sep 2023 16:42:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4RvTDh1WGQz306y; Mon, 25 Sep 2023 16:42:12 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4RvTDf732hz2xKH for ; Mon, 25 Sep 2023 16:42:10 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4RvTDf2vbCz18r; Mon, 25 Sep 2023 16:42:10 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1695660130; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=5jRn9H+lftsTgsPZwDO+Cym7veYhr9nvwn3FTQjRaJ4=; b=IrLmTv+c0/3F/Mkmu4F0lPzddg+TBQOQYouXG+mRirY3UDLM8iQYaNkng34zx5lsdrupxB 51R213V3kvd+KzAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1695660130; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=5jRn9H+lftsTgsPZwDO+Cym7veYhr9nvwn3FTQjRaJ4=; b=UBM4xXsC06/mrqzS4eifZy0vq9iA+nk9eA0WdIcro7rayRIREivUD5Al7VHnlcGNB7rrso GFHe4YpLFkdp3/cmfDFltnS6zRLdk9b6YZ780rAhZ2lrxx5UFofz5KldxdzyQ1duQAdbnj Ank8eiKvme1MT1yC/7dWsUm+Y1L5dJU0H/WQrbGNUzFK//I9jZA8bOaewdt8hsD4XTVx+a jA+Ounq1yrr5BVZzPaA3YzDPQo9pgt/RIETv8p8WvLktkiN3wN+WWiSM7DLPxBxWU6i16c 2Z4D/yIZK4D+QYkLpFXWYrSjWCGuKOhRO2ZrrB0mXCOdIbUFv5xeNejMQvItqA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Date: Mon, 25 Sep 2023 18:41:51 +0200 Message-ID: <20230925164204.3500045-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - At long last I have re-visited the patch submission for bug #11048 and fixed the issues that caused the problems last time I evaluated it in Testing. - The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig. - The same block of code is also used for when he connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password. - This fix enters no-pass if the connection type is host and the password is null, pass if the connection type is host and the password has characters. If the connection type is net then no-pass is used as net2net connections dop not have encrypted certificates. - The code has been changed to show a different icon for unencrypted and encrypted certificates. - Separate patches are provided for the language file change, the provision of a new icon and the code for the update.sh script for the Core Update to update all existing connections, if any exist, to have either pass or no-pass in index 41. - This patch set was a joint collaboration between Erik Kapfer and Adolf Belka - Patch set, including the code for the Core Update 180 update.sh script has been tested on a vm testbed Fixes: Bug#11048 Tested-by: Adolf Belka Suggested-by: Adolf Belka Suggested-by: Erik Kapfer Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 31 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5afe54f55..eb89c5095 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { - $confighash{$key}[41] = "no-pass"; - } + if ($confighash{$key}[41] eq "") { + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) { + $confighash{$key}[41] = "pass"; + } elsif ($cgiparams{'TYPE'} eq 'net') { + $confighash{$key}[41] = "no-pass"; + } + } $confighash{$key}[42] = 'HOTP/T30/6'; $confighash{$key}[43] = $cgiparams{'OTP_STATE'}; @@ -5512,20 +5518,24 @@ END } - print <$active + if ($confighash{$key}[41] eq "pass") { + print <$active -
- - - -
+
+ + + + +
END - ; - if ($confighash{$key}[41] eq "no-pass") { + ; } elsif ($confighash{$key}[41] eq "no-pass") { print < + $active + +
@@ -5533,7 +5543,7 @@ END
END - } else { + ; } else { print " "; } @@ -5609,30 +5619,33 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { print < - + + - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - -
  $Lang::tr{'legend'}:  $Lang::tr{$Lang::tr{'click to disable'}    ?RELOAD$Lang::tr{'dl client arch insecure'}    ?RELOAD$Lang::tr{'dl client arch'}     $Lang::tr{ $Lang::tr{'show certificate'}    $Lang::tr{$Lang::tr{'show otp qrcode'}
      ?FLOPPY$Lang::tr{'download certificate'}  ?OFF$Lang::tr{'click to enable'}  $Lang::tr{$Lang::tr{'click to disable'}    $Lang::tr{ $Lang::tr{'edit'}     $Lang::tr{ $Lang::tr{'remove'}
    ?OFF$Lang::tr{'click to enable'}    ?FLOPPY$Lang::tr{'download certificate'}    ?RELOAD$Lang::tr{'dl client arch'}    $Lang::tr{$Lang::tr{'show otp qrcode'}

+ +
END ; }