From patchwork Mon Feb 26 15:05:00 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7563
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] ovpnmain.cgi: Fixes bug#13404 - prevents certs being saved if common name is already used
Date: Mon, 26 Feb 2024 16:05:00 +0100
Message-ID: <20240226150501.16508-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- This was fixed by moving the code for checking if the common name is already used to the same location as the code for checking if the connection name is already used.
- Tested out on vm testbed and confirmed that the certificates are not created and the index.txt not updated if the common name is flagged as already being used. If the entry is changed to use a new CN and Save pressed then the certs are saved and the index.txt updated. If Cancel is pressed then no certs are saved and index.txt is not updated.

Fixes: Bug#13404
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/ovpnmain.cgi | 38 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index eb89c5095..98900b277 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4216,15 +4216,25 @@ if ($cgiparams{'TYPE'} eq 'net') { } } - # Check for RW if client name is already set - if ($cgiparams{'TYPE'} eq 'host') { - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; - } - } - } + # Check for RW if client name is already set + if ($cgiparams{'TYPE'} eq 'host') { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + } + + # Check if there is no other entry with this common name + if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { + $errormessage = $Lang::tr{'a connection with this common name already exists'}; + goto VPNCONF_ERROR; + } + } + } # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; @@ -4309,16 +4319,6 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } - # Check if there is no other entry with this common name - if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) { - foreach my $key (keys %confighash) { - if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - $errormessage = $Lang::tr{'a connection with this common name already exists'}; - goto VPNCONF_ERROR; - } - } - } - # Save the config my $key = $cgiparams{'KEY'};
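Review bot: in the first hunk (@@ -4216,15 +4216,25 @@) the nine lines from `# Check for RW if client name is already set` through the closing braces are removed and re-added with identical content, so that part of the hunk looks like a whitespace-only re-indentation; either drop it so the diff contains only the relocated common-name check, or state in the commit message that the re-indentation is intentional, so the one logic change (the duplicate `CERT_NAME` check now running before `# Replace empty strings with a .`) is the only thing a reviewer has to evaluate. The relocated check keeps the same guard as before, `(! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')`, so it still applies only to newly created, certificate-based entries, which matches the bug description.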
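Review bot: the second hunk (@@ -4309,16 +4319,6 @@) removes exactly the block re-added in the first hunk, so the net effect is a pure move of the common-name check from just before `# Save the config` to just after the connection-name check; what the diff does not show is the code between the old position (around line 4309) and the new one (around line 4216). Since the commit message says certificates were created and index.txt updated before the duplicate-CN check fired, the certificate-generation step must sit in that gap; naming it in the commit message (the call that the check now precedes) would let a reviewer confirm the ordering fix from the patch alone, and it would be worth a test that a duplicate CN submitted for an existing entry edit (where `$cgiparams{'KEY'}` is set) still behaves as intended, because the guard deliberately skips that case.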