From patchwork Wed Dec 11 11:51:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 8318 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y7YqP5q0Kz3wxp for ; Wed, 11 Dec 2024 11:52:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y7YqN1jgTz4Md; Wed, 11 Dec 2024 11:52:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y7YqN0840z340v; Wed, 11 Dec 2024 11:52:00 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y7YqK4FVkz32wS for ; Wed, 11 Dec 2024 11:51:57 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Y7YqJ6QyMz1G0; Wed, 11 Dec 2024 11:51:56 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1733917917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=kvr+hohqQ9lni1Q9hSJ/aPmqixQVFtdYP5KowhZ6ZNk=; b=hXv4qst/yPT/ZyXnV7sH3rBTZokIByRbqRO6YLReAKA4zvDOQOfwj3kn80AvrvCfxc9vTp deu9dsfvJXtQgcCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1733917917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=kvr+hohqQ9lni1Q9hSJ/aPmqixQVFtdYP5KowhZ6ZNk=; b=LU8aA7/knh+E3Vo+gHY9sewDzmMdCZd0uDG3D16UtBKiPPLujKdH8CRy8JpYI3RWuBz0uF Zk0Kwf4FGoDUfUCO9yOtHYTn7cNYSbc7PSrG1HBNVGTiomPePjPcpTohBPKYVTgz4xwDBl oHtgeEleHVE1o3nAsvLWGTkc5eUyIapMqWF8bAerp+o0C3N1BfAmEn6Y6HdmhL93ICEw61 WVMEeaQnkOws9Z4e6xTjoxCklVcf8nX0aJWmdQ/P9tvjRoGpFNZvu5r7Y38N1gNvZaf+64 xhqgUF20kJjcrkY3cwOPBJwPoWYk5OZpIIoNxH8Ea/Gzvbsbe77DkmWstH+WUQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/2] vpnmain.cgi: Fix for 2nd part of bug10595 Date: Wed, 11 Dec 2024 12:51:43 +0100 Message-ID: <20241211115144.2837-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: ROQIIEWTI3BHTN6CF2CLSE243BQ3GXRS X-Message-ID-Hash: ROQIIEWTI3BHTN6CF2CLSE243BQ3GXRS X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Bug10595 had two parts in it and was closed after the first part was fixed. The second part was still unfixed at that time. I cam across it when checking out an open bug on a similar issue with OpenVPN. - I found the section that checks on the CA Name and modified it to also allow spaces. - Having modified that then the subroutines getsubjectfromcert and getCNfromcert required to have quotation marks put around the parameter that had the CA Name with spaces in it otherwise the openssl statement only got a filename with the first portion of the ca name until the first space was encountered. - Tested this change out on my vm and it worked fine. I was able to upload a ca certificate into IPSec and use spaces in the CA Name. Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi old mode 100755 new mode 100644 index 3541aaa29..694eeed76 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -245,7 +245,7 @@ sub callssl ($) { ### sub getCNfromcert ($) { #&General::log("ipsec", "Extracting name from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + my $temp = `/usr/bin/openssl x509 -text -in '$_[0]'`; $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; @@ -259,7 +259,7 @@ sub getCNfromcert ($) { ### sub getsubjectfromcert ($) { #&General::log("ipsec", "Extracting subject from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + my $temp = `/usr/bin/openssl x509 -text -in '$_[0]'`; $temp =~ /Subject: (.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; @@ -644,8 +644,8 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) { + $errormessage = $Lang::tr{'ca name must only contain characters or spaces'}; goto UPLOADCA_ERROR; }