From patchwork Thu Mar 6 11:32:20 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8510
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH v3 1/2] vpnmain.cgi: Fix for 2nd part of bug10595
Date: Thu, 6 Mar 2025 12:32:20 +0100
Message-ID: <20250306113221.6990-1-adolf.belka@ipfire.org>

- Bug10595 had two parts in it and was closed after the first part was fixed. The second part was still unfixed at that time. I came across it when checking out an open bug on a similar issue with OpenVPN.
- I found the section that checks on the CA Name and modified it to also allow spaces.
- Having modified that, the subroutines getsubjectfromcert and getCNfromcert required modifications, otherwise the openssl statement only got a filename with the first portion of the ca name until the first space was encountered.
  This v2 version of this patch set has the safe approach suggested by @Michael.
  This v3 version has been rebased to another patch submission that modified lines in a similar place and prevented a merge from working.
- I am open to any suggestions for improvements to how I implemented the use of the &General::system_output function.
- Tested this change out on my vm and it worked fine. I was able to upload a ca certificate into IPSec and use spaces in the CA Name.
- Changed the test for the CA_NAME to allow spaces. Change also made to en.pl file.

Fixes: Bug10595 part 2
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index c9bbbb494..0c69efb17 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -245,13 +245,16 @@ sub callssl ($) { ### sub getCNfromcert ($) { #&General::log("charon", "Extracting name from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST = / S = /; - $temp =~ s/,//g; - $temp =~ s/\'//g; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]"); + my $temp; + foreach my $line (@output) { + $line =~ /Subject:.*CN\s*=\s*(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST = / S = /; + $temp =~ s/,//g; + $temp =~ s/\'//g; + } return $temp; } ### @@ -259,11 +262,14 @@ sub getCNfromcert ($) { ### sub getsubjectfromcert ($) { #&General::log("charon", "Extracting subject from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject: (.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST = / S = /; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]"); + my $temp; + foreach my $line (@output) { + $line =~ /Subject: (.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST = / S = /; + } return $temp; } ### @@ -644,8 +650,8 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) { + $errormessage = $Lang::tr{'ca name must only contain characters and spaces'}; goto UPLOADCA_ERROR; }
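Review bot: in the new `foreach` loop of getCNfromcert (first hunk), `$temp = $1;` and the four substitutions run on every line of @output whether or not the `Subject:` pattern matched, so when the loop ends $temp holds whatever $1 was after the final line of the openssl output (the trailing PEM block), not the CN. A failed match does not set $1, so the returned value will normally be undefined, and the `s///` calls on it will warn. Guard the body on the match and stop at the first hit, e.g. `if ($line =~ /Subject:.*CN\s*=\s*(.*)[\n]/) { $temp = $1; ... ; last; }`. Two further points: the pattern still ends in `[\n]`, which only matches if General::system_output hands back each line with its newline intact; if it chomps the lines the pattern never matches, so that should be verified against the helper. The move from backticks with an interpolated `$_[0]` to the list-form system_output call is the right fix for the spaces problem and, as a side benefit, stops the shell from interpreting any other metacharacters in the filename, so this part should stay.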
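Review bot: getsubjectfromcert (second hunk) has the same unconditional assignment: `$temp = $1;` runs for every line, so the value returned is whatever $1 held after the last line of output rather than the captured subject. Wrap the assignment and the two substitutions in `if ($line =~ /Subject: (.*)[\n]/) { ... last; }` as for getCNfromcert. Since both subroutines now run the identical `/usr/bin/openssl x509 -text -in` command and differ only in the regex and the post-processing, a small shared helper that runs General::system_output once and returns the `Subject:` line would keep the match check, the `[\n]` assumption and the substitutions in one place instead of two.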
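Review bot: in the CA_NAME check (third hunk) the quantifier changed from `+` to `*` together with adding the space, so `^[a-zA-Z0-9 ]*$` now accepts an empty name, a name made only of spaces, and names with leading or trailing spaces, none of which the old `^[a-zA-Z0-9]+$` allowed. Because the name goes on to form part of the certificate filename handed to openssl (the problem this series is fixing), a blank or space-only name should be rejected explicitly. Keep `+` at minimum; if you also want to rule out leading, trailing or doubled spaces, `^[a-zA-Z0-9]+( [a-zA-Z0-9]+)*$` requires at least one alphanumeric on each side of every space. The new key 'ca name must only contain characters and spaces' must exist in the language files for the error to render, and the commit message places that change in the companion patch, so the two need to be merged together.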