From patchwork Sun Mar 9 14:12:03 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8512
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug12298 - IPSec password cannot use semicolon
Date: Sun, 9 Mar 2025 15:12:03 +0100
Message-ID: <20250309141209.18633-1-adolf.belka@ipfire.org>

- The password for the pkcs12 certificate is passed to the openssl command via $opt but it is not quoted, and so the ; is taken as the end of the command rather than as part of the password. This also means that a pkcs12 file is not created and the .pem intermediate file is what is left in the directory.
- This patch makes the -passout option quoted in the same way as the -name and -caname options.
- Based on being the same as the name and caname parts in $opt, I believe that this should not give rise to a vulnerability, but I am open to being corrected.
- By quoting the -passout, the password must not contain double quotation marks, ", so a test for the password containing a " has been added.
- The message about the use of the double quotation mark has been added to the English, Dutch and German language files. Feel free to correct if what I have used is not correct. Those are in the other patch of this patch set.
- Tested out on my testbed system. I was able to create a pkcs12 certificate with a password containing a variety of characters, including the semicolon, and got a message that the password contains a double quotation mark when I used that.

Fixes: bug12298
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100755
new mode 100644
index c9bbbb494..8106ee24e
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2149,6 +2149,10 @@ END $errormessage = $Lang::tr{'password too short'}; goto VPNCONF_ERROR; } + if ($cgiparams{'CERT_PASS1'} =~ /["]/) { + $errormessage = $Lang::tr{'password has quotation mark'}; + goto VPNCONF_ERROR; + } if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; @@ -2226,7 +2230,7 @@ END $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name \"$cgiparams{'NAME'}\""; - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; + $opt .= " -passout pass:\"$cgiparams{'CERT_PASS1'}\""; $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
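Review bot: the file header ("old mode 100755" / "new mode 100644", also shown in the diffstat as "mode change 100755 => 100644") drops the executable bit from html/cgi-bin/vpnmain.cgi, which has nothing to do with the semicolon fix and, where the web server executes the CGI directly, would stop the page from running at all. This looks like an accidental permission change in the working copy; restore the mode (for example with git update-index --chmod=+x html/cgi-bin/vpnmain.cgi) and regenerate the patch so that only the two intended hunks remain.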
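Review bot: the check added in the first hunk rejects only the double quotation mark, which is enough only if " were the sole character the shell treats specially inside the new double-quoted -passout argument; in a POSIX shell the dollar sign, the backquote and the backslash are still interpreted inside double quotes, so a password containing any of them would still be altered or mis-parsed in the same way the semicolon was. Either extend the test so the same validation covers those characters (and name them in the 'password has quotation mark' message so the user knows what is disallowed), or, preferably, invoke openssl without a shell so that no password character has to be forbidden. Minor style point: /["]/ is a one-character class and can simply be written /"/.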
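Review bot: in the second hunk, quoting the pass: value fixes the semicolon case but leaves the password on the openssl command line, where it is readable by any local user through the process table (ps) for as long as openssl runs; that was already the case before this patch, but since the line is being changed it is worth fixing at the same time. openssl accepts -passout file:<path> and -passout fd:<n> as pass phrase sources, so writing the password to a temporary file created with mode 0600, or handing it over through a pipe, keeps it out of the argument list. If, in addition, the openssl arguments are passed to Perl's system() as a list rather than as the single string built in $opt, no shell parses the command at all, the semicolon and double quote become ordinary characters, and the rejection check from the first hunk is no longer needed.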