| Message ID | 20250401180802.19784-2-adolf.belka@ipfire.org |
|---|---|
| State | Staged |
| Commit | 41c7cc325e1e2f922de803842d0625e564f6771e |
| Headers |
Return-Path: <development+bounces-189-patchwork=ipfire.org@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ZRwwH43gFz3xD7 for <patchwork@web04.haj.ipfire.org>; Tue, 1 Apr 2025 18:08:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZRwwC5yCyz4XK for <patchwork@ipfire.org>; Tue, 1 Apr 2025 18:08:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZRwwB5JQMz3372 for <patchwork@ipfire.org>; Tue, 1 Apr 2025 18:08:10 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZRww75mpxz3348 for <development@lists.ipfire.org>; Tue, 1 Apr 2025 18:08:07 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZRww73kp9zGJ; Tue, 1 Apr 2025 18:08:07 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1743530887; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j/LYoYkx9d0tKvEeZB0FSyU7R5lgU1x6lRMW6M3Qz6c=; b=9NKEkYZoQ8oatGFmXGbFwtq3I6J4AQVVsK7Wu7Yo6/+1qez3B4EwkvPj9j6fWVqrG4HJY8 3ia30QoRKeXRKvDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1743530887; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j/LYoYkx9d0tKvEeZB0FSyU7R5lgU1x6lRMW6M3Qz6c=; b=cut6UyzIOZftkYc5SEcFHxRDyAh5Kpn0E9yGNVDA9JiJJeDn2RSLqY+/NpOfrRdP6/nRfl 0YApdpHnwpMJgjD8bjBud3Il/K5Za57OQ0x8pTAxw0LzSqIJs2m92yekvrZWSzCzkJ6LbJ 6QnvI3WMAf2cECDlWXxA2gZJCk3qQ3OFJeoQNdm8FgFI89MWIVEqyfbl3LDCQfyZHolIQJ MyCv33xOHaDJOnoTZjfPQwmjX7fdwhC8bIiBcwlKs9bgGuT2l1sUq6d8v9/wfd53bl1yBb /bEsAQF257EXjsizTYoiW4ieSDglC/l++/rrHz/CM0BUD9QPLJ7V4mpehauwyw== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Cc: Adolf Belka <adolf.belka@ipfire.org> Subject: [PATCH 2/6] vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate Date: Tue, 1 Apr 2025 20:07:58 +0200 Message-ID: <20250401180802.19784-2-adolf.belka@ipfire.org> In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org> References: <20250401180802.19784-1-adolf.belka@ipfire.org> Precedence: list List-Id: <development.lists.ipfire.org> List-Subscribe: <https://lists.ipfire.org/>, <mailto:development+subscribe@lists.ipfire.org?subject=subscribe> List-Unsubscribe: <https://lists.ipfire.org/>, <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development+help@lists.ipfire.org?subject=help> Sender: <development@lists.ipfire.org> Mail-Followup-To: <development@lists.ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit |
| Series |
[1/6] vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls
|
|
Commit Message
Adolf Belka
April 1, 2025, 6:07 p.m. UTC
- As the serial number is incremented now for each new cert that is created, then when a client cert is deleted from the ipsec list in the wui then that cert must be revoked otherwise it will still be listed in the .index file as a valid certificate and then the certificate name and DN could never be used again. - Running the revoke command when deleting a client cert leaves the details in the .index file but the same name can then be re-used and will get a new serial number etc. Fixes: bug13737 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --- html/cgi-bin/vpnmain.cgi | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-)
Comments
> On 1 Apr 2025, at 19:07, Adolf Belka <adolf.belka@ipfire.org> wrote: > > - As the serial number is incremented now for each new cert that is created, then when a > client cert is deleted from the ipsec list in the wui then that cert must be revoked > otherwise it will still be listed in the .index file as a valid certificate and then > the certificate name and DN could never be used again. > - Running the revoke command when deleting a client cert leaves the details in the .index > file but the same name can then be re-used and will get a new serial number etc. > > Fixes: bug13737 > Tested-by: Adolf Belka <adolf.belka@ipfire.org> > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > html/cgi-bin/vpnmain.cgi | 30 +++++++++++++++++++----------- > 1 file changed, 19 insertions(+), 11 deletions(-) > > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index 85119a81d..1c9f9243b 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -1595,17 +1595,25 @@ END > &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); > &General::readhasharray("${General::swroot}/vpn/config", \%confighash); > > - if ($confighash{$cgiparams{'KEY'}}) { > - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); > - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); > - delete $confighash{$cgiparams{'KEY'}}; > - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); > - &writeipsecfiles(); > - &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > - &General::firewall_reload(); > + if ($confighash{$cgiparams{'KEY'}}) { > + # Revoke the removed certificate > + if (!$errormessage) { > + &General::log("charon", "Revoking the removed client cert..."); > + my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"; > + $errormessage = &callssl($opt); This is another chance to perform some shell command execution because the $cgiparams{'KEY’} input is potentially unchecked. Can we change the validate the key before? It should be a number. In the if statement above, we are only checking if it is actually set. > + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); > + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); > + delete $confighash{$cgiparams{'KEY'}}; > + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); > + &writeipsecfiles(); > + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); > + } else { > + goto VPNCONF_ERROR; > + } > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > + } > + &General::firewall_reload(); > ### > ### Choose between adding a host-net or net-net connection > ### > -- > 2.49.0 > >
Hi Michael, On 02/04/2025 12:21, Michael Tremer wrote: > > >> On 1 Apr 2025, at 19:07, Adolf Belka <adolf.belka@ipfire.org> wrote: >> >> - As the serial number is incremented now for each new cert that is created, then when a >> client cert is deleted from the ipsec list in the wui then that cert must be revoked >> otherwise it will still be listed in the .index file as a valid certificate and then >> the certificate name and DN could never be used again. >> - Running the revoke command when deleting a client cert leaves the details in the .index >> file but the same name can then be re-used and will get a new serial number etc. >> >> Fixes: bug13737 >> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >> --- >> html/cgi-bin/vpnmain.cgi | 30 +++++++++++++++++++----------- >> 1 file changed, 19 insertions(+), 11 deletions(-) >> >> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> index 85119a81d..1c9f9243b 100644 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -1595,17 +1595,25 @@ END >> &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); >> &General::readhasharray("${General::swroot}/vpn/config", \%confighash); >> >> - if ($confighash{$cgiparams{'KEY'}}) { >> - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); >> - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >> - delete $confighash{$cgiparams{'KEY'}}; >> - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); >> - &writeipsecfiles(); >> - &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> - &General::firewall_reload(); >> + if ($confighash{$cgiparams{'KEY'}}) { >> + # Revoke the removed certificate >> + if (!$errormessage) { >> + &General::log("charon", "Revoking the removed client cert..."); >> + my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"; >> + $errormessage = &callssl($opt); > > This is another chance to perform some shell command execution because the $cgiparams{'KEY’} input is potentially unchecked. > > Can we change the validate the key before? It should be a number. In the if statement above, we are only checking if it is actually set. I will look at doing that. However it might have to wait till I am back from visiting my family. I might be able to do it while visiting my son but can't be sure I will get the time. Will put it on my list. Regards, Adolf. > >> + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); >> + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >> + delete $confighash{$cgiparams{'KEY'}}; >> + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); >> + &writeipsecfiles(); >> + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); >> + } else { >> + goto VPNCONF_ERROR; >> + } >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> + } >> + &General::firewall_reload(); >> ### >> ### Choose between adding a host-net or net-net connection >> ### >> -- >> 2.49.0 >> >> > >
Hello Adolf, > On 2 Apr 2025, at 11:41, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Michael, > > On 02/04/2025 12:21, Michael Tremer wrote: >>> On 1 Apr 2025, at 19:07, Adolf Belka <adolf.belka@ipfire.org> wrote: >>> >>> - As the serial number is incremented now for each new cert that is created, then when a >>> client cert is deleted from the ipsec list in the wui then that cert must be revoked >>> otherwise it will still be listed in the .index file as a valid certificate and then >>> the certificate name and DN could never be used again. >>> - Running the revoke command when deleting a client cert leaves the details in the .index >>> file but the same name can then be re-used and will get a new serial number etc. >>> >>> Fixes: bug13737 >>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>> --- >>> html/cgi-bin/vpnmain.cgi | 30 +++++++++++++++++++----------- >>> 1 file changed, 19 insertions(+), 11 deletions(-) >>> >>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >>> index 85119a81d..1c9f9243b 100644 >>> --- a/html/cgi-bin/vpnmain.cgi >>> +++ b/html/cgi-bin/vpnmain.cgi >>> @@ -1595,17 +1595,25 @@ END >>> &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); >>> &General::readhasharray("${General::swroot}/vpn/config", \%confighash); >>> >>> - if ($confighash{$cgiparams{'KEY'}}) { >>> - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); >>> - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >>> - delete $confighash{$cgiparams{'KEY'}}; >>> - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); >>> - &writeipsecfiles(); >>> - &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); >>> - } else { >>> - $errormessage = $Lang::tr{'invalid key'}; >>> - } >>> - &General::firewall_reload(); >>> + if ($confighash{$cgiparams{'KEY'}}) { >>> + # Revoke the removed certificate >>> + if (!$errormessage) { >>> + &General::log("charon", "Revoking the removed client cert..."); >>> + my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"; >>> + $errormessage = &callssl($opt); >> This is another chance to perform some shell command execution because the $cgiparams{'KEY’} input is potentially unchecked. >> Can we change the validate the key before? It should be a number. In the if statement above, we are only checking if it is actually set. > > I will look at doing that. However it might have to wait till I am back from visiting my family. I might be able to do it while visiting my son but can't be sure I will get the time. No rush, this is not that urgent, but of course we should not forget about it… -Michael > > Will put it on my list. > > Regards, > > Adolf. > >>> + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); >>> + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >>> + delete $confighash{$cgiparams{'KEY'}}; >>> + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); >>> + &writeipsecfiles(); >>> + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); >>> + } else { >>> + goto VPNCONF_ERROR; >>> + } >>> + } else { >>> + $errormessage = $Lang::tr{'invalid key'}; >>> + } >>> + &General::firewall_reload(); >>> ### >>> ### Choose between adding a host-net or net-net connection >>> ### >>> -- >>> 2.49.0
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 85119a81d..1c9f9243b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1595,17 +1595,25 @@ END &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } - &General::firewall_reload(); + if ($confighash{$cgiparams{'KEY'}}) { + # Revoke the removed certificate + if (!$errormessage) { + &General::log("charon", "Revoking the removed client cert..."); + my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"; + $errormessage = &callssl($opt); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + } else { + goto VPNCONF_ERROR; + } + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection ###