From patchwork Sat Nov 11 20:45:07 2017
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Fix to prevent exceedance of OpenSSL's max. validity.
Date: Sat, 11 Nov 2017 10:45:07 +0100
Message-Id: <1510393507-15218-1-git-send-email-erik.kapfer@ipfire.org>

- If the OpenSSL maximum of '999999' is exceeded over the WUI, the entry in OpenVPN's database index.txt will be written without a timestamp and crashes the database, which blocks the creation of new clients. To prevent this, a check has been set which restricts the data field of 'valid til days' to '6' digits.

Fixes: #10482
---
 html/cgi-bin/ovpnmain.cgi | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index ceb88c1..8f45f04 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4039,6 +4039,14 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } + # Check that OpenSSL maximum of valid days won´t be exceeded + if (length($cgiparams{'DAYS_VALID'}) > 6) { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -4221,6 +4229,12 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } + # Check that OpenSSL maximum of valid days won´t be exceeded + if (length($cgiparams{'DAYS_VALID'}) > 6) { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } + # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
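Review bot: the new guard in the net-to-net branch (first hunk, at 4039) tests `length($cgiparams{'DAYS_VALID'}) > 6`, which is a string-length check rather than a numeric one: a six-character value such as `-12345` or `1e9999` passes it, and nothing in the hunk ensures the field holds only digits. Unless DAYS_VALID is already validated as a number earlier in this path, a single check such as `if ($cgiparams{'DAYS_VALID'} !~ /^\d{1,6}$/)` would enforce both the digit format and the OpenSSL limit. The cleanup also mixes `unlink (...) or die` with `rmdir (...) || die`; a `die` inside the CGI turns an input validation error into an aborted request instead of the `$errormessage` this branch is trying to produce, so logging the failure and still reaching VPNCONF_ERROR would be more robust. Finally, the diffstat shows only ovpnmain.cgi changed, so `$Lang::tr{'invalid input for valid till days'}` must already exist as a key in the language files, otherwise the error message renders empty.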
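Review bot: the second hunk (host certificate branch at 4221) repeats the same `length(...) > 6` test and therefore shares the weakness that a non-numeric six-character string is accepted; the same `/^\d{1,6}$/` style check fits here, and since the condition and the error message are identical in both hunks, a small shared validation would keep the two copies from drifting apart. As a style nit, the comment `won´t` in both hunks uses an acute accent where an apostrophe is meant.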