From patchwork Fri Feb 10 18:13:43 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6507
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password
Date: Fri, 10 Feb 2023 19:13:43 +0100
Message-Id: <20230210181343.17763-1-adolf.belka@ipfire.org>

- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the connection is a host and if the first password entry is a null. Then it adds no-pass to ovpnconfig.
- The same block of code is also used for when the connection is edited. However at this stage the password entry is back to null because the password value is only kept until the connection has been saved. Therefore doing an edit results in the password value being taken as null even for connections with a password.
- This fix checks the password value only if entry 41 in the ovpnconfig file is a null. If it is a null then it enters no-pass if the password is a null and it enters pass if the password contains characters. This way the entry 41 always contains either pass or no-pass, except when the connection is being first added and saved.
- When adding this fix into a Core Update the update.sh script will need to check if ovpnconfig exists and then add pass to all lines that have a null at entry 41. This will only fix those connections that have not already been edited. Any connections already edited will have no-pass at entry 41 of ovpnconfig and will therefore show the insecure package download icon.
- The only way I can think of dealing with entries that already have no-pass added is to go through all .p12 files in the certs directory and if there is a connection entry with that name then to change the no-pass to a pass. However that will only work if the connection name has been set the same as the certificate name, which is not a requirement.
- So I think we can only fix those connections that have never been edited. Any connections with passwords that have already been edited and containing no-pass in ovpnconfig and showing the insecure package download icon will have to be manually dealt with by users.
- I think that should still be okay because they currently have two icons when they shouldn't and that will continue to be the case if they don't carry out a manual edit of ovpnconfig.
- Maybe someone can think of an alternative way of identifying all connections using a password so that they can have entry 41 changed to pass. I haven't been able to do that so far.
- Looking forward to feedback

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
html/cgi-bin/ovpnmain.cgi | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 42a7354fc..2586a1796 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4326,9 +4326,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { - $confighash{$key}[41] = "no-pass"; - } + if ($confighash{$key}[41] eq "") { + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) { + $confighash{$key}[41] = "pass"; + } + } $confighash{$key}[42] = 'HOTP/T30/6'; $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
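Review bot: the new `if ($confighash{$key}[41] eq "")` guard makes the update.sh migration a hard dependency rather than a nicety: on the edit path the commit message says CERT_PASS1 is always empty, so any host connection whose entry 41 is still empty at edit time will be stamped "no-pass" whether or not it has a password; the Core Update must therefore write "pass" into every empty entry 41 before users can edit again, and that ordering should be stated in the commit message or enforced in the update script. On style, the inner `if`/`elsif` both test `$cgiparams{'TYPE'} eq 'host'` and differ only in the CERT_PASS1 comparison, so they collapse to one branch, e.g. `if ($cgiparams{'TYPE'} eq 'host') { $confighash{$key}[41] = ($cgiparams{'CERT_PASS1'} eq "") ? "no-pass" : "pass"; }`. Lastly, inferring "first save" from an empty stored value is fragile; if the CGI already knows whether it is handling an add or an edit, keying the CERT_PASS1 evaluation on that would be more robust than on the contents of entry 41.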
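The update.sh step the commit message describes, written here as an added shell example that is not part of the patch or of IPFire's own update script. It assumes ovpnconfig is a comma-separated, one-record-per-line file with the numeric key first, so that entry 41 of the Perl array is column 43 (key + 42 values); the sample records are constructed.

```shell
# Added example (not the project's update.sh): the Core Update migration step
# from the commit message, as a testable shell function.
# Assumptions not stated on the page: ovpnconfig holds one connection per
# line, comma-separated, numeric key first, so entry [41] of the Perl array
# is comma-separated column 43 (key + 42 values). Adjust COL if the real
# layout differs.
COL=43

# mark_pass FILE: set column COL to "pass" on every line where it is empty.
# Lines already holding "pass" or "no-pass" are left alone, so connections
# edited before the fix (already "no-pass") stay as they are, as the commit
# message notes. A missing FILE is a no-op.
mark_pass() {
    f="$1"
    [ -f "$f" ] || return 0
    tmp="$f.tmp.$$"
    awk -F, -v OFS=, -v col="$COL" '
        { if (NF < col) $col = ""      # pad short records so the column exists
          if ($col == "") $col = "pass"
          print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# build_line KEY NAME PASSFIELD: constructed 45-column record with column 43
# set to PASSFIELD (other columns empty, like a minimal host connection).
build_line() {
    awk -v k="$1" -v n="$2" -v p="$3" 'BEGIN {
        OFS = ","; $1 = k; $2 = "ON"; $3 = n; $4 = "host"
        $43 = p; $44 = "HOTP/T30/6"; $45 = "off"; print
    }'
}

# field43 FILE NAME: print column 43 of the connection named NAME.
field43() { awk -F, -v n="$2" '$3 == n { print $43 }' "$1"; }

# Demo on a constructed file: alice was never edited (empty entry 41), bob
# was edited before the fix (no-pass), carol was added after it (pass).
demo() {
    f="${TMPDIR:-/tmp}/ovpnconfig.demo.$$"
    { build_line 1 alice ""; build_line 2 bob no-pass; build_line 3 carol pass; } > "$f"
    mark_pass "$f"
    printf '%s %s %s\n' "$(field43 "$f" alice)" "$(field43 "$f" bob)" "$(field43 "$f" carol)"
    rm -f "$f"
}
```

Only alice changes, which is exactly the limitation the commit message spells out: a connection already carrying "no-pass" from an earlier edit is indistinguishable from one that truly has no password.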