From patchwork Sun Mar 9 14:12:03 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8512
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug12298 - IPSec password cannot use semicolon
Date: Sun, 9 Mar 2025 15:12:03 +0100
Message-ID: <20250309141209.18633-1-adolf.belka@ipfire.org>

- The password for the pkcs12 certificate is passed to the openssl command via $opt but it is not quoted and so the ; is taken as the end of the command rather than as part of the password. This also means that a pkcs12 file is not created and the .pem intermediate file is what is left in the directory.
- This patch makes the -passout option quoted in the same way as the -name and -caname options.
- Based on being the same as the name and caname parts in $opt, I believe that this should not give rise to a vulnerability but I am open to being corrected.
- By quoting the -passout then the password must not contain double quotation marks, ", so a test for the password containing a " has been added.
- The message about the use of the double quotation mark has been added to the English, Dutch and German language files. Feel free to correct if what I have used is not correct. Those are in the other patch of this patch set.
- Tested out on my testbed system. I was able to create a pkcs12 certificate with a password containing a variety of characters, including the semicolon, and getting a message that the password contains a double quotation mark when I used that.

Fixes: bug12298
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100755
new mode 100644
index c9bbbb494..8106ee24e
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2149,6 +2149,10 @@ END $errormessage = $Lang::tr{'password too short'}; goto VPNCONF_ERROR; } + if ($cgiparams{'CERT_PASS1'} =~ /["]/) { + $errormessage = $Lang::tr{'password has quotation mark'}; + goto VPNCONF_ERROR; + } if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; 
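Review bot: the added `if ($cgiparams{'CERT_PASS1'} =~ /["]/)` guard is incomplete: $opt is still parsed by a shell (the commit message itself notes that `;` ended the command), and inside a double-quoted shell word `$`, backticks and `\` keep their meaning, so rejecting only `"` does not make the password inert. The robust fix is to run openssl through the list form of `system()` so that no shell sees the password at all, which makes this new check unnecessary; if the string must keep going through a shell, validate against an allow-list and reuse the existing 'password contains illegal characters' message rather than adding a one-character special case. Separately, the file header shows `old mode 100755` / `new mode 100644`: dropping the execute bit on a CGI script looks unintended and may stop the web server from running vpnmain.cgi, so that mode change should be left out of this patch.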
@@ -2226,7 +2230,7 @@ END $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name \"$cgiparams{'NAME'}\""; - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; + $opt .= " -passout pass:\"$cgiparams{'CERT_PASS1'}\""; $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
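Review bot: `-passout pass:\"...\"` still places the password on the openssl command line, where every local user can read it from the process list for as long as the export runs; the quoting does not change that. OpenSSL accepts the passphrase from other sources (`env:VAR`, `fd:N`, `file:path`), so set it in `%ENV` and pass `-passout env:PKCS12_PASS` (or pipe it in with `fd:`) instead. Combined with the list form of `system()` for the whole openssl invocation, neither `;` nor `"` has to be rejected, and the 'password has quotation mark' check and the language strings in patch 2/2 become unnecessary.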
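As an added example, not the patch's or IPFire's code, here is the same pkcs12 export built as an argument list and run with the list form of system(), so that neither `;` nor `"` in the password needs rejecting; the `pkcs12 -export` start of $opt (which the hunk does not show), the `/usr/bin/openssl` path, the `PKCS12_PASS` variable name and the sample values are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the IPFire tree: export a PKCS#12 bundle the way
# vpnmain.cgi does, but without handing the password to /bin/sh.
use strict;
use warnings;

# Assumed stand-ins for ${General::swroot}, $cgiparams{'NAME'},
# $vpnsettings{'ROOTCERT_ORGANIZATION'} and $cgiparams{'CERT_PASS1'}.
my $swroot = "/var/ipfire";
my $name   = "laptop01";
my $org    = "Example Org";
my $pass   = 'p4ss;word "with" odd chars';   # constructed test input

# Build argv as a list.  Each element is one argument whatever it contains,
# so ';', '"', '$', '`' or spaces in $name, $org or $pass are data, not
# syntax.  "pkcs12 -export" is the assumed start of $opt that the hunk does
# not show; the remaining options mirror the ones in the hunk.
sub pkcs12_argv {
    my ($swroot, $name, $org) = @_;
    return ("/usr/bin/openssl", "pkcs12", "-export",    # path is assumed
            "-inkey",    "$swroot/certs/${name}key.pem",
            "-in",       "$swroot/certs/${name}cert.pem",
            "-name",     $name,
            "-passout",  "env:PKCS12_PASS",   # read from the environment
            "-certfile", "$swroot/ca/cacert.pem",
            "-caname",   "$org CA",
            "-out",      "$swroot/certs/$name.p12");
}

sub export_pkcs12 {
    my ($swroot, $name, $org, $pass) = @_;
    my @argv = pkcs12_argv($swroot, $name, $org);

    # argv (/proc/<pid>/cmdline) is readable by every local user while
    # openssl runs; a process's environment is readable only by its owner
    # and root.  local() restores %ENV when this sub returns.
    local $ENV{PKCS12_PASS} = $pass;

    # List form of system(): execvp() directly, no shell parses @argv.
    my $rc = system(@argv);
    return 1 if $rc == 0;
    warn "openssl pkcs12 failed: exit " . ($? >> 8) . "\n";
    return 0;
}

# Only run the export if the key and certificate exist; otherwise just
# show the argv (note that the password is not in it).
if (-r "$swroot/certs/${name}key.pem" && -r "$swroot/certs/${name}cert.pem") {
    export_pkcs12($swroot, $name, $org, $pass) or exit 1;
} else {
    print join(" ", map { "[$_]" } pkcs12_argv($swroot, $name, $org)), "\n";
}
```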
From patchwork Sun Mar 9 14:12:04 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8511
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 2/2] language files: Update to include a message about a double quotation mark
Date: Sun, 9 Mar 2025 15:12:04 +0100
Message-ID: <20250309141209.18633-2-adolf.belka@ipfire.org>
In-Reply-To: <20250309141209.18633-1-adolf.belka@ipfire.org>
References: <20250309141209.18633-1-adolf.belka@ipfire.org>

Fixes: bug12298
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings  | 6 ++++++
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 langs/nl/cgi-bin/nl.pl | 1 +
 11 files changed, 16 insertions(+)

diff --git a/doc/language_issues.en b/doc/language_issues.en index a1730ac7b..02c4e6bfd 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1480,6 +1480,7 @@ WARNING: untranslated string: pap or chap = PAP or CHAP WARNING: untranslated string: parentclass = Parentclass WARNING: untranslated string: parentclass add = Add parentclass WARNING: untranslated string: password = Password: +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: password not set = Password not set. WARNING: untranslated string: password too short = Password is too short. WARNING: untranslated string: passwords do not match = Passwords do not match. diff --git a/doc/language_issues.es b/doc/language_issues.es index 0a89279d5..60177bf49 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es
@@ -1066,6 +1066,7 @@ WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: processors = Processors WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 7f9349bc0..7cf937d51 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -1014,6 +1014,7 @@ WARNING: untranslated string: load average = Load Average WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: processors = Processors WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: routing config added = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 16371b566..1595e79d9 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1269,6 +1269,7 @@ WARNING: untranslated string: pakfire tree = Repository WARNING: untranslated string: pakfire tree stable = Stable WARNING: untranslated string: pakfire tree testing = Testing WARNING: untranslated string: pakfire tree unstable = Unstable +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: please reboot to apply your changes = Please reboot to apply your changes WARNING: untranslated string: pptp netconfig = My Net Config WARNING: untranslated string: pptp peer = Peer diff --git a/doc/language_issues.pl b/doc/language_issues.pl index a3acc61af..935241881 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1464,6 +1464,7 @@ WARNING: untranslated string: pakfire tree = Repository WARNING: untranslated string: pakfire tree stable = Stable WARNING: untranslated string: pakfire tree testing = Testing WARNING: untranslated string: pakfire tree unstable = Unstable +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: please reboot to apply your changes = Please reboot to apply your changes WARNING: untranslated string: pptp netconfig = My Net Config WARNING: untranslated string: pptp peer = Peer diff --git a/doc/language_issues.ru b/doc/language_issues.ru index e946c22df..4e9dda4b4 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -1457,6 +1457,7 @@ WARNING: untranslated string: pakfire tree = Repository WARNING: untranslated string: pakfire tree stable = Stable WARNING: untranslated string: pakfire tree testing = Testing WARNING: untranslated string: pakfire tree unstable = Unstable +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: please reboot to apply your changes = Please reboot to apply your changes WARNING: untranslated string: pptp netconfig = My Net Config WARNING: untranslated string: pptp peer = Peer diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c0cb2703a..2746a108a 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1183,6 +1183,7 @@ WARNING: untranslated string: pakfire tree = Repository WARNING: untranslated string: pakfire tree stable = Stable WARNING: untranslated string: pakfire tree testing = Testing WARNING: untranslated string: pakfire tree unstable = Unstable +WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: please reboot to apply your changes = Please reboot to apply your changes WARNING: untranslated string: processor vulnerability mitigations = Processor Vulnerability Mitigations WARNING: untranslated string: processors = Processors diff --git a/doc/language_missings b/doc/language_missings index 92a78b090..c30f09827 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -150,6 +150,7 @@ < openvpn cert expires soon < openvpn cert has expired < ovpn roadwarrior server +< password has quotation mark < processors < regenerate host certificate < reg_file_data_sampling @@ -193,6 +194,7 @@ < load average < oops something went wrong < ovpn roadwarrior server +< password has quotation mark < processors < reg_file_data_sampling < scanned 
@@ -593,6 +595,7 @@ < pakfire tree testing < pakfire tree unstable < pak update +< password has quotation mark < please reboot to apply your changes < pptp netconfig < pptp peer @@ -2064,6 +2067,7 @@ < pakfire tree testing < pakfire tree unstable < pak update +< password has quotation mark < please reboot to apply your changes < pptp netconfig < pptp peer @@ -3084,6 +3088,7 @@ < pakfire tree testing < pakfire tree unstable < pak update +< password has quotation mark < please reboot to apply your changes < pptp netconfig < pptp peer @@ -3595,6 +3600,7 @@ < pakfire tree testing < pakfire tree unstable < pak update +< password has quotation mark < please reboot to apply your changes < processors < processor vulnerability mitigations diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 5f89c7010..5cac132b9 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2044,6 +2044,7 @@ 'password' => 'Passwort:', 'password contains illegal characters' => 'Passwort enthält ungültige(s) Zeichen.', 'password crypting key' => 'Schlüssel wird mit dem Passwort chiffriert', +'password has quotation mark' => 'Kennwort enthält ein unzulässiges doppeltes Anführungszeichen.', 'password not set' => 'Passwort nicht angegeben.', 'password too short' => 'Passwort ist zu kurz.', 'passwords do not match' => 'Die Passwörter stimmen nicht überein.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 197f44633..8c105150a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2108,6 +2108,7 @@ 'password' => 'Password:', 'password contains illegal characters' => 'Password contains illegal characters.', 'password crypting key' => 'Password crypting the key', +'password has quotation mark' => 'Password contains an illegal double quotation mark.', 'password not set' => 'Password not set.', 'password too short' => 'Password is too short.', 'passwords do not match' => 'Passwords do not match.', 
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index beb1b6e36..8b8979972 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1712,6 +1712,7 @@ 'password' => 'Wachtwoord:', 'password contains illegal characters' => 'Wachtwoord bevat ongeldige tekens.', 'password crypting key' => 'Wachtwoord codeert de sleutel', +'password has quotation mark' => 'Wachtwoord bevat een ongeldig dubbel aanhalingsteken.', 'password not set' => 'Wachtwoord niet ingesteld.', 'password too short' => 'Wachtwoord is te kort.', 'passwords do not match' => 'Wachtwoorden komen niet overeen.',
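Review bot: in the `langs/de/cgi-bin/de.pl` hunk the new string says `Kennwort` while every neighbouring entry (`'password' => 'Passwort:'`, `'password contains illegal characters' => 'Passwort enthält ...'`, `'password too short' => 'Passwort ist zu kurz.'`) uses `Passwort`; use `'Passwort enthält ein unzulässiges doppeltes Anführungszeichen.'` so the German wording stays consistent. The `doc/language_issues.*` and `doc/language_missings` hunks are the generated entries for the languages without a translation and match the new key, so nothing further is needed there; if the `"` check in patch 1/2 is replaced by a shell-free openssl invocation, this whole patch can be dropped.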