From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] OpenVPN: Fix to prevent exceedance of OpenSSLs max. validity. Date: Sat, 11 Nov 2017 10:45:07 +0100 Message-ID: <1510393507-15218-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4369568212381694244==" List-Id: --===============4369568212381694244== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - If the OpenSSL maximum of '999999' will be exceeded over the WUI, the entry= in OpenVPNs database index.txt will be written without a timestamp and crashes the database which blocks the creation of new clients. To prevent this, a check has been set which restricts the data field of 'valid til days' to '6' numerics. Fixes: #10482 --- html/cgi-bin/ovpnmain.cgi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index ceb88c1..8f45f04 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4039,6 +4039,14 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } =20 + # Check that OpenSSL maximum of valid days won=C2=B4t be exceeded + if (length($cgiparams{'DAYS_VALID'}) > 6) { + $errormessage =3D $Lang::tr{'invalid input for valid till days'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NA= ME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Remov= ing Directory fail: $!"; + goto VPNCONF_ERROR; + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage =3D $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; 
@@ -4221,6 +4229,12 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } =20 + # Check that OpenSSL maximum of valid days won=C2=B4t be exceeded + if (length($cgiparams{'DAYS_VALID'}) > 6) { + $errormessage =3D $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } + # Replace empty strings with a . (my $ou =3D $cgiparams{'CERT_OU'}) =3D~ s/^\s*$/\./; (my $city =3D $cgiparams{'CERT_CITY'}) =3D~ s/^\s*$/\./; --=20 2.7.4 --===============4369568212381694244==--
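Review bot: in the first hunk (@@ -4039, the 'net' branch) the cleanup uses `unlink (...) or die` and `rmdir (...) || die`, so a failed removal aborts the CGI before `goto VPNCONF_ERROR` and the user never sees the 'invalid input for valid till days' message. Set or append to `$errormessage` when cleanup fails instead of dying, and use one of `or` / `||` consistently. The need to remove the config file and directory here also suggests the DAYS_VALID check runs after they were written; validating the field before anything is created under n2nconf would make the cleanup unnecessary.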
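Review bot: in the second hunk (@@ -4221) `length($cgiparams{'DAYS_VALID'}) > 6` bounds only the number of characters, not what they are; unless a check outside the visible lines already restricts the field to digits, an empty or non-numeric value of six characters or fewer still passes. A single pattern test such as `$cgiparams{'DAYS_VALID'} !~ /^[0-9]{1,6}$/` would enforce both the numeric requirement and the 999999 limit described in the commit message. The condition is also duplicated verbatim from the first hunk, so a small shared helper would keep the two code paths in step. The comment spells "won't" with an acute accent (´) rather than an apostrophe, which puts a non-ASCII byte into the source file.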