* [PATCH 1/2] ovpnmain.cgi: Fixes bug#13404 - prevents certs being saved if common name is already used
@ 2024-02-26 15:05 Adolf Belka
2024-02-26 15:05 ` [PATCH 2/2] backup.pl: Fixes bug#13404 - Clear out OpenVPN certs before doing restore Adolf Belka
0 siblings, 1 reply; 2+ messages in thread
From: Adolf Belka @ 2024-02-26 15:05 UTC (permalink / raw)
To: development
- This was fixed by moving the code for checking if the common name is already used, to
the same location as the code for checking if the connection name is already used.
- Tested out on vm testbed and confirmed that the certificates are not created and the
index.txt not updated if the common name is flagged as already being used. If the
entry is changed to use a new CN and Save pressed then the certs are saved and the
index.txt updated. If Cancel is pressed then no certs are saved and index.txt is not
updated.
Fixes: Bug#13404
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index eb89c5095..98900b277 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4216,15 +4216,25 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
}
- # Check for RW if client name is already set
- if ($cgiparams{'TYPE'} eq 'host') {
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
- $errormessage = $Lang::tr{'a connection with this name already exists'};
- goto VPNCONF_ERROR;
- }
- }
- }
+ # Check for RW if client name is already set
+ if ($cgiparams{'TYPE'} eq 'host') {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+
+ # Check if there is no other entry with this common name
+ if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this common name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
# Replace empty strings with a .
(my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
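Review bot: The first nine removed and nine re-added lines of this hunk (the `# Check for RW if client name is already set` block) are textually identical, so this part reads as a whitespace-only re-indent bundled with the functional change. Either mention the re-indent in the commit message or split it into its own patch, so that the ten lines that actually change behaviour (the relocated `# Check if there is no other entry with this common name` block) are what a reader of the diff sees. It would also help to extend the relocated block's comment to say why it must run this early, namely that it has to fail before any certificate is generated or index.txt is touched, since that ordering is the whole fix and nothing in the code records it.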
@@ -4309,16 +4319,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
goto VPNCONF_ERROR;
}
- # Check if there is no other entry with this common name
- if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
- $errormessage = $Lang::tr{'a connection with this common name already exists'};
- goto VPNCONF_ERROR;
- }
- }
- }
-
# Save the config
my $key = $cgiparams{'KEY'};
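Review bot: Dropping the check from just before `# Save the config` means that any value assigned to `$cgiparams{'CERT_NAME'}` between the new location (around line 4216) and this point is no longer compared against `$confighash{$key}[2]`. The guard only excludes `AUTH eq 'psk'`, so please confirm that for every other AUTH value the common name is already final when the earlier check runs, for example that it is not filled in later from an uploaded certificate or request. If any such path exists, keep a second duplicate test here for it, or move that assignment ahead of the new check; the commit message describes testing only the case where the CN is entered in the form.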
--
2.44.0
* [PATCH 2/2] backup.pl: Fixes bug#13404 - Clear out OpenVPN certs before doing restore
2024-02-26 15:05 [PATCH 1/2] ovpnmain.cgi: Fixes bug#13404 - prevents certs being saved if common name is already used Adolf Belka
@ 2024-02-26 15:05 ` Adolf Belka
0 siblings, 0 replies; 2+ messages in thread
From: Adolf Belka @ 2024-02-26 15:05 UTC (permalink / raw)
To: development
- Existing situation is if four new client connections are created and then it is decided
to restore to an earlier stage the new certificates will be in the certs directory but
not usable from the WUI page as they are no longer shown in the client connection table
as that now shows the ones from the restored backup.
- This patch clears the /var/ipfire/ovpn/certs/ directory before restoring the contents
of the backup so that the certs directory only holds what was in the backup.
Fixes: Bug#13404
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/backup/backup.pl | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 7992f21c5..b43420740 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -75,6 +75,10 @@ make_backup() {
restore_backup() {
local filename="${1}"
+ # remove all openvpn certs to prevent old unusable
+ # certificates being left in directory after a restore
+ rm -f /var/ipfire/ovpn/certs/*
+
# Extract backup
if ! tar xvzpf "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
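Review bot: The `rm -f /var/ipfire/ovpn/certs/*` runs unconditionally before the `if ! tar xvzpf ...` test, so a corrupt or truncated archive, or one that carries no OpenVPN certificates (for instance because of an entry in the `--exclude-from` list), leaves the box with an empty certs directory and nothing to fall back on. Consider checking the archive first (a `tar tzf "${filename}"` listing that succeeds and contains entries under var/ipfire/ovpn/certs/) and only then clearing the directory, or moving the existing certificates aside and putting them back when the extract fails. The comment could also state that the glob is deliberate in removing every file in the directory, whether or not it is referenced by the current configuration, since that is what the commit message describes.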
--
2.44.0