From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH 1/2] vpnmain.cgi: Fixes bug12298 - IPSec password cannot use semicolon
Date: Sun,  9 Mar 2025 15:12:03 +0100
Message-ID: <20250309141209.18633-1-adolf.belka@ipfire.org>

- The password for the pkcs12 certificate is passed to the openssl command via $opt, but
   it is not quoted, so the ; is taken as the end of the command rather than as part
   of the password. This also means that a pkcs12 file is not created and the .pem
   intermediate file is what is left in the directory.
- This patch makes the -passout option quoted in the same way as the -name and -caname
   options.
- Based on this being the same as the name and caname parts in $opt, I believe that this should
   not give rise to a vulnerability, but I am open to being corrected.
- By quoting the -passout value, the password must not contain double quotation marks, ",
   so a test for the password containing a " has been added.
- The message about the use of the double quotation mark has been added to the English,
   Dutch and German language files. Feel free to correct if what I have used is not
   correct. Those are in the other patch of this patch set.
- Tested out on my testbed system. I was able to create a pkcs12 certificate with a
   password containing a variety of characters, including the semicolon, and got
   a message that the password contains a double quotation mark when I used that.

Fixes: bug12298
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100755
new mode 100644
index c9bbbb494..8106ee24e
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
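Review bot: the patch carries an unintended file mode change, `old mode 100755` / `new mode 100644` (also shown in the diffstat as `mode change 100755 => 100644 html/cgi-bin/vpnmain.cgi`), which drops the execute bit on a CGI script and is unrelated to the bug being fixed. Please restore the mode before this is merged, or regenerate the patch with `git diff` run from a tree where the file is still 0755, so the series only contains the two functional hunks.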
@@ -2149,6 +2149,10 @@ END
 			$errormessage = $Lang::tr{'password too short'};
 			goto VPNCONF_ERROR;
 		}
+		if ($cgiparams{'CERT_PASS1'} =~ /["]/) {
+			$errormessage = $Lang::tr{'password has quotation mark'};
+			goto VPNCONF_ERROR;
+		}
 		if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
 			$errormessage = $Lang::tr{'passwords do not match'};
 			goto VPNCONF_ERROR;
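Review bot: the new check `if ($cgiparams{'CERT_PASS1'} =~ /["]/)` rejects only a literal double quote, which is not enough to make the later interpolation safe: inside a double-quoted shell argument the characters `$`, backtick and backslash are still interpreted by the shell, so a password containing them would still alter the command rather than be used verbatim. If the value has to go through the shell, the check should reject that whole set (or whitelist an allowed character set) rather than `"` alone; if the shell is taken out of the path, no character check is needed at all. Minor style point: the single-element character class `/["]/` can be written `/"/`.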
@@ -2226,7 +2230,7 @@ END
 		$opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 		$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 		$opt .= " -name \"$cgiparams{'NAME'}\"";
-		$opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
+		$opt .= " -passout pass:\"$cgiparams{'CERT_PASS1'}\"";
 		$opt .= " -certfile ${General::swroot}/ca/cacert.pem";
 		$opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
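Review bot: wrapping the value in `\"...\"` at `$opt .= " -passout pass:\"$cgiparams{'CERT_PASS1'}\"";` stops `;` from terminating the command, but a double-quoted shell argument still expands `$`, backtick and backslash, so quoting here only narrows the problem. A more robust fix is to keep the secret out of the shell entirely: OpenSSL accepts `-passout env:VARNAME` or `-passout file:PATH` as alternatives to `pass:`, so the password can be supplied through an environment variable or a mode-0600 temporary file, which also keeps it out of the process list (`pass:` values are visible to `ps` for the lifetime of the openssl process). Invoking openssl with a list-form `system()` (separate arguments, no shell) would likewise remove the need to quote `-name` and `-caname` on the surrounding lines.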
-- 
2.48.1