openvpn: Fix verifying the certificate CN with email addresses. ovpn-verify-fix
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Jun 2014 15:08:36 +0000 (17:08 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Jun 2014 15:08:36 +0000 (17:08 +0200)
Reported-by: Stefan Ferstl <st.ferstl@gmail.com>
Fixes #10552:
  https://bugzilla.ipfire.org/show_bug.cgi?id=10552

config/ovpn/verify
config/ovpn/verify-test [new file with mode: 0644]
config/rootfiles/core/80/filelists/files

index 1a1fcb501d83065ca5fb408580789b993740e921..c4cbec3bd3da2fa0be846b44c60cd08c528de912 100644 (file)
@@ -30,7 +30,7 @@ my $CN    = $ARGV[1];
 exit 0 unless ($DEPTH eq "0");
 
 # Strip the CN from the X509 identifier.
-$CN =~ /(\/|,\ )CN=(.*)$/i;
+$CN =~ /(\/|,\ )CN=([^,\/ ]+)?/i;
 $CN = $2;
 
 my %confighash = ();
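Review bot: The result of the match on the `$CN =~` line is never tested, so for a subject string the pattern does not match, `$CN = $2` assigns undef (or whatever an earlier successful match left in `$2`) and the script carries on with that value. The new class `[^,\/ ]+` also stops at the first space, so a CN such as `John Doe` would be reduced to `John` and the code after the hunk would check a name the certificate does not carry; the trailing `?` additionally lets the pattern succeed with no CN value at all. I would capture up to the next separator only and fail closed, e.g. `exit 1 unless $CN =~ /(?:\/|,\ )CN=([^,\/]+)/i;` followed by `$CN = $1;`, assuming a non-zero exit is how this script rejects a certificate, which the visible lines do not show. The script begins before and continues after this hunk, so how `$CN` is used afterwards is not visible here. Longer term, OpenVPN exports the parsed subject fields to tls-verify scripts as environment variables (`X509_0_CN` for the peer certificate), which avoids parsing the one-line subject string at all.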
diff --git a/config/ovpn/verify-test b/config/ovpn/verify-test
new file mode 100644 (file)
index 0000000..42ad2ce
--- /dev/null
@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+
+my @teststrings = (
+       ["ovpnClient", "C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient\@example.com"],
+       ["ovpnClient", "C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient"],
+       ["ovpnClient", "C=XX/L=Xxxxxx/O=xxx/OU=XX/CN=ovpnClient/emailAddress=ovpnClient\@example.com"],
+       ["ovpnClient", "C=XX/L=Xxxxxx/O=xxx/OU=XX/CN=ovpnClient"],
+);
+
+foreach my $string (@teststrings) {
+       my $result = @$string[0];
+       my $cn     = @$string[1];
+
+       $cn =~ /(\/|,\ )CN=([^,\/ ]+)?/i;
+       $cn = $2;
+
+       if ($result eq $cn) {
+               print "GOOD: @$string\n";
+       } else {
+               print "ERROR: -->$cn<-- (@$string)\n";
+       }
+}
+
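Review bot: The loop in verify-test only prints `GOOD`/`ERROR` and the script always exits 0, so a regression in the pattern would go unnoticed by anything that runs it automatically; counting failures and ending with `exit($failed ? 1 : 0);` would make it usable as a check. All four cases are subjects that should match, so nothing covers a subject without a CN, a CN containing a space, or a CN as the first attribute, which are the inputs where the extraction can return undef or a shortened name. The pattern is also copied here rather than shared with config/ovpn/verify, so the two can drift apart; a comment such as `# Keep in sync with the CN pattern in config/ovpn/verify` would at least flag that. Adding `use strict; use warnings;` at the top would surface the undef comparison in `$result eq $cn` when a match fails.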
index 409e5fe8ac4e0442392c03e5efbd9d5d44e33c72..6c3001f42b5807bf162a414608368f7c46c80e23 100644 (file)
@@ -1,2 +1,3 @@
 etc/system-release
 etc/issue
+usr/lib/openvpn/verify