From: Michael Tremer Date: Mon, 21 Aug 2017 12:19:01 +0000 (+0000) Subject: ipsec: Properly validate FQDNs X-Git-Tag: 010~183 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01ff07e90e487bfdb6b796a1cfac82715a54ffe3;p=network.git ipsec: Properly validate FQDNs Fixes #11441 Signed-off-by: Michael Tremer
---
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index a15ff468..6f14c8ea 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -1086,12 +1086,18 @@ ipsec_connection_check_peer() {
 assert [ $# -eq 1 ]
 local peer=${1}
- # TODO Accept also FQDNs
+ # IP addresses are accepted
 if ip_is_valid ${peer}; then
 return ${EXIT_TRUE}
- else
- return ${EXIT_FALSE}
 fi
+
+ # FQDNs are okay, too
+ if fqdn_is_valid "${peer}"; then
+ return ${EXIT_TRUE}
+ fi
+
+ # We cannot use anything else
+ return ${EXIT_FALSE}
 }
 # This function checks if a VPN IPsec connection name is valid
diff --git a/src/functions/functions.util b/src/functions/functions.util
index dff0b907..73778180 100644
--- a/src/functions/functions.util
+++ b/src/functions/functions.util
@@ -316,6 +316,17 @@ mac_is_valid() {
 [[ ${mac} =~ ^([0-9a-f]{2}\:){5}[0-9a-f]{2}$ ]]
 }
+# Converts the given string to lowercase and returns true if it is a valid FQDN
+fqdn_is_valid() {
+ local fqdn="${1}"
+
+ if grep -qP "^(?!:\/\/)(?=.{1,255}$)((.{1,63}\.){1,127}(?![0-9]*$)[a-z0-9-]+\.?)$" <<< "${fqdn,,}"; then
+ return ${EXIT_TRUE}
+ fi
+
+ return ${EXIT_FALSE}
+}
+
 uuid() {
 echo $(
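Review bot: The FQDN branch added to ipsec_connection_check_peer accepts whatever fqdn_is_valid accepts, and that pattern's label part `(.{1,63}\.){1,127}` uses `.`, so whitespace, quotes and other non-hostname characters pass in every label except the last. Restricting labels to hostname characters, for example `([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.){1,127}`, would keep an accepted peer within letters, digits and hyphens; where the peer value is used afterwards is not visible here, so the impact is presumably on whatever configuration or resolver consumes it. `grep` also tests its input line by line, so a value containing a newline is accepted as soon as one of its lines matches, which an explicit rejection of control characters before the match would close. In the same function `ip_is_valid ${peer}` is unquoted while the new call uses `"${peer}"`; quoting both avoids word splitting and globbing on the argument. The function's opening lines sit above the hunk, and the fqdn_is_valid hunk is cut off at the end of this page.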