From: Michael Tremer
Date: Sun, 15 Jun 2014 15:08:36 +0000 (+0200)
Subject: openvpn: Fix verifying the certificate CN with email addresses.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=730628e7e43bb119e3900786a7fc2d0400cf0c0a;p=people%2Fms%2Fipfire-2.x.git
openvpn: Fix verifying the certificate CN with email addresses.
Reported-by: Stefan Ferstl
Fixes #10552: https://bugzilla.ipfire.org/show_bug.cgi?id=10552
---
diff --git a/config/ovpn/verify b/config/ovpn/verify
index 1a1fcb501d..c4cbec3bd3 100644
--- a/config/ovpn/verify
+++ b/config/ovpn/verify
@@ -30,7 +30,7 @@ my $CN = $ARGV[1];
 exit 0 unless ($DEPTH eq "0");
 
 # Strip the CN from the X509 identifier.
-$CN =~ /(\/|,\ )CN=(.*)$/i;
+$CN =~ /(\/|,\ )CN=([^,\/ ]+)?/i;
 $CN = $2;
 
 my %confighash = ();
diff --git a/config/ovpn/verify-test b/config/ovpn/verify-test
new file mode 100644
index 0000000000..42ad2ce4bd
--- /dev/null
+++ b/config/ovpn/verify-test
@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+
+my @teststrings = (
+ ["ovpnClient", "C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient, emailAddress=ovpnClient\@example.com"],
+ ["ovpnClient", "C=XX, L=Xxxxxx, O=xxx, OU=XX, CN=ovpnClient"],
+ ["ovpnClient", "C=XX/L=Xxxxxx/O=xxx/OU=XX/CN=ovpnClient/emailAddress=ovpnClient\@example.com"],
+ ["ovpnClient", "C=XX/L=Xxxxxx/O=xxx/OU=XX/CN=ovpnClient"],
+);
+
+foreach my $string (@teststrings) {
+ my $result = @$string[0];
+ my $cn = @$string[1];
+
+ $cn =~ /(\/|,\ )CN=([^,\/ ]+)?/i;
+ $cn = $2;
+
+ if ($result eq $cn) {
+ print "GOOD: @$string\n";
+ } else {
+ print "ERROR: -->$cn<-- (@$string)\n";
+ }
+}
+
diff --git a/config/rootfiles/core/80/filelists/files b/config/rootfiles/core/80/filelists/files
index 409e5fe8ac..6c3001f42b 100644
--- a/config/rootfiles/core/80/filelists/files
+++ b/config/rootfiles/core/80/filelists/files
@@ -1,2 +1,3 @@
 etc/system-release
 etc/issue
+usr/lib/openvpn/verify
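Review bot: In config/ovpn/verify the new capture `([^,\/ ]+)?` stops at the first space and is optional, and the match result is never checked before `$CN = $2;`. A certificate whose CN contains a space is therefore cut down to its first word, and a subject with no `/CN=` or `, CN=` component (for example one that starts with `CN=`) leaves `$CN` undefined, so whatever comparison follows outside this hunk runs against a truncated or empty name. Because this value identifies the client being verified, I would stop only at the real separators and fail closed when nothing matches: `exit 1 unless ($CN =~ /(?:\/|,\ )CN=([^,\/]+)/i);` followed by `$CN = $1;`, assuming a non-zero exit rejects the connection here. The pattern is also unanchored and takes the first `CN=` it finds, so it is worth confirming that the CA never signs subjects in which an earlier field can contain that text.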
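Review bot: config/ovpn/verify-test carries its own copy of the pattern instead of exercising config/ovpn/verify, so the two can drift apart unnoticed, and it only covers subjects that are expected to match. I would add the cases the real script has to get right, such as a CN containing a space and a subject with no CN at all (constructed sample: `["John Doe", "C=XX/O=xxx/CN=John Doe"],`), and end with a non-zero exit status when any line printed `ERROR` so a failure is visible to a caller. The file also lacks `use strict; use warnings;`, and `@$string[0]` is a one-element slice where `$string->[0]` is meant.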