ipsec: Properly validate FQDNs
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 21 Aug 2017 12:19:01 +0000 (12:19 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 21 Aug 2017 12:19:01 +0000 (12:19 +0000)
Fixes #11441

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/functions/functions.ipsec
src/functions/functions.util

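index a15ff468010527db9419a096d9b721d8755e9fd0..6f14c8eaeb96283e6ee1d94c244fde5b9796d5ce 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -1086,12 +1086,18 @@ ipsec_connection_check_peer() {
        assert [ $# -eq 1 ]
        local peer=${1}
 
-       # TODO Accept also FQDNs
+       # IP addresses are accepted
        if ip_is_valid ${peer}; then
                return ${EXIT_TRUE}
-       else
-               return ${EXIT_FALSE}
        fi
+
+       # FQDNs are okay, too
+       if fqdn_is_valid "${peer}"; then
+               return ${EXIT_TRUE}
+       fi
+
+       # We cannot use anything else
+       return ${EXIT_FALSE}
 }
 
 # This function checks if a VPN IPsec connection name is valid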
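Review bot: The kept line `if ip_is_valid ${peer}; then` still passes the peer unquoted while the new `fqdn_is_valid "${peer}"` call quotes it, so an empty or whitespace-containing peer reaches ip_is_valid as zero or several words; quote it the same way, `if ip_is_valid "${peer}"; then`. ipsec_connection_check_peer() itself opens in the hunk header, before the first shown line. Accepting a hostname also means the peer is no longer a fixed address but something resolved later; since the hunk does not show how the value is consumed, a comment such as `# NOTE: a FQDN peer is only checked syntactically here, resolution is left to the IPsec daemon` would make that explicit for the caller.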
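index dff0b90789183a5242392456660708a9d4f01ab8..7377818049d5b1953cf54bb0e53bd41348373579 100644
--- a/src/functions/functions.util
+++ b/src/functions/functions.util
@@ -316,6 +316,17 @@ mac_is_valid() {
        [[ ${mac} =~ ^([0-9a-f]{2}\:){5}[0-9a-f]{2}$ ]]
 }
 
+# Converts the given string to lowercase and returns true if it is a valid FQDN
+fqdn_is_valid() {
+       local fqdn="${1}"
+
+       if grep -qP "^(?!:\/\/)(?=.{1,255}$)((.{1,63}\.){1,127}(?![0-9]*$)[a-z0-9-]+\.?)$" <<< "${fqdn,,}"; then
+               return ${EXIT_TRUE}
+       fi
+
+       return ${EXIT_FALSE}
+}
+
 uuid() {
        echo $(</proc/sys/kernel/random/uuid)
 }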
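Review bot: The pattern in fqdn_is_valid only constrains the last label; every earlier label is `.{1,63}`, so a value like `foo bar;x.example` is accepted as a FQDN, and because `grep -q` succeeds when any line of the here-string matches, a value with an embedded newline could pass on its second line if a caller can supply one. Reject the character set up front, `[[ ${fqdn} =~ [^a-zA-Z0-9.-] ]] && return ${EXIT_FALSE}`, and tighten the label group to `([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.){1,127}`; the leading `(?!:\/\/)` lookahead looks like a leftover from a URL pattern and can be dropped. The header comment is also misleading, since the function lowercases only for the comparison and returns just a status: `# Returns true if the given string is a syntactically valid FQDN (compared case-insensitively)`. mac_is_valid directly above uses bash's own `[[ =~ ]]`, so a one-line comment that grep -P is needed for the lookaheads would explain the different style.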