From patchwork Fri Jul 5 17:18:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7905 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4WG0cC2zWSz3wwl for ; Fri, 5 Jul 2024 17:19:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4WG0c86zPSz2rk; Fri, 5 Jul 2024 17:19:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4WG0c84RDRz33rt; Fri, 5 Jul 2024 17:19:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4WG0c66fhXz33Fl for ; Fri, 5 Jul 2024 17:19:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4WG0c56G5Bz2rk; Fri, 5 Jul 2024 17:19:01 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1720199942; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=gYJsaBHGO+c164PUs/Sr1OrbxbpXJ7/mGCaM79czWYk=; b=XpklqslgF3ZvY0+IZFEyrQ1zGc6clYq8saL6BmaMcCjg6ISrkiS762XfquKUZuNfwkCH+0 LjIOS3uvz1d9bJDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1720199942; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=gYJsaBHGO+c164PUs/Sr1OrbxbpXJ7/mGCaM79czWYk=; b=HTeroVfD4Vl01Uaviq9JP0ClfOGrMKlEJywrMKvvYZkcA2FeL7u8omwxHDW5XPQm+R5dPR U8u5q9lCWWF/2J6GRcWyxLJ/SdE2J6oycE/T16yWbu3iz1alBdlmBxGa7ohVX97Nb5y07d 9kqDetfUCw5txSgOVecUNIwgFPbiMf/nnygc1lRcDQT9x9b9Lm9mSw/SZT82EMLIgji2gl +DY3uXhO51xRcOFHuQYaQGMpf8N2G0igz93hX3EyDztnqA7gBRNIUGOv9uEaJ17BqLwYMs 38a4KvI9KoDUOi4oZadz1b9udZNkIxC8FT4vN8U1aHL2ElKHRR8k4aaDao31hw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page Date: Fri, 5 Jul 2024 19:18:54 +0200 Message-ID: <20240705171856.3471127-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: A5272AVHRSA4EPLZSSKFNQIBZOZ274J7 X-Message-ID-Hash: A5272AVHRSA4EPLZSSKFNQIBZOZ274J7 X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - This adds the base64 encoded PSK into the config file and when the ipsec.secrets file is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file surrounds the PSK with single quotation marks so that character is not allowed to be used in the PSK but anything else can be. - Tested out on my vm system and shown to be working. New PSK with various characters characters including commas was base64 encoded before putting into the config file and therefore was accepted by the code. If a single quotation mark was used in the PSK then the error message about invalid characters was shown. Fixes: Bug13029 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) mode change 100644 => 100755 html/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi old mode 100644 new mode 100755 index 25e0f0a53..bde5e11bc --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -481,7 +481,8 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; @@ -2260,7 +2261,7 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); } else { $confighash{$key}[4] = 'cert'; }