From patchwork Fri Jul 5 17:18:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7907 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4WG0cG6SKRz3wwl for ; Fri, 5 Jul 2024 17:19:10 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4WG0cB0jsxz5pw; Fri, 5 Jul 2024 17:19:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4WG0cB0Fy5z33rm; Fri, 5 Jul 2024 17:19:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4WG0c72mqFz33rn for ; Fri, 5 Jul 2024 17:19:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4WG0c71GnBz1Tl; Fri, 5 Jul 2024 17:19:03 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1720199943; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4xIstlipt10S2o9wQALkF0oxzqlw6HySNFMKJ95PX8E=; b=BqwgA6bRBr+FueTdtzNoyhdDelBArP6dbR8Szzdbuz4iU0dDNp/rv6b2nd20jbP5MfzG0Z JNgZJr5/c2CDOmBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1720199943; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4xIstlipt10S2o9wQALkF0oxzqlw6HySNFMKJ95PX8E=; b=KsZri9g3xtZwELCqzH2+Ew+hblqgZuH4bONlBGiqWnUlcOjezCtYQVHEeczH8OJwJwj3i3 9BQgpOUQXKAqDMZyx1o+VGykGE7UUKKMZsz0rEN43UmGUbL4rfxslJqi92IRLyV3jIs2xS sT1nszFnU7Am0t5Z20hMF2XIgiPQ8KS27lxmXYltfiLy92/ornLi+veeRgn1//zZkRFFSB 898u4gwAZUdU+pjgwwXYYKqZzEQV/86UPcldUTyFlBakuEKMfflAcEjR+uDKvFitXbejpY 2beNztx717xm2eLBhSU35y2MNq7QtBQSS2SCtg42qf3NavNMP6MY3sc7gD0CWQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's Date: Fri, 5 Jul 2024 19:18:56 +0200 Message-ID: <20240705171856.3471127-3-adolf.belka@ipfire.org> In-Reply-To: <20240705171856.3471127-1-adolf.belka@ipfire.org> References: <20240705171856.3471127-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: D343IBQOHRHIOJ7LTJTGTSOV56U7B42Z X-Message-ID-Hash: D343IBQOHRHIOJ7LTJTGTSOV56U7B42Z X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - An additional key was defined for a PSK being base64 encoded. All existing PSK's that are not base64 encoded will have that key empty. This enables base64 encoded PSK's and non base64 encoded PSK'sd to be differentiated. - If the PSK connection is disabled and then enabled with a non base64 encoded PSK the PSK will be left as it is. If the edit page is selected and Save pressed, even if nothing has been modified, then the PSK will be converted to a base64 encoded PSK. - The old style and new style PSK was tested out on my vm system and worked without any issue. - Using an old non base64 encoded PSK the IPSec connection worked without any problems. If the PSK was tehn converted to basse64 encoding by saving from the Edit page without changing anything, then the client IPSec connection was successfully made without any indication of a change. The conversion from non base64 to base64 encoded PSK occurred seamlessly without any hiccup. Fixes: Bug13029 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bde5e11bc..c6eb6d7b7 100755 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -94,6 +94,7 @@ $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; $cgiparams{'REMARK'} = ''; $cgiparams{'PSK'} = ''; +$cgiparams{'BASE_64'} = ''; $cgiparams{'CERT_NAME'} = ''; $cgiparams{'CERT_EMAIL'} = ''; $cgiparams{'CERT_OU'} = ''; @@ -481,8 +482,12 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); - $psk_line .= " : PSK '$decoded_psk'\n"; + if ($lconfighash{$key}[40] eq 'YES') { + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; + } else { + $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + } # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; @@ -1703,6 +1708,7 @@ END $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1884,6 +1890,7 @@ END } if ($cgiparams{'AUTH'} eq 'psk') { + $cgiparams{'BASE_64'} = 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; @@ -2261,7 +2268,13 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + if ($cgiparams{'BASE_64'} eq 'YES') { + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + $confighash{$key}[40] = 'YES'; + } else { + $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[40] = ''; + } } else { $confighash{$key}[4] = 'cert'; }