diff mbox series

vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug

Message ID	20250427185851.25437-1-adolf.belka@ipfire.org
State	New
Headers	From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Cc: Adolf Belka <adolf.belka@ipfire.org> Subject: [PATCH] vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug Date: Sun, 27 Apr 2025 20:58:51 +0200 Message-ID: <20250427185851.25437-1-adolf.belka@ipfire.org> Precedence: list Sender: <development@lists.ipfire.org> Mail-Followup-To: <development@lists.ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug \| vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug

Commit Message

Adolf Belka April 27, 2025, 6:58 p.m. UTC

  - This patch corrects the encoding section which was incorrectly set up to have the
   encoding set up when the BASE_64 parameter was set to YES. This meant that the
   encoded PSK was then encoded a further time and the ipsec.secrets file PSK entry
   was set as the decoded version of that twice encoded PSK. This could then happen again
   and again with the PSK being encoded twice or more times.
- This patch only base64 encodes the PSK if the BASE_64 paramter is not set to YES, which
   means set to empty.
- This patch set has been tested with PSK's from restored backaups from when the PSK was
   not base64 encoded. It has also been tested on non base64 encoded PSK's that have
   then had the Save button on the PSK edit screen pressed and also on PSK's that have
   already been base64 encoded. In all cases the correct base64 encoding was carried
   out and multiple Saves of the PSK Edit screen no longer give further base64 encodings
   of the already base64 encoded PSK.
- The problem with the original patch for this issue was that the emcoding was not done
   for the correct BASE_64 status.

Fixes: Bug13833
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff mbox series

Patch

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1c9f9243b..778ec25c4 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1879,7 +1879,7 @@  END
 		}
 
 		if ($cgiparams{'AUTH'} eq 'psk') {
-			$cgiparams{'BASE_64'} = 'YES';
+			$cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40];
 			if (! length($cgiparams{'PSK'}) ) {
 				$errormessage = $Lang::tr{'pre-shared key is too short'};
 				goto VPNCONF_ERROR;
@@ -2248,7 +2248,7 @@  END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -2259,11 +2259,10 @@  END
 	if ($cgiparams{'AUTH'} eq 'psk') {
 		$confighash{$key}[4] = 'psk';
 		if ($cgiparams{'BASE_64'} eq 'YES') {
+			$confighash{$key}[5] = $cgiparams{'PSK'};
+		} else {
 			$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
 			$confighash{$key}[40] = 'YES';
-		} else {
-			$confighash{$key}[5] = $cgiparams{'PSK'};
-			$confighash{$key}[40] = '';
 		}
 	} else {
 		$confighash{$key}[4] = 'cert';