From patchwork Sun Apr 27 18:58:51 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8645
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug
Date: Sun, 27 Apr 2025 20:58:51 +0200
Message-ID: <20250427185851.25437-1-adolf.belka@ipfire.org>

- This patch corrects the encoding section which was incorrectly set up to have the encoding set up when the BASE_64 parameter was set to YES. This meant that the encoded PSK was then encoded a further time and the ipsec.secrets file PSK entry was set as the decoded version of that twice encoded PSK. This could then happen again and again with the PSK being encoded twice or more times.
- This patch only base64 encodes the PSK if the BASE_64 parameter is not set to YES, which means set to empty.
- This patch set has been tested with PSKs from restored backups from when the PSK was not base64 encoded. It has also been tested on non base64 encoded PSKs that have then had the Save button on the PSK edit screen pressed and also on PSKs that have already been base64 encoded. In all cases the correct base64 encoding was carried out and multiple Saves of the PSK Edit screen no longer give further base64 encodings of the already base64 encoded PSK.
- The problem with the original patch for this issue was that the encoding was not done for the correct BASE_64 status.

Fixes: Bug13833
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1c9f9243b..778ec25c4 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1879,7 +1879,7 @@ END } if ($cgiparams{'AUTH'} eq 'psk') { - $cgiparams{'BASE_64'} = 'YES'; + $cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40]; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; @@ -2248,7 +2248,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2259,11 +2259,10 @@ END if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; if ($cgiparams{'BASE_64'} eq 'YES') { + $confighash{$key}[5] = $cgiparams{'PSK'}; + } else { $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); $confighash{$key}[40] = 'YES'; - } else { - $confighash{$key}[5] = $cgiparams{'PSK'}; - $confighash{$key}[40] = ''; } } else { $confighash{$key}[4] = 'cert';
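Review bot: in the first hunk (@@ -1879), `$cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40];` also runs for a brand-new connection, where KEY is empty (the `if (! $key)` path in the second hunk), and the nested rvalue dereference autovivifies `$confighash{''}` as an empty array ref, so %confighash can carry a spurious empty-key entry by the time `findhasharraykey` is called. Guard the lookup, e.g. `$cgiparams{'BASE_64'} = $cgiparams{'KEY'} ? $confighash{$cgiparams{'KEY'}}[40] : '';`. A second consequence deserves a line in the commit message: because the flag now comes from the stored connection rather than from the submitted form, a fresh plaintext PSK entered for a connection whose index 40 is already 'YES' is saved verbatim by the third hunk while the marker still says YES, so that case needs to be either excluded or handled by the form.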
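Review bot: the loop widening in the second hunk (@@ -2248), `foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";}`, only blanks index 40 for keys created in this request; connections written by a vpnmain.cgi that stopped at index 39 still hold undef there, so the first hunk's `$confighash{$cgiparams{'KEY'}}[40]` yields undef and the `if ($cgiparams{'BASE_64'} eq 'YES')` test in the third hunk raises an uninitialized-value warning if warnings are enabled, before correctly taking the encode path. Defaulting the assignment with `|| ''` keeps the log clean, and a comment saying that index 40 is the base64 marker would help, since 40 is otherwise a magic number in three places of this patch.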
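Review bot: in the third hunk (@@ -2259) the `if ($cgiparams{'BASE_64'} eq 'YES')` branch now stores the PSK verbatim and no longer touches index 40, so it silently depends on index 40 already being 'YES' for that key, which holds only because the first hunk copied it out of %confighash. A one-line comment on each branch, e.g. `# PSK already base64-encoded: store as-is, marker unchanged` and `# plaintext PSK: encode once and set the marker`, would make the inverted-looking condition and the dropped `$confighash{$key}[40] = '';` obviously intentional to the next reader.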