From patchwork Fri Jul 5 17:18:54 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7905
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page
Date: Fri, 5 Jul 2024 19:18:54 +0200
Message-ID: <20240705171856.3471127-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- This adds the base64 encoded PSK into the config file and when the ipsec.secrets file is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file surrounds the PSK with single quotation marks so that character is not allowed to be used in the PSK but anything else can be.
- Tested out on my vm system and shown to be working. New PSK with various characters including commas was base64 encoded before putting into the config file and therefore was accepted by the code. If a single quotation mark was used in the PSK then the error message about invalid characters was shown.

Fixes: Bug13029
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 html/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100644
new mode 100755
index 25e0f0a53..bde5e11bc
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -481,7 +481,8 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; 
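Review bot: the unconditional MIME::Base64::decode_base64 on the changed line in writeipsecfiles assumes every stored $lconfighash{$key}[5] is base64, but connections saved before this change still hold the raw PSK in that field. decode_base64 silently ignores any character outside the base64 alphabet, so for those existing connections a mangled secret would be written to ipsec.secrets the next time the file is regenerated, with no error pointing at the cause. A marker that distinguishes encoded entries from legacy ones (or a one-time migration of existing entries) belongs in this same commit rather than in a follow-up, so that no intermediate revision breaks working PSK tunnels. Separately, the diff header carries a mode change 100644 => 100755 on vpnmain.cgi that the commit message does not mention; if the execute bit is intended it deserves a sentence, otherwise it should be dropped from the patch.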
@@ -2260,7 +2261,7 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); } else { $confighash{$key}[4] = 'cert'; }
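Review bot: encode_base64($cgiparams{'PSK'}, "") with the empty end-of-line argument is the right call here, since the default appends a newline that would break the line-oriented config file; two things to confirm around this hunk. First, the check that rejects a single quotation mark has to run on the raw $cgiparams{'PSK'} before this line, because base64 output never contains a quote, so a check on the stored field can no longer see one. Second, the series adds no 'use MIME::Base64;' to vpnmain.cgi, so the fully qualified calls only work if the module is already loaded by this script or something it requires; please verify that rather than rely on it being pulled in transitively. It is also worth one sentence in the commit message that base64 is a transport encoding for the comma-separated config format, not a protection of the secret: the permissions on the config file and on ipsec.secrets remain the only thing keeping the PSK private.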
From patchwork Fri Jul 5 17:18:55 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7906
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/3] en.pl: Update to explicitly mention single quotation mark being invalid
Date: Fri, 5 Jul 2024 19:18:55 +0200
Message-ID: <20240705171856.3471127-2-adolf.belka@ipfire.org>
In-Reply-To: <20240705171856.3471127-1-adolf.belka@ipfire.org>
References: <20240705171856.3471127-1-adolf.belka@ipfire.org>

- As all characters, except for the single quotation mark, are now allowed in the PSK with the base64 encoding implemented, the error message in the English Lang file has been changed to explicitly mention the single quotation mark rather than characters as a generic message.

Fixes: Bug13029
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 doc/language_issues.de | 2 +-
 doc/language_issues.en | 6 ++++--
 doc/language_issues.es | 2 +-
 doc/language_issues.fr | 2 +-
 doc/language_issues.it | 4 ++--
 doc/language_issues.nl | 4 +++-
 doc/language_issues.pl | 4 +++-
 doc/language_issues.ru | 4 +++-
 doc/language_issues.tr | 4 ++--
 doc/language_missings | 8 ++++++++
 langs/en/cgi-bin/en.pl | 2 +-
 11 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 79b21fe24..757b566e6 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -517,7 +517,6 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings -WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -942,6 +941,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional WARNING: untranslated string: pakfire invalid tree = Invalid repository selected +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.en b/doc/language_issues.en index 2541ccf88..a20121638 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -680,7 +680,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked" WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall WARNING: untranslated string: drop forward = Log dropped forward packets -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop input = Log dropped input packets WARNING: untranslated string: drop newnotsyn = Log dropped new not SYN packets WARNING: untranslated string: drop outgoing = Log dropped outgoing packets @@ -1116,7 +1116,7 @@ WARNING: untranslated string: intrusion detection = Intrusion Prevention WARNING: untranslated string: intrusion detection system = Intrusion Prevention System WARNING: untranslated string: intrusion detection system rules = Ruleset WARNING: untranslated string: invalid broadcast ip = Invalid broadcast IP -WARNING: untranslated string: invalid characters found in pre-shared key = Invalid characters found in pre-shared key. +WARNING: untranslated string: invalid characters found in pre-shared key = Invalid single quotation mark found in pre-shared key. WARNING: untranslated string: invalid default lease time = Invalid default lease time. WARNING: untranslated string: invalid domain name = Invalid domain name. WARNING: untranslated string: invalid end address = Invalid end address. 
@@ -1382,6 +1382,7 @@ WARNING: untranslated string: network time from = Obtain time from a network tim WARNING: untranslated string: network traffic graphs external = Net-Traffic graphs (external) WARNING: untranslated string: network traffic graphs internal = Net-Traffic graphs (internal) WARNING: untranslated string: network traffic graphs others = Network (others) +WARNING: untranslated string: never = Never WARNING: untranslated string: new optionsfw later = Some options need a reboot to take effect WARNING: untranslated string: newer = Newer WARNING: untranslated string: next = next @@ -1584,6 +1585,7 @@ WARNING: untranslated string: red1 = RED WARNING: untranslated string: references = References WARNING: untranslated string: refresh = Refresh WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.es b/doc/language_issues.es index 4949d9335..b124927aa 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -566,7 +566,6 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings -WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload 
@@ -1003,6 +1002,7 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fb29de25c..9a290fb58 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -545,7 +545,6 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings -WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -947,6 +946,7 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hostile networks total = Total Hostile Networks WARNING: untranslated string: ids provider eol = (EOL) WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: system time = System Time (as of last page load) diff --git a/doc/language_issues.it b/doc/language_issues.it index 680cc5f4e..b85041c74 100644 --- a/doc/language_issues.it 
+++ b/doc/language_issues.it @@ -504,7 +504,6 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings -WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -972,7 +971,7 @@ WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling WARNING: untranslated string: download apple profile = Download Apple Configuration Profile -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians WARNING: untranslated string: duration = Duration WARNING: untranslated string: eight hours = 8 Hours @@ -1221,6 +1220,7 @@ WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. 
diff --git a/doc/language_issues.nl b/doc/language_issues.nl index de9dc112a..adf28c036 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -976,7 +976,7 @@ WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop outgoing = Log dropped outgoing packets WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians WARNING: untranslated string: duration = Duration @@ -1201,6 +1201,7 @@ WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon +WARNING: untranslated string: never = Never WARNING: untranslated string: no data = unknown string WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: none = none 
@@ -1243,6 +1244,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.pl b/doc/language_issues.pl index d52c29f6b..d15f00f91 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -963,7 +963,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked" WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall WARNING: untranslated string: drop forward = Log dropped forward packets -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop outgoing = Log dropped outgoing packets WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians WARNING: untranslated string: duration = Duration 
@@ -1355,6 +1355,7 @@ WARNING: untranslated string: most preferred = most preferred WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon +WARNING: untranslated string: never = Never WARNING: untranslated string: no data = unknown string WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: none = none @@ -1424,6 +1425,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 3436c4a6e..d052eefac 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -960,7 +960,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked" WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall WARNING: untranslated string: drop forward = Log dropped forward packets -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop outgoing = Log dropped outgoing packets WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians WARNING: untranslated string: duration = Duration @@ -1353,6 +1353,7 @@ WARNING: untranslated string: most preferred = most preferred WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon +WARNING: untranslated string: never = Never WARNING: untranslated string: no data = unknown string WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: none = none 
@@ -1419,6 +1420,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.tr b/doc/language_issues.tr index ca57075b1..6e077d586 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -533,7 +533,6 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings -WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload 
@@ -952,7 +951,7 @@ WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling WARNING: untranslated string: download apple profile = Download Apple Configuration Profile -WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) +WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians WARNING: untranslated string: duration = Duration WARNING: untranslated string: email recipient invalid = Invalid email recipient @@ -1131,6 +1130,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_missings b/doc/language_missings index a214b8f9a..4c657f099 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -81,6 +81,7 @@ < quick control < random number generator daemon < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < required 
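Review bot: the doc/language_issues.* and doc/language_missings hunks in this patch mix the one line the patch is about (the 'invalid characters found in pre-shared key' entry in language_issues.en at @@ -1116) with unrelated churn from regenerating those files: new 'reg_file_data_sampling' and 'never' entries across the de, es, fr, it, nl, pl, ru and tr files, and 'drop hostile' lines whose removed and added text are identical as rendered here, i.e. a whitespace-only change. Either regenerate these files in a separate commit or say in the commit message that the regeneration picks up pending unrelated strings, so the review of the PSK message change is not diluted by lines that have nothing to do with it.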
@@ -134,6 +135,7 @@ < openvpn cert expires soon < openvpn cert has expired < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable @@ -156,6 +158,7 @@ < hostile networks total < ids provider eol < ids unsupported provider +< reg_file_data_sampling < system time < timeformat < upload fcdsl.o @@ -548,6 +551,7 @@ < rebooting ipfire fsck < received < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < release @@ -1098,6 +1102,7 @@ < rebooting ipfire fsck < received < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < required @@ -1988,6 +1993,7 @@ < received < red1 < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < release @@ -2989,6 +2995,7 @@ < received < red1 < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < release @@ -3470,6 +3477,7 @@ < rebooting ipfire fsck < received < regenerate host certificate +< reg_file_data_sampling < reiserfs warning1 < reiserfs warning2 < release diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a9fb3a6f7..40753cf62 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1515,7 +1515,7 @@ 'intrusion prevention system' => 'Intrusion Prevention System', 'invalid broadcast ip' => 'Invalid broadcast IP', 'invalid cache size' => 'Invalid cache size.', -'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.', +'invalid characters found in pre-shared key' => 'Invalid single quotation mark found in pre-shared key.', 'invalid date entered' => 'Invalid date entered.', 'invalid default lease time' => 'Invalid default lease time.', 'invalid domain name' => 'Invalid domain name.',
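Review bot: the new wording 'Invalid single quotation mark found in pre-shared key.' is only accurate if the check in vpnmain.cgi that emits this string now rejects nothing but the single quote; that check is not among the hunks of this series, so please confirm it was narrowed to match, otherwise a PSK rejected for another reason will show a misleading message. Keeping the key name 'invalid characters found in pre-shared key' is fine for compatibility with the other language files, but a wording such as 'The pre-shared key must not contain a single quotation mark.' tells the user what to change rather than reporting a symptom.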
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's
Date: Fri, 5 Jul 2024 19:18:56 +0200
Message-ID: <20240705171856.3471127-3-adolf.belka@ipfire.org>
In-Reply-To: <20240705171856.3471127-1-adolf.belka@ipfire.org>
References: <20240705171856.3471127-1-adolf.belka@ipfire.org>

- An additional key was defined for a PSK being base64 encoded. All existing PSKs that are not base64 encoded will have that key empty. This enables base64 encoded PSKs and non base64 encoded PSKs to be differentiated.
- If the PSK connection is disabled and then enabled with a non base64 encoded PSK, the PSK will be left as it is. If the edit page is selected and Save pressed, even if nothing has been modified, then the PSK will be converted to a base64 encoded PSK.
- The old style and new style PSK were tested out on my vm system and worked without any issue.
- Using an old non base64 encoded PSK, the IPSec connection worked without any problems. If the PSK was then converted to base64 encoding by saving from the Edit page without changing anything, then the client IPSec connection was successfully made without any indication of a change. The conversion from non base64 to base64 encoded PSK occurred seamlessly without any hiccup.

Fixes: Bug13029
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bde5e11bc..c6eb6d7b7 100755 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -94,6 +94,7 @@ $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; $cgiparams{'REMARK'} = ''; $cgiparams{'PSK'} = ''; +$cgiparams{'BASE_64'} = ''; $cgiparams{'CERT_NAME'} = ''; $cgiparams{'CERT_EMAIL'} = ''; $cgiparams{'CERT_OU'} = ''; @@ -481,8 +482,12 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); - $psk_line .= " : PSK '$decoded_psk'\n"; + if ($lconfighash{$key}[40] eq 'YES') { + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; + } else { + $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + } # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; @@ -1703,6 +1708,7 @@ END $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1884,6 +1890,7 @@ END } if ($cgiparams{'AUTH'} eq 'psk') { + $cgiparams{'BASE_64'} = 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; 
@@ -2261,7 +2268,13 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + if ($cgiparams{'BASE_64'} eq 'YES') { + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + $confighash{$key}[40] = 'YES'; + } else { + $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[40] = ''; + } } else { $confighash{$key}[4] = 'cert'; }
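Review bot: in the writeipsecfiles hunk (@@ -481,8 +482,12 @@), `$lconfighash{$key}[40] eq 'YES'` is evaluated against an undefined element for every entry whose config line has no 41st field, which is exactly the legacy case the commit message describes ("existing PSK's ... will have that key empty"), so with `use warnings` every run of writeipsecfiles will emit a "Use of uninitialized value" warning per legacy PSK connection. Suggest `if (($lconfighash{$key}[40] // '') eq 'YES') {` or an explicit `defined` test. Separately, the new else branch interpolates the stored PSK verbatim between single quotes in the secrets line (`$psk_line .= " : PSK '$lconfighash{$key}[5]'\n";`), so correctness of the generated file relies on the input validation having rejected single quotes (the message text changed in 2/3 suggests that is the intent); a one-line comment above the else stating that dependency would help the next reader.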
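Review bot: in the validation hunk (@@ -1884,6 +1890,7 @@), `$cgiparams{'BASE_64'} = 'YES';` is assigned unconditionally at the top of the psk block, so any submission that reaches this point re-encodes the PSK, including an unchanged legacy PSK re-saved from the edit page, which is the behaviour the commit message wants; please add a comment saying so, because read on its own the line looks like it accidentally overrides the value loaded from `$confighash{$cgiparams{'KEY'}}[40]` in the preceding hunk. One thing to confirm that is outside this diff: the edit-page population of `$cgiparams{'PSK'}` from `$confighash{$cgiparams{'KEY'}}[5]` has to take the raw value when `[40]` is not 'YES'; if that path base64-decodes unconditionally, a legacy PSK re-saved without changes would be decoded into garbage first and then that garbage encoded and stored.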
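Review bot: in the save hunk (@@ -2261,7 +2268,13 @@), the else branch that stores the PSK unencoded with `$confighash{$key}[40] = '';` is reached only when `$cgiparams{'BASE_64'}` is not 'YES', yet the validation hunk sets it to 'YES' for every psk submission, so it is not obvious from this diff which code path reaches the else branch; if none does it is dead code, and if one does (a path that writes the config without passing through validation) a comment naming that path will stop a later cleanup from "simplifying" it away and silently re-encoding legacy PSKs. Also, the cert branch (`$confighash{$key}[4] = 'cert';`) does not touch `[40]`, so a connection switched from psk to cert keeps a stale 'YES'; harmless today because `[5]` is unused for cert, but clearing it there with `$confighash{$key}[40] = '';` keeps the field meaningful.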