From patchwork Mon Apr 28 09:45:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8646 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ZmJVL5Pmnz3x1X for ; Mon, 28 Apr 2025 09:46:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZmJVL34LYz34S for ; Mon, 28 Apr 2025 09:46:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZmJVL2N7Mz30XH for ; Mon, 28 Apr 2025 09:46:02 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZmJVH2dBzz2ykN for ; Mon, 28 Apr 2025 09:45:59 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZmJVG2Ltsz29K; Mon, 28 Apr 2025 09:45:58 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4ZmJVG19FQzTgRJ; Mon, 28 Apr 2025 09:45:58 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Cc: Michael Tremer Subject: [PATCH] vpnmain.cgi: Fix editing connections that are using a PSK Date: Mon, 28 Apr 2025 09:45:51 +0000 Message-Id: <20250428094551.704156-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.5 Reply-To: 20250427185851.25437-1-adolf.belka@ipfire.org Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 This patch takes care of properly decoding the PSK if it was already stored base64-encoded. If the connection is edited, it always will be stored base64-encoded upon save. It would have been nice to not send the PSK back to the browser again (although the security benefits would have been marginal), but that would make the code even messier than it is. Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 1c9f9243b..4f81fecdf 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -468,7 +468,7 @@ sub writeipsecfiles { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? if ($lconfighash{$key}[40] eq 'YES') { - my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + my $decoded_psk = &MIME::Base64::decode_base64($lconfighash{$key}[5]); $psk_line .= " : PSK '$decoded_psk'\n"; } else { $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; @@ -1662,6 +1662,10 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + # Decode the PSK if it is base64-encoded + if ($cgiparams{'PSK'} && $confighash{$cgiparams{'KEY'}}[40] eq 'YES') { + $cgiparams{'PSK'} = &MIME::Base64::decode_base64($cgiparams{'PSK'}); + } $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); @@ -1879,7 +1883,6 @@ END } if ($cgiparams{'AUTH'} eq 'psk') { - $cgiparams{'BASE_64'} = 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; @@ -2248,7 +2251,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2258,13 +2261,10 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - if ($cgiparams{'BASE_64'} eq 'YES') { - $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); - $confighash{$key}[40] = 'YES'; - } else { - $confighash{$key}[5] = $cgiparams{'PSK'}; - $confighash{$key}[40] = ''; - } + + # Always store the PSK base64-encoded, even if it wasn't base64 before + $confighash{$key}[5] = &MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + $confighash{$key}[40] = 'YES'; } else { $confighash{$key}[4] = 'cert'; }