From patchwork Tue Jun 18 00:08:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2303
To: Michael Tremer
From: Peter Müller
Subject: [PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers
Organization: IPFire.org
Date: Mon, 17 Jun 2019 14:08:00 +0000
Cc: "IPFire: Development-List"

The changes introduced due to #12091 caused IPsec ESP to be invalid if PFS ciphers were selected. Code has to read "!$pfs" instead of just "$pfs", as it should trigger for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller
Cc: Michael Tremer
--- html/cgi-bin/vpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index fbc274919..750b69b1d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) { push(@algo, $int); } - if ($pfs || $grp eq "none") { + if (!$pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1");
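Review bot: the `# noop` branch under the changed condition `if (!$pfs || $grp eq "none")` says nothing about intent, and a one-character inversion in this test is exactly what this patch has to repair. Replace the comment with one stating that no group is appended to the ESP proposal when PFS is disabled or the group is "none", or restructure the test as a positive guard such as `if ($pfs && $grp ne "none")` around the group handling so the empty branch disappears. Also confirm that every caller of make_algos passes $pfs as a real boolean: in Perl any non-empty string other than "0" is true, so a value such as "off" would make `!$pfs` false and the `push(@algo, "ecp$1")` path would still be taken.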