public inbox for development@lists.ipfire.org
* [PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page
@ 2024-07-05 17:18 Adolf Belka
  2024-07-05 17:18 ` [PATCH 2/3] en.pl: Update to explicitly mention single quotation mark being invalid Adolf Belka
  2024-07-05 17:18 ` [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's Adolf Belka
  0 siblings, 2 replies; 3+ messages in thread
From: Adolf Belka @ 2024-07-05 17:18 UTC (permalink / raw)
  To: development


- This adds the base64 encoded PSK into the config file and when the ipsec.secrets file
   is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file
   surrounds the PSK with single quotation marks so that character is not allowed to be
   used in the PSK but anything else can be.
- Tested out on my vm system and shown to be working. New PSK with various characters
   including commas was base64 encoded before putting into the config file
   and therefore was accepted by the code. If a single quotation mark was used in the
   PSK then the error message about invalid characters was shown.

Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 html/cgi-bin/vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100644
new mode 100755
index 25e0f0a53..bde5e11bc
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -481,7 +481,8 @@ sub writeipsecfiles {
 		if ($lconfighash{$key}[4] eq 'psk') {
 			$psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
 			$psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
-			$psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
+			my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]);
+			$psk_line .= " : PSK '$decoded_psk'\n";
 			# if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
 			if ($psk_line =~ /%any/) {
 				$last_secrets .= $psk_line;
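
Review bot: the new decode_base64 call runs on field [5] of every PSK connection, including entries saved before this change, where that field still holds the raw key. MIME::Base64::decode_base64 does not fail on such input; it skips characters outside the base64 alphabet and returns whatever bytes result, so an existing tunnel would get a different secret written to ipsec.secrets without any error. This needs a marker for the stored format, or a one-time conversion of existing entries, in the same patch. Separately, the decoded value goes between the single quotes unchecked; now that the stored form can carry any byte, rejecting a decoded PSK that contains ' or a line break at this point would keep a hand-edited or corrupted config entry from producing a malformed secrets line.
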
@@ -2260,7 +2261,7 @@ END
 	$confighash{$key}[3] = $cgiparams{'TYPE'};
 	if ($cgiparams{'AUTH'} eq 'psk') {
 		$confighash{$key}[4] = 'psk';
-		$confighash{$key}[5] = $cgiparams{'PSK'};
+		$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
 	} else {
 		$confighash{$key}[4] = 'cert';
 	}
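
Review bot: encode_base64 is called here by its fully qualified name, and with only 3 insertions in the diffstat the patch adds no `use MIME::Base64;`, so please confirm that vpnmain.cgi already loads the module; otherwise the save fails at runtime with an undefined subroutine error. The header of this patch also changes the file mode from 100644 to 100755, which the commit message does not mention; if that is unintended, drop it. It is also worth stating in the commit message that the encoding only exists to get arbitrary characters through the config file and gives the stored PSK no protection.
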
-- 
2.45.2



* [PATCH 2/3] en.pl: Update to explicitly mention single quotation mark being invalid
  2024-07-05 17:18 [PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page Adolf Belka
@ 2024-07-05 17:18 ` Adolf Belka
  2024-07-05 17:18 ` [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's Adolf Belka
  1 sibling, 0 replies; 3+ messages in thread
From: Adolf Belka @ 2024-07-05 17:18 UTC (permalink / raw)
  To: development


- As all characters, except for the single quotation mark, are now allowed in the PSK
   with the base64 encoding implemented then the error message in the English Lang file
   has been changed to explicitly mention the single quotation mark rather than characters
   as a generic message.

Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 doc/language_issues.de | 2 +-
 doc/language_issues.en | 6 ++++--
 doc/language_issues.es | 2 +-
 doc/language_issues.fr | 2 +-
 doc/language_issues.it | 4 ++--
 doc/language_issues.nl | 4 +++-
 doc/language_issues.pl | 4 +++-
 doc/language_issues.ru | 4 +++-
 doc/language_issues.tr | 4 ++--
 doc/language_missings  | 8 ++++++++
 langs/en/cgi-bin/en.pl | 2 +-
 11 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 79b21fe24..757b566e6 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -517,7 +517,6 @@ WARNING: translation string unused: network time
 WARNING: translation string unused: network traffic graphs
 WARNING: translation string unused: network updated
 WARNING: translation string unused: networks settings
-WARNING: translation string unused: never
 WARNING: translation string unused: new optionsfw must boot
 WARNING: translation string unused: no alcatelusb firmware
 WARNING: translation string unused: no cfg upload
@@ -942,6 +941,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
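
Review bot: the two hunks for language_issues.de drop `never` from the unused list and add `reg_file_data_sampling`, neither of which relates to the pre-shared key message this patch is about, and the same pair recurs in the other language_issues.* files and in language_missings. These look like regenerated output picking up earlier changes; submitting the regenerated files as their own commit would leave this patch at the one-line en.pl change.
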
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 2541ccf88..a20121638 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -680,7 +680,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew
 WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked"
 WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall
 WARNING: untranslated string: drop forward = Log dropped forward packets
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop input = Log dropped input packets
 WARNING: untranslated string: drop newnotsyn = Log dropped new not SYN packets
 WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
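
Review bot: the `drop hostile` line in this hunk changes the Spamhaus URL, which the commit message does not cover and which is unrelated to the PSK text; the same replacement appears in the it, nl, pl, ru and tr files. It belongs with the commit that changed that string.
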
@@ -1116,7 +1116,7 @@ WARNING: untranslated string: intrusion detection = Intrusion Prevention
 WARNING: untranslated string: intrusion detection system = Intrusion Prevention System
 WARNING: untranslated string: intrusion detection system rules = Ruleset
 WARNING: untranslated string: invalid broadcast ip = Invalid broadcast IP
-WARNING: untranslated string: invalid characters found in pre-shared key = Invalid characters found in pre-shared key.
+WARNING: untranslated string: invalid characters found in pre-shared key = Invalid single quotation mark found in pre-shared key.
 WARNING: untranslated string: invalid default lease time = Invalid default lease time.
 WARNING: untranslated string: invalid domain name = Invalid domain name.
 WARNING: untranslated string: invalid end address = Invalid end address.
@@ -1382,6 +1382,7 @@ WARNING: untranslated string: network time from = Obtain time from a network tim
 WARNING: untranslated string: network traffic graphs external = Net-Traffic graphs (external)
 WARNING: untranslated string: network traffic graphs internal = Net-Traffic graphs (internal)
 WARNING: untranslated string: network traffic graphs others = Network (others)
+WARNING: untranslated string: never = Never
 WARNING: untranslated string: new optionsfw later = Some options need a reboot to take effect
 WARNING: untranslated string: newer = Newer
 WARNING: untranslated string: next = next
@@ -1584,6 +1585,7 @@ WARNING: untranslated string: red1 = RED
 WARNING: untranslated string: references = References
 WARNING: untranslated string: refresh = Refresh
 WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 4949d9335..b124927aa 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -566,7 +566,6 @@ WARNING: translation string unused: network time
 WARNING: translation string unused: network traffic graphs
 WARNING: translation string unused: network updated
 WARNING: translation string unused: networks settings
-WARNING: translation string unused: never
 WARNING: translation string unused: new optionsfw must boot
 WARNING: translation string unused: no alcatelusb firmware
 WARNING: translation string unused: no cfg upload
@@ -1003,6 +1002,7 @@ WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index fb29de25c..9a290fb58 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -545,7 +545,6 @@ WARNING: translation string unused: network time
 WARNING: translation string unused: network traffic graphs
 WARNING: translation string unused: network updated
 WARNING: translation string unused: networks settings
-WARNING: translation string unused: never
 WARNING: translation string unused: new optionsfw must boot
 WARNING: translation string unused: no alcatelusb firmware
 WARNING: translation string unused: no cfg upload
@@ -947,6 +946,7 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids provider eol = (EOL)
 WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: system time = System Time (as of last page load)
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 680cc5f4e..b85041c74 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -504,7 +504,6 @@ WARNING: translation string unused: network time
 WARNING: translation string unused: network traffic graphs
 WARNING: translation string unused: network updated
 WARNING: translation string unused: networks settings
-WARNING: translation string unused: never
 WARNING: translation string unused: new optionsfw must boot
 WARNING: translation string unused: no alcatelusb firmware
 WARNING: translation string unused: no cfg upload
@@ -972,7 +971,7 @@ WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling
 WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians
 WARNING: untranslated string: duration = Duration
 WARNING: untranslated string: eight hours = 8 Hours
@@ -1221,6 +1220,7 @@ WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index de9dc112a..adf28c036 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -976,7 +976,7 @@ WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling
 WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
 WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians
 WARNING: untranslated string: duration = Duration
@@ -1201,6 +1201,7 @@ WARNING: untranslated string: monitor interface = Monitor Interface
 WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: nameserver = Nameserver
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
+WARNING: untranslated string: never = Never
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: none = none
@@ -1243,6 +1244,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: rdns = rDNS
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index d52c29f6b..d15f00f91 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -963,7 +963,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew
 WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked"
 WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall
 WARNING: untranslated string: drop forward = Log dropped forward packets
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
 WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians
 WARNING: untranslated string: duration = Duration
@@ -1355,6 +1355,7 @@ WARNING: untranslated string: most preferred = most preferred
 WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: nameserver = Nameserver
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
+WARNING: untranslated string: never = Never
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: none = none
@@ -1424,6 +1425,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 3436c4a6e..d052eefac 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -960,7 +960,7 @@ WARNING: untranslated string: drop action = Default behaviour of (forward) firew
 WARNING: untranslated string: drop action1 = Default behaviour of (outgoing) firewall in mode "Blocked"
 WARNING: untranslated string: drop action2 = Default behaviour of (input) firewall
 WARNING: untranslated string: drop forward = Log dropped forward packets
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
 WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians
 WARNING: untranslated string: duration = Duration
@@ -1353,6 +1353,7 @@ WARNING: untranslated string: most preferred = most preferred
 WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: nameserver = Nameserver
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
+WARNING: untranslated string: never = Never
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: none = none
@@ -1419,6 +1420,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
 WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index ca57075b1..6e077d586 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -533,7 +533,6 @@ WARNING: translation string unused: network time
 WARNING: translation string unused: network traffic graphs
 WARNING: translation string unused: network updated
 WARNING: translation string unused: networks settings
-WARNING: translation string unused: never
 WARNING: translation string unused: new optionsfw must boot
 WARNING: translation string unused: no alcatelusb firmware
 WARNING: translation string unused: no cfg upload
@@ -952,7 +951,7 @@ WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling
 WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
-WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/drop/" target="_blank">Spamhaus DROP</a>, etc.)
+WARNING: untranslated string: drop hostile = Drop packets from and to hostile networks (listed at <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" target="_blank">Spamhaus DROP</a>, etc.)
 WARNING: untranslated string: drop spoofed martians = Log dropped spoofed packets and martians
 WARNING: untranslated string: duration = Duration
 WARNING: untranslated string: email recipient invalid = Invalid email recipient
@@ -1131,6 +1130,7 @@ WARNING: untranslated string: ptr = PTR
 WARNING: untranslated string: reboot fsck = Reboot & run &lsquo;fsck&rsquo;
 WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
 WARNING: untranslated string: received = Received
+WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_missings b/doc/language_missings
index a214b8f9a..4c657f099 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -81,6 +81,7 @@
 < quick control
 < random number generator daemon
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -134,6 +135,7 @@
 < openvpn cert expires soon
 < openvpn cert has expired
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < service boot setting unavailable
@@ -156,6 +158,7 @@
 < hostile networks total
 < ids provider eol
 < ids unsupported provider
+< reg_file_data_sampling
 < system time
 < timeformat
 < upload fcdsl.o
@@ -548,6 +551,7 @@
 < rebooting ipfire fsck
 < received
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -1098,6 +1102,7 @@
 < rebooting ipfire fsck
 < received
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < required
@@ -1988,6 +1993,7 @@
 < received
 < red1
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -2989,6 +2995,7 @@
 < received
 < red1
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < release
@@ -3470,6 +3477,7 @@
 < rebooting ipfire fsck
 < received
 < regenerate host certificate
+< reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
 < release
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a9fb3a6f7..40753cf62 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1515,7 +1515,7 @@
 'intrusion prevention system' => 'Intrusion Prevention System',
 'invalid broadcast ip' => 'Invalid broadcast IP',
 'invalid cache size' => 'Invalid cache size.',
-'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.',
+'invalid characters found in pre-shared key' => 'Invalid single quotation mark found in pre-shared key.',
 'invalid date entered' => 'Invalid date entered.',
 'invalid default lease time' => 'Invalid default lease time.',
 'invalid domain name' => 'Invalid domain name.',
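
Review bot: the key stays 'invalid characters found in pre-shared key' while the text now names only the single quotation mark, and the diffstat touches no langs/ file other than en.pl, so the other languages keep the generic wording under the same key. Either note in the commit message that translations will follow, or add a new key for the specific message. The new text would also read more clearly to users as something like "The pre-shared key must not contain a single quotation mark."
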
-- 
2.45.2



* [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's
  2024-07-05 17:18 [PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page Adolf Belka
  2024-07-05 17:18 ` [PATCH 2/3] en.pl: Update to explicitly mention single quotation mark being invalid Adolf Belka
@ 2024-07-05 17:18 ` Adolf Belka
  1 sibling, 0 replies; 3+ messages in thread
From: Adolf Belka @ 2024-07-05 17:18 UTC (permalink / raw)
  To: development


- An additional key was defined for a PSK being base64 encoded. All existing PSK's that
   are not base64 encoded will have that key empty. This enables base64 encoded PSK's and
   non base64 encoded PSK's to be differentiated.
- If the PSK connection is disabled and then enabled with a non base64 encoded PSK the PSK
   will be left as it is. If the edit page is selected and Save pressed, even if nothing
   has been modified, then the PSK will be converted to a base64 encoded PSK.
- The old style and new style PSK was tested out on my vm system and worked without any
   issue.
- Using an old non base64 encoded PSK the IPSec connection worked without any problems.
   If the PSK was then converted to base64 encoding by saving from the Edit page without
   changing anything, then the client IPSec connection was successfully made without any
   indication of a change. The conversion from non base64 to base64 encoded PSK occurred
   seamlessly without any hiccup.

Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index bde5e11bc..c6eb6d7b7 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -94,6 +94,7 @@ $cgiparams{'LOCAL_ID'} = '';
 $cgiparams{'REMOTE_ID'} = '';
 $cgiparams{'REMARK'} = '';
 $cgiparams{'PSK'} = '';
+$cgiparams{'BASE_64'} = '';
 $cgiparams{'CERT_NAME'} = '';
 $cgiparams{'CERT_EMAIL'} = '';
 $cgiparams{'CERT_OU'} = '';
@@ -481,8 +482,12 @@ sub writeipsecfiles {
 		if ($lconfighash{$key}[4] eq 'psk') {
 			$psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
 			$psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
-			my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]);
-			$psk_line .= " : PSK '$decoded_psk'\n";
+			if ($lconfighash{$key}[40] eq 'YES') {
+				my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]);
+				$psk_line .= " : PSK '$decoded_psk'\n";
+			} else {
+				$psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
+			}
 			# if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
 			if ($psk_line =~ /%any/) {
 				$last_secrets .= $psk_line;
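
Review bot: `$lconfighash{$key}[40] eq 'YES'` compares an undefined value for every entry written before field 40 existed, which raises an uninitialized-value warning when warnings are enabled; `($lconfighash{$key}[40] // '') eq 'YES'` avoids that. The bare index 40 and the literal 'YES' now appear in several places in this patch, so a comment naming the field at its first use would help. Both branches still write the PSK between single quotes without checking it at this point.
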
@@ -1703,6 +1708,7 @@ END
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
 		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
+		$cgiparams{'BASE_64'}			= $confighash{$cgiparams{'KEY'}}[40];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
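
Review bot: this hunk loads field [40] into BASE_64 for the edit form, but nothing in the patch decodes field [5] on the way in. If the form's PSK field is filled from the stored value, editing a connection that is already base64 encoded and pressing Save would encode the encoded string a second time while [40] stays 'YES', and the secret written to ipsec.secrets would then be the base64 text rather than the key. The commit message covers the old to new conversion; please also test edit and save of an entry that has already been converted.
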
@@ -1884,6 +1890,7 @@ END
 		}
 
 		if ($cgiparams{'AUTH'} eq 'psk') {
+			$cgiparams{'BASE_64'} = 'YES';
 			if (! length($cgiparams{'PSK'}) ) {
 				$errormessage = $Lang::tr{'pre-shared key is too short'};
 				goto VPNCONF_ERROR;
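
Review bot: BASE_64 is set to 'YES' here for every save with AUTH psk, before the PSK checks run, which overrides the value loaded from field [40] in the previous hunk. If every psk save passes through this line, the else branch added in the last hunk can never run on that path; if some path skips it, that path stores the raw PSK again. Please say in a comment which of the two is intended.
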
@@ -2261,7 +2268,13 @@ END
 	$confighash{$key}[3] = $cgiparams{'TYPE'};
 	if ($cgiparams{'AUTH'} eq 'psk') {
 		$confighash{$key}[4] = 'psk';
-		$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
+		if ($cgiparams{'BASE_64'} eq 'YES') {
+			$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
+			$confighash{$key}[40] = 'YES';
+		} else {
+			$confighash{$key}[5] = $cgiparams{'PSK'};
+			$confighash{$key}[40] = '';
+		}
 	} else {
 		$confighash{$key}[4] = 'cert';
 	}
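
Review bot: fields [5] and [40] are written together in the psk branch, but the cert branch at the end of this hunk leaves [40] untouched, so a connection switched from PSK to certificate keeps a stale 'YES'. Clearing [40] there keeps the flag meaningful. Since the config reader and writer are not part of this patch, please also confirm that index 40 is persisted and read back for existing files.
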
-- 
2.45.2

