From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 3/3] vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's Date: Fri, 05 Jul 2024 19:18:56 +0200 Message-ID: <20240705171856.3471127-3-adolf.belka@ipfire.org> In-Reply-To: <20240705171856.3471127-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1862892644577863754==" List-Id: --===============1862892644577863754== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - An additional key was defined for a PSK being base64 encoded. All existing = PSK's that are not base64 encoded will have that key empty. This enables base64 encod= ed PSK's and non base64 encoded PSK's to be differentiated. - If the PSK connection is disabled and then enabled with a non base64 encode= d PSK the PSK will be left as it is. If the edit page is selected and Save pressed, even= if nothing has been modified, then the PSK will be converted to a base64 encoded PSK. - The old style and new style PSK was tested out on my vm system and worked w= ithout any issue. - Using an old non base64 encoded PSK the IPSec connection worked without any= problems. If the PSK was then converted to base64 encoding by saving from the Edit = page without changing anything, then the client IPSec connection was successfully made = without any indication of a change. The conversion from non base64 to base64 encoded P= SK occurred seamlessly without any hiccup. Fixes: Bug13029 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bde5e11bc..c6eb6d7b7 100755 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -94,6 +94,7 @@ $cgiparams{'LOCAL_ID'} =3D ''; $cgiparams{'REMOTE_ID'} =3D ''; $cgiparams{'REMARK'} =3D ''; $cgiparams{'PSK'} =3D ''; +$cgiparams{'BASE_64'} =3D ''; $cgiparams{'CERT_NAME'} =3D ''; $cgiparams{'CERT_EMAIL'} =3D ''; $cgiparams{'CERT_OU'} =3D ''; @@ -481,8 +482,12 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line =3D ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside= ) . " " ; $psk_line .=3D $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfigha= sh{$key}[10]; #remoteid or remote address? - my $decoded_psk =3D MIME::Base64::decode_base64($lconfighash{$key}[5]); - $psk_line .=3D " : PSK '$decoded_psk'\n"; + if ($lconfighash{$key}[40] eq 'YES') { + my $decoded_psk =3D MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .=3D " : PSK '$decoded_psk'\n"; + } else { + $psk_line .=3D " : PSK '$lconfighash{$key}[5]'\n"; + } # if the line contains %any, it is less specific than two IP or ID, so mo= ve it at end of file. if ($psk_line =3D~ /%any/) { $last_secrets .=3D $psk_line; @@ -1703,6 +1708,7 @@ END $cgiparams{'INTERFACE_ADDRESS'} =3D $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} =3D $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DNS_SERVERS'} =3D $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'BASE_64'} =3D $confighash{$cgiparams{'KEY'}}[40]; =20 if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} =3D 30; @@ -1884,6 +1890,7 @@ END } =20 if ($cgiparams{'AUTH'} eq 'psk') { + $cgiparams{'BASE_64'} =3D 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage =3D $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; 
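Review bot: In the writeipsecfiles hunk both branches still place the key between single quotes (`" : PSK '$decoded_psk'\n"` and `" : PSK '$lconfighash{$key}[5]'\n"`), so a key containing a single quote or a line break would end the quoted value early or add a line to the secrets output; no validation of the PSK is visible in this hunk. For records flagged `'YES'` the decode step can be skipped entirely, assuming the output is read by strongSwan's ipsec.secrets parser, which accepts base64 values with a `0s` prefix: `$psk_line .= " : PSK 0s$lconfighash{$key}[5]\n";`. For the legacy branch, rejecting `'`, `\r` and `\n` before the line is built would keep a malformed stored value out of the file. Records saved before this series have no element 40, so the test reads more safely as `($lconfighash{$key}[40] // '') eq 'YES'`. The body of writeipsecfiles continues outside the hunk.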
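Review bot: The save-time check at `if ($cgiparams{'AUTH'} eq 'psk')` forces `$cgiparams{'BASE_64'} = 'YES'`, yet the later save hunk (`@@ -2261`) still branches on that same `%cgiparams` entry and keeps an `else` that stores `$cgiparams{'PSK'}` unencoded. If `%cgiparams` is filled from the submitted form, as its name suggests, any route into the save code that does not pass through this assignment would let a request field choose the storage format, and the key would be written to the settings record exactly as typed. Since every PSK saved from the edit page is meant to be encoded, the save hunk can drop the flag test and the `else`, leaving `$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");` followed by `$confighash{$key}[40] = 'YES';`. The enclosing block starts and ends outside both hunks.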
@@ -2261,7 +2268,13 @@ END $confighash{$key}[3] =3D $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] =3D 'psk'; - $confighash{$key}[5] =3D MIME::Base64::encode_base64($cgiparams{'PSK'}, ""= ); + if ($cgiparams{'BASE_64'} eq 'YES') { + $confighash{$key}[5] =3D MIME::Base64::encode_base64($cgiparams{'PSK'}, "= "); + $confighash{$key}[40] =3D 'YES'; + } else { + $confighash{$key}[5] =3D $cgiparams{'PSK'}; + $confighash{$key}[40] =3D ''; + } } else { $confighash{$key}[4] =3D 'cert'; } --=20 2.45.2 --===============1862892644577863754==--
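Review bot: Element 40 of the connection record is introduced here without a comment, and its meaning has to be pieced together from four separate hunks. A line above the assignment would help the next reader: `# [40]: 'YES' when [5] holds a base64-encoded PSK; empty or missing on records saved before this change`. The `else` branch for `'cert'` leaves `[40]` untouched, so a record switched from PSK to certificate keeps a stale `'YES'`; in the hunks shown `[40]` is only read when `[4]` is `'psk'`, so this looks harmless, but adding `$confighash{$key}[40] = '';` there keeps the record consistent.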