public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] vpnmain.cgi: Fixes bug13833 - ipsec cert renewal bug
Date: Sun, 27 Apr 2025 20:58:51 +0200
Message-ID: <20250427185851.25437-1-adolf.belka@ipfire.org>

- This patch corrects the encoding section which was incorrectly set up to have the
   encoding set up when the BASE_64 parameter was set to YES. This meant that the
   encoded PSK was then encoded a further time and the ipsec.secrets file PSK entry
   was set as the decoded version of that twice encoded PSK. This could then happen again
   and again with the PSK being encoded twice or more times.
- This patch only base64 encodes the PSK if the BASE_64 parameter is not set to YES, which
   means set to empty.
- This patch set has been tested with PSKs from restored backups from when the PSK was
   not base64 encoded. It has also been tested on non base64 encoded PSKs that have
   then had the Save button on the PSK edit screen pressed and also on PSKs that have
   already been base64 encoded. In all cases the correct base64 encoding was carried
   out and multiple Saves of the PSK Edit screen no longer give further base64 encodings
   of the already base64 encoded PSK.
- The problem with the original patch for this issue was that the encoding was not done
   for the correct BASE_64 status.

Fixes: Bug13833
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1c9f9243b..778ec25c4 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1879,7 +1879,7 @@ END
 		}
 
 		if ($cgiparams{'AUTH'} eq 'psk') {
-			$cgiparams{'BASE_64'} = 'YES';
+			$cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40];
 			if (! length($cgiparams{'PSK'}) ) {
 				$errormessage = $Lang::tr{'pre-shared key is too short'};
 				goto VPNCONF_ERROR;
@@ -2248,7 +2248,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
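Review bot: `foreach my $i (0 .. 40)` is the second place in this file that hard-codes that slot 40 is the BASE_64 flag (the `$confighash{$key}[40] = 'YES'` assignment in the next hunk is the other); a named constant for the record width or flag index would keep the two from drifting apart the next time a slot is added. Note also that only this initialisation is widened: a record that arrives by another path with no slot 40 (the restored-backup case the commit message tests) has an undefined flag and is treated as "not encoded" by the save path, which is the intended effect but worth stating in the commit message.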
@@ -2259,11 +2259,10 @@ END
 	if ($cgiparams{'AUTH'} eq 'psk') {
 		$confighash{$key}[4] = 'psk';
 		if ($cgiparams{'BASE_64'} eq 'YES') {
+			$confighash{$key}[5] = $cgiparams{'PSK'};
+		} else {
 			$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
 			$confighash{$key}[40] = 'YES';
-		} else {
-			$confighash{$key}[5] = $cgiparams{'PSK'};
-			$confighash{$key}[40] = '';
 		}
 	} else {
 		$confighash{$key}[4] = 'cert';
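Review bot: the `'YES'` branch now stores `$cgiparams{'PSK'}` verbatim and no longer writes slot 40, so the stored flag is trusted twice, once to pick the branch and once to remain `'YES'` for the next save. If the submitted value is a freshly typed secret rather than the already-encoded one (the commit message only covers re-saving existing values), it is written unencoded while the flag still says encoded, and the decode that produces the ipsec.secrets entry yields garbage. Either validate before the verbatim store, e.g. `MIME::Base64::encode_base64(MIME::Base64::decode_base64($cgiparams{'PSK'}), "") eq $cgiparams{'PSK'}` and fall through to the encode branch otherwise, or write `$confighash{$key}[40] = 'YES';` in both branches so this function always owns the flag.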
-- 
2.49.0
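The double-encoding the commit message describes, as an added illustration that is not part of this patch or of IPFire's code: a connection record modelled on the array layout the hunks use (slots 4, 5 and 40 are assumptions taken from the diff), the pre-fix save that re-encodes on every press of Save, the post-fix save that encodes once, and one extra round-trip guard on the verbatim branch that the patch itself does not contain. The sample PSK and record are constructed.

```perl
#!/usr/bin/perl
# Added illustration, not IPFire code: the double-encoding the commit message
# describes, and a save routine that encodes the PSK exactly once.
use strict;
use warnings;
use MIME::Base64 ();

# Constructed connection record modelled on the vpnmain.cgi array layout
# (assumption taken from the hunks): slot 4 = auth type, slot 5 = PSK,
# slot 40 = 'YES' once slot 5 holds base64 text, '' otherwise.
sub new_record {
    my ($psk) = @_;
    my @rec = ('on', 'branch-office');
    $rec[4]  = 'psk';
    $rec[5]  = $psk;
    $rec[40] = '';          # as found in a backup taken before PSKs were encoded
    return \@rec;
}

# Pre-fix behaviour: encode whatever was submitted and set the flag.
sub save_psk_buggy {
    my ($rec, $psk) = @_;
    $rec->[5]  = MIME::Base64::encode_base64($psk, "");
    $rec->[40] = 'YES';
}

# Cheap round-trip test: true only for canonical base64 text.
sub looks_base64 {
    my ($s) = @_;
    return 0 unless length($s) % 4 == 0 && $s =~ m{\A[A-Za-z0-9+/]+={0,2}\z};
    return MIME::Base64::encode_base64(MIME::Base64::decode_base64($s), "") eq $s;
}

# Post-fix behaviour, plus one guard the patch does not have: a value that
# arrives flagged as encoded but does not decode cleanly is encoded anyway.
# (A plaintext PSK that happens to be valid base64 still slips through, so
# the flag, not this check, remains the primary signal.)
sub save_psk_fixed {
    my ($rec, $psk, $already_encoded) = @_;
    if ($already_encoded eq 'YES' && looks_base64($psk)) {
        $rec->[5] = $psk;            # already encoded: store verbatim
    } else {
        $rec->[5]  = MIME::Base64::encode_base64($psk, "");
        $rec->[40] = 'YES';
    }
}

# What ipsec.secrets receives: the stored value decoded once.
sub secret_for_ipsec {
    my ($rec) = @_;
    return MIME::Base64::decode_base64($rec->[5]);
}

my $original = 'correct horse battery staple';   # constructed sample PSK

# Press Save three times with the old code; each save submits the stored value.
my $buggy = new_record($original);
save_psk_buggy($buggy, $buggy->[5]) for 1 .. 3;
printf "old code, 3 saves: %s\n",
    secret_for_ipsec($buggy) eq $original
        ? 'PSK intact'
        : "PSK corrupted to '" . secret_for_ipsec($buggy) . "'";

# Same three saves with the fixed code; the form also submits the stored flag.
my $fixed = new_record($original);
save_psk_fixed($fixed, $fixed->[5], $fixed->[40]) for 1 .. 3;
printf "new code, 3 saves: %s (stored: %s)\n",
    secret_for_ipsec($fixed) eq $original ? 'PSK intact' : 'PSK corrupted',
    $fixed->[5];

# A freshly typed secret arriving with the stale 'YES' flag is still encoded.
my $edited = new_record($original);
save_psk_fixed($edited, $edited->[5], $edited->[40]);
save_psk_fixed($edited, 'new plain secret', $edited->[40]);
printf "edited PSK: %s\n",
    secret_for_ipsec($edited) eq 'new plain secret' ? 'intact' : 'corrupted';
```

Run it with `perl` on any system with the core MIME::Base64 module; the first block shows the stored value drifting away from the secret after the second save, the second shows the flag stopping the drift, and the third shows why the verbatim branch should not trust the flag alone.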
