From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers
Date: Mon, 17 Jun 2019 16:31:52 +0100
Message-ID: <9F68F24B-956A-4BCA-B487-88273B09109E@ipfire.org>
In-Reply-To: <a777231c-e588-3895-b508-7f13795949da@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4410267476412941162=="
List-Id: <development.lists.ipfire.org>

--===============4410267476412941162==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Oops. Yes.

Weirdly, someone confirmed that this patch works for them…

> On 17 Jun 2019, at 15:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> The changes introduced due to #12091 caused IPsec ESP
> to be invalid if PFS ciphers were selected. Code has
> to read "!$pfs" instead of just "$pfs", as it should trigger
> for ciphers _without_ Perfect Forward Secrecy.
> 
> Fixes #12099
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index fbc274919..750b69b1d 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -3338,7 +3338,7 @@ sub make_algos($$$$$) {
> 						push(@algo, $int);
> 					}
> 
> -					if ($pfs || $grp eq "none") {
> +					if (!$pfs || $grp eq "none") {
> 						# noop
> 					} elsif ($grp =~ m/^e(.*)$/) {
> 						push(@algo, "ecp$1");
> -- 
> 2.16.4


--===============4410267476412941162==--