From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] vpnmain.cgi: Fix writing ESP settings for PFS ciphers
Date: Mon, 17 Jun 2019 14:08:00 +0000
Message-ID: <a777231c-e588-3895-b508-7f13795949da@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8277581161103544203=="
List-Id: <development.lists.ipfire.org>

--===============8277581161103544203==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index fbc274919..750b69b1d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -3338,7 +3338,7 @@ sub make_algos($$$$$) {
 						push(@algo, $int);
 					}
 
-					if ($pfs || $grp eq "none") {
+					if (!$pfs || $grp eq "none") {
 						# noop
 					} elsif ($grp =~ m/^e(.*)$/) {
 						push(@algo, "ecp$1");
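Review bot: the empty "# noop" branch under `if (!$pfs || $grp eq "none")` keeps the guard in its negated form, which is how the inverted test from the earlier change went unnoticed. Consider stating the positive condition instead, e.g. wrapping the group handling in `if ($pfs && $grp ne "none") { ... }`, with a short comment that the DH/ECP group is appended to the ESP proposal only when PFS is enabled. The hunk also does not show how `$pfs` is populated. Please confirm it is a real boolean at this point, since in Perl any non-empty string other than "0" (for example "off") is true and would make `!$pfs` false regardless of the setting.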
-- 
2.16.4

--===============8277581161103544203==--