- An additional key was defined for a PSK being base64 encoded. All existing PSK's that are not base64 encoded will have that key empty. This enables base64 encoded PSK's and non base64 encoded PSK'sd to be differentiated. - If the PSK connection is disabled and then enabled with a non base64 encoded PSK the PSK will be left as it is. If the edit page is selected and Save pressed, even if nothing has been modified, then the PSK will be converted to a base64 encoded PSK. - The old style and new style PSK was tested out on my vm system and worked without any issue. - Using an old non base64 encoded PSK the IPSec connection worked without any problems. If the PSK was tehn converted to basse64 encoding by saving from the Edit page without changing anything, then the client IPSec connection was successfully made without any indication of a change. The conversion from non base64 to base64 encoded PSK occurred seamlessly without any hiccup.
Fixes: Bug13029 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/vpnmain.cgi | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bde5e11bc..c6eb6d7b7 100755 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -94,6 +94,7 @@ $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; $cgiparams{'REMARK'} = ''; $cgiparams{'PSK'} = ''; +$cgiparams{'BASE_64'} = ''; $cgiparams{'CERT_NAME'} = ''; $cgiparams{'CERT_EMAIL'} = ''; $cgiparams{'CERT_OU'} = ''; @@ -481,8 +482,12 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); - $psk_line .= " : PSK '$decoded_psk'\n"; + if ($lconfighash{$key}[40] eq 'YES') { + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; + } else { + $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + } # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; @@ -1703,6 +1708,7 @@ END $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'BASE_64'} = $confighash{$cgiparams{'KEY'}}[40];
if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1884,6 +1890,7 @@ END }
if ($cgiparams{'AUTH'} eq 'psk') { + $cgiparams{'BASE_64'} = 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; @@ -2261,7 +2268,13 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + if ($cgiparams{'BASE_64'} eq 'YES') { + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + $confighash{$key}[40] = 'YES'; + } else { + $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[40] = ''; + } } else { $confighash{$key}[4] = 'cert'; }