[git.ipfire.org] IPFire 2.x development tree branch, master, updated. f9f02b4c244fea3025245348678bb08bbfbd48a8

public inbox for ipfire-scm@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. f9f02b4c244fea3025245348678bb08bbfbd48a8
Date: Tue, 29 Apr 2025 08:53:28 +0000 (UTC)	[thread overview]
Message-ID: <4ZmvHD0tTrz2xnD@people01.haj.ipfire.org> (raw)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  f9f02b4c244fea3025245348678bb08bbfbd48a8 (commit)
      from  610ed2f195d1447f8f56b9796d916edf2800661f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f9f02b4c244fea3025245348678bb08bbfbd48a8
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 28 09:45:51 2025 +0000

    vpnmain.cgi: Fix editing connections that are using a PSK
    
    This patch takes care of properly decoding the PSK if it was already
    stored base64-encoded. If the connection is edited, it always will be
    stored base64-encoded upon save.
    
    It would have been nice to not send the PSK back to the browser again
    (although the security benefits would have been marginal), but that
    would make the code even messier than it is.
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Tested-by: Christian Hernmarck <linux@hernmarck.ch>

-----------------------------------------------------------------------

Summary of changes:
 html/cgi-bin/vpnmain.cgi | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

Difference in files:
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1c9f9243b..4f81fecdf 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -468,7 +468,7 @@ sub writeipsecfiles {
 			$psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
 			$psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
 			if ($lconfighash{$key}[40] eq 'YES') {
-				my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]);
+				my $decoded_psk = &MIME::Base64::decode_base64($lconfighash{$key}[5]);
 				$psk_line .= " : PSK '$decoded_psk'\n";
 			} else {
 				$psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
@@ -1662,6 +1662,10 @@ END
 		$cgiparams{'TYPE'}				= $confighash{$cgiparams{'KEY'}}[3];
 		$cgiparams{'AUTH'}				= $confighash{$cgiparams{'KEY'}}[4];
 		$cgiparams{'PSK'}				= $confighash{$cgiparams{'KEY'}}[5];
+		# Decode the PSK if it is base64-encoded
+		if ($cgiparams{'PSK'} && $confighash{$cgiparams{'KEY'}}[40] eq 'YES') {
+			$cgiparams{'PSK'} = &MIME::Base64::decode_base64($cgiparams{'PSK'});
+		}
 		$cgiparams{'LOCAL'}				= $confighash{$cgiparams{'KEY'}}[6];
 		$cgiparams{'LOCAL_ID'}			= $confighash{$cgiparams{'KEY'}}[7];
 		my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
@@ -1879,7 +1883,6 @@ END
 		}
 
 		if ($cgiparams{'AUTH'} eq 'psk') {
-			$cgiparams{'BASE_64'} = 'YES';
 			if (! length($cgiparams{'PSK'}) ) {
 				$errormessage = $Lang::tr{'pre-shared key is too short'};
 				goto VPNCONF_ERROR;
@@ -2248,7 +2251,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -2258,13 +2261,10 @@ END
 	$confighash{$key}[3] = $cgiparams{'TYPE'};
 	if ($cgiparams{'AUTH'} eq 'psk') {
 		$confighash{$key}[4] = 'psk';
-		if ($cgiparams{'BASE_64'} eq 'YES') {
-			$confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
-			$confighash{$key}[40] = 'YES';
-		} else {
-			$confighash{$key}[5] = $cgiparams{'PSK'};
-			$confighash{$key}[40] = '';
-		}
+
+		# Always store the PSK base64-encoded, even if it wasn't base64 before
+		$confighash{$key}[5] = &MIME::Base64::encode_base64($cgiparams{'PSK'}, "");
+		$confighash{$key}[40] = 'YES';
 	} else {
 		$confighash{$key}[4] = 'cert';
 	}


hooks/post-receive
--
IPFire 2.x development tree

                 reply	other threads:[~2025-04-29  8:53 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4ZmvHD0tTrz2xnD@people01.haj.ipfire.org \
    --to=git@ipfire.org \
    --cc=ipfire-scm@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox