To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. f9f02b4c244fea3025245348678bb08bbfbd48a8
X-Git-Refname: refs/heads/master
X-Git-Reftype: branch
X-Git-Oldrev: 610ed2f195d1447f8f56b9796d916edf2800661f
X-Git-Newrev: f9f02b4c244fea3025245348678bb08bbfbd48a8
Message-Id: <4ZmvHD0tTrz2xnD@people01.haj.ipfire.org>
Date: Tue, 29 Apr 2025 08:53:28 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  f9f02b4c244fea3025245348678bb08bbfbd48a8 (commit)
      from  610ed2f195d1447f8f56b9796d916edf2800661f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f9f02b4c244fea3025245348678bb08bbfbd48a8
Author: Michael Tremer
Date:   Mon Apr 28 09:45:51 2025 +0000

vpnmain.cgi: Fix editing connections that are using a PSK

This patch takes care of properly decoding the PSK if it was already
stored base64-encoded. If the connection is edited, it always will be
stored base64-encoded upon save.

It would have been nice to not send the PSK back to the browser again
(although the security benefits would have been marginal), but that
would make the code even messier than it is.
Signed-off-by: Michael Tremer Tested-by: Adolf Belka Tested-by: Christian Hernmarck ----------------------------------------------------------------------- Summary of changes: html/cgi-bin/vpnmain.cgi | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) Difference in files: diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 1c9f9243b..4f81fecdf 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -468,7 +468,7 @@ sub writeipsecfiles { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? if ($lconfighash{$key}[40] eq 'YES') { - my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + my $decoded_psk = &MIME::Base64::decode_base64($lconfighash{$key}[5]); $psk_line .= " : PSK '$decoded_psk'\n"; } else { $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; @@ -1662,6 +1662,10 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + # Decode the PSK if it is base64-encoded + if ($cgiparams{'PSK'} && $confighash{$cgiparams{'KEY'}}[40] eq 'YES') { + $cgiparams{'PSK'} = &MIME::Base64::decode_base64($cgiparams{'PSK'}); + } $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); @@ -1879,7 +1883,6 @@ END } if ($cgiparams{'AUTH'} eq 'psk') { - $cgiparams{'BASE_64'} = 'YES'; if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; goto VPNCONF_ERROR; 
@@ -2248,7 +2251,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 40) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2258,13 +2261,10 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - if ($cgiparams{'BASE_64'} eq 'YES') { - $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); - $confighash{$key}[40] = 'YES'; - } else { - $confighash{$key}[5] = $cgiparams{'PSK'}; - $confighash{$key}[40] = ''; - } + + # Always store the PSK base64-encoded, even if it wasn't base64 before + $confighash{$key}[5] = &MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); + $confighash{$key}[40] = 'YES'; } else { $confighash{$key}[4] = 'cert'; } hooks/post-receive -- IPFire 2.x development tree
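Review bot: In the @@ -468 hunk (writeipsecfiles), the decoded key is interpolated straight into " : PSK '$decoded_psk'\n", so a key that contains a single quote or a newline ends the quoted value early and corrupts the generated PSK line. Now that every saved PSK is base64-encoded and round-trips arbitrary bytes, reject those characters when the form is saved, or refuse to write the line here, before the value reaches this format string. The non-base64 branch right below it builds the line the same way and needs the same check.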
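Review bot: In the @@ -1662 hunk, the decoded key is put back into $cgiparams{'PSK'} for the edit form, and the commit message confirms it is sent to the browser. The code that prints the field is not part of this diff, so please confirm that the value is HTML-escaped where it is emitted, since a decoded key may contain quotes or angle brackets. A short comment saying that field 40 is the base64 marker would also help, because the bare index in the condition gives no hint of its meaning.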
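Review bot: In the @@ -1879 hunk, the check that remains after the BASE_64 line is removed, if (! length($cgiparams{'PSK'}) ), only rejects an empty key, while the error it raises reads 'pre-shared key is too short'. A one-character PSK passes it. Consider enforcing a real minimum length at this point so the check matches its message.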
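Review bot: In the @@ -2248 hunk, the upper bound in foreach my $i (0 .. 40) is a magic number that has to be bumped by hand whenever a field is added, which is how index 40 came to be left out of the initialisation for new entries in the old 0 .. 39 loop. A named constant for the highest field index, used here and wherever else the record is initialised, would keep the loop and the field layout in step.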
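Review bot: In the @@ -2261 hunk, the else branch only sets $confighash{$key}[4] = 'cert'; and leaves fields 5 and 40 as they were, so a connection switched from PSK to certificate authentication keeps its old key in the stored record unless something outside this hunk clears it. Emptying both fields in that branch avoids keeping a secret that is no longer used. The new comment could also say that the base64 step is there for safe serialisation and not for confidentiality, so nobody later mistakes it for protection of the key.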