Bug 13029 - IPSec definition distorted by entered secret
Summary: IPSec definition distorted by entered secret
Status: MODIFIED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: all Linux
: Will only affect a few users Minor Usability
Assignee: Adolf Belka
QA Contact:
URL:
Keywords:
: 11725 (view as bug list)
Depends on:
Blocks:
 
Reported: 2023-01-14 10:48 UTC by Jan Penkava
Modified: 2024-09-23 12:02 UTC (History)
4 users (show)

See Also:


Attachments
server erro upon saving IPSec settings with secret (36.34 KB, image/jpeg)
2023-01-14 10:48 UTC, Jan Penkava
Details
setings lost and miced up in advanced section of IPSec (131.31 KB, image/jpeg)
2023-01-14 10:49 UTC, Jan Penkava
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jan Penkava 2023-01-14 10:48:27 UTC
Created attachment 1133 [details]
server erro upon saving IPSec settings with secret

When Ipsec definition is updated with secret containing some of the characters below, upon save IPFire reports "Internal server error".
The definition for which the secret was saved then gest randomly mixed up settings some values are lost, most values shown in different fields. Settings in Advanced sections are mostly lost, option fields and values mixed up too.
Different secret must be used and whole IPSec settings manually restored 

I was able to replicate this, using e.g. follwoing secret "/?,wH,tIo^N#XP^U" (withouyt quotation marks) and then again with just "/?," characters used for secret.
Comment 1 Jan Penkava 2023-01-14 10:49:31 UTC
Created attachment 1134 [details]
setings lost and miced up in advanced section of IPSec
Comment 2 Michael Tremer 2023-01-16 17:53:04 UTC
Hello Jan,

yes, it is indeed not possible to have comma in the PSK since it is being stored in a CSV-style format which does not handle this well.

Please don't use a comma as a workaround for the moment.

I will leave this ticket open and hopefully will soon have some time for a fix. There is currently a large pile of tickets that require our attention first.
Comment 3 Jan Penkava 2023-01-16 19:55:04 UTC
(In reply to Michael Tremer from comment #2)
Hallo Michael,
yes, this is a minor issue and I worked around it using different secret. I was using some random passwords from a password generator and when tried first one, I actually got message that the sevcret contained some charactars that are not allowed... so tried the second one that has crashed it.
Since this was doen as last update to IPSEc connection I was setting up where started with a simple secret initially, it was a bit of surprise. Just an inconvenience to restore everything back I guess, no major problem. 

Thanks for looking into this, I appreciate your prompt verification of this. 

Cheers, Jan
Comment 4 Adolf Belka 2023-09-04 13:02:02 UTC
I have updated the IPSec wiki page to clarify that a comma and a single quotation mark are invalid characters for the PSK.

The vpnmain.cgi code already flags up a single quotation mark as an invalid character.

I will pick this bug up to update the cgi code to also flag up a comma as invalid.
Comment 5 Michael Tremer 2023-09-04 13:52:17 UTC
If someone has time for this, we could simply encode the PSK in base64. That will allow any kind of characters without taking care about the character encoding and any special characters after the base64 encode.

To be backwards-compatible, we can simply use the original value if it cannot be base64 decoded.
Comment 6 Adolf Belka 2023-09-04 16:16:18 UTC
I am willing to have a look at base64 encoding but that would take me longer than my original idea as I would need to better understand the vpnmain.cgi code and where the changes would need to be implemented.

I also have a lot of other bugs on my list that I need to close off first, so if someone else wants to pick it up I am fine with that but if it is still here when I have gone through all my other bugs, I will have a go at it.
Comment 7 Tom Rymes 2024-05-20 13:55:37 UTC
Just posting here that I stumbled across this issue today. Posted up in the forum, FWIW. Having now found this, I will continue to workaround by changing the PSK.

https://community.ipfire.org/t/comma-in-ipsec-psk-causes-problems/11651
Comment 8 Adolf Belka 2024-06-21 13:40:44 UTC
I have now got some time to start working on this issue.

I have read up on base64 encoding/decoding and understand it enough to work on this.

However, I have come across a problem. @Michael wrote in comment 5

> To be backwards-compatible, we can simply use the original value if it cannot > be base64 decoded.

However there is no way to easily identify if an original string has been base64 encoded if the string only uses upper and lower case letters and digits and it has an integral number of 6 bit groups.

So a user could have had an original PSK of

reiyy558sJJU

which when base64 encoded becomes

cmVpeXk1NThzSkpV

However you can't identify that the user did not have a PSK string of

cmVpeXk1NThzSkpV

originally.


The only thing I could do is check if a PSK string has characters that are not valid in a base64 string, in which case it must have been a PSK that was not base64 encoded.

How do I handle this.

Maybe there is a simple solution that due to my lack of knowledge about base64 encoding/decoding, I am missing.

Open to suggestions.
Comment 9 Adolf Belka 2024-06-22 11:48:15 UTC
Interesting thing I have found is that base64 encode/decode is already used in the vpnmain.cgi for the CA and the certificate.

In terms of the backwards compatibility for PSK's that were historically not base64 encoded I have had the idea that I can add a $cgiparams{'KEY'} entry for if base64 encoding is used. All previous values would have no entry in that key but all PSK's created would have the key with an entry such as YES.

Then base64 encoding and decoding would only be done for PSK's where this additional BASE64 KEY value was set as YES. All others would have the PSK taken as it is.

That seems a reasonable way around the issue I highlighted yesterday.
I will start working on that basis.
Comment 10 Man Grove 2024-06-26 21:49:54 UTC
*** Bug 11725 has been marked as a duplicate of this bug. ***
Comment 11 Adolf Belka 2024-07-03 16:01:41 UTC
I have been able to successfully store the PSK in the config file as a Base64 encoded string. That means there are no problems with commas or any other type of character.

When storing the PSK into the ipsec.secrets file the PSK is decoded back from Base64.

I have tested the above with my laptop using PSK and was able to successfully use a comma and all sorts of other characters.

The only limitation that still stays in place is that single quotation marks can not be used in the PSK.

The single quotation mark is used in the ipsec.secrets file to delineate the bounds of the PSK.

I have also added a variable for new PSK's which flags them as base64 encoded. So old valid PSK's stay working without the base64 encoding.

If the old PSL connection is edited (even with no change) then the PSK will be updated to base64 encoded. This will be transparent to the user.
I tested a non-base64 encoded PSK and the connection worked. Editing the connection and converting the PSK to base64 encoded still worked with the same PSK used on the client.

I will submit a patch for this so it can be reviewed to see if there are any coding style improvements that can be made.
Comment 12 Adolf Belka 2024-07-03 16:30:09 UTC
Bit more work to do.

Have found that if I disable the connection and then re-enable it that the ipsec-secrets PSK value is base64 encoded which should not occur. It looks like when it is disabled that it loses track on whether it is Base64 encoded or a raw PSK.
Comment 13 Adolf Belka 2024-07-05 12:54:51 UTC
Have now got it working correctly when disabled/enabled, edited or done from fresh.

It also works fine with existing PSK's that are not base64 encoded. They stay as they are if just disabled/enabled but if you edit it and press the Save button, even if nothing is changed, then the PSK in the config file will be base64 encoded. The user will not notice that effect. The same PSK will still be used in the client.

Later today or tomorrow I will submit the patch for the fix for review in the developers mailing list.
Comment 15 Adolf Belka 2024-09-23 12:02:51 UTC
The patch has been merged into next (will be CU190)