Page MenuHomePhabricator

Use base64 or hex format in ipsec.secrets to allow double quotes
Open, WishlistPublicENHANCEMENT

Description

The strongswan documentation states:

PSK Secret
A preshared secret is most conveniently represented as a sequence of characters, which is delimited by double-quote characters ("). The sequence cannot contain newline or double-quote characters.
Alternatively, preshared secrets can be represented as hexadecimal or Base64 encoded binary values. A character sequence beginning with 0x is interpreted as sequence hexadecimal digits. Similarly, a character sequence beginning with 0s is interpreted as Base64 encoded binary data.

Using hex- or base64-encoding in the /etc/ipsec.secrets file would allow double quotes- and newline-characters to be used in VPN PSKs (double quotes being a requirement we just encountered connecting to an ISP's Cisco VPN).

The change is as simple as encoding the PSK, prepending "0s" (base64) or "0x" (hex) and putting the result unquoted (!) into the file.

The problem is that the value is checked for illegal characters in a completely different place.
Changing that unfortunately exceeds my coding abilities.

This will probably get a low priority but I at least wanted to document my findings.

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

hsychla created this task.Feb 3 2017, 3:58 PM
syncer triaged this task as Wishlist priority.Aug 1 2017, 3:57 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.
syncer set Version to -.
syncer reassigned this task from syncer to dmbaturin.Nov 3 2017, 12:57 PM
syncer added a subscriber: syncer.
syncer reassigned this task from dmbaturin to c-po.Oct 13 2018, 6:39 PM
syncer added a subscriber: dmbaturin.
syncer changed the subtype of this task from "Task" to "Enhancement".Oct 20 2018, 4:49 AM

This is best done along with IPsec scripts rewrite.

pasik added a subscriber: pasik.Mar 12 2019, 6:12 PM