From: Michael Tremer Date: Wed, 28 May 2025 14:11:07 +0000 (+0000) Subject: core196: Don't break IPsec tunnels that use MLKEM X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ed4634be943fe125b61f0348063016fcacb89ee;p=ipfire-2.x.git core196: Don't break IPsec tunnels that use MLKEM The previous patch was changing the string regardless of it having been changed before. The CGI script also has to be called as nobody. Signed-off-by: Michael Tremer --- diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh index b8f92322f..bd9e80f42 100644 --- a/config/rootfiles/core/196/update.sh +++ b/config/rootfiles/core/196/update.sh @@ -68,10 +68,12 @@ esac # Change IPsec configuration of existing connections using ML-KEM # to always make use of hybrid key exchange in conjunction with Curve 25519. -sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config +if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then + sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config +fi # Apply changes to ipsec.conf -/srv/web/ipfire/cgi-bin/vpnmain.cgi +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi # Start services if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
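Review bot: The new `if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config` guard around the sed is file-wide. As soon as one connection in the file already carries the hybrid string, the substitution is skipped for every other connection, so any remaining plain `mlkem` entries stay unconverted. Making the substitution itself idempotent avoids the all-or-nothing check, for example by normalising first and then prefixing: `sed -i -e "s@x25519-ke1_mlkem@mlkem@g" -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config`. Separately, the exit status of `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` is not checked, so a failed regeneration of ipsec.conf would pass silently before the services are started. A short comment above that line saying why the script has to run as nobody would also help the next reader.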