From 6ed4634be943fe125b61f0348063016fcacb89ee Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 28 May 2025 14:11:07 +0000
Subject: [PATCH] core196: Don't break IPsec tunnels that use MLKEM
The previous patch was changing the string regardless of it having been changed before. The CGI script also has to be called as nobody.
Signed-off-by: Michael Tremer
---
 config/rootfiles/core/196/update.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
index b8f92322f..bd9e80f42 100644
--- a/config/rootfiles/core/196/update.sh
+++ b/config/rootfiles/core/196/update.sh
@@ -68,10 +68,12 @@ esac
 # Change IPsec configuration of existing connections using ML-KEM
 # to always make use of hybrid key exchange in conjunction with Curve 25519.
-sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then
+ sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+fi
 # Apply changes to ipsec.conf
-/srv/web/ipfire/cgi-bin/vpnmain.cgi
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
 # Start services
 if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
--
2.39.5
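Review bot: The new `grep -q "x25519-ke1_mlkem"` guard is file-wide, so once a single line of /var/ipfire/vpn/config already carries the hybrid prefix, every other connection that still has a bare `mlkem` proposal is skipped and is not moved to the hybrid key exchange the comment promises. Whether such mixed files occur in practice is not visible here, but making the substitution itself idempotent avoids the question: `sed -i -e "s@x25519-ke1_mlkem@mlkem@g" -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config` normalises each occurrence and then prefixes it exactly once. The exit status of the `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` call is also unchecked, so a failure there would leave ipsec.conf stale when the services are started; logging a non-zero status would make that visible. The `if grep -q "ENABLED=on"` block continues outside the hunk.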