Révision c650b2f7
Ajouté par Ermal il y a plus de 9 ans
| etc/inc/vpn.inc | ||
|---|---|---|
| 693 | 693 |
$ph2ent['pfsgroup'] = $a_client['pfs_group']; |
| 694 | 694 |
|
| 695 | 695 |
if ($ph2ent['protocol'] == 'esp') {
|
| 696 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
| 696 |
if (is_array($ph2ent['encryption-algorithm-option'])) {
|
|
| 697 | 697 |
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
|
| 698 | 698 |
$ealg_id = $ealg['name']; |
| 699 | 699 |
$ealg_kl = $ealg['keylen']; |
| ... | ... | |
| 709 | 709 |
* seconds wrecking bootup */ |
| 710 | 710 |
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
|
| 711 | 711 |
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
|
| 712 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
| 713 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
| 714 |
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
|
|
| 712 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
| 713 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
| 714 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
| 715 |
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
|
|
| 716 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
|
| 717 |
if (!empty($modp)) |
|
| 718 |
$tmpealgo .= "-{$modp}";
|
|
| 719 |
$ealgoESPsp2arr[] = $tmpealgo; |
|
| 720 |
} |
|
| 721 |
} else {
|
|
| 722 |
$tmpealgo = "{$ealg_id}{$keylen}";
|
|
| 715 | 723 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
| 716 | 724 |
if (!empty($modp)) |
| 717 | 725 |
$tmpealgo .= "-{$modp}";
|
| ... | ... | |
| 720 | 728 |
} |
| 721 | 729 |
} |
| 722 | 730 |
} else {
|
| 723 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
| 724 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
| 725 |
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
|
|
| 731 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
| 732 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
| 733 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
| 734 |
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
|
|
| 735 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
|
| 736 |
if (!empty($modp)) |
|
| 737 |
$tmpealgo .= "-{$modp}";
|
|
| 738 |
$ealgoESPsp2arr[] = $tmpealgo; |
|
| 739 |
} |
|
| 740 |
} else {
|
|
| 741 |
$tmpealgo = "{$ealg_id}{$ealg_kl}";
|
|
| 726 | 742 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
| 727 | 743 |
if (!empty($modp)) |
| 728 | 744 |
$tmpealgo .= "-{$modp}";
|
| ... | ... | |
| 732 | 748 |
} |
| 733 | 749 |
} |
| 734 | 750 |
} else if ($ph2ent['protocol'] == 'ah') {
|
| 735 |
if (is_array($ph2ent['hash-algorithm-option'])) {
|
|
| 751 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
| 736 | 752 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
| 737 | 753 |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
|
| 738 | 754 |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
|
| ... | ... | |
| 784 | 800 |
$ipsecconf .= "\t{$ealgosp1}\n";
|
| 785 | 801 |
if (!empty($ealgoAHsp2arr)) |
| 786 | 802 |
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
|
| 787 |
if (!empty($ealgoESPsp2arr)) |
|
| 803 |
if (!empty($ealgoESPsp2arr)) {
|
|
| 804 |
file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true));
|
|
| 788 | 805 |
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
|
| 806 |
} |
|
| 789 | 807 |
if (!empty($authentication)) |
| 790 | 808 |
$ipsecconf .= "\t{$authentication}\n";
|
| 791 | 809 |
if (!empty($peerid_spec)) |
| usr/local/www/vpn_ipsec_phase2.php | ||
|---|---|---|
| 127 | 127 |
$input_errors[] = gettext("A valid ikeid must be specified.");
|
| 128 | 128 |
|
| 129 | 129 |
/* input validation */ |
| 130 |
$reqdfields = explode(" ", "localid_type halgos uniqid");
|
|
| 131 |
$reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms"), gettext("Unique Identifier"));
|
|
| 130 |
$reqdfields = explode(" ", "localid_type uniqid");
|
|
| 131 |
$reqdfieldsn = array(gettext("Local network type"), gettext("Unique Identifier"));
|
|
| 132 | 132 |
if (!isset($pconfig['mobile'])){
|
| 133 | 133 |
$reqdfields[] = "remoteid_type"; |
| 134 | 134 |
$reqdfieldsn[] = gettext("Remote network type");
|
| ... | ... | |
| 254 | 254 |
|
| 255 | 255 |
if (!count($ealgos)) {
|
| 256 | 256 |
$input_errors[] = gettext("At least one encryption algorithm must be selected.");
|
| 257 |
} else {
|
|
| 258 |
if (empty($pconfig['halgo'])) {
|
|
| 259 |
foreach ($ealgos as $ealgo) {
|
|
| 260 |
if (!strpos($ealgo['name'], "gcm")) {
|
|
| 261 |
$input_errors[] = gettext("At least one hashing algorithm needs to be selected.");
|
|
| 262 |
break; |
|
| 263 |
} |
|
| 264 |
} |
|
| 265 |
} |
|
| 257 | 266 |
} |
| 267 |
|
|
| 258 | 268 |
} |
| 259 | 269 |
if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) {
|
| 260 | 270 |
$input_errors[] = gettext("The P2 lifetime must be an integer.");
|
| ... | ... | |
| 277 | 287 |
|
| 278 | 288 |
$ph2ent['protocol'] = $pconfig['proto']; |
| 279 | 289 |
$ph2ent['encryption-algorithm-option'] = $ealgos; |
| 280 |
$ph2ent['hash-algorithm-option'] = $pconfig['halgos']; |
|
| 290 |
if (!empty($pconfig['halgos'])) |
|
| 291 |
$ph2ent['hash-algorithm-option'] = $pconfig['halgos']; |
|
| 292 |
else |
|
| 293 |
unset($ph2ent['hash-algorithm-option']); |
|
| 281 | 294 |
$ph2ent['pfsgroup'] = $pconfig['pfsgroup']; |
| 282 | 295 |
$ph2ent['lifetime'] = $pconfig['lifetime']; |
| 283 | 296 |
$ph2ent['pinghost'] = $pconfig['pinghost']; |
Formats disponibles : Unified diff
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM