From 037a92f2cade99f7598514478ef528917814d32c Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Wed, 12 Sep 2018 15:11:34 +0000 Subject: [PATCH] ipsec: multiple hash algos in phase 1 #1852 --- src/etc/inc/plugins.inc.d/ipsec.inc | 79 +++++++++++++++-------------- src/www/vpn_ipsec_phase1.php | 79 ++++++++++++++++------------- 2 files changed, 86 insertions(+), 72 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc index 01f77b36e..8e1454372 100644 --- a/src/etc/inc/plugins.inc.d/ipsec.inc +++ b/src/etc/inc/plugins.inc.d/ipsec.inc @@ -1,34 +1,34 @@ - Copyright (C) 2008 Ermal Luçi - Copyright (C) 2004-2007 Scott Ullrich - Copyright (C) 2003-2004 Manuel Kasper - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ + * Copyright (C) 2016 Deciso B.V. + * Copyright (C) 2008 Shrew Soft Inc. + * Copyright (C) 2008 Ermal Luçi + * Copyright (C) 2004-2007 Scott Ullrich + * Copyright (C) 2003-2004 Manuel Kasper + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ $ipsec_loglevels = array( "asn" => "Low-level encoding/decoding (ASN.1, X.509 etc.)", @@ -1184,17 +1184,20 @@ EOD; $peerid_spec = ipsec_find_id($ph1ent, "peer"); if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { - $ealg_id = $ph1ent['encryption-algorithm']['name']; - if (isset($ph1ent['encryption-algorithm']['keylen'])) { - $ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}"; - } else { - $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; + $list = array(); + foreach (explode(',', $ph1ent['hash-algorithm']) as $halgo) { + $entry = "{$ph1ent['encryption-algorithm']['name']}"; + if (isset($ph1ent['encryption-algorithm']['keylen'])) { + $entry .= "{$ph1ent['encryption-algorithm']['keylen']}"; + } + $entry .= "-{$halgo}"; + $modp = ipsec_convert_to_modp($ph1ent['dhgroup']); + if (!empty($modp)) { + $entry .= "-{$modp}"; + } + $list[] = $entry; } - $modp = ipsec_convert_to_modp($ph1ent['dhgroup']); - if (!empty($modp)) { - $ealgosp1 .= "-{$modp}"; - } - $ealgosp1 .= "!"; + $ealgosp1 = 'ike = ' . implode(',', $list) . '!'; } if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) { diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 6b716bb4e..1031cd54f 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php @@ -1,33 +1,33 @@ - Copyright (C) 2003-2005 Manuel Kasper - Copyright (C) 2014 Ermal Luçi - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ + * Copyright (C) 2014-2015 Deciso B.V. + * Copyright (C) 2008 Shrew Soft Inc. + * Copyright (C) 2003-2005 Manuel Kasper + * Copyright (C) 2014 Ermal Luçi + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ require_once("guiconfig.inc"); require_once("system.inc"); @@ -76,9 +76,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { // generice defaults $pconfig['interface'] = "wan"; - $pconfig['iketype'] = "ikev1"; + $pconfig['iketype'] = "ikev2"; $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data - ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal + ,encryption-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike"; if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { @@ -105,6 +105,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { } else { $pconfig['authservers'] = array(); } + if (!empty($config['ipsec']['phase1'][$p1index]['hash-algorithm'])) { + $pconfig['hash-algorithm'] = explode(',', $config['ipsec']['phase1'][$p1index]['hash-algorithm']); + } else { + $pconfig['hash-algorithm'] = array(); + } $pconfig['remotebits'] = null; $pconfig['remotenet'] = null ; if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) { @@ -127,11 +132,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig['peerid_type'] = "peeraddress"; $pconfig['authentication_method'] = "pre_shared_key"; $pconfig['encryption-algorithm'] = array("name" => "aes", "keylen" => "128"); - $pconfig['hash-algorithm'] = "sha256"; + $pconfig['hash-algorithm'] = array('sha256'); $pconfig['dhgroup'] = "14"; $pconfig['lifetime'] = "28800"; $pconfig['nat_traversal'] = "on"; - $pconfig['iketype'] = "ikev1"; $pconfig['authservers'] = array(); /* mobile client */ @@ -324,6 +328,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen']; } + if (empty($pconfig['hash-algorithm'])) { + $input_errors[] = gettext('Hash algorithm selection cannot be empty.'); + $pconfig['hash-algorithm'] = array(); + } + foreach ($p1_ealgos as $algo => $algodata) { if (!empty($pconfig['iketype']) && !empty($pconfig['encryption-algorithm']['name']) && !empty($algodata['iketype']) && $pconfig['iketype'] != $algodata['iketype'] && $pconfig['encryption-algorithm']['name'] == $algo) { @@ -333,7 +342,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (count($input_errors) == 0) { $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data - ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup + ,peerid_type,peerid_data,encryption-algorithm,dhgroup ,lifetime,pre-shared-key,certref,caref,authentication_method,descr ,nat_traversal,auto,mobike"; @@ -347,6 +356,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $ph1ent['authservers'] = implode(',', $pconfig['authservers']); } + $ph1ent['hash-algorithm'] = implode(',', $pconfig['hash-algorithm']); + $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null; if (!empty($pconfig['mobile'])) { @@ -903,7 +914,7 @@ endforeach; ?> - 'MD5', @@ -915,7 +926,7 @@ endforeach; ?> ); foreach ($p1_halgos as $algo => $algoname) : ?> -