From 36cde519cda29cdbb0f5b2194696463d8ec3be4c Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 12 Sep 2018 19:09:02 +0200
Subject: [PATCH] ipsec: multiple phase 1 dh groups #1852
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 13 ++++++---
 src/www/vpn_ipsec.php | 6 +++--
 src/www/vpn_ipsec_phase1.php | 42 +++++++++++++++--------------
 3 files changed, 35 insertions(+), 26 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 8e1454372..bb35c07c1 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1191,11 +1191,16 @@ EOD;
 $entry .= "{$ph1ent['encryption-algorithm']['keylen']}";
 }
 $entry .= "-{$halgo}";
- $modp = ipsec_convert_to_modp($ph1ent['dhgroup']);
- if (!empty($modp)) {
- $entry .= "-{$modp}";
+ if (!empty($ph1ent['dhgroup'])) {
+ foreach (explode(',', $ph1ent['dhgroup']) as $dhgrp) {
+ $entryd = $entry;
+ $modp = ipsec_convert_to_modp($dhgrp);
+ if (!empty($modp)) {
+ $entryd .= "-{$modp}";
+ }
+ $list[] = $entryd;
+ }
 }
- $list[] = $entry;
 }
 $ealgosp1 = 'ike = ' . implode(',', $list) . '!';
 }
diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php
index 4401c45a6..783137839 100644
--- a/src/www/vpn_ipsec.php
+++ b/src/www/vpn_ipsec.php
@@ -419,8 +419,10 @@ $( document ).ready(function() { } }?> + - + -   + + + +   +
diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index 65ed04022..5da60edd7 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
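Review bot: A phase 1 entry whose `dhgroup` is empty now contributes no proposal at all, because `$list[] = $entryd` only runs inside the `foreach` that is guarded by `!empty($ph1ent['dhgroup'])`, whereas the removed code appended `$entry` unconditionally (without a `-modp` suffix). Unless an empty DH group is rejected during input validation, the generated `ike = ...!` line silently loses every encryption/hash combination built in this iteration, which changes behaviour for existing configurations that never had a group set. Keeping the old fallback is a one-line fix, `} else { $list[] = $entry; }` after the new `if` block. Two selected groups that map to the same or an empty `$modp` also yield duplicate entries in `$list`; `implode(',', array_unique($list))` would keep the proposal string tidy. The loop that builds `$entry` starts outside the hunk.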
@@ -78,7 +78,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['interface'] = "wan";
 $pconfig['iketype'] = "ikev2";
 $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
- ,encryption-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
+ ,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal
 ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
 ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike";
 if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
@@ -100,16 +100,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 $pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']);
- if (!empty($config['ipsec']['phase1'][$p1index]['authservers'])) {
- $pconfig['authservers'] = explode(',', $config['ipsec']['phase1'][$p1index]['authservers']);
- } else {
- $pconfig['authservers'] = array();
- }
- if (!empty($config['ipsec']['phase1'][$p1index]['hash-algorithm'])) {
- $pconfig['hash-algorithm'] = explode(',', $config['ipsec']['phase1'][$p1index]['hash-algorithm']);
- } else {
- $pconfig['hash-algorithm'] = array();
+ foreach (array('authservers', 'dhgroup', 'hash-algorithm') as $fieldname) {
+ if (!empty($config['ipsec']['phase1'][$p1index][$fieldname])) {
+ $pconfig[$fieldname] = explode(',', $config['ipsec']['phase1'][$p1index][$fieldname]);
+ } else {
+ $pconfig[$fieldname] = array();
+ }
 }
+ $pconfig['remotebits'] = null;
 $pconfig['remotenet'] = null ;
 if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) {
@@ -133,7 +131,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['authentication_method'] = "pre_shared_key";
 $pconfig['encryption-algorithm'] = array("name" => "aes", "keylen" => "128");
 $pconfig['hash-algorithm'] = array('sha256');
- $pconfig['dhgroup'] = "14";
+ $pconfig['dhgroup'] = array('14');
 $pconfig['lifetime'] = "28800";
 $pconfig['nat_traversal'] = "on";
 $pconfig['authservers'] = array();
@@ -333,6 +331,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['hash-algorithm'] = array();
 }
+ if (empty($pconfig['dhgroup'])) {
+ $pconfig['dhgroup'] = array();
+ }
+
 foreach ($p1_ealgos as $algo => $algodata) {
 if (!empty($pconfig['iketype']) && !empty($pconfig['encryption-algorithm']['name']) && !empty($algodata['iketype']) && $pconfig['iketype'] != $algodata['iketype'] && $pconfig['encryption-algorithm']['name'] == $algo) {
@@ -342,7 +344,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (count($input_errors) == 0) {
 $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
- ,peerid_type,peerid_data,encryption-algorithm,dhgroup
+ ,peerid_type,peerid_data,encryption-algorithm,
 ,lifetime,pre-shared-key,certref,caref,authentication_method,descr
 ,nat_traversal,auto,mobike";
@@ -352,11 +354,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $ph1ent[$fieldname] = $pconfig[$fieldname];
 }
 }
- if (!empty($pconfig['authservers'])) {
- $ph1ent['authservers'] = implode(',', $pconfig['authservers']);
- }
- $ph1ent['hash-algorithm'] = implode(',', $pconfig['hash-algorithm']);
+ foreach (array('authservers', 'dhgroup', 'hash-algorithm') as $fieldname) {
+ if (!empty($pconfig[$fieldname])) {
+ $ph1ent[$fieldname] = implode(',', $pconfig[$fieldname]);
+ }
+ }
 $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false;
 $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
@@ -940,10 +943,9 @@ endforeach; ?> - gettext('off'), 1 => '1 (768 bits)', 2 => '2 (1024 bits)', 5 => '5 (1536 bits)',
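Review bot: The block added in the `@@ -333` hunk normalises a missing `dhgroup` to an empty array but raises no input error, so a phase 1 can be saved with no DH group selected even though the default in the `@@ -133` hunk is `array('14')`, which suggests at least one group is expected. Rejecting the empty selection at the boundary would be `if (empty($pconfig['dhgroup'])) { $input_errors[] = gettext('At least one DH group must be selected.'); }` in place of the silent reset. The validation block this sits in starts outside the hunk.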
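Review bot: The new `$copy_fields` line in the `@@ -342` hunk ends with a stray comma (`,encryption-algorithm,`) and the next line begins with `,lifetime`, so the exploded field list contains an empty-string name. That is harmless only if the copy loop skips names that are not set in `$pconfig`, which the `@@ -352` hunk suggests but does not show; dropping the trailing comma, `,peerid_type,peerid_data,encryption-algorithm`, keeps the list clean regardless.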
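Review bot: In the `@@ -352` hunk `hash-algorithm` was previously written unconditionally and is now skipped whenever `$pconfig['hash-algorithm']` is empty, with `dhgroup` following the same rule. If `$ph1ent` is seeded from the stored entry rather than a fresh array (its initialisation is above the hunk and not visible), a cleared selection would leave the old comma-separated value in the config; if it starts empty, the change is equivalent. Worth confirming where `$ph1ent` is initialised, or writing the field explicitly with `$ph1ent[$fieldname] = !empty($pconfig[$fieldname]) ? implode(',', $pconfig[$fieldname]) : null;` so the stored value always reflects the form.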
@@ -964,8 +966,8 @@ endforeach; ?> ); foreach ($p1_dhgroups as $keygroup => $keygroupname): ?> -