author | Ermal <eri@pfsense.org> | 2012-11-14 19:31:09 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2012-11-14 19:31:09 +0000 |
commit | 52c9f9faafec960a9016fd9b41f32660beff61a2 (patch) | |
tree | c1755bef8baefdf578c10529d9515d809e309c42 | |
parent | 9a6d6728e8ca7b4a2264d420892a90cadb83f29e (diff) | |
Allow other system authentication types to be used with ipsec. LDAP/RADIUS/local acc
-rw-r--r-- | etc/inc/ipsec.attributes.php | 183 | ||||
-rwxr-xr-x | etc/inc/ipsec.auth-user.php | 134 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 201 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_mobile.php | 46 |
4 files changed, 423 insertions, 141 deletions
diff --git a/etc/inc/ipsec.attributes.php b/etc/inc/ipsec.attributes.php
new file mode 100644
index 0000000..bad0170
--- /dev/null
+++ b/etc/inc/ipsec.attributes.php
@@ -0,0 +1,183 @@
+<?php
+/*
+ Copyright (C) 2011-2012 Ermal Luçi
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+if (empty($common_name)) {
+ $common_name = getenv("common_name");
+ if (empty($common_name))
+ $common_name = getenv("username");
+}
+
+function cisco_to_cidr($addr) {
+ if (!is_ipaddr($addr))
+ return 0;
+ $mask = decbin(~ip2long($addr));
+ $mask = substr($mask, -32);
+ $k = 0;
+ for ($i = 0; $i <= 32; $i++) {
+ $k += intval($mask[$i]);
+ }
+ return $k;
+}
+
+function cisco_extract_index($prule) {
+
+ $index = explode("#", $prule);
+ if (is_numeric($index[1]))
+ return intval($index[1]);
+ else
+ syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
+ return -1;;
+}
+
+function parse_cisco_acl($attribs) {
+ global $attributes;
+ if (!is_array($attribs))
+ return "";
+
+ $devname = "enc0";
+ $finalrules = "";
+ if (is_array($attribs['ciscoavpair'])) {
+ $inrules = array();
+ $outrules = array();
+ foreach ($attribs['ciscoavpair'] as $avrules) {
+ $rule = explode("=", $avrules);
+ $dir = "";
+ if (strstr($rule[0], "inacl")) {
+ $dir = "in";
+ } else if (strstr($rule[0], "outacl"))
+ $dir = "out";
+ else if (strstr($rule[0], "dns-servers")) {
+ $attributes['dns-servers'] = explode(" ", $rule[1]);
+ continue;
+ } else if (strstr($rule[0], "route")) {
+ if (!is_array($attributes['routes']))
+ $attributes['routes'] = array();
+ $attributes['routes'][] = $route[1];
+ continue;
+ }
+ $rindex = cisco_extract_index($rule[0]);
+ if ($rindex < 0)
+ continue;
+
+ $rule = $rule[1];
+ $rule = explode(" ", $rule);
+ $tmprule = "";
+ $index = 0;
+ $isblock = false;
+ if ($rule[$index] == "permit")
+ $tmprule = "pass {$dir} quick on {$devname} ";
+ else if ($rule[$index] == "deny") {
+ //continue;
+ $isblock = true;
+ $tmprule = "block {$dir} quick on {$devname} ";
+ } else {
+ continue;
+ }
+
+ $index++;
+
+ switch ($rule[$index]) {
+ case "tcp":
+ case "udp":
+ $tmprule .= "proto {$rule[$index]} ";
+ break;
+
+ }
+
+ $index++;
+ /* Source */
+ if (trim($rule[$index]) == "host") {
+ $index++;
+ $tmprule .= "from {$rule[$index]} ";
+ $index++;
+ if ($isblock == true)
+ $isblock = false;
+ } else if (trim($rule[$index]) == "any") {
+ $tmprule .= "from any";
+ $index++;
+ } else {
+ $tmprule .= "from $rule[$index]";
+ $index++;
+ $netmask = cisco_to_cidr($rule[$index]);
+ $tmprule .= "/{$netmask} ";
+ $index++;
+ if ($isblock == true)
+ $isblock = false;
+ }
+ /* Destination */
+ if (trim($rule[$index]) == "host") {
+ $index++;
+ $tmprule .= "to {$rule[$index]} ";
+ $index++;
+ if ($isblock == true)
+ $isblock = false;
+ } else if (trim($rule[$index]) == "any") {
+ $index++;
+ $tmprule .= "to any";
+ } else {
+ $tmprule .= "to $rule[$index]";
+ $index++;
+ $netmask = cisco_to_cidr($rule[$index]);
+ $tmprule .= "/{$netmask} ";
+ $index++;
+ if ($isblock == true)
+ $isblock = false;
+ }
+
+ if ($isblock == true)
+ continue;
+
+ if ($dir == "in")
+ $inrules[$rindex] = $tmprule;
+ else if ($dir == "out")
+ $outrules[$rindex] = $tmprule;
+ }
+
+
+ $state = "";
+ if (!empty($outrules))
+ $state = "no state";
+ ksort($inrules, SORT_NUMERIC);
+ foreach ($inrules as $inrule)
+ $finalrules .= "{$inrule} {$state}\n";
+ if (!empty($outrules)) {
+ ksort($outrules, SORT_NUMERIC);
+ foreach ($outrules as $outrule)
+ $finalrules .= "{$outrule} {$state}\n";
+ }
+ }
+ return $finalrules;
+}
+
+$rules = parse_cisco_acl($attributes);
+if (!empty($rules)) {
+ @file_put_contents("/tmp/{$common_name}.rules", $rules);
+ mwexec("/sbin/pfctl -a \"ipsec/{$common_name}\" -f {$g['tmp_path']}/{$common_name}.rules");
+ @unlink("{$g['tmp_path']}/{$common_name}.rules");
+}
+
+?>
diff --git a/etc/inc/ipsec.auth-user.php b/etc/inc/ipsec.auth-user.php
new file mode 100755
index 0000000..9c51bf4
--- /dev/null
+++ b/etc/inc/ipsec.auth-user.php
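Review bot: `$common_name`, read from the environment at the top of the file (falling back to the peer-supplied `username`), is interpolated unescaped into both the pfctl anchor name and the rules file path in the final block, and `mwexec()` appears to run the command through a shell, so a name containing quotes, spaces or `/` breaks the command or changes which file is written; validate it against a strict pattern before use, for example `if (!preg_match('/^[A-Za-z0-9_.@-]+$/', $common_name)) exit(1);` (a constructed example), and pass `escapeshellarg("ipsec/{$common_name}")` to pfctl. The file is also written to a hard-coded `/tmp/{$common_name}.rules` but loaded and unlinked from `{$g['tmp_path']}`, so the two paths only agree when `tmp_path` happens to be `/tmp`. In `parse_cisco_acl()` the `route` branch appends `$route[1]`, which is never assigned — it should read `$attributes['routes'][] = $rule[1];`. `cisco_to_cidr()` iterates `$i <= 32` over a 32-character string, so the last pass reads past the end; the bound should be `$i < 32`. `$g` is not declared in this file and is presumably in scope only because the file is included from the authentication script.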
@@ -0,0 +1,134 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ ipsec.auth-user.php
+
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2010 Ermal Luçi
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ DISABLE_PHP_LINT_CHECKING
+*/
+/*
+ pfSense_BUILDER_BINARIES:
+ pfSense_MODULE: openvpn
+*/
+/*
+ * racoon calls this script to authenticate a user
+ * based on a username and password. We lookup these
+ * in our config.xml file and check the credentials.
+ */
+
+require_once("globals.inc");
+require_once("config.inc");
+require_once("radius.inc");
+require_once("auth.inc");
+require_once("interfaces.inc");
+
+/**
+ * Get the NAS-Identifier
+ *
+ * We will use our local hostname to make up the nas_id
+ */
+if (!function_exists("getNasID")) {
+function getNasID()
+{
+ global $g;
+
+ $nasId = "";
+ exec("/bin/hostname", $nasId);
+ if(!$nasId[0])
+ $nasId[0] = "{$g['product_name']}";
+ return $nasId[0];
+}
+}
+
+/**
+ * Get the NAS-IP-Address based on the current wan address
+ *
+ * Use functions in interfaces.inc to find this out
+ *
+ */
+if (!function_exists("getNasIP")) {
+function getNasIP()
+{
+ $nasIp = get_interface_ip();
+ if(!$nasIp)
+ $nasIp = "0.0.0.0";
+ return $nasIp;
+}
+}
+/* setup syslog logging */
+openlog("racoon", LOG_ODELAY, LOG_AUTH);
+
+/* read data from environment */
+$username = getenv("username");
+$password = getenv("password");
+$common_name = getenv("common_name");
+
+if (!$username || !$password) {
+ syslog(LOG_ERR, "invalid user authentication environment");
+ exit(-1);
+}
+
+/* Replaced by a sed with propper variables used below(ldap parameters. */
+//<template>
+
+if (file_exists("{$g['varetc_path']}/ipsec/{$modeid}.ca")) {
+ //putenv("LDAPTLS_CACERT={$g['varetc_path']}/ipsec/{$ikeid}.crt");
+ putenv("LDAPTLS_CACERTDIR={$g['varetc_path']}/ipsec");
+ putenv("LDAPTLS_REQCERT=never");
+}
+
+$authenticated = false;
+
+if (($strictusercn === true) && ($common_name != $username)) {
+ syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
+ exit(1);
+}
+
+$attributes = array();
+foreach ($authmodes as $authmode) {
+ $authcfg = auth_get_authserver($authmode);
+ if (!$authcfg && $authmode != "local")
+ continue;
+
+ $authenticated = authenticate_user($username, $password, $authcfg, $attributes);
+ if ($authenticated == true)
+ break;
+}
+
+if ($authenticated == false) {
+ syslog(LOG_WARNING, "user {$username} could not authenticate.\n");
+ exit(-1);
+}
+
+if (file_exists("/etc/inc/ipsec.attributes.php"))
+ include_once("/etc/inc/ipsec.attributes.php");
+
+syslog(LOG_NOTICE, "user {$username} authenticated\n");
+
+exit(0);
+
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index c5ced75..5e92fe8 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -84,6 +84,7 @@ function vpn_ipsec_configure($ipchg = false)
 if ($g['platform'] == 'jail')
 return;
+ /* get the automatic ping_hosts.sh ready */
 unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
 touch("{$g['vardb_path']}/ipsecpinghosts");
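Review bot: `putenv("LDAPTLS_REQCERT=never")` turns off LDAP server certificate verification for every LDAP backend the script consults, which makes the `LDAPTLS_CACERTDIR` set on the line above it pointless and removes the protection against an impersonated directory server receiving the user's credentials; with the CA files placed in `{$g['varetc_path']}/ipsec` by this same commit the setting should be `putenv("LDAPTLS_REQCERT=demand");`. The guarding `file_exists()` tests `{$modeid}.ca`, but `$modeid` is never assigned in this script nor injected by the template substitution, so the branch is keyed on a file literally named `.ca`, and the commented-out line refers to yet another unset `$ikeid`. `$authmodes` and `$strictusercn` only exist once `//<template>` has been replaced; a comment there such as `// generator injects $authmodes (array of backend names) and optionally $strictusercn` would let the file be read on its own. Exit statuses are mixed (`exit(-1)` for most failures, `exit(1)` for the CN mismatch); one documented non-zero value is easier for the racoon side to reason about.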
@@ -97,16 +98,15 @@ function vpn_ipsec_configure($ipchg = false)
 $a_client = $config['ipsec']['client'];
 if (!isset($ipseccfg['enable'])) {
- mwexec("/sbin/ifconfig enc0 down");
-
- /* send a SIGKILL to be sure */
- sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
-
- /* kill racoon */
- if(is_process_running("racoon"))
- mwexec("/usr/bin/killall racoon", true);
+ /* try to stop racoon*/
+ killbypid("{$g['varrun_path']}/racoon.pid");
+ /* Stop dynamic monitoring */
 killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
+ /* kill racoon forcefully */
+ if (is_process_running("racoon"))
+ mwexec("/usr/bin/killall -9 racoon", true);
+ /* wait for racoon process to die */
 sleep(2);
@@ -115,12 +115,20 @@ function vpn_ipsec_configure($ipchg = false)
 mwexec("/usr/local/sbin/setkey -FP");
 /* disallow IPSEC, it is off */
+ mwexec("/sbin/ifconfig enc0 down");
 exec("/sbin/sysctl net.inet.ip.ipsec_in_use=0");
 return true;
 } else {
 mwexec("/sbin/ifconfig enc0 up");
 mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
+ /* needed for racoonctl admin socket */
+ if (!is_dir("/var/db/racoon"))
+ mkdir("/var/db/racoon/");
+ /* needed for config files */
+ if (!is_dir("{$g['varetc_path']}/ipsec"))
+ mkdir("{$g['varetc_path']}/ipsec");
+
 if ($g['booting'])
 echo gettext("Configuring IPsec VPN... ");
@@ -218,7 +226,7 @@ function vpn_ipsec_configure($ipchg = false)
 $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
 }
 }
- file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
+ @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
 }
 }
 }
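Review bot: In the disable branch the forceful `killall -9 racoon` now runs immediately after `killbypid()`, ahead of the `sleep(2)` whose comment says it waits for racoon to die, so the graceful stop never gets a chance and the wait is spent on a process that is already gone; move the `if (is_process_running("racoon"))` / `mwexec("/usr/bin/killall -9 racoon", true);` pair below `sleep(2);`, which is the order `vpn_ipsec_force_reload()` uses later in this commit. In the enable branch the two `mkdir()` calls use the default mode; `{$g['varetc_path']}/ipsec` will hold `psk.txt` and the generated authentication script, so `mkdir("{$g['varetc_path']}/ipsec", 0700);` keeps the directory from being listed by other local users even if a later `chmod` is missed. The enclosing `vpn_ipsec_configure()` begins and ends outside these hunks.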
@@ -236,21 +244,14 @@ function vpn_ipsec_configure($ipchg = false)
 log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
 continue;
 }
- $fname = $g['varetc_path']."/".$x509cert['hash'].".0";
- if (!file_put_contents($fname, $cert)) {
+ $fname = "{$g['varetc_path']}/ipsec/{$x509cert['hash']}.0";
+ if (!@file_put_contents($fname, $cert)) {
 log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
 continue;
 }
 }
 }
- /* generate psk.txt */
- $fd = fopen("{$g['varetc_path']}/psk.txt", "w");
- if (!$fd) {
- printf(gettext("Error: cannot open psk.txt in vpn_ipsec_configure().") . "\n");
- return 1;
- }
-
 $pskconf = "";
 if (is_array($a_phase1) && count($a_phase1)) {
@@ -300,21 +301,14 @@ function vpn_ipsec_configure($ipchg = false)
 }
 }
- fwrite($fd, $pskconf);
- fclose($fd);
- chmod("{$g['varetc_path']}/psk.txt", 0600);
+ @file_put_contents("{$g['varetc_path']}/ipsec/psk.txt", $pskconf);
+ chmod("{$g['varetc_path']}/ipsec/psk.txt", 0600);
 /* begin racoon.conf */
- if ((is_array($a_phase1) && count($a_phase1)) ||
- (is_array($a_phase2) && count($a_phase2))) {
-
- $fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
- if (!$fd) {
- printf(gettext("Error: cannot open racoon.conf in vpn_ipsec_configure().") . "\n");
- return 1;
- }
+ $racoonconf = "";
+ if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
- $racoonconf = "# This file is automatically generated. Do not edit\n";
+ $racoonconf .= "# This file is automatically generated. Do not edit\n";
 $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
 $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n";
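Review bot: `psk.txt` is now written to `{$g['varetc_path']}/ipsec/psk.txt`, but the context line just below still emits `path pre_shared_key "{$g['varetc_path']}/psk.txt"` into racoon.conf, so racoon keeps reading the old location and will see stale keys, or none on a fresh install; change it to `$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/ipsec/psk.txt\";\n\n";`. The hash-named CA files were likewise moved into `ipsec/` while `path certificate` still points at `{$g['varetc_path']}`; if that directive is what resolves them for racoon, it should become `$racoonconf .= "path certificate \"{$g['varetc_path']}/ipsec\";\n\n";`. The `@file_put_contents()` + `chmod(..., 0600)` pair also leaves the key file at the process umask until the chmod runs and, unlike the removed `fopen()` check, reports nothing when the write fails; calling `touch()` and `chmod()` before the write, or testing the return value, restores both properties. `vpn_ipsec_configure()` begins and ends outside these hunks.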
@@ -336,9 +330,9 @@ function vpn_ipsec_configure($ipchg = false)
 $racoonconf .= "\nmode_cfg\n";
 $racoonconf .= "{\n";
- if ($a_client['user_source'])
- $racoonconf .= "\tauth_source {$a_client['user_source']};\n";
- if ($a_client['group_source'])
+ if (!empty($a_client['user_source']) && $a_client['user_source'] != "none")
+ $racoonconf .= "\tauth_source external;\n";
+ if (!empty($a_client['group_source']) && $a_client['group_source'] != "none")
 $racoonconf .= "\tgroup_source {$a_client['group_source']};\n";
 if ($a_client['pool_address'] && $a_client['pool_netbits']) {
@@ -406,16 +400,7 @@ function vpn_ipsec_configure($ipchg = false)
 $racoonconf .= "\tpfs_group {$a_client['pfs_group']};\n";
 if ($a_client['login_banner']) {
- $fn = "{$g['varetc_path']}/racoon.motd";
- $fd1 = fopen($fn, "w");
- if (!$fd1) {
- printf(gettext("Error: cannot open server %s in vpn.\n"), $fn);
- return 1;
- }
-
- fwrite($fd1, $a_client['login_banner']);
- fclose($fd1);
-
+ @file_put_contents("{$g['varetc_path']}/ipsec/racoon.motd", $a_client['login_banner']);
 $racoonconf .= "\tbanner \"{$fn}\";\n";
 }
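Review bot: In the login-banner block the removed `$fn = ...` line was the only assignment of `$fn`, so the kept `$racoonconf .= "\tbanner \"{$fn}\";\n";` now emits an empty path (or a stale one, if the variable is set elsewhere in the function, which is not visible here) while the banner text goes to `{$g['varetc_path']}/ipsec/racoon.motd`; add `$fn = "{$g['varetc_path']}/ipsec/racoon.motd";` before the `@file_put_contents()` call and write to `$fn`. The new `auth_source` test (`!empty(...) && ... != "none"`) is the right shape and should be reused verbatim where the external auth script is generated later in this function, which checks only `!= "none"` and therefore also fires for an unset value. `vpn_ipsec_configure()` begins and ends outside these hunks.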
@@ -426,33 +411,23 @@ function vpn_ipsec_configure($ipchg = false)
 }
 /* end mode_cfg section */
-// Disable this for now, when LDAP support returns it will be via external script auth,
-// since we no longer build racoon with LDAP integrated. This is only preventing racoon from running.
-//
-// if ($a_client['user_source'] != "system") {
-// if (is_array($config['system']['authserver'])) {
-// foreach ($config['system']['authserver'] as $authcfg) {
-// if ($authcfg['type'] == 'ldap' and $authcfg['name'] == $a_client['user_source'])
-// $thisauthcfg = $authcfg;
-// }
-//
-// /* begin ldapcfg */
-// $racoonconf .= "ldapcfg {\n";
-// $racoonconf .= "\tversion 3;\n";
-// $racoonconf .= "\thost \"".$thisauthcfg['host']."\";\n";
-// $lport = "389";
-// if ($authcfg['port'] != "")
-// $lport = $authcfg['port'];
-// $racoonconf .= "\tport ".$lport.";\n";
-// $racoonconf .= "\tbase \"".$thisauthcfg['ldap_basedn']."\";\n";
-// $racoonconf .= "\tsubtree on;\n";
-// $racoonconf .= "\tbind_dn \"".$thisauthcfg['ldap_binddn']."\";\n";
-// $racoonconf .= "\tbind_pw \"".$thisauthcfg['ldap_bindpw']."\";\n";
-// $racoonconf .= "\tattr_user \"".$thisauthcfg['ldap_attr_user']."\";\n";
-// $racoonconf .= "}\n\n";
-// /* end ldapcfg */
-// }
-// }
+ if ($a_client['user_source'] != "none") {
+ $authcfgs = explode(",", $a_client['user_source']);
+ $sed = "\$authmodes=array(";
+ $firstsed = 0;
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $sed .= ",";
+ $firstsed = 1;
+ $sed .= "\"{$authcfg}\"";
+ }
+ $sed .= ");\\\n";
+ if ($a_client['strictusercn'])
+ $sed .= "\$strictusercn = true;";
+ mwexec("/bin/cat /etc/inc/ipsec.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/ipsec/ipsec.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/ipsec/ipsec.php");
+ $racoonconf .= "extcfg { script \"{$g['varetc_path']}/ipsec/ipsec.php\" }\n";
+ }
 /* begin remote sections */
 if (is_array($a_phase1) && count($a_phase1)) {
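Review bot: The authentication script is generated by piping the template through a shell `sed` whose replacement text is assembled from `$a_client['user_source']`, a value that arrives from the web form; a backend name containing `/`, `&`, `'` or a double quote breaks the sed expression or the PHP string literal it is spliced into, and the result is executed by racoon on every login. Doing the substitution in PHP with `str_replace()` and emitting the list with `var_export()` removes the shell round-trip and yields a valid literal for any name. The `!= "none"` test is also looser than the `!empty(...) && ... != "none"` check used for `auth_source` earlier in the function, so an unset value still produces a script with `$authmodes=array("")`. A rewrite of the block follows; `vpn_ipsec_configure()` begins and ends outside the hunk.
```php
	if (!empty($a_client['user_source']) && $a_client['user_source'] != "none") {
		$authcfgs = explode(",", $a_client['user_source']);
		/* build the substitution in PHP so backend names are emitted as valid string literals, not shell/sed text */
		$template = "\$authmodes = " . var_export($authcfgs, true) . ";\n";
		if ($a_client['strictusercn'])
			$template .= "\$strictusercn = true;\n";
		$script = str_replace("//<template>", $template, file_get_contents("/etc/inc/ipsec.auth-user.php"));
		@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.php", $script);
		chmod("{$g['varetc_path']}/ipsec/ipsec.php", 0755);
		$racoonconf .= "extcfg { script \"{$g['varetc_path']}/ipsec/ipsec.php\" }\n";
	}
```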
@@ -838,20 +813,12 @@ EOD;
 /* end sainfo */
 }
 /* end sainfo sections */
-
- fwrite($fd, $racoonconf);
- fclose($fd);
 }
+ @file_put_contents("{$g['varetc_path']}/ipsec/racoon.conf", $racoonconf);
 /* end racoon.conf */
 /* generate IPsec policies */
 /* generate spd.conf */
- $fd = fopen("{$g['varetc_path']}/spd.conf", "w");
- if (!$fd) {
- printf(gettext("Error: cannot open spd.conf in vpn_ipsec_configure().") . "\n");
- return 1;
- }
-
 $spdconf = "";
 $natfilterrules = false;
 if (is_array($a_phase2) && count($a_phase2)) {
@@ -966,19 +933,14 @@ EOD;
 }
 }
 }
- fwrite($fd, $spdconf);
- fclose($fd);
+ @file_put_contents("{$g['varetc_path']}/ipsec/spd.conf", $spdconf);
- /* needed for racoonctl admin socket */
- if (!is_dir("/var/db/racoon"))
- mkdir("/var/db/racoon/");
-
 /* mange racoon process */
 if (is_process_running("racoon")) {
 sleep("0.1");
 mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);
 /* load SPD without flushing to be safe on config additions or changes. */
- mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
+ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/ipsec/spd.conf", false);
 } else {
 /* flush SA + SPD entries */
 mwexec("/usr/local/sbin/setkey -FP", false);
@@ -987,10 +949,10 @@ EOD;
 sleep("0.1");
 /* start racoon */
 $ipsecdebug = isset($config['ipsec']['racoondebug']) ? "-d -v" : "";
- mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/racoon.conf", false);
+ mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/ipsec/racoon.conf", false);
 sleep("0.1");
 /* load SPD */
- mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
+ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/ipsec/spd.conf", false);
 }
 if ($natfilterrules == true)
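Review bot: The `racoon.conf` and `spd.conf` writes in these hunks use `@file_put_contents()` and discard the result, whereas the removed `fopen()` checks printed an error and returned 1; a failed write now proceeds straight to `racoonctl reload-config` / `setkey -f` against a missing or stale file with nothing in the log. Keep the suppression if desired but test the value, e.g. `if (@file_put_contents("{$g['varetc_path']}/ipsec/racoon.conf", $racoonconf) === false) { log_error(gettext("Error: cannot write racoon.conf")); return 1; }`, and the same for spd.conf (and psk.txt earlier in the function). The `racoon.conf` write is also unconditional now, so an empty file is produced when there are no phase1/phase2 entries where the old code wrote nothing; a one-line comment stating that this is intended would save the next reader a check. `vpn_ipsec_configure()` begins and ends outside these hunks.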
@@ -1005,11 +967,11 @@ EOD;
 array_unique($filterdns_list);
 foreach ($filterdns_list as $hostname)
 $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
- file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames);
+ file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
 killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
 sleep(1);
- mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1");
+ mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
 }
 vpn_ipsec_failover_configure();
@@ -1021,7 +983,8 @@ EOD;
 return 0;
 }
-/* Forcefully restart IPsec
+/*
+ * Forcefully restart IPsec
 * This is required for when dynamic interfaces reload
 * For all other occasions the normal vpn_ipsec_configure()
 * will gracefully reload the settings without restarting
@@ -1032,15 +995,15 @@ function vpn_ipsec_force_reload() {
 $ipseccfg = $config['ipsec'];
- /* kill racoon */
- if(is_process_running("racoon"))
- mwexec("/usr/bin/killall racoon", true);
+ /* send a SIGKILL to be sure */
+ killbypid("{$g['varrun_path']}/racoon.pid");
 /* wait for process to die */
 sleep(4);
- /* send a SIGKILL to be sure */
- sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
+ /* kill racoon forcefully */
+ if (is_process_running("racoon"))
+ mwexec("/usr/bin/killall -9 racoon", true);
 /* wait for flushing to finish */
 sleep(1);
@@ -1050,7 +1013,6 @@ function vpn_ipsec_force_reload() {
 log_error(gettext("Forcefully reloading IPsec racoon daemon"));
 vpn_ipsec_configure();
 }
- }
 /* master setup for vpn (mpd) */
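Review bot: In `vpn_ipsec_force_reload()` the comment `/* send a SIGKILL to be sure */` now sits above `killbypid()`, the same ordinary stop the disable path uses, while the actual SIGKILL is the `killall -9` a few lines later; reword it to `/* ask racoon to stop via its pid file */` so the two comments describe what the calls do. The filterdns hunk writes `filterdns-ipsec.hosts` with a bare `file_put_contents()` while every other write in this commit is `@`-suppressed; either is defensible, but the mix reads as accidental. `$g` is read in `vpn_ipsec_force_reload()` but the function header with its `global` declaration is outside the hunk, so that cannot be confirmed here.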
@@ -1713,54 +1675,41 @@ function vpn_ipsec_refresh_policies() {
 }
 /* Walk the Ipsec tunnel array */
- if (!is_array($a_phase1) || (!count($a_phase1))) {
+ if (!is_array($a_phase1) || (!count($a_phase1)))
 return;
- }
 foreach ($a_phase1 as $phase1) {
- if (isset($phase1['disabled'])) {
+ if (isset($phase1['disabled']))
 continue;
- }
- if (is_ipaddr($phase1['remote-gateway'])) {
+ if (is_ipaddr($phase1['remote-gateway']))
 continue;
- }
 if (!is_ipaddr($phase1['remote-gateway'])) {
 $dnscache = compare_hostname_to_dnscache($phase1['remote-gateway']);
 $dnscache = trim($dnscache);
 /* we should have the old IP addresses in the dnscache now */
- if($dnscache <> "") {
+ if(!empty($dnscache)) {
 $oldphase1 = $phase1;
- $oldphase1['remote-gateway'] = trim($dnscache);
+ $oldphase1['remote-gateway'] = $dnscache;
 /* now we need to find all tunnels for this host */
- if (!is_array($a_phase2) || (!count($a_phase2))) {
+ if (!is_array($a_phase2) || (!count($a_phase2)))
 continue;
- }
 foreach ($a_phase2 as $phase2) {
- if($phase2['ikeid'] == $phase1['ikeid']) {
+ if ($phase2['ikeid'] == $phase1['ikeid'])
 reload_tunnel_spd_policy ($phase1, $phase2, $oldphase1, $oldphase2);
- }
 }
 }
 }
 }
- /* process all generated spd.conf files from tmp which are left behind
- * behind by either changes of dynamic tunnels or manual edits
- * scandir() is only available in PHP5 */
- $tmpfiles = array();
- $dh = opendir($g['tmp_path']);
- while (false !== ($filename = readdir($dh))) {
- if(preg_match("/^spd.conf.reload./", $filename)) {
- $tmpfiles[] = $filename;
- }
- }
- sort($tmpfiles);
+ /* process all generated temporary spd.conf files */
+ $tmpfiles = glob("{$g['tmp_path']}/spd.conf.reload.*");
 foreach($tmpfiles as $tmpfile) {
- $ret = mwexec("/usr/local/sbin/setkey -f {$g['tmp_path']}/{$tmpfile} 2>&1", false);
- if($ret == 0) {
- unlink_if_exists("{$g['tmp_path']}/{$tmpfile}");
- } else {
- rename("{$g['tmp_path']}/{$tmpfile}", ("{$g['tmp_path']}/failed.{$tmpfile}"));
+ $ret = mwexec("/usr/local/sbin/setkey -f {$tmpfile} 2>&1", false);
+ if ($ret == 0)
+ unlink_if_exists($tmpfile);
+ else {
+ $tmpfile = basename($tmpfile);
+ @rename("{$g['tmp_path']}/{$tmpfile}", ("{$g['tmp_path']}/failed.{$tmpfile}"));
 }
 }
 }
@@ -1888,7 +1837,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 $now = time();
 $spdfile = tempnam("{$g['tmp_path']}", "spd.conf.reload.{$now}.");
 /* generate temporary spd.conf */
- file_put_contents($spdfile, $spdconf);
+ @file_put_contents($spdfile, $spdconf);
 return true;
 }
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index 539b483..10a96b2 100755
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -186,7 +186,8 @@ if ($_POST['submit']) {
 if ($pconfig['enable'])
 $client['enable'] = true;
- $client['user_source'] = $pconfig['user_source'];
+ if (!empty($pconfig['user_source']))
+ $client['user_source'] = implode(",", $pconfig['user_source']);
 $client['group_source'] = $pconfig['group_source'];
 if ($pconfig['pool_enable']) {
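Review bot: `glob()` returns `false` on error (and on some platforms for a no-match case), so the new `foreach($tmpfiles as $tmpfile)` would warn and skip instead of iterating an empty list; guard it with `if (!is_array($tmpfiles)) $tmpfiles = array();` or iterate `(array) $tmpfiles`. The failure branch reassigns `$tmpfile` to its basename and then rebuilds the path from `{$g['tmp_path']}`, which only holds because the glob pattern is rooted in that same directory; a one-line comment saying so would keep a later change to the pattern from silently breaking the rename. The removed `sort()` is covered since `glob()` sorts unless `GLOB_NOSORT` is passed. `vpn_ipsec_refresh_policies()` starts outside the hunk.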
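Review bot: The submitted `user_source[]` values are joined into the configuration without being checked against `auth_get_authserver_list()`, and selecting `none` together with a real backend yields a value such as `none,ldap1` that the `!= "none"` tests in vpn.inc no longer treat as disabled; filter the list to known names and drop `none` whenever anything else is selected before the `implode()`. Because the assignment is now skipped when nothing is selected, whatever `$client['user_source']` held before the POST survives if `$client` is seeded from the existing configuration (not visible here), so deselecting every backend cannot turn authentication off — an explicit `else $client['user_source'] = "none";` would preserve that intent. The surrounding POST handler begins outside the hunk.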
@@ -376,24 +377,39 @@ function login_banner_change() {
 <?=gettext("Extended Authentication (Xauth)"); ?>
 </td>
 </tr>
+<tr id="authmodetr" style="display:none">
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Backend for authentication");?></td>
+ <td width="78%" class="vtable">
+ <select name='authmode[]' id='authmode' class="formselect" multiple="true" size="<?php echo count($auth_servers); ?>">
+ <?php $authmodes = explode(",", $pconfig['authmode']); ?>
+ <?php
+ $auth_servers = auth_get_authserver_list();
+ foreach ($auth_servers as $auth_server):
+ $selected = "";
+ if (in_array($auth_server['name'], $authmodes))
+ $selected = "selected";
+ ?>
+ <option value="<?=$auth_server['name'];?>" <?=$selected;?>><?=$auth_server['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
 <tr>
 <td width="22%" valign="top" class="vncellreq"><?=gettext("User Authentication"); ?></td>
 <td width="78%" class="vtable">
 <?=gettext("Source"); ?>:
- <select name="user_source" class="formselect" id="user_source">
- <option value="system" <?php if ($pconfig['user_source'] == 'system') echo "selected"; ?>><?=gettext("system"); ?></option>
- <?php
- if (is_array($config['system']['authserver'])) {
- foreach ($config['system']['authserver'] as $authcfg) {
- if ($authcfg['type'] == 'ldap') {
- $selected = "";
- if ($pconfig['user_source'] == $authcfg['name'])
- $selected = "selected";
- echo "<option value='{$authcfg['name']}' {$selected} >{$authcfg['name']}</option>\n";
- }
- }
- }
- ?>
+ <select name="user_source[]" class="formselect" id="user_source" multiple="true" size="3">
+ <option value='none'>none</option>\n";
+ <?php
+ $authmodes = explode(",", $pconfig['user_source']);
+ $auth_servers = auth_get_authserver_list();
+ foreach ($auth_servers as $auth_server) {
+ $selected = "";
+ if (in_array($auth_server['name'], $authmodes))
+ $selected = "selected";
+ echo "<option value='{$auth_server['name']}' {$selected}>{$auth_server['name']}</option>\n";
+ }
+ ?>
</select> </td> </tr> |
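Review bot: The new `user_source[]` select emits `<option value='none'>none</option>\n";` as literal markup, so the characters `\n";` appear on the page beside the option — a leftover from converting an `echo`; the line should be `<option value='none'>none</option>`. Backend names are written into both the `value` attribute and the option text without escaping (the `<?=$auth_server['name'];?>` expressions and the `echo "<option value='{$auth_server['name']}' ..."` line), so a name containing a quote or `<` breaks the markup or injects into it; wrap each occurrence in `htmlspecialchars()`. The hidden `authmodetr` row reads `$pconfig['authmode']`, which nothing in this commit stores, and its `size="<?php echo count($auth_servers); ?>"` runs before `$auth_servers` is assigned two lines later, so the whole row looks like an earlier draft of the `user_source` select and could be dropped. The `login_banner_change()` named in the hunk header is not the scope of these lines; the form markup continues outside the hunk.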