Disable IPsec phase1 or phase2 using DES and inform user why they were disabled since DES is no longer supported. It should fix #5543

2 files changed, 37 insertions, 1 deletions

diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index a1fd43d..cd10100 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -96,7 +96,7 @@ $g = array(
 	"disablecrashreporter" => false,
 	"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
 	"debug" => false,
-	"latest_config" => "13.2",
+	"latest_config" => "13.3",
 	"nopkg_platforms" => array("cdrom"),
 	"minimum_ram_warning" => "101",
 	"minimum_ram_warning_text" => "128 MB",
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index 6867522..fa411fc 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -4203,4 +4203,40 @@ function upgrade_131_to_132() {
 		clear_all_log_files(false);
 	}
 }
+
+function upgrade_132_to_133() {
+	global $config;
+
+	if (isset($config['ipsec']['phase1']) &&
+	    is_array($config['ipsec']['phase1'])) {
+		foreach ($config['ipsec']['phase1'] as &$p1) {
+			if (isset($p1['encryption-algorithm']['name']) &&
+			    $p1['encryption-algorithm']['name'] == 'des') {
+				$p1['disabled'] = true;
+				file_notice("IPsec",
+				    "DES is no longer supported, IPsec phase 1 " .
+				    "item '{$p1['descr']}' is being disabled.");
+			}
+		}
+	}
+
+	if (isset($config['ipsec']['phase2']) &&
+	    is_array($config['ipsec']['phase2'])) {
+		foreach ($config['ipsec']['phase2'] as &$p2) {
+			if (!isset($p2['encryption-algorithm-option']) ||
+			    !is_array($p2['encryption-algorithm-option'])) {
+				continue;
+			}
+
+			foreach ($p2['encryption-algorithm-option'] as $ealgo) {
+				if ($ealgo['name'] == 'des') {
+					$p2['disabled'] = true;
+					file_notice("IPsec",
+					    "DES is no longer supported, IPsec phase 2 " .
+					    "item '{$p2['descr']}' is being disabled.");
+				}
+			}
+		}
+	}
+}
 ?>