authorFredrik Rönnvall <fredronn@chalmers.se>2016-03-21 11:25:06 +0100
committerRenato Botelho <renato@netgate.com>2016-09-15 09:44:54 -0300
commit080e296714516b3e26e223ef550534a0b4ac0e54 (patch)
tree4dee712d7dd498d72fb4a19ad5d50b01cf954408 /src
parentd7b0d492a6abe8bc31e7e6a191d40be87ddf0eda (diff)
downloadpfsense-080e296714516b3e26e223ef550534a0b4ac0e54.zip
pfsense-080e296714516b3e26e223ef550534a0b4ac0e54.tar.gz
Improve handling of source-hash key
- Store the source-hash key in its own config field.
- Validate the provided source-hash key: hex string input must be of the form "0x" followed by 32 hexadecimal digits; any other string not starting with "0x" is hashed using md5 and stored as "0x" followed by the md5 hash.
- Correct style issues, making sure to follow the pfSense Developer Style Guide.
- Add the stored source-hash key config field in filter.inc, appending it to the poolopts variable.

(cherry picked from commit b2e511600bc804e77251b332e0d7d256828b794e)
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/filter.inc5
-rw-r--r--src/usr/local/www/firewall_nat_out_edit.php42
2 files changed, 27 insertions, 20 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 6fe8aaf..b7eba6c 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -2067,6 +2067,11 @@ function filter_nat_rules_generate() {
$obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target'];
$poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : "";
+ /* pool option source-hash allows specification of an optional source-hash key */
+ if ($poolopts == "source-hash" && isset($obent['source_hash_key'])) {
+ $poolopts = "source-hash ".$obent['source_hash_key'];
+ }
+
$natrules .= filter_nat_rules_generate_if($obent['interface'],
$src,
$obent['sourceport'],
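Review bot: The `isset()` guard on the new condition is satisfied by the empty string, which is exactly what firewall_nat_out_edit.php stores for every rule that has no key (it initialises `$source_hash_key = ""` and assigns it to `$natent['source_hash_key']` unconditionally in the hunk at -319), so a source-hash rule saved without a key is emitted as `source-hash ` with a trailing space. Because the value is concatenated straight into the generated ruleset, this check is also the last point where a malformed key can be stopped if it reaches the config by a path other than the edit form (a restored or hand-edited config.xml, for example), where the form's validation never runs. `if ($poolopts == "source-hash" && !empty($obent['source_hash_key']) && preg_match('/^0x[0-9a-f]{32}$/i', $obent['source_hash_key'])) {` covers both the empty case and the format. filter_nat_rules_generate() starts and ends outside the hunk.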
diff --git a/src/usr/local/www/firewall_nat_out_edit.php b/src/usr/local/www/firewall_nat_out_edit.php
index 6bac6f8..17dc578 100644
--- a/src/usr/local/www/firewall_nat_out_edit.php
+++ b/src/usr/local/www/firewall_nat_out_edit.php
@@ -128,13 +128,8 @@ if (isset($id) && $a_out[$id]) {
$pconfig['target'] = $a_out[$id]['target'];
$pconfig['targetip'] = $a_out[$id]['targetip'];
$pconfig['targetip_subnet'] = $a_out[$id]['targetip_subnet'];
- if (substr($a_out[$id]['poolopts'],0,11) == 'source-hash'){
- list($opts, $key) = split(" ",$a_out[$id]['poolopts']);
- $pconfig['source-hash-key']=$key;
- $pconfig['poolopts']=$opts;
- }else{
- $pconfig['poolopts']=$a_out[$id]['poolopts'];
- }
+ $pconfig['poolopts'] = $a_out[$id]['poolopts'];
+ $pconfig['source_hash_key'] = $a_out[$id]['source_hash_key'];
$pconfig['interface'] = $a_out[$id]['interface'];
if (!$pconfig['interface']) {
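Review bot: Entries saved before this change have no `source_hash_key` field and carry the key inside `poolopts` as `source-hash KEY`, and no upgrade step appears in the diffstat, so the new read on the `$pconfig['source_hash_key']` line raises an undefined-index notice for such rules and their key is no longer split out for display. They presumably keep generating the right rule, since a combined `poolopts` string does not match `"source-hash"` in filter.inc and passes through unchanged, but a rule re-saved from this form would likely lose the key. A guarded read, `$pconfig['source_hash_key'] = isset($a_out[$id]['source_hash_key']) ? $a_out[$id]['source_hash_key'] : "";`, removes the notice; splitting the legacy format belongs in a config upgrade step rather than here. The enclosing `if (isset($id) && $a_out[$id])` block starts and ends outside the hunk.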
@@ -265,6 +260,7 @@ if ($_POST) {
/* Verify Pool Options */
$poolopts = "";
+ $source_hash_key = "";
if ($_POST['poolopts']) {
if (is_subnet($_POST['target']) || ($_POST['target'] == "other-subnet")) {
$poolopts = $_POST['poolopts'];
@@ -275,8 +271,17 @@ if ($_POST) {
$input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias.");
}
}
- if ($_POST['source-hash-key']){
- $source_hash_key = $_POST['source-hash-key'];
+ /* If specified, verify valid source-hash key or generate a valid key using md5 */
+ if ($_POST['source_hash_key']) {
+ if (substr($_POST['source_hash_key'],0,2) == "0x") {
+ if (ctype_xdigit(substr($_POST['source_hash_key'],2)) && strlen($_POST['source_hash_key']) == 34) {
+ $source_hash_key = $_POST['source_hash_key'];
+ } else {
+ $input_errors[] = gettext("Incorrect format for source-hash key, \"0x\" must be followed by exactly 32 hexadecimal characters.");
+ }
+ } else {
+ $source_hash_key = "0x".md5($_POST['source_hash_key']);
+ }
}
}
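Review bot: The outer test `if ($_POST['source_hash_key'])` is a truthiness check, so a key of exactly `0` is silently dropped (the rule is stored with an empty key) while `00` is accepted and hashed; `if (isset($_POST['source_hash_key']) && $_POST['source_hash_key'] !== "") {` makes the intent explicit. The `0x` prefix test is also case-sensitive, so `0X` followed by 32 hex digits is MD5-hashed as an opaque string instead of being treated as hex; if pf accepts only the lowercase prefix, rejecting `0X` with the same error would be clearer than hashing it. The validation itself is sound as a defence for the ruleset: after this hunk only `0x` plus 32 hex digits, or an md5 digest, can leave this form. The enclosing `if ($_POST)` block starts and ends outside the hunk.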
@@ -319,11 +324,8 @@ if ($_POST) {
$natent['targetip'] = (!isset($_POST['nonat'])) ? $_POST['targetip'] : "";
$natent['targetip_subnet'] = (!isset($_POST['nonat'])) ? $_POST['targetip_subnet'] : "";
$natent['interface'] = $_POST['interface'];
- if($poolopts == 'source-hash' && isset($source_hash_key)){
- $natent['poolopts'] = $poolopts." ".$source_hash_key;
- }else{
- $natent['poolopts'] = $poolopts;
- }
+ $natent['poolopts'] = $poolopts;
+ $natent['source_hash_key'] = $source_hash_key;
/* static-port */
if (isset($_POST['staticnatport']) && $protocol_uses_ports && !isset($_POST['nonat'])) {
@@ -617,11 +619,11 @@ $section->addInput(new Form_Select(
'</ul><span class="help-block">');
$section->addInput(new Form_Input(
- 'source-hash-key',
+ 'source_hash_key',
'Source Hash Key',
'text',
- $pconfig['source-hash-key']
-))->setHelp('The key that is fed to the hashing algorithm in hex format or as a string, defaults to a randomly generated value.')->setWidth(10)->addClass('othersubnet');
+ $pconfig['source_hash_key']
+))->setHelp('The key that is fed to the hashing algorithm in hex format, preceeded by "0x", or any string. A non-hex string is hashed using md5 to a hexadecimal key. Defaults to a randomly generated value.')->setWidth(10)->addClass('othersubnet');
$group = new Form_Group('Port');
$group->addClass('natportgrp');
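Review bot: The new help text on the `setHelp` line misspells "preceded" as "preceeded"; `'The key that is fed to the hashing algorithm in hex format, preceded by "0x", or any string. A non-hex string is hashed using md5 to a hexadecimal key. Defaults to a randomly generated value.'` corrects it. The string is shown to every user of the form, so it is worth fixing before the cherry-pick lands.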
@@ -774,15 +776,15 @@ events.push(function() {
hideInput('poolopts', false);
hideGroupClass('othersubnet', false);
if ($('#poolopts option:selected').text().trim().substring(0,6) == "Source") {
- hideInput('source-hash-key', false);
+ hideInput('source_hash_key', false);
}else {
- hideInput('source-hash-key', true);
+ hideInput('source_hash_key', true);
}
} else {
$('#poolopts').prop('selectedIndex',0);
hideInput('poolopts', true);
hideGroupClass('othersubnet', true);
- hideInput('source-hash-key', true);
+ hideInput('source_hash_key', true);
$('#targetip').val('');
$('#targetip_subnet').val('0');
}