author | Ermal <eri@pfsense.org> | 2014-08-01 20:39:06 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-08-01 20:39:06 +0000 |
commit | 9b91568608add6749256d4c85b624985e53652e4 (patch) | |
tree | b933e8044acc6da5ae9804f427ac1d0323493229 /usr/local/www/vpn_ipsec_phase2.php | |
parent | fa0a1411026bcbf173fbe6d573dfc260ee883102 (diff) | |
download | pfsense-9b91568608add6749256d4c85b624985e53652e4.zip pfsense-9b91568608add6749256d4c85b624985e53652e4.tar.gz |
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Diffstat (limited to 'usr/local/www/vpn_ipsec_phase2.php')
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 133 |
1 files changed, 60 insertions, 73 deletions
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 6848efd..8a78065 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -51,35 +51,45 @@ if (!is_array($config['ipsec']['phase2'])) $a_phase2 = &$config['ipsec']['phase2']; -if (is_numericint($_GET['p2index'])) - $p2index = $_GET['p2index']; -if (isset($_POST['p2index']) && is_numericint($_POST['p2index'])) - $p2index = $_POST['p2index']; - -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) - $p2index = $_GET['dup']; +if (!empty($_GET['p2index'])) + $uindex = $_GET['p2index']; +if (!empty($_POST['uniqid'])) + $uindex = $_POST['uniqid']; + +if (!empty($_GET['dup'])) + $uindex = $_GET['dup']; + +$ph2found = false; +if (isset($uindex)) { + foreach ($a_phase2 as $p2index => $ph2) { + if ($ph2['uniqid'] == $uindex) { + $ph2found = true; + break; + } + } +} -if (isset($p2index) && $a_phase2[$p2index]) +if ($ph2found === true) { - $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid']; - $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']); - $pconfig['mode'] = $a_phase2[$p2index]['mode']; - $pconfig['descr'] = $a_phase2[$p2index]['descr']; - $old_ph2ent = $a_phase2[$p2index]; - - if (!empty($a_phase2[$p2index]['natlocalid'])) - idinfo_to_pconfig("natlocal",$a_phase2[$p2index]['natlocalid'],$pconfig); - idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig); - idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig); - - $pconfig['proto'] = $a_phase2[$p2index]['protocol']; - ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig); - $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option']; - $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup']; - $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime']; - $pconfig['pinghost'] = $a_phase2[$p2index]['pinghost']; - - if (isset($a_phase2[$p2index]['mobile'])) + $pconfig['ikeid'] = $ph2['ikeid']; + $pconfig['disabled'] = isset($ph2['disabled']); + $pconfig['mode'] = $ph2['mode']; + $pconfig['descr'] = $ph2['descr']; + $pconfig['uniqid'] = $ph2['uniqid']; + + if (!empty($ph2['natlocalid'])) + 
idinfo_to_pconfig("natlocal",$ph2['natlocalid'],$pconfig); + idinfo_to_pconfig("local",$ph2['localid'],$pconfig); + idinfo_to_pconfig("remote",$ph2['remoteid'],$pconfig); + + $pconfig['proto'] = $ph2['protocol']; + ealgos_to_pconfig($ph2['encryption-algorithm-option'],$pconfig); + $pconfig['halgos'] = $ph2['hash-algorithm-option']; + $pconfig['pfsgroup'] = $ph2['pfsgroup']; + $pconfig['lifetime'] = $ph2['lifetime']; + $pconfig['pinghost'] = $ph2['pinghost']; + + if (isset($ph2['mobile'])) $pconfig['mobile'] = true; } else @@ -94,14 +104,19 @@ else $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5"); $pconfig['pfsgroup'] = "0"; $pconfig['lifetime'] = "3600"; + $pconfig['uniqid'] = uniqid(); - /* mobile client */ - if($_GET['mobile']) - $pconfig['mobile']=true; + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) +unset($ph2); +if (!empty($_GET['dup'])) { + unset($uindex); unset($p2index); + $pconfig['uniqid'] = uniqid(); +} if ($_POST) { @@ -112,8 +127,8 @@ if ($_POST) { $input_errors[] = gettext("A valid ikeid must be specified."); /* input validation */ - $reqdfields = explode(" ", "localid_type halgos"); - $reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms")); + $reqdfields = explode(" ", "localid_type halgos uniqid"); + $reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms"), gettext("Unique Identifier")); if (!isset($pconfig['mobile'])){ $reqdfields[] = "remoteid_type"; $reqdfieldsn[] = gettext("Remote network type"); @@ -191,7 +206,7 @@ if ($_POST) { if (isset($pconfig['mobile'])){ /* User is adding phase 2 for mobile phase1 */ foreach($a_phase2 as $key => $name){ - if (isset($name['mobile'])){ + if (isset($name['mobile']) && $name['uniqid'] != $pconfig['uniqid']) { /* check duplicate localids only for mobile clents */ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']); $entered = array(); 
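Review bot: The `is_numericint()` guards on `p2index` and `dup` were replaced with bare `!empty()` checks at the top of this hunk, so `$uindex` (and the `uniqid` posted back from the form) is now an arbitrary, unvalidated request value: `p2index[]=x` yields an array, and the loose `$ph2['uniqid'] == $uindex` comparison in the lookup loop compares identifiers consisting only of digits and a single `e` as numbers. Since `uniqid()` without arguments yields 13 lowercase hex characters, a shape check such as `if (!empty($_POST['uniqid']) && ctype_xdigit($_POST['uniqid']))` (and the same for the two `$_GET` sources) rejects both cases before the value is persisted by `$ph2ent['uniqid'] = $pconfig['uniqid']` in hunk `@@ -259,7 +262,9 @@`, where `$pconfig` is presumably populated from `$_POST`. The comparisons should also be strict: `if ($ph2['uniqid'] === $uindex)` here, and `!==` in the `$name['uniqid'] != $pconfig['uniqid']` conditions added in hunks `@@ -191,7 +206,7 @@` and `@@ -216,7 +225,7 @@`.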
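Review bot: In the `dup` branch at the end of the `@@ -94,14 +104,19 @@` hunk, `$uindex` and `$p2index` are unset but `$ph2found` keeps the `true` set by the lookup loop, so for the rest of a duplicate request the page state is contradictory: the entry counts as found while no index points at it. Adding `$ph2found = false;` next to the two `unset()` calls keeps the flag consistent with the save path in hunk `@@ -281,27 +286,12 @@`, which tests `$ph2found === true && $a_phase2[$p2index]`. Whether anything later on the page reads `$ph2found` during a GET is not visible here.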
@@ -200,15 +215,9 @@ if ($_POST) { if (isset($pconfig['localid_netbits'])) $entered['netbits'] = $pconfig['localid_netbits']; $entered_localid_data = ipsec_idinfo_to_cidr($entered, false, $pconfig['mode']); if ($localid_data == $entered_localid_data){ - if (!isset($pconfig['p2index'])){ - /* adding new p2 entry */ - $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); - break; - }else if ($pconfig['p2index'] != $key){ - /* editing p2 and entered p2 networks match with different p2 for given p1 */ - $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); - break; - } + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; } } } @@ -216,7 +225,7 @@ if ($_POST) { /* User is adding phase 2 for site-to-site phase1 */ $input_error = 0; foreach($a_phase2 as $key => $name){ - if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid'] && $pconfig['uniqid'] != $name['uniqid']) { /* check duplicate subnets only for given phase1 */ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']); $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid'], false, $name['mode']); 
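Review bot: The surviving comment `/* adding new p2 entry */` in this hunk is now misleading, because the `$name['uniqid'] != $pconfig['uniqid']` condition added in the preceding hunk makes this branch fire for edits as well as for new entries whenever a different phase 2 already uses the network. A comment such as `/* another phase2 entry already uses this Local Network */` describes the post-change behaviour; the same applies to the identical comment in hunk `@@ -231,15 +240,9 @@`. The enclosing `foreach` and the `if (isset($pconfig['mobile']))` block begin outside this hunk.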
@@ -231,15 +240,9 @@ if ($_POST) { if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits']; $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote, false, $pconfig['mode']); if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) { - if (!isset($pconfig['p2index'])){ - /* adding new p2 entry */ - $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); - break; - }else if ($pconfig['p2index'] != $key){ - /* editing p2 and entered p2 networks match with different p2 for given p1 */ - $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); - break; - } + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; } } } @@ -259,7 +262,9 @@ if ($_POST) { if (!$input_errors) { + $ph2ent = array(); $ph2ent['ikeid'] = $pconfig['ikeid']; + $ph2ent['uniqid'] = $pconfig['uniqid']; $ph2ent['mode'] = $pconfig['mode']; $ph2ent['disabled'] = $pconfig['disabled'] ? true : false; 
@@ -281,27 +286,12 @@ if ($_POST) { if (isset($pconfig['mobile'])) $ph2ent['mobile'] = true; - ipsec_lookup_phase1($ph2ent, $ph1ent); - if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6")) - $input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2."); - if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel")) - $input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2."); - } - - if (!$input_errors) { - if (isset($p2index) && $a_phase2[$p2index]) + if ($ph2found === true && $a_phase2[$p2index]) $a_phase2[$p2index] = $ph2ent; else $a_phase2[] = $ph2ent; - /* now we need to find all phase2 entries for this host */ - if(is_array($ph2ent)) { - ipsec_lookup_phase1($ph2ent, $ph1ent); - $old_ph1ent = $ph1ent; - $old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']); - } - write_config(); mark_subsystem_dirty('ipsec'); @@ -780,15 +770,13 @@ function change_protocol() { <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <?php if (isset($p2index) && $a_phase2[$p2index]): ?> - <input name="p2index" type="hidden" value="<?=htmlspecialchars($p2index);?>" /> - <?php endif; ?> <?php if ($pconfig['mobile']): ?> <input name="mobile" type="hidden" value="true" /> <input name="remoteid_type" type="hidden" value="mobile" /> <?php endif; ?> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" /> + <input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" /> </td> </tr> </table> @@ -817,7 +805,6 @@ typesel_change_remote(<?=htmlspecialchars($pconfig['remoteid_netbits'])?>); /* local utility functions */ function pconfig_to_ealgos(& $pconfig) { - global $p2_ealgos; $ealgos = array(); |
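Review bot: The removed block in the middle of this hunk drops the `ipsec_lookup_phase1()` call and the two checks rejecting a `tunnel6` phase 2 under an `inet` phase 1 (and `tunnel` under `inet6`), so a phase 2 whose address family contradicts its phase 1 can now be saved without an input error. That validation is unrelated to the uniqid tracking described in the commit message and nothing in this diff shows it moved elsewhere, so it looks like an accidental loss rather than an intended change; if it was moved, a sentence in the description would help. The `$old_ph1ent`/`resolve_retry()` removal below it is fine, as nothing visible consumed those values. The enclosing `if ($_POST) {` block starts outside the hunk; restoring the checks ahead of the write would look like the following.
```php
	if (isset($pconfig['mobile']))
		$ph2ent['mobile'] = true;

	ipsec_lookup_phase1($ph2ent, $ph1ent);
	if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6"))
		$input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2.");
	if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel"))
		$input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2.");
}

if (!$input_errors) {
	if ($ph2found === true && $a_phase2[$p2index])
	// … unchanged: store $ph2ent, write_config(), mark_subsystem_dirty('ipsec') …
```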