From 6d0f5a635aed336e5d2b6208a07a564b79f8863d Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Fri, 28 Feb 2014 17:25:05 -0300
Subject: Add an option to verify peers_identifier when it's ASN.1 distinguished name. It should fix #2904
---
 etc/inc/vpn.inc | 4 ++++
 usr/local/www/vpn_ipsec_phase1.php | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 62d997c..3a75c96 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -308,6 +308,7 @@ function vpn_ipsec_configure($ipchg = false)
 /* begin racoon.conf */
 $racoonconf = "";
+ $peerid_verify = "";
 if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
 $racoonconf .= "# This file is automatically generated. Do not edit\n";
@@ -607,6 +608,8 @@ function vpn_ipsec_configure($ipchg = false)
 /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
 if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) {
 $peerid_spec = "peers_identifier {$peerid_type} {$peerid_data};";
+ if (isset($ph1ent['verify_identifier']))
+ $peerid_verify = "verify_identifier on;";
 }
 /* add remote section to configuration */
@@ -619,6 +622,7 @@ remote {$rgip}
 exchange_mode {$ph1ent['mode']};
 my_identifier {$myid_type} {$myid_data};
 {$peerid_spec}
+ {$peerid_verify}
 ike_frag on;
 generate_policy = {$genp};
 initial_contact = {$init};
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 90c2c34..a72b908 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
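Review bot: `$peerid_verify` is cleared only once, at the top of vpn_ipsec_configure() in the first hunk, yet it is set to `verify_identifier on;` inside the per-phase1 block of the second hunk and interpolated into the `remote {$rgip}` section in the third. If that block runs once per phase 1 entry, as the per-entry remote section suggests, the first entry with the option enabled would carry `verify_identifier on;` into every later remote section whether or not those entries have it set, silently changing how racoon validates those peers. Reset it per entry instead, e.g. `$peerid_verify = "";` immediately before the `if (!(($ph1ent['authentication_method'] == "pre_shared_key") ...` line, or add `else $peerid_verify = "";` to the new conditional. The loop enclosing these hunks starts and ends outside them.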
@@ -85,6 +85,7 @@ if (isset($p1index) && $a_phase1[$p1index]) {
 $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
 $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
 $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
+ $pconfig['verify_identifier'] = isset($a_phase1[$p1index]['verify_identifier']);
 $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
 $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
 $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
@@ -327,6 +328,10 @@ if ($_POST) {
 $ph1ent['myid_data'] = $pconfig['myid_data'];
 $ph1ent['peerid_type'] = $pconfig['peerid_type'];
 $ph1ent['peerid_data'] = $pconfig['peerid_data'];
+ if (isset($pconfig['verify_identifier']))
+ $ph1ent['verify_identifier'] = true;
+ else
+ unset($ph1ent['verify_identifier']);
 $ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
 $ph1ent['hash-algorithm'] = $pconfig['halgo'];
@@ -407,6 +412,11 @@ function peeridsel_change() {
 document.getElementById('peerid_data').style.visibility = 'hidden';
 else
 document.getElementById('peerid_data').style.visibility = 'visible';
+
+ if (value == 'asn1dn')
+ document.getElementById('opt_verify_identifier').style.visibility = 'visible';
+ else
+ document.getElementById('opt_verify_identifier').style.visibility = 'hidden';
 }
 function methodsel_change() {
@@ -686,6 +696,10 @@ function dpdchkbox_change() { + + /> + . + 
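Review bot: The POST handler in the @@ -327 hunk stores `verify_identifier` whenever the checkbox arrives in the request, independent of `$pconfig['peerid_type']`, while the @@ -407 hunk only toggles the checkbox's `style.visibility`, which does not remove it from the form submission. A user who ticks the box and then switches the peer identifier type away from `asn1dn` would therefore persist the flag and vpn.inc would emit `verify_identifier on;` for a non-DN identifier, which is not what the commit message describes; client-side hiding is not a substitute for a server-side check. Tie the stored value to the type, `if (isset($pconfig['verify_identifier']) && $pconfig['peerid_type'] == 'asn1dn')`. The @@ -686 hunk carrying the form markup is not readable in this rendering, so the checkbox itself could not be reviewed, and the enclosing `if ($_POST)` block starts and ends outside the hunk.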
