From 76a9ad942e1e91acfeb5eaaeb358e34adaaf0cd4 Mon Sep 17 00:00:00 2001
From: Chris Buechler <cmb@pfsense.org>
Date: Sat, 31 Jan 2015 16:30:19 -0600
Subject: Add input validation to prevent the use of AES > 128 where glxsb is
 enabled. Ticket #4361

---
 usr/local/www/vpn_ipsec_phase1.php |  7 +++++++
 usr/local/www/vpn_ipsec_phase2.php | 12 +++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 07f8c8b..8738038 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -328,6 +328,13 @@ if ($_POST) {
 
 	if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2" && $pconfig['iketype'] != "auto")
 		$input_errors[] = gettext("Valid arguments for IKE type is v1 or v2 or auto");
+                
+        if (!empty($_POST['ealgo']) && isset($config['system']['crypto_hardware'])) {
+            if ($config['system']['crypto_hardware'] == "glxsb") {
+                if ($_POST['ealgo'] == "aes" && $_POST['ealgo_keylen'] != "128")
+                    $input_errors[] = gettext("Only 128 bit AES can be used where the glxsb crypto accelerator is enabled.");
+            }
+        }
 
 	/* build our encryption algorithms array */
 	$pconfig['ealgo'] = array();
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index e6ce3f0..e42cc0b 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -142,7 +142,7 @@ if ($_POST) {
 	}
 
 	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
+	
 	if(($pconfig['mode'] == "tunnel") || ($pconfig['mode'] == "tunnel6")) 
 	{
 		switch ($pconfig['localid_type']) {
@@ -300,8 +300,14 @@ if ($_POST) {
 		if (!count($ealgos)) {
 			$input_errors[] = gettext("At least one encryption algorithm must be selected.");
 		} else {
-			if (empty($pconfig['halgos'])) {
-				foreach ($ealgos as $ealgo) {
+			foreach ($ealgos as $ealgo) {
+				if (isset($config['system']['crypto_hardware'])) {
+					if ($config['system']['crypto_hardware'] == "glxsb") {
+					    if ($ealgo['name'] == "aes" && $ealgo['keylen'] != "128")
+						$input_errors[] = gettext("Only 128 bit AES can be used where the glxsb crypto accelerator is enabled.");
+					}
+				}
+				if (empty($pconfig['halgos'])) {
 					if (!strpos($ealgo['name'], "gcm")) {
 						$input_errors[] = gettext("At least one hashing algorithm needs to be selected.");
 						break;
-- 
cgit v1.1