X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=9f3c645e1a11b4cbc778504921383e4106860d9e;hp=218dafa26814624dd2e3358cf661c3e7566a8087;hb=f6529a04a398643edeea679f79b15912f8a6fc94;hpb=bd767b27c85b2c6992cac38781b7bb78a03b694a

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 218dafa268..9f3c645e1a 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -108,6 +108,7 @@ $cgiparams{'ROOTCERT_STATE'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
+$cgiparams{'FORCE_MOBIKE'} = 'off';
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -329,7 +330,13 @@ sub writeipsecfiles {
 	if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
 		my @encs   = split('\|', $lconfighash{$key}[21]);
 		my @ints   = split('\|', $lconfighash{$key}[22]);
-		my @groups = split('\|', $lconfighash{$key}[20]);
+		my @groups = split('\|', $lconfighash{$key}[23]);
+
+		# Use IKE grouptype if no ESP group type has been selected
+		# (for backwards compatibility)
+		if ($lconfighash{$key}[23] eq "") {
+			@groups = split('\|', $lconfighash{$key}[20]);
+		}
 
 		my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
 		print CONF "\tesp=" . join(",", @algos);
@@ -354,6 +361,11 @@ sub writeipsecfiles {
 	# Compression
 	print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
 
+	# Force MOBIKE?
+	if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
+		print CONF "\tmobike=yes\n";
+	}
+
 	# Dead Peer Detection
 	my $dpdaction = $lconfighash{$key}[27];
 	print CONF "\tdpdaction=$dpdaction\n";
@@ -1270,6 +1282,9 @@ END
 	$cgiparams{'ESP_ENCRYPTION'} 	= $confighash{$cgiparams{'KEY'}}[21];
 	$cgiparams{'ESP_INTEGRITY'}  	= $confighash{$cgiparams{'KEY'}}[22];
 	$cgiparams{'ESP_GROUPTYPE'}  	= $confighash{$cgiparams{'KEY'}}[23];
+	if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+		$cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+	}
 	$cgiparams{'ESP_KEYLIFE'}    	= $confighash{$cgiparams{'KEY'}}[17];
 	$cgiparams{'COMPRESSION'}    	= $confighash{$cgiparams{'KEY'}}[13];
 	$cgiparams{'ONLY_PROPOSED'}  	= $confighash{$cgiparams{'KEY'}}[24];
@@ -1277,6 +1292,7 @@ END
 	$cgiparams{'VHOST'}            	= $confighash{$cgiparams{'KEY'}}[14];
 	$cgiparams{'DPD_TIMEOUT'}		= $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}		= $confighash{$cgiparams{'KEY'}}[31];
+	$cgiparams{'FORCE_MOBIKE'}	= $confighash{$cgiparams{'KEY'}}[32];
 
 	if (!$cgiparams{'DPD_DELAY'}) {
 		$cgiparams{'DPD_DELAY'} = 30;
@@ -1759,7 +1775,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 	    $key = &General::findhasharraykey (\%confighash);
-	    foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
+	    foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1801,6 +1817,7 @@ END
 	$confighash{$key}[14] = $cgiparams{'VHOST'};
 	$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
+	$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
 
 	#free unused fields!
 	$confighash{$key}[6] = 'off';
@@ -1849,6 +1866,10 @@ END
 		$cgiparams{'DPD_TIMEOUT'} = 120;
 	}
 
+	if (!$cgiparams{'FORCE_MOBIKE'}) {
+		$cgiparams{'FORCE_MOBIKE'} = 'no';
+	}
+
 	# Default IKE Version to v2
 	if (!$cgiparams{'IKE_VERSION'}) {
 	    $cgiparams{'IKE_VERSION'} = 'ikev2';
@@ -1865,7 +1886,7 @@ END
 	$cgiparams{'IKE_LIFETIME'}   = '3';		#[16];
 	$cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128';	#[21];
 	$cgiparams{'ESP_INTEGRITY'}  = 'sha2_512|sha2_256|sha1';	#[22];
-	$cgiparams{'ESP_GROUPTYPE'}  = '';		#[23];
+	$cgiparams{'ESP_GROUPTYPE'}  = '4096|3072|2048|1536|1024';		#[23];
 	$cgiparams{'ESP_KEYLIFE'}    = '1';		#[17];
 	$cgiparams{'COMPRESSION'}    = 'on';		#[13];
 	$cgiparams{'ONLY_PROPOSED'}  = 'off';		#[24];
@@ -1926,6 +1947,7 @@ END
 	<input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' />
 	<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
 	<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
+	<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
 END
     ;
     if ($cgiparams{'KEY'}) {
@@ -2175,13 +2197,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		goto ADVANCED_ERROR;
 	    }
 	}
-	if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
-	    $cgiparams{'ESP_GROUPTYPE'} !~  /^ecp(192|224|256|384|512)(bp)?$/ &&
-	    $cgiparams{'ESP_GROUPTYPE'} !~  /^modp(1024|1536|2048|2048s(256|224|160)|3072|4096|6144|8192)$/) {
+	@temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
+	if ($#temp < 0) {
 	    $errormessage = $Lang::tr{'invalid input'};
 	    goto ADVANCED_ERROR;
 	}
-
+	foreach my $val (@temp) {
+	    if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+		$errormessage = $Lang::tr{'invalid input'};
+		goto ADVANCED_ERROR;
+	    }
+	}
 	if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
 	    $errormessage = $Lang::tr{'invalid input for esp keylife'};
 	    goto ADVANCED_ERROR;
@@ -2193,6 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 
 	if (
 	    ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
+	    ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
@@ -2228,6 +2255,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
 	$confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
+	$confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
 	if (&vpnenabled) {
@@ -2244,6 +2272,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
 	$cgiparams{'ESP_INTEGRITY'}  = $confighash{$cgiparams{'KEY'}}[22];
 	$cgiparams{'ESP_GROUPTYPE'}  = $confighash{$cgiparams{'KEY'}}[23];
+	if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+		$cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+	}
 	$cgiparams{'ESP_KEYLIFE'}    = $confighash{$cgiparams{'KEY'}}[17];
 	$cgiparams{'COMPRESSION'}    = $confighash{$cgiparams{'KEY'}}[13];
 	$cgiparams{'ONLY_PROPOSED'}  = $confighash{$cgiparams{'KEY'}}[24];
@@ -2252,6 +2283,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$cgiparams{'DPD_ACTION'}     = $confighash{$cgiparams{'KEY'}}[27];
 	$cgiparams{'DPD_TIMEOUT'}    = $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}      = $confighash{$cgiparams{'KEY'}}[31];
+	$cgiparams{'FORCE_MOBIKE'}   = $confighash{$cgiparams{'KEY'}}[32];
 
 	if (!$cgiparams{'DPD_DELAY'}) {
 		$cgiparams{'DPD_DELAY'} = 30;
@@ -2333,9 +2365,20 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
     $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
     @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
     foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
-    $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
+    $checked{'ESP_GROUPTYPE'}{'768'} = '';
+    $checked{'ESP_GROUPTYPE'}{'1024'} = '';
+    $checked{'ESP_GROUPTYPE'}{'1536'} = '';
+    $checked{'ESP_GROUPTYPE'}{'2048'} = '';
+    $checked{'ESP_GROUPTYPE'}{'3072'} = '';
+    $checked{'ESP_GROUPTYPE'}{'4096'} = '';
+    $checked{'ESP_GROUPTYPE'}{'6144'} = '';
+    $checked{'ESP_GROUPTYPE'}{'8192'} = '';
+    $checked{'ESP_GROUPTYPE'}{'none'} = '';
+    @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
+    foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
 
     $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
+    $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
     $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
     $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
     $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
@@ -2494,7 +2537,30 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 					<option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
 				</select>
 			</td>
-			<td></td>
+			<td class='boldbase'>
+				<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+					<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
+					<option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
+					<option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
+					<option value='e384bp' $checked{'ESP_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
+					<option value='e256' $checked{'ESP_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
+					<option value='e256bp' $checked{'ESP_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
+					<option value='e224' $checked{'ESP_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
+					<option value='e224bp' $checked{'ESP_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
+					<option value='e192' $checked{'ESP_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
+					<option value='8192' $checked{'ESP_GROUPTYPE'}{'8192'}>MODP-8192</option>
+					<option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
+					<option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
+					<option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
+					<option value='2048s256' $checked{'ESP_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
+					<option value='2048s224' $checked{'ESP_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
+					<option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
+					<option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
+					<option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
+					<option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option>
+					<option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
+				</select>
+			</td>
 		</tr>
 	</tbody>
     </table>
@@ -2556,6 +2622,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</label>
 		</td>
 	</tr>
+	<tr>
+		<td>
+			<label>
+				<input type='checkbox' name='FORCE_MOBIKE' $checked{'FORCE_MOBIKE'} />
+				$Lang::tr{'vpn force mobike'}
+			</label>
+		</td>
+	</tr>
 EOF
     ;
     if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
@@ -3039,6 +3113,14 @@ sub make_algos($$$$$) {
 					if (!$is_aead) {
 						push(@algo, $int);
 					}
+
+					if ($grp eq "none") {
+						# noop
+					} elsif ($grp =~ m/^e(.*)$/) {
+						push(@algo, "ecp$1");
+					} else {
+						push(@algo, "modp$grp");
+					}
 				}
 
 				push(@algos, join("-", @algo));