Bug #6668 » psk-ordering.diff
src/etc/inc/vpn.inc | ||
671 | 671 |
} |
672 | 672 | |
673 | 673 |
$pskconf = ""; |
674 |
$late_pskconf = ""; |
|
674 | 675 | |
675 | 676 |
$vpncas = array(); |
676 | 677 |
if (is_array($a_phase1) && count($a_phase1)) { |
... | ... | |
743 | 744 |
$peerid = "@{$peerid}"; |
744 | 745 |
} |
745 | 746 | |
747 |
$pskconfent = ""; |
|
748 |
$late = false; |
|
746 | 749 |
if (!empty($ph1ent['pre-shared-key'])) { |
747 |
$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n"; |
|
750 |
if ($myid == "%any") { |
|
751 |
$late = true; |
|
752 |
} |
|
753 |
$pskconfent = "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n"; |
|
748 | 754 |
if (isset($ph1ent['mobile'])) { |
749 |
$pskconf .= " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n"; |
|
755 |
$pskconfent = " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n"; |
|
756 |
} |
|
757 | ||
758 |
/* Store PSKs with wildcard IDs later to prevent over-matching */ |
|
759 |
if ($late) { |
|
760 |
$pskconf_late .= $pskconfent; |
|
761 |
} else { |
|
762 |
$pskconf .= $pskconfent; |
|
750 | 763 |
} |
751 | 764 |
} |
752 | 765 |
} |
... | ... | |
801 | 814 |
/* add PSKs for mobile clients */ |
802 | 815 |
if (is_array($ipseccfg['mobilekey'])) { |
803 | 816 |
foreach ($ipseccfg['mobilekey'] as $key) { |
804 |
if ($key['ident'] == "allusers") { |
|
805 |
$key['ident'] = '%any'; |
|
806 |
} |
|
807 |
if ($key['ident'] == "any") { |
|
808 |
$key['ident'] = '%any'; |
|
809 |
} |
|
810 | 817 |
if (empty($key['type'])) { |
811 | 818 |
$key['type'] = 'PSK'; |
812 | 819 |
} |
813 |
$pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; |
|
820 |
if (($key['ident'] == "allusers") || ($key['ident'] == "any")) { |
|
821 |
/* Store wildcard PSKs last as they could over-match unintentionally */ |
|
822 |
$late_pskconf .= " %any : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; |
|
823 |
} else { |
|
824 |
$pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; |
|
825 |
} |
|
814 | 826 |
} |
827 |
$pskconf .= $late_pskconf; |
|
815 | 828 |
unset($key); |
816 | 829 |
} |
817 | 830 |
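Review bot: The deferred phase-1 entries never reach the generated secrets, because new line 760 appends to `$pskconf_late` while the variable initialised at new line 674 and flushed at new line 827 is `$late_pskconf`; PHP silently creates the misspelled variable, so every phase 1 whose `$myid` is `%any` loses its PSK line entirely instead of merely being written later, and peers relying on those entries would fail to authenticate. Change line 760 to `$late_pskconf .= $pskconfent;`. Even with that rename, the flush `$pskconf .= $late_pskconf;` at 827 sits inside the `if (is_array($ipseccfg['mobilekey']))` block, so a configuration with wildcard phase-1 IDs but no mobile PSKs would still drop those entries; move the flush to just after the closing brace at 829 so it runs unconditionally. One smaller point: the old loop rewrote an ident of `allusers`/`any` to `%any` before use, so a key whose ident is already stored as `%any` (if the UI ever allows that) would now land in the early bucket rather than the late one. The content of line 817/830 is cut off at the end of the page, so the code following the flush is not visible here.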