
psk-ordering.diff

Jim Pingle, 11/04/2016 10:35 AM


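--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -671,6 +671,7 @@
 	}
 
 	$pskconf = "";
+	$late_pskconf = "";
 
 	$vpncas = array();
 	if (is_array($a_phase1) && count($a_phase1)) {
@@ -743,10 +744,22 @@
 					$peerid = "@{$peerid}";
 				}
 
+				$pskconfent = "";
+				$late = false;
 				if (!empty($ph1ent['pre-shared-key'])) {
-					$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+					if ($myid == "%any") {
+						$late = true;
+					}
+					$pskconfent = "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
 					if (isset($ph1ent['mobile'])) {
-						$pskconf .= " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+						$pskconfent = " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+					}
+
+					/* Store PSKs with wildcard IDs later to prevent over-matching */
+					if ($late) {
+						$pskconf_late .= $pskconfent;
+					} else {
+						$pskconf .= $pskconfent;
 					}
 				}
 			}
@@ -801,17 +814,17 @@
 	/* add PSKs for mobile clients */
 	if (is_array($ipseccfg['mobilekey'])) {
 		foreach ($ipseccfg['mobilekey'] as $key) {
-			if ($key['ident'] == "allusers") {
-				$key['ident'] = '%any';
-			}
-			if ($key['ident'] == "any") {
-				$key['ident'] = '%any';
-			}
 			if (empty($key['type'])) {
 				$key['type'] = 'PSK';
 			}
-			$pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
+			if (($key['ident'] == "allusers") || ($key['ident'] == "any")) {
+				/* Store wildcard PSKs last as they could over-match unintentionally */
+				$late_pskconf .= " %any : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
+			} else {
+				$pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
+			}
 		}
+		$pskconf .= $late_pskconf;
 		unset($key);
 	}
 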
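Review bot: In the phase 1 loop the deferred entry is appended to `$pskconf_late`, but the variable initialised at the top and flushed in the mobile-key block is `$late_pskconf`, so a tunnel PSK with `$myid == "%any"` is never written to `$pskconf` and the peer is left without a usable secret. Use one name throughout: `$late_pskconf .= $pskconfent;`. The flush `$pskconf .= $late_pskconf;` also sits inside `if (is_array($ipseccfg['mobilekey']))`, so with no mobile keys configured the deferred entries would still be dropped; moving it after that block's closing brace avoids this. In the `mobile` branch the entry is rewritten to ` : PSK 0s…` with no ID selectors at all, yet `$late` is still decided from `$myid` alone, so it is worth confirming that such an entry should not also be stored last. The enclosing function starts and ends outside the visible hunks.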