6684 |
6684 |
}
|
6685 |
6685 |
}
|
6686 |
6686 |
|
|
6687 |
function upgrade_227_to_228() {
|
|
6688 |
global $config;
|
|
6689 |
|
|
6690 |
/* We no longer support 3des, blowfish, cast128 or md5 and sha1
|
|
6691 |
* authentication for IPSec. */
|
|
6692 |
if (is_array($config['ipsec'])) {
|
|
6693 |
if (is_array($config['ipsec']['phase1'])) {
|
|
6694 |
foreach ($config['ipsec']['phase1'] as & $phase1) {
|
|
6695 |
if (! isset($phase1['encryption']) || !is_array($phase1['encryption']['item']))
|
|
6696 |
continue;
|
|
6697 |
|
|
6698 |
foreach ($phase1['encryption']['item'] as $enc) {
|
|
6699 |
if (isset($enc['encryption-algorithm']['name']) &&
|
|
6700 |
in_array($enc['encryption-algorithm']['name'],
|
|
6701 |
array("blowfish", "3des", "cast128"))) {
|
|
6702 |
$phase1['disabled'] = true;
|
|
6703 |
file_notice("IPsec", sprintf(gettext("3DES, Blowfish and CAST128 are no longer supported, IPsec phase1 item '%s' is being disabled."), $phase1['descr']));
|
|
6704 |
}
|
|
6705 |
if (isset($enc['hash-algorithm']) && $enc['hash-algorithm'] == "md5") {
|
|
6706 |
$phase1['disabled'] = true;
|
|
6707 |
file_notice("IPsec", sprintf(gettext("MD5 is no longer supported, IPsec phase1 item '%s' is being disabled."), $phase1['descr']));
|
|
6708 |
}
|
|
6709 |
}
|
|
6710 |
}
|
|
6711 |
}
|
|
6712 |
if (is_array($config['ipsec']['phase2'])) {
|
|
6713 |
foreach ($config['ipsec']['phase2'] as & $phase2) {
|
|
6714 |
if (is_array($phase2['encryption-algorithm-option'])) {
|
|
6715 |
foreach ($phase2['encryption-algorithm-option'] as & $opt) {
|
|
6716 |
if (in_array($opt['name'], array("blowfish", "3des", "cast128"))) {
|
|
6717 |
$phase2['disabled'] = true;
|
|
6718 |
file_notice("IPsec", sprintf(gettext("3DES, Blowfish and CAST128 are no longer supported, IPsec phase2 item '%s' is being disabled."), $phase2['descr']));
|
|
6719 |
}
|
|
6720 |
}
|
|
6721 |
}
|
|
6722 |
if (is_array($phase2['hash-algorithm-option'])) {
|
|
6723 |
foreach ($phase2['hash-algorithm-option'] as & $opt) {
|
|
6724 |
if ($opt == "hmac_md5") {
|
|
6725 |
$phase2['disabled'] = true;
|
|
6726 |
file_notice("IPsec", sprintf(gettext("MD5 is no longer supported, IPsec phase2 item '%s' is being disabled."), $phase2['descr']));
|
|
6727 |
}
|
|
6728 |
}
|
|
6729 |
}
|
|
6730 |
}
|
|
6731 |
}
|
|
6732 |
}
|
|
6733 |
}
|
|
6734 |
|
6687 |
6735 |
/*
|
6688 |
6736 |
* Special function that is called independent of current config version. It's
|
6689 |
6737 |
* a workaround to have config_upgrade running on older versions after next
|
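Review bot: The header comment in `upgrade_227_to_228()` says MD5 and SHA1 authentication are no longer supported, but the phase1 check only matches `md5` and the phase2 check only `hmac_md5`, so tunnels still configured with SHA1 stay enabled after the upgrade. If SHA1 is meant to remain available (the commit title lists only md5), the comment should be corrected, e.g. `/* 3DES, Blowfish, CAST128 and MD5 are no longer supported for IPsec; disable any phase1/phase2 entry that uses them. */`; otherwise both hash comparisons need the SHA1 values added. Separately, the by-reference loops leave `$phase1`, `$phase2` and `$opt` bound once they finish: `$opt` is never written and can be iterated by value, and `unset($phase1);` / `unset($phase2);` after each outer loop would keep a later write from landing in the last config entry. A phase1 entry with more than one matching encryption item also files one notice per item, which a `break;` after the first match would reduce to one.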
ipsec: disable any tunnels using 3des, blowfish, cast128 or md5 during upgrades
Redmine: #9247