]>
Commit | Line | Data |
---|---|---|
3eae7bed JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS" | |
878cfa3e | 23 | VPN_SECURITY_POLICIES_READONLY="system performance" |
3eae7bed | 24 | |
6fdbda80 MT |
25 | VPN_DEFAULT_SECURITY_POLICY="system" |
26 | ||
b116ad92 | 27 | declare -A VPN_SUPPORTED_CIPHERS=( |
b68fed1f MT |
28 | # 3DES-CBC |
29 | [3DES-CBC]="168 bit 3DES-EDE-CBC" | |
30 | ||
31 | # AES-CBC | |
b116ad92 MT |
32 | [AES256-CBC]="256 bit AES-CBC" |
33 | [AES192-CBC]="192 bit AES-CBC" | |
34 | [AES128-CBC]="128 bit AES-CBC" | |
b68fed1f MT |
35 | |
36 | # AES-CTR | |
37 | [AES256-CTR]="256 bit AES-COUNTER" | |
38 | [AES192-CTR]="192 bit AES-COUNTER" | |
39 | [AES128-CTR]="128 bit AES-COUNTER" | |
40 | ||
41 | # AES-GCM | |
42 | [AES256-GCM128]="256 bit AES-GCM with 128 bit ICV" | |
43 | [AES192-GCM128]="192 bit AES-GCM with 128 bit ICV" | |
44 | [AES128-GCM128]="128 bit AES-GCM with 128 bit ICV" | |
45 | [AES256-GCM96]="256 bit AES-GCM with 96 bit ICV" | |
46 | [AES192-GCM96]="192 bit AES-GCM with 96 bit ICV" | |
47 | [AES128-GCM96]="128 bit AES-GCM with 96 bit ICV" | |
48 | [AES256-GCM64]="256 bit AES-GCM with 64 bit ICV" | |
49 | [AES192-GCM64]="192 bit AES-GCM with 64 bit ICV" | |
50 | [AES128-GCM64]="128 bit AES-GCM with 64 bit ICV" | |
51 | ||
52 | # AES-CCM | |
53 | [AES256-CCM128]="256 bit AES-CCM with 128 bit ICV" | |
54 | [AES192-CCM128]="192 bit AES-CCM with 128 bit ICV" | |
55 | [AES128-CCM128]="128 bit AES-CCM with 128 bit ICV" | |
56 | [AES256-CCM96]="256 bit AES-CCM with 96 bit ICV" | |
57 | [AES192-CCM96]="192 bit AES-CCM with 96 bit ICV" | |
58 | [AES128-CCM96]="128 bit AES-CCM with 96 bit ICV" | |
59 | [AES256-CCM64]="256 bit AES-CCM with 64 bit ICV" | |
60 | [AES192-CCM64]="192 bit AES-CCM with 64 bit ICV" | |
61 | [AES128-CCM64]="128 bit AES-CCM with 64 bit ICV" | |
62 | ||
63 | # CAMELLIA-CBC | |
64 | [CAMELLIA256-CBC]="256 bit CAMELLIA-CBC" | |
65 | [CAMELLIA192-CBC]="192 bit CAMELLIA-CBC" | |
66 | [CAMELLIA128-CBC]="128 bit CAMELLIA-CBC" | |
67 | ||
68 | # CAMELLIA-CTR | |
69 | [CAMELLIA256-CTR]="256 bit CAMELLIA-COUNTER" | |
70 | [CAMELLIA192-CTR]="192 bit CAMELLIA-COUNTER" | |
71 | [CAMELLIA128-CTR]="128 bit CAMELLIA-COUNTER" | |
72 | ||
73 | # CAMELLIA-GCM | |
74 | [CAMELLIA256-GCM128]="256 bit CAMELLIA-GCM with 128 bit ICV" | |
75 | [CAMELLIA192-GCM128]="192 bit CAMELLIA-GCM with 128 bit ICV" | |
76 | [CAMELLIA128-GCM128]="128 bit CAMELLIA-GCM with 128 bit ICV" | |
77 | [CAMELLIA256-GCM96]="256 bit CAMELLIA-GCM with 96 bit ICV" | |
78 | [CAMELLIA192-GCM96]="192 bit CAMELLIA-GCM with 96 bit ICV" | |
79 | [CAMELLIA128-GCM96]="128 bit CAMELLIA-GCM with 96 bit ICV" | |
80 | [CAMELLIA256-GCM64]="256 bit CAMELLIA-GCM with 64 bit ICV" | |
81 | [CAMELLIA192-GCM64]="192 bit CAMELLIA-GCM with 64 bit ICV" | |
82 | [CAMELLIA128-GCM64]="128 bit CAMELLIA-GCM with 64 bit ICV" | |
83 | ||
84 | # CAMELLIA-CCM | |
85 | [CAMELLIA256-CCM128]="256 bit CAMELLIA-CCM with 128 bit ICV" | |
86 | [CAMELLIA192-CCM128]="192 bit CAMELLIA-CCM with 128 bit ICV" | |
87 | [CAMELLIA128-CCM128]="128 bit CAMELLIA-CCM with 128 bit ICV" | |
88 | [CAMELLIA256-CCM96]="256 bit CAMELLIA-CCM with 96 bit ICV" | |
89 | [CAMELLIA192-CCM96]="192 bit CAMELLIA-CCM with 96 bit ICV" | |
90 | [CAMELLIA128-CCM96]="128 bit CAMELLIA-CCM with 96 bit ICV" | |
91 | [CAMELLIA256-CCM64]="256 bit CAMELLIA-CCM with 64 bit ICV" | |
92 | [CAMELLIA192-CCM64]="192 bit CAMELLIA-CCM with 64 bit ICV" | |
93 | [CAMELLIA128-CCM64]="128 bit CAMELLIA-CCM with 64 bit ICV" | |
d9a8af16 | 94 | |
51fa7039 MT |
95 | # DJB |
96 | [CHACHA20-POLY1305]="256 bit ChaCha20/Poly1305 with 128 bit ICV" | |
97 | ||
d9a8af16 MT |
98 | # No Encryption |
99 | [NULL]="No Encryption" | |
b116ad92 MT |
100 | ) |
101 | ||
d69af00f MT |
102 | declare -A CIPHER_TO_STRONGSWAN=( |
103 | # 3DES-CBC | |
104 | [3DES-CBC]="3des" | |
105 | ||
106 | # AES-CBC | |
107 | [AES256-CBC]="aes256" | |
108 | [AES192-CBC]="aes192" | |
109 | [AES128-CBC]="aes128" | |
110 | ||
111 | # AES-CTR | |
112 | [AES256-CTR]="aes256ctr" | |
113 | [AES192-CTR]="aes192ctr" | |
114 | [AES128-CTR]="aes128ctr" | |
115 | ||
116 | # AES-GCM | |
117 | [AES256-GCM128]="aes256gcm128" | |
118 | [AES192-GCM128]="aes192gcm128" | |
119 | [AES128-GCM128]="aes128gcm128" | |
120 | [AES256-GCM96]="aes256gcm96" | |
121 | [AES192-GCM96]="aes192gcm96" | |
122 | [AES128-GCM96]="aes128gcm96" | |
123 | [AES256-GCM64]="aes256gcm64" | |
124 | [AES192-GCM64]="aes192gcm64" | |
125 | [AES128-GCM64]="aes128gcm64" | |
126 | ||
127 | # AES-CCM | |
128 | [AES256-CCM128]="aes256ccm128" | |
129 | [AES192-CCM128]="aes192ccm128" | |
130 | [AES128-CCM128]="aes128ccm128" | |
131 | [AES256-CCM96]="aes256ccm96" | |
132 | [AES192-CCM96]="aes192ccm96" | |
133 | [AES128-CCM96]="aes128ccm96" | |
134 | [AES256-CCM64]="aes256ccm64" | |
135 | [AES192-CCM64]="aes192ccm64" | |
136 | [AES128-CCM64]="aes128ccm64" | |
137 | ||
138 | # CAMELLIA-CBC | |
139 | [CAMELLIA256-CBC]="camellia256" | |
140 | [CAMELLIA192-CBC]="camellia192" | |
141 | [CAMELLIA128-CBC]="camellia128" | |
142 | ||
143 | # CAMELLIA-CTR | |
144 | [CAMELLIA256-CTR]="camellia256ctr" | |
145 | [CAMELLIA192-CTR]="camellia192ctr" | |
146 | [CAMELLIA128-CTR]="camellia128ctr" | |
147 | ||
148 | # CAMELLIA-GCM | |
149 | [CAMELLIA256-GCM128]="camellia256gcm128" | |
150 | [CAMELLIA192-GCM128]="camellia192gcm128" | |
151 | [CAMELLIA128-GCM128]="camellia128gcm128" | |
152 | [CAMELLIA256-GCM96]="camellia256gcm96" | |
153 | [CAMELLIA192-GCM96]="camellia192gcm96" | |
154 | [CAMELLIA128-GCM96]="camellia128gcm96" | |
155 | [CAMELLIA256-GCM64]="camellia256gcm64" | |
156 | [CAMELLIA192-GCM64]="camellia192gcm64" | |
157 | [CAMELLIA128-GCM64]="camellia128gcm64" | |
158 | ||
159 | # CAMELLIA-CCM | |
160 | [CAMELLIA256-CCM128]="camellia256ccm128" | |
161 | [CAMELLIA192-CCM128]="camellia192ccm128" | |
162 | [CAMELLIA128-CCM128]="camellia128ccm128" | |
163 | [CAMELLIA256-CCM96]="camellia256ccm96" | |
164 | [CAMELLIA192-CCM96]="camellia192ccm96" | |
165 | [CAMELLIA128-CCM96]="camellia128ccm96" | |
166 | [CAMELLIA256-CCM64]="camellia256ccm64" | |
167 | [CAMELLIA192-CCM64]="camellia192ccm64" | |
168 | [CAMELLIA128-CCM64]="camellia128ccm64" | |
d9a8af16 | 169 | |
51fa7039 MT |
170 | # DJB |
171 | [CHACHA20-POLY1305]="chacha20poly1305" | |
172 | ||
d9a8af16 MT |
173 | # No Encryption |
174 | [NULL]="null" | |
d69af00f MT |
175 | ) |
176 | ||
3a0c376c MT |
177 | declare -A VPN_SUPPORTED_INTEGRITY=( |
178 | [MD5]="MD5-HMAC" | |
179 | ||
180 | # SHA | |
181 | [SHA1]="SHA1-HMAC" | |
3003747b | 182 | [SHA512]="512 bit SHA2-HMAC" |
3a0c376c MT |
183 | [SHA384]="384 bit SHA2-HMAC" |
184 | [SHA256]="256 bit SHA2-HMAC" | |
185 | ||
186 | # AES | |
187 | [AES-XCBC]="AES-XCBC" | |
188 | [AES-CMAC]="AES-CMAC" | |
189 | [AES256-GMAC]="256 bit AES-GMAC" | |
190 | [AES192-GMAC]="192 bit AES-GMAC" | |
191 | [AES128-GMAC]="128 bit AES-GMAC" | |
192 | ) | |
193 | ||
d69af00f MT |
194 | declare -A INTEGRITY_TO_STRONGSWAN=( |
195 | [MD5]="md5" | |
196 | ||
197 | # SHA | |
198 | [SHA1]="sha1" | |
199 | [SHA512]="sha512" | |
200 | [SHA384]="sha384" | |
201 | [SHA256]="sha256" | |
202 | ||
203 | # AES | |
204 | [AES-XCBC]="aesxcbc" | |
205 | [AES-CMAC]="aescmac" | |
206 | [AES256-GMAC]="aes256gmac" | |
207 | [AES192-GMAC]="aes192gmac" | |
208 | [AES128-GMAC]="aes128gmac" | |
209 | ) | |
210 | ||
54fc6c3f MT |
211 | declare -A VPN_SUPPORTED_GROUP_TYPES=( |
212 | # Regular Groups | |
213 | [MODP768]="768 bit Modulo Prime Group" | |
214 | [MODP1024]="1024 bit Modulo Prime Group" | |
215 | [MODP1536]="1536 bit Modulo Prime Group" | |
216 | [MODP2048]="2048 bit Modulo Prime Group" | |
217 | [MODP3072]="3072 bit Modulo Prime Group" | |
218 | [MODP4096]="4096 bit Modulo Prime Group" | |
219 | [MODP6144]="6144 bit Modulo Prime Group" | |
220 | [MODP8192]="8192 bit Modulo Prime Group" | |
221 | ||
222 | # NIST Elliptic Curve Groups | |
223 | [ECP192]="192 bit NIST Elliptic Curve Group" | |
224 | [ECP224]="224 bit NIST Elliptic Curve Group" | |
225 | [ECP256]="256 bit NIST Elliptic Curve Group" | |
226 | [ECP384]="384 bit NIST Elliptic Curve Group" | |
227 | [ECP521]="521 bit NIST Elliptic Curve Group" | |
228 | ||
229 | # Brainpool Elliptic Curve Groups | |
230 | [ECP224BP]="224 bit Brainpool Elliptic Curve Group" | |
231 | [ECP256BP]="256 bit Brainpool Elliptic Curve Group" | |
232 | [ECP384BP]="384 bit Brainpool Elliptic Curve Group" | |
233 | [ECP512BP]="512 bit Brainpool Elliptic Curve Group" | |
234 | ||
235 | # Curve25519 | |
236 | [CURVE25519]="256 bit Elliptic Curve 25519" | |
237 | ) | |
3eae7bed | 238 | |
d69af00f MT |
239 | declare -A GROUP_TYPE_TO_STRONGSWAN=( |
240 | # Regular Groups | |
241 | [MODP768]="modp768" | |
242 | [MODP1024]="modp1024" | |
243 | [MODP1536]="modp1536" | |
244 | [MODP2048]="modp2048" | |
245 | [MODP3072]="modp3072" | |
246 | [MODP4096]="modp4096" | |
247 | [MODP6144]="modp6144" | |
248 | [MODP8192]="modp8192" | |
249 | ||
250 | # NIST Elliptic Curve Groups | |
251 | [ECP192]="ecp192" | |
252 | [ECP224]="ecp224" | |
253 | [ECP256]="ecp256" | |
254 | [ECP384]="ecp384" | |
255 | [ECP521]="ecp521" | |
256 | ||
257 | # Brainpool Elliptic Curve Groups | |
258 | [ECP224BP]="ecp224bp" | |
259 | [ECP256BP]="ecp256bp" | |
260 | [ECP384BP]="ecp384bp" | |
261 | [ECP512BP]="ecp512bp" | |
262 | ||
263 | # Curve25519 | |
264 | [CURVE25519]="curve25519" | |
265 | ) | |
266 | ||
2da98f56 MT |
267 | cli_vpn_security_policies() { |
268 | local action | |
269 | local security_policy | |
270 | ||
271 | if vpn_security_policy_exists ${1}; then | |
272 | security_policy=${1} | |
273 | key=${2} | |
274 | shift 2 | |
275 | ||
276 | case "${key}" in | |
277 | cipher|compression|integrity|lifetime|pfs|show) | |
2212045f | 278 | vpn_security_policies_${key} ${security_policy} "$@" |
2da98f56 MT |
279 | ;; |
280 | group-type) | |
2212045f | 281 | vpn_security_policies_group_type ${security_policy} "$@" |
2da98f56 MT |
282 | ;; |
283 | key-exchange) | |
2212045f | 284 | vpn_security_policies_key_exchange ${security_policy} "$@" |
2da98f56 MT |
285 | ;; |
286 | *) | |
287 | error "Unrecognized argument: ${key}" | |
288 | exit ${EXIT_ERROR} | |
289 | ;; | |
290 | esac | |
291 | else | |
292 | action=${1} | |
293 | shift | |
294 | ||
295 | case "${action}" in | |
296 | new) | |
2212045f | 297 | vpn_security_policies_new "$@" |
2da98f56 MT |
298 | ;; |
299 | destroy) | |
2212045f | 300 | vpn_security_policies_destroy "$@" |
2da98f56 MT |
301 | ;; |
302 | ""|*) | |
303 | if [ -n "${action}" ]; then | |
304 | error "Unrecognized argument: '${action}'" | |
305 | fi | |
306 | exit ${EXIT_ERROR} | |
307 | ;; | |
308 | esac | |
309 | fi | |
310 | } | |
311 | ||
6740c9c5 MT |
312 | # This functions checks if a policy is readonly |
313 | # returns true when yes and false when no | |
3eae7bed | 314 | vpn_security_policies_check_readonly() { |
3eae7bed JS |
315 | if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then |
316 | return ${EXIT_TRUE} | |
317 | else | |
318 | return ${EXIT_FALSE} | |
319 | fi | |
320 | } | |
321 | ||
6740c9c5 | 322 | # This function writes all values to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 323 | vpn_security_policies_write_config() { |
3eae7bed JS |
324 | assert [ $# -ge 1 ] |
325 | ||
326 | local name="${1}" | |
327 | ||
6740c9c5 | 328 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
329 | log ERROR "No such vpn security policy: ${name}" |
330 | return ${EXIT_ERROR} | |
331 | fi | |
332 | ||
6740c9c5 | 333 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
334 | log ERROR "The ${name} vpn security policy cannot be changed." |
335 | return ${EXIT_ERROR} | |
336 | fi | |
337 | ||
6740c9c5 | 338 | local path="$(vpn_security_policies_path "${name}")" |
3eae7bed JS |
339 | if [ ! -w ${path} ]; then |
340 | log ERROR "${path} is not writeable" | |
341 | return ${EXIT_ERROR} | |
342 | fi | |
343 | ||
344 | if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then | |
345 | log ERROR "Could not write configuration settings for vpn security policy ${name}" | |
346 | return ${EXIT_ERROR} | |
347 | fi | |
348 | ||
f0e91d26 JS |
349 | if ! vpn_security_policies_reload ${name}; then |
350 | log WARNING "Could not reload the IPsec connection using this security policy" | |
351 | return ${EXIT_ERROR} | |
352 | fi | |
353 | } | |
354 | ||
355 | # reload IPsec connections using a special policy | |
356 | vpn_security_policies_reload() { | |
357 | local name=${1} | |
358 | ||
359 | local connection | |
360 | for connection in $(ipsec_list_connections); do | |
5601f4f5 JS |
361 | local SECURITY_POLICY ENABLED |
362 | ||
f0e91d26 JS |
363 | if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then |
364 | continue | |
365 | fi | |
366 | ||
5601f4f5 | 367 | if [[ "${SECURITY_POLICY}" = "${name}" ]] && enabled ENABLED; then |
f0e91d26 JS |
368 | if ! ipsec_connection_to_strongswan "${connection}"; then |
369 | log ERROR "Could not generate strongswan config for ${connnection}" | |
370 | fi | |
371 | fi | |
372 | done | |
373 | ||
374 | ipsec_strongswan_load | |
3eae7bed JS |
375 | } |
376 | ||
6740c9c5 | 377 | # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 378 | vpn_security_policies_write_config_key() { |
3eae7bed | 379 | assert [ $# -ge 3 ] |
6740c9c5 | 380 | |
3eae7bed JS |
381 | local name=${1} |
382 | local key=${2} | |
383 | shift 2 | |
6740c9c5 | 384 | |
3eae7bed JS |
385 | local value="$@" |
386 | ||
6740c9c5 | 387 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
388 | log ERROR "No such vpn security policy: ${name}" |
389 | return ${EXIT_ERROR} | |
390 | fi | |
391 | ||
392 | log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}" | |
393 | ||
394 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
395 | ||
396 | # Read the config settings | |
6740c9c5 | 397 | if ! vpn_security_policies_read_config "${name}"; then |
3eae7bed JS |
398 | return ${EXIT_ERROR} |
399 | fi | |
400 | ||
401 | # Set the key to a new value | |
402 | assign "${key}" "${value}" | |
403 | ||
6740c9c5 | 404 | if ! vpn_security_policies_write_config "${name}"; then |
3eae7bed JS |
405 | return ${EXIT_ERROR} |
406 | fi | |
407 | ||
408 | return ${EXIT_TRUE} | |
3eae7bed JS |
409 | } |
410 | ||
6740c9c5 | 411 | # Reads one or more keys out of a settings file or all if no key is provided. |
3eae7bed | 412 | vpn_security_policies_read_config() { |
3eae7bed JS |
413 | assert [ $# -ge 1 ] |
414 | ||
415 | local name="${1}" | |
416 | shift 1 | |
417 | ||
6740c9c5 | 418 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
419 | log ERROR "No such vpn security policy: ${name}" |
420 | return ${EXIT_ERROR} | |
421 | fi | |
422 | ||
423 | ||
424 | local args | |
425 | if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then | |
426 | list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
427 | else | |
2212045f | 428 | list_append args "$@" |
3eae7bed JS |
429 | fi |
430 | ||
431 | local path="$(vpn_security_policies_path ${name})" | |
432 | ||
433 | if ! settings_read "${path}" ${args}; then | |
434 | log ERROR "Could not read settings for vpn security policy ${name}" | |
435 | return ${EXIT_ERROR} | |
436 | fi | |
437 | } | |
438 | ||
6740c9c5 | 439 | # Returns the path to a the configuration fora given name |
3eae7bed | 440 | vpn_security_policies_path() { |
3eae7bed | 441 | assert [ $# -eq 1 ] |
6740c9c5 | 442 | |
3eae7bed JS |
443 | local name=${1} |
444 | ||
6740c9c5 | 445 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
446 | echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}" |
447 | else | |
448 | echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}" | |
449 | fi | |
450 | } | |
451 | ||
6740c9c5 | 452 | # Print the content of a vpn security policy configuration file in a nice way |
3eae7bed | 453 | vpn_security_policies_show() { |
3eae7bed | 454 | assert [ $# -eq 1 ] |
6740c9c5 | 455 | |
3eae7bed JS |
456 | local name=${1} |
457 | ||
458 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
3eae7bed JS |
459 | if ! vpn_security_policies_read_config ${name}; then |
460 | return ${EXIT_ERROR} | |
461 | fi | |
462 | ||
463 | cli_print_fmt1 0 "Security Policy: ${name}" | |
464 | cli_space | |
465 | ||
466 | # This could be done in a loop but a loop is much more complicated | |
467 | # because we print 'Group Types' but the variable is named 'GROUP_TYPES' | |
468 | cli_print_fmt1 1 "Ciphers:" | |
d21db419 MT |
469 | local cipher |
470 | for cipher in ${CIPHER}; do | |
471 | cli_print_fmt1 2 "${VPN_SUPPORTED_CIPHERS[${cipher}]-${cipher}}" | |
472 | done | |
3eae7bed | 473 | cli_space |
6740c9c5 | 474 | |
3eae7bed | 475 | cli_print_fmt1 1 "Integrity:" |
f3098f76 MT |
476 | local integrity |
477 | for integrity in ${INTEGRITY}; do | |
478 | cli_print_fmt1 2 "${VPN_SUPPORTED_INTEGRITY[${integrity}]-${integrity}}" | |
479 | done | |
3eae7bed | 480 | cli_space |
6740c9c5 | 481 | |
3eae7bed | 482 | cli_print_fmt1 1 "Group Types:" |
84c1cc17 MT |
483 | local group_type |
484 | for group_type in ${GROUP_TYPE}; do | |
485 | cli_print_fmt1 2 "${VPN_SUPPORTED_GROUP_TYPES[${group_type}]-${group_type}}" | |
486 | done | |
3eae7bed JS |
487 | cli_space |
488 | ||
489 | cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}" | |
6740c9c5 MT |
490 | |
491 | # Key Lifetime | |
3eae7bed JS |
492 | if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then |
493 | cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})" | |
494 | else | |
495 | log ERROR "The value for Key Lifetime is not a valid integer greater zero." | |
496 | fi | |
6740c9c5 MT |
497 | |
498 | # PFS | |
3eae7bed JS |
499 | if enabled PFS; then |
500 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" | |
501 | else | |
502 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" | |
503 | fi | |
504 | cli_space | |
6740c9c5 MT |
505 | |
506 | # Compression | |
3eae7bed JS |
507 | if enabled COMPRESSION; then |
508 | cli_print_fmt1 1 "Compression:" "enabled" | |
509 | else | |
510 | cli_print_fmt1 1 "Compression:" "disabled" | |
511 | fi | |
512 | cli_space | |
513 | } | |
514 | ||
6740c9c5 MT |
515 | # This function checks if a vpn security policy exists |
516 | # Returns True when yes and false when not | |
3eae7bed | 517 | vpn_security_policy_exists() { |
3eae7bed | 518 | assert [ $# -eq 1 ] |
6740c9c5 | 519 | |
3eae7bed JS |
520 | local name=${1} |
521 | ||
6740c9c5 MT |
522 | local path=$(vpn_security_policies_path "${name}") |
523 | ||
524 | [ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
3eae7bed JS |
525 | } |
526 | ||
527 | ||
6740c9c5 | 528 | # This function parses the parameters for the 'cipher' command |
3eae7bed | 529 | vpn_security_policies_cipher(){ |
3eae7bed JS |
530 | local name=${1} |
531 | shift | |
532 | ||
533 | if [ $# -eq 0 ]; then | |
534 | log ERROR "You must pass at least one value after cipher" | |
535 | return ${EXIT_ERROR} | |
536 | fi | |
537 | ||
538 | local CIPHER | |
3eae7bed JS |
539 | if ! vpn_security_policies_read_config ${name} "CIPHER"; then |
540 | return ${EXIT_ERROR} | |
541 | fi | |
542 | ||
543 | # Remove duplicated entries to proceed the list safely | |
544 | CIPHER="$(list_unique ${CIPHER})" | |
545 | ||
d9a6c183 MT |
546 | local ciphers_added |
547 | local ciphers_removed | |
548 | local ciphers_set | |
549 | ||
3eae7bed | 550 | while [ $# -gt 0 ]; do |
d9a6c183 MT |
551 | local arg="${1}" |
552 | ||
553 | case "${arg}" in | |
554 | +*) | |
555 | list_append ciphers_added "${arg:1}" | |
556 | ;; | |
3eae7bed | 557 | -*) |
d9a6c183 | 558 | list_append ciphers_removed "${arg:1}" |
3eae7bed | 559 | ;; |
d9a6c183 MT |
560 | [A-Z0-9]*) |
561 | list_append ciphers_set "${arg}" | |
562 | ;; | |
563 | *) | |
564 | error "Invalid argument: ${arg}" | |
565 | return ${EXIT_ERROR} | |
3eae7bed JS |
566 | ;; |
567 | esac | |
568 | shift | |
569 | done | |
570 | ||
d9a6c183 MT |
571 | # Check if the user is trying a mixed operation |
572 | if ! list_is_empty ciphers_set && (! list_is_empty ciphers_added || ! list_is_empty ciphers_removed); then | |
573 | error "You cannot reset the cipher list and add or remove ciphers at the same time" | |
574 | return ${EXIT_ERROR} | |
575 | fi | |
576 | ||
577 | # Set new cipher list | |
578 | if ! list_is_empty ciphers_set; then | |
579 | # Check if all ciphers are valid | |
580 | local cipher | |
581 | for cipher in ${ciphers_set}; do | |
582 | if ! vpn_security_policies_cipher_supported ${cipher}; then | |
583 | error "Unsupported cipher: ${cipher}" | |
584 | return ${EXIT_ERROR} | |
585 | fi | |
586 | done | |
587 | ||
6eb85c57 | 588 | CIPHER="${ciphers_set}" |
d9a6c183 MT |
589 | |
590 | # Perform incremental updates | |
3eae7bed | 591 | else |
d9a6c183 MT |
592 | local cipher |
593 | ||
594 | # Perform all removals | |
595 | for cipher in ${ciphers_removed}; do | |
596 | if ! list_remove CIPHER ${cipher}; then | |
597 | warning "${cipher} was not on the list and could not be removed" | |
598 | fi | |
599 | done | |
600 | ||
601 | for cipher in ${ciphers_added}; do | |
602 | if vpn_security_policies_cipher_supported ${cipher}; then | |
603 | if ! list_append_unique CIPHER ${cipher}; then | |
604 | warning "${cipher} is already on the cipher list" | |
605 | fi | |
606 | else | |
607 | warning "${cipher} is unknown or unsupported and could not be added" | |
608 | fi | |
609 | done | |
610 | fi | |
611 | ||
612 | # Check if the list contain at least one valid cipher | |
613 | if list_is_empty CIPHER; then | |
614 | error "Cannot save an empty cipher list" | |
3eae7bed JS |
615 | return ${EXIT_ERROR} |
616 | fi | |
d9a6c183 MT |
617 | |
618 | # Save everything | |
619 | if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then | |
620 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
621 | fi | |
622 | ||
623 | cli_headline 1 "Current cipher list for ${name}:" | |
624 | for cipher in ${CIPHER}; do | |
625 | cli_print_fmt1 1 "${cipher}" "${VPN_SUPPORTED_CIPHERS[${cipher}]}" | |
626 | done | |
3eae7bed JS |
627 | } |
628 | ||
6740c9c5 | 629 | # This function parses the parameters for the 'compression' command |
3eae7bed | 630 | vpn_security_policies_compression(){ |
3eae7bed JS |
631 | local name=${1} |
632 | local value=${2} | |
633 | ||
634 | # Check if we get only one argument after compression <name> | |
635 | if [ ! $# -eq 2 ]; then | |
636 | log ERROR "The number of arguments do not match. Only one argument after compression is allowed." | |
637 | return ${EXIT_ERROR} | |
638 | fi | |
639 | ||
640 | if ! isbool value; then | |
641 | # We suggest only two values to avoid overburding the user. | |
642 | log ERROR "Invalid Argument ${value}" | |
643 | return ${EXIT_ERROR} | |
644 | fi | |
645 | ||
646 | vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" | |
647 | } | |
648 | ||
6740c9c5 | 649 | # This function parses the parameters for the 'group-type' command |
3eae7bed | 650 | vpn_security_policies_group_type(){ |
3eae7bed JS |
651 | local name=${1} |
652 | shift | |
653 | ||
654 | if [ $# -eq 0 ]; then | |
655 | log ERROR "You must pass at least one value after group-type" | |
656 | return ${EXIT_ERROR} | |
657 | fi | |
658 | ||
659 | local GROUP_TYPE | |
3eae7bed JS |
660 | if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then |
661 | return ${EXIT_ERROR} | |
662 | fi | |
663 | ||
664 | # Remove duplicated entries to proceed the list safely | |
665 | GROUP_TYPE="$(list_unique ${GROUP_TYPE})" | |
666 | ||
1b58f970 JS |
667 | local group_types_added |
668 | local group_types_removed | |
669 | local group_types_set | |
670 | ||
3eae7bed | 671 | while [ $# -gt 0 ]; do |
1b58f970 JS |
672 | local arg="${1}" |
673 | ||
674 | case "${arg}" in | |
675 | +*) | |
676 | list_append group_types_added "${arg:1}" | |
677 | ;; | |
3eae7bed | 678 | -*) |
1b58f970 | 679 | list_append group_types_removed "${arg:1}" |
3eae7bed | 680 | ;; |
1b58f970 JS |
681 | [A-Z0-9]*) |
682 | list_append group_types_set "${arg}" | |
683 | ;; | |
684 | *) | |
685 | error "Invalid argument: ${arg}" | |
686 | return ${EXIT_ERROR} | |
3eae7bed JS |
687 | ;; |
688 | esac | |
689 | shift | |
690 | done | |
691 | ||
1b58f970 JS |
692 | # Check if the user is trying a mixed operation |
693 | if ! list_is_empty group_types_set && (! list_is_empty group_types_added || ! list_is_empty group_types_removed); then | |
694 | error "You cannot reset the group type list and add or remove group types at the same time" | |
695 | return ${EXIT_ERROR} | |
696 | fi | |
697 | ||
698 | # Set new group type list | |
699 | if ! list_is_empty group_types_set; then | |
700 | # Check if all group types are valid | |
701 | local group_type | |
702 | for group_type in ${group_types_set}; do | |
703 | if ! vpn_security_policies_group_type_supported ${group_type}; then | |
704 | error "Unsupported group type: ${group_type}" | |
705 | return ${EXIT_ERROR} | |
706 | fi | |
707 | done | |
708 | ||
709 | GROUP_TYPE="${group_types_set}" | |
710 | ||
711 | # Perform incremental updates | |
3eae7bed | 712 | else |
1b58f970 JS |
713 | local group_type |
714 | ||
715 | # Perform all removals | |
716 | for group_type in ${group_types_removed}; do | |
717 | if ! list_remove GROUP_TYPE ${group_type}; then | |
718 | warning "${group_type} was not on the list and could not be removed" | |
719 | fi | |
720 | done | |
721 | ||
722 | for group_type in ${group_types_added}; do | |
723 | if vpn_security_policies_group_type_supported ${group_type}; then | |
724 | if ! list_append_unique GROUP_TYPE ${group_type}; then | |
725 | warning "${group_type} is already on the group type list" | |
726 | fi | |
727 | else | |
728 | warning "${group_type} is unknown or unsupported and could not be added" | |
729 | fi | |
730 | done | |
731 | fi | |
732 | ||
733 | # Check if the list contain at least one valid group_type | |
734 | if list_is_empty GROUP_TYPE; then | |
735 | error "Cannot save an empty group type list" | |
3eae7bed JS |
736 | return ${EXIT_ERROR} |
737 | fi | |
1b58f970 JS |
738 | |
739 | # Save everything | |
740 | if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then | |
741 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
742 | fi | |
743 | ||
744 | cli_headline 1 "Current group type list for ${name}:" | |
745 | for group_type in ${GROUP_TYPE}; do | |
746 | cli_print_fmt1 1 "${group_type}" "${VPN_SUPPORTED_GROUP_TYPES[${group_type}]}" | |
747 | done | |
3eae7bed | 748 | } |
6740c9c5 MT |
749 | |
750 | # This function parses the parameters for the 'integrity' command | |
3eae7bed | 751 | vpn_security_policies_integrity(){ |
3eae7bed JS |
752 | local name=${1} |
753 | shift | |
754 | ||
755 | if [ $# -eq 0 ]; then | |
1b58f970 | 756 | log ERROR "You must pass at least one value after integrity" |
3eae7bed JS |
757 | return ${EXIT_ERROR} |
758 | fi | |
759 | ||
760 | local INTEGRITY | |
3eae7bed JS |
761 | if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then |
762 | return ${EXIT_ERROR} | |
763 | fi | |
764 | ||
765 | # Remove duplicated entries to proceed the list safely | |
766 | INTEGRITY="$(list_unique ${INTEGRITY})" | |
767 | ||
1b58f970 JS |
768 | local integritys_added |
769 | local integritys_removed | |
770 | local integritys_set | |
771 | ||
3eae7bed | 772 | while [ $# -gt 0 ]; do |
1b58f970 JS |
773 | local arg="${1}" |
774 | ||
775 | case "${arg}" in | |
776 | +*) | |
777 | list_append integritys_added "${arg:1}" | |
778 | ;; | |
3eae7bed | 779 | -*) |
1b58f970 | 780 | list_append integritys_removed "${arg:1}" |
3eae7bed | 781 | ;; |
1b58f970 JS |
782 | [A-Z0-9]*) |
783 | list_append integritys_set "${arg}" | |
784 | ;; | |
785 | *) | |
786 | error "Invalid argument: ${arg}" | |
787 | return ${EXIT_ERROR} | |
3eae7bed JS |
788 | ;; |
789 | esac | |
790 | shift | |
791 | done | |
792 | ||
1b58f970 JS |
793 | # Check if the user is trying a mixed operation |
794 | if ! list_is_empty integritys_set && (! list_is_empty integritys_added || ! list_is_empty integritys_removed); then | |
795 | error "You cannot reset the integrity hashes list and add or remove integrity hashes at the same time" | |
796 | return ${EXIT_ERROR} | |
797 | fi | |
798 | ||
799 | # Set new integrity list | |
800 | if ! list_is_empty integritys_set; then | |
801 | # Check if all integrity hashes are valid | |
802 | local integrity | |
803 | for integrity in ${integritys_set}; do | |
804 | if ! vpn_security_policies_integrity_supported ${integrity}; then | |
805 | error "Unsupported integrity hash: ${integrity}" | |
806 | return ${EXIT_ERROR} | |
807 | fi | |
808 | done | |
809 | ||
810 | INTEGRITY="${integritys_set}" | |
811 | ||
812 | # Perform incremental updates | |
3eae7bed | 813 | else |
1b58f970 JS |
814 | local integrity |
815 | ||
816 | # Perform all removals | |
817 | for integrity in ${integritys_removed}; do | |
818 | if ! list_remove INTEGRITY ${integrity}; then | |
819 | warning "${integrity} was not on the list and could not be removed" | |
820 | fi | |
821 | done | |
822 | ||
823 | for integrity in ${integritys_added}; do | |
824 | if vpn_security_policies_integrity_supported ${integrity}; then | |
825 | if ! list_append_unique INTEGRITY ${integrity}; then | |
826 | warning "${integrity} is already on the integrity list" | |
827 | fi | |
828 | else | |
829 | warning "${integrity} is unknown or unsupported and could not be added" | |
830 | fi | |
831 | done | |
832 | fi | |
833 | ||
834 | # Check if the list contain at least one valid integrity | |
835 | if list_is_empty INTEGRITY; then | |
836 | error "Cannot save an empty integrity hashes list" | |
3eae7bed JS |
837 | return ${EXIT_ERROR} |
838 | fi | |
1b58f970 JS |
839 | |
840 | # Save everything | |
841 | if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then | |
842 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
843 | fi | |
844 | ||
845 | cli_headline 1 "Current integrity hashes list for ${name}:" | |
846 | for integrity in ${INTEGRITY}; do | |
847 | cli_print_fmt1 1 "${integrity}" "${VPN_SUPPORTED_INTEGRITY[${integrity}]}" | |
848 | done | |
3eae7bed JS |
849 | } |
850 | ||
6740c9c5 | 851 | # This function parses the parameters for the 'key-exchange' command |
3eae7bed | 852 | vpn_security_policies_key_exchange() { |
3eae7bed JS |
853 | local name=${1} |
854 | local value=${2} | |
6740c9c5 | 855 | |
3eae7bed JS |
856 | # Check if we get only one argument after key-exchange <name> |
857 | if [ ! $# -eq 2 ]; then | |
858 | log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed." | |
859 | return ${EXIT_ERROR} | |
860 | fi | |
861 | ||
3eae7bed JS |
862 | if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then |
863 | log ERROR "Invalid Argument ${value}" | |
864 | return ${EXIT_ERROR} | |
865 | fi | |
866 | ||
867 | vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}" | |
868 | } | |
869 | ||
6740c9c5 | 870 | # This function parses the parameters for the 'lifetime' command. |
3eae7bed | 871 | vpn_security_policies_lifetime(){ |
3eae7bed JS |
872 | local name=${1} |
873 | shift | |
6740c9c5 | 874 | |
3eae7bed JS |
875 | local value=$@ |
876 | ||
877 | # Check if we get only one argument after lifetime <name> | |
878 | if [ ! $# -ge 1 ]; then | |
879 | log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s" | |
880 | return ${EXIT_ERROR} | |
881 | fi | |
882 | ||
883 | if ! isinteger value; then | |
2212045f | 884 | value=$(parse_time "$@") |
3eae7bed JS |
885 | if [ ! $? -eq 0 ]; then |
886 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
887 | return ${EXIT_ERROR} | |
888 | fi | |
889 | fi | |
890 | ||
891 | if [ ${value} -le 0 ]; then | |
892 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
893 | return ${EXIT_ERROR} | |
894 | fi | |
895 | ||
896 | vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" | |
897 | } | |
898 | ||
6740c9c5 | 899 | # This function parses the parameters for the 'pfs' command |
3eae7bed | 900 | vpn_security_policies_pfs(){ |
3eae7bed JS |
901 | local name=${1} |
902 | local value=${2} | |
903 | ||
904 | # Check if we get only one argument after pfs <name> | |
905 | if [ ! $# -eq 2 ]; then | |
906 | log ERROR "The number of arguments do not match. Only argument after pfs is allowed." | |
907 | return ${EXIT_ERROR} | |
908 | fi | |
909 | ||
910 | if [ ! $# -eq 2 ] || ! isbool value; then | |
911 | # We suggest only two values to avoid overburding the user. | |
912 | log ERROR "Invalid Argument ${value}" | |
913 | return ${EXIT_ERROR} | |
914 | fi | |
915 | ||
916 | vpn_security_policies_write_config_key "${name}" "PFS" "${value}" | |
917 | } | |
918 | ||
6740c9c5 MT |
919 | # This function checks if a vpn security policy name is valid |
920 | # Allowed are only A-Za-z0-9 | |
3eae7bed | 921 | vpn_security_policies_check_name() { |
3eae7bed | 922 | assert [ $# -eq 1 ] |
6740c9c5 | 923 | |
3eae7bed | 924 | local name=${1} |
6740c9c5 | 925 | |
3eae7bed JS |
926 | [[ ${name} =~ [^[:alnum:]$] ]] |
927 | } | |
928 | ||
6740c9c5 | 929 | # Function that creates based on the paramters one ore more new vpn security policies |
3eae7bed | 930 | vpn_security_policies_new() { |
58aa0edf MT |
931 | if [ $# -gt 1 ]; then |
932 | error "Too many arguments" | |
3eae7bed JS |
933 | return ${EXIT_ERROR} |
934 | fi | |
935 | ||
58aa0edf MT |
936 | local name="${1}" |
937 | if ! isset name; then | |
938 | error "Please provide a name" | |
939 | return ${EXIT_ERROR} | |
940 | fi | |
3eae7bed | 941 | |
58aa0edf MT |
942 | # Check for duplicates |
943 | if vpn_security_policy_exists "${name}"; then | |
944 | error "The VPN security policy with name ${name} already exists" | |
945 | return ${EXIT_ERROR} | |
946 | fi | |
3eae7bed | 947 | |
58aa0edf MT |
948 | # Check if name is valid |
949 | if vpn_security_policies_check_name "${name}"; then | |
950 | error "'${name}' contains illegal characters" | |
951 | return ${EXIT_ERROR} | |
952 | fi | |
3eae7bed | 953 | |
58aa0edf MT |
954 | # Check if we have a read-only policy with the same name |
955 | if vpn_security_policies_check_readonly "${name}"; then | |
956 | error "The VPN security policy ${name} is read-only" | |
957 | return ${EXIT_ERROR} | |
958 | fi | |
959 | ||
6fdbda80 MT |
960 | # Check if our source policy exists |
961 | if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then | |
962 | error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist" | |
963 | return ${EXIT_ERROR} | |
964 | fi | |
965 | ||
58aa0edf MT |
966 | log DEBUG "Creating VPN Security Policy ${name}" |
967 | ||
88013fd8 | 968 | if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" \ |
aab75c48 | 969 | "$(vpn_security_policies_path ${name})"; then |
58aa0edf MT |
970 | log INFO "VPN Security Policy ${name} successfully created" |
971 | else | |
972 | log ERROR "Could not create VPN Security Policy ${name}" | |
973 | return ${EXIT_ERROR} | |
974 | fi | |
c787fea5 MT |
975 | |
976 | # Show the newly created policy | |
977 | vpn_security_policies_show "${name}" | |
3eae7bed JS |
978 | } |
979 | ||
6740c9c5 | 980 | # Function that deletes based on the passed parameters one ore more vpn security policies |
3eae7bed | 981 | vpn_security_policies_destroy() { |
3eae7bed | 982 | local name |
2212045f | 983 | for name in "$@"; do |
3eae7bed JS |
984 | if ! vpn_security_policy_exists ${name}; then |
985 | log ERROR "The vpn security policy ${name} does not exist." | |
986 | continue | |
987 | fi | |
988 | ||
989 | if vpn_security_policies_check_readonly ${name}; then | |
990 | log ERROR "The vpn security policy ${name} cannot be deleted." | |
991 | continue | |
992 | fi | |
993 | ||
994 | log DEBUG "Deleting vpn security policy ${name}" | |
995 | settings_remove $(vpn_security_policies_path ${name}) | |
26b47a99 MT |
996 | |
997 | # Delete cache | |
998 | rm -rf "${NETWORK_CACHE_DIR}/vpn/security-policies/${name}" | |
3eae7bed JS |
999 | done |
1000 | } | |
d69af00f | 1001 | |
d9a6c183 MT |
1002 | vpn_security_policies_cipher_supported() { |
1003 | local cipher=${1} | |
1004 | ||
1005 | list_match ${cipher} ${!VPN_SUPPORTED_CIPHERS[@]} | |
1006 | } | |
1007 | ||
1b58f970 JS |
1008 | |
1009 | vpn_security_policies_group_type_supported() { | |
1010 | local group_type=${1} | |
1011 | ||
1012 | list_match ${group_type} ${!VPN_SUPPORTED_GROUP_TYPES[@]} | |
1013 | } | |
1014 | ||
1015 | vpn_security_policies_integrity_supported() { | |
1016 | local integrity=${1} | |
1017 | ||
1018 | list_match ${integrity} ${!VPN_SUPPORTED_INTEGRITY[@]} | |
1019 | } | |
1020 | ||
0d645497 MT |
1021 | vpn_security_policies_cipher_is_aead() { |
1022 | local cipher=${1} | |
1023 | ||
1024 | # All CCM and GCM ciphers are AEAD | |
831e3597 MT |
1025 | if string_match "[CG]CM" "${cipher}"; then |
1026 | return ${EXIT_TRUE} | |
1027 | fi | |
1028 | ||
1029 | # Poly1305 is AEAD | |
1030 | if string_match "POLY1305" "${cipher}"; then | |
1031 | return ${EXIT_TRUE} | |
1032 | fi | |
1033 | ||
1034 | return ${EXIT_FALSE} | |
0d645497 MT |
1035 | } |
1036 | ||
e3ffacf7 | 1037 | vpn_security_policies_make_ike_proposal() { |
d69af00f MT |
1038 | local name=${1} |
1039 | ||
e1947a76 MT |
1040 | if ! vpn_security_policy_exists ${name}; then |
1041 | return ${EXIT_ERROR} | |
1042 | fi | |
1043 | ||
1044 | local config_path="$(vpn_security_policies_path ${name})" | |
e3ffacf7 | 1045 | local cache_path="${NETWORK_CACHE_DIR}/vpn/security-policies/${name}/ike-proposal" |
e1947a76 MT |
1046 | |
1047 | # Get data from cache if possible | |
1048 | if file_exists "${cache_path}" && ! file_is_newer_than "${config_path}" "${cache_path}"; then | |
1049 | fread "${cache_path}" | |
1050 | return ${EXIT_OK} | |
1051 | fi | |
1052 | ||
1053 | # No or invalid cache data found | |
e3ffacf7 | 1054 | local proposal=$(_vpn_security_policies_make_ike_proposal "${name}") |
e1947a76 MT |
1055 | |
1056 | # Write proposal to cache | |
46954be3 | 1057 | if ! make_parent_directory "${cache_path}" || ! fwrite "${cache_path}" "${proposal}"; then |
e1947a76 MT |
1058 | log WARNING "Could not write to cache: ${cache_path}" |
1059 | fi | |
1060 | ||
1061 | print "${proposal}" | |
1062 | } | |
1063 | ||
e3ffacf7 | 1064 | _vpn_security_policies_make_ike_proposal() { |
e1947a76 MT |
1065 | local name=${1} |
1066 | ||
d69af00f MT |
1067 | # Read the config settings |
1068 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1069 | if ! vpn_security_policies_read_config "${name}"; then | |
1070 | return ${EXIT_ERROR} | |
1071 | fi | |
1072 | ||
1073 | local proposals | |
1074 | ||
1075 | local cipher | |
1076 | for cipher in ${CIPHER}; do | |
1077 | # Translate cipher | |
1078 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
1079 | ||
1080 | if ! isset _cipher; then | |
1081 | log WARN "Unsupported cipher: ${cipher}" | |
1082 | continue | |
1083 | fi | |
1084 | ||
1085 | local integrity | |
1086 | for integrity in ${INTEGRITY}; do | |
1087 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} | |
1088 | ||
1089 | if ! isset _integrity; then | |
1090 | log WARN "Unsupported integrity: ${integrity}" | |
1091 | continue | |
1092 | fi | |
1093 | ||
1094 | local group_type | |
1095 | for group_type in ${GROUP_TYPE}; do | |
1096 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
1097 | ||
1098 | if ! isset _group_type; then | |
1099 | log WARN "Unsupported group-type: ${group_type}" | |
1100 | continue | |
1101 | fi | |
1102 | ||
1103 | # Put everything together | |
1104 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
1105 | done | |
1106 | done | |
1107 | done | |
1108 | ||
1109 | # Returns as a comma-separated list | |
1110 | list_join proposals , | |
1111 | } | |
0d645497 MT |
1112 | |
1113 | vpn_security_policies_make_esp_proposal() { | |
1114 | local name=${1} | |
1115 | ||
e1947a76 MT |
1116 | if ! vpn_security_policy_exists ${name}; then |
1117 | return ${EXIT_ERROR} | |
1118 | fi | |
1119 | ||
1120 | local config_path="$(vpn_security_policies_path ${name})" | |
1121 | local cache_path="${NETWORK_CACHE_DIR}/vpn/security-policies/${name}/esp-proposal" | |
1122 | ||
1123 | # Get data from cache if possible | |
1124 | if file_exists "${cache_path}" && ! file_is_newer_than "${config_path}" "${cache_path}"; then | |
1125 | fread "${cache_path}" | |
1126 | return ${EXIT_OK} | |
1127 | fi | |
1128 | ||
1129 | # No or invalid cache data found | |
1130 | local proposal=$(_vpn_security_policies_make_esp_proposal "${name}") | |
1131 | ||
1132 | # Write proposal to cache | |
46954be3 | 1133 | if ! make_parent_directory "${cache_path}" || ! fwrite "${cache_path}" "${proposal}"; then |
e1947a76 MT |
1134 | log WARNING "Could not write to cache: ${cache_path}" |
1135 | fi | |
1136 | ||
1137 | print "${proposal}" | |
1138 | } | |
1139 | ||
1140 | _vpn_security_policies_make_esp_proposal() { | |
1141 | local name=${1} | |
1142 | ||
0d645497 MT |
1143 | # Read the config settings |
1144 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1145 | if ! vpn_security_policies_read_config "${name}"; then | |
1146 | return ${EXIT_ERROR} | |
1147 | fi | |
1148 | ||
1149 | local proposals | |
1150 | ||
1151 | local cipher | |
1152 | for cipher in ${CIPHER}; do | |
1153 | # Translate cipher | |
1154 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
1155 | ||
1156 | if ! isset _cipher; then | |
1157 | log WARN "Unsupported cipher: ${cipher}" | |
1158 | continue | |
1159 | fi | |
1160 | ||
1161 | if vpn_security_policies_cipher_is_aead ${cipher}; then | |
1162 | local group_type | |
1163 | for group_type in ${GROUP_TYPE}; do | |
1164 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
1165 | ||
1166 | if ! isset _group_type; then | |
1167 | log WARN "Unsupported group-type: ${group_type}" | |
1168 | continue | |
1169 | fi | |
1170 | ||
1171 | # Put everything together | |
1172 | list_append proposals "${_cipher}-${_group_type}" | |
1173 | done | |
1174 | else | |
1175 | local integrity | |
1176 | for integrity in ${INTEGRITY}; do | |
1177 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} | |
1178 | ||
1179 | if ! isset _integrity; then | |
1180 | log WARN "Unsupported integrity: ${integrity}" | |
1181 | continue | |
1182 | fi | |
1183 | ||
1184 | local group_type | |
1185 | for group_type in ${GROUP_TYPE}; do | |
1186 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
1187 | ||
1188 | if ! isset _group_type; then | |
1189 | log WARN "Unsupported group-type: ${group_type}" | |
1190 | continue | |
1191 | fi | |
1192 | ||
1193 | # Put everything together | |
1194 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
1195 | done | |
1196 | done | |
1197 | fi | |
1198 | done | |
1199 | ||
1200 | # Returns as a comma-separated list | |
1201 | list_join proposals , | |
1202 | } | |
a00e7803 JS |
1203 | |
1204 | # List all security policies | |
1205 | vpn_security_policies_list_all() { | |
60b1f378 | 1206 | list_directory "${NETWORK_SHARE_DIR}/vpn/security-policies" |
a00e7803 | 1207 | |
3cac4fcd MT |
1208 | # Add all user-defined policies |
1209 | vpn_security_policies_list_user | |
1210 | } | |
1211 | ||
1212 | vpn_security_policies_list_user() { | |
60b1f378 | 1213 | list_directory "${NETWORK_CONFIG_DIR}/vpn/security-policies" |
a00e7803 | 1214 | } |