]>
Commit | Line | Data |
---|---|---|
3eae7bed JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
a6d140eb | 22 | VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHERS COMPRESSION GROUP_TYPES \ |
0c1844c0 | 23 | INTEGRITIES PSEUDO_RANDOM_FUNCTIONS KEY_EXCHANGE LIFETIME PFS" |
878cfa3e | 24 | VPN_SECURITY_POLICIES_READONLY="system performance" |
3eae7bed | 25 | |
6fdbda80 MT |
26 | VPN_DEFAULT_SECURITY_POLICY="system" |
27 | ||
b116ad92 | 28 | declare -A VPN_SUPPORTED_CIPHERS=( |
b68fed1f MT |
29 | # 3DES-CBC |
30 | [3DES-CBC]="168 bit 3DES-EDE-CBC" | |
31 | ||
32 | # AES-CBC | |
b116ad92 MT |
33 | [AES256-CBC]="256 bit AES-CBC" |
34 | [AES192-CBC]="192 bit AES-CBC" | |
35 | [AES128-CBC]="128 bit AES-CBC" | |
b68fed1f MT |
36 | |
37 | # AES-CTR | |
38 | [AES256-CTR]="256 bit AES-COUNTER" | |
39 | [AES192-CTR]="192 bit AES-COUNTER" | |
40 | [AES128-CTR]="128 bit AES-COUNTER" | |
41 | ||
42 | # AES-GCM | |
43 | [AES256-GCM128]="256 bit AES-GCM with 128 bit ICV" | |
44 | [AES192-GCM128]="192 bit AES-GCM with 128 bit ICV" | |
45 | [AES128-GCM128]="128 bit AES-GCM with 128 bit ICV" | |
46 | [AES256-GCM96]="256 bit AES-GCM with 96 bit ICV" | |
47 | [AES192-GCM96]="192 bit AES-GCM with 96 bit ICV" | |
48 | [AES128-GCM96]="128 bit AES-GCM with 96 bit ICV" | |
49 | [AES256-GCM64]="256 bit AES-GCM with 64 bit ICV" | |
50 | [AES192-GCM64]="192 bit AES-GCM with 64 bit ICV" | |
51 | [AES128-GCM64]="128 bit AES-GCM with 64 bit ICV" | |
52 | ||
53 | # AES-CCM | |
54 | [AES256-CCM128]="256 bit AES-CCM with 128 bit ICV" | |
55 | [AES192-CCM128]="192 bit AES-CCM with 128 bit ICV" | |
56 | [AES128-CCM128]="128 bit AES-CCM with 128 bit ICV" | |
57 | [AES256-CCM96]="256 bit AES-CCM with 96 bit ICV" | |
58 | [AES192-CCM96]="192 bit AES-CCM with 96 bit ICV" | |
59 | [AES128-CCM96]="128 bit AES-CCM with 96 bit ICV" | |
60 | [AES256-CCM64]="256 bit AES-CCM with 64 bit ICV" | |
61 | [AES192-CCM64]="192 bit AES-CCM with 64 bit ICV" | |
62 | [AES128-CCM64]="128 bit AES-CCM with 64 bit ICV" | |
63 | ||
64 | # CAMELLIA-CBC | |
65 | [CAMELLIA256-CBC]="256 bit CAMELLIA-CBC" | |
66 | [CAMELLIA192-CBC]="192 bit CAMELLIA-CBC" | |
67 | [CAMELLIA128-CBC]="128 bit CAMELLIA-CBC" | |
68 | ||
69 | # CAMELLIA-CTR | |
70 | [CAMELLIA256-CTR]="256 bit CAMELLIA-COUNTER" | |
71 | [CAMELLIA192-CTR]="192 bit CAMELLIA-COUNTER" | |
72 | [CAMELLIA128-CTR]="128 bit CAMELLIA-COUNTER" | |
73 | ||
74 | # CAMELLIA-GCM | |
75 | [CAMELLIA256-GCM128]="256 bit CAMELLIA-GCM with 128 bit ICV" | |
76 | [CAMELLIA192-GCM128]="192 bit CAMELLIA-GCM with 128 bit ICV" | |
77 | [CAMELLIA128-GCM128]="128 bit CAMELLIA-GCM with 128 bit ICV" | |
78 | [CAMELLIA256-GCM96]="256 bit CAMELLIA-GCM with 96 bit ICV" | |
79 | [CAMELLIA192-GCM96]="192 bit CAMELLIA-GCM with 96 bit ICV" | |
80 | [CAMELLIA128-GCM96]="128 bit CAMELLIA-GCM with 96 bit ICV" | |
81 | [CAMELLIA256-GCM64]="256 bit CAMELLIA-GCM with 64 bit ICV" | |
82 | [CAMELLIA192-GCM64]="192 bit CAMELLIA-GCM with 64 bit ICV" | |
83 | [CAMELLIA128-GCM64]="128 bit CAMELLIA-GCM with 64 bit ICV" | |
84 | ||
85 | # CAMELLIA-CCM | |
86 | [CAMELLIA256-CCM128]="256 bit CAMELLIA-CCM with 128 bit ICV" | |
87 | [CAMELLIA192-CCM128]="192 bit CAMELLIA-CCM with 128 bit ICV" | |
88 | [CAMELLIA128-CCM128]="128 bit CAMELLIA-CCM with 128 bit ICV" | |
89 | [CAMELLIA256-CCM96]="256 bit CAMELLIA-CCM with 96 bit ICV" | |
90 | [CAMELLIA192-CCM96]="192 bit CAMELLIA-CCM with 96 bit ICV" | |
91 | [CAMELLIA128-CCM96]="128 bit CAMELLIA-CCM with 96 bit ICV" | |
92 | [CAMELLIA256-CCM64]="256 bit CAMELLIA-CCM with 64 bit ICV" | |
93 | [CAMELLIA192-CCM64]="192 bit CAMELLIA-CCM with 64 bit ICV" | |
94 | [CAMELLIA128-CCM64]="128 bit CAMELLIA-CCM with 64 bit ICV" | |
d9a8af16 | 95 | |
51fa7039 MT |
96 | # DJB |
97 | [CHACHA20-POLY1305]="256 bit ChaCha20/Poly1305 with 128 bit ICV" | |
98 | ||
d9a8af16 MT |
99 | # No Encryption |
100 | [NULL]="No Encryption" | |
b116ad92 MT |
101 | ) |
102 | ||
d69af00f MT |
103 | declare -A CIPHER_TO_STRONGSWAN=( |
104 | # 3DES-CBC | |
105 | [3DES-CBC]="3des" | |
106 | ||
107 | # AES-CBC | |
108 | [AES256-CBC]="aes256" | |
109 | [AES192-CBC]="aes192" | |
110 | [AES128-CBC]="aes128" | |
111 | ||
112 | # AES-CTR | |
113 | [AES256-CTR]="aes256ctr" | |
114 | [AES192-CTR]="aes192ctr" | |
115 | [AES128-CTR]="aes128ctr" | |
116 | ||
117 | # AES-GCM | |
118 | [AES256-GCM128]="aes256gcm128" | |
119 | [AES192-GCM128]="aes192gcm128" | |
120 | [AES128-GCM128]="aes128gcm128" | |
121 | [AES256-GCM96]="aes256gcm96" | |
122 | [AES192-GCM96]="aes192gcm96" | |
123 | [AES128-GCM96]="aes128gcm96" | |
124 | [AES256-GCM64]="aes256gcm64" | |
125 | [AES192-GCM64]="aes192gcm64" | |
126 | [AES128-GCM64]="aes128gcm64" | |
127 | ||
128 | # AES-CCM | |
129 | [AES256-CCM128]="aes256ccm128" | |
130 | [AES192-CCM128]="aes192ccm128" | |
131 | [AES128-CCM128]="aes128ccm128" | |
132 | [AES256-CCM96]="aes256ccm96" | |
133 | [AES192-CCM96]="aes192ccm96" | |
134 | [AES128-CCM96]="aes128ccm96" | |
135 | [AES256-CCM64]="aes256ccm64" | |
136 | [AES192-CCM64]="aes192ccm64" | |
137 | [AES128-CCM64]="aes128ccm64" | |
138 | ||
139 | # CAMELLIA-CBC | |
140 | [CAMELLIA256-CBC]="camellia256" | |
141 | [CAMELLIA192-CBC]="camellia192" | |
142 | [CAMELLIA128-CBC]="camellia128" | |
143 | ||
144 | # CAMELLIA-CTR | |
145 | [CAMELLIA256-CTR]="camellia256ctr" | |
146 | [CAMELLIA192-CTR]="camellia192ctr" | |
147 | [CAMELLIA128-CTR]="camellia128ctr" | |
148 | ||
149 | # CAMELLIA-GCM | |
150 | [CAMELLIA256-GCM128]="camellia256gcm128" | |
151 | [CAMELLIA192-GCM128]="camellia192gcm128" | |
152 | [CAMELLIA128-GCM128]="camellia128gcm128" | |
153 | [CAMELLIA256-GCM96]="camellia256gcm96" | |
154 | [CAMELLIA192-GCM96]="camellia192gcm96" | |
155 | [CAMELLIA128-GCM96]="camellia128gcm96" | |
156 | [CAMELLIA256-GCM64]="camellia256gcm64" | |
157 | [CAMELLIA192-GCM64]="camellia192gcm64" | |
158 | [CAMELLIA128-GCM64]="camellia128gcm64" | |
159 | ||
160 | # CAMELLIA-CCM | |
161 | [CAMELLIA256-CCM128]="camellia256ccm128" | |
162 | [CAMELLIA192-CCM128]="camellia192ccm128" | |
163 | [CAMELLIA128-CCM128]="camellia128ccm128" | |
164 | [CAMELLIA256-CCM96]="camellia256ccm96" | |
165 | [CAMELLIA192-CCM96]="camellia192ccm96" | |
166 | [CAMELLIA128-CCM96]="camellia128ccm96" | |
167 | [CAMELLIA256-CCM64]="camellia256ccm64" | |
168 | [CAMELLIA192-CCM64]="camellia192ccm64" | |
169 | [CAMELLIA128-CCM64]="camellia128ccm64" | |
d9a8af16 | 170 | |
51fa7039 MT |
171 | # DJB |
172 | [CHACHA20-POLY1305]="chacha20poly1305" | |
173 | ||
d9a8af16 MT |
174 | # No Encryption |
175 | [NULL]="null" | |
d69af00f MT |
176 | ) |
177 | ||
f2a2bf3c | 178 | declare -A VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTIONS=( |
9e4b2cdc MT |
179 | [MD5]="MD5" |
180 | ||
181 | # SHA | |
182 | [SHA1]="SHA1" | |
183 | [SHA256]="SHA256" | |
184 | [SHA384]="SHA384" | |
185 | [SHA512]="SHA512" | |
186 | ||
187 | # AES | |
188 | [AES-XCBC]="AES-XCBC" | |
189 | [AES-CMAC]="AES-CMAC" | |
190 | ) | |
191 | ||
192 | declare -A PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN=( | |
193 | [MD5]="prfmd5" | |
194 | ||
195 | # SHA | |
196 | [SHA1]="prfsha1" | |
197 | [SHA256]="prfsha256" | |
198 | [SHA384]="prfsha384" | |
199 | [SHA512]="prfsha512" | |
200 | ||
201 | # AES | |
202 | [AES-XCBC]="prfaesxcbc" | |
203 | [AES-CMAC]="prfaescmac" | |
204 | ) | |
205 | ||
0c1844c0 | 206 | declare -A VPN_SUPPORTED_INTEGRITIES=( |
3a0c376c MT |
207 | [MD5]="MD5-HMAC" |
208 | ||
209 | # SHA | |
210 | [SHA1]="SHA1-HMAC" | |
3003747b | 211 | [SHA512]="512 bit SHA2-HMAC" |
3a0c376c MT |
212 | [SHA384]="384 bit SHA2-HMAC" |
213 | [SHA256]="256 bit SHA2-HMAC" | |
214 | ||
215 | # AES | |
216 | [AES-XCBC]="AES-XCBC" | |
217 | [AES-CMAC]="AES-CMAC" | |
218 | [AES256-GMAC]="256 bit AES-GMAC" | |
219 | [AES192-GMAC]="192 bit AES-GMAC" | |
220 | [AES128-GMAC]="128 bit AES-GMAC" | |
221 | ) | |
222 | ||
d69af00f MT |
223 | declare -A INTEGRITY_TO_STRONGSWAN=( |
224 | [MD5]="md5" | |
225 | ||
226 | # SHA | |
227 | [SHA1]="sha1" | |
228 | [SHA512]="sha512" | |
229 | [SHA384]="sha384" | |
230 | [SHA256]="sha256" | |
231 | ||
232 | # AES | |
233 | [AES-XCBC]="aesxcbc" | |
234 | [AES-CMAC]="aescmac" | |
235 | [AES256-GMAC]="aes256gmac" | |
236 | [AES192-GMAC]="aes192gmac" | |
237 | [AES128-GMAC]="aes128gmac" | |
238 | ) | |
239 | ||
54fc6c3f MT |
240 | declare -A VPN_SUPPORTED_GROUP_TYPES=( |
241 | # Regular Groups | |
242 | [MODP768]="768 bit Modulo Prime Group" | |
243 | [MODP1024]="1024 bit Modulo Prime Group" | |
244 | [MODP1536]="1536 bit Modulo Prime Group" | |
245 | [MODP2048]="2048 bit Modulo Prime Group" | |
246 | [MODP3072]="3072 bit Modulo Prime Group" | |
247 | [MODP4096]="4096 bit Modulo Prime Group" | |
248 | [MODP6144]="6144 bit Modulo Prime Group" | |
249 | [MODP8192]="8192 bit Modulo Prime Group" | |
250 | ||
251 | # NIST Elliptic Curve Groups | |
252 | [ECP192]="192 bit NIST Elliptic Curve Group" | |
253 | [ECP224]="224 bit NIST Elliptic Curve Group" | |
254 | [ECP256]="256 bit NIST Elliptic Curve Group" | |
255 | [ECP384]="384 bit NIST Elliptic Curve Group" | |
256 | [ECP521]="521 bit NIST Elliptic Curve Group" | |
257 | ||
258 | # Brainpool Elliptic Curve Groups | |
259 | [ECP224BP]="224 bit Brainpool Elliptic Curve Group" | |
260 | [ECP256BP]="256 bit Brainpool Elliptic Curve Group" | |
261 | [ECP384BP]="384 bit Brainpool Elliptic Curve Group" | |
262 | [ECP512BP]="512 bit Brainpool Elliptic Curve Group" | |
263 | ||
264 | # Curve25519 | |
265 | [CURVE25519]="256 bit Elliptic Curve 25519" | |
27208caa MT |
266 | |
267 | # Curve448 | |
268 | [CURVE448]="224 bit Elliptic Curve 448" | |
54fc6c3f | 269 | ) |
3eae7bed | 270 | |
d69af00f MT |
271 | declare -A GROUP_TYPE_TO_STRONGSWAN=( |
272 | # Regular Groups | |
273 | [MODP768]="modp768" | |
274 | [MODP1024]="modp1024" | |
275 | [MODP1536]="modp1536" | |
276 | [MODP2048]="modp2048" | |
277 | [MODP3072]="modp3072" | |
278 | [MODP4096]="modp4096" | |
279 | [MODP6144]="modp6144" | |
280 | [MODP8192]="modp8192" | |
281 | ||
282 | # NIST Elliptic Curve Groups | |
283 | [ECP192]="ecp192" | |
284 | [ECP224]="ecp224" | |
285 | [ECP256]="ecp256" | |
286 | [ECP384]="ecp384" | |
287 | [ECP521]="ecp521" | |
288 | ||
289 | # Brainpool Elliptic Curve Groups | |
290 | [ECP224BP]="ecp224bp" | |
291 | [ECP256BP]="ecp256bp" | |
292 | [ECP384BP]="ecp384bp" | |
293 | [ECP512BP]="ecp512bp" | |
294 | ||
27208caa | 295 | # More Curves |
d69af00f | 296 | [CURVE25519]="curve25519" |
27208caa | 297 | [CURVE448]="curve448" |
d69af00f MT |
298 | ) |
299 | ||
2da98f56 MT |
300 | cli_vpn_security_policies() { |
301 | local action | |
302 | local security_policy | |
303 | ||
304 | if vpn_security_policy_exists ${1}; then | |
305 | security_policy=${1} | |
306 | key=${2} | |
307 | shift 2 | |
308 | ||
309 | case "${key}" in | |
0c1844c0 | 310 | ciphers|compression|integrities|lifetime|pfs|show) |
2212045f | 311 | vpn_security_policies_${key} ${security_policy} "$@" |
2da98f56 | 312 | ;; |
cd9cba7d MT |
313 | pseudo-random-functions) |
314 | vpn_security_policies_pseudo_random_functions "${security_policy}" "$@" | |
315 | ;; | |
a6d140eb MT |
316 | group-types) |
317 | vpn_security_policies_group_types ${security_policy} "$@" | |
2da98f56 MT |
318 | ;; |
319 | key-exchange) | |
2212045f | 320 | vpn_security_policies_key_exchange ${security_policy} "$@" |
2da98f56 MT |
321 | ;; |
322 | *) | |
323 | error "Unrecognized argument: ${key}" | |
324 | exit ${EXIT_ERROR} | |
325 | ;; | |
326 | esac | |
327 | else | |
328 | action=${1} | |
329 | shift | |
330 | ||
331 | case "${action}" in | |
332 | new) | |
2212045f | 333 | vpn_security_policies_new "$@" |
2da98f56 MT |
334 | ;; |
335 | destroy) | |
2212045f | 336 | vpn_security_policies_destroy "$@" |
2da98f56 MT |
337 | ;; |
338 | ""|*) | |
339 | if [ -n "${action}" ]; then | |
340 | error "Unrecognized argument: '${action}'" | |
341 | fi | |
342 | exit ${EXIT_ERROR} | |
343 | ;; | |
344 | esac | |
345 | fi | |
346 | } | |
347 | ||
6740c9c5 MT |
348 | # This functions checks if a policy is readonly |
349 | # returns true when yes and false when no | |
3eae7bed | 350 | vpn_security_policies_check_readonly() { |
3eae7bed JS |
351 | if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then |
352 | return ${EXIT_TRUE} | |
353 | else | |
354 | return ${EXIT_FALSE} | |
355 | fi | |
356 | } | |
357 | ||
6740c9c5 | 358 | # This function writes all values to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 359 | vpn_security_policies_write_config() { |
3eae7bed JS |
360 | assert [ $# -ge 1 ] |
361 | ||
362 | local name="${1}" | |
363 | ||
6740c9c5 | 364 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
365 | log ERROR "No such vpn security policy: ${name}" |
366 | return ${EXIT_ERROR} | |
367 | fi | |
368 | ||
6740c9c5 | 369 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
370 | log ERROR "The ${name} vpn security policy cannot be changed." |
371 | return ${EXIT_ERROR} | |
372 | fi | |
373 | ||
6740c9c5 | 374 | local path="$(vpn_security_policies_path "${name}")" |
3eae7bed JS |
375 | if [ ! -w ${path} ]; then |
376 | log ERROR "${path} is not writeable" | |
377 | return ${EXIT_ERROR} | |
378 | fi | |
379 | ||
380 | if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then | |
381 | log ERROR "Could not write configuration settings for vpn security policy ${name}" | |
382 | return ${EXIT_ERROR} | |
383 | fi | |
384 | ||
f0e91d26 JS |
385 | if ! vpn_security_policies_reload ${name}; then |
386 | log WARNING "Could not reload the IPsec connection using this security policy" | |
387 | return ${EXIT_ERROR} | |
388 | fi | |
389 | } | |
390 | ||
391 | # reload IPsec connections using a special policy | |
392 | vpn_security_policies_reload() { | |
393 | local name=${1} | |
394 | ||
395 | local connection | |
396 | for connection in $(ipsec_list_connections); do | |
5601f4f5 JS |
397 | local SECURITY_POLICY ENABLED |
398 | ||
f0e91d26 JS |
399 | if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then |
400 | continue | |
401 | fi | |
402 | ||
5601f4f5 | 403 | if [[ "${SECURITY_POLICY}" = "${name}" ]] && enabled ENABLED; then |
f0e91d26 JS |
404 | if ! ipsec_connection_to_strongswan "${connection}"; then |
405 | log ERROR "Could not generate strongswan config for ${connnection}" | |
406 | fi | |
407 | fi | |
408 | done | |
409 | ||
410 | ipsec_strongswan_load | |
3eae7bed JS |
411 | } |
412 | ||
6740c9c5 | 413 | # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 414 | vpn_security_policies_write_config_key() { |
3eae7bed | 415 | assert [ $# -ge 3 ] |
6740c9c5 | 416 | |
3eae7bed JS |
417 | local name=${1} |
418 | local key=${2} | |
419 | shift 2 | |
6740c9c5 | 420 | |
3eae7bed JS |
421 | local value="$@" |
422 | ||
6740c9c5 | 423 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
424 | log ERROR "No such vpn security policy: ${name}" |
425 | return ${EXIT_ERROR} | |
426 | fi | |
427 | ||
428 | log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}" | |
429 | ||
430 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
431 | ||
432 | # Read the config settings | |
6740c9c5 | 433 | if ! vpn_security_policies_read_config "${name}"; then |
3eae7bed JS |
434 | return ${EXIT_ERROR} |
435 | fi | |
436 | ||
437 | # Set the key to a new value | |
438 | assign "${key}" "${value}" | |
439 | ||
6740c9c5 | 440 | if ! vpn_security_policies_write_config "${name}"; then |
3eae7bed JS |
441 | return ${EXIT_ERROR} |
442 | fi | |
443 | ||
444 | return ${EXIT_TRUE} | |
3eae7bed JS |
445 | } |
446 | ||
6740c9c5 | 447 | # Reads one or more keys out of a settings file or all if no key is provided. |
3eae7bed | 448 | vpn_security_policies_read_config() { |
3eae7bed JS |
449 | assert [ $# -ge 1 ] |
450 | ||
451 | local name="${1}" | |
452 | shift 1 | |
453 | ||
6740c9c5 | 454 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
455 | log ERROR "No such vpn security policy: ${name}" |
456 | return ${EXIT_ERROR} | |
457 | fi | |
458 | ||
459 | ||
460 | local args | |
461 | if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then | |
462 | list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
463 | else | |
2212045f | 464 | list_append args "$@" |
3eae7bed JS |
465 | fi |
466 | ||
467 | local path="$(vpn_security_policies_path ${name})" | |
468 | ||
469 | if ! settings_read "${path}" ${args}; then | |
470 | log ERROR "Could not read settings for vpn security policy ${name}" | |
471 | return ${EXIT_ERROR} | |
472 | fi | |
473 | } | |
474 | ||
6740c9c5 | 475 | # Returns the path to a the configuration fora given name |
3eae7bed | 476 | vpn_security_policies_path() { |
3eae7bed | 477 | assert [ $# -eq 1 ] |
6740c9c5 | 478 | |
3eae7bed JS |
479 | local name=${1} |
480 | ||
6740c9c5 | 481 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
482 | echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}" |
483 | else | |
484 | echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}" | |
485 | fi | |
486 | } | |
487 | ||
6740c9c5 | 488 | # Print the content of a vpn security policy configuration file in a nice way |
3eae7bed | 489 | vpn_security_policies_show() { |
3eae7bed | 490 | assert [ $# -eq 1 ] |
6740c9c5 | 491 | |
3eae7bed JS |
492 | local name=${1} |
493 | ||
494 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
3eae7bed JS |
495 | if ! vpn_security_policies_read_config ${name}; then |
496 | return ${EXIT_ERROR} | |
497 | fi | |
498 | ||
499 | cli_print_fmt1 0 "Security Policy: ${name}" | |
500 | cli_space | |
501 | ||
502 | # This could be done in a loop but a loop is much more complicated | |
503 | # because we print 'Group Types' but the variable is named 'GROUP_TYPES' | |
504 | cli_print_fmt1 1 "Ciphers:" | |
d21db419 | 505 | local cipher |
57d62b96 | 506 | for cipher in ${CIPHERS}; do |
d21db419 MT |
507 | cli_print_fmt1 2 "${VPN_SUPPORTED_CIPHERS[${cipher}]-${cipher}}" |
508 | done | |
3eae7bed | 509 | cli_space |
6740c9c5 | 510 | |
3eae7bed | 511 | cli_print_fmt1 1 "Integrity:" |
f3098f76 | 512 | local integrity |
0c1844c0 MT |
513 | for integrity in ${INTEGRITIES}; do |
514 | cli_print_fmt1 2 "${VPN_SUPPORTED_INTEGRITIES[${integrity}]-${integrity}}" | |
f3098f76 | 515 | done |
3eae7bed | 516 | cli_space |
6740c9c5 | 517 | |
16a68a9b MT |
518 | cli_print_fmt1 1 "Pseudo Random Functions:" |
519 | local prf | |
520 | for prf in ${PSEUDO_RANDOM_FUNCTIONS}; do | |
521 | cli_print_fmt1 2 "${VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTIONS[${prf}]-${prf}}" | |
522 | done | |
523 | cli_space | |
524 | ||
3eae7bed | 525 | cli_print_fmt1 1 "Group Types:" |
84c1cc17 | 526 | local group_type |
a6d140eb | 527 | for group_type in ${GROUP_TYPES}; do |
84c1cc17 MT |
528 | cli_print_fmt1 2 "${VPN_SUPPORTED_GROUP_TYPES[${group_type}]-${group_type}}" |
529 | done | |
3eae7bed JS |
530 | cli_space |
531 | ||
532 | cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}" | |
6740c9c5 MT |
533 | |
534 | # Key Lifetime | |
3eae7bed JS |
535 | if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then |
536 | cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})" | |
537 | else | |
538 | log ERROR "The value for Key Lifetime is not a valid integer greater zero." | |
539 | fi | |
6740c9c5 MT |
540 | |
541 | # PFS | |
3eae7bed JS |
542 | if enabled PFS; then |
543 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" | |
544 | else | |
545 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" | |
546 | fi | |
547 | cli_space | |
6740c9c5 MT |
548 | |
549 | # Compression | |
3eae7bed JS |
550 | if enabled COMPRESSION; then |
551 | cli_print_fmt1 1 "Compression:" "enabled" | |
552 | else | |
553 | cli_print_fmt1 1 "Compression:" "disabled" | |
554 | fi | |
555 | cli_space | |
556 | } | |
557 | ||
6740c9c5 MT |
558 | # This function checks if a vpn security policy exists |
559 | # Returns True when yes and false when not | |
3eae7bed | 560 | vpn_security_policy_exists() { |
3eae7bed | 561 | assert [ $# -eq 1 ] |
6740c9c5 | 562 | |
3eae7bed JS |
563 | local name=${1} |
564 | ||
6740c9c5 MT |
565 | local path=$(vpn_security_policies_path "${name}") |
566 | ||
567 | [ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
3eae7bed JS |
568 | } |
569 | ||
570 | ||
6740c9c5 | 571 | # This function parses the parameters for the 'cipher' command |
57d62b96 | 572 | vpn_security_policies_ciphers() { |
3eae7bed JS |
573 | local name=${1} |
574 | shift | |
575 | ||
576 | if [ $# -eq 0 ]; then | |
577 | log ERROR "You must pass at least one value after cipher" | |
578 | return ${EXIT_ERROR} | |
579 | fi | |
580 | ||
57d62b96 MT |
581 | local CIPHERS |
582 | if ! vpn_security_policies_read_config ${name} "CIPHERS"; then | |
3eae7bed JS |
583 | return ${EXIT_ERROR} |
584 | fi | |
585 | ||
586 | # Remove duplicated entries to proceed the list safely | |
57d62b96 | 587 | CIPHERS="$(list_unique ${CIPHERS})" |
3eae7bed | 588 | |
d9a6c183 MT |
589 | local ciphers_added |
590 | local ciphers_removed | |
591 | local ciphers_set | |
592 | ||
3eae7bed | 593 | while [ $# -gt 0 ]; do |
d9a6c183 MT |
594 | local arg="${1}" |
595 | ||
596 | case "${arg}" in | |
597 | +*) | |
598 | list_append ciphers_added "${arg:1}" | |
599 | ;; | |
3eae7bed | 600 | -*) |
d9a6c183 | 601 | list_append ciphers_removed "${arg:1}" |
3eae7bed | 602 | ;; |
d9a6c183 MT |
603 | [A-Z0-9]*) |
604 | list_append ciphers_set "${arg}" | |
605 | ;; | |
606 | *) | |
607 | error "Invalid argument: ${arg}" | |
608 | return ${EXIT_ERROR} | |
3eae7bed JS |
609 | ;; |
610 | esac | |
611 | shift | |
612 | done | |
613 | ||
d9a6c183 MT |
614 | # Check if the user is trying a mixed operation |
615 | if ! list_is_empty ciphers_set && (! list_is_empty ciphers_added || ! list_is_empty ciphers_removed); then | |
616 | error "You cannot reset the cipher list and add or remove ciphers at the same time" | |
617 | return ${EXIT_ERROR} | |
618 | fi | |
619 | ||
620 | # Set new cipher list | |
621 | if ! list_is_empty ciphers_set; then | |
622 | # Check if all ciphers are valid | |
623 | local cipher | |
624 | for cipher in ${ciphers_set}; do | |
625 | if ! vpn_security_policies_cipher_supported ${cipher}; then | |
626 | error "Unsupported cipher: ${cipher}" | |
627 | return ${EXIT_ERROR} | |
628 | fi | |
629 | done | |
630 | ||
57d62b96 | 631 | CIPHERS="${ciphers_set}" |
d9a6c183 MT |
632 | |
633 | # Perform incremental updates | |
3eae7bed | 634 | else |
d9a6c183 MT |
635 | local cipher |
636 | ||
637 | # Perform all removals | |
638 | for cipher in ${ciphers_removed}; do | |
57d62b96 | 639 | if ! list_remove CIPHERS ${cipher}; then |
d9a6c183 MT |
640 | warning "${cipher} was not on the list and could not be removed" |
641 | fi | |
642 | done | |
643 | ||
644 | for cipher in ${ciphers_added}; do | |
645 | if vpn_security_policies_cipher_supported ${cipher}; then | |
57d62b96 | 646 | if ! list_append_unique CIPHERS ${cipher}; then |
d9a6c183 MT |
647 | warning "${cipher} is already on the cipher list" |
648 | fi | |
649 | else | |
650 | warning "${cipher} is unknown or unsupported and could not be added" | |
651 | fi | |
652 | done | |
653 | fi | |
654 | ||
655 | # Check if the list contain at least one valid cipher | |
57d62b96 | 656 | if list_is_empty CIPHERS; then |
d9a6c183 | 657 | error "Cannot save an empty cipher list" |
3eae7bed JS |
658 | return ${EXIT_ERROR} |
659 | fi | |
d9a6c183 MT |
660 | |
661 | # Save everything | |
57d62b96 | 662 | if ! vpn_security_policies_write_config_key ${name} "CIPHERS" ${CIPHERS}; then |
d9a6c183 MT |
663 | log ERROR "The changes for the vpn security policy ${name} could not be written." |
664 | fi | |
665 | ||
666 | cli_headline 1 "Current cipher list for ${name}:" | |
57d62b96 | 667 | for cipher in ${CIPHERS}; do |
d9a6c183 MT |
668 | cli_print_fmt1 1 "${cipher}" "${VPN_SUPPORTED_CIPHERS[${cipher}]}" |
669 | done | |
3eae7bed JS |
670 | } |
671 | ||
6740c9c5 | 672 | # This function parses the parameters for the 'compression' command |
3eae7bed | 673 | vpn_security_policies_compression(){ |
3eae7bed JS |
674 | local name=${1} |
675 | local value=${2} | |
676 | ||
677 | # Check if we get only one argument after compression <name> | |
678 | if [ ! $# -eq 2 ]; then | |
679 | log ERROR "The number of arguments do not match. Only one argument after compression is allowed." | |
680 | return ${EXIT_ERROR} | |
681 | fi | |
682 | ||
683 | if ! isbool value; then | |
684 | # We suggest only two values to avoid overburding the user. | |
685 | log ERROR "Invalid Argument ${value}" | |
686 | return ${EXIT_ERROR} | |
687 | fi | |
688 | ||
689 | vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" | |
690 | } | |
691 | ||
6740c9c5 | 692 | # This function parses the parameters for the 'group-type' command |
a6d140eb | 693 | vpn_security_policies_group_types() { |
3eae7bed JS |
694 | local name=${1} |
695 | shift | |
696 | ||
697 | if [ $# -eq 0 ]; then | |
698 | log ERROR "You must pass at least one value after group-type" | |
699 | return ${EXIT_ERROR} | |
700 | fi | |
701 | ||
a6d140eb MT |
702 | local GROUP_TYPES |
703 | if ! vpn_security_policies_read_config ${name} "GROUP_TYPES"; then | |
3eae7bed JS |
704 | return ${EXIT_ERROR} |
705 | fi | |
706 | ||
707 | # Remove duplicated entries to proceed the list safely | |
a6d140eb | 708 | GROUP_TYPES="$(list_unique ${GROUP_TYPES})" |
3eae7bed | 709 | |
1b58f970 JS |
710 | local group_types_added |
711 | local group_types_removed | |
712 | local group_types_set | |
713 | ||
3eae7bed | 714 | while [ $# -gt 0 ]; do |
1b58f970 JS |
715 | local arg="${1}" |
716 | ||
717 | case "${arg}" in | |
718 | +*) | |
719 | list_append group_types_added "${arg:1}" | |
720 | ;; | |
3eae7bed | 721 | -*) |
1b58f970 | 722 | list_append group_types_removed "${arg:1}" |
3eae7bed | 723 | ;; |
1b58f970 JS |
724 | [A-Z0-9]*) |
725 | list_append group_types_set "${arg}" | |
726 | ;; | |
727 | *) | |
728 | error "Invalid argument: ${arg}" | |
729 | return ${EXIT_ERROR} | |
3eae7bed JS |
730 | ;; |
731 | esac | |
732 | shift | |
733 | done | |
734 | ||
1b58f970 JS |
735 | # Check if the user is trying a mixed operation |
736 | if ! list_is_empty group_types_set && (! list_is_empty group_types_added || ! list_is_empty group_types_removed); then | |
737 | error "You cannot reset the group type list and add or remove group types at the same time" | |
738 | return ${EXIT_ERROR} | |
739 | fi | |
740 | ||
741 | # Set new group type list | |
742 | if ! list_is_empty group_types_set; then | |
743 | # Check if all group types are valid | |
744 | local group_type | |
745 | for group_type in ${group_types_set}; do | |
746 | if ! vpn_security_policies_group_type_supported ${group_type}; then | |
747 | error "Unsupported group type: ${group_type}" | |
748 | return ${EXIT_ERROR} | |
749 | fi | |
750 | done | |
751 | ||
a6d140eb | 752 | GROUP_TYPES="${group_types_set}" |
1b58f970 JS |
753 | |
754 | # Perform incremental updates | |
3eae7bed | 755 | else |
1b58f970 JS |
756 | local group_type |
757 | ||
758 | # Perform all removals | |
759 | for group_type in ${group_types_removed}; do | |
a6d140eb | 760 | if ! list_remove GROUP_TYPES ${group_type}; then |
1b58f970 JS |
761 | warning "${group_type} was not on the list and could not be removed" |
762 | fi | |
763 | done | |
764 | ||
765 | for group_type in ${group_types_added}; do | |
766 | if vpn_security_policies_group_type_supported ${group_type}; then | |
a6d140eb | 767 | if ! list_append_unique GROUP_TYPES ${group_type}; then |
1b58f970 JS |
768 | warning "${group_type} is already on the group type list" |
769 | fi | |
770 | else | |
771 | warning "${group_type} is unknown or unsupported and could not be added" | |
772 | fi | |
773 | done | |
774 | fi | |
775 | ||
776 | # Check if the list contain at least one valid group_type | |
a6d140eb | 777 | if list_is_empty GROUP_TYPES; then |
1b58f970 | 778 | error "Cannot save an empty group type list" |
3eae7bed JS |
779 | return ${EXIT_ERROR} |
780 | fi | |
1b58f970 JS |
781 | |
782 | # Save everything | |
a6d140eb | 783 | if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPES" ${GROUP_TYPES}; then |
1b58f970 JS |
784 | log ERROR "The changes for the vpn security policy ${name} could not be written." |
785 | fi | |
786 | ||
787 | cli_headline 1 "Current group type list for ${name}:" | |
a6d140eb | 788 | for group_type in ${GROUP_TYPES}; do |
1b58f970 JS |
789 | cli_print_fmt1 1 "${group_type}" "${VPN_SUPPORTED_GROUP_TYPES[${group_type}]}" |
790 | done | |
3eae7bed | 791 | } |
6740c9c5 MT |
792 | |
793 | # This function parses the parameters for the 'integrity' command | |
0c1844c0 | 794 | vpn_security_policies_integrities() { |
3eae7bed JS |
795 | local name=${1} |
796 | shift | |
797 | ||
798 | if [ $# -eq 0 ]; then | |
0c1844c0 | 799 | log ERROR "You must pass at least one value" |
3eae7bed JS |
800 | return ${EXIT_ERROR} |
801 | fi | |
802 | ||
0c1844c0 MT |
803 | local INTEGRITIES |
804 | if ! vpn_security_policies_read_config ${name} "INTEGRITIES"; then | |
3eae7bed JS |
805 | return ${EXIT_ERROR} |
806 | fi | |
807 | ||
808 | # Remove duplicated entries to proceed the list safely | |
0c1844c0 | 809 | INTEGRITIES="$(list_unique ${INTEGRITIES})" |
3eae7bed | 810 | |
1b58f970 JS |
811 | local integritys_added |
812 | local integritys_removed | |
813 | local integritys_set | |
814 | ||
3eae7bed | 815 | while [ $# -gt 0 ]; do |
1b58f970 JS |
816 | local arg="${1}" |
817 | ||
818 | case "${arg}" in | |
819 | +*) | |
820 | list_append integritys_added "${arg:1}" | |
821 | ;; | |
3eae7bed | 822 | -*) |
1b58f970 | 823 | list_append integritys_removed "${arg:1}" |
3eae7bed | 824 | ;; |
1b58f970 JS |
825 | [A-Z0-9]*) |
826 | list_append integritys_set "${arg}" | |
827 | ;; | |
828 | *) | |
829 | error "Invalid argument: ${arg}" | |
830 | return ${EXIT_ERROR} | |
3eae7bed JS |
831 | ;; |
832 | esac | |
833 | shift | |
834 | done | |
835 | ||
1b58f970 JS |
836 | # Check if the user is trying a mixed operation |
837 | if ! list_is_empty integritys_set && (! list_is_empty integritys_added || ! list_is_empty integritys_removed); then | |
838 | error "You cannot reset the integrity hashes list and add or remove integrity hashes at the same time" | |
839 | return ${EXIT_ERROR} | |
840 | fi | |
841 | ||
842 | # Set new integrity list | |
843 | if ! list_is_empty integritys_set; then | |
844 | # Check if all integrity hashes are valid | |
845 | local integrity | |
846 | for integrity in ${integritys_set}; do | |
847 | if ! vpn_security_policies_integrity_supported ${integrity}; then | |
848 | error "Unsupported integrity hash: ${integrity}" | |
849 | return ${EXIT_ERROR} | |
850 | fi | |
851 | done | |
852 | ||
0c1844c0 | 853 | INTEGRITIES="${integritys_set}" |
1b58f970 JS |
854 | |
855 | # Perform incremental updates | |
3eae7bed | 856 | else |
1b58f970 JS |
857 | local integrity |
858 | ||
859 | # Perform all removals | |
860 | for integrity in ${integritys_removed}; do | |
0c1844c0 | 861 | if ! list_remove INTEGRITIES ${integrity}; then |
1b58f970 JS |
862 | warning "${integrity} was not on the list and could not be removed" |
863 | fi | |
864 | done | |
865 | ||
866 | for integrity in ${integritys_added}; do | |
867 | if vpn_security_policies_integrity_supported ${integrity}; then | |
0c1844c0 | 868 | if ! list_append_unique INTEGRITIES ${integrity}; then |
1b58f970 JS |
869 | warning "${integrity} is already on the integrity list" |
870 | fi | |
871 | else | |
872 | warning "${integrity} is unknown or unsupported and could not be added" | |
873 | fi | |
874 | done | |
875 | fi | |
876 | ||
877 | # Check if the list contain at least one valid integrity | |
0c1844c0 | 878 | if list_is_empty INTEGRITIES; then |
1b58f970 | 879 | error "Cannot save an empty integrity hashes list" |
3eae7bed JS |
880 | return ${EXIT_ERROR} |
881 | fi | |
1b58f970 JS |
882 | |
883 | # Save everything | |
0c1844c0 | 884 | if ! vpn_security_policies_write_config_key ${name} "INTEGRITIES" ${INTEGRITIES}; then |
1b58f970 JS |
885 | log ERROR "The changes for the vpn security policy ${name} could not be written." |
886 | fi | |
887 | ||
888 | cli_headline 1 "Current integrity hashes list for ${name}:" | |
0c1844c0 MT |
889 | for integrity in ${INTEGRITIES}; do |
890 | cli_print_fmt1 1 "${integrity}" "${VPN_SUPPORTED_INTEGRITIES[${integrity}]}" | |
1b58f970 | 891 | done |
3eae7bed JS |
892 | } |
893 | ||
cd9cba7d MT |
894 | # This function parses the parameters for the 'pseudo-random-functions' command |
895 | vpn_security_policies_pseudo_random_functions() { | |
896 | local name=${1} | |
897 | shift | |
898 | ||
899 | if [ $# -eq 0 ]; then | |
900 | log ERROR "You must pass at least one value" | |
901 | return ${EXIT_ERROR} | |
902 | fi | |
903 | ||
f2a2bf3c MT |
904 | local PSEUDO_RANDOM_FUNCTIONS |
905 | if ! vpn_security_policies_read_config ${name} "PSEUDO_RANDOM_FUNCTIONS"; then | |
cd9cba7d MT |
906 | return ${EXIT_ERROR} |
907 | fi | |
908 | ||
909 | # Remove duplicated entries to proceed the list safely | |
f2a2bf3c | 910 | PSEUDO_RANDOM_FUNCTIONS="$(list_unique ${PSEUDO_RANDOM_FUNCTIONS})" |
cd9cba7d MT |
911 | |
912 | local prfs_added | |
913 | local prfs_removed | |
914 | local prfs_set | |
915 | ||
916 | while [ $# -gt 0 ]; do | |
917 | local arg="${1}" | |
918 | ||
919 | case "${arg}" in | |
920 | +*) | |
921 | list_append prfs_added "${arg:1}" | |
922 | ;; | |
923 | -*) | |
924 | list_append prfs_removed "${arg:1}" | |
925 | ;; | |
926 | [A-Z0-9]*) | |
927 | list_append prfs_set "${arg}" | |
928 | ;; | |
929 | *) | |
930 | error "Invalid argument: ${arg}" | |
931 | return ${EXIT_ERROR} | |
932 | ;; | |
933 | esac | |
934 | shift | |
935 | done | |
936 | ||
937 | # Check if the user is trying a mixed operation | |
938 | if ! list_is_empty prfs_set && (! list_is_empty prfs_added || ! list_is_empty prfs_removed); then | |
939 | error "You cannot reset the pseudo random function list and add or remove functions at the same time" | |
940 | return ${EXIT_ERROR} | |
941 | fi | |
942 | ||
943 | # Set new psudo random function list | |
944 | if ! list_is_empty prfs_set; then | |
945 | # Check if all PRFs are valid | |
946 | local prf | |
947 | for prf in ${prfs_set}; do | |
948 | if ! vpn_security_policies_pseudo_random_function_supported "${prf}"; then | |
949 | error "Unsupported pseudo random function: ${prf}" | |
950 | return ${EXIT_ERROR} | |
951 | fi | |
952 | done | |
953 | ||
f2a2bf3c | 954 | PSEUDO_RANDOM_FUNCTIONS="${prfs_set}" |
cd9cba7d MT |
955 | |
956 | # Perform incremental updates | |
957 | else | |
958 | local prf | |
959 | ||
960 | # Perform all removals | |
961 | for prf in ${prfs_removed}; do | |
f2a2bf3c | 962 | if ! list_remove PSEUDO_RANDOM_FUNCTIONS "${prf}"; then |
cd9cba7d MT |
963 | warning "${prf} was not on the list and could not be removed" |
964 | fi | |
965 | done | |
966 | ||
967 | for prf in ${prfs_added}; do | |
968 | if vpn_security_policies_pseudo_random_function_supported "${prf}"; then | |
f2a2bf3c | 969 | if ! list_append_unique PSEUDO_RANDOM_FUNCTIONS "${prf}"; then |
cd9cba7d MT |
970 | warning "${prf} is already on the list" |
971 | fi | |
972 | else | |
973 | warning "${prf} is unknown or unsupported and could not be added" | |
974 | fi | |
975 | done | |
976 | fi | |
977 | ||
978 | # Check if the list contain at least one valid value | |
f2a2bf3c | 979 | if list_is_empty PSEUDO_RANDOM_FUNCTIONS; then |
cd9cba7d MT |
980 | error "Cannot save an empty list of pseudo random functions" |
981 | return ${EXIT_ERROR} | |
982 | fi | |
983 | ||
984 | # Save everything | |
f2a2bf3c | 985 | if ! vpn_security_policies_write_config_key "${name}" "PSEUDO_RANDOM_FUNCTIONS" "${PSEUDO_RANDOM_FUNCTIONS}"; then |
cd9cba7d MT |
986 | log ERROR "The changes for the VPN security policy ${name} could not be written" |
987 | fi | |
988 | ||
989 | cli_headline 1 "Current pseudo random function list for ${name}:" | |
f2a2bf3c MT |
990 | for prf in ${PSEUDO_RANDOM_FUNCTIONS}; do |
991 | cli_print_fmt1 1 "${prf}" "${VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTIONS[${prf}]}" | |
cd9cba7d MT |
992 | done |
993 | } | |
994 | ||
6740c9c5 | 995 | # This function parses the parameters for the 'key-exchange' command |
3eae7bed | 996 | vpn_security_policies_key_exchange() { |
3eae7bed JS |
997 | local name=${1} |
998 | local value=${2} | |
6740c9c5 | 999 | |
3eae7bed JS |
1000 | # Check if we get only one argument after key-exchange <name> |
1001 | if [ ! $# -eq 2 ]; then | |
1002 | log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed." | |
1003 | return ${EXIT_ERROR} | |
1004 | fi | |
1005 | ||
3eae7bed JS |
1006 | if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then |
1007 | log ERROR "Invalid Argument ${value}" | |
1008 | return ${EXIT_ERROR} | |
1009 | fi | |
1010 | ||
1011 | vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}" | |
1012 | } | |
1013 | ||
6740c9c5 | 1014 | # This function parses the parameters for the 'lifetime' command. |
3eae7bed | 1015 | vpn_security_policies_lifetime(){ |
3eae7bed JS |
1016 | local name=${1} |
1017 | shift | |
6740c9c5 | 1018 | |
3eae7bed JS |
1019 | local value=$@ |
1020 | ||
1021 | # Check if we get only one argument after lifetime <name> | |
1022 | if [ ! $# -ge 1 ]; then | |
1023 | log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s" | |
1024 | return ${EXIT_ERROR} | |
1025 | fi | |
1026 | ||
1027 | if ! isinteger value; then | |
2212045f | 1028 | value=$(parse_time "$@") |
3eae7bed JS |
1029 | if [ ! $? -eq 0 ]; then |
1030 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
1031 | return ${EXIT_ERROR} | |
1032 | fi | |
1033 | fi | |
1034 | ||
1035 | if [ ${value} -le 0 ]; then | |
1036 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
1037 | return ${EXIT_ERROR} | |
1038 | fi | |
1039 | ||
1040 | vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" | |
1041 | } | |
1042 | ||
6740c9c5 | 1043 | # This function parses the parameters for the 'pfs' command |
3eae7bed | 1044 | vpn_security_policies_pfs(){ |
3eae7bed JS |
1045 | local name=${1} |
1046 | local value=${2} | |
1047 | ||
1048 | # Check if we get only one argument after pfs <name> | |
1049 | if [ ! $# -eq 2 ]; then | |
1050 | log ERROR "The number of arguments do not match. Only argument after pfs is allowed." | |
1051 | return ${EXIT_ERROR} | |
1052 | fi | |
1053 | ||
1054 | if [ ! $# -eq 2 ] || ! isbool value; then | |
1055 | # We suggest only two values to avoid overburding the user. | |
1056 | log ERROR "Invalid Argument ${value}" | |
1057 | return ${EXIT_ERROR} | |
1058 | fi | |
1059 | ||
1060 | vpn_security_policies_write_config_key "${name}" "PFS" "${value}" | |
1061 | } | |
1062 | ||
6740c9c5 MT |
1063 | # This function checks if a vpn security policy name is valid |
1064 | # Allowed are only A-Za-z0-9 | |
3eae7bed | 1065 | vpn_security_policies_check_name() { |
3eae7bed | 1066 | assert [ $# -eq 1 ] |
6740c9c5 | 1067 | |
3eae7bed | 1068 | local name=${1} |
6740c9c5 | 1069 | |
3eae7bed JS |
1070 | [[ ${name} =~ [^[:alnum:]$] ]] |
1071 | } | |
1072 | ||
6740c9c5 | 1073 | # Function that creates based on the paramters one ore more new vpn security policies |
3eae7bed | 1074 | vpn_security_policies_new() { |
58aa0edf MT |
1075 | if [ $# -gt 1 ]; then |
1076 | error "Too many arguments" | |
3eae7bed JS |
1077 | return ${EXIT_ERROR} |
1078 | fi | |
1079 | ||
58aa0edf MT |
1080 | local name="${1}" |
1081 | if ! isset name; then | |
1082 | error "Please provide a name" | |
1083 | return ${EXIT_ERROR} | |
1084 | fi | |
3eae7bed | 1085 | |
58aa0edf MT |
1086 | # Check for duplicates |
1087 | if vpn_security_policy_exists "${name}"; then | |
1088 | error "The VPN security policy with name ${name} already exists" | |
1089 | return ${EXIT_ERROR} | |
1090 | fi | |
3eae7bed | 1091 | |
58aa0edf MT |
1092 | # Check if name is valid |
1093 | if vpn_security_policies_check_name "${name}"; then | |
1094 | error "'${name}' contains illegal characters" | |
1095 | return ${EXIT_ERROR} | |
1096 | fi | |
3eae7bed | 1097 | |
58aa0edf MT |
1098 | # Check if we have a read-only policy with the same name |
1099 | if vpn_security_policies_check_readonly "${name}"; then | |
1100 | error "The VPN security policy ${name} is read-only" | |
1101 | return ${EXIT_ERROR} | |
1102 | fi | |
1103 | ||
6fdbda80 MT |
1104 | # Check if our source policy exists |
1105 | if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then | |
1106 | error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist" | |
1107 | return ${EXIT_ERROR} | |
1108 | fi | |
1109 | ||
58aa0edf MT |
1110 | log DEBUG "Creating VPN Security Policy ${name}" |
1111 | ||
88013fd8 | 1112 | if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" \ |
aab75c48 | 1113 | "$(vpn_security_policies_path ${name})"; then |
58aa0edf MT |
1114 | log INFO "VPN Security Policy ${name} successfully created" |
1115 | else | |
1116 | log ERROR "Could not create VPN Security Policy ${name}" | |
1117 | return ${EXIT_ERROR} | |
1118 | fi | |
c787fea5 MT |
1119 | |
1120 | # Show the newly created policy | |
1121 | vpn_security_policies_show "${name}" | |
3eae7bed JS |
1122 | } |
1123 | ||
6740c9c5 | 1124 | # Function that deletes based on the passed parameters one ore more vpn security policies |
3eae7bed | 1125 | vpn_security_policies_destroy() { |
3eae7bed | 1126 | local name |
2212045f | 1127 | for name in "$@"; do |
3eae7bed JS |
1128 | if ! vpn_security_policy_exists ${name}; then |
1129 | log ERROR "The vpn security policy ${name} does not exist." | |
1130 | continue | |
1131 | fi | |
1132 | ||
1133 | if vpn_security_policies_check_readonly ${name}; then | |
1134 | log ERROR "The vpn security policy ${name} cannot be deleted." | |
1135 | continue | |
1136 | fi | |
1137 | ||
1138 | log DEBUG "Deleting vpn security policy ${name}" | |
1139 | settings_remove $(vpn_security_policies_path ${name}) | |
26b47a99 MT |
1140 | |
1141 | # Delete cache | |
1142 | rm -rf "${NETWORK_CACHE_DIR}/vpn/security-policies/${name}" | |
3eae7bed JS |
1143 | done |
1144 | } | |
d69af00f | 1145 | |
d9a6c183 MT |
1146 | vpn_security_policies_cipher_supported() { |
1147 | local cipher=${1} | |
1148 | ||
1149 | list_match ${cipher} ${!VPN_SUPPORTED_CIPHERS[@]} | |
1150 | } | |
1151 | ||
1b58f970 JS |
1152 | |
1153 | vpn_security_policies_group_type_supported() { | |
1154 | local group_type=${1} | |
1155 | ||
1156 | list_match ${group_type} ${!VPN_SUPPORTED_GROUP_TYPES[@]} | |
1157 | } | |
1158 | ||
1159 | vpn_security_policies_integrity_supported() { | |
1160 | local integrity=${1} | |
1161 | ||
0c1844c0 | 1162 | list_match ${integrity} ${!VPN_SUPPORTED_INTEGRITIES[@]} |
1b58f970 JS |
1163 | } |
1164 | ||
cd9cba7d MT |
1165 | vpn_security_policies_pseudo_random_function_supported() { |
1166 | local prf="${1}" | |
1167 | ||
f2a2bf3c | 1168 | list_match "${prf}" ${!VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTIONS[@]} |
cd9cba7d MT |
1169 | } |
1170 | ||
0d645497 MT |
1171 | vpn_security_policies_cipher_is_aead() { |
1172 | local cipher=${1} | |
1173 | ||
1174 | # All CCM and GCM ciphers are AEAD | |
831e3597 MT |
1175 | if string_match "[CG]CM" "${cipher}"; then |
1176 | return ${EXIT_TRUE} | |
1177 | fi | |
1178 | ||
1179 | # Poly1305 is AEAD | |
1180 | if string_match "POLY1305" "${cipher}"; then | |
1181 | return ${EXIT_TRUE} | |
1182 | fi | |
1183 | ||
1184 | return ${EXIT_FALSE} | |
0d645497 MT |
1185 | } |
1186 | ||
e3ffacf7 | 1187 | vpn_security_policies_make_ike_proposal() { |
d69af00f MT |
1188 | local name=${1} |
1189 | ||
e1947a76 MT |
1190 | if ! vpn_security_policy_exists ${name}; then |
1191 | return ${EXIT_ERROR} | |
1192 | fi | |
1193 | ||
1194 | local config_path="$(vpn_security_policies_path ${name})" | |
e3ffacf7 | 1195 | local cache_path="${NETWORK_CACHE_DIR}/vpn/security-policies/${name}/ike-proposal" |
e1947a76 MT |
1196 | |
1197 | # Get data from cache if possible | |
1198 | if file_exists "${cache_path}" && ! file_is_newer_than "${config_path}" "${cache_path}"; then | |
1199 | fread "${cache_path}" | |
1200 | return ${EXIT_OK} | |
1201 | fi | |
1202 | ||
1203 | # No or invalid cache data found | |
e3ffacf7 | 1204 | local proposal=$(_vpn_security_policies_make_ike_proposal "${name}") |
e1947a76 MT |
1205 | |
1206 | # Write proposal to cache | |
46954be3 | 1207 | if ! make_parent_directory "${cache_path}" || ! fwrite "${cache_path}" "${proposal}"; then |
e1947a76 MT |
1208 | log WARNING "Could not write to cache: ${cache_path}" |
1209 | fi | |
1210 | ||
1211 | print "${proposal}" | |
1212 | } | |
1213 | ||
e3ffacf7 | 1214 | _vpn_security_policies_make_ike_proposal() { |
e1947a76 MT |
1215 | local name=${1} |
1216 | ||
d69af00f MT |
1217 | # Read the config settings |
1218 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1219 | if ! vpn_security_policies_read_config "${name}"; then | |
1220 | return ${EXIT_ERROR} | |
1221 | fi | |
1222 | ||
1223 | local proposals | |
1224 | ||
1225 | local cipher | |
ded01e82 | 1226 | for cipher in ${CIPHERS}; do |
d69af00f MT |
1227 | # Translate cipher |
1228 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
1229 | ||
1230 | if ! isset _cipher; then | |
1231 | log WARN "Unsupported cipher: ${cipher}" | |
1232 | continue | |
1233 | fi | |
1234 | ||
9e4b2cdc MT |
1235 | if vpn_security_policies_cipher_is_aead "${cipher}"; then |
1236 | local prf | |
f2a2bf3c | 1237 | for prf in ${PSEUDO_RANDOM_FUNCTIONS}; do |
9e4b2cdc | 1238 | local _prf="${PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN[${prf}]}" |
d69af00f | 1239 | |
9e4b2cdc MT |
1240 | if ! isset _prf; then |
1241 | log WARN "Unsupported pseudo random function: ${prf}" | |
1242 | continue | |
1243 | fi | |
1244 | ||
1245 | local group_type | |
ded01e82 | 1246 | for group_type in ${GROUP_TYPES}; do |
9e4b2cdc | 1247 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} |
d69af00f | 1248 | |
9e4b2cdc MT |
1249 | if ! isset _group_type; then |
1250 | log WARN "Unsupported group-type: ${group_type}" | |
1251 | continue | |
1252 | fi | |
d69af00f | 1253 | |
9e4b2cdc MT |
1254 | # Put everything together |
1255 | list_append proposals "${_cipher}-${_prf}-${_group_type}" | |
1256 | done | |
1257 | done | |
1258 | else | |
1259 | local integrity | |
0c1844c0 | 1260 | for integrity in ${INTEGRITIES}; do |
9e4b2cdc MT |
1261 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} |
1262 | ||
1263 | if ! isset _integrity; then | |
1264 | log WARN "Unsupported integrity: ${integrity}" | |
d69af00f MT |
1265 | continue |
1266 | fi | |
1267 | ||
9e4b2cdc | 1268 | local group_type |
ded01e82 | 1269 | for group_type in ${GROUP_TYPES}; do |
9e4b2cdc MT |
1270 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} |
1271 | ||
1272 | if ! isset _group_type; then | |
1273 | log WARN "Unsupported group-type: ${group_type}" | |
1274 | continue | |
1275 | fi | |
1276 | ||
1277 | # Put everything together | |
1278 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
1279 | done | |
d69af00f | 1280 | done |
9e4b2cdc | 1281 | fi |
d69af00f MT |
1282 | done |
1283 | ||
1284 | # Returns as a comma-separated list | |
1285 | list_join proposals , | |
1286 | } | |
0d645497 MT |
1287 | |
1288 | vpn_security_policies_make_esp_proposal() { | |
1289 | local name=${1} | |
1290 | ||
e1947a76 MT |
1291 | if ! vpn_security_policy_exists ${name}; then |
1292 | return ${EXIT_ERROR} | |
1293 | fi | |
1294 | ||
1295 | local config_path="$(vpn_security_policies_path ${name})" | |
1296 | local cache_path="${NETWORK_CACHE_DIR}/vpn/security-policies/${name}/esp-proposal" | |
1297 | ||
1298 | # Get data from cache if possible | |
1299 | if file_exists "${cache_path}" && ! file_is_newer_than "${config_path}" "${cache_path}"; then | |
1300 | fread "${cache_path}" | |
1301 | return ${EXIT_OK} | |
1302 | fi | |
1303 | ||
1304 | # No or invalid cache data found | |
1305 | local proposal=$(_vpn_security_policies_make_esp_proposal "${name}") | |
1306 | ||
1307 | # Write proposal to cache | |
46954be3 | 1308 | if ! make_parent_directory "${cache_path}" || ! fwrite "${cache_path}" "${proposal}"; then |
e1947a76 MT |
1309 | log WARNING "Could not write to cache: ${cache_path}" |
1310 | fi | |
1311 | ||
1312 | print "${proposal}" | |
1313 | } | |
1314 | ||
1315 | _vpn_security_policies_make_esp_proposal() { | |
1316 | local name=${1} | |
1317 | ||
0d645497 MT |
1318 | # Read the config settings |
1319 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1320 | if ! vpn_security_policies_read_config "${name}"; then | |
1321 | return ${EXIT_ERROR} | |
1322 | fi | |
1323 | ||
1324 | local proposals | |
1325 | ||
1326 | local cipher | |
ded01e82 | 1327 | for cipher in ${CIPHERS}; do |
0d645497 MT |
1328 | # Translate cipher |
1329 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
1330 | ||
1331 | if ! isset _cipher; then | |
1332 | log WARN "Unsupported cipher: ${cipher}" | |
1333 | continue | |
1334 | fi | |
1335 | ||
1336 | if vpn_security_policies_cipher_is_aead ${cipher}; then | |
1337 | local group_type | |
ded01e82 | 1338 | for group_type in ${GROUP_TYPES}; do |
0d645497 MT |
1339 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} |
1340 | ||
1341 | if ! isset _group_type; then | |
1342 | log WARN "Unsupported group-type: ${group_type}" | |
1343 | continue | |
1344 | fi | |
1345 | ||
1346 | # Put everything together | |
1347 | list_append proposals "${_cipher}-${_group_type}" | |
1348 | done | |
1349 | else | |
1350 | local integrity | |
0c1844c0 | 1351 | for integrity in ${INTEGRITIES}; do |
0d645497 MT |
1352 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} |
1353 | ||
1354 | if ! isset _integrity; then | |
1355 | log WARN "Unsupported integrity: ${integrity}" | |
1356 | continue | |
1357 | fi | |
1358 | ||
1359 | local group_type | |
ded01e82 | 1360 | for group_type in ${GROUP_TYPES}; do |
0d645497 MT |
1361 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} |
1362 | ||
1363 | if ! isset _group_type; then | |
1364 | log WARN "Unsupported group-type: ${group_type}" | |
1365 | continue | |
1366 | fi | |
1367 | ||
1368 | # Put everything together | |
1369 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
1370 | done | |
1371 | done | |
1372 | fi | |
1373 | done | |
1374 | ||
1375 | # Returns as a comma-separated list | |
1376 | list_join proposals , | |
1377 | } | |
a00e7803 JS |
1378 | |
1379 | # List all security policies | |
1380 | vpn_security_policies_list_all() { | |
60b1f378 | 1381 | list_directory "${NETWORK_SHARE_DIR}/vpn/security-policies" |
a00e7803 | 1382 | |
3cac4fcd MT |
1383 | # Add all user-defined policies |
1384 | vpn_security_policies_list_user | |
1385 | } | |
1386 | ||
1387 | vpn_security_policies_list_user() { | |
60b1f378 | 1388 | list_directory "${NETWORK_CONFIG_DIR}/vpn/security-policies" |
a00e7803 | 1389 | } |