]>
Commit | Line | Data |
---|---|---|
3eae7bed JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS" | |
23 | VPN_SECURITY_POLICIES_READONLY="system" | |
24 | ||
6fdbda80 MT |
25 | VPN_DEFAULT_SECURITY_POLICY="system" |
26 | ||
b116ad92 | 27 | declare -A VPN_SUPPORTED_CIPHERS=( |
b68fed1f MT |
28 | # 3DES-CBC |
29 | [3DES-CBC]="168 bit 3DES-EDE-CBC" | |
30 | ||
31 | # AES-CBC | |
b116ad92 MT |
32 | [AES256-CBC]="256 bit AES-CBC" |
33 | [AES192-CBC]="192 bit AES-CBC" | |
34 | [AES128-CBC]="128 bit AES-CBC" | |
b68fed1f MT |
35 | |
36 | # AES-CTR | |
37 | [AES256-CTR]="256 bit AES-COUNTER" | |
38 | [AES192-CTR]="192 bit AES-COUNTER" | |
39 | [AES128-CTR]="128 bit AES-COUNTER" | |
40 | ||
41 | # AES-GCM | |
42 | [AES256-GCM128]="256 bit AES-GCM with 128 bit ICV" | |
43 | [AES192-GCM128]="192 bit AES-GCM with 128 bit ICV" | |
44 | [AES128-GCM128]="128 bit AES-GCM with 128 bit ICV" | |
45 | [AES256-GCM96]="256 bit AES-GCM with 96 bit ICV" | |
46 | [AES192-GCM96]="192 bit AES-GCM with 96 bit ICV" | |
47 | [AES128-GCM96]="128 bit AES-GCM with 96 bit ICV" | |
48 | [AES256-GCM64]="256 bit AES-GCM with 64 bit ICV" | |
49 | [AES192-GCM64]="192 bit AES-GCM with 64 bit ICV" | |
50 | [AES128-GCM64]="128 bit AES-GCM with 64 bit ICV" | |
51 | ||
52 | # AES-CCM | |
53 | [AES256-CCM128]="256 bit AES-CCM with 128 bit ICV" | |
54 | [AES192-CCM128]="192 bit AES-CCM with 128 bit ICV" | |
55 | [AES128-CCM128]="128 bit AES-CCM with 128 bit ICV" | |
56 | [AES256-CCM96]="256 bit AES-CCM with 96 bit ICV" | |
57 | [AES192-CCM96]="192 bit AES-CCM with 96 bit ICV" | |
58 | [AES128-CCM96]="128 bit AES-CCM with 96 bit ICV" | |
59 | [AES256-CCM64]="256 bit AES-CCM with 64 bit ICV" | |
60 | [AES192-CCM64]="192 bit AES-CCM with 64 bit ICV" | |
61 | [AES128-CCM64]="128 bit AES-CCM with 64 bit ICV" | |
62 | ||
63 | # CAMELLIA-CBC | |
64 | [CAMELLIA256-CBC]="256 bit CAMELLIA-CBC" | |
65 | [CAMELLIA192-CBC]="192 bit CAMELLIA-CBC" | |
66 | [CAMELLIA128-CBC]="128 bit CAMELLIA-CBC" | |
67 | ||
68 | # CAMELLIA-CTR | |
69 | [CAMELLIA256-CTR]="256 bit CAMELLIA-COUNTER" | |
70 | [CAMELLIA192-CTR]="192 bit CAMELLIA-COUNTER" | |
71 | [CAMELLIA128-CTR]="128 bit CAMELLIA-COUNTER" | |
72 | ||
73 | # CAMELLIA-GCM | |
74 | [CAMELLIA256-GCM128]="256 bit CAMELLIA-GCM with 128 bit ICV" | |
75 | [CAMELLIA192-GCM128]="192 bit CAMELLIA-GCM with 128 bit ICV" | |
76 | [CAMELLIA128-GCM128]="128 bit CAMELLIA-GCM with 128 bit ICV" | |
77 | [CAMELLIA256-GCM96]="256 bit CAMELLIA-GCM with 96 bit ICV" | |
78 | [CAMELLIA192-GCM96]="192 bit CAMELLIA-GCM with 96 bit ICV" | |
79 | [CAMELLIA128-GCM96]="128 bit CAMELLIA-GCM with 96 bit ICV" | |
80 | [CAMELLIA256-GCM64]="256 bit CAMELLIA-GCM with 64 bit ICV" | |
81 | [CAMELLIA192-GCM64]="192 bit CAMELLIA-GCM with 64 bit ICV" | |
82 | [CAMELLIA128-GCM64]="128 bit CAMELLIA-GCM with 64 bit ICV" | |
83 | ||
84 | # CAMELLIA-CCM | |
85 | [CAMELLIA256-CCM128]="256 bit CAMELLIA-CCM with 128 bit ICV" | |
86 | [CAMELLIA192-CCM128]="192 bit CAMELLIA-CCM with 128 bit ICV" | |
87 | [CAMELLIA128-CCM128]="128 bit CAMELLIA-CCM with 128 bit ICV" | |
88 | [CAMELLIA256-CCM96]="256 bit CAMELLIA-CCM with 96 bit ICV" | |
89 | [CAMELLIA192-CCM96]="192 bit CAMELLIA-CCM with 96 bit ICV" | |
90 | [CAMELLIA128-CCM96]="128 bit CAMELLIA-CCM with 96 bit ICV" | |
91 | [CAMELLIA256-CCM64]="256 bit CAMELLIA-CCM with 64 bit ICV" | |
92 | [CAMELLIA192-CCM64]="192 bit CAMELLIA-CCM with 64 bit ICV" | |
93 | [CAMELLIA128-CCM64]="128 bit CAMELLIA-CCM with 64 bit ICV" | |
b116ad92 MT |
94 | ) |
95 | ||
d69af00f MT |
96 | declare -A CIPHER_TO_STRONGSWAN=( |
97 | # 3DES-CBC | |
98 | [3DES-CBC]="3des" | |
99 | ||
100 | # AES-CBC | |
101 | [AES256-CBC]="aes256" | |
102 | [AES192-CBC]="aes192" | |
103 | [AES128-CBC]="aes128" | |
104 | ||
105 | # AES-CTR | |
106 | [AES256-CTR]="aes256ctr" | |
107 | [AES192-CTR]="aes192ctr" | |
108 | [AES128-CTR]="aes128ctr" | |
109 | ||
110 | # AES-GCM | |
111 | [AES256-GCM128]="aes256gcm128" | |
112 | [AES192-GCM128]="aes192gcm128" | |
113 | [AES128-GCM128]="aes128gcm128" | |
114 | [AES256-GCM96]="aes256gcm96" | |
115 | [AES192-GCM96]="aes192gcm96" | |
116 | [AES128-GCM96]="aes128gcm96" | |
117 | [AES256-GCM64]="aes256gcm64" | |
118 | [AES192-GCM64]="aes192gcm64" | |
119 | [AES128-GCM64]="aes128gcm64" | |
120 | ||
121 | # AES-CCM | |
122 | [AES256-CCM128]="aes256ccm128" | |
123 | [AES192-CCM128]="aes192ccm128" | |
124 | [AES128-CCM128]="aes128ccm128" | |
125 | [AES256-CCM96]="aes256ccm96" | |
126 | [AES192-CCM96]="aes192ccm96" | |
127 | [AES128-CCM96]="aes128ccm96" | |
128 | [AES256-CCM64]="aes256ccm64" | |
129 | [AES192-CCM64]="aes192ccm64" | |
130 | [AES128-CCM64]="aes128ccm64" | |
131 | ||
132 | # CAMELLIA-CBC | |
133 | [CAMELLIA256-CBC]="camellia256" | |
134 | [CAMELLIA192-CBC]="camellia192" | |
135 | [CAMELLIA128-CBC]="camellia128" | |
136 | ||
137 | # CAMELLIA-CTR | |
138 | [CAMELLIA256-CTR]="camellia256ctr" | |
139 | [CAMELLIA192-CTR]="camellia192ctr" | |
140 | [CAMELLIA128-CTR]="camellia128ctr" | |
141 | ||
142 | # CAMELLIA-GCM | |
143 | [CAMELLIA256-GCM128]="camellia256gcm128" | |
144 | [CAMELLIA192-GCM128]="camellia192gcm128" | |
145 | [CAMELLIA128-GCM128]="camellia128gcm128" | |
146 | [CAMELLIA256-GCM96]="camellia256gcm96" | |
147 | [CAMELLIA192-GCM96]="camellia192gcm96" | |
148 | [CAMELLIA128-GCM96]="camellia128gcm96" | |
149 | [CAMELLIA256-GCM64]="camellia256gcm64" | |
150 | [CAMELLIA192-GCM64]="camellia192gcm64" | |
151 | [CAMELLIA128-GCM64]="camellia128gcm64" | |
152 | ||
153 | # CAMELLIA-CCM | |
154 | [CAMELLIA256-CCM128]="camellia256ccm128" | |
155 | [CAMELLIA192-CCM128]="camellia192ccm128" | |
156 | [CAMELLIA128-CCM128]="camellia128ccm128" | |
157 | [CAMELLIA256-CCM96]="camellia256ccm96" | |
158 | [CAMELLIA192-CCM96]="camellia192ccm96" | |
159 | [CAMELLIA128-CCM96]="camellia128ccm96" | |
160 | [CAMELLIA256-CCM64]="camellia256ccm64" | |
161 | [CAMELLIA192-CCM64]="camellia192ccm64" | |
162 | [CAMELLIA128-CCM64]="camellia128ccm64" | |
163 | ) | |
164 | ||
3a0c376c MT |
165 | declare -A VPN_SUPPORTED_INTEGRITY=( |
166 | [MD5]="MD5-HMAC" | |
167 | ||
168 | # SHA | |
169 | [SHA1]="SHA1-HMAC" | |
3003747b | 170 | [SHA512]="512 bit SHA2-HMAC" |
3a0c376c MT |
171 | [SHA384]="384 bit SHA2-HMAC" |
172 | [SHA256]="256 bit SHA2-HMAC" | |
173 | ||
174 | # AES | |
175 | [AES-XCBC]="AES-XCBC" | |
176 | [AES-CMAC]="AES-CMAC" | |
177 | [AES256-GMAC]="256 bit AES-GMAC" | |
178 | [AES192-GMAC]="192 bit AES-GMAC" | |
179 | [AES128-GMAC]="128 bit AES-GMAC" | |
180 | ) | |
181 | ||
d69af00f MT |
182 | declare -A INTEGRITY_TO_STRONGSWAN=( |
183 | [MD5]="md5" | |
184 | ||
185 | # SHA | |
186 | [SHA1]="sha1" | |
187 | [SHA512]="sha512" | |
188 | [SHA384]="sha384" | |
189 | [SHA256]="sha256" | |
190 | ||
191 | # AES | |
192 | [AES-XCBC]="aesxcbc" | |
193 | [AES-CMAC]="aescmac" | |
194 | [AES256-GMAC]="aes256gmac" | |
195 | [AES192-GMAC]="aes192gmac" | |
196 | [AES128-GMAC]="aes128gmac" | |
197 | ) | |
198 | ||
54fc6c3f MT |
199 | declare -A VPN_SUPPORTED_GROUP_TYPES=( |
200 | # Regular Groups | |
201 | [MODP768]="768 bit Modulo Prime Group" | |
202 | [MODP1024]="1024 bit Modulo Prime Group" | |
203 | [MODP1536]="1536 bit Modulo Prime Group" | |
204 | [MODP2048]="2048 bit Modulo Prime Group" | |
205 | [MODP3072]="3072 bit Modulo Prime Group" | |
206 | [MODP4096]="4096 bit Modulo Prime Group" | |
207 | [MODP6144]="6144 bit Modulo Prime Group" | |
208 | [MODP8192]="8192 bit Modulo Prime Group" | |
209 | ||
210 | # NIST Elliptic Curve Groups | |
211 | [ECP192]="192 bit NIST Elliptic Curve Group" | |
212 | [ECP224]="224 bit NIST Elliptic Curve Group" | |
213 | [ECP256]="256 bit NIST Elliptic Curve Group" | |
214 | [ECP384]="384 bit NIST Elliptic Curve Group" | |
215 | [ECP521]="521 bit NIST Elliptic Curve Group" | |
216 | ||
217 | # Brainpool Elliptic Curve Groups | |
218 | [ECP224BP]="224 bit Brainpool Elliptic Curve Group" | |
219 | [ECP256BP]="256 bit Brainpool Elliptic Curve Group" | |
220 | [ECP384BP]="384 bit Brainpool Elliptic Curve Group" | |
221 | [ECP512BP]="512 bit Brainpool Elliptic Curve Group" | |
222 | ||
223 | # Curve25519 | |
224 | [CURVE25519]="256 bit Elliptic Curve 25519" | |
225 | ) | |
3eae7bed | 226 | |
d69af00f MT |
227 | declare -A GROUP_TYPE_TO_STRONGSWAN=( |
228 | # Regular Groups | |
229 | [MODP768]="modp768" | |
230 | [MODP1024]="modp1024" | |
231 | [MODP1536]="modp1536" | |
232 | [MODP2048]="modp2048" | |
233 | [MODP3072]="modp3072" | |
234 | [MODP4096]="modp4096" | |
235 | [MODP6144]="modp6144" | |
236 | [MODP8192]="modp8192" | |
237 | ||
238 | # NIST Elliptic Curve Groups | |
239 | [ECP192]="ecp192" | |
240 | [ECP224]="ecp224" | |
241 | [ECP256]="ecp256" | |
242 | [ECP384]="ecp384" | |
243 | [ECP521]="ecp521" | |
244 | ||
245 | # Brainpool Elliptic Curve Groups | |
246 | [ECP224BP]="ecp224bp" | |
247 | [ECP256BP]="ecp256bp" | |
248 | [ECP384BP]="ecp384bp" | |
249 | [ECP512BP]="ecp512bp" | |
250 | ||
251 | # Curve25519 | |
252 | [CURVE25519]="curve25519" | |
253 | ) | |
254 | ||
6740c9c5 MT |
255 | # This functions checks if a policy is readonly |
256 | # returns true when yes and false when no | |
3eae7bed | 257 | vpn_security_policies_check_readonly() { |
3eae7bed JS |
258 | if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then |
259 | return ${EXIT_TRUE} | |
260 | else | |
261 | return ${EXIT_FALSE} | |
262 | fi | |
263 | } | |
264 | ||
6740c9c5 | 265 | # This function writes all values to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 266 | vpn_security_policies_write_config() { |
3eae7bed JS |
267 | assert [ $# -ge 1 ] |
268 | ||
269 | local name="${1}" | |
270 | ||
6740c9c5 | 271 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
272 | log ERROR "No such vpn security policy: ${name}" |
273 | return ${EXIT_ERROR} | |
274 | fi | |
275 | ||
6740c9c5 | 276 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
277 | log ERROR "The ${name} vpn security policy cannot be changed." |
278 | return ${EXIT_ERROR} | |
279 | fi | |
280 | ||
6740c9c5 | 281 | local path="$(vpn_security_policies_path "${name}")" |
3eae7bed JS |
282 | if [ ! -w ${path} ]; then |
283 | log ERROR "${path} is not writeable" | |
284 | return ${EXIT_ERROR} | |
285 | fi | |
286 | ||
287 | if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then | |
288 | log ERROR "Could not write configuration settings for vpn security policy ${name}" | |
289 | return ${EXIT_ERROR} | |
290 | fi | |
291 | ||
292 | # TODO everytime we successfully write a config we should call some trigger to take the changes into effect | |
293 | } | |
294 | ||
6740c9c5 | 295 | # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 296 | vpn_security_policies_write_config_key() { |
3eae7bed | 297 | assert [ $# -ge 3 ] |
6740c9c5 | 298 | |
3eae7bed JS |
299 | local name=${1} |
300 | local key=${2} | |
301 | shift 2 | |
6740c9c5 | 302 | |
3eae7bed JS |
303 | local value="$@" |
304 | ||
6740c9c5 | 305 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
306 | log ERROR "No such vpn security policy: ${name}" |
307 | return ${EXIT_ERROR} | |
308 | fi | |
309 | ||
310 | log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}" | |
311 | ||
312 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
313 | ||
314 | # Read the config settings | |
6740c9c5 | 315 | if ! vpn_security_policies_read_config "${name}"; then |
3eae7bed JS |
316 | return ${EXIT_ERROR} |
317 | fi | |
318 | ||
319 | # Set the key to a new value | |
320 | assign "${key}" "${value}" | |
321 | ||
6740c9c5 | 322 | if ! vpn_security_policies_write_config "${name}"; then |
3eae7bed JS |
323 | return ${EXIT_ERROR} |
324 | fi | |
325 | ||
326 | return ${EXIT_TRUE} | |
3eae7bed JS |
327 | } |
328 | ||
6740c9c5 | 329 | # Reads one or more keys out of a settings file or all if no key is provided. |
3eae7bed | 330 | vpn_security_policies_read_config() { |
3eae7bed JS |
331 | assert [ $# -ge 1 ] |
332 | ||
333 | local name="${1}" | |
334 | shift 1 | |
335 | ||
6740c9c5 | 336 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
337 | log ERROR "No such vpn security policy: ${name}" |
338 | return ${EXIT_ERROR} | |
339 | fi | |
340 | ||
341 | ||
342 | local args | |
343 | if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then | |
344 | list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
345 | else | |
346 | list_append args $@ | |
347 | fi | |
348 | ||
349 | local path="$(vpn_security_policies_path ${name})" | |
350 | ||
351 | if ! settings_read "${path}" ${args}; then | |
352 | log ERROR "Could not read settings for vpn security policy ${name}" | |
353 | return ${EXIT_ERROR} | |
354 | fi | |
355 | } | |
356 | ||
6740c9c5 | 357 | # Returns the path to a the configuration fora given name |
3eae7bed | 358 | vpn_security_policies_path() { |
3eae7bed | 359 | assert [ $# -eq 1 ] |
6740c9c5 | 360 | |
3eae7bed JS |
361 | local name=${1} |
362 | ||
6740c9c5 | 363 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
364 | echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}" |
365 | else | |
366 | echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}" | |
367 | fi | |
368 | } | |
369 | ||
6740c9c5 | 370 | # Print the content of a vpn security policy configuration file in a nice way |
3eae7bed | 371 | vpn_security_policies_show() { |
3eae7bed | 372 | assert [ $# -eq 1 ] |
6740c9c5 | 373 | |
3eae7bed JS |
374 | local name=${1} |
375 | ||
376 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
3eae7bed JS |
377 | if ! vpn_security_policies_read_config ${name}; then |
378 | return ${EXIT_ERROR} | |
379 | fi | |
380 | ||
381 | cli_print_fmt1 0 "Security Policy: ${name}" | |
382 | cli_space | |
383 | ||
384 | # This could be done in a loop but a loop is much more complicated | |
385 | # because we print 'Group Types' but the variable is named 'GROUP_TYPES' | |
386 | cli_print_fmt1 1 "Ciphers:" | |
d21db419 MT |
387 | local cipher |
388 | for cipher in ${CIPHER}; do | |
389 | cli_print_fmt1 2 "${VPN_SUPPORTED_CIPHERS[${cipher}]-${cipher}}" | |
390 | done | |
3eae7bed | 391 | cli_space |
6740c9c5 | 392 | |
3eae7bed | 393 | cli_print_fmt1 1 "Integrity:" |
f3098f76 MT |
394 | local integrity |
395 | for integrity in ${INTEGRITY}; do | |
396 | cli_print_fmt1 2 "${VPN_SUPPORTED_INTEGRITY[${integrity}]-${integrity}}" | |
397 | done | |
3eae7bed | 398 | cli_space |
6740c9c5 | 399 | |
3eae7bed | 400 | cli_print_fmt1 1 "Group Types:" |
84c1cc17 MT |
401 | local group_type |
402 | for group_type in ${GROUP_TYPE}; do | |
403 | cli_print_fmt1 2 "${VPN_SUPPORTED_GROUP_TYPES[${group_type}]-${group_type}}" | |
404 | done | |
3eae7bed JS |
405 | cli_space |
406 | ||
407 | cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}" | |
6740c9c5 MT |
408 | |
409 | # Key Lifetime | |
3eae7bed JS |
410 | if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then |
411 | cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})" | |
412 | else | |
413 | log ERROR "The value for Key Lifetime is not a valid integer greater zero." | |
414 | fi | |
6740c9c5 MT |
415 | |
416 | # PFS | |
3eae7bed JS |
417 | if enabled PFS; then |
418 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" | |
419 | else | |
420 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" | |
421 | fi | |
422 | cli_space | |
6740c9c5 MT |
423 | |
424 | # Compression | |
3eae7bed JS |
425 | if enabled COMPRESSION; then |
426 | cli_print_fmt1 1 "Compression:" "enabled" | |
427 | else | |
428 | cli_print_fmt1 1 "Compression:" "disabled" | |
429 | fi | |
430 | cli_space | |
431 | } | |
432 | ||
6740c9c5 MT |
433 | # This function checks if a vpn security policy exists |
434 | # Returns True when yes and false when not | |
3eae7bed | 435 | vpn_security_policy_exists() { |
3eae7bed | 436 | assert [ $# -eq 1 ] |
6740c9c5 | 437 | |
3eae7bed JS |
438 | local name=${1} |
439 | ||
6740c9c5 MT |
440 | local path=$(vpn_security_policies_path "${name}") |
441 | ||
442 | [ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
3eae7bed JS |
443 | } |
444 | ||
445 | ||
6740c9c5 | 446 | # This function parses the parameters for the 'cipher' command |
3eae7bed | 447 | vpn_security_policies_cipher(){ |
3eae7bed JS |
448 | local name=${1} |
449 | shift | |
450 | ||
451 | if [ $# -eq 0 ]; then | |
452 | log ERROR "You must pass at least one value after cipher" | |
453 | return ${EXIT_ERROR} | |
454 | fi | |
455 | ||
456 | local CIPHER | |
3eae7bed JS |
457 | if ! vpn_security_policies_read_config ${name} "CIPHER"; then |
458 | return ${EXIT_ERROR} | |
459 | fi | |
460 | ||
461 | # Remove duplicated entries to proceed the list safely | |
462 | CIPHER="$(list_unique ${CIPHER})" | |
463 | ||
d9a6c183 MT |
464 | local ciphers_added |
465 | local ciphers_removed | |
466 | local ciphers_set | |
467 | ||
3eae7bed | 468 | while [ $# -gt 0 ]; do |
d9a6c183 MT |
469 | local arg="${1}" |
470 | ||
471 | case "${arg}" in | |
472 | +*) | |
473 | list_append ciphers_added "${arg:1}" | |
474 | ;; | |
3eae7bed | 475 | -*) |
d9a6c183 | 476 | list_append ciphers_removed "${arg:1}" |
3eae7bed | 477 | ;; |
d9a6c183 MT |
478 | [A-Z0-9]*) |
479 | list_append ciphers_set "${arg}" | |
480 | ;; | |
481 | *) | |
482 | error "Invalid argument: ${arg}" | |
483 | return ${EXIT_ERROR} | |
3eae7bed JS |
484 | ;; |
485 | esac | |
486 | shift | |
487 | done | |
488 | ||
d9a6c183 MT |
489 | # Check if the user is trying a mixed operation |
490 | if ! list_is_empty ciphers_set && (! list_is_empty ciphers_added || ! list_is_empty ciphers_removed); then | |
491 | error "You cannot reset the cipher list and add or remove ciphers at the same time" | |
492 | return ${EXIT_ERROR} | |
493 | fi | |
494 | ||
495 | # Set new cipher list | |
496 | if ! list_is_empty ciphers_set; then | |
497 | # Check if all ciphers are valid | |
498 | local cipher | |
499 | for cipher in ${ciphers_set}; do | |
500 | if ! vpn_security_policies_cipher_supported ${cipher}; then | |
501 | error "Unsupported cipher: ${cipher}" | |
502 | return ${EXIT_ERROR} | |
503 | fi | |
504 | done | |
505 | ||
6eb85c57 | 506 | CIPHER="${ciphers_set}" |
d9a6c183 MT |
507 | |
508 | # Perform incremental updates | |
3eae7bed | 509 | else |
d9a6c183 MT |
510 | local cipher |
511 | ||
512 | # Perform all removals | |
513 | for cipher in ${ciphers_removed}; do | |
514 | if ! list_remove CIPHER ${cipher}; then | |
515 | warning "${cipher} was not on the list and could not be removed" | |
516 | fi | |
517 | done | |
518 | ||
519 | for cipher in ${ciphers_added}; do | |
520 | if vpn_security_policies_cipher_supported ${cipher}; then | |
521 | if ! list_append_unique CIPHER ${cipher}; then | |
522 | warning "${cipher} is already on the cipher list" | |
523 | fi | |
524 | else | |
525 | warning "${cipher} is unknown or unsupported and could not be added" | |
526 | fi | |
527 | done | |
528 | fi | |
529 | ||
530 | # Check if the list contain at least one valid cipher | |
531 | if list_is_empty CIPHER; then | |
532 | error "Cannot save an empty cipher list" | |
3eae7bed JS |
533 | return ${EXIT_ERROR} |
534 | fi | |
d9a6c183 MT |
535 | |
536 | # Save everything | |
537 | if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then | |
538 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
539 | fi | |
540 | ||
541 | cli_headline 1 "Current cipher list for ${name}:" | |
542 | for cipher in ${CIPHER}; do | |
543 | cli_print_fmt1 1 "${cipher}" "${VPN_SUPPORTED_CIPHERS[${cipher}]}" | |
544 | done | |
3eae7bed JS |
545 | } |
546 | ||
6740c9c5 | 547 | # This function parses the parameters for the 'compression' command |
3eae7bed | 548 | vpn_security_policies_compression(){ |
3eae7bed JS |
549 | local name=${1} |
550 | local value=${2} | |
551 | ||
552 | # Check if we get only one argument after compression <name> | |
553 | if [ ! $# -eq 2 ]; then | |
554 | log ERROR "The number of arguments do not match. Only one argument after compression is allowed." | |
555 | return ${EXIT_ERROR} | |
556 | fi | |
557 | ||
558 | if ! isbool value; then | |
559 | # We suggest only two values to avoid overburding the user. | |
560 | log ERROR "Invalid Argument ${value}" | |
561 | return ${EXIT_ERROR} | |
562 | fi | |
563 | ||
564 | vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" | |
565 | } | |
566 | ||
6740c9c5 | 567 | # This function parses the parameters for the 'group-type' command |
3eae7bed | 568 | vpn_security_policies_group_type(){ |
3eae7bed JS |
569 | local name=${1} |
570 | shift | |
571 | ||
572 | if [ $# -eq 0 ]; then | |
573 | log ERROR "You must pass at least one value after group-type" | |
574 | return ${EXIT_ERROR} | |
575 | fi | |
576 | ||
577 | local GROUP_TYPE | |
3eae7bed JS |
578 | if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then |
579 | return ${EXIT_ERROR} | |
580 | fi | |
581 | ||
582 | # Remove duplicated entries to proceed the list safely | |
583 | GROUP_TYPE="$(list_unique ${GROUP_TYPE})" | |
584 | ||
585 | while [ $# -gt 0 ]; do | |
586 | case "${1}" in | |
587 | -*) | |
588 | value=${1#-} | |
589 | # Check if the group type is in the list of group types and | |
590 | # check if the list has after removing this group type at leatst one valid value | |
591 | if list_match ${value} ${GROUP_TYPE}; then | |
592 | list_remove GROUP_TYPE ${value} | |
593 | else | |
594 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
595 | log ERROR "Can not remove ${value} from the list of group types because ${value} is not in the list." | |
596 | fi | |
597 | ;; | |
598 | +*) | |
599 | value=${1#+} | |
600 | # Check if the group type is in the list of supported group types. | |
54fc6c3f | 601 | if ! isoneof value ${!VPN_SUPPORTED_GROUP_TYPES[@]}; then |
3eae7bed JS |
602 | # We do not break here because the processing of other maybe valid values are indepent from this error. |
603 | log ERROR "${value} is not a supported group type and can thats why not added to the list of group types." | |
604 | else | |
605 | if list_match ${value} ${GROUP_TYPE}; then | |
606 | log WARNING "${value} is already in the list of group-types of this policy." | |
607 | else | |
608 | list_append GROUP_TYPE ${value} | |
609 | fi | |
610 | fi | |
611 | ;; | |
612 | esac | |
613 | shift | |
614 | done | |
615 | ||
616 | # Check if the list contain at least one valid group-type | |
617 | if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then | |
618 | if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then | |
619 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
620 | fi | |
621 | else | |
622 | log ERROR "After proceding all group types the list is empty and thats why no changes are written." | |
623 | return ${EXIT_ERROR} | |
624 | fi | |
625 | } | |
6740c9c5 MT |
626 | |
627 | # This function parses the parameters for the 'integrity' command | |
3eae7bed | 628 | vpn_security_policies_integrity(){ |
3eae7bed JS |
629 | local name=${1} |
630 | shift | |
631 | ||
632 | if [ $# -eq 0 ]; then | |
633 | log ERROR "You must pass at least one value after integrity." | |
634 | return ${EXIT_ERROR} | |
635 | fi | |
636 | ||
637 | local INTEGRITY | |
3eae7bed JS |
638 | if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then |
639 | return ${EXIT_ERROR} | |
640 | fi | |
641 | ||
642 | # Remove duplicated entries to proceed the list safely | |
643 | INTEGRITY="$(list_unique ${INTEGRITY})" | |
644 | ||
645 | while [ $# -gt 0 ]; do | |
646 | case "${1}" in | |
647 | -*) | |
648 | value=${1#-} | |
649 | # Check if the integrity hash is in the list of integrity hashes and | |
650 | # check if the list has after removing this integrity hash at least one valid value | |
651 | if list_match ${value} ${INTEGRITY}; then | |
652 | list_remove INTEGRITY ${value} | |
653 | else | |
654 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
655 | log ERROR "Can not remove ${value} from the list of integrity hashes because ${value} is not in the list." | |
656 | fi | |
657 | ;; | |
658 | +*) | |
659 | value=${1#+} | |
660 | # Check if the Ciphers is in the list of supported integrity hashes. | |
3a0c376c | 661 | if ! isoneof value ${!VPN_SUPPORTED_INTEGRITY[@]}; then |
3eae7bed JS |
662 | # We do not break here because the processing of other maybe valid values are indepent from this error. |
663 | log ERROR "${value} is not a supported integrity hash and can thats why not added to the list of integrity hashes." | |
664 | else | |
665 | if list_match ${value} ${INTEGRITY}; then | |
666 | log WARNING "${value} is already in the list of integrety hashes of this policy." | |
667 | else | |
668 | list_append INTEGRITY ${value} | |
669 | fi | |
670 | fi | |
671 | ;; | |
672 | esac | |
673 | shift | |
674 | done | |
675 | ||
676 | # Check if the list contain at least one valid group-type | |
677 | if [ $(list_length ${INTEGRITY}) -ge 1 ]; then | |
678 | if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then | |
679 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
680 | fi | |
681 | else | |
682 | log ERROR "After proceding all integrity hashes the list is empty and thats why no changes are written." | |
683 | return ${EXIT_ERROR} | |
684 | fi | |
3eae7bed JS |
685 | } |
686 | ||
6740c9c5 | 687 | # This function parses the parameters for the 'key-exchange' command |
3eae7bed | 688 | vpn_security_policies_key_exchange() { |
3eae7bed JS |
689 | local name=${1} |
690 | local value=${2} | |
6740c9c5 | 691 | |
3eae7bed JS |
692 | # Check if we get only one argument after key-exchange <name> |
693 | if [ ! $# -eq 2 ]; then | |
694 | log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed." | |
695 | return ${EXIT_ERROR} | |
696 | fi | |
697 | ||
3eae7bed JS |
698 | if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then |
699 | log ERROR "Invalid Argument ${value}" | |
700 | return ${EXIT_ERROR} | |
701 | fi | |
702 | ||
703 | vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}" | |
704 | } | |
705 | ||
6740c9c5 | 706 | # This function parses the parameters for the 'lifetime' command. |
3eae7bed | 707 | vpn_security_policies_lifetime(){ |
3eae7bed JS |
708 | local name=${1} |
709 | shift | |
6740c9c5 | 710 | |
3eae7bed JS |
711 | local value=$@ |
712 | ||
713 | # Check if we get only one argument after lifetime <name> | |
714 | if [ ! $# -ge 1 ]; then | |
715 | log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s" | |
716 | return ${EXIT_ERROR} | |
717 | fi | |
718 | ||
719 | if ! isinteger value; then | |
720 | value=$(parse_time $@) | |
721 | if [ ! $? -eq 0 ]; then | |
722 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
723 | return ${EXIT_ERROR} | |
724 | fi | |
725 | fi | |
726 | ||
727 | if [ ${value} -le 0 ]; then | |
728 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
729 | return ${EXIT_ERROR} | |
730 | fi | |
731 | ||
732 | vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" | |
733 | } | |
734 | ||
6740c9c5 | 735 | # This function parses the parameters for the 'pfs' command |
3eae7bed | 736 | vpn_security_policies_pfs(){ |
3eae7bed JS |
737 | local name=${1} |
738 | local value=${2} | |
739 | ||
740 | # Check if we get only one argument after pfs <name> | |
741 | if [ ! $# -eq 2 ]; then | |
742 | log ERROR "The number of arguments do not match. Only argument after pfs is allowed." | |
743 | return ${EXIT_ERROR} | |
744 | fi | |
745 | ||
746 | if [ ! $# -eq 2 ] || ! isbool value; then | |
747 | # We suggest only two values to avoid overburding the user. | |
748 | log ERROR "Invalid Argument ${value}" | |
749 | return ${EXIT_ERROR} | |
750 | fi | |
751 | ||
752 | vpn_security_policies_write_config_key "${name}" "PFS" "${value}" | |
753 | } | |
754 | ||
6740c9c5 MT |
755 | # This function checks if a vpn security policy name is valid |
756 | # Allowed are only A-Za-z0-9 | |
3eae7bed | 757 | vpn_security_policies_check_name() { |
3eae7bed | 758 | assert [ $# -eq 1 ] |
6740c9c5 | 759 | |
3eae7bed | 760 | local name=${1} |
6740c9c5 | 761 | |
3eae7bed JS |
762 | [[ ${name} =~ [^[:alnum:]$] ]] |
763 | } | |
764 | ||
6740c9c5 | 765 | # Function that creates based on the paramters one ore more new vpn security policies |
3eae7bed | 766 | vpn_security_policies_new() { |
58aa0edf MT |
767 | if [ $# -gt 1 ]; then |
768 | error "Too many arguments" | |
3eae7bed JS |
769 | return ${EXIT_ERROR} |
770 | fi | |
771 | ||
58aa0edf MT |
772 | local name="${1}" |
773 | if ! isset name; then | |
774 | error "Please provide a name" | |
775 | return ${EXIT_ERROR} | |
776 | fi | |
3eae7bed | 777 | |
58aa0edf MT |
778 | # Check for duplicates |
779 | if vpn_security_policy_exists "${name}"; then | |
780 | error "The VPN security policy with name ${name} already exists" | |
781 | return ${EXIT_ERROR} | |
782 | fi | |
3eae7bed | 783 | |
58aa0edf MT |
784 | # Check if name is valid |
785 | if vpn_security_policies_check_name "${name}"; then | |
786 | error "'${name}' contains illegal characters" | |
787 | return ${EXIT_ERROR} | |
788 | fi | |
3eae7bed | 789 | |
58aa0edf MT |
790 | # Check if we have a read-only policy with the same name |
791 | if vpn_security_policies_check_readonly "${name}"; then | |
792 | error "The VPN security policy ${name} is read-only" | |
793 | return ${EXIT_ERROR} | |
794 | fi | |
795 | ||
6fdbda80 MT |
796 | # Check if our source policy exists |
797 | if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then | |
798 | error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist" | |
799 | return ${EXIT_ERROR} | |
800 | fi | |
801 | ||
58aa0edf MT |
802 | log DEBUG "Creating VPN Security Policy ${name}" |
803 | ||
88013fd8 | 804 | if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" \ |
aab75c48 | 805 | "$(vpn_security_policies_path ${name})"; then |
58aa0edf MT |
806 | log INFO "VPN Security Policy ${name} successfully created" |
807 | else | |
808 | log ERROR "Could not create VPN Security Policy ${name}" | |
809 | return ${EXIT_ERROR} | |
810 | fi | |
c787fea5 MT |
811 | |
812 | # Show the newly created policy | |
813 | vpn_security_policies_show "${name}" | |
3eae7bed JS |
814 | } |
815 | ||
6740c9c5 | 816 | # Function that deletes based on the passed parameters one ore more vpn security policies |
3eae7bed | 817 | vpn_security_policies_destroy() { |
3eae7bed JS |
818 | local name |
819 | for name in $@; do | |
820 | if ! vpn_security_policy_exists ${name}; then | |
821 | log ERROR "The vpn security policy ${name} does not exist." | |
822 | continue | |
823 | fi | |
824 | ||
825 | if vpn_security_policies_check_readonly ${name}; then | |
826 | log ERROR "The vpn security policy ${name} cannot be deleted." | |
827 | continue | |
828 | fi | |
829 | ||
830 | log DEBUG "Deleting vpn security policy ${name}" | |
831 | settings_remove $(vpn_security_policies_path ${name}) | |
832 | done | |
833 | } | |
d69af00f | 834 | |
d9a6c183 MT |
835 | vpn_security_policies_cipher_supported() { |
836 | local cipher=${1} | |
837 | ||
838 | list_match ${cipher} ${!VPN_SUPPORTED_CIPHERS[@]} | |
839 | } | |
840 | ||
0d645497 MT |
841 | vpn_security_policies_cipher_is_aead() { |
842 | local cipher=${1} | |
843 | ||
844 | # All CCM and GCM ciphers are AEAD | |
845 | string_match "[CG]CM" "${cipher}" | |
846 | } | |
847 | ||
d69af00f MT |
848 | vpn_security_policies_make_ah_proposal() { |
849 | local name=${1} | |
850 | ||
851 | # Read the config settings | |
852 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
853 | if ! vpn_security_policies_read_config "${name}"; then | |
854 | return ${EXIT_ERROR} | |
855 | fi | |
856 | ||
857 | local proposals | |
858 | ||
859 | local cipher | |
860 | for cipher in ${CIPHER}; do | |
861 | # Translate cipher | |
862 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
863 | ||
864 | if ! isset _cipher; then | |
865 | log WARN "Unsupported cipher: ${cipher}" | |
866 | continue | |
867 | fi | |
868 | ||
869 | local integrity | |
870 | for integrity in ${INTEGRITY}; do | |
871 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} | |
872 | ||
873 | if ! isset _integrity; then | |
874 | log WARN "Unsupported integrity: ${integrity}" | |
875 | continue | |
876 | fi | |
877 | ||
878 | local group_type | |
879 | for group_type in ${GROUP_TYPE}; do | |
880 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
881 | ||
882 | if ! isset _group_type; then | |
883 | log WARN "Unsupported group-type: ${group_type}" | |
884 | continue | |
885 | fi | |
886 | ||
887 | # Put everything together | |
888 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
889 | done | |
890 | done | |
891 | done | |
892 | ||
893 | # Returns as a comma-separated list | |
894 | list_join proposals , | |
895 | } | |
0d645497 MT |
896 | |
897 | vpn_security_policies_make_esp_proposal() { | |
898 | local name=${1} | |
899 | ||
900 | # Read the config settings | |
901 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
902 | if ! vpn_security_policies_read_config "${name}"; then | |
903 | return ${EXIT_ERROR} | |
904 | fi | |
905 | ||
906 | local proposals | |
907 | ||
908 | local cipher | |
909 | for cipher in ${CIPHER}; do | |
910 | # Translate cipher | |
911 | local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} | |
912 | ||
913 | if ! isset _cipher; then | |
914 | log WARN "Unsupported cipher: ${cipher}" | |
915 | continue | |
916 | fi | |
917 | ||
918 | if vpn_security_policies_cipher_is_aead ${cipher}; then | |
919 | local group_type | |
920 | for group_type in ${GROUP_TYPE}; do | |
921 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
922 | ||
923 | if ! isset _group_type; then | |
924 | log WARN "Unsupported group-type: ${group_type}" | |
925 | continue | |
926 | fi | |
927 | ||
928 | # Put everything together | |
929 | list_append proposals "${_cipher}-${_group_type}" | |
930 | done | |
931 | else | |
932 | local integrity | |
933 | for integrity in ${INTEGRITY}; do | |
934 | local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} | |
935 | ||
936 | if ! isset _integrity; then | |
937 | log WARN "Unsupported integrity: ${integrity}" | |
938 | continue | |
939 | fi | |
940 | ||
941 | local group_type | |
942 | for group_type in ${GROUP_TYPE}; do | |
943 | local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} | |
944 | ||
945 | if ! isset _group_type; then | |
946 | log WARN "Unsupported group-type: ${group_type}" | |
947 | continue | |
948 | fi | |
949 | ||
950 | # Put everything together | |
951 | list_append proposals "${_cipher}-${_integrity}-${_group_type}" | |
952 | done | |
953 | done | |
954 | fi | |
955 | done | |
956 | ||
957 | # Returns as a comma-separated list | |
958 | list_join proposals , | |
959 | } |