From: Michael Tremer Date: Sun, 16 Sep 2018 13:45:45 +0000 (+0200) Subject: ipsec: security-policies: Add CLI to modify PRFs X-Git-Tag: 010~94 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd9cba7daf8edaa9def6fdfc94c6e175e6bdda2c;p=network.git ipsec: security-policies: Add CLI to modify PRFs Signed-off-by: Michael Tremer
---
diff --git a/src/bash-completion/network b/src/bash-completion/network
index 71bf2452..9e35604e 100644
--- a/src/bash-completion/network
+++ b/src/bash-completion/network
@@ -561,7 +561,7 @@ _network_vpn_security_policies_subcommands() {
 shift
 local words=( $@ )
- local commands="cipher compression group-type integrity key-exchange lifetime pfs show"
+ local commands="cipher compression group-type integrity key-exchange lifetime pfs pseudo-random-functions show"
 local cmd="$(_network_find_on_cmdline "${commands}")"
 if [[ -z "${cmd}" ]]; then
 COMPREPLY=( $(compgen -W "${commands}" -- "${cur}") )
@@ -583,6 +583,9 @@ _network_vpn_security_policies_subcommands() {
 integrity)
 _network_vpn_security_policies_subcommands_integrity ${policy} ${args}
 ;;
+ pseudo-random-functions)
+ _network_vpn_security_policies_subcommands_pseudo_random_functions "${policy}" "${args}"
+ ;;
 key-exchange)
 _network_vpn_security_policies_subcommands_key_exchange ${policy} ${args}
 ;;
@@ -608,6 +611,10 @@ _network_vpn_security_policies_subcommands_integrity() {
 :
 }
+_network_vpn_security_policies_subcommands_pseudo_random_functions() {
+ :
+}
+
 _network_vpn_security_policies_subcommands_key_exchange() {
 :
 }
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index 26b17998..8b81850c 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
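Review bot: The new `pseudo-random-functions)` arm passes `"${policy}" "${args}"` quoted while the neighbouring `integrity)` and `key-exchange)` arms pass `${policy} ${args}` unquoted, so once `_network_vpn_security_policies_subcommands_pseudo_random_functions` is filled in it will receive all remaining words as one argument where its siblings receive them split; pick one convention for every arm in this `case`. The new helper is a `:` stub like its siblings, so a one-line comment such as `# TODO: complete from the supported PRF names once they are reachable from here` would make clear that the empty completion is intentional rather than forgotten. `_network_vpn_security_policies_subcommands` starts before the hunk.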
@@ -306,6 +306,9 @@ cli_vpn_security_policies() { cipher|compression|integrity|lifetime|pfs|show) vpn_security_policies_${key} ${security_policy} "$@" ;; + pseudo-random-functions) + vpn_security_policies_pseudo_random_functions "${security_policy}" "$@" + ;; group-type) vpn_security_policies_group_type ${security_policy} "$@" ;; 
@@ -877,6 +880,107 @@ vpn_security_policies_integrity(){
 done
 }
+# This function parses the parameters for the 'pseudo-random-functions' command
+vpn_security_policies_pseudo_random_functions() {
+ local name=${1}
+ shift
+
+ if [ $# -eq 0 ]; then
+ log ERROR "You must pass at least one value"
+ return ${EXIT_ERROR}
+ fi
+
+ local PSEUDO_RANDOM_FUNCTION
+ if ! vpn_security_policies_read_config ${name} "PSEUDO_RANDOM_FUNCTION"; then
+ return ${EXIT_ERROR}
+ fi
+
+ # Remove duplicated entries to proceed the list safely
+ PSEUDO_RANDOM_FUNCTION="$(list_unique ${PSEUDO_RANDOM_FUNCTION})"
+
+ local prfs_added
+ local prfs_removed
+ local prfs_set
+
+ while [ $# -gt 0 ]; do
+ local arg="${1}"
+
+ case "${arg}" in
+ +*)
+ list_append prfs_added "${arg:1}"
+ ;;
+ -*)
+ list_append prfs_removed "${arg:1}"
+ ;;
+ [A-Z0-9]*)
+ list_append prfs_set "${arg}"
+ ;;
+ *)
+ error "Invalid argument: ${arg}"
+ return ${EXIT_ERROR}
+ ;;
+ esac
+ shift
+ done
+
+ # Check if the user is trying a mixed operation
+ if ! list_is_empty prfs_set && (! list_is_empty prfs_added || ! list_is_empty prfs_removed); then
+ error "You cannot reset the pseudo random function list and add or remove functions at the same time"
+ return ${EXIT_ERROR}
+ fi
+
+ # Set new psudo random function list
+ if ! list_is_empty prfs_set; then
+ # Check if all PRFs are valid
+ local prf
+ for prf in ${prfs_set}; do
+ if ! vpn_security_policies_pseudo_random_function_supported "${prf}"; then
+ error "Unsupported pseudo random function: ${prf}"
+ return ${EXIT_ERROR}
+ fi
+ done
+
+ PSEUDO_RANDOM_FUNCTION="${prfs_set}"
+
+ # Perform incremental updates
+ else
+ local prf
+
+ # Perform all removals
+ for prf in ${prfs_removed}; do
+ if ! list_remove PSEUDO_RANDOM_FUNCTION "${prf}"; then
+ warning "${prf} was not on the list and could not be removed"
+ fi
+ done
+
+ for prf in ${prfs_added}; do
+ if vpn_security_policies_pseudo_random_function_supported "${prf}"; then
+ if ! list_append_unique PSEUDO_RANDOM_FUNCTION "${prf}"; then
+ warning "${prf} is already on the list"
+ fi
+ else
+ warning "${prf} is unknown or unsupported and could not be added"
+ fi
+ done
+ fi
+
+ # Check if the list contain at least one valid value
+ if list_is_empty PSEUDO_RANDOM_FUNCTION; then
+ error "Cannot save an empty list of pseudo random functions"
+ return ${EXIT_ERROR}
+ fi
+
+ # Save everything
+ if ! vpn_security_policies_write_config_key "${name}" "PSEUDO_RANDOM_FUNCTION" "${PSEUDO_RANDOM_FUNCTION}"; then
+ log ERROR "The changes for the VPN security policy ${name} could not be written"
+ fi
+
+ cli_headline 1 "Current pseudo random function list for ${name}:"
+ for prf in ${PSEUDO_RANDOM_FUNCTION}; do
+ cli_print_fmt1 1 "${prf}" "${VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION[${prf}]}"
+ done
+}
+
 # This function parses the parameters for the 'key-exchange' command
 vpn_security_policies_key_exchange() {
 local name=${1}
@@ -1047,6 +1151,12 @@ vpn_security_policies_integrity_supported() {
 list_match ${integrity} ${!VPN_SUPPORTED_INTEGRITY[@]}
 }
+vpn_security_policies_pseudo_random_function_supported() {
+ local prf="${1}"
+
+ list_match "${prf}" ${!VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION[@]}
+}
+
 vpn_security_policies_cipher_is_aead() {
 local cipher=${1}
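Review bot: A failed write of the new PRF list is not propagated: after `log ERROR "The changes for the VPN security policy ${name} could not be written"` the function falls through, prints the unsaved list under "Current pseudo random function list" and returns whatever the final print loop returns, so the caller and the operator see success while the policy on disk still carries the old PRFs. Add `return ${EXIT_ERROR}` directly after that log line inside the `if ! vpn_security_policies_write_config_key …` branch, matching the early returns used elsewhere in this function. A related asymmetry deserves at least a comment: a full reset aborts on an unsupported PRF, but an incremental `+NAME` only warns and the remaining changes are still saved, so if that is intended say so above the add loop, e.g. `# Incremental adds skip unknown PRFs with a warning (a full reset rejects them) and still save the rest`. Also a bare `+` or `-` argument appends an empty entry to prfs_added or prfs_removed; guarding the two arms with `[[ -n "${arg:1}" ]]` would route that into the existing "Invalid argument" error instead.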