]>
Commit | Line | Data |
---|---|---|
3eae7bed JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS" | |
23 | VPN_SECURITY_POLICIES_READONLY="system" | |
24 | ||
6fdbda80 MT |
25 | VPN_DEFAULT_SECURITY_POLICY="system" |
26 | ||
b116ad92 | 27 | declare -A VPN_SUPPORTED_CIPHERS=( |
b68fed1f MT |
28 | # 3DES-CBC |
29 | [3DES-CBC]="168 bit 3DES-EDE-CBC" | |
30 | ||
31 | # AES-CBC | |
b116ad92 MT |
32 | [AES256-CBC]="256 bit AES-CBC" |
33 | [AES192-CBC]="192 bit AES-CBC" | |
34 | [AES128-CBC]="128 bit AES-CBC" | |
b68fed1f MT |
35 | |
36 | # AES-CTR | |
37 | [AES256-CTR]="256 bit AES-COUNTER" | |
38 | [AES192-CTR]="192 bit AES-COUNTER" | |
39 | [AES128-CTR]="128 bit AES-COUNTER" | |
40 | ||
41 | # AES-GCM | |
42 | [AES256-GCM128]="256 bit AES-GCM with 128 bit ICV" | |
43 | [AES192-GCM128]="192 bit AES-GCM with 128 bit ICV" | |
44 | [AES128-GCM128]="128 bit AES-GCM with 128 bit ICV" | |
45 | [AES256-GCM96]="256 bit AES-GCM with 96 bit ICV" | |
46 | [AES192-GCM96]="192 bit AES-GCM with 96 bit ICV" | |
47 | [AES128-GCM96]="128 bit AES-GCM with 96 bit ICV" | |
48 | [AES256-GCM64]="256 bit AES-GCM with 64 bit ICV" | |
49 | [AES192-GCM64]="192 bit AES-GCM with 64 bit ICV" | |
50 | [AES128-GCM64]="128 bit AES-GCM with 64 bit ICV" | |
51 | ||
52 | # AES-CCM | |
53 | [AES256-CCM128]="256 bit AES-CCM with 128 bit ICV" | |
54 | [AES192-CCM128]="192 bit AES-CCM with 128 bit ICV" | |
55 | [AES128-CCM128]="128 bit AES-CCM with 128 bit ICV" | |
56 | [AES256-CCM96]="256 bit AES-CCM with 96 bit ICV" | |
57 | [AES192-CCM96]="192 bit AES-CCM with 96 bit ICV" | |
58 | [AES128-CCM96]="128 bit AES-CCM with 96 bit ICV" | |
59 | [AES256-CCM64]="256 bit AES-CCM with 64 bit ICV" | |
60 | [AES192-CCM64]="192 bit AES-CCM with 64 bit ICV" | |
61 | [AES128-CCM64]="128 bit AES-CCM with 64 bit ICV" | |
62 | ||
63 | # CAMELLIA-CBC | |
64 | [CAMELLIA256-CBC]="256 bit CAMELLIA-CBC" | |
65 | [CAMELLIA192-CBC]="192 bit CAMELLIA-CBC" | |
66 | [CAMELLIA128-CBC]="128 bit CAMELLIA-CBC" | |
67 | ||
68 | # CAMELLIA-CTR | |
69 | [CAMELLIA256-CTR]="256 bit CAMELLIA-COUNTER" | |
70 | [CAMELLIA192-CTR]="192 bit CAMELLIA-COUNTER" | |
71 | [CAMELLIA128-CTR]="128 bit CAMELLIA-COUNTER" | |
72 | ||
73 | # CAMELLIA-GCM | |
74 | [CAMELLIA256-GCM128]="256 bit CAMELLIA-GCM with 128 bit ICV" | |
75 | [CAMELLIA192-GCM128]="192 bit CAMELLIA-GCM with 128 bit ICV" | |
76 | [CAMELLIA128-GCM128]="128 bit CAMELLIA-GCM with 128 bit ICV" | |
77 | [CAMELLIA256-GCM96]="256 bit CAMELLIA-GCM with 96 bit ICV" | |
78 | [CAMELLIA192-GCM96]="192 bit CAMELLIA-GCM with 96 bit ICV" | |
79 | [CAMELLIA128-GCM96]="128 bit CAMELLIA-GCM with 96 bit ICV" | |
80 | [CAMELLIA256-GCM64]="256 bit CAMELLIA-GCM with 64 bit ICV" | |
81 | [CAMELLIA192-GCM64]="192 bit CAMELLIA-GCM with 64 bit ICV" | |
82 | [CAMELLIA128-GCM64]="128 bit CAMELLIA-GCM with 64 bit ICV" | |
83 | ||
84 | # CAMELLIA-CCM | |
85 | [CAMELLIA256-CCM128]="256 bit CAMELLIA-CCM with 128 bit ICV" | |
86 | [CAMELLIA192-CCM128]="192 bit CAMELLIA-CCM with 128 bit ICV" | |
87 | [CAMELLIA128-CCM128]="128 bit CAMELLIA-CCM with 128 bit ICV" | |
88 | [CAMELLIA256-CCM96]="256 bit CAMELLIA-CCM with 96 bit ICV" | |
89 | [CAMELLIA192-CCM96]="192 bit CAMELLIA-CCM with 96 bit ICV" | |
90 | [CAMELLIA128-CCM96]="128 bit CAMELLIA-CCM with 96 bit ICV" | |
91 | [CAMELLIA256-CCM64]="256 bit CAMELLIA-CCM with 64 bit ICV" | |
92 | [CAMELLIA192-CCM64]="192 bit CAMELLIA-CCM with 64 bit ICV" | |
93 | [CAMELLIA128-CCM64]="128 bit CAMELLIA-CCM with 64 bit ICV" | |
b116ad92 MT |
94 | ) |
95 | ||
3a0c376c MT |
96 | declare -A VPN_SUPPORTED_INTEGRITY=( |
97 | [MD5]="MD5-HMAC" | |
98 | ||
99 | # SHA | |
100 | [SHA1]="SHA1-HMAC" | |
101 | [SHA512]="256 bit SHA2-HMAC" | |
102 | [SHA384]="384 bit SHA2-HMAC" | |
103 | [SHA256]="256 bit SHA2-HMAC" | |
104 | ||
105 | # AES | |
106 | [AES-XCBC]="AES-XCBC" | |
107 | [AES-CMAC]="AES-CMAC" | |
108 | [AES256-GMAC]="256 bit AES-GMAC" | |
109 | [AES192-GMAC]="192 bit AES-GMAC" | |
110 | [AES128-GMAC]="128 bit AES-GMAC" | |
111 | ) | |
112 | ||
3eae7bed JS |
113 | VPN_SUPPORTED_GROUP_TYPES="MODP8192 MODP4096" |
114 | ||
6740c9c5 MT |
115 | # This functions checks if a policy is readonly |
116 | # returns true when yes and false when no | |
3eae7bed | 117 | vpn_security_policies_check_readonly() { |
3eae7bed JS |
118 | if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then |
119 | return ${EXIT_TRUE} | |
120 | else | |
121 | return ${EXIT_FALSE} | |
122 | fi | |
123 | } | |
124 | ||
6740c9c5 | 125 | # This function writes all values to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 126 | vpn_security_policies_write_config() { |
3eae7bed JS |
127 | assert [ $# -ge 1 ] |
128 | ||
129 | local name="${1}" | |
130 | ||
6740c9c5 | 131 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
132 | log ERROR "No such vpn security policy: ${name}" |
133 | return ${EXIT_ERROR} | |
134 | fi | |
135 | ||
6740c9c5 | 136 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
137 | log ERROR "The ${name} vpn security policy cannot be changed." |
138 | return ${EXIT_ERROR} | |
139 | fi | |
140 | ||
6740c9c5 | 141 | local path="$(vpn_security_policies_path "${name}")" |
3eae7bed JS |
142 | if [ ! -w ${path} ]; then |
143 | log ERROR "${path} is not writeable" | |
144 | return ${EXIT_ERROR} | |
145 | fi | |
146 | ||
147 | if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then | |
148 | log ERROR "Could not write configuration settings for vpn security policy ${name}" | |
149 | return ${EXIT_ERROR} | |
150 | fi | |
151 | ||
152 | # TODO everytime we successfully write a config we should call some trigger to take the changes into effect | |
153 | } | |
154 | ||
6740c9c5 | 155 | # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 156 | vpn_security_policies_write_config_key() { |
3eae7bed | 157 | assert [ $# -ge 3 ] |
6740c9c5 | 158 | |
3eae7bed JS |
159 | local name=${1} |
160 | local key=${2} | |
161 | shift 2 | |
6740c9c5 | 162 | |
3eae7bed JS |
163 | local value="$@" |
164 | ||
6740c9c5 | 165 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
166 | log ERROR "No such vpn security policy: ${name}" |
167 | return ${EXIT_ERROR} | |
168 | fi | |
169 | ||
170 | log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}" | |
171 | ||
172 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
173 | ||
174 | # Read the config settings | |
6740c9c5 | 175 | if ! vpn_security_policies_read_config "${name}"; then |
3eae7bed JS |
176 | return ${EXIT_ERROR} |
177 | fi | |
178 | ||
179 | # Set the key to a new value | |
180 | assign "${key}" "${value}" | |
181 | ||
6740c9c5 | 182 | if ! vpn_security_policies_write_config "${name}"; then |
3eae7bed JS |
183 | return ${EXIT_ERROR} |
184 | fi | |
185 | ||
186 | return ${EXIT_TRUE} | |
3eae7bed JS |
187 | } |
188 | ||
6740c9c5 | 189 | # Reads one or more keys out of a settings file or all if no key is provided. |
3eae7bed | 190 | vpn_security_policies_read_config() { |
3eae7bed JS |
191 | assert [ $# -ge 1 ] |
192 | ||
193 | local name="${1}" | |
194 | shift 1 | |
195 | ||
6740c9c5 | 196 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
197 | log ERROR "No such vpn security policy: ${name}" |
198 | return ${EXIT_ERROR} | |
199 | fi | |
200 | ||
201 | ||
202 | local args | |
203 | if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then | |
204 | list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
205 | else | |
206 | list_append args $@ | |
207 | fi | |
208 | ||
209 | local path="$(vpn_security_policies_path ${name})" | |
210 | ||
211 | if ! settings_read "${path}" ${args}; then | |
212 | log ERROR "Could not read settings for vpn security policy ${name}" | |
213 | return ${EXIT_ERROR} | |
214 | fi | |
215 | } | |
216 | ||
6740c9c5 | 217 | # Returns the path to a the configuration fora given name |
3eae7bed | 218 | vpn_security_policies_path() { |
3eae7bed | 219 | assert [ $# -eq 1 ] |
6740c9c5 | 220 | |
3eae7bed JS |
221 | local name=${1} |
222 | ||
6740c9c5 | 223 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
224 | echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}" |
225 | else | |
226 | echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}" | |
227 | fi | |
228 | } | |
229 | ||
6740c9c5 | 230 | # Print the content of a vpn security policy configuration file in a nice way |
3eae7bed | 231 | vpn_security_policies_show() { |
3eae7bed | 232 | assert [ $# -eq 1 ] |
6740c9c5 | 233 | |
3eae7bed JS |
234 | local name=${1} |
235 | ||
236 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
3eae7bed JS |
237 | if ! vpn_security_policies_read_config ${name}; then |
238 | return ${EXIT_ERROR} | |
239 | fi | |
240 | ||
241 | cli_print_fmt1 0 "Security Policy: ${name}" | |
242 | cli_space | |
243 | ||
244 | # This could be done in a loop but a loop is much more complicated | |
245 | # because we print 'Group Types' but the variable is named 'GROUP_TYPES' | |
246 | cli_print_fmt1 1 "Ciphers:" | |
d21db419 MT |
247 | |
248 | local cipher | |
249 | for cipher in ${CIPHER}; do | |
250 | cli_print_fmt1 2 "${VPN_SUPPORTED_CIPHERS[${cipher}]-${cipher}}" | |
251 | done | |
3eae7bed | 252 | cli_space |
6740c9c5 | 253 | |
3eae7bed JS |
254 | cli_print_fmt1 1 "Integrity:" |
255 | cli_print_fmt1 2 "${INTEGRITY}" | |
256 | cli_space | |
6740c9c5 | 257 | |
3eae7bed JS |
258 | cli_print_fmt1 1 "Group Types:" |
259 | cli_print_fmt1 2 "${GROUP_TYPE}" | |
260 | cli_space | |
261 | ||
262 | cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}" | |
6740c9c5 MT |
263 | |
264 | # Key Lifetime | |
3eae7bed JS |
265 | if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then |
266 | cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})" | |
267 | else | |
268 | log ERROR "The value for Key Lifetime is not a valid integer greater zero." | |
269 | fi | |
6740c9c5 MT |
270 | |
271 | # PFS | |
3eae7bed JS |
272 | if enabled PFS; then |
273 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" | |
274 | else | |
275 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" | |
276 | fi | |
277 | cli_space | |
6740c9c5 MT |
278 | |
279 | # Compression | |
3eae7bed JS |
280 | if enabled COMPRESSION; then |
281 | cli_print_fmt1 1 "Compression:" "enabled" | |
282 | else | |
283 | cli_print_fmt1 1 "Compression:" "disabled" | |
284 | fi | |
285 | cli_space | |
286 | } | |
287 | ||
6740c9c5 MT |
288 | # This function checks if a vpn security policy exists |
289 | # Returns True when yes and false when not | |
3eae7bed | 290 | vpn_security_policy_exists() { |
3eae7bed | 291 | assert [ $# -eq 1 ] |
6740c9c5 | 292 | |
3eae7bed JS |
293 | local name=${1} |
294 | ||
6740c9c5 MT |
295 | local path=$(vpn_security_policies_path "${name}") |
296 | ||
297 | [ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
3eae7bed JS |
298 | } |
299 | ||
300 | ||
6740c9c5 | 301 | # This function parses the parameters for the 'cipher' command |
3eae7bed | 302 | vpn_security_policies_cipher(){ |
3eae7bed JS |
303 | local name=${1} |
304 | shift | |
305 | ||
306 | if [ $# -eq 0 ]; then | |
307 | log ERROR "You must pass at least one value after cipher" | |
308 | return ${EXIT_ERROR} | |
309 | fi | |
310 | ||
311 | local CIPHER | |
3eae7bed JS |
312 | if ! vpn_security_policies_read_config ${name} "CIPHER"; then |
313 | return ${EXIT_ERROR} | |
314 | fi | |
315 | ||
316 | # Remove duplicated entries to proceed the list safely | |
317 | CIPHER="$(list_unique ${CIPHER})" | |
318 | ||
319 | while [ $# -gt 0 ]; do | |
320 | case "${1}" in | |
321 | -*) | |
322 | value=${1#-} | |
323 | # Check if the cipher is in the list of ciphers and | |
324 | # check if the list has after removing this cipher at least one valid value | |
325 | if list_match ${value} ${CIPHER}; then | |
326 | list_remove CIPHER ${value} | |
327 | else | |
328 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
329 | log ERROR "Can not remove ${value} from the list of Ciphers because ${value} is not in the list." | |
330 | fi | |
331 | ;; | |
332 | +*) | |
333 | value=${1#+} | |
334 | # Check if the Ciphers is in the list of supported ciphers. | |
b116ad92 | 335 | if ! isoneof value ${!VPN_SUPPORTED_CIPHERS[@]}; then |
3eae7bed JS |
336 | # We do not break here because this error does not break the processing of the next maybe valid values. |
337 | log ERROR "${value} is not a supported cipher and can thats why not added to the list of ciphers." | |
338 | else | |
339 | if list_match ${value} ${CIPHER}; then | |
340 | log WARNING "${value} is already in the list of ciphers of this policy." | |
341 | else | |
342 | list_append CIPHER ${value} | |
343 | fi | |
344 | fi | |
345 | ;; | |
346 | esac | |
347 | shift | |
348 | done | |
349 | ||
350 | # Check if the list contain at least one valid cipher | |
351 | if [ $(list_length ${CIPHER}) -ge 1 ]; then | |
352 | if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then | |
353 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
354 | fi | |
355 | else | |
356 | log ERROR "After proceding all ciphers the list is empty and thats why no changes are written." | |
357 | return ${EXIT_ERROR} | |
358 | fi | |
359 | } | |
360 | ||
6740c9c5 | 361 | # This function parses the parameters for the 'compression' command |
3eae7bed | 362 | vpn_security_policies_compression(){ |
3eae7bed JS |
363 | local name=${1} |
364 | local value=${2} | |
365 | ||
366 | # Check if we get only one argument after compression <name> | |
367 | if [ ! $# -eq 2 ]; then | |
368 | log ERROR "The number of arguments do not match. Only one argument after compression is allowed." | |
369 | return ${EXIT_ERROR} | |
370 | fi | |
371 | ||
372 | if ! isbool value; then | |
373 | # We suggest only two values to avoid overburding the user. | |
374 | log ERROR "Invalid Argument ${value}" | |
375 | return ${EXIT_ERROR} | |
376 | fi | |
377 | ||
378 | vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" | |
379 | } | |
380 | ||
6740c9c5 | 381 | # This function parses the parameters for the 'group-type' command |
3eae7bed | 382 | vpn_security_policies_group_type(){ |
3eae7bed JS |
383 | local name=${1} |
384 | shift | |
385 | ||
386 | if [ $# -eq 0 ]; then | |
387 | log ERROR "You must pass at least one value after group-type" | |
388 | return ${EXIT_ERROR} | |
389 | fi | |
390 | ||
391 | local GROUP_TYPE | |
3eae7bed JS |
392 | if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then |
393 | return ${EXIT_ERROR} | |
394 | fi | |
395 | ||
396 | # Remove duplicated entries to proceed the list safely | |
397 | GROUP_TYPE="$(list_unique ${GROUP_TYPE})" | |
398 | ||
399 | while [ $# -gt 0 ]; do | |
400 | case "${1}" in | |
401 | -*) | |
402 | value=${1#-} | |
403 | # Check if the group type is in the list of group types and | |
404 | # check if the list has after removing this group type at leatst one valid value | |
405 | if list_match ${value} ${GROUP_TYPE}; then | |
406 | list_remove GROUP_TYPE ${value} | |
407 | else | |
408 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
409 | log ERROR "Can not remove ${value} from the list of group types because ${value} is not in the list." | |
410 | fi | |
411 | ;; | |
412 | +*) | |
413 | value=${1#+} | |
414 | # Check if the group type is in the list of supported group types. | |
415 | if ! isoneof value ${VPN_SUPPORTED_GROUP_TYPES}; then | |
416 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
417 | log ERROR "${value} is not a supported group type and can thats why not added to the list of group types." | |
418 | else | |
419 | if list_match ${value} ${GROUP_TYPE}; then | |
420 | log WARNING "${value} is already in the list of group-types of this policy." | |
421 | else | |
422 | list_append GROUP_TYPE ${value} | |
423 | fi | |
424 | fi | |
425 | ;; | |
426 | esac | |
427 | shift | |
428 | done | |
429 | ||
430 | # Check if the list contain at least one valid group-type | |
431 | if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then | |
432 | if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then | |
433 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
434 | fi | |
435 | else | |
436 | log ERROR "After proceding all group types the list is empty and thats why no changes are written." | |
437 | return ${EXIT_ERROR} | |
438 | fi | |
439 | } | |
6740c9c5 MT |
440 | |
441 | # This function parses the parameters for the 'integrity' command | |
3eae7bed | 442 | vpn_security_policies_integrity(){ |
3eae7bed JS |
443 | local name=${1} |
444 | shift | |
445 | ||
446 | if [ $# -eq 0 ]; then | |
447 | log ERROR "You must pass at least one value after integrity." | |
448 | return ${EXIT_ERROR} | |
449 | fi | |
450 | ||
451 | local INTEGRITY | |
3eae7bed JS |
452 | if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then |
453 | return ${EXIT_ERROR} | |
454 | fi | |
455 | ||
456 | # Remove duplicated entries to proceed the list safely | |
457 | INTEGRITY="$(list_unique ${INTEGRITY})" | |
458 | ||
459 | while [ $# -gt 0 ]; do | |
460 | case "${1}" in | |
461 | -*) | |
462 | value=${1#-} | |
463 | # Check if the integrity hash is in the list of integrity hashes and | |
464 | # check if the list has after removing this integrity hash at least one valid value | |
465 | if list_match ${value} ${INTEGRITY}; then | |
466 | list_remove INTEGRITY ${value} | |
467 | else | |
468 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
469 | log ERROR "Can not remove ${value} from the list of integrity hashes because ${value} is not in the list." | |
470 | fi | |
471 | ;; | |
472 | +*) | |
473 | value=${1#+} | |
474 | # Check if the Ciphers is in the list of supported integrity hashes. | |
3a0c376c | 475 | if ! isoneof value ${!VPN_SUPPORTED_INTEGRITY[@]}; then |
3eae7bed JS |
476 | # We do not break here because the processing of other maybe valid values are indepent from this error. |
477 | log ERROR "${value} is not a supported integrity hash and can thats why not added to the list of integrity hashes." | |
478 | else | |
479 | if list_match ${value} ${INTEGRITY}; then | |
480 | log WARNING "${value} is already in the list of integrety hashes of this policy." | |
481 | else | |
482 | list_append INTEGRITY ${value} | |
483 | fi | |
484 | fi | |
485 | ;; | |
486 | esac | |
487 | shift | |
488 | done | |
489 | ||
490 | # Check if the list contain at least one valid group-type | |
491 | if [ $(list_length ${INTEGRITY}) -ge 1 ]; then | |
492 | if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then | |
493 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
494 | fi | |
495 | else | |
496 | log ERROR "After proceding all integrity hashes the list is empty and thats why no changes are written." | |
497 | return ${EXIT_ERROR} | |
498 | fi | |
3eae7bed JS |
499 | } |
500 | ||
6740c9c5 | 501 | # This function parses the parameters for the 'key-exchange' command |
3eae7bed | 502 | vpn_security_policies_key_exchange() { |
3eae7bed JS |
503 | local name=${1} |
504 | local value=${2} | |
6740c9c5 | 505 | |
3eae7bed JS |
506 | # Check if we get only one argument after key-exchange <name> |
507 | if [ ! $# -eq 2 ]; then | |
508 | log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed." | |
509 | return ${EXIT_ERROR} | |
510 | fi | |
511 | ||
3eae7bed JS |
512 | if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then |
513 | log ERROR "Invalid Argument ${value}" | |
514 | return ${EXIT_ERROR} | |
515 | fi | |
516 | ||
517 | vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}" | |
518 | } | |
519 | ||
6740c9c5 | 520 | # This function parses the parameters for the 'lifetime' command. |
3eae7bed | 521 | vpn_security_policies_lifetime(){ |
3eae7bed JS |
522 | local name=${1} |
523 | shift | |
6740c9c5 | 524 | |
3eae7bed JS |
525 | local value=$@ |
526 | ||
527 | # Check if we get only one argument after lifetime <name> | |
528 | if [ ! $# -ge 1 ]; then | |
529 | log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s" | |
530 | return ${EXIT_ERROR} | |
531 | fi | |
532 | ||
533 | if ! isinteger value; then | |
534 | value=$(parse_time $@) | |
535 | if [ ! $? -eq 0 ]; then | |
536 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
537 | return ${EXIT_ERROR} | |
538 | fi | |
539 | fi | |
540 | ||
541 | if [ ${value} -le 0 ]; then | |
542 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
543 | return ${EXIT_ERROR} | |
544 | fi | |
545 | ||
546 | vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" | |
547 | } | |
548 | ||
6740c9c5 | 549 | # This function parses the parameters for the 'pfs' command |
3eae7bed | 550 | vpn_security_policies_pfs(){ |
3eae7bed JS |
551 | local name=${1} |
552 | local value=${2} | |
553 | ||
554 | # Check if we get only one argument after pfs <name> | |
555 | if [ ! $# -eq 2 ]; then | |
556 | log ERROR "The number of arguments do not match. Only argument after pfs is allowed." | |
557 | return ${EXIT_ERROR} | |
558 | fi | |
559 | ||
560 | if [ ! $# -eq 2 ] || ! isbool value; then | |
561 | # We suggest only two values to avoid overburding the user. | |
562 | log ERROR "Invalid Argument ${value}" | |
563 | return ${EXIT_ERROR} | |
564 | fi | |
565 | ||
566 | vpn_security_policies_write_config_key "${name}" "PFS" "${value}" | |
567 | } | |
568 | ||
6740c9c5 MT |
569 | # This function checks if a vpn security policy name is valid |
570 | # Allowed are only A-Za-z0-9 | |
3eae7bed | 571 | vpn_security_policies_check_name() { |
3eae7bed | 572 | assert [ $# -eq 1 ] |
6740c9c5 | 573 | |
3eae7bed | 574 | local name=${1} |
6740c9c5 | 575 | |
3eae7bed JS |
576 | [[ ${name} =~ [^[:alnum:]$] ]] |
577 | } | |
578 | ||
6740c9c5 | 579 | # Function that creates based on the paramters one ore more new vpn security policies |
3eae7bed | 580 | vpn_security_policies_new() { |
58aa0edf MT |
581 | if [ $# -gt 1 ]; then |
582 | error "Too many arguments" | |
3eae7bed JS |
583 | return ${EXIT_ERROR} |
584 | fi | |
585 | ||
58aa0edf MT |
586 | local name="${1}" |
587 | if ! isset name; then | |
588 | error "Please provide a name" | |
589 | return ${EXIT_ERROR} | |
590 | fi | |
3eae7bed | 591 | |
58aa0edf MT |
592 | # Check for duplicates |
593 | if vpn_security_policy_exists "${name}"; then | |
594 | error "The VPN security policy with name ${name} already exists" | |
595 | return ${EXIT_ERROR} | |
596 | fi | |
3eae7bed | 597 | |
58aa0edf MT |
598 | # Check if name is valid |
599 | if vpn_security_policies_check_name "${name}"; then | |
600 | error "'${name}' contains illegal characters" | |
601 | return ${EXIT_ERROR} | |
602 | fi | |
3eae7bed | 603 | |
58aa0edf MT |
604 | # Check if we have a read-only policy with the same name |
605 | if vpn_security_policies_check_readonly "${name}"; then | |
606 | error "The VPN security policy ${name} is read-only" | |
607 | return ${EXIT_ERROR} | |
608 | fi | |
609 | ||
6fdbda80 MT |
610 | # Check if our source policy exists |
611 | if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then | |
612 | error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist" | |
613 | return ${EXIT_ERROR} | |
614 | fi | |
615 | ||
58aa0edf MT |
616 | log DEBUG "Creating VPN Security Policy ${name}" |
617 | ||
aab75c48 MT |
618 | if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" |
619 | "$(vpn_security_policies_path ${name})"; then | |
58aa0edf MT |
620 | log INFO "VPN Security Policy ${name} successfully created" |
621 | else | |
622 | log ERROR "Could not create VPN Security Policy ${name}" | |
623 | return ${EXIT_ERROR} | |
624 | fi | |
c787fea5 MT |
625 | |
626 | # Show the newly created policy | |
627 | vpn_security_policies_show "${name}" | |
3eae7bed JS |
628 | } |
629 | ||
6740c9c5 | 630 | # Function that deletes based on the passed parameters one ore more vpn security policies |
3eae7bed | 631 | vpn_security_policies_destroy() { |
3eae7bed JS |
632 | local name |
633 | for name in $@; do | |
634 | if ! vpn_security_policy_exists ${name}; then | |
635 | log ERROR "The vpn security policy ${name} does not exist." | |
636 | continue | |
637 | fi | |
638 | ||
639 | if vpn_security_policies_check_readonly ${name}; then | |
640 | log ERROR "The vpn security policy ${name} cannot be deleted." | |
641 | continue | |
642 | fi | |
643 | ||
644 | log DEBUG "Deleting vpn security policy ${name}" | |
645 | settings_remove $(vpn_security_policies_path ${name}) | |
646 | done | |
647 | } |