Revision 1.1 - (hide annotations) (download)
Wed Jan 25 15:35:54 2017 UTC (7 years, 10 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Wed Jan 25 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-23.sme
- Add the ability to use PEM/PKCS#12 certificates - fixes [SME: 9942]
- lots of code tidying

1 reetspetit 1.1 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
2     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:19:45.651000000 +0100
3     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:20:03.868000104 +0100
4     @@ -1,4 +1,3 @@
5     -#!/usr/bin/perl -w
6    
7     {
8     use strict;
9     @@ -26,212 +25,220 @@
10    
11     my @connections = $ipsecDB->keys;
12    
13     + $OUT .= "# ipsec.conf\n\n";
14     +
15     foreach my $ipsecprop (@connections) {
16     - if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) {
17    
18     - # first we verify if IPSec is enabled for the connection
19     + # first we verify if IPSec is enabled for the connection
20    
21     - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
22     + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
23    
24     - if ( $ipsecstatus ne 'enabled' ) {
25     - $OUT .= "# $ipsecprop is disabled\n"
26     - unless $ipsecstatus eq "enabled";
27     - }
28     - else {
29     + if ( $ipsecstatus eq 'enabled' ) {
30    
31     - $OUT .= "conn $ipsecprop\n";
32     + $OUT .= "conn $ipsecprop\n";
33     +
34     + # These should be from $configDB-> ipsec
35    
36     - # These should be from $configDB-> ipsec
37     + # Not templated this - maybe later with L2TPD
38     + # We currently use a password file but this could be integrated with other authent later
39    
40     - # Not templated this - maybe later with L2TPD
41     - # We currently use a password file but this could be integrated with other authent later
42     + # Lazy - assume that it is security (password by default) - options are rsasig|certs
43    
44     - # Lazy - assume that it is security (password by default) - option is rsasig
45     + # Careful - property 'type' has a special meaning in configDB and returns 'service'
46    
47     - # Careful - property 'type' has a special meaning in configDB and returns 'service'
48     -
49     - my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
50     - || 'tunnel';
51     - $OUT .= " type=$connectiontype\n";
52     -
53     - my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' )
54     - || 'secret';
55     - my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
56     -
57     - if ( $security eq "rsasig" ) {
58     - $OUT .= " authby=rsasig\n";
59     -
60     - my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' )
61     - || '';
62     - $OUT .= " leftrsasigkey=$leftrsasig\n";
63     -
64     - my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' )
65     - || '';
66     - $OUT .= " rightrsasigkey=$rightrsasig\n";
67     -
68     - }
69     -
70     - # Prep for certs
71     - # Problem here is that certificate settings are basically the same as rsasig
72     - # I think we can use a key to identify the type of connection and adjust accordingly
73     - # elsif ( $security eq "certificate" ) {
74     - # $OUT .= " authby=rsasig\n";
75     - # leftcert=$keyname.$ServerName.$DomainName
76     - # leftrsasigkey=%cert
77     - # leftid=leftid
78     - # leftsendcert=always - maybe not needed
79     -
80     - # rightca=%same
81     - # rightrsasigkey=%cert
82     - # rightid=%fromcert ?
83     -
84     - # $OUT .= " leftid=\"CN=$certname\"\n";
85     - # $OUT .= " leftcert=$certname\n";
86     -
87     - # }
88     -
89     - else {
90     - $OUT .= " authby=$security\n";
91     - }
92     -
93     - # Use connection value if it exists, if not use generic db value
94     - my $auto =
95     - $ipsecDB->get_prop( $ipsecprop, 'auto' )
96     - || $configDB->get_prop( $dbKey, 'auto' )
97     - || 'start';
98     -
99     - # If we are a static host to a dynamic client we are always add
100     - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
101     -
102     - if ( $iptype eq 'stattodyn' ) {
103     - $OUT .= " auto=add\n";
104     - }
105     - else {
106     - $OUT .= " auto=$auto\n";
107     - }
108     -
109     - # We should change ipsecversion to ikev2status
110     - my $ipsecversion =
111     - $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
112     - || $configDB->get_prop( $dbKey, 'ipsecversion' )
113     - || 'permit';
114     -
115     - $OUT .= " ikev2=$ipsecversion\n";
116     -
117     - # Set the Phase one and Phase two default strengths - these are set to aes
118     - my $ike =
119     - $ipsecDB->get_prop( $ipsecprop, 'ike' )
120     - || $configDB->get_prop( $dbKey, 'ike' )
121     - || 'aes-sha1';
122     - $OUT .= " ike=$ike\n";
123     -
124     - my $phase2 =
125     - $ipsecDB->get_prop( $ipsecprop, 'phase2' )
126     - || $configDB->get_prop( $dbKey, 'phase2' )
127     - || 'aes-sha1';
128     - $OUT .= " phase2alg=$phase2\n";
129     + my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
130     + || 'tunnel';
131     + $OUT .= " type=$connectiontype\n";
132    
133     - # mtu can only be set per connection
134     - my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
135     - || '';
136     - unless ( $mtu eq '' ) {
137     - $OUT .= " mtu=$mtu\n";
138     - }
139     -
140     - # These should be from $configDB-> ipsec unless they exist in ipsec_connections
141     -
142     - my $keyingtries =
143     - $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
144     - || $configDB->get_prop( $dbKey, 'keyingtries' )
145     - || '0';
146     - $OUT .= " keyingtries=$keyingtries\n";
147     -
148     - # Following come from ipsecDB or configDB or hardcoded
149     - my $ikelifetime =
150     - $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
151     - || $configDB->get_prop( $dbKey, 'ikelifetime' )
152     - || '3600s';
153     - $OUT .= " ikelifetime=$ikelifetime\n";
154     -
155     - my $salifetime =
156     - $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
157     - || $configDB->get_prop( $dbKey, 'salifetime' )
158     - || '28800s';
159     - $OUT .= " salifetime=$salifetime\n";
160     -
161     - # Add is for incoming and is better that server dpd is ignored
162     - # Disabled for now
163     -
164     - # if ( $auto ne 'add' ) {
165     - my $dpdaction =
166     - $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
167     - || $configDB->get_prop( $dbKey, 'dpdaction' )
168     - || 'restart';
169     - $OUT .= " dpdaction=$dpdaction\n";
170     -
171     - my $dpddelay =
172     - $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
173     - || $configDB->get_prop( $dbKey, 'dpddelay' )
174     - || '30';
175     - $OUT .= " dpddelay=$dpddelay\n";
176     -
177     - my $dpdtimeout =
178     - $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
179     - || $configDB->get_prop( $dbKey, 'dpdtimeout' )
180     - || '10';
181     - $OUT .= " dpdtimeout=$dpdtimeout\n";
182     -
183     - # }
184     -
185     - # default to yes unless overridden in the connection db
186     - my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
187     - $OUT .= " pfs=$pfs\n";
188     -
189     - # Following come from ipsecDB or configDB or hardcoded
190     - my $left =
191     - $ipsecDB->get_prop( $ipsecprop, 'left' )
192     - || $configDB->get_prop( $dbKey, 'left' )
193     - || '%defaultroute';
194     - $OUT .= " left=$left\n";
195     -
196     - # These ONLY come from the ipsec_configurations db
197     - if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '' ) ne '' ) {
198     - $OUT .= " leftid=\@$leftid\n";
199     - }
200     - my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
201     + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
202     + || 'secret';
203     +
204     + # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
205     +
206     + if ( $security eq 'rsasig' ) {
207     + $OUT .= " authby=rsasig\n";
208     +
209     + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
210     || '';
211     - $OUT .= " leftsourceip=$leftsourceip\n";
212     + $OUT .= " leftrsasigkey=$leftrsasig\n";
213    
214     - my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
215     + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
216     || '';
217     - $OUT .= " leftsubnet=$leftsub\n";
218     + $OUT .= " rightrsasigkey=$rightrsasig\n";
219     +
220     + }
221    
222     - # If we are a static host to a dynamic client we HAVE to set right %any
223     + elsif ( $security eq 'certs' ) {
224    
225     - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
226     + $OUT .= " authby=rsasig\n";
227    
228     - if ( $iptype eq 'stattodyn' ) {
229     - $OUT .= " right=%any\n";
230     - }
231     - else {
232     - $OUT .= " right=$right\n";
233     - }
234     + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
235     + || '%cert';
236     + $OUT .= " leftrsasigkey=$leftrsasig\n";
237    
238     - if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '' ) ne '' ) {
239     - $OUT .= " rightid=\@$rightid\n";
240     - }
241     + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
242     + || '%cert';
243     + $OUT .= " rightrsasigkey=$rightrsasig\n";
244    
245     - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
246     - $OUT .= " rightsubnet=$rightsubnet\n";
247     + my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
248     + || '"LeftCertName"';
249     + $OUT .= " leftcert=\"$leftcert\"\n";
250     +
251     + my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
252     + || '"RightCertName"';
253     + $OUT .= " rightcert=\"$rightcert\"\n";
254    
255     }
256     - }
257    
258     - }
259     + else {
260     + $OUT .= " authby=$security\n";
261     + }
262    
263     - # End For
264     - }
265     + # Use connection value if it exists, if not use generic db value
266     + my $auto =
267     + $ipsecDB->get_prop( $ipsecprop, 'auto' )
268     + || $configDB->get_prop( $dbKey, 'auto' )
269     + || 'start';
270     +
271     + # If we are a static host to a dynamic client we are always add
272     + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
273     +
274     + if ( $iptype eq 'stattodyn' ) {
275     + $OUT .= " auto=add\n";
276     + }
277     + else {
278     + $OUT .= " auto=$auto\n";
279     + }
280    
281     - # End Else
282     + # We should change ipsecversion to ikev2status
283     + my $ipsecversion =
284     + $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
285     + || $configDB->get_prop( $dbKey, 'ipsecversion' )
286     + || 'permit';
287     +
288     + $OUT .= " ikev2=$ipsecversion\n";
289     +
290     + # Set the Phase one and Phase two default strengths - these are set to aes
291     + my $ike =
292     + $ipsecDB->get_prop( $ipsecprop, 'ike' )
293     + || $configDB->get_prop( $dbKey, 'ike' )
294     + || 'aes-sha1';
295     + $OUT .= " ike=$ike\n";
296     +
297     + my $phase2 =
298     + $ipsecDB->get_prop( $ipsecprop, 'phase2' )
299     + || $configDB->get_prop( $dbKey, 'phase2' )
300     + || 'aes-sha1';
301     + $OUT .= " phase2alg=$phase2\n";
302     +
303     + # mtu can only be set per connection
304     + my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
305     + || '';
306     +
307     + unless ( $mtu eq '' ) {
308     + $OUT .= " mtu=$mtu\n";
309     + }
310    
311     + # These should be from $configDB-> ipsec unless they exist in ipsec_connections
312     +
313     + my $keyingtries =
314     + $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
315     + || $configDB->get_prop( $dbKey, 'keyingtries' )
316     + || '0';
317     + $OUT .= " keyingtries=$keyingtries\n";
318     +
319     + # Following come from ipsecDB or configDB or hardcoded
320     + my $ikelifetime =
321     + $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
322     + || $configDB->get_prop( $dbKey, 'ikelifetime' )
323     + || '3600s';
324     + $OUT .= " ikelifetime=$ikelifetime\n";
325     +
326     + my $salifetime =
327     + $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
328     + || $configDB->get_prop( $dbKey, 'salifetime' )
329     + || '28800s';
330     + $OUT .= " salifetime=$salifetime\n";
331     +
332     + # Add is for incoming and is better that server dpd is ignored
333     + # Disabled for now
334     +
335     + # if ( $auto ne 'add' ) {}
336     + my $dpdaction =
337     + $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
338     + || $configDB->get_prop( $dbKey, 'dpdaction' )
339     + || 'restart';
340     + $OUT .= " dpdaction=$dpdaction\n";
341     +
342     + my $dpddelay =
343     + $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
344     + || $configDB->get_prop( $dbKey, 'dpddelay' )
345     + || '30';
346     + $OUT .= " dpddelay=$dpddelay\n";
347     +
348     + my $dpdtimeout =
349     + $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
350     + || $configDB->get_prop( $dbKey, 'dpdtimeout' )
351     + || '10';
352     + $OUT .= " dpdtimeout=$dpdtimeout\n";
353     +
354     + # default to yes unless overridden in the connection db
355     + my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
356     + $OUT .= " pfs=$pfs\n";
357     +
358     + # Following come from ipsecDB or configDB or hardcoded
359     + my $left =
360     + $ipsecDB->get_prop( $ipsecprop, 'left' )
361     + || $configDB->get_prop( $dbKey, 'left' )
362     + || '%defaultroute';
363     + $OUT .= " left=$left\n";
364     +
365     + if ( $security eq 'certs' ) {
366     + my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
367     + $OUT .= " leftid=$leftid\n";
368     + }
369     +
370     + # These ONLY come from the ipsec_configurations db
371     + elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
372     + $OUT .= " leftid=\@$leftid\n";
373     + }
374     +
375     + my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
376     + || '';
377     + $OUT .= " leftsourceip=$leftsourceip\n";
378     +
379     + my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
380     + || '';
381     + $OUT .= " leftsubnet=$leftsub\n";
382     +
383     + # If we are a static host to a dynamic client we HAVE to set right %any
384     +
385     + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
386     +
387     + if ( $iptype eq 'stattodyn' ) {
388     + $OUT .= " right=%any\n";
389     + }
390     + else {
391     + $OUT .= " right=$right\n";
392     + }
393     +
394     + if ( $security eq 'certs' ) {
395     + my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
396     + $OUT .= " rightid=$rightid\n";
397     + }
398     +
399     + elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
400     + $OUT .= " rightid=\@$rightid\n";
401     + }
402     +
403     + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
404     + $OUT .= " rightsubnet=$rightsubnet\n";
405     +
406     + } # End If
407     + else {
408     + $OUT .= "# conn $ipsecprop disabled\n";
409     + }
410     + } # End foreach
411     + } # End else
412     }
413     +
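Review bot: The fallback certificate nicknames in the new `certs` branch already contain quotes (`|| '"LeftCertName"'`, `|| '"RightCertName"'`) and are then wrapped in quotes again by `$OUT .= " leftcert=\"$leftcert\"\n";`, so a certs connection with no `leftcert`/`rightcert` property emits `leftcert=""LeftCertName""` — a malformed value rather than a usable placeholder. Drop the embedded quotes (`|| 'LeftCertName'`, `|| 'RightCertName'`), or better, write a `# $ipsecprop: leftcert not set` comment and skip the line so the missing certificate is visible in the generated ipsec.conf instead of being referenced by a placeholder name. The same wrapping breaks if a configured nickname itself contains `"`; the 10Passwords template in this patch already rejects a `"` in `passwd`, and a parallel check before interpolating `$leftcert`/`$rightcert` would keep the two templates consistent. The template's outer block and the `else` that `} # End else` closes are opened before this hunk starts.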
414     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
415     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:19:45.652000000 +0100
416     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:20:03.867000123 +0100
417     @@ -1,4 +1,3 @@
418     -#!/usr/bin/perl -w
419    
420     {
421     use strict;
422     @@ -22,31 +21,32 @@
423     my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
424     or die("cant connect to ipsec database");
425    
426     - my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
427     -
428     # This should get all the connections in an array
429    
430     my @connections = $ipsecDB->keys;
431    
432     - $OUT .= "# ipsec.secrets\n";
433     -
434     + $OUT .= "# ipsec.secrets\n\n";
435     +
436     + my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
437     +
438     foreach my $ipsecprop (@connections) {
439    
440     # first we verify if IPSec is enabled for the connection
441    
442     - my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
443     + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
444     || "disabled";
445    
446     if ( $ipsecstatus eq "enabled" ) {
447     - my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) || '';
448     +
449     + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
450    
451     # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
452    
453     - my $left = $ipsecDB->get_prop( "$ipsecprop", 'left' ) || $ExternalIP;
454     - my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret';
455     - my $iptype = $ipsecDB->get_prop( "$ipsecprop", 'iptype' ) || '';
456     - my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
457     - my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) || '';
458     + my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
459     + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
460     + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
461     + my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
462     + my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
463    
464     # Double quote is not allowed in configuration
465     if ( $passwd =~ /"/ ) {
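Review bot: `my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;` still leaves `$left` undefined when neither the connection's `left` property nor `ExternalInterface`/`IPAddress` is set — get_prop presumably returns undef for a missing property — and the secrets line built from `$left` later in the template, outside this hunk, would then carry an empty selector instead of a visible error. Consider `my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP || '';` and, when it is empty, emitting `# $ipsecprop: no left address configured` rather than the secret. The `if ( $ipsecstatus eq "enabled" )` block continues past the end of the hunk.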
466     @@ -55,15 +55,19 @@
467    
468     $OUT .= "# $ipsecprop is enabled\n";
469    
470     - if ( $security eq "secret" ) {
471     + if ( $security eq 'certs' ) {
472     + $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
473     + }
474     +
475     + elsif ( $security eq 'secret' ) {
476    
477     # If dynamic it must be %any here
478     # If not it can be ExternalIP if left not set
479    
480     # IF we have IDs then use them in preference to %any
481    
482     - my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '';
483     - my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '';
484     + my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
485     + my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
486    
487     if ( $iptype eq 'stattodyn' ) {
488     if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
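Review bot: The new `certs` branch emits only a comment, on the assumption that certificate authentication needs nothing in ipsec.secrets; whether that holds depends on the libreswan version being packaged, since I believe older releases located the private key through an `: RSA "nickname"` entry in ipsec.secrets rather than from `leftcert` alone. Worth confirming against ipsec.secrets(5) for the shipped version and recording the result in the comment, e.g. `# Certificates enabled for $ipsecprop - private key is found via leftcert in NSS, nothing to add here`, so the next maintainer does not have to rediscover why the branch is empty. The `if ( $iptype eq 'stattodyn' )` block at the end of the hunk continues past it.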
489     @@ -101,7 +105,7 @@
490     $OUT .= "# $ipsecprop is disabled\n";
491     $OUT .= "\n";
492     }
493     - $OUT .= "\n\n";
494     + $OUT .= "\n";
495     }
496     }
497     }
