/[smecontribs]/rpms/smeserver-libreswan/contribs9/smeserver-libreswan-add-certificates.patch

Contents of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-add-certificates.patch



Revision 1.1 - (show annotations) (download)
Wed Jan 25 15:35:54 2017 UTC (7 years, 3 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Wed Jan 25 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-23.sme
- Add the ability to use PEM/PKCS#12 certificates - fixes [SME: 9942]
- lots of code tidying

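diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:19:45.651000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:20:03.868000104 +0100
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
 
 {
 use strict;
@@ -26,212 +25,220 @@
 
 my @connections = $ipsecDB->keys;
 
+ $OUT .= "# ipsec.conf\n\n";
+
 foreach my $ipsecprop (@connections) {
- if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) {
 
- # first we verify if IPSec is enabled for the connection
+ # first we verify if IPSec is enabled for the connection
 
- my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
 
- if ( $ipsecstatus ne 'enabled' ) {
- $OUT .= "# $ipsecprop is disabled\n"
- unless $ipsecstatus eq "enabled";
- }
- else {
+ if ( $ipsecstatus eq 'enabled' ) {
 
- $OUT .= "conn $ipsecprop\n";
+ $OUT .= "conn $ipsecprop\n";
+
+ # These should be from $configDB-> ipsec
 
- # These should be from $configDB-> ipsec
+ # Not templated this - maybe later with L2TPD
+ # We currently use a password file but this could be integrated with other authent later
 
- # Not templated this - maybe later with L2TPD
- # We currently use a password file but this could be integrated with other authent later
+ # Lazy - assume that it is security (password by default) - options are rsasig|certs
 
- # Lazy - assume that it is security (password by default) - option is rsasig
+ # Careful - property 'type' has a special meaning in configDB and returns 'service'
 
- # Careful - property 'type' has a special meaning in configDB and returns 'service'
-
- my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
- || 'tunnel';
- $OUT .= " type=$connectiontype\n";
-
- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' )
- || 'secret';
- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
-
- if ( $security eq "rsasig" ) {
- $OUT .= " authby=rsasig\n";
-
- my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' )
- || '';
- $OUT .= " leftrsasigkey=$leftrsasig\n";
-
- my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' )
- || '';
- $OUT .= " rightrsasigkey=$rightrsasig\n";
-
- }
-
- # Prep for certs
- # Problem here is that certificate settings are basically the same as rsasig
- # I think we can use a key to identify the type of connection and adjust accordingly
- # elsif ( $security eq "certificate" ) {
- # $OUT .= " authby=rsasig\n";
- # leftcert=$keyname.$ServerName.$DomainName
- # leftrsasigkey=%cert
- # leftid=leftid
- # leftsendcert=always - maybe not needed
-
- # rightca=%same
- # rightrsasigkey=%cert
- # rightid=%fromcert ?
-
- # $OUT .= " leftid=\"CN=$certname\"\n";
- # $OUT .= " leftcert=$certname\n";
-
- # }
-
- else {
- $OUT .= " authby=$security\n";
- }
-
- # Use connection value if it exists, if not use generic db value
- my $auto =
- $ipsecDB->get_prop( $ipsecprop, 'auto' )
- || $configDB->get_prop( $dbKey, 'auto' )
- || 'start';
-
- # If we are a static host to a dynamic client we are always add
- my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
-
- if ( $iptype eq 'stattodyn' ) {
- $OUT .= " auto=add\n";
- }
- else {
- $OUT .= " auto=$auto\n";
- }
-
- # We should change ipsecversion to ikev2status
- my $ipsecversion =
- $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
- || $configDB->get_prop( $dbKey, 'ipsecversion' )
- || 'permit';
-
- $OUT .= " ikev2=$ipsecversion\n";
-
- # Set the Phase one and Phase two default strengths - these are set to aes
- my $ike =
- $ipsecDB->get_prop( $ipsecprop, 'ike' )
- || $configDB->get_prop( $dbKey, 'ike' )
- || 'aes-sha1';
- $OUT .= " ike=$ike\n";
-
- my $phase2 =
- $ipsecDB->get_prop( $ipsecprop, 'phase2' )
- || $configDB->get_prop( $dbKey, 'phase2' )
- || 'aes-sha1';
- $OUT .= " phase2alg=$phase2\n";
+ my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
+ || 'tunnel';
+ $OUT .= " type=$connectiontype\n";
 
- # mtu can only be set per connection
- my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
- || '';
- unless ( $mtu eq '' ) {
- $OUT .= " mtu=$mtu\n";
- }
-
- # These should be from $configDB-> ipsec unless they exist in ipsec_connections
-
- my $keyingtries =
- $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
- || $configDB->get_prop( $dbKey, 'keyingtries' )
- || '0';
- $OUT .= " keyingtries=$keyingtries\n";
-
- # Following come from ipsecDB or configDB or hardcoded
- my $ikelifetime =
- $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
- || $configDB->get_prop( $dbKey, 'ikelifetime' )
- || '3600s';
- $OUT .= " ikelifetime=$ikelifetime\n";
-
- my $salifetime =
- $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
- || $configDB->get_prop( $dbKey, 'salifetime' )
- || '28800s';
- $OUT .= " salifetime=$salifetime\n";
-
- # Add is for incoming and is better that server dpd is ignored
- # Disabled for now
-
- # if ( $auto ne 'add' ) {
- my $dpdaction =
- $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
- || $configDB->get_prop( $dbKey, 'dpdaction' )
- || 'restart';
- $OUT .= " dpdaction=$dpdaction\n";
-
- my $dpddelay =
- $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
- || $configDB->get_prop( $dbKey, 'dpddelay' )
- || '30';
- $OUT .= " dpddelay=$dpddelay\n";
-
- my $dpdtimeout =
- $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
- || $configDB->get_prop( $dbKey, 'dpdtimeout' )
- || '10';
- $OUT .= " dpdtimeout=$dpdtimeout\n";
-
- # }
-
- # default to yes unless overridden in the connection db
- my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
- $OUT .= " pfs=$pfs\n";
-
- # Following come from ipsecDB or configDB or hardcoded
- my $left =
- $ipsecDB->get_prop( $ipsecprop, 'left' )
- || $configDB->get_prop( $dbKey, 'left' )
- || '%defaultroute';
- $OUT .= " left=$left\n";
-
- # These ONLY come from the ipsec_configurations db
- if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '' ) ne '' ) {
- $OUT .= " leftid=\@$leftid\n";
- }
- my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
+ || 'secret';
+
+ # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
+
+ if ( $security eq 'rsasig' ) {
+ $OUT .= " authby=rsasig\n";
+
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
 || '';
- $OUT .= " leftsourceip=$leftsourceip\n";
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
 
- my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
 || '';
- $OUT .= " leftsubnet=$leftsub\n";
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
+
+ }
 
- # If we are a static host to a dynamic client we HAVE to set right %any
+ elsif ( $security eq 'certs' ) {
 
- my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+ $OUT .= " authby=rsasig\n";
 
- if ( $iptype eq 'stattodyn' ) {
- $OUT .= " right=%any\n";
- }
- else {
- $OUT .= " right=$right\n";
- }
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+ || '%cert';
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
 
- if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '' ) ne '' ) {
- $OUT .= " rightid=\@$rightid\n";
- }
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+ || '%cert';
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
 
- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
- $OUT .= " rightsubnet=$rightsubnet\n";
+ my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
+ || '"LeftCertName"';
+ $OUT .= " leftcert=\"$leftcert\"\n";
+
+ my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
+ || '"RightCertName"';
+ $OUT .= " rightcert=\"$rightcert\"\n";
 
 }
- }
 
- }
+ else {
+ $OUT .= " authby=$security\n";
+ }
 
- # End For
- }
+ # Use connection value if it exists, if not use generic db value
+ my $auto =
+ $ipsecDB->get_prop( $ipsecprop, 'auto' )
+ || $configDB->get_prop( $dbKey, 'auto' )
+ || 'start';
+
+ # If we are a static host to a dynamic client we are always add
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " auto=add\n";
+ }
+ else {
+ $OUT .= " auto=$auto\n";
+ }
 
- # End Else
+ # We should change ipsecversion to ikev2status
+ my $ipsecversion =
+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
+ || $configDB->get_prop( $dbKey, 'ipsecversion' )
+ || 'permit';
+
+ $OUT .= " ikev2=$ipsecversion\n";
+
+ # Set the Phase one and Phase two default strengths - these are set to aes
+ my $ike =
+ $ipsecDB->get_prop( $ipsecprop, 'ike' )
+ || $configDB->get_prop( $dbKey, 'ike' )
+ || 'aes-sha1';
+ $OUT .= " ike=$ike\n";
+
+ my $phase2 =
+ $ipsecDB->get_prop( $ipsecprop, 'phase2' )
+ || $configDB->get_prop( $dbKey, 'phase2' )
+ || 'aes-sha1';
+ $OUT .= " phase2alg=$phase2\n";
+
+ # mtu can only be set per connection
+ my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
+ || '';
+
+ unless ( $mtu eq '' ) {
+ $OUT .= " mtu=$mtu\n";
+ }
 
+ # These should be from $configDB-> ipsec unless they exist in ipsec_connections
+
+ my $keyingtries =
+ $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
+ || $configDB->get_prop( $dbKey, 'keyingtries' )
+ || '0';
+ $OUT .= " keyingtries=$keyingtries\n";
+
+ # Following come from ipsecDB or configDB or hardcoded
+ my $ikelifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
+ || $configDB->get_prop( $dbKey, 'ikelifetime' )
+ || '3600s';
+ $OUT .= " ikelifetime=$ikelifetime\n";
+
+ my $salifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
+ || $configDB->get_prop( $dbKey, 'salifetime' )
+ || '28800s';
+ $OUT .= " salifetime=$salifetime\n";
+
+ # Add is for incoming and is better that server dpd is ignored
+ # Disabled for now
+
+ # if ( $auto ne 'add' ) {}
+ my $dpdaction =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
+ || $configDB->get_prop( $dbKey, 'dpdaction' )
+ || 'restart';
+ $OUT .= " dpdaction=$dpdaction\n";
+
+ my $dpddelay =
+ $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
+ || $configDB->get_prop( $dbKey, 'dpddelay' )
+ || '30';
+ $OUT .= " dpddelay=$dpddelay\n";
+
+ my $dpdtimeout =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
+ || $configDB->get_prop( $dbKey, 'dpdtimeout' )
+ || '10';
+ $OUT .= " dpdtimeout=$dpdtimeout\n";
+
+ # default to yes unless overridden in the connection db
+ my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
+ $OUT .= " pfs=$pfs\n";
+
+ # Following come from ipsecDB or configDB or hardcoded
+ my $left =
+ $ipsecDB->get_prop( $ipsecprop, 'left' )
+ || $configDB->get_prop( $dbKey, 'left' )
+ || '%defaultroute';
+ $OUT .= " left=$left\n";
+
+ if ( $security eq 'certs' ) {
+ my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
+ $OUT .= " leftid=$leftid\n";
+ }
+
+ # These ONLY come from the ipsec_configurations db
+ elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
+ $OUT .= " leftid=\@$leftid\n";
+ }
+
+ my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+ || '';
+ $OUT .= " leftsourceip=$leftsourceip\n";
+
+ my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
+ || '';
+ $OUT .= " leftsubnet=$leftsub\n";
+
+ # If we are a static host to a dynamic client we HAVE to set right %any
+
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " right=%any\n";
+ }
+ else {
+ $OUT .= " right=$right\n";
+ }
+
+ if ( $security eq 'certs' ) {
+ my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
+ $OUT .= " rightid=$rightid\n";
+ }
+
+ elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
+ $OUT .= " rightid=\@$rightid\n";
+ }
+
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
+ $OUT .= " rightsubnet=$rightsubnet\n";
+
+ } # End If
+ else {
+ $OUT .= "# conn $ipsecprop disabled\n";
+ }
+ } # End foreach
+ } # End else
 }
+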
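Review bot: The fallbacks `'"LeftCertName"'` and `'"RightCertName"'` in the new `certs` branch (hunk @@ -26,212) already contain double quotes, and `$OUT .= " leftcert=\"$leftcert\"\n"` (and the rightcert line) quote the value a second time, so a connection with no certname stored renders as `leftcert=""LeftCertName""`. Rather than repairing the placeholder, emit the line only when a value exists, mirroring the `leftid` pattern a few lines below: `if ( ( my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' ) || '' ) ne '' ) { $OUT .= " leftcert=\"$leftcert\"\n"; }` and the same for rightcert, since a placeholder nickname can presumably only make libreswan reject that conn at load time. The stored value is also interpolated inside a quoted field without the double-quote check that 10Passwords applies to `passwd`, so a `"` in the certname silently breaks the stanza; apply the same rejection here. The leftover `# my $certname = ... ???? Is this required ?` line should be resolved or removed before merge. The foreach and its enabled-check are inside the hunk, but the block that `} # End else` closes opens outside it.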
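diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:19:45.652000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:20:03.867000123 +0100
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
 
 {
 use strict;
@@ -22,31 +21,32 @@
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
 or die("cant connect to ipsec database");
 
- my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
-
 # This should get all the connections in an array
 
 my @connections = $ipsecDB->keys;
 
- $OUT .= "# ipsec.secrets\n";
-
+ $OUT .= "# ipsec.secrets\n\n";
+
+ my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
+
 foreach my $ipsecprop (@connections) {
 
 # first we verify if IPSec is enabled for the connection
 
- my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
 || "disabled";
 
 if ( $ipsecstatus eq "enabled" ) {
- my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) || '';
+
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
 
 # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
 
- my $left = $ipsecDB->get_prop( "$ipsecprop", 'left' ) || $ExternalIP;
- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret';
- my $iptype = $ipsecDB->get_prop( "$ipsecprop", 'iptype' ) || '';
- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
- my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) || '';
+ my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+ my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
+ my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
 
 # Double quote is not allowed in configuration
 if ( $passwd =~ /"/ ) {
@@ -55,15 +55,19 @@
 
 $OUT .= "# $ipsecprop is enabled\n";
 
- if ( $security eq "secret" ) {
+ if ( $security eq 'certs' ) {
+ $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
+ }
+
+ elsif ( $security eq 'secret' ) {
 
 # If dynamic it must be %any here
 # If not it can be ExternalIP if left not set
 
 # IF we have IDs then use them in preference to %any
 
- my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '';
- my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '';
+ my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
+ my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
 
 if ( $iptype eq 'stattodyn' ) {
 if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
@@ -101,7 +105,7 @@
 $OUT .= "# $ipsecprop is disabled\n";
 $OUT .= "\n";
 }
- $OUT .= "\n\n";
+ $OUT .= "\n";
 }
 }
 }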
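Review bot: The new `certs` branch (hunk @@ -55,15) emits only a comment, so this template records nothing about where libreswan is expected to find the certificate's private key, and a later maintainer cannot tell from the file whether that omission is deliberate. If the intent is that the key is looked up from the NSS database the PEM/PKCS#12 material was imported into, say so in the emitted line, e.g. `# Certificates enabled for $ipsecprop - private key is read from the NSS database, nothing to add here`. `$certname` is still fetched in hunk @@ -22,31 but nothing visible uses it after this change; drop the lookup if the rest of the branch does not use it either. The `if ( $ipsecstatus eq "enabled" )` block these hunks belong to continues outside them.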
