From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jonatan Schlag To: network@lists.ipfire.org Subject: [RFC 1/2] vpn-security-policies: add new feature vpn security-policies Date: Thu, 13 Jul 2017 20:33:33 +0200 Message-ID: <1499970814-14953-2-git-send-email-jonatan.schlag@ipfire.org> In-Reply-To: <1499970814-14953-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1140920891252546711==" List-Id: --===============1140920891252546711== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable For further explanation see: http://wiki.ipfire.org/devel/network/security-policies Signed-off-by: Jonatan Schlag --- src/functions/functions.vpn-security-policies | 437 ++++++++++++++++++++++++= ++ 1 file changed, 437 insertions(+) create mode 100644 src/functions/functions.vpn-security-policies diff --git a/src/functions/functions.vpn-security-policies b/src/functions/fu= nctions.vpn-security-policies new file mode 100644 index 0000000..9e24e4f --- /dev/null +++ b/src/functions/functions.vpn-security-policies @@ -0,0 +1,437 @@ +#!/bin/bash +############################################################################= ### +# = # +# IPFire.org - A linux based firewall = # +# Copyright (C) 2013 IPFire Network Development Team = # +# = # +# This program is free software: you can redistribute it and/or modify = # +# it under the terms of the GNU General Public License as published by = # +# the Free Software Foundation, either version 3 of the License, or = # +# (at your option) any later version. = # +# = # +# This program is distributed in the hope that it will be useful, = # +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = # +# GNU General Public License for more details. = # +# = # +# You should have received a copy of the GNU General Public License = # +# along with this program. If not, see . = # +# = # +############################################################################= ### + +VPN_SECURITY_POLICIES_CONFIG_SETTINGS=3D"CIPHER COMPRESSION GROUP_TYPE INTEG= RITY KEY_EXCHANGE LIFETIME PFS" +VPN_SECURITY_POLICIES_READONLY=3D"system" + +VPN_SUPPORTED_CIPHERS=3D"AES192 AES256 AES128" +VPN_SUPPORTED_INTEGRITY=3D"SHA512 SHA256 SHA128" +VPN_SUPPORTED_GROUP_TYPES=3D"MODP4096 MODP8192" + +vpn_security_policies_check_readonly() { + # This functions checks if a policy is readonly + # returns true when yes and false when no + + if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then + return ${EXIT_TRUE} + else + return ${EXIT_FALSE} + fi +} + +vpn_security_policies_write_config() { + # This function writes all values to a via ${name} specificated vpn securit= y policy configuration file + assert [ $# -ge 1 ] + + local name=3D"${1}" + + if ! vpn_security_policy_exists ${name}; then + log ERROR "No such policy: ${name}" + return ${EXIT_ERROR} + fi + + if vpn_security_policies_check_readonly ${name}; then + log ERROR "${name} is a readable only vpn security policy" + return ${EXIT_ERROR} + fi + + local args + list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} + + local path=3D"$(vpn_security_policies_path ${name})" + if [ ! -w ${path} ]; then + log ERROR "${path} is not writeable" + return ${EXIT_ERROR} + fi + + settings_write "${path}" ${args} + # TODO everytime we successfully write a config we should call some trigger= to take the changes into effect +} + +vpn_security_policies_write_config_key() { + # This funtion writes the value for one key to a via ${name} specificated v= pn security policy configuration file + assert [ $# -ge 3 ] + local name=3D${1} + + if ! vpn_security_policy_exists ${name}; then + log ERROR "No such policy: ${name}" + return ${EXIT_ERROR} + fi + + local key=3D${2} + shift 2 + local value=3D"$@" + log DEBUG "Set '${key}' to new value '${value}'" + + # Read the config settings + if ! vpn_security_policies_read_config ${name}; then + return ${EXIT_ERROR} + fi + + # Set the key to a new value + eval "${key}=3D\"${value}\"" + + if ! vpn_security_policies_write_config ${name}; then + return ${EXIT_ERROR} + fi + + return ${EXIT_TRUE} + +} + +vpn_security_policies_read_config() { + # Reads one or more keys out of a settings file or all if no key is provide= d. + assert [ $# -ge 1 ] + + local name=3D"${1}" + shift 1 + + if ! vpn_security_policy_exists ${name}; then + log ERROR "No such policy: ${name}" + return ${EXIT_ERROR} + fi + + + local args + if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then + list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} + else + list_append args $@ + fi + + local path=3D"$(vpn_security_policies_path ${name})" + if [ ! -r ${path} ]; then + log ERROR "${path} is not readable" + return ${EXIT_ERROR} + fi + + settings_read "${path}" ${args} +} + +vpn_security_policies_path() { + # Returns the path to a the configuration fora given name + assert [ $# -eq 1 ] + local name=3D${1} + + if vpn_security_policies_check_readonly ${name}; then + echo "/usr/share/network/vpn/security-policies/${name}" + else + echo "/etc/network/vpn/security-policies/${name}" + fi +} + +vpn_security_policies_show() { + # Print the content of a vpn security policy configuration file in a nice w= ay + assert [ $# -eq 1 ] + local name=3D${1} + + # Break if read fails + if ! vpn_security_policies_read_config ${name}; then + return ${EXIT_ERROR} + fi + + cli_print_fmt1 0 "Security Policy: ${name}" + cli_space + + # This could be done in a loop but a loop is much more complicated + # because we print 'Group Types' but the variable is named 'GROUP_TYPES' + cli_print_fmt1 1 "Ciphers:" + cli_print_fmt1 2 "${CIPHER}" + cli_space + cli_print_fmt1 1 "Integrity:" + cli_print_fmt1 2 "${INTEGRITY}" + cli_space + cli_print_fmt1 1 "Group Types:" + cli_print_fmt1 2 "${GROUP_TYPE}" + cli_space + + cli_print_fmt1 1 "Key exchange:" "${KEY_EXCHANGE}" + cli_print_fmt1 1 "Key Lifetime in seconds:" "${LIFETIME}" + if enabled PFS; then + cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" + else + cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" + fi + cli_space + if enabled COMPRESSION; then + cli_print_fmt1 1 "Compression:" "enabled" + else + cli_print_fmt1 1 "Compression:" "disabled" + fi + cli_space +} + +vpn_security_policy_exists() { + # This function checks if a vpn security policy exists + # Returns True when yes and false when not + assert [ $# -eq 1 ] + local name=3D${1} + + local path=3D$(vpn_security_policies_path ${name}) + [ -f ${path} ] +} + + +vpn_security_policies_cipher(){ + # This function parses the parameters for the 'cipher' command + local name=3D${1} + shift + + if [ $# -eq 0 ]; then + log ERROR "You must pass at least one value after cipher" + return ${EXIT_ERROR} + fi + + if ! vpn_security_policies_read_config ${name} "CIPHER"; then + return ${EXIT_ERROR} + fi + + # Remove duplicated entries to proceed the list safely + CIPHER=3D"$(list_unique ${CIPHER})" + + while [ $# -gt 0 ]; do + case "${1}" in + -*) + value=3D${1#-} + # Check if the cipher is in the list of ciphers and + # check if the list has after removing this cipher at least one valid va= lue + if list_match ${value} ${CIPHER} && [ $(list_length ${CIPHER}) -gt 1 ]; = then + list_remove CIPHER ${value} + else + log ERROR "Can not remove ${value} from the list of Ciphers because ${v= alue} is not in the list or the list would be empty after removing this ciphe= r" + fi + ;; + +*) + value=3D${1#+} + # Check if the Ciphers is in the list of supported ciphers. + if ! isoneof value ${VPN_SUPPORTED_CIPHERS}; then + log ERROR "${value} is not a supported cipher and can thats why not add= ed to the list of ciphers" + else + if list_match ${value} ${CIPHER}; then + log WARNING "${value} is already in the list of ciphers of this policy" + else + list_append CIPHER ${value} + fi + fi + ;; + esac + shift + done + + vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER} +} + +vpn_security_policies_compression(){ + # This function parses the parameters for the 'compression' command + local name=3D${1} + local value=3D${2} + # Check if we get only one argument after compression + if [ ! $# -eq 2 ] || ! isbool value; then + log ERROR "You can pass only one parameter after compression and this one = must be 'on' or 'off'" + return ${EXIT_ERROR} + fi + + vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" +} + +vpn_security_policies_group_type(){ + # This function parses the parameters for the 'group-type' command. + local name=3D${1} + shift + + if [ $# -eq 0 ]; then + log ERROR "You must pass at least one value after group-type" + return ${EXIT_ERROR} + fi + + if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then + return ${EXIT_ERROR} + fi + + # Remove duplicated entries to proceed the list safely + GROUP_TYPE=3D"$(list_unique ${GROUP_TYPE})" + + while [ $# -gt 0 ]; do + case "${1}" in + -*) + value=3D${1#-} + # Check if the group type is in the list of group types and + # check if the list has after removing this group type at leatst one val= id value + if list_match ${value} ${GROUP_TYPE} && [ $(list_length ${GROUP_TYPE}) -= gt 1 ]; then + list_remove GROUP_TYPE ${value} + else + log ERROR "Can not remove ${value} from the list of group types because= ${value} is not in the list or the list would be empty after removing this g= roup type" + fi + ;; + +*) + value=3D${1#+} + # Check if the group type is in the list of supported group types. + if ! isoneof value ${VPN_SUPPORTED_GROUP_TYPES}; then + log ERROR "${value} is not a supported group type and can thats why not= added to the list of group types" + else + if list_match ${value} ${GROUP_TYPE}; then + log WARNING "${value} is already in the list of group-types of this po= licy" + else + list_append GROUP_TYPES ${value} + fi + fi + ;; + esac + shift + done + + vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE} +} + +vpn_security_policies_integrity(){ + # This function parses the parameters for the 'integrity' command + local name=3D${1} + shift + + if [ $# -eq 0 ]; then + log ERROR "You must pass at least one value after integrity" + return ${EXIT_ERROR} + fi + + if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then + return ${EXIT_ERROR} + fi + + # Remove duplicated entries to proceed the list safely + INTEGRITY=3D"$(list_unique ${INTEGRITY})" + + while [ $# -gt 0 ]; do + case "${1}" in + -*) + value=3D${1#-} + # Check if the integrity hash is in the list of integrity hashes and + # check if the list has after removing this integrity hash at least one= valid value + if list_match ${value} ${INTEGRITY} && [ $(list_length ${INTEGRITY}) -gt= 1 ]; then + list_remove INTEGRITY ${value} + else + log ERROR "Can not remove ${value} from the list of integrity hashes be= cause ${value} is not in the list or the list would be empty after removing t= his integrity hash" + fi + ;; + +*) + value=3D${1#+} + # Check if the Ciphers is in the list of supported integrity hashes. + if ! isoneof value ${VPN_SUPPORTED_INTEGRITY}; then + log ERROR "${value} is not a supported integrity hashes and can thats w= hy not added to the list of integrity hashes" + else + if list_match ${value} ${INTEGRITY}; then + log WARNING "${value} is already in the list of integrety hashes of th= is policy" + else + list_append INTEGRITY ${value} + fi + fi + ;; + esac + shift + done + + vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY} +} + +vpn_security_policies_key_exchange() { + # This function parses the parameters for the 'key-exchange' command + local name=3D${1} + local value=3D${2} + # Check if we get only one argument after compression + if [ ! $# -eq 2 ] || ! isoneof value "ikev1" "ikev2"; then + log ERROR "You can pass only one parameter after key-exchange and this one= must be 'ikev1' or 'ikev2'" + return ${EXIT_ERROR} + fi + + vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value}" +} + +vpn_security_policies_lifetime(){ + # This function parses the parameters for the 'lifetime' command + local name=3D${1} + local value=3D${2} + # Check if we get only one argument after compression + if [ ! $# -eq 2 ] || ! isinteger value || [ ${value} -le 0 ]; then + log ERROR "You can pass only one parameter after liftime and this one must= be an valid integer greater zero" + return ${EXIT_ERROR} + fi + + vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" +} + +vpn_security_policies_pfs(){ + # This function parses the parameters for the 'pfs' command + local name=3D${1} + local value=3D${2} + # Check if we get only one argument after compression + if [ ! $# -eq 2 ] || ! isbool value; then + log ERROR "You can pass only one parameter after pfs and this one must be = 'on' or 'off'" + return ${EXIT_ERROR} + fi + + vpn_security_policies_write_config_key "${name}" "PFS" "${value}" +} + +vpn_security_policies_check_name() { + # This function checks if a vpn security policy name is valid + # Allowed are only A-Za-z0-9 + assert [ $# -eq 1 ] + local name=3D${1} + [[ ${name} =3D~ [[:alnum:]] ]] +} + +vpn_security_policies_new() { + # Function that creates based on the paramters one ore more new vpn securit= y policies + local name + for name in $@; do + if vpn_security_policy_exists ${name}; then + log ERROR "The vpn security policy ${name} does already exist" + continue + fi + + if vpn_security_policies_check_name ${name}; then + log ERROR "'${name}' contains illegal characters. Allowed are only A-Za-z= 0-9 are allowed" + continue + fi + + log DEBUG "Creating vpn security policy ${name}" + cp "$(vpn_security_policies_path "system")" "$(vpn_security_policies_path = ${name})" + done + +} + +vpn_security_policies_destroy() { + # Function that deletes based on the passed parameters one ore more vpn sec= urity policies + local name + for name in $@; do + if ! vpn_security_policy_exists ${name}; then + log ERROR "The vpn security policy ${name} does not exist" + continue + fi + + if vpn_security_policies_check_readonly ${name}; then + log ERROR "The vpn security policy ${name} is readonly and can thats why = not deleted" + continue + fi + + log DEBUG "Deleting vpn security policy ${name}" + rm -f $(vpn_security_policies_path ${name}) + done +} --=20 2.6.3 --===============1140920891252546711==--