From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: network@lists.ipfire.org
Subject:
 Re: [PATCH 1/2] ipsec: only accept valid options for a connection type
Date: Thu, 07 Sep 2017 20:44:34 +0100
Message-ID: <1504813474.18494.14.camel@ipfire.org>
In-Reply-To: <1503934373-8996-1-git-send-email-jonatan.schlag@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4408718286241993092=="
List-Id: <network.lists.ipfire.org>

--===============4408718286241993092==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

sorry for the very late review. See the comments below:

On Mon, 2017-08-28 at 17:32 +0200, Jonatan Schlag wrote:
> The valid options for a host-to-net ipsec connection and a net-to-net
> are different so we nedd to check if we get a valid option for the connecti=
on
> type.
>=20
> Fixes: #11444
>=20
> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> ---
>  src/functions/functions.ipsec | 129
> ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 129 insertions(+)
>=20
> diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
> index 6f14c8e..11a1d9a 100644
> --- a/src/functions/functions.ipsec
> +++ b/src/functions/functions.ipsec
> @@ -54,6 +54,46 @@ IPSEC_DEFAULT_TYPE=3D"net-to-net"
>  IPSEC_VALID_MODES=3D"gre-transport tunnel vti"
>  IPSEC_VALID_AUTH_MODES=3D"PSK"
> =20
> +# Valid options for all types of connetions
> +IPSEC_ALL_VALID_OPTIONS=3D"\
> +	authentication \
> +	down \
> +	disable \
> +	dpd \
> +	enable \
> +	inactivity_timeout \
> +	local \
> +	mode \
> +	remote \
> +	security_policy \
> +	start_action \
> +	up \
> +	color \
> +	description \
> +	show"

Could we order those alphabetically?

> +
> +# Valid options for net-to-net
> +IPSEC_NET_TOT_NET_VALID_OPTIONS=3D"${IPSEC_ALL_VALID_OPTIONS} \
> +	peer"

I think it should be "TO" in the variable name. You could also use "N2N" to m=
ake
it a little bit shorter maybe.

> +
> +# Valid options for RW
> +IPSEC_RW_VALID_OPTIONS=3D"${IPSEC_ALL_VALID_OPTIONS} \
> +	pool"
> +
> +# Valid dpd options for all types of connetions
> +IPSEC_DPD_ALL_VALID_OPTIONS=3D"\
> +	delay \
> +	timeout"
> +
> +# Valid dpd options for net-to-net
> +IPSEC_DPD_NET_TOT_NET_VALID_OPTIONS=3D"${IPSEC_DPD_ALL_VALID_OPTIONS} \
> +	action"

Same as above.

> +
> +# Valid dpd options for RW
> +IPSEC_DPD_RW_VALID_OPTIONS=3D"${IPSEC_DPD_ALL_VALID_OPTIONS}"
> +
> +
> +

Three lines of whitespace. One should do.

>  cli_ipsec() {
>  	local action=3D${1}
>  	shift 1
> @@ -79,6 +119,10 @@ cli_ipsec_connection() {
>  		key=3D${key//-/_}
>  		shift 2
> =20
> +		if ! ipsec_connection_check_option "${connection}" "first"
> "${key}"; then
> +			return ${EXITR_ERROR}
> +		fi
> +

Typo in the EXIT_ERROR variable.

>  		case "${key}" in
>  			authentication|down|disable|dpd|enable|inactivity_tim
> eout|local|mode|peer|pool|remote|security_policy|start_action|up)
>  				ipsec_connection_${key} ${connection} "$@"
> @@ -148,6 +192,67 @@ ipsec_connection_get_description_title() {
>  	description_title_read $(description_format_filename "ipsec-
> connection" "${name}")
>  }
> =20
> +# This functions returns all options which are valid for this type of
> connection
> +ipsec_get_valid_options() {
> +	assert [ $# -eq 2 ]
> +
> +	local connection=3D"${1}"
> +	local type=3D"${2}"
> +
> +	local con_type=3D$(ipsec_connection_get_type "${connection}")
> +	assert isset con_type
> +
> +	case ${con_type} in
> +		host-to-net)
> +			case ${type} in
> +				first)
> +					echo "${IPSEC_RW_VALID_OPTIONS}"
> +					;;
> +				dpd)
> +					echo "${IPSEC_DPD_RW_VALID_OPTIONS}"
> +					;;
> +			esac
> +			;;
> +		net-to-net)
> +			case ${type} in
> +				first)
> +					echo
> "${IPSEC_NET_TOT_NET_VALID_OPTIONS}"
> +					;;
> +				dpd)
> +					echo
> "${IPSEC_DPD_NET_TOT_NET_VALID_OPTIONS}"
> +					;;
> +			esac
> +			;;
> +	esac
> +}
> +
> +# This Function checks if a option is valid for a given type
> +ipsec_connection_check_option() {
> +	assert [ $# -eq 3 ]
> +
> +	local connection=3D"${1}"
> +	local type=3D"${2}"
> +	local key=3D"${3}"
> +
> +	local con_type=3D$(ipsec_connection_get_type "${connection}")
> +	assert isset con_type
> +
> +	case ${con_type} in
> +		host-to-net)
> +			if ! isoneof key $(ipsec_get_valid_options
> "${connection}" "${type}"); then
> +				log ERROR "Invalid Argument: ${key}"
> +				return ${EXIT_ERROR}
> +			fi
> +			;;
> +		net-to-net)
> +			if ! isoneof key $(ipsec_get_valid_options
> "${connection}" "${type}"); then
> +				log ERROR "Invalid Argument: ${key}"
> +				return ${EXIT_ERROR}
> +			fi
> +		;;
> +	esac
> +}
> +
>  cli_ipsec_connection_show() {
>  	local connection=3D"${1}"
> =20
> @@ -443,6 +548,26 @@ ipsec_reload() {
>  	ipsec_strongswan_load
>  }
> =20
> +# Returns the type of a connection
> +ipsec_connection_get_type() {
> +	assert [ $# -eq 1 ]
> +
> +	local connection=3D${1}
> +
> +	if ! ipsec_connection_exists "${connection}"; then
> +		log ERROR "No such VPN ipsec connection: ${connection}"
> +		return ${EXIT_ERROR}
> +	fi

It is called a "IPsec VPN connection".

IPsec is spelled like this and the rest sounds like Yoda :)

> +
> +	local TYPE
> +
> +	if ! ipsec_connection_read_config "${connection}" TYPE; then
> +		return ${EXIT_ERROR}
> +	fi
> +
> +	echo ${TYPE}
> +}
> +
>  # Handle the cli after authentification
>  ipsec_connection_authentication() {
>  	if [ ! $# -gt 1 ]; then
> @@ -551,6 +676,10 @@ ipsec_connection_dpd() {
>  	local cmd=3D${2}
>  	shift 2
> =20
> +	if ! ipsec_connection_check_option "${connection}" "dpd" "${cmd}";
> then
> +		return ${EXITR_ERROR}
> +	fi
> +

Should the user not get a better message when DPD commands are not available?

>  	case ${cmd} in
>  		action)
>  			ipsec_connection_dpd_action "${connection}" "$@"

-Michael

--===============4408718286241993092==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl
Mnlwa3R4Z0hudy8yK1FDUWNGQWxteG9hSUFDZ2tRZ0hudy8yK1EKQ1FmOVZ4QUFuUDRyMysveWR4
a20vUTBvU05XamU0MVRDUTZ0VjhuaTAxMXFZc3hHZDVlT1JzTWV0OCtRd1VIUQppVXo1V3NzNXk4
UUhmVFVCQU1Ec2dNQ09zam9hYXhHZng1SzNJMy96ekMvWjZyODZwYzdvRURiaHNRdkxOZ2ZKCmc1
M2N4MVhYV3pUd216TjBKOFJaY1B3UXNFbGVuUjRJK1BBdHd5YVd3N1pUU1VmYlRDc2MzU1piYkFv
a3lqMzAKVHhSbXB5Wm5iZmFSZ1ZyNzhpbTVkdmxpMEp6Tk5SOCtnNlZXWGJyQ3dPZ29YZkY1WTYv
Vmwvai95am9ZR0IyVwo1MEtrSkxKUk05NG1tdWhNWnpVZXRldG91TjdtR2lEWWY2bysrMWNuM3Fi
SmJSZWdxTkdFU2xJUUh4d2xqSWxVCkU2dFFnUGVEVjFlQTM0U3V0REdLQ2ZzemovUkhUaVc2ZHU0
cVBwQWVOYnBGbTFHMUh1cEpxK3pEckFBbXNqU2gKK2dYQmExUXRrQkhaMk5lZkhNbUF5T2pZaElx
UnUybUZiMjhXQjFzWHRJZG11cFhuWjB4aVBRazBCU1Rma1F5WgpSbzhnVFJqTFR5eURvc0UzV3NZ
REVaUUF0TnpaWWJvS2M3Q0pyMVZYRG9pL3phOUpDWTJOV1RaSVdhTFNPQmN2CnRiTlNCa0hndUQ2
SUh3eGlxU2FEdXZnRE95dlgyWGsxWWViVGE2VXJaM203b0J3Q3paQnExR2Z0cWhnR1E5YTgKVDdJ
ajh5VG1JUW1SWDhaRytzSnVzSmM2L0orN3ZKbG5xNVdSdzdLbzJMdmU3WkhtWERXd2VOK1BoMEJq
ZFc2WApreGlhdG1xUmsvbDZxdTZRcWdHTHMreTdlQkhjbTR4UUk4emE3ZHkzMGt2Y3BoMk5GWnM9
Cj1PWEEvCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============4408718286241993092==--