/ - Diff - UnivNautes - Redmine Entr’ouvert

« Précédent | Suivant »

Révision fa4e059e

Ajouté par Ermal il y a plus de 9 ans

ID fa4e059e17708cc12f258b636a7b701a99528c84
Parent e373e4cd
Enfant ac19d32a

Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases

etc/inc/ipsec.inc
114	114	'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
115	115	'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
116	116	'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
	117	'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => false ),
117	118	'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
118	119	'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
119	120

     	$cfgtext = array();
     	foreach ($ipsec_loglevels as $lkey => $ldescr) {
     		if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
     			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
     			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false);
     		else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
     		    intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
     			$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
-...
     		return 0;
     	} else {
     		$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
     		$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
     		$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
     		mwexec("/sbin/ifconfig enc0 up");
     		set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
     		/* needed for config files */
-...
     			mkdir("{$g['varetc_path']}/ipsec");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
     		if (!is_dir($capath))
     			mkdir($capath);
     		if (!is_dir($keypath))
     			mkdir($keypath);
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
     		if (!is_dir($certpath))
     			mkdir($certpath);
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
     			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
     		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
-...
     					log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
     					continue;
+    				}
     				$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
     				$fname = "{$capath}/{$x509cert['hash']}.0.crt";
     				if (!@file_put_contents($fname, $cert)) {
     					log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
     					continue;
-...
     				if (isset($ph1ent['disabled']))
     					continue;
     				if (strstr($ph1ent['authentication_method'],'rsa')) {
     				if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
     					$certline = '';
     					if (strstr($authmethod,'rsa')) {
     						$ikeid = $ph1ent['ikeid'];
     						$cert = lookup_cert($ph1ent['certref']);
     						if (!$cert) {
     							log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
     							continue;
+    						}
     						chmod($certpath, 0600);
     						$keyfile = "cert-{$ikeid}.key";
     						$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}";
     						if (!file_put_contents($keypath, base64_decode($cert['prv']))) {
     							log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
     							continue;
+    						}
     					$ikeid = $ph1ent['ikeid'];
     					$cert = lookup_cert($ph1ent['certref']);
     						chmod($keypath, 0600);
     						/* XXX" Traffic selectors? */
     						$pskconf .= " : RSA {$keypath}\n";
     					if (!$cert) {
     						log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
     						continue;
+    					}
     						$ca = lookup_ca($ph1ent['caref']);
     						if ($ca) {
     							$cafile = "ca-{$ikeid}.crt";
     							$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}";
     					@chmod($certpath, 0600);
     							if (!file_put_contents($capath, base64_decode($ca['crt'])))
+    							{
     								log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name']));
     								continue;
+    							}
     					$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
     					if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
     						log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
     						continue;
+    					}
     					@chmod($ph1keyfile, 0600);
     							chmod($capath, 0600);
+    						}
     					$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
     					if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
     						log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
     						@unlink($ph1keyfile);
     						continue;
+    					}
     					@chmod($ph1certfile, 0600);
     					/* XXX" Traffic selectors? */
     					$pskconf .= " : RSA {$ph1keyfile}\n";
     				} else {
     					list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
     					list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
-...
     				$authentication = "";
     				switch ($ph1ent['authentication_method']) {
     				case 'eap-tls':
     					$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
     					if (!empty($ph1ent['certref']))
     						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
     					break;
     				case 'xauth_rsa_server':
     					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
     					$authentication .= "\n\trightauth2 = xauth-generic";

     	Copyright (C) 2008 Shrew Soft Inc
     	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
     	Copyright (C) 2014 Ermal LUÇI
     	All rights reserved.
     	Redistribution and use in source and binary forms, with or without
-...
     	else
     		$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
     	$pconfig['iketype'] = $a_phase1[$p1index]['iketype'];
     	if (empty($a_phase1[$p1index]['iketype']))
     		$pconfig['iketype'] = "ikev1";
     	else
     		$pconfig['iketype'] = $a_phase1[$p1index]['iketype'];
     	$pconfig['mode'] = $a_phase1[$p1index]['mode'];
     	$pconfig['protocol'] = $a_phase1[$p1index]['protocol'];
     	$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
-...
     	// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
     	// For RSA methods, require the CA/Cert.
     	switch ($method) {
     		case "eap-tls":
     			if ($pconfig['iketype'] != 'ikev2')
     				$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
     			break;
     		case "pre_shared_key":
     			// If this is a mobile PSK tunnel the user PSKs go on
     			//    the PSK tab, not here, so skip the check.
-...
     	value = document.iform.authentication_method.options[index].value;
     	switch (value) {
     		case 'hybrid_rsa_server':
     			document.getElementById('opt_psk').style.display = 'none';
     			document.getElementById('opt_peerid').style.display = '';
     			document.getElementById('opt_cert').style.display = '';
     			document.getElementById('opt_ca').style.display = '';
     			document.getElementById('opt_cert').disabled = false;
     			document.getElementById('opt_ca').disabled = false;
     			break;
     		case 'xauth_rsa_server':
     		case 'rsasig':
     			document.getElementById('opt_psk').style.display = 'none';
     			document.getElementById('opt_peerid').style.display = '';
     			document.getElementById('opt_cert').style.display = '';
     			document.getElementById('opt_ca').style.display = '';
     			document.getElementById('opt_cert').disabled = false;
     			document.getElementById('opt_ca').disabled = false;
     			break;
     	case 'eap-tls':
     		document.getElementById('opt_psk').style.display = 'none';
     		document.getElementById('opt_peerid').style.display = '';
     		document.getElementById('opt_cert').style.display = '';
     		document.getElementById('opt_ca').style.display = '';
     		document.getElementById('opt_cert').disabled = false;
     		document.getElementById('opt_ca').disabled = false;
     		break;
     	case 'hybrid_rsa_server':
     		document.getElementById('opt_psk').style.display = 'none';
     		document.getElementById('opt_peerid').style.display = '';
     		document.getElementById('opt_cert').style.display = '';
     		document.getElementById('opt_ca').style.display = '';
     		document.getElementById('opt_cert').disabled = false;
     		document.getElementById('opt_ca').disabled = false;
     		break;
     	case 'xauth_rsa_server':
     	case 'rsasig':
     		document.getElementById('opt_psk').style.display = 'none';
     		document.getElementById('opt_peerid').style.display = '';
     		document.getElementById('opt_cert').style.display = '';
     		document.getElementById('opt_ca').style.display = '';
     		document.getElementById('opt_cert').disabled = false;
     		document.getElementById('opt_ca').disabled = false;
     		break;
     <?php if ($pconfig['mobile']) { ?>
     		case 'pre_shared_key':
     			document.getElementById('opt_psk').style.display = 'none';
     			document.getElementById('opt_peerid').style.display = 'none';
     			document.getElementById('opt_cert').style.display = 'none';
     			document.getElementById('opt_ca').style.display = 'none';
     			document.getElementById('opt_cert').disabled = true;
     			document.getElementById('opt_ca').disabled = true;
     			break;
     	case 'pre_shared_key':
     		document.getElementById('opt_psk').style.display = 'none';
     		document.getElementById('opt_peerid').style.display = 'none';
     		document.getElementById('opt_cert').style.display = 'none';
     		document.getElementById('opt_ca').style.display = 'none';
     		document.getElementById('opt_cert').disabled = true;
     		document.getElementById('opt_ca').disabled = true;
     		break;
     <?php } ?>
     		default: /* psk modes*/
     			document.getElementById('opt_psk').style.display = '';
     			document.getElementById('opt_peerid').style.display = '';
     			document.getElementById('opt_cert').style.display = 'none';
     			document.getElementById('opt_ca').style.display = 'none';
     			document.getElementById('opt_cert').disabled = true;
     			document.getElementById('opt_ca').disabled = true;
     			break;
     	default: /* psk modes*/
     		document.getElementById('opt_psk').style.display = '';
     		document.getElementById('opt_peerid').style.display = '';
     		document.getElementById('opt_cert').style.display = 'none';
     		document.getElementById('opt_ca').style.display = 'none';
     		document.getElementById('opt_cert').disabled = true;
     		document.getElementById('opt_ca').disabled = true;
     		break;
+    	}
+    }
-...
     							</span>
     						</td>
     					</tr>
     					<tr id="opt_cert">
     						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
     						<td width="78%" class="vtable">
     							<select name="certref" class="formselect">
     							<?php
     								foreach ($config['cert'] as $cert):
     									$selected = "";
     									if ($pconfig['certref'] == $cert['refid'])
     										$selected = "selected=\"selected\"";
     							?>
     								<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option>
     							<?php endforeach; ?>
     							</select>
     							<br />
     							<span class="vexpl">
     								<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
     							</span>
     						</td>
     					</tr>
     					<tr id="opt_ca">
     						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
     						<td width="78%" class="vtable">
     							<select name="caref" class="formselect">
     							<?php
     								foreach ($config['ca'] as $ca):
     									$selected = "";
     									if ($pconfig['caref'] == $ca['refid'])
     										$selected = "selected=\"selected\"";
     							?>
     								<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
     							<?php endforeach; ?>
     							</select>
     							<br />
     							<span class="vexpl">
     								<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
     							</span>
     						</td>
     					</tr>
     					<tr>
     						<td colspan="2" valign="top" class="listtopic">
     							<?=gettext("Phase 1 proposal (Algorithms)"); ?>
     						</td>
     					</tr>
     					<tr>
     						<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
     						<td width="78%" class="vtable">
-...
     							<?=gettext("seconds"); ?>
     						</td>
     					</tr>
     					<tr id="opt_cert">
     						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
     						<td width="78%" class="vtable">
     							<select name="certref" class="formselect">
     							<?php
     								foreach ($config['cert'] as $cert):
     									$selected = "";
     									if ($pconfig['certref'] == $cert['refid'])
     										$selected = "selected=\"selected\"";
     							?>
     								<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option>
     							<?php endforeach; ?>
     							</select>
     							<br />
     							<span class="vexpl">
     								<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
     							</span>
     						</td>
     					</tr>
     					<tr id="opt_ca">
     						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
     						<td width="78%" class="vtable">
     							<select name="caref" class="formselect">
     							<?php
     								foreach ($config['ca'] as $ca):
     									$selected = "";
     									if ($pconfig['caref'] == $ca['refid'])
     										$selected = "selected=\"selected\"";
     							?>
     								<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
     							<?php endforeach; ?>
     							</select>
     							<br />
     							<span class="vexpl">
     								<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
     							</span>
     						</td>
     					</tr>
     					<tr>
     						<td colspan="2" class="list" height="12"></td>
     					</tr>

Formats disponibles : Unified diff

Projet

Général

Profil

UnivNautes

Révision fa4e059e

Ajouté par Ermal il y a plus de 9 ans