From patchwork Thu May 28 17:58:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3136 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSD4v69z43x9 for ; Thu, 28 May 2020 17:59:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSB4dTzz2RP; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSB1Bx3z302m; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwS769DCz2y2h for ; Thu, 28 May 2020 17:59:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 49XwS7377Vz1dJ; Thu, 28 May 2020 17:59:03 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; 
d=ipfire.org; s=202003ed25519; t=1590688743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=k2xnobwPkm14IBYmNx/fLKQtxY9nw1Utfagg3KjclX0=; b=IHuki9wkGixRvGeTQ8jL0NRDq3XAczA8rbhoOqU/1ShtXqHyQqyRBVd10Uljej6uv+AMib 1jyMhWzHqfWf3nCA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1590688743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=k2xnobwPkm14IBYmNx/fLKQtxY9nw1Utfagg3KjclX0=; b=DpBCu7akJJju5sizP/XRcAbVmVsEfVNDZztnk9ccftfZq6q+MEjd2cJ1IE1pXeo1xtkvoK VNrz2WcQX3lS/sJmH30etzMUgj19fv1fYwrPwtwGw5ykfdQlZNiUd/3OPOJ9Ylh3g+iuSR ycOPd+tL8H4oTgS73J0k12tSb9qzER/A/oPxoObdtZaENCIEkY47THACAl0ETxTUWfVbSH V9tC+1r3DAlf6yYTJ5icYemMhHufea3fylBk7L35KZSFLr6Z1gY3x467/uR/QwVlR5Dxog 6Pv8qwmhcg3JM+DFVWeDD/Q1qvNqkeBg0NUb5dhwya2eVf0kMvCrecaKZ3Vv4w== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes Date: Thu, 28 May 2020 17:58:35 +0000 Message-Id: <20200528175850.12638-2-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e0f2c7a5e..2d0f57f98 100644 
--- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1007,7 +1007,7 @@ END &General::log("ipsec", "Creating cacert..."); if (open(STDIN, "-|")) { my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; + $opt .= " -days 3650"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/private/cakey.pem"; $opt .= " -out ${General::swroot}/ca/cacert.pem"; @@ -1065,7 +1065,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in ${General::swroot}/certs/hostreq.pem"; $opt .= " -out ${General::swroot}/certs/hostcert.pem"; @@ -1552,7 +1552,7 @@ END # Sign the certificate request &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; 
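Review bot: The commit message is empty apart from the Signed-off-by, so the hunk at 1007 gives no rationale for 3650 days for the CA or 825 days for everything it signs. State it in the message (if 825 was chosen to stay under a client-side maximum such as the one Apple enforces, say so, since the rest of this series targets Apple clients), and note that existing installations keep their 999999-day CA until they regenerate it, so the new default only affects CAs created after this change.

Review bot: In the hunk at 1065 the host certificate now expires after 825 days while the CA it chains to lives for 3650, and nothing in this patch warns the administrator or renews the host certificate before `openssl ca ... -days 825` runs out; road-warrior connections will simply stop authenticating after about two and a quarter years. Either add an expiry check to the IPsec page or a cron job (the date can be read with `openssl x509 -noout -enddate -in ${General::swroot}/certs/hostcert.pem`) or document the regeneration and redistribution procedure in the commit message.

Review bot: In the hunk at 1552 (and again in the one at 1825 below, which makes the same change for generated client certificates) the literal 825 now appears in three `openssl ca` invocations alongside the CA's 3650. Pull the two values into named variables near the top of the file, for example `my $ca_days = 3650;` and `my $cert_days = 825;`, so the next adjustment cannot leave one of the signing paths behind.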
@@ -1825,7 +1825,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -md sha256 -days 999999 -batch -notext"; + my $opt = " ca -md sha256 -days 825 -batch -notext"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -extfile $v3extname";

From patchwork Thu May 28 17:58:36 2020
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 02/16] IPsec: Add prototype to export Apple Configuration profiles
Date: Thu, 28 May 2020 17:58:36 +0000
Message-Id: <20200528175850.12638-3-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/web-user-interface | 1 +
 doc/language_issues.de | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings | 8 ++
 html/cgi-bin/vpnmain.cgi | 135 ++++++++++++++++++++-
 html/html/images/apple.png | Bin 0 -> 346 bytes
 langs/en/cgi-bin/en.pl | 1 +
 14 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 html/html/images/apple.png

diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index 9aaa05631..7d67c346c 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -117,6 +117,7 @@ srv/web/ipfire/html/images/add.gif srv/web/ipfire/html/images/addblue.gif srv/web/ipfire/html/images/addgreen.gif srv/web/ipfire/html/images/address-book-new.png +srv/web/ipfire/html/images/apple.png srv/web/ipfire/html/images/application-certificate.png srv/web/ipfire/html/images/application-x-executable.png srv/web/ipfire/html/images/applications-accessories.png
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 2dc986d0a..d53bfa601 100644
--- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -767,6 +767,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date! WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index 88fa6ed79..dc40a08bb 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -656,6 +656,7 @@ WARNING: untranslated string: downlink = Downlink WARNING: untranslated string: downlink speed = Downlink speed (kbit/sec) WARNING: untranslated string: downlink std class = downlink standard class WARNING: untranslated string: download = download +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download ca certificate = Download CA certificate WARNING: untranslated string: download certificate = Download file WARNING: untranslated string: download host certificate = Download host certificate diff --git a/doc/language_issues.es b/doc/language_issues.es index ef78d6680..933e99eca 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fd10b171e..fd9f8296c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -807,6 +807,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 16ff776b5..e77b1ef3f 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -862,6 +862,7 @@ WARNING: untranslated string: dns use protocol for dns queries = Protocol for DN WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: duration = Duration WARNING: untranslated string: eight hours = 8 Hours WARNING: untranslated string: email config = Configuration diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 328a8e1f2..ca6dec27e 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -865,6 +865,7 @@ WARNING: untranslated string: dnssec aware = DNSSEC Aware WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: drop outgoing = Log dropped outgoing packets WARNING: untranslated string: duration = Duration diff --git a/doc/language_issues.pl b/doc/language_issues.pl index ef78d6680..933e99eca 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 0a579d406..1fed38304 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -853,6 +853,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.tr b/doc/language_issues.tr index d04c99305..c716af76d 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -838,6 +838,7 @@ WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigne WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: duration = Duration WARNING: untranslated string: email tls explicit = explicit (STARTTLS) WARNING: untranslated string: email tls implicit = implicit (TLS) diff --git a/doc/language_missings b/doc/language_missings index bfc3ba41f..cff74f9b0 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -32,6 +32,7 @@ < dh name is invalid < dns could not add server < done +< download apple profile < error the to date has to be later than the from date < g.dtm < g.lite @@ -248,6 +249,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay @@ -918,6 +920,7 @@ < ansi t1.483 < bewan adsl pci st < bewan adsl usb +< download apple profile < g.dtm < g.lite < upload fcdsl.o @@ -1031,6 +1034,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < duration < eight hours < email config @@ -1397,6 +1401,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < download dh parameter < download tls-auth key < drop outgoing @@ -1878,6 +1883,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay 
@@ -2729,6 +2735,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay @@ -3422,6 +3429,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < duration < email tls explicit < email tls implicit diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2d0f57f98..9c0d72c88 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -19,6 +19,7 @@ # # ############################################################################### +use MIME::Base64; use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; 
@@ -1178,6 +1179,122 @@ END print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; exit (0); +# Export Apple profile to browser +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + my $key = $cgiparams{'KEY'}; + + my $uuid1 = "AAAABBBB"; + my $uuid2 = "CCCCDDDD"; + + my $cert = ""; + my $cert_uuid = "123456789"; + + # Read and encode certificate + if ($confighash{$key}[4] eq "cert") { + my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12"; + + # Read certificate and encode it into Base64 + open(CERT, "<${cert_path}"); + local($/) = undef; # slurp + $cert = MIME::Base64::encode_base64(); + close(CERT); + } + + print "Content-Type: application/octet-stream\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; + print "\n"; # end headers + + print "\n"; + print "\n"; + print " \n"; + print " PayloadDisplayName\n"; + print " $confighash{$key}[1]\n"; + print " PayloadIdentifier\n"; + print " $confighash{$key}[1]\n"; + print " PayloadUUID\n"; + print " ${uuid1}\n"; + print " PayloadType\n"; + print " Configuration\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.vpn1.conf1\n"; + print " PayloadUUID\n"; + print " ${uuid2}\n"; + print " PayloadType\n"; + print " com.apple.vpn.managed\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " UserDefinedName\n"; + print " $confighash{$key}[1]\n"; + print " VPNType\n"; + print " IKEv2\n"; + print " IKEv2\n"; + print " \n"; + print " RemoteAddress\n"; + print " 18.206.152.26\n"; + + # Left ID + if ($confighash{$key}[9]) { + print " LocalIdentifier\n"; + print " $confighash{$key}[9]\n"; + } + + # Right ID + if ($confighash{$key}[7]) { + print " RemoteIdentifier\n"; + print " $confighash{$key}[7]\n"; + } + + if ($confighash{$key}[4] eq 
"cert") { + print " AuthenticationMethod\n"; + print " Certificate\n"; + + print " PayloadCertificateUUID\n"; + print " ${cert_uuid}\n"; + } else { + print " AuthenticationMethod\n"; + print " SharedSecret\n"; + print " SharedSecret\n"; + print " $confighash{$key}[5]\n"; + } + + print " ExtendedAuthEnabled\n"; + print " 0\n"; + print " \n"; + print " \n"; + + if ($confighash{$key}[4] eq "cert") { + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.vpn1.client\n"; + print " PayloadUUID\n"; + print " ${cert_uuid}\n"; + print " PayloadType\n"; + print " com.apple.security.pkcs12\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + + foreach (split /\n/,${cert}) { + print " $_\n"; + } + + print " \n"; + print " \n"; + } + + print " \n"; + print " \n"; + print "\n"; + + # Done + exit(0); ### ### Display certificate ### @@ -2982,7 +3099,7 @@ END $Lang::tr{'common name'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END ; @@ -3082,6 +3199,22 @@ END } else { print " "; } + + # Apple Profile + if ($confighash{$key}[3] eq 'host') { + print < +
+ + + +
+ +END + } else { + print " "; + } + print <
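Review bot: The return value of `open(CERT, "<${cert_path}")` in the hunk at 1178 is never checked, so a missing or unreadable `.p12` silently produces a profile without a client certificate; test it and return an error page instead. The same hunk interpolates `$confighash{$key}[1]`, `[5]`, `[7]` and `[9]` into the plist with no XML escaping, so a connection name or pre-shared key containing `&`, `<` or `>` yields a file the device refuses to install; escape every value (`HTML::Entities::encode_entities($v, '<>&"')` is enough) and quote the filename in `Content-Disposition` while at it. Prototype placeholders that must go before this merges: `RemoteAddress` is the literal `18.206.152.26` instead of the firewall's public hostname, the `PayloadUUID`s are `AAAABBBB`, `CCCCDDDD` and `123456789` (not UUIDs; patch 04 of this series is meant to fix that), and the `PayloadIdentifier`s are the fixed `org.example.vpn1.conf1` and `org.example.vpn1.client`. iOS treats a profile carrying the same PayloadIdentifier as a replacement for the one already installed, so two connections exported from one firewall would overwrite each other on the device; derive the identifiers from the firewall's hostname and the connection name. Two smaller points: for shared-secret connections the PSK goes in clear into the downloaded `.mobileconfig` (the same exposure as the existing `.p12` download just above this hunk, but it deserves a sentence in the commit message), and the profile is served as `application/octet-stream` whereas Apple's type for configuration profiles is `application/x-apple-aspen-config`, which lets Safari on iOS hand the file straight to the profile installer.

Review bot: The download button in the hunk at 3082 is only rendered when `$confighash{$key}[3] eq 'host'`, but the handler at 1178 neither repeats that check nor verifies that `$confighash{$key}` exists before dereferencing it, so a hand-crafted `KEY` parameter exports a net-to-net connection or produces a profile full of empty strings. Have the handler enforce the same condition and bail out with an error for unknown keys; since the handler always writes `VPNType` as `IKEv2`, make sure the button is only shown for connections that actually use IKEv2.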
diff --git a/html/html/images/apple.png b/html/html/images/apple.png new file mode 100644 index 0000000000000000000000000000000000000000..6571a749b693911b9c616b29a6b749b409935853 GIT binary patch literal 346 zcmeAS@N?(olHy`uVBq!ia0vp^A|TAc1|)ksWqE-VOR5e-as->B0w#;z=wb9XPEh5Wee3MXypEOc8~ondH1Ay2V|w?oEt`%}g2C)Z zCR5BO#0eMt*&6iL??zAj*4dmoA2oFT_P=^$DO_>o$~Ql@9ECz-J>djav!H~Q|CLSb nF$uD(ZyYzx+c=dgd#Qd-dzV1X{ntx?;lSYO>gTe~DWM4fVRMKG literal 0 HcmV?d00001 diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ff08bce0c..aaf1d4978 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -906,6 +906,7 @@ 'downlink speed' => 'Downlink speed (kbit/sec)', 'downlink std class' => 'downlink standard class', 'download' => 'download', +'download apple profile' => 'Download Apple Configuration Profile', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download file', 'download dh parameter' => 'Download Diffie-Hellman parameters',

From patchwork Thu May 28 17:58:37 2020
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 03/16] perl: Package Data::UUID
Date: Thu, 28 May 2020 17:58:37 +0000
Message-Id: <20200528175850.12638-4-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

This module is required to generate UUIDs in Perl

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/perl-Data-UUID | 7 +++
 lfs/perl-Data-UUID | 77 ++++++++++++++++++++++++++
 make.sh | 1 +
 3 files changed, 85 insertions(+)
 create mode 100644 config/rootfiles/common/perl-Data-UUID
 create mode 100644 lfs/perl-Data-UUID

diff --git a/config/rootfiles/common/perl-Data-UUID b/config/rootfiles/common/perl-Data-UUID
new file mode 100644
index 000000000..69b7c3186
--- /dev/null
+++ b/config/rootfiles/common/perl-Data-UUID
@@ -0,0 +1,7 @@ +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data +usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data/UUID.pm +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/.packlist +usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/UUID.so +#usr/share/man/man3/Data::UUID.3
diff --git a/lfs/perl-Data-UUID b/lfs/perl-Data-UUID
new file mode 100644
index 000000000..e3eee182b
--- /dev/null
+++ b/lfs/perl-Data-UUID
@@ -0,0 +1,77 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.224 + +THISAPP = Data-UUID-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 71510bbcce760c394591fca83a9b5e6d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst 
%,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 4acce807f..9117dd3ec 100755 --- a/make.sh +++ b/make.sh 
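Review bot: In lfs/perl-Data-UUID the only integrity check on the downloaded tarball is `$(DL_FILE)_MD5 = 71510bbcce760c394591fca83a9b5e6d` through the `md5` target; that is what this Makefile provides, but MD5 is no longer collision resistant, so if the build infrastructure can verify a stronger digest for this download, please use it. Two smaller points: the license header reads `Copyright (C) 2007-2018 IPFire Team` in a file created in 2020, and `perl Makefile.PL` is run with no arguments, so the module keeps its clock-sequence and node-id state files in its default location (as far as I know /var/tmp); check that a CGI running as the web server user can write there and that sharing that directory is acceptable, and pin the location at build time if not.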
@@ -1301,6 +1301,7 @@ buildipfire() { lfsmake2 perl-Device-SerialPort lfsmake2 perl-Device-Modem lfsmake2 perl-Apache-Htpasswd + lfsmake2 perl-Data-UUID lfsmake2 gnupg lfsmake2 hdparm lfsmake2 sdparm

From patchwork Thu May 28 17:58:38 2020
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 04/16] vpnmain.cgi: Generate random UUIDs
Date: Thu, 28 May 2020 17:58:38 +0000
Message-Id: <20200528175850.12638-5-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 9c0d72c88..c004b6087 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -19,6 +19,7 @@ # # ############################################################################### +use Data::UUID; use MIME::Base64; use Net::DNS; use File::Copy; 
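Review bot: the subject promises random UUIDs, but Data::UUID, imported here, generates time-based (DCE / RFC 4122 version 1) identifiers built from a timestamp, a clock sequence and a node value it keeps in a state file, not version 4 random ones. That is adequate for PayloadUUID fields, which only need to be unique, so the intent is "unique" rather than "random"; consider wording the title and the "# Create a UUID generator" comment accordingly so nobody later treats these values as unpredictable. Note also that $uuid1, $uuid2 and $cert_uuid are created afresh on every download and are not stored with the connection, so each export of the same connection carries different payload UUIDs.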
@@ -1184,11 +1185,14 @@ END &General::readhasharray("${General::swroot}/vpn/config", \%confighash); my $key = $cgiparams{'KEY'}; - my $uuid1 = "AAAABBBB"; - my $uuid2 = "CCCCDDDD"; + # Create a UUID generator + my $uuid = Data::UUID->new(); + + my $uuid1 = $uuid->create_str(); + my $uuid2 = $uuid->create_str(); my $cert = ""; - my $cert_uuid = "123456789"; + my $cert_uuid = $uuid->create_str(); # Read and encode certificate if ($confighash{$key}[4] eq "cert") {
From patchwork Thu May 28 17:58:39 2020
X-Patchwork-Id: 3141
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 05/16] vpnmain.cgi: Add field for roadwarrior endpoint
Date: Thu, 28 May 2020 17:58:39 +0000
Message-Id: <20200528175850.12638-6-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>

This is the IP address or FQDN which will be written into Apple Configuration profiles as public peer address.

Signed-off-by: Michael Tremer --- doc/language_issues.de | 2 ++ doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 ++ doc/language_issues.it | 2 ++ doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 ++ doc/language_missings | 16 ++++++++++++++++ html/cgi-bin/vpnmain.cgi | 21 ++++++++++++++++++++- langs/en/cgi-bin/en.pl | 2 ++ 12 files changed, 56 insertions(+), 1 deletion(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index d53bfa601..4c4a37742 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de
@@ -800,6 +800,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index dc40a08bb..9bef2930c 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1169,9 +1169,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: iptmangles = IPTable Mangles diff --git a/doc/language_issues.es b/doc/language_issues.es index 933e99eca..57a20d214 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fd9f8296c..3fe75fd07 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -839,6 +839,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index e77b1ef3f..53cd94b90 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -986,8 +986,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.nl b/doc/language_issues.nl index ca6dec27e..85a9cd587 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -995,8 +995,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 933e99eca..57a20d214 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 1fed38304..6ed13933a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1152,9 +1152,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit 
diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c716af76d..8821371f7 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -912,8 +912,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_missings b/doc/language_missings index cff74f9b0..3034db5ba 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -37,6 +37,8 @@ < g.dtm < g.lite < insert removable device +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < no entries < notes < okay @@ -568,10 +570,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -923,6 +927,8 @@ < download apple profile < g.dtm < g.lite +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < upload fcdsl.o ############################################################################ # Checking cgi-bin translations for language: it # 
@@ -1135,8 +1141,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -1509,8 +1517,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -2204,10 +2214,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -3060,10 +3072,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -3472,8 +3486,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index c004b6087..61efcc72c 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -26,6 +26,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Sort::Naturally; +use Sys::Hostname; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; 
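Review bot: Sys::Hostname::hostname(), imported here for the endpoint fallback, returns the kernel node name, which on a firewall is usually the short host name rather than a name that clients on the Internet can resolve, so the "Use our own FQDN if nothing else is configured" fallback in the download branch will often put an unresolvable RemoteAddress into the profile. Consider deriving the fallback from the firewall's configured host and domain name, or refusing to export a profile until RW_ENDPOINT is set, and in either case make the comment describe what the code actually returns.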
@@ -112,6 +113,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = ''; $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; +$cgiparams{'RW_ENDPOINT'} = ''; $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; @@ -507,12 +509,18 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) { + $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'}; + goto SAVE_ERROR; + } + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; } $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); @@ -1182,6 +1190,10 @@ END # Export Apple profile to browser } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + # Read global configuration + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + + # Read connections &General::readhasharray("${General::swroot}/vpn/config", \%confighash); my $key = $cgiparams{'KEY'}; @@ -1209,6 +1221,9 @@ END print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; print "\n"; # end headers + # Use our own FQDN if nothing else is configured + my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname(); + print "\n"; print "\n"; print " \n"; 
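Review bot: the new RW_ENDPOINT check has the right shape (empty, a valid IP address or a valid FQDN, anything else rejected with a dedicated error), and because validip and validfqdn constrain the character set, interpolating the saved value into the profile's RemoteAddress later needs no further escaping. Two small things: the new condition uses `&&` while the RW_NET check directly below uses `and`, so pick one style; and the `&hostname()` fallback bypasses that validation, so validating the final $endpoint once, after the fallback is applied, would keep both paths under the same rule.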
@@ -1240,7 +1255,7 @@ END print " IKEv2\n"; print " \n"; print " RemoteAddress\n"; - print " 18.206.152.26\n"; + print " $endpoint\n"; # Left ID if ($confighash{$key}[9]) { @@ -3081,6 +3096,10 @@ EOF + + $Lang::tr{'ipsec roadwarrior endpoint'}: + + $Lang::tr{'host to net vpn'}: diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index aaf1d4978..54e8c404a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1550,10 +1550,12 @@ 'ipsec interface mode gre' => 'GRE', 'ipsec interface mode none' => '- None (Default) -', 'ipsec interface mode vti' => 'VTI', +'ipsec invalid ip address or fqdn for rw endpoint' => 'Invalid IP address or FQDN for Host-to-Net Endpoint', 'ipsec mode transport' => 'Transport', 'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', +'ipsec roadwarrior endpoint' => 'Host-to-Net Endpoint', 'ipsec routing table entries' => 'IPsec Routing Table Entries', 'ipsec settings' => 'IPsec Settings', 'iptable rules' => 'IPTable rules',
From patchwork Thu May 28 17:58:40 2020
X-Patchwork-Id: 3140
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 06/16] vpnmain.cgi: Fix indentation on Apple profiles
Date: Thu, 28 May 2020 17:58:40 +0000
Message-Id: <20200528175850.12638-7-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 61efcc72c..f5b1186a8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi
@@ -1259,27 +1259,27 @@ END # Left ID if ($confighash{$key}[9]) { - print " LocalIdentifier\n"; - print " $confighash{$key}[9]\n"; + print " LocalIdentifier\n"; + print " $confighash{$key}[9]\n"; } # Right ID if ($confighash{$key}[7]) { - print " RemoteIdentifier\n"; - print " $confighash{$key}[7]\n"; + print " RemoteIdentifier\n"; + print " $confighash{$key}[7]\n"; } if ($confighash{$key}[4] eq "cert") { - print " AuthenticationMethod\n"; - print " Certificate\n"; + print " AuthenticationMethod\n"; + print " Certificate\n"; - print " PayloadCertificateUUID\n"; - print " ${cert_uuid}\n"; + print " PayloadCertificateUUID\n"; + print " ${cert_uuid}\n"; } else { - print " AuthenticationMethod\n"; - print " SharedSecret\n"; - print " SharedSecret\n"; - print " $confighash{$key}[5]\n"; + print " AuthenticationMethod\n"; + print " SharedSecret\n"; + print " SharedSecret\n"; + print " $confighash{$key}[5]\n"; } print " ExtendedAuthEnabled\n";
From patchwork Thu May 28 17:58:41 2020
X-Patchwork-Id: 3142
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 07/16] IPsec: Apple: Enable PFS on client when enabled
Date: Thu, 28 May 2020 17:58:41 +0000
Message-Id: <20200528175850.12638-8-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index f5b1186a8..816136c92 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi
@@ -1257,6 +1257,13 @@ END print " RemoteAddress\n"; print " $endpoint\n"; + # PFS + my $pfs = $confighash{$key}[28]; + if ($pfs eq "on") { + print " EnablePFS\n"; + print " \n"; + } + # Left ID if ($confighash{$key}[9]) { print " LocalIdentifier\n";
From patchwork Thu May 28 17:58:42 2020
X-Patchwork-Id: 3143
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 08/16] IPsec: Apple: Add desired cipher suites to profiles Date: Thu, 28 May 2020 17:58:42 +0000 Message-Id: <20200528175850.12638-9-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 110 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 816136c92..7011454fa 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -126,6 +126,35 @@ $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); +my %APPLE_CIPHERS = ( + "aes256gcm128" => "AES-256-GCM", + "aes128gcm128" => "AES-128-GCM", + "aes256" => "AES-256", + "aes128" => "AES-128", + "3des" => "3DES", +); + +my %APPLE_INTEGRITIES = ( + "sha2_512" => "SHA2-512", + "sha2_384" => "SHA2-384", + "sha2_256" => "SHA2-256", + "sha1" => "SHA1-160", +); + +my %APPLE_DH_GROUPS = ( + "768" => 1, + "1024" => 2, + "1536" => 5, + "2048" => 14, + "3072" => 15, + "4096" => 16, + "6144" => 17, + "8192" => 18, + "e256" => 19, + "e384" => 20, + "e521" => 21, +); + ### ### Useful functions ### 
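Review bot: the lookup tables in this hunk still admit 3DES, SHA1-160 and the 768/1024/1536-bit MODP groups (DH groups 1, 2 and 5). Because the second hunk of this patch writes the first configured algorithm that appears in these maps and then stops, a connection whose IKE or ESP list happens to lead with one of those entries gets a profile that pins the Apple client to it. Consider dropping the legacy entries from `%APPLE_CIPHERS`, `%APPLE_INTEGRITIES` and `%APPLE_DH_GROUPS`, or selecting from a strength-ordered preference list rather than configuration order, so profile generation cannot pick a weaker suite than the rest of the list offers.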
@@ -1264,6 +1293,87 @@ END print " \n"; } + # IKE Cipher Suite + print " IKESecurityAssociationParameters\n"; + print " \n"; + + # Encryption + foreach my $cipher (split(/\|/,$confighash{$key}[18])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " EncryptionAlgorithm\n"; + print " $APPLE_CIPHERS{$cipher}\n"; + last; + } + + # Integrity + foreach my $integrity (split(/\|/,$confighash{$key}[19])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " IntegrityAlgorithm\n"; + print " $APPLE_INTEGRITIES{$integrity}\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/\|/,$confighash{$key}[20])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " DiffieHellmanGroup\n"; + print " $APPLE_DH_GROUPS{$group}\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[16] * 60; + print " LifeTimeInMinutes\n"; + print " $lifetime\n"; + print " \n"; + + # ESP Cipher Suite + print " ChildSecurityAssociationParameters\n"; + print " \n"; + + # Encryption + foreach my $cipher (split(/\|/,$confighash{$key}[21])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " EncryptionAlgorithm\n"; + print " $APPLE_CIPHERS{$cipher}\n"; + last; + } + + # Integrity + foreach my $integrity (split(/\|/,$confighash{$key}[22])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " IntegrityAlgorithm\n"; + print " $APPLE_INTEGRITIES{$integrity}\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/\|/,$confighash{$key}[23])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " DiffieHellmanGroup\n"; + print " $APPLE_DH_GROUPS{$group}\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[17] * 60; + print " LifeTimeInMinutes\n"; + print " $lifetime\n"; + print " \n"; + + 
# Left ID if ($confighash{$key}[9]) { print " LocalIdentifier\n"; From patchwork Thu May 28 17:58:43 2020 X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3148
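Review bot: in the ESP section of the second hunk, `my $lifetime = $confighash{$key}[17] * 60;` redeclares a variable that the IKE section already declared with `my` in the same scope (`my $lifetime = $confighash{$key}[16] * 60;`); under `use warnings` Perl reports `"my" variable $lifetime masks earlier declaration in same scope`. Either drop the second `my` or wrap each section in its own block. Separately, each of the six `foreach ... last;` loops emits nothing at all when none of the configured algorithms is present in the Apple maps, so the key is silently omitted and the client applies its own default; logging the omission, or refusing to generate the profile in that case, would make the mismatch visible to the administrator instead of producing a profile that negotiates something other than what the connection is configured for.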
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 09/16] IPsec: Apple: Stop prompting for credentials Date: Thu, 28 May 2020 17:58:43 +0000 Message-Id: <20200528175850.12638-10-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 7011454fa..0d141cb88 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1401,6 +1401,12 @@ END print " ExtendedAuthEnabled\n"; print " 0\n"; + + # These are not needed, but we provide some default to stop iPhone asking for credentials + print " AuthName\n"; + print " $confighash{$key}[1]\n"; + print " AuthPassword\n"; + print " \n"; print " \n"; print " \n"; From patchwork Thu May 28 17:58:44 2020 X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3145
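Review bot: the added AuthName value interpolates `$confighash{$key}[1]` (the connection name) straight into the profile without escaping; unless the name is validated elsewhere to exclude characters that are special in the profile's XML, a name containing `&` or `<` yields a profile the client cannot parse. An escaping helper applied to every user-controlled value written into the profile would be safer than relying on upstream input validation. The hunk comment says the two keys are "not needed"; it should also state what AuthPassword is set to, since this profile is downloaded through the web interface and any real credential placed in that field would be distributed with it.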
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 10/16] IPsec: Allow sending DNS server addresses to RW clients Date: Thu, 28 May 2020 17:58:44 +0000 Message-Id: <20200528175850.12638-11-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- doc/language_issues.de | 2 +- doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 +- doc/language_issues.it | 2 +- doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 +- doc/language_missings | 8 ++++++ html/cgi-bin/vpnmain.cgi | 54 ++++++++++++++++++++++++++++++++++------ langs/en/cgi-bin/en.pl | 1 + 12 files changed, 69 insertions(+), 12 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 4c4a37742..ab074d94d 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -219,7 +219,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set 
@@ -800,6 +799,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: no entries = No entries at the moment. diff --git a/doc/language_issues.en b/doc/language_issues.en index 9bef2930c..c05fc0800 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -624,6 +624,7 @@ WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns proxy server = DNS Proxy Server WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns title = Domain Name System WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers @@ -1166,6 +1167,7 @@ WARNING: untranslated string: ipfires hostname = IPFire's Hostname WARNING: untranslated string: ipinfo = IP info WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI 
diff --git a/doc/language_issues.es b/doc/language_issues.es index 57a20d214..376af0dc4 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 3fe75fd07..c52ef3972 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -246,7 +246,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set 
@@ -839,6 +838,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.it b/doc/language_issues.it index 53cd94b90..be1f9c351 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -220,7 +220,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnsforward forward_server WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list @@ -983,6 +982,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 85a9cd587..21e1e8daa 100644 
--- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -856,6 +856,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -992,6 +993,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 57a20d214..376af0dc4 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 6ed13933a..dc8d83beb 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -837,6 +837,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -1149,6 +1150,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 8821371f7..dd4d24ae3 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -242,7 +242,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnsforward forward_server WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list 
@@ -909,6 +908,7 @@ WARNING: untranslated string: invalid input for local ip address = Invalid input WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_missings b/doc/language_missings index 3034db5ba..fe0713fdf 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -37,6 +37,7 @@ < g.dtm < g.lite < insert removable device +< ipsec dns server address is invalid < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < no entries @@ -567,6 +568,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -927,6 +929,7 @@ < download apple profile < g.dtm < g.lite +< ipsec dns server address is invalid < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < upload fcdsl.o @@ -1138,6 +1141,7 @@ < invalid ip or hostname < invalid logserver protocol < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -1514,6 +1518,7 @@ < invalid ip or hostname < invalid logserver protocol < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti 
@@ -2211,6 +2216,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -3069,6 +3075,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -3483,6 +3490,7 @@ < invalid input for mode < invalid ip or hostname < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 0d141cb88..93120ea44 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel"; $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; +$cgiparams{'DNS_SERVERS'} = ""; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); my %APPLE_CIPHERS = ( @@ -511,6 +512,13 @@ sub writeipsecfiles { # Fragmentation print CONF "\tfragmentation=yes\n"; + # DNS Servers for RW + if ($lconfighash{$key}[3] eq 'host') { + my @servers = split(/\|/, $lconfighash{$key}[39]); + + print CONF "\trightdns=" . join(",", @servers) . "\n"; + } + print CONF "\n"; } #foreach key @@ -1612,6 +1620,7 @@ END $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; 
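Review bot: in the `writeipsecfiles` hunk, `rightdns=` is written for every host-to-net connection even when no servers are configured: `$lconfighash{$key}[39]` is empty for a connection saved without DNS servers and undefined for entries created before this field existed, so the code emits a bare `rightdns=` line (and, for the undefined case, a "Use of uninitialized value" warning from `split`). Guard the print with `if (@servers)` so the option is only written when there is something to send.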
@@ -1745,6 +1754,16 @@ END } } + if ($cgiparams{'TYPE'} eq 'host') { + my @servers = split(",", $cgiparams{'DNS_SERVERS'}); + foreach my $server (@servers) { + unless (&Network::check_ip_address($server)) { + $errormessage = $Lang::tr{'ipsec dns server address is invalid'}; + goto VPNCONF_ERROR; + } + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -2147,7 +2166,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2198,6 +2217,7 @@ END $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'}; + $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'})); # free unused fields! $confighash{$key}[15] = 'off'; @@ -2280,6 +2300,7 @@ END $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; + $cgiparams{'DNS_SERVERS'} = ""; } VPNCONF_ERROR: @@ -2376,11 +2397,8 @@ END EOF } - my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { - $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + my $blob = ""; + if ($cgiparams{'TYPE'} eq 'net') { $blob = "*"; }; @@ -2390,6 +2408,9 @@ EOF my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets); + my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'}); + my $dns_servers = join(",", @dns_servers); + print < $Lang::tr{'enabled'} 
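Review bot: the validation hunk splits `$cgiparams{'DNS_SERVERS'}` on a bare comma and passes each piece to `&Network::check_ip_address` untrimmed, so an input such as `192.0.2.53, 192.0.2.54` (a constructed example) is rejected on the second entry because of the leading space, and the storage hunk joins the same untrimmed pieces with `|` into `$confighash{$key}[39]`. Splitting on `/\s*,\s*/` (or trimming each entry) in both places, and dropping empty entries so that a trailing comma is not stored as an empty field, would make the form accept what users naturally type and keep the stored list clean; the `rightdns` line in ipsec.conf is built from that stored field, so stray whitespace or empty entries would otherwise reach the daemon configuration.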
@@ -2425,10 +2446,26 @@ END - $Lang::tr{'remote subnet'} $blob +END + + if ($cgiparams{'TYPE'} eq "net") { + print <$Lang::tr{'remote subnet'} * + + + +END + + } elsif ($cgiparams{'TYPE'} eq "host") { + print <$Lang::tr{'dns servers'}: - + +END + } + + print < $Lang::tr{'vpn local id'}: @@ -2764,6 +2801,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 54e8c404a..adc04f6b3 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1547,6 +1547,7 @@ 'ipinfo' => 'IP info', 'ipsec' => 'IPsec', 'ipsec connection' => 'IPsec Connection', +'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)', 'ipsec interface mode gre' => 'GRE', 'ipsec interface mode none' => '- None (Default) -', 'ipsec interface mode vti' => 'VTI', From patchwork Thu May 28 17:58:45 2020 X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3150
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 11/16] IPsec: Always send our host certificate to all RW clients Date: Thu, 28 May 2020 17:58:45 +0000 Message-Id: <20200528175850.12638-12-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 93120ea44..85c4584e1 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -350,6 +350,12 @@ sub writeipsecfiles { print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; + + # Always send the host certificate + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tleftsendcert=always\n"; + } + print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { From patchwork Thu May 28 17:58:46 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3144 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSL42jTz43rk for ; Thu, 28 May 2020 17:59:14 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSH0Xggz38N; Thu, 28 May 2020 17:59:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSG6Lq9z303h; Thu, 28 May 2020 17:59:10 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB2C4zz3035 for ; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using 
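Review bot: the comment `# Always send the host certificate` does not match the condition under it, which only emits `leftsendcert=always` when `$lconfighash{$key}[3] eq 'host'`, i.e. for roadwarrior connections; reword the comment to say that. The option only has an effect for certificate-authenticated connections, so consider gating on the authentication field as well (the profile code later in this series tests `$confighash{$key}[4] eq "cert"`), otherwise PSK roadwarrior conns carry a dead setting. With `always`, strongSwan sends the gateway certificate whether or not the peer sent a certificate request; if the motivation is clients that omit CERTREQ, the commit message should say so.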
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 12/16] IPsec: Set display name for VPN connections Date: Thu, 28 May 2020 17:58:46 +0000 Message-Id: <20200528175850.12638-13-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 85c4584e1..9353a2f0d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1428,6 +1428,8 @@ END print " \n"; print " PayloadIdentifier\n"; print " org.example.vpn1.client\n"; + print " PayloadDisplayName\n"; + print " $confighash{$key}[1]\n"; print " PayloadUUID\n"; print " ${cert_uuid}\n"; print " PayloadType\n"; From patchwork Thu May 28 17:58:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3146 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSN0jkZz43xK for ; Thu, 28 May 2020 17:59:16 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSH6bxrz3DD; Thu, 28 May 2020 17:59:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSH5BBvz2ysJ; Thu, 28 May 2020 17:59:11 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB2bwFz2ysJ for ; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
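Review bot: `$confighash{$key}[1]` is interpolated straight into the PayloadDisplayName string element with no XML escaping, the same way the neighbouring values are; a connection name containing `&` or `<` produces a malformed plist that the device refuses to install. Suggest passing this and the other interpolated values through a small helper that replaces `&`, `<` and `>` with their entities, or rejecting such characters when the connection name is entered.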
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 13/16] IPsec: Ensure that iOS VPNs are always connected Date: Thu, 28 May 2020 17:58:47 +0000 Message-Id: <20200528175850.12638-14-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 9353a2f0d..1e4115e95 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1421,6 +1421,18 @@ END print " $confighash{$key}[1]\n"; print " AuthPassword\n"; print " \n"; + + # Connect the VPN automatically + print " OnDemandEnabled\n"; + print " 1\n"; + print " OnDemandRules\n"; + print " \n"; + print " \n"; + print " Action\n"; + print " Connect\n"; + print " \n"; + print " \n"; + print " \n"; print " \n"; From patchwork Thu May 28 17:58:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3151 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSf31qJz43rk for ; Thu, 28 May 2020 17:59:30 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSK1x2lz32M; Thu, 28 May 2020 17:59:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSJ6blXz2ysJ; Thu, 28 May 2020 17:59:12 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB3DWXz2yjB for ; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from [127.0.0.1] (localhost 
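Review bot: the added OnDemandRules block holds a single unconditional `Action` / `Connect` rule, so the device will try to bring the tunnel up on every network it joins, including the LAN behind this IPFire gateway where the endpoint may not be reachable and the client will keep retrying. Consider a preceding rule that disconnects or evaluates when the device is on the internal network, or at least describe the behaviour in the commit message, which currently only says "Ensure that iOS VPNs are always connected". An on-demand connection cannot prompt the user for credentials, so this hunk also depends on certificate authentication being present in the same profile.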
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 14/16] IPsec: Strip @ from IDs in Apple profile Date: Thu, 28 May 2020 17:58:48 +0000 Message-Id: <20200528175850.12638-15-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 1e4115e95..2e0dd797d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1390,14 +1390,28 @@ END # Left ID if ($confighash{$key}[9]) { + my $leftid = $confighash{$key}[9]; + + # Strip leading @ from FQDNs + if ($leftid =~ m/^@(.*)$/) { + $leftid = $1; + } + print " LocalIdentifier\n"; - print " $confighash{$key}[9]\n"; + print " $leftid\n"; } # Right ID if ($confighash{$key}[7]) { + my $rightid = $confighash{$key}[7]; + + # Strip leading @ from FQDNs + if ($rightid =~ m/^@(.*)$/) { + $rightid = $1; + } + print " RemoteIdentifier\n"; - print " $confighash{$key}[7]\n"; + print " $rightid\n"; } if ($confighash{$key}[4] eq "cert") { From patchwork Thu May 28 17:58:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3147 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSN2S96z43xL for ; Thu, 28 May 2020 17:59:16 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSJ24Jmz3DT; Thu, 28 May 2020 17:59:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSJ0m8yz2yjB; Thu, 28 May 2020 17:59:12 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN 
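Review bot: the match `m/^@(.*)$/` strips exactly one leading `@` from any ID, but strongSwan also uses the prefixes `@@` (key ID) and `@#` (hex-encoded DN); for those, the code leaves `@...` or `#...` behind, which the Apple client will not match against the peer. Since the comment says FQDNs, only strip when the remainder looks like a hostname and pass other forms through unchanged, or reject them with an error. The two identical blocks for left and right ID should be one helper so that any later fix lands in both places.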
"mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB3pcMz2yZb for ; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 49XwSB3F46z2Z3; Thu, 28 May 2020 17:59:06 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1590688746; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O70mn1JMaz+ljgH7oxGZEL8lvzxTD+rZiPSiTFVubDA=; b=RSIil1LNZpr8JgIgsB6OkkMIvFADQt2phDP43oOZf3EFNxOs8nKOQ6N2HdlkStDgNKSYer 7Bu32KlXjWAIoLAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1590688746; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O70mn1JMaz+ljgH7oxGZEL8lvzxTD+rZiPSiTFVubDA=; b=G2tMr62bDCUE5wfXnq7ZGUfmClfYT7F4Tm+NwTP3djeM+S5NU40CjJqwYtlbVOJaq5zoJ9 OadNCMVm3JjSjnzcZ75zfe09FsWK9d2+Z2HvzgZiES8VOhKG61kxAi2El1qaTziOJHpHmz zrPaQm8BRgtkz2jOsZVotcipGxEb73z4OHThASknyX4oTv5xqnj0Wu/Q6QAoatylqka3p4 8t+X1IvjDTebY+c38ERHyi2RbWTJ3fEB6lYRz86EfVj4SRIG9hcSxp/igg5Hl+wungKlz/ XHGRg/Iit+pEK5uNikvx3PTSn9IFIqJxFGVywmK726r4MIcRpqQef0oAxWHOuA== 
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 15/16] Revert "IPsec: Apple: Stop prompting for credentials" Date: Thu, 28 May 2020 17:58:49 +0000 Message-Id: <20200528175850.12638-16-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This reverts commit eef4cd4b101da0c7ceab0c3386ad755ed242f8d5. Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 6 ------ 1 file changed, 6 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2e0dd797d..bcbe6227e 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1430,12 +1430,6 @@ END print " ExtendedAuthEnabled\n"; print " 0\n"; - # These are not needed, but we provide some default to stop iPhone asking for credentials - print " AuthName\n"; - print " $confighash{$key}[1]\n"; - print " AuthPassword\n"; - print " \n"; - # Connect the VPN automatically print " OnDemandEnabled\n"; print " 1\n"; From patchwork Thu May 28 17:58:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3149 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSS5lTDz43xD for ; Thu, 28 May 2020 17:59:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSK3fx4z3Gg; Thu, 28 May 2020 17:59:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSK2Ft1z2yvq; Thu, 28 May 2020 17:59:13 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB4RzRz2ycL for ; Thu, 28 May 2020 17:59:06 +0000 (UTC) Received: from [127.0.0.1] (localhost 
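Review bot: the message only states "This reverts commit eef4cd4b101da0c7ceab0c3386ad755ed242f8d5." and gives no reason; the removed block was added to stop the credential prompt, so the message should say what now prevents that prompt (presumably the OnDemand rules and certificate authentication added earlier in this series), otherwise the next person is likely to reinstate the empty `AuthPassword` string, which is not something a profile should carry.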
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 16/16] IPsec: Add CA certificate in Apple profile Date: Thu, 28 May 2020 17:58:50 +0000 Message-Id: <20200528175850.12638-17-michael.tremer@ipfire.org> In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org> References: <20200528175850.12638-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bcbe6227e..fa97ed531 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1246,13 +1246,23 @@ END my $uuid1 = $uuid->create_str(); my $uuid2 = $uuid->create_str(); + my $ca = ""; + my $ca_uuid = $uuid->create_str(); + my $cert = ""; my $cert_uuid = $uuid->create_str(); - # Read and encode certificate + # Read and encode the CA & certificate if ($confighash{$key}[4] eq "cert") { + my $ca_path = "${General::swroot}/ca/cacert.pem"; my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12"; + # Read the CA and encode it into Base64 + open(CA, "<${ca_path}"); + local($/) = undef; # slurp + $ca = MIME::Base64::encode_base64(); + close(CA); + # Read certificate and encode it into Base64 open(CERT, "<${cert_path}"); local($/) = undef; # slurp 
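Review bot: in the `@@ -1246,13 +1246,23 @@` hunk, `open(CA, "<${ca_path}");` has no error handling, so a missing or unreadable `cacert.pem` silently yields an empty `$ca` and a profile that installs with an empty root-certificate payload; follow the open with `or die` / an error return, or skip the CA payload with a visible warning. As shown, the next line reads `$ca = MIME::Base64::encode_base64();` with no argument, so please check that the filehandle read survived the patch. The second `local($/) = undef; # slurp` before the CERT read is now redundant because the first one already covers the same scope, and lexical filehandles (`open(my $ca_fh, '<', $ca_path)`) would be preferable to the barewords CA and CERT.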
@@ -1465,6 +1475,25 @@ END print " \n"; print " \n"; + + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.ca\n"; + print " PayloadUUID\n"; + print " ${ca_uuid}\n"; + print " PayloadType\n"; + print " com.apple.security.root\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + + foreach (split /\n/,${ca}) { + print " $_\n"; + } + + print " \n"; + print " \n"; } print " \n";
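Review bot: the CA payload uses the hard-coded `PayloadIdentifier` `org.example.ca`, a placeholder namespace; Apple expects payload identifiers to be unique, and profiles generated by two different IPFire installations would both claim this one, so the second profile can replace the first's CA payload. Derive it from the gateway hostname or from `${ca_uuid}`. A `com.apple.security.root` payload asks the device to trust this CA beyond the VPN, which is worth stating in the commit message, and it makes the profile only as trustworthy as the protection of the IPFire CA key it belongs to.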