# ipsec-config will be deleted.
#****
-proc editIpsecCfg { w node deleteid edit } {
-
- global viewid
+proc editIpsecCfg { w node deleteid edit phase } {
+
+ global viewid badentry
+
+#### TODO: ########################
+ $w config -cursor watch; update
+ if { $phase == 0 } {
+ set badentry 0
+ focus .
+ after 100 "editIpsecCfg $w $node $deleteid $edit 1"
+ return
+ } elseif { $badentry } {
+ $w config -cursor left_ptr
+ return
+ }
+#################################
set ipsecCfgList [getIpsecConfig $node]
set i 0
foreach element $ipsecCfgList {
if { $edit == "1" } {
set add "0"
- set ipsecCfg [ipsecConfigApply $w $node $add]
+ set ipsecCfg [ipsecConfigApply $w $node $add 0]
set newid [getConfig $ipsecCfg "ipsec-config-id"]
set viewid $newid
lappend ipsecCfgList $ipsecCfg
}
-
+
removeIpsecConfig $node
foreach ipsecCfg $ipsecCfgList {
setIpsecConfig $node $ipsecCfg
}
-
if { $edit != "1" } {
destroy $w
set delete "1"
#****
proc showIpsecErrors { str } {
- global viewid
set error ""
#foreach element $str {
# }
#}
set error $str
-
- set w .cfgeditor
- catch {destroy $w}
- toplevel $w -takefocus 1
- #wm transient $w .
- grab $w
- catch {unset viewid}
- frame $w.noentry -borderwidth 4
- label $w.noentry.label -text $error
- pack $w.noentry.label -side left -anchor w
- pack $w.noentry -side top -anchor w
-
- frame $w.noentrybuttons
- pack $w.noentrybuttons -side bottom
- button $w.noentrybuttons.close -text Close \
- -command "destroy $w"
- pack $w.noentrybuttons.close -side left
+ tk_messageBox -message $error -type ok -icon error \
+ -title "IPsec configuration error"
+}
+proc showIPsecInfo { str } {
+ tk_messageBox -message $str -type ok -icon info \
+ -title "IPsec configuration notice"
}
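Review bot: showIpsecErrors still carries the dead `set error ""` and the commented-out foreach lines above the new tk_messageBox call; since `error` is only a copy of `str`, the body reduces to `tk_messageBox -message $str -type ok -icon error -title "IPsec configuration error"`. The removed dialog also ran `catch {unset viewid}`, which the message-box version drops, so any caller that relied on the view id being cleared after an error no longer gets that; a one-line comment on the proc saying that the caller owns viewid would make the new contract explicit. showIPsecInfo duplicates the call with only the icon and title changed, so one helper taking the icon would cover both, though that is a style preference.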
#****f* ipsec.tcl/viewIpsecCfg
#****
proc viewIpsecCfg { node delete view } {
-
- set idlist {}
- global viewid
- set ipsecCfgList [getIpsecConfig $node]
- set len [llength $ipsecCfgList]
- foreach ipsecCfg $ipsecCfgList {
- set id [lindex [lsearch -inline $ipsecCfg "ipsec-config-id *"] 1]
- lappend idlist $id
- }
- if { $delete == "1" } {
- set viewid [lindex $idlist 0]
- }
- if { $view == "0" } {
- catch {unset viewid}
- }
-
- set ipsecCfg ""
-
- if { $view == "1" && $idlist == {} } {
-
- set error "There are no ipsec-config entries with specified ipsec-config-id."
- showIpsecErrors $error
-
- } else {
+ set idlist {}
+ global viewid badentry
+ set ipsecCfgList [getIpsecConfig $node]
+ set len [llength $ipsecCfgList]
+ foreach ipsecCfg $ipsecCfgList {
+ set id [lindex [lsearch -inline $ipsecCfg "ipsec-config-id *"] 1]
+ lappend idlist $id
+ }
+ if { $delete == "1" } {
+ set viewid [lindex $idlist 0]
+ }
+ if { $view == "0" } {
+ catch {unset viewid}
+ }
+
+ set ipsecCfg ""
+
+ if { $view == "1" && $idlist == {} } {
+
+ set error "There are no ipsec-config entries with specified ipsec-config-id."
+ showIpsecErrors $error
+
+ } else {
set w .cfgeditor
catch {destroy $w}
toplevel $w -takefocus 1
#wm transient $w .
+ wm resizable $w 0 0
grab $w
wm title $w "Node $node"
wm iconname $w "$node"
frame $w.sad.sourceSA -borderwidth 4
label $w.sad.sourceSA.label -text "Src SA address:"
pack $w.sad.sourceSA.label -side left -anchor w
- entry $w.sad.sourceSA.source -bg white -width 30
+ entry $w.sad.sourceSA.source -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != "" } {
set sourceSA [ getConfig $ipsecCfg "SA-source-address"]
} else {
set sourceSA ""
}
$w.sad.sourceSA.source insert end $sourceSA
+ $w.sad.sourceSA.source configure \
+ -vcmd {checkSAaddress %P}
pack $w.sad.sourceSA.source $w.sad.sourceSA.label \
-side left -padx 4 -pady 0
pack $w.sad.sourceSA -side top -anchor w
frame $w.sad.destSA -borderwidth 4
label $w.sad.destSA.label -text "Dst SA address:"
pack $w.sad.destSA.label -side left -anchor w
- entry $w.sad.destSA.dest -bg white -width 30
+ entry $w.sad.destSA.dest -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != {} } {
set destSA [ getConfig $ipsecCfg "SA-destination-address"]
} else {
set destSA ""
}
$w.sad.destSA.dest insert end $destSA
+ $w.sad.destSA.dest configure \
+ -vcmd {checkSAaddress %P}
pack $w.sad.destSA.dest $w.sad.destSA.label \
-side left -padx 4 -pady 0
pack $w.sad.destSA -side top -anchor w
-validate focus -invcmd "focusAndFlash %W"
$w.sad.spi.inboundv insert 0 $inboundspi
$w.sad.spi.inboundv configure \
- -from 1 -to 65535 -increment 1 \
- -vcmd {checkIntRange %P 1 65535}
+ -from 1366 -to 65535 -increment 1 \
+ -vcmd {checkIntRange %P 1366 65535}
pack $w.sad.spi.inboundl $w.sad.spi.inboundv \
-side left -anchor w
-validate focus -invcmd "focusAndFlash %W"
$w.sad.spi.outboundv insert 0 $outboundspi
$w.sad.spi.outboundv configure \
- -from 2 -to 65535 -increment 1 \
- -vcmd {checkIntRange %P 2 65535 }
+ -from 1367 -to 65535 -increment 1 \
+ -vcmd {checkIntRange %P 1366 65535 }
pack $w.sad.spi.outboundl $w.sad.spi.outboundv \
-side left -anchor w
pack $w.sad.spi -side top -anchor w
-side left -anchor w
# IP compression:
- label $w.sad.ipsecalg.ipcomp -text "IPcomp:"
+ label $w.sad.ipsecalg.ipcomp -text "IPcomp: "
pack $w.sad.ipsecalg.ipcomp -side left -anchor w
- global ipcomp
+ global ipcompalg
if { $ipsecCfg != {} } {
- set ipcomp [ getConfig $ipsecCfg "IPcomp-algorithm"]
+ set ipcompalg [ getConfig $ipsecCfg "IPcomp-algorithm"]
} else {
- set ipcomp no
+ set ipcompalg "no IPcomp"
}
- radiobutton $w.sad.ipsecalg.ipcompyes -text "yes" \
- -variable ipcomp -value yes
- radiobutton $w.sad.ipsecalg.ipcompno -text "no" \
- -variable ipcomp -value no
- pack $w.sad.ipsecalg.ipcompyes -side top -anchor w
- pack $w.sad.ipsecalg.ipcompno -side bottom -anchor w
- pack $w.sad.ipsecalg.ipcomp \
- $w.sad.ipsecalg.ipcompyes $w.sad.ipsecalg.ipcompno \
+ tk_optionMenu $w.sad.ipsecalg.ipcompalg ipcompalg \
+ deflate lzs "no IPcomp"
+ pack $w.sad.ipsecalg.ipcomp $w.sad.ipsecalg.ipcompalg \
-side left -anchor w
pack $w.sad.ipsecalg -side top -anchor w
frame $w.sad.cryptoalg -borderwidth 4
label $w.sad.cryptoalg.label -text "Crypto algorithm:"
pack $w.sad.cryptoalg.label -side left -anchor w
- global cryptoalgesp cryptoalgah
+ global cryptoalgesp
+ global cryptoalgah
if { $ipsecCfg != {} } {
- set crytoalgesp [ getConfig $ipsecCfg "esp-crypto-algorithm"]
- set crytoalgah [ getConfig $ipsecCfg "ah-crypto-algorithm"]
+ set caesp [ getConfig $ipsecCfg "esp-crypto-algorithm"]
+ set caah [ getConfig $ipsecCfg "ah-crypto-algorithm"]
} else {
- set cryptoalgesp 3des-cbc
- set cryptoalgah hmac-sha2-256
+ set caesp 3des-cbc
+ set caah hmac-md5
}
- tk_optionMenu $w.sad.cryptoalg.esp cryptoalgesp des-cbc 3des-cbc \
- simple blowfish-cbc cast128-cbc rijndael-cbc
- tk_optionMenu $w.sad.cryptoalg.ah cryptoalgah hmac-md5 hmac-sha1 \
- keyed-md5 keyed-sha1 hmac-sha2-256 hmac-sha2-384 hmac-sha2-512 \
- null
+ set cryptoalgesp $caesp
+ set cryptoalgah $caah
+ tk_optionMenu $w.sad.cryptoalg.esp cryptoalgesp \
+ des-cbc 3des-cbc simple blowfish-cbc cast128-cbc \
+ rijndael-cbc null
+ tk_optionMenu $w.sad.cryptoalg.ah cryptoalgah \
+ hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 hmac-sha2-256 \
+ hmac-sha2-384 hmac-sha2-512 null
pack $w.sad.cryptoalg.label $w.sad.cryptoalg.esp $w.sad.cryptoalg.ah \
-side left -anchor w
pack $w.sad.cryptoalg -side top -anchor w
#
frame $w.sad.psk -borderwidth 4
label $w.sad.psk.label -text "Shared secret:"
- entry $w.sad.psk.text -bg white -width 30
+ entry $w.sad.psk.text -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != {} } {
set psk [ getConfig $ipsecCfg "shared-secret"]
} else {
set psk ""
}
$w.sad.psk.text insert end $psk
+ $w.sad.psk.text configure \
+ -vcmd {checkSharedSecret %P}
pack $w.sad.psk.text $w.sad.psk.label -side right -padx 4 -pady 0
pack $w.sad.psk -side top -anchor w
pack $w.sad -side top -anchor w -fill both
#
frame $w.spd.sourceSP -borderwidth 4
label $w.spd.sourceSP.label -text "Src SP address:"
- entry $w.spd.sourceSP.source -bg white -width 30
+ entry $w.spd.sourceSP.source -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != "" } {
set sourceSP [ getConfig $ipsecCfg "SP-source-address"]
} else {
set sourceSP ""
}
$w.spd.sourceSP.source insert end $sourceSP
+ $w.spd.sourceSP.source configure \
+ -vcmd {checkSPrange %P}
pack $w.spd.sourceSP.source $w.spd.sourceSP.label \
-side right -padx 4 -pady 0
pack $w.spd.sourceSP -side top -anchor w
#
frame $w.spd.destSP -borderwidth 4
label $w.spd.destSP.label -text "Dst SP address:"
- entry $w.spd.destSP.dest -bg white -width 30
+ entry $w.spd.destSP.dest -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != "" } {
set destSP [ getConfig $ipsecCfg "SP-destination-address"]
} else {
set destSP ""
}
$w.spd.destSP.dest insert end $destSP
+ $w.spd.destSP.dest configure \
+ -vcmd {checkSPrange %P}
pack $w.spd.destSP.dest $w.spd.destSP.label -side right -padx 4 -pady 0
pack $w.spd.destSP -side top -anchor w
#
frame $w.spd.sourcesgw -borderwidth 4
label $w.spd.sourcesgw.label -text "Src SGW address:"
- entry $w.spd.sourcesgw.source -bg white -width 30
+ entry $w.spd.sourcesgw.source -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != "" } {
set sourcesgw [ getConfig $ipsecCfg "source-SGW-address"]
} else {
set sourcesgw ""
}
$w.spd.sourcesgw.source insert end $sourcesgw
+ $w.spd.sourcesgw.source configure \
+ -vcmd {checkIPv4Addr %P}
pack $w.spd.sourcesgw.source $w.spd.sourcesgw.label \
-side right -padx 4 -pady 0
pack $w.spd.sourcesgw -side top -anchor w
#
- # Source SGW address
+ # Destination SGW address
#
frame $w.spd.destsgw -borderwidth 4
label $w.spd.destsgw.label -text "Dst SGW address:"
- entry $w.spd.destsgw.source -bg white -width 30
+ entry $w.spd.destsgw.source -bg white -width 30 \
+ -validate focus -invcmd "focusAndFlash %W"
if { $ipsecCfg != "" } {
set destsgw [ getConfig $ipsecCfg "destination-SGW-address"]
} else {
set destsgw ""
}
$w.spd.destsgw.source insert end $destsgw
+ $w.spd.destsgw.source configure \
+ -vcmd {checkIPv4Addr %P}
pack $w.spd.destsgw.source $w.spd.destsgw.label \
-side right -padx 4 -pady 0
pack $w.spd.destsgw -side top -anchor w
#
frame $w.buttons
pack $w.buttons -side bottom
- button $w.buttons.close -text Close -command "destroy $w"
+ button $w.buttons.close -text Close -command \
+ "set badentry -1 ; destroy $w"
if { $view == "1" } {
set edit "1"
button $w.buttons.delete -text Delete \
-command "deleteIpsecCfg $w $node $viewid $edit"
button $w.buttons.apply -text Apply \
- -command "editIpsecCfg $w $node $viewid $edit"
+ -command "editIpsecCfg $w $node $viewid $edit 0"
+ focus $w.buttons.apply
pack $w.buttons.delete $w.buttons.close $w.buttons.apply -side left
} else {
set add "1"
button $w.buttons.apply -text "Apply" \
- -command "ipsecConfigApply $w $node $add"
+ -command "ipsecConfigApply $w $node $add 0"
+ focus $w.buttons.apply
pack $w.buttons.apply $w.buttons.close -side left
}
-
}
-
return
}
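Review bot: The default AH algorithm for a new entry at L228, `set caah hmac-md5`, is weaker than the `hmac-sha2-256` it replaces; unless a target stack requires MD5, keep `set caah hmac-sha2-256` as the default and let the menu offer hmac-md5 explicitly, or state the reason in a comment if the downgrade is deliberate. Both rebuilt menus now list `null`, which is a no-protection option; a comment such as `# null = no encryption/authentication, for testing only` next to the tk_optionMenu calls would keep it from being picked by accident. The outbound SPI spinbox at L181-182 starts at 1367 but its validator accepts 1366, so a typed 1366 passes `checkIntRange` while the spinner never offers it; use one bound in both places. The new `-command` strings at L338, L345 and L352 are built by interpolation, so a node name or widget path with whitespace or brackets is re-parsed as extra words; `[list editIpsecCfg $w $node $viewid $edit 0]` passes the arguments intact. viewIpsecCfg's body is split across several hunks here.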
proc deleteIpsecCfg { w node viewid edit } {
set edit "0"
- editIpsecCfg $w $node $viewid $edit
+ editIpsecCfg $w $node $viewid $edit 0
return
}
# * ipsecCfg -- new ipsec-config structure
#****
-proc ipsecConfigApply { w node add } {
- global changed
- global ipsecalg spipsecalg mode ipcomp
+proc ipsecConfigApply { w node add phase } {
+ global ipsecalg spipsecalg mode ipcompalg
global cryptoalgesp cryptoalgah action traffic level
+ global badentry
set ipsecCfg ""
set error ""
-
+
+ if { $add == 1 } {
+ $w config -cursor watch
+ update
+ if { $phase == 0 } {
+ set badentry 0
+ focus .
+ after 100 "ipsecConfigApply $w $node $add 1"
+ return
+ } elseif { $badentry } {
+ $w config -cursor left_ptr
+ return
+ }
+ }
+
set id [$w.id.text get]
set sourceSA [$w.sad.sourceSA.source get]
set destSA [$w.sad.destSA.dest get]
set destsgw [$w.spd.destsgw.source get]
if { $add == "1" } {
- set valid [checkIpsecCfg $node "ipsec-config-id" $id]
- if { $valid == "0" } {
+ set error [checkIpsecCfg $node "ipsec-config-id" $id]
+ if { $error != "" } {
destroy $w
- set error "Choose another ipsec-config-id."
showIpsecErrors $error
return ""
}
set ipsecCfg [setConfig $ipsecCfg $sourceSA "SA-source-address"]
set ipsecCfg [setConfig $ipsecCfg $destSA "SA-destination-address"]
set ipsecCfg [setConfig $ipsecCfg $ipsecalg "ipsec-algorithm"]
- set ipsecCfg [setConfig $ipsecCfg $ipcomp "IPcomp-algorithm"]
+ set ipsecCfg [setConfig $ipsecCfg $ipcompalg "IPcomp-algorithm"]
set ipsecCfg [setConfig $ipsecCfg $inboundspi "inbound-spi"]
set ipsecCfg [setConfig $ipsecCfg $outboundspi "outbound-spi"]
set ipsecCfg [setConfig $ipsecCfg $cryptoalgesp "esp-crypto-algorithm"]
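Review bot: The deferred call at L386, `after 100 "ipsecConfigApply $w $node $add 1"`, is a script assembled by string interpolation, so a node name or widget path containing whitespace or brackets is re-parsed as extra words or commands when the timer fires; `after 100 [list ipsecConfigApply $w $node $add 1]` passes the arguments intact. The same pattern is added at L15 in editIpsecCfg. The cursor is switched to `watch` at L381 before the phase test but only restored on the bad-entry path; if the phase-1 success path, which continues past this hunk, does not reset it, the window keeps the busy cursor. ipsecConfigApply's body runs past the end of the hunk.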
# TODO: Add check for the IPv4/IPv6 addresses
# TODO: Add check for the shared secret field
+# Currently, if there are some errors in syntax
+# od the setkey.conf, they will be shown after
+# Experiment->Execute in error window.
proc checkIpsecCfg { node strd str } {
- set valid "1"
+ set error ""
set ipsecCfgList [getIpsecConfig $node]
switch $strd {
ipsec-config-id {
- foreach ipsecCfg $ipsecCfgList {
- set currentid [getConfig $ipsecCfg "ipsec-config-id"]
- if { $str == $currentid } {
- set valid "0"
+
+ if { $str == "" } {
+ set error "Please, enter ipsec-config-id."
+ } else {
+
+ foreach ipsecCfg $ipsecCfgList {
+ set currentid [getConfig $ipsecCfg "ipsec-config-id"]
+ if { $str == $currentid } {
+ set error "Choose another ipsec-config-id."
+ }
}
}
}
}
- return $valid
+ return $error
}
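Review bot: The switch in checkIpsecCfg only handles `ipsec-config-id`; any other `strd` falls through, the proc returns an empty string, and the caller at L402 now reads that as "valid". A `default { set error "Unknown field: $strd" }` arm, or at least a comment stating that only the id is checked, would stop a misspelled field name from passing silently. The new comment at L419 reads `od the setkey.conf`; it should be `of the setkey.conf`. The duplicate-id loop keeps iterating after a match; a `break` after setting `error` makes the intent clearer.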
#****f* ipsec.tcl/setConfig
set sourceSA ""
set destSA ""
set ipsecalg ""
- set ipcomp ""
+ set ipcompalg ""
set inboundspi ""
set outboundspi ""
set cryptoalgesp ""
set sourceSA [getConfig $ipsecCfg "SA-source-address"]
set destSA [getConfig $ipsecCfg "SA-destination-address"]
set ipsecalg [getConfig $ipsecCfg "ipsec-algorithm"]
- set ipcomp [getConfig $ipsecCfg "IPcomp-algorithm"]
+ set ipcompalg [getConfig $ipsecCfg "IPcomp-algorithm"]
set inboundspi [getConfig $ipsecCfg "inbound-spi"]
set outboundspi [getConfig $ipsecCfg "outbound-spi"]
set cryptoalgesp [getConfig $ipsecCfg "esp-crypto-algorithm"]
return ""
}
- #
- # TODO: IPcomp: deflate, lzs
- #
- #if { $ipcomp == "yes" } {
- # set ipcompalg " -C deflate"
- # append cryptoalg $ipcompalg
- #}
+ if { $ipcompalg == "defalte" || $ipcompalg == "lzs" } {
+ set ipcompalgorithm " -C $ipcompalg"
+ append cryptoalg $ipcompalgorithm
+ }
if { $sourceSA != "" && $destSA != "" && \
$ipsecalg != "" && $cryptoalg != "" && \
lappend cfg "spdadd $destSP $sourceSP $traffic -P in
$action $spipsecalg/$mode//$level;"
- } else {
+ } elseif { $mode == "tunnel" } {
if { $sourcesgw != "" && $destsgw != "" } {
}
return $cfg
}
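Review bot: The IPcomp test at L474 compares against the misspelled `"defalte"`, while the option menu at L209 populates `ipcompalg` with `deflate`, so the deflate branch can never run and only lzs ever reaches setkey.conf; change it to `if { $ipcompalg == "deflate" || $ipcompalg == "lzs" }`. Because `-C $ipcompalg` is interpolated straight into the configuration line, this comparison is also what keeps anything other than the two known names out of it, which deserves a comment: `# only the algorithms setkey knows; "no IPcomp" adds nothing`. The enclosing proc starts and ends outside this hunk.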
+
+proc setkeyError { setkeyerror } {
+ set str "[lindex [split $setkeyerror "\."] 0]"
+ set errorstr "Error in created setkey.conf: "
+ append errorstr $str
+ showIpsecErrors $errorstr
+}
+
+# TODO: SP range can be one of the following:
+# address
+# address/prefixlen
+# address[port]
+# address/prefixlen[port]
+#
+proc checkSPrange { SPrange } {
+ if { [checkSAaddress $SPrange] == 1 } {
+ return 1
+ } elseif { [checkSPnet $SPrange] == 1 } {
+ return 1
+ } elseif { [checkIPv46AddrPort $SPrange] == 1 } {
+ return 1
+ }
+ return 0
+}
+
+# RETURN
+# 1 for address[port] or address/prefixlen[port]
+# (Address is IPv4/IPv6 address.)
+# 0 otherwise
+#
+
+#****f* ipsec.tcl/setConfig
+# NAME
+# checkIPv46AddrPort -- check SP range for spdadd
+# setkey command
+# SYNOPSIS
+# checkIPv46AddrPort $addr
+# FUNCTION
+# Check if str has the following form:
+# address[port] or address/prefixlen[port].
+# Address can be IPv4 or IPv6 address.
+# INPUTS
+# * str -- IPv4 or IPv6 address with port information
+# RESULT
+# * 1 -- if str has the form address[port] or
+# address/prefixlen[port]
+# * 0 -- otherwise
+#****
+
+proc checkIPv46AddrPort { str } {
+ if { $str == "" } {
+ return 1
+ }
+ set addr [lindex [split $str "\["] 0]
+ set SAaddress [checkSAaddress $addr]
+ set SPnet [checkSPnet $addr]
+ if { $SAaddress == 0 && $SPnet == 0 } {
+ return 0
+ } else {
+ set tmp [lindex [split $str "\["] 1]
+ set port [lindex [split $tmp "\]"] 0]
+ if { $port != "" } {
+ return [checkIntRange $port 0 65535]
+ } else {
+ return 0
+ }
+ }
+}
+
+#****f* ipsec.tcl/checkSAaddress
+# NAME
+# checkSAaddress -- check SA address for add
+# setkey command
+# SYNOPSIS
+# checkSAaddress $str
+# FUNCTION
+# Check if str is valid IPv4/IPv6 address, without /prefixlen.
+# INPUTS
+# * str -- IPv4 or IPv6 address
+# RESULT
+# * 1 -- if str is valid address
+# * 0 -- otherwise
+#****
+
+proc checkSAaddress { str } {
+ if { $str == "" } {
+ return 1
+ }
+ if { [checkIPv4Addr $str] == 1 } {
+ return 1
+ } elseif { [checkIPv6Addr $str] == 1 } {
+ return 1
+ }
+ return 0
+}
+
+#****f* ipsec.tcl/checkSPnet
+# NAME
+# checkSPnet -- check if CIDR address is valid
+# SYNOPSIS
+# checkSAaddress $str
+# FUNCTION
+# Check if str is valid IPv4/IPv6 address with /prefixlen.
+# INPUTS
+# * str -- IPv4 or IPv6 address
+# RESULT
+# * 1 -- if str is valid address
+# * 0 -- otherwise
+#****
+
+proc checkSPnet { str } {
+ if { $str == "" } {
+ return 1
+ }
+ if { [checkIPv4Net $str] == 1 } {
+ return 1
+ } elseif { [checkIPv6Net $str] == 1 } {
+ return 1
+ }
+ return 0
+}
+
+#****f* ipsec.tcl/checkSharedSecret
+# NAME
+# checkSharedSecret -- check if the shared secret has the
+# valid format
+# SYNOPSIS
+# checkSharedSecret $str
+# FUNCTION
+# Check if the shared secret has valid form. Allowed formats are:
+# -- double-quoted character string
+# -- series of hexadecimal digits
+# (TODO: Check the length of the shared secret (in relation with
+# choosen cryptographic algorithm)).
+# INPUTS
+# * str -- shared secret
+# RESULT
+# * 1 -- if shared secret has valid format
+# * 0 -- otherwise
+#****
+
+proc checkSharedSecret { str } {
+ if { $str == "" } {
+ return 1
+ }
+ set hexmark ""
+ set limiter1 ""
+ set limiter2 ""
+ set hexmark [string range $str 0 1]
+ set limiter1 [string index $str 0]
+ set limiter2 [string index $str end]
+ if { $hexmark == "0x" } {
+ set psk [string range $str 2 end]
+ if { $psk != "" } {
+ if { [string is integer $psk] } {
+ return 1
+ }
+ }
+ } elseif { $limiter1 == "\"" && $limiter2 == "\"" } {
+ set psk [string replace $str 0 0]
+ set pskonly [string replace $psk end end]
+ if { $pskonly != "" } {
+ return 1
+ }
+ }
+ return 0
+}
+
+
+
+
+
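Review bot: checkSharedSecret's hex branch at L642 validates with `string is integer`, which rejects any digit a-f and fails on values wider than the integer range, so a normal key such as 0x0123456789abcdef is refused while 0x1234 is accepted; `string is xdigit -strict $psk` plus an even-length check is the test that matches what setkey expects. The quoted branch only inspects the first and last character, so a secret with an inner `"` or a line break passes validation and would terminate the setkey token early. checkIPv46AddrPort at L547-548 never verifies that the closing `]` is present, so `addr[80` validates. setkeyError at L490 splits the message on `.`, which truncates any text containing an IP address; taking the first line instead, `lindex [split $setkeyerror "\n"] 0`, keeps the message intact.
```tcl
proc checkSharedSecret { str } {
    if { $str == "" } {
        return 1
    }
    if { [string range $str 0 1] == "0x" } {
        set psk [string range $str 2 end]
        # hex digits only and whole bytes; "string is integer" rejects a-f
        # and overflows on long keys
        if { [string is xdigit -strict $psk] && \
             [string length $psk] % 2 == 0 } {
            return 1
        }
    } elseif { [string length $str] >= 2 && \
               [string index $str 0] == "\"" && \
               [string index $str end] == "\"" } {
        set pskonly [string range $str 1 end-1]
        # no embedded quote or line break, either would end the
        # setkey token early
        if { $pskonly != "" && [string first "\"" $pskonly] < 0 && \
             [string first "\n" $pskonly] < 0 } {
            return 1
        }
    }
    return 0
}
```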