From c33196624c7b957ce96611b43475a3322123903f Mon Sep 17 00:00:00 2001 From: ana Date: Tue, 16 Jan 2007 16:23:49 +0000 Subject: [PATCH] ipsec.tcl enhancement Bug found by: Submitted by: Requested by: Reviewed by: Approved by: Obtained from: --- cfgparse.tcl | 13 ++ editor.tcl | 23 ++- exec.tcl | 14 +- initgui.tcl | 5 +- ipsec.tcl | 436 ++++++++++++++++++++++++++++++++++++++------------- ipv4.tcl | 3 + 6 files changed, 367 insertions(+), 127 deletions(-) diff --git a/cfgparse.tcl b/cfgparse.tcl index c92576a..4165db4 100755 --- a/cfgparse.tcl +++ b/cfgparse.tcl @@ -92,6 +92,7 @@ proc dumpCfg {method dest} { global node_list link_list canvas_list global showIfNames showNodeLabels showLinkLabels global showIfIPaddrs showIfIPv6addrs + global showIPsecConfig foreach node $node_list { global $node @@ -169,6 +170,10 @@ proc dumpCfg {method dest} { dumpputs $method $dest " link_labels no" } else { dumpputs $method $dest " link_labels yes" } + if {$showIPsecConfig == 0} { + dumpputs $method $dest " ipsec_configs no" + } else { + dumpputs $method $dest " ipsec_configs yes" } dumpputs $method $dest "\}" dumpputs $method $dest "" @@ -191,6 +196,7 @@ proc loadCfg { cfg } { global node_list link_list canvas_list global showIfNames showNodeLabels showLinkLabels global showIfIPaddrs showIfIPv6addrs + global showIPsecConfig # Cleanup first set node_list {} @@ -377,6 +383,13 @@ proc loadCfg { cfg } { set showLinkLabels 1 } } + ipsec_configs { + if { $value == "no" } { + set showIPsecConfig 0 + } elseif { $value == "yes" } { + set showIPsecConfig 1 + } + } } } } diff --git a/editor.tcl b/editor.tcl index 89744b3..10a7957 100755 --- a/editor.tcl +++ b/editor.tcl @@ -1685,6 +1685,7 @@ proc popupConfigDialog { c } { } if { [lsearch {link linklabel} $tk_type] > -1 } { set object_type link + p } if { "$object_type" == ""} { destroy $wi 
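Review bot: The bare `p` added after `set object_type link` in popupConfigDialog is executed as a Tcl command, so unless a proc named `p` exists elsewhere in the project every link-configuration dialog now fails with `invalid command name "p"`. It looks like a stray keystroke; the line should be dropped so the branch reads `set object_type link` alone. popupConfigDialog starts and ends outside this hunk.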
@@ -1902,7 +1903,9 @@ proc popupConfigDialog { c } { # IPsec configuration: # global ipsecEnabled - labelframe $wi.ipsec -padx 4 -pady 4 + global showIPsecConfig + if { $showIPsecConfig == 1 } { + labelframe $wi.ipsec -padx 4 -pady 4 frame $wi.ipsec.label label $wi.ipsec.label.txt -text "Manual IPsec configuration:" pack $wi.ipsec.label.txt -side left -anchor w @@ -1928,7 +1931,8 @@ proc popupConfigDialog { c } { pack $wi.ipsec.label -side top -anchor w pack $wi.ipsec.cfg -side top pack $wi.ipsec -side top -anchor w -fill both - + } + # # CPU scheduling parameters # @@ -2085,22 +2089,25 @@ proc editStartupCfg { node } { pack $w.ftop -side top -anchor w text $w.text -relief sunken -bd 2 -yscrollcommand "$w.scroll set" \ - -setgrid 1 -height 10 -undo 1 -autosep 1 -background white + -setgrid 1 -height 40 -undo 1 -autosep 1 -background white focus $w.text scrollbar $w.scroll -command "$w.text yview" + frame $w.buttons + pack $w.buttons -side bottom + button $w.buttons.apply -text "Apply" \ + -command "customConfigApply $w $node" + button $w.buttons.cancel -text Cancel -command "destroy $w" + pack $w.buttons.apply $w.buttons.cancel -side left + pack $w.scroll -side right -fill y pack $w.text -expand yes -fill both - # TODO: Ako je custom-config vec ucitan i ostavimo postavljen custom - # config enabled, onda se ono ucitano razlomi tak da da svako slovo - # dodje u novi red. foreach line [getCustomConfig $node] { - $w.text insert end "$line " + $w.text insert end "$line^M" } $w.text mark set insert 0.0 - return } diff --git a/exec.tcl b/exec.tcl index c4f58e3..27449aa 100755 --- a/exec.tcl +++ b/exec.tcl @@ -402,8 +402,6 @@ proc l3node.start { eid node } { nexec vimage $node_id ifconfig $ifc mtu $mtu } - set ipsecCfg "" - if { [getCustomEnabled $node] == true } { set bootcmd [getCustomCmd $node] set bootcfg [getCustomConfig $node] 
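Review bot: The new `$w.text insert end "$line^M"` in editStartupCfg appears to terminate each config line with a literal carriage return (what editors display as ^M) rather than a newline, so the Tk text widget will not break lines and the CR ends up in the saved custom config; `$w.text insert end "$line\n"` is the intended form. The removed TODO (translated: if a custom config is already loaded and left enabled, the loaded text is broken so that every character ends up on its own line) seems to describe exactly this area, so the round trip through getCustomConfig is worth confirming before closing it. The Apply button's `customConfigApply $w $node` is not defined anywhere in this patch; if it does not exist yet, the button raises an error when pressed. editStartupCfg ends outside the hunk.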
@@ -412,6 +410,7 @@ proc l3node.start { eid node } { set bootcfg "" } + set ipsecCfg "" if { [getIpsecEnabled $node] == true } { set setkeycfg [ipsecCfggen $node] set setkeyFileId [open /tmp/$node_id/setkey.conf w+] @@ -420,10 +419,13 @@ proc l3node.start { eid node } { } close $setkeyFileId - # TODO: Show the user if setkey.conf has - # been succesfully loaded. - catch "nexec vimage $node_id setkey -f \ - /tmp/$node_id/setkey.conf" + set error "" + set errorstr "" + set error [catch "nexec vimage $node_id setkey -f \ + /tmp/$node_id/setkey.conf" errorstr] + if { $error == "1" } { + setkeyError $node_id $errorstr + } } if { $bootcmd == "" || $bootcfg =="" } { diff --git a/initgui.tcl b/initgui.tcl index acca085..c02cb62 100755 --- a/initgui.tcl +++ b/initgui.tcl @@ -134,6 +134,7 @@ set showIfIPaddrs 1 set showIfIPv6addrs 1 set showNodeLabels 1 set showLinkLabels 1 +set showIPsecConfig 1 set supp_router_models "xorp quagga static" set def_router_model quagga @@ -360,7 +361,9 @@ menu .menubar.view -tearoff 0 .c itemconfigure $object -state normal } } - +.menubar.view add separator +.menubar.view add checkbutton -label "Show IPsec config" \ + -underline 5 -variable showIPsecConfig # # Experiment diff --git a/ipsec.tcl b/ipsec.tcl index 956f395..15472fd 100755 --- a/ipsec.tcl +++ b/ipsec.tcl @@ -52,9 +52,22 @@ # ipsec-config will be deleted. #**** -proc editIpsecCfg { w node deleteid edit } { - - global viewid +proc editIpsecCfg { w node deleteid edit phase } { + + global viewid badentry + +#### TODO: ######################## + $w config -cursor watch; update + if { $phase == 0 } { + set badentry 0 + focus . + after 100 "editIpsecCfg $w $node $deleteid $edit 1" + return + } elseif { $badentry } { + $w config -cursor left_ptr + return + } +################################# set ipsecCfgList [getIpsecConfig $node] set i 0 foreach element $ipsecCfgList { 
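Review bot: `setkeyError $node_id $errorstr` passes two arguments, but `setkeyError` as added in ipsec.tcl later in this patch takes a single `setkeyerror` parameter, so the error path itself fails with `wrong # args` instead of reporting the setkey problem; either drop `$node_id` here or extend the proc and use the node id in the message. Even when reported, l3node.start continues after a failed setkey, which leaves the node running without the SAD/SPD it was configured with, so traffic the user meant to protect flows unprotected; returning an error or refusing to start the node is safer than a notice box. The setkey.conf written on the context line above holds the shared secret and `open` is called without a mode, so `open /tmp/$node_id/setkey.conf w+ 0600` would keep it from being world-readable under a permissive umask. The enclosing proc continues outside the hunk.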
@@ -67,17 +80,16 @@ proc editIpsecCfg { w node deleteid edit } { if { $edit == "1" } { set add "0" - set ipsecCfg [ipsecConfigApply $w $node $add] + set ipsecCfg [ipsecConfigApply $w $node $add 0] set newid [getConfig $ipsecCfg "ipsec-config-id"] set viewid $newid lappend ipsecCfgList $ipsecCfg } - + removeIpsecConfig $node foreach ipsecCfg $ipsecCfgList { setIpsecConfig $node $ipsecCfg } - if { $edit != "1" } { destroy $w set delete "1" @@ -105,7 +117,6 @@ proc editIpsecCfg { w node deleteid edit } { #**** proc showIpsecErrors { str } { - global viewid set error "" #foreach element $str { @@ -114,24 +125,13 @@ proc showIpsecErrors { str } { # } #} set error $str - - set w .cfgeditor - catch {destroy $w} - toplevel $w -takefocus 1 - #wm transient $w . - grab $w - catch {unset viewid} - frame $w.noentry -borderwidth 4 - label $w.noentry.label -text $error - pack $w.noentry.label -side left -anchor w - pack $w.noentry -side top -anchor w - - frame $w.noentrybuttons - pack $w.noentrybuttons -side bottom - button $w.noentrybuttons.close -text Close \ - -command "destroy $w" - pack $w.noentrybuttons.close -side left + tk_messageBox -message $error -type ok -icon error \ + -title "IPsec configuration error" +} +proc showIPsecInfo { str } { + tk_messageBox -message $str -type ok -icon info \ + -title "IPsec configuration notice" } #****f* ipsec.tcl/viewIpsecCfg 
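Review bot: `showIPsecInfo` is added next to `showIpsecErrors` with a different capitalisation of IPsec in its name; the file otherwise uses `Ipsec` in proc names (`editIpsecCfg`, `viewIpsecCfg`, `checkIpsecCfg`), so `showIpsecInfo` would keep the convention. No caller of the new proc appears anywhere in this patch, so it may be dead code or intended for a follow-up. In showIpsecErrors the commented-out foreach and `set error ""` followed by `set error $str` are now leftovers around a single `tk_messageBox` call, which can take `$str` directly. showIpsecErrors begins outside the hunk.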
@@ -158,35 +158,35 @@ proc showIpsecErrors { str } { #**** proc viewIpsecCfg { node delete view } { - - set idlist {} - global viewid - set ipsecCfgList [getIpsecConfig $node] - set len [llength $ipsecCfgList] - foreach ipsecCfg $ipsecCfgList { - set id [lindex [lsearch -inline $ipsecCfg "ipsec-config-id *"] 1] - lappend idlist $id - } - if { $delete == "1" } { - set viewid [lindex $idlist 0] - } - if { $view == "0" } { - catch {unset viewid} - } - - set ipsecCfg "" - - if { $view == "1" && $idlist == {} } { - - set error "There are no ipsec-config entries with specified ipsec-config-id." - showIpsecErrors $error - - } else { + set idlist {} + global viewid badentry + set ipsecCfgList [getIpsecConfig $node] + set len [llength $ipsecCfgList] + foreach ipsecCfg $ipsecCfgList { + set id [lindex [lsearch -inline $ipsecCfg "ipsec-config-id *"] 1] + lappend idlist $id + } + if { $delete == "1" } { + set viewid [lindex $idlist 0] + } + if { $view == "0" } { + catch {unset viewid} + } + + set ipsecCfg "" + + if { $view == "1" && $idlist == {} } { + + set error "There are no ipsec-config entries with specified ipsec-config-id." + showIpsecErrors $error + + } else { set w .cfgeditor catch {destroy $w} toplevel $w -takefocus 1 #wm transient $w . + wm resizable $w 0 0 grab $w wm title $w "Node $node" wm iconname $w "$node" 
@@ -241,13 +241,16 @@ proc viewIpsecCfg { node delete view } { frame $w.sad.sourceSA -borderwidth 4 label $w.sad.sourceSA.label -text "Src SA address:" pack $w.sad.sourceSA.label -side left -anchor w - entry $w.sad.sourceSA.source -bg white -width 30 + entry $w.sad.sourceSA.source -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != "" } { set sourceSA [ getConfig $ipsecCfg "SA-source-address"] } else { set sourceSA "" } $w.sad.sourceSA.source insert end $sourceSA + $w.sad.sourceSA.source configure \ + -vcmd {checkSAaddress %P} pack $w.sad.sourceSA.source $w.sad.sourceSA.label \ -side left -padx 4 -pady 0 pack $w.sad.sourceSA -side top -anchor w @@ -258,13 +261,16 @@ proc viewIpsecCfg { node delete view } { frame $w.sad.destSA -borderwidth 4 label $w.sad.destSA.label -text "Dst SA address:" pack $w.sad.destSA.label -side left -anchor w - entry $w.sad.destSA.dest -bg white -width 30 + entry $w.sad.destSA.dest -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != {} } { set destSA [ getConfig $ipsecCfg "SA-destination-address"] } else { set destSA "" } $w.sad.destSA.dest insert end $destSA + $w.sad.destSA.dest configure \ + -vcmd {checkSAaddress %P} pack $w.sad.destSA.dest $w.sad.destSA.label \ -side left -padx 4 -pady 0 pack $w.sad.destSA -side top -anchor w @@ -287,8 +293,8 @@ proc viewIpsecCfg { node delete view } { -validate focus -invcmd "focusAndFlash %W" $w.sad.spi.inboundv insert 0 $inboundspi $w.sad.spi.inboundv configure \ - -from 1 -to 65535 -increment 1 \ - -vcmd {checkIntRange %P 1 65535} + -from 1366 -to 65535 -increment 1 \ + -vcmd {checkIntRange %P 1366 65535} pack $w.sad.spi.inboundl $w.sad.spi.inboundv \ -side left -anchor w 
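Review bot: The inbound SPI lower bound changes from 1 to 1366 in both the spinbox `-from` and the `checkIntRange` validator with no comment on where the value comes from; the same applies to the outbound hunk that follows. RFC 4302/4303 reserve SPIs 0–255, so if 1366 reflects a setkey or kernel constraint, or a project convention, a one-line comment such as `# SPI lower bound: <reason> (0-255 are IANA-reserved, RFC 4302/4303)` next to the spinbox would save the next reader the archaeology. The upper bound 65535 also limits a 32-bit field to 16 bits; if that is a deliberate UI choice it belongs in the same comment. viewIpsecCfg continues outside the hunk.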
@@ -304,8 +310,8 @@ proc viewIpsecCfg { node delete view } { -validate focus -invcmd "focusAndFlash %W" $w.sad.spi.outboundv insert 0 $outboundspi $w.sad.spi.outboundv configure \ - -from 2 -to 65535 -increment 1 \ - -vcmd {checkIntRange %P 2 65535 } + -from 1367 -to 65535 -increment 1 \ + -vcmd {checkIntRange %P 1366 65535 } pack $w.sad.spi.outboundl $w.sad.spi.outboundv \ -side left -anchor w pack $w.sad.spi -side top -anchor w @@ -328,22 +334,17 @@ proc viewIpsecCfg { node delete view } { -side left -anchor w # IP compression: - label $w.sad.ipsecalg.ipcomp -text "IPcomp:" + label $w.sad.ipsecalg.ipcomp -text "IPcomp: " pack $w.sad.ipsecalg.ipcomp -side left -anchor w - global ipcomp + global ipcompalg if { $ipsecCfg != {} } { - set ipcomp [ getConfig $ipsecCfg "IPcomp-algorithm"] + set ipcompalg [ getConfig $ipsecCfg "IPcomp-algorithm"] } else { - set ipcomp no + set ipcompalg "no IPcomp" } - radiobutton $w.sad.ipsecalg.ipcompyes -text "yes" \ - -variable ipcomp -value yes - radiobutton $w.sad.ipsecalg.ipcompno -text "no" \ - -variable ipcomp -value no - pack $w.sad.ipsecalg.ipcompyes -side top -anchor w - pack $w.sad.ipsecalg.ipcompno -side bottom -anchor w - pack $w.sad.ipsecalg.ipcomp \ - $w.sad.ipsecalg.ipcompyes $w.sad.ipsecalg.ipcompno \ + tk_optionMenu $w.sad.ipsecalg.ipcompalg ipcompalg \ + deflate lzs "no IPcomp" + pack $w.sad.ipsecalg.ipcomp $w.sad.ipsecalg.ipcompalg \ -side left -anchor w pack $w.sad.ipsecalg -side top -anchor w 
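Review bot: The outbound SPI spinbox is now configured with `-from 1367` while its validator is `-vcmd {checkIntRange %P 1366 65535 }`, so the spinbox arrows and the typed-value check disagree about whether 1366 is allowed; the two should use one value, e.g. `-vcmd {checkIntRange %P 1367 65535}` if 1367 is intended. The inbound hunk above uses 1366 for both, so whichever bound is right, the reason the two directions differ should be stated in a comment. viewIpsecCfg continues outside the hunk.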
@@ -355,19 +356,23 @@ proc viewIpsecCfg { node delete view } { frame $w.sad.cryptoalg -borderwidth 4 label $w.sad.cryptoalg.label -text "Crypto algorithm:" pack $w.sad.cryptoalg.label -side left -anchor w - global cryptoalgesp cryptoalgah + global cryptoalgesp + global cryptoalgah if { $ipsecCfg != {} } { - set crytoalgesp [ getConfig $ipsecCfg "esp-crypto-algorithm"] - set crytoalgah [ getConfig $ipsecCfg "ah-crypto-algorithm"] + set caesp [ getConfig $ipsecCfg "esp-crypto-algorithm"] + set caah [ getConfig $ipsecCfg "ah-crypto-algorithm"] } else { - set cryptoalgesp 3des-cbc - set cryptoalgah hmac-sha2-256 + set caesp 3des-cbc + set caah hmac-md5 } - tk_optionMenu $w.sad.cryptoalg.esp cryptoalgesp des-cbc 3des-cbc \ - simple blowfish-cbc cast128-cbc rijndael-cbc - tk_optionMenu $w.sad.cryptoalg.ah cryptoalgah hmac-md5 hmac-sha1 \ - keyed-md5 keyed-sha1 hmac-sha2-256 hmac-sha2-384 hmac-sha2-512 \ - null + set cryptoalgesp $caesp + set cryptoalgah $caah + tk_optionMenu $w.sad.cryptoalg.esp cryptoalgesp \ + des-cbc 3des-cbc simple blowfish-cbc cast128-cbc \ + rijndael-cbc null + tk_optionMenu $w.sad.cryptoalg.ah cryptoalgah \ + hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 hmac-sha2-256 \ + hmac-sha2-384 hmac-sha2-512 null pack $w.sad.cryptoalg.label $w.sad.cryptoalg.esp $w.sad.cryptoalg.ah \ -side left -anchor w pack $w.sad.cryptoalg -side top -anchor w @@ -376,13 +381,16 @@ proc viewIpsecCfg { node delete view } { # frame $w.sad.psk -borderwidth 4 label $w.sad.psk.label -text "Shared secret:" - entry $w.sad.psk.text -bg white -width 30 + entry $w.sad.psk.text -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != {} } { set psk [ getConfig $ipsecCfg "shared-secret"] } else { set psk "" } $w.sad.psk.text insert end $psk + $w.sad.psk.text configure \ + -vcmd {checkSharedSecret %P} pack $w.sad.psk.text $w.sad.psk.label -side right -padx 4 -pady 0 pack $w.sad.psk -side top -anchor w pack $w.sad -side top -anchor w -fill both 
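Review bot: The default AH algorithm for a new entry changes from hmac-sha2-256 to hmac-md5 in the else branch with no reason given; among the keyed options offered, the MD5-based ones are the weakest and are no longer recommended for new configurations (RFC 8221 lists HMAC-MD5-96 as MUST NOT), so either keep `set caah hmac-sha2-256` or document why the default was lowered. The newly offered `null` ESP cipher provides no confidentiality, and the option menu gives no hint of that; a comment above the `tk_optionMenu $w.sad.cryptoalg.esp` line such as `# null: ESP without encryption (integrity only), for testing` would make the trade-off visible. The rename to caesp/caah also fixes the old `crytoalgesp`/`crytoalgah` typo that made the saved algorithms unused, which deserves a mention in the commit message. viewIpsecCfg continues outside the hunk.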
@@ -401,13 +409,16 @@ proc viewIpsecCfg { node delete view } { # frame $w.spd.sourceSP -borderwidth 4 label $w.spd.sourceSP.label -text "Src SP address:" - entry $w.spd.sourceSP.source -bg white -width 30 + entry $w.spd.sourceSP.source -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != "" } { set sourceSP [ getConfig $ipsecCfg "SP-source-address"] } else { set sourceSP "" } $w.spd.sourceSP.source insert end $sourceSP + $w.spd.sourceSP.source configure \ + -vcmd {checkSPrange %P} pack $w.spd.sourceSP.source $w.spd.sourceSP.label \ -side right -padx 4 -pady 0 pack $w.spd.sourceSP -side top -anchor w @@ -417,13 +428,16 @@ proc viewIpsecCfg { node delete view } { # frame $w.spd.destSP -borderwidth 4 label $w.spd.destSP.label -text "Dst SP address:" - entry $w.spd.destSP.dest -bg white -width 30 + entry $w.spd.destSP.dest -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != "" } { set destSP [ getConfig $ipsecCfg "SP-destination-address"] } else { set destSP "" } $w.spd.destSP.dest insert end $destSP + $w.spd.destSP.dest configure \ + -vcmd {checkSPrange %P} pack $w.spd.destSP.dest $w.spd.destSP.label -side right -padx 4 -pady 0 pack $w.spd.destSP -side top -anchor w 
@@ -432,29 +446,35 @@ proc viewIpsecCfg { node delete view } { # frame $w.spd.sourcesgw -borderwidth 4 label $w.spd.sourcesgw.label -text "Src SGW address:" - entry $w.spd.sourcesgw.source -bg white -width 30 + entry $w.spd.sourcesgw.source -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != "" } { set sourcesgw [ getConfig $ipsecCfg "source-SGW-address"] } else { set sourcesgw "" } $w.spd.sourcesgw.source insert end $sourcesgw + $w.spd.sourcesgw.source configure \ + -vcmd {checkIPv4Addr %P} pack $w.spd.sourcesgw.source $w.spd.sourcesgw.label \ -side right -padx 4 -pady 0 pack $w.spd.sourcesgw -side top -anchor w # - # Source SGW address + # Destination SGW address # frame $w.spd.destsgw -borderwidth 4 label $w.spd.destsgw.label -text "Dst SGW address:" - entry $w.spd.destsgw.source -bg white -width 30 + entry $w.spd.destsgw.source -bg white -width 30 \ + -validate focus -invcmd "focusAndFlash %W" if { $ipsecCfg != "" } { set destsgw [ getConfig $ipsecCfg "destination-SGW-address"] } else { set destsgw "" } $w.spd.destsgw.source insert end $destsgw + $w.spd.destsgw.source configure \ + -vcmd {checkIPv4Addr %P} pack $w.spd.destsgw.source $w.spd.destsgw.label \ -side right -padx 4 -pady 0 pack $w.spd.destsgw -side top -anchor w 
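Review bot: The new SGW entries validate with `checkIPv4Addr %P`, while the SA and SP entries earlier in this patch use `checkSAaddress`/`checkSPrange`, which also accept IPv6; a tunnel whose SAs and policies are IPv6 therefore cannot be given matching IPv6 gateway endpoints. Using `-vcmd {checkSAaddress %P}` for both `$w.spd.sourcesgw.source` and `$w.spd.destsgw.source` keeps the address families consistent, unless IPv4-only gateways are intended, in which case a comment should say so. The corrected comment "Destination SGW address" is welcome. viewIpsecCfg continues outside the hunk.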
@@ -556,23 +576,24 @@ proc viewIpsecCfg { node delete view } { # frame $w.buttons pack $w.buttons -side bottom - button $w.buttons.close -text Close -command "destroy $w" + button $w.buttons.close -text Close -command \ + "set badentry -1 ; destroy $w" if { $view == "1" } { set edit "1" button $w.buttons.delete -text Delete \ -command "deleteIpsecCfg $w $node $viewid $edit" button $w.buttons.apply -text Apply \ - -command "editIpsecCfg $w $node $viewid $edit" + -command "editIpsecCfg $w $node $viewid $edit 0" + focus $w.buttons.apply pack $w.buttons.delete $w.buttons.close $w.buttons.apply -side left } else { set add "1" button $w.buttons.apply -text "Apply" \ - -command "ipsecConfigApply $w $node $add" + -command "ipsecConfigApply $w $node $add 0" + focus $w.buttons.apply pack $w.buttons.apply $w.buttons.close -side left } - } - return } @@ -598,7 +619,7 @@ proc viewIpsecCfg { node delete view } { proc deleteIpsecCfg { w node viewid edit } { set edit "0" - editIpsecCfg $w $node $viewid $edit + editIpsecCfg $w $node $viewid $edit 0 return } @@ -624,13 +645,27 @@ proc deleteIpsecCfg { w node viewid edit } { # * ipsecCfg -- new ipsec-config structure #**** -proc ipsecConfigApply { w node add } { - global changed - global ipsecalg spipsecalg mode ipcomp +proc ipsecConfigApply { w node add phase } { + global ipsecalg spipsecalg mode ipcompalg global cryptoalgesp cryptoalgah action traffic level + global badentry set ipsecCfg "" set error "" - + + if { $add == 1 } { + $w config -cursor watch + update + if { $phase == 0 } { + set badentry 0 + focus . + after 100 "ipsecConfigApply $w $node $add 1" + return + } elseif { $badentry } { + $w config -cursor left_ptr + return + } + } + set id [$w.id.text get] set sourceSA [$w.sad.sourceSA.source get] set destSA [$w.sad.destSA.dest get] 
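Review bot: In the phase-1 re-entry of ipsecConfigApply, `$w config -cursor watch` runs before anything checks that the dialog still exists, and the Close button added in the first hunk (`set badentry -1 ; destroy $w`) can be pressed during the 100 ms `after` delay, which then produces a background error on the destroyed widget; a guard `if { ![winfo exists $w] } { return }` at the top of the `$add == 1` branch avoids it. The same cursor/badentry/`after` sequence was added to editIpsecCfg earlier in this patch and needs the same guard; factoring the sequence into one helper would also remove the duplication. ipsecConfigApply continues outside the hunk.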
@@ -643,10 +678,9 @@ proc ipsecConfigApply { w node add } { set destsgw [$w.spd.destsgw.source get] if { $add == "1" } { - set valid [checkIpsecCfg $node "ipsec-config-id" $id] - if { $valid == "0" } { + set error [checkIpsecCfg $node "ipsec-config-id" $id] + if { $error != "" } { destroy $w - set error "Choose another ipsec-config-id." showIpsecErrors $error return "" } @@ -656,7 +690,7 @@ proc ipsecConfigApply { w node add } { set ipsecCfg [setConfig $ipsecCfg $sourceSA "SA-source-address"] set ipsecCfg [setConfig $ipsecCfg $destSA "SA-destination-address"] set ipsecCfg [setConfig $ipsecCfg $ipsecalg "ipsec-algorithm"] - set ipsecCfg [setConfig $ipsecCfg $ipcomp "IPcomp-algorithm"] + set ipsecCfg [setConfig $ipsecCfg $ipcompalg "IPcomp-algorithm"] set ipsecCfg [setConfig $ipsecCfg $inboundspi "inbound-spi"] set ipsecCfg [setConfig $ipsecCfg $outboundspi "outbound-spi"] set ipsecCfg [setConfig $ipsecCfg $cryptoalgesp "esp-crypto-algorithm"] @@ -699,22 +733,31 @@ proc ipsecConfigApply { w node add } { # TODO: Add check for the IPv4/IPv6 addresses # TODO: Add check for the shared secret field +# Currently, if there are some errors in syntax +# od the setkey.conf, they will be shown after +# Experiment->Execute in error window. proc checkIpsecCfg { node strd str } { - set valid "1" + set error "" set ipsecCfgList [getIpsecConfig $node] switch $strd { ipsec-config-id { - foreach ipsecCfg $ipsecCfgList { - set currentid [getConfig $ipsecCfg "ipsec-config-id"] - if { $str == $currentid } { - set valid "0" + + if { $str == "" } { + set error "Please, enter ipsec-config-id." + } else { + + foreach ipsecCfg $ipsecCfgList { + set currentid [getConfig $ipsecCfg "ipsec-config-id"] + if { $str == $currentid } { + set error "Choose another ipsec-config-id." + } } } } } - return $valid + return $error } #****f* ipsec.tcl/setConfig 
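Review bot: In the `$add == "1"` branch, `destroy $w` runs before `showIpsecErrors $error`, so an empty or duplicate ipsec-config-id throws away every other field the user filled in; showing the error and returning `""` with the dialog left open lets them fix the id, i.e. drop `destroy $w` and restore the cursor with `$w config -cursor left_ptr`. The new comment above checkIpsecCfg has a typo (`od the setkey.conf` should be `of the setkey.conf`), and since the address and shared-secret checks remain TODO there while the entry validators only run on focus changes, the comment could state that checkIpsecCfg is the only check that runs unconditionally at apply time. ipsecConfigApply continues outside the hunk.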
@@ -914,7 +957,7 @@ proc ipsecCfggen { node } { set sourceSA "" set destSA "" set ipsecalg "" - set ipcomp "" + set ipcompalg "" set inboundspi "" set outboundspi "" set cryptoalgesp "" @@ -943,7 +986,7 @@ proc ipsecCfggen { node } { set sourceSA [getConfig $ipsecCfg "SA-source-address"] set destSA [getConfig $ipsecCfg "SA-destination-address"] set ipsecalg [getConfig $ipsecCfg "ipsec-algorithm"] - set ipcomp [getConfig $ipsecCfg "IPcomp-algorithm"] + set ipcompalg [getConfig $ipsecCfg "IPcomp-algorithm"] set inboundspi [getConfig $ipsecCfg "inbound-spi"] set outboundspi [getConfig $ipsecCfg "outbound-spi"] set cryptoalgesp [getConfig $ipsecCfg "esp-crypto-algorithm"] @@ -967,13 +1010,10 @@ proc ipsecCfggen { node } { return "" } - # - # TODO: IPcomp: deflate, lzs - # - #if { $ipcomp == "yes" } { - # set ipcompalg " -C deflate" - # append cryptoalg $ipcompalg - #} + if { $ipcompalg == "defalte" || $ipcompalg == "lzs" } { + set ipcompalgorithm " -C $ipcompalg" + append cryptoalg $ipcompalgorithm + } if { $sourceSA != "" && $destSA != "" && \ $ipsecalg != "" && $cryptoalg != "" && \ @@ -1008,7 +1048,7 @@ proc ipsecCfggen { node } { lappend cfg "spdadd $destSP $sourceSP $traffic -P in $action $spipsecalg/$mode//$level;" - } else { + } elseif { $mode == "tunnel" } { if { $sourcesgw != "" && $destsgw != "" } { 
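Review bot: `if { $ipcompalg == "defalte" || $ipcompalg == "lzs" }` compares against a misspelling of the option-menu value `deflate` used elsewhere in this patch, so selecting deflate never adds `-C deflate` to the generated SA; it should read `if { $ipcompalg == "deflate" || $ipcompalg == "lzs" }`. The change from `} else {` to `} elseif { $mode == "tunnel" } {` means a mode that is neither transport nor tunnel (e.g. from a hand-edited saved config) now produces no spdadd lines at all without any message, so an `else` branch that reports the unexpected mode, or a check in checkIpsecCfg, would keep such a typo from silently yielding a node with no policy. ipsecCfggen continues outside the hunk.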
@@ -1023,3 +1063,175 @@ proc ipsecCfggen { node } { } return $cfg } + +proc setkeyError { setkeyerror } { + set str "[lindex [split $setkeyerror "\."] 0]" + set errorstr "Error in created setkey.conf: " + append errorstr $str + showIpsecErrors $errorstr +} + +# TODO: SP range can be one of the following: +# address +# address/prefixlen +# address[port] +# address/prefixlen[port] +# +proc checkSPrange { SPrange } { + if { [checkSAaddress $SPrange] == 1 } { + return 1 + } elseif { [checkSPnet $SPrange] == 1 } { + return 1 + } elseif { [checkIPv46AddrPort $SPrange] == 1 } { + return 1 + } + return 0 +} + +# RETURN +# 1 for address[port] or address/prefixlen[port] +# (Address is IPv4/IPv6 address.) +# 0 otherwise +# + +#****f* ipsec.tcl/setConfig +# NAME +# checkIPv46AddrPort -- check SP range for spdadd +# setkey command +# SYNOPSIS +# checkIPv46AddrPort $addr +# FUNCTION +# Check if str has the following form: +# address[port] or address/prefixlen[port]. +# Address can be IPv4 or IPv6 address. +# INPUTS +# * str -- IPv4 or IPv6 address with port information +# RESULT +# * 1 -- if str has the form address[port] or +# address/prefixlen[port] +# * 0 -- otherwise +#**** + +proc checkIPv46AddrPort { str } { + if { $str == "" } { + return 1 + } + set addr [lindex [split $str "\["] 0] + set SAaddress [checkSAaddress $addr] + set SPnet [checkSPnet $addr] + if { $SAaddress == 0 && $SPnet == 0 } { + return 0 + } else { + set tmp [lindex [split $str "\["] 1] + set port [lindex [split $tmp "\]"] 0] + if { $port != "" } { + return [checkIntRange $port 0 65535] + } else { + return 0 + } + } +} + +#****f* ipsec.tcl/checkSAaddress +# NAME +# checkSAaddress -- check SA address for add +# setkey command +# SYNOPSIS +# checkSAaddress $str +# FUNCTION +# Check if str is valid IPv4/IPv6 address, without /prefixlen. 
+# INPUTS +# * str -- IPv4 or IPv6 address +# RESULT +# * 1 -- if str is valid address +# * 0 -- otherwise +#**** + +proc checkSAaddress { str } { + if { $str == "" } { + return 1 + } + if { [checkIPv4Addr $str] == 1 } { + return 1 + } elseif { [checkIPv6Addr $str] == 1 } { + return 1 + } + return 0 +} + +#****f* ipsec.tcl/checkSPnet +# NAME +# checkSPnet -- check if CIDR address is valid +# SYNOPSIS +# checkSAaddress $str +# FUNCTION +# Check if str is valid IPv4/IPv6 address with /prefixlen. +# INPUTS +# * str -- IPv4 or IPv6 address +# RESULT +# * 1 -- if str is valid address +# * 0 -- otherwise +#**** + +proc checkSPnet { str } { + if { $str == "" } { + return 1 + } + if { [checkIPv4Net $str] == 1 } { + return 1 + } elseif { [checkIPv6Net $str] == 1 } { + return 1 + } + return 0 +} + +#****f* ipsec.tcl/checkSharedSecret +# NAME +# checkSharedSecret -- check if the shared secret has the +# valid format +# SYNOPSIS +# checkSharedSecret $str +# FUNCTION +# Check if the shared secret has valid form. Allowed formats are: +# -- double-quoted character string +# -- series of hexadecimal digits +# (TODO: Check the length of the shared secret (in relation with +# choosen cryptographic algorithm)). +# INPUTS +# * str -- shared secret +# RESULT +# * 1 -- if shared secret has valid format +# * 0 -- otherwise +#**** + +proc checkSharedSecret { str } { + if { $str == "" } { + return 1 + } + set hexmark "" + set limiter1 "" + set limiter2 "" + set hexmark [string range $str 0 1] + set limiter1 [string index $str 0] + set limiter2 [string index $str end] + if { $hexmark == "0x" } { + set psk [string range $str 2 end] + if { $psk != "" } { + if { [string is integer $psk] } { + return 1 + } + } + } elseif { $limiter1 == "\"" && $limiter2 == "\"" } { + set psk [string replace $str 0 0] + set pskonly [string replace $psk end end] + if { $pskonly != "" } { + return 1 + } + } + return 0 +} + + + + + diff --git a/ipv4.tcl b/ipv4.tcl index c8c6c86..6541492 100755 --- a/ipv4.tcl 
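Review bot: In checkSharedSecret the hex branch uses `string is integer $psk`, which accepts only values that parse as a 32-bit integer and rejects hexadecimal digits, so a key of realistic length (a constructed example: `0x0123456789abcdef0123456789abcdef`) fails validation while short decimal-looking values pass; `if { [string is xdigit $psk] }` is the check the doc header describes. The TODO about key length is worth keeping prominent, since setkey requires the key length to match the chosen algorithm and this check cannot catch a wrong length. Two doc headers are copy-paste leftovers: the block above checkIPv46AddrPort is titled `ipsec.tcl/setConfig`, and the SYNOPSIS of checkSPnet reads `checkSAaddress $str`. The hunk begins on the previous line.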
+++ b/ipv4.tcl @@ -218,6 +218,9 @@ proc autoIPv4defaultroute { node iface } { proc checkIPv4Addr { str } { set n 0 + if { $str == "" } { + return 1 + } while { $n < 4 } { if { $n < 3 } { set i [string first . $str] -- 2.39.5
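Review bot: checkIPv4Addr now returns 1 for an empty string, which changes a shared ipv4.tcl validator for every caller rather than only for the IPsec entries that need an optional field; any other entry widget using `checkIPv4Addr` as its `-vcmd`, not visible here, will now accept an empty address as valid. ipsec.tcl already wraps it (checkSAaddress returns 1 on `""` before calling checkIPv4Addr), so the same wrapper can cover the SGW entries and this hunk can be dropped, or the new empty-string behaviour should be documented in the proc header. The function continues outside the hunk.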