
Several updates #2

* Reverse RDN components for all certs
* Fewer side effects in unittests
* Split help dialog shell snippets into separate files
* Restore 'admin subnets' config option
* Embedded subnets, IKE and ESP proposals now configurable in builder.conf
* Use expr instead of bc for math operations in shell
* Better frontend support for Let's Encrypt certificates
This commit is contained in:
2018-05-02 08:11:01 +00:00
parent 5e9251f365
commit 4e4b551cc2
49 changed files with 959 additions and 1051 deletions


@@ -2,7 +2,7 @@
source common.sh
uci set certidude.@authority[0].trigger=lan
sed -e 's/trigger wan/trigger lan/' -i $OVERLAY/etc/config/certidude
cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
@@ -108,11 +108,11 @@ esac
EOF
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci \
openssl-util curl ca-certificates dropbear \
strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
-luci-app-firewall \
-pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6 bc"
-kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
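Review bot: Removing `bc` from the package list on the last line (and likewise in the third file section) drops the binary at image level, but nothing in this section confirms that every overlay script was migrated to `expr` as the commit message states; a leftover `| bc` would surface only as a runtime failure on the device. A build-time guard before the `make` call, e.g. `grep -rqw bc -- "$OVERLAY" && { echo "bc still referenced in overlay" >&2; exit 1; }`, catches that during the image build instead. Note also that `expr` does integer arithmetic only, so any computation that previously relied on `bc` for fractional values needs a different replacement.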


@@ -45,19 +45,12 @@ config authority
EOF
cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
/etc/init.d/ipsec disable
EOF
case $AUTHORITY_CERTIFICATE_ALGORITHM in
rsa)
echo ": RSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
DHGROUP=modp2048
;;
ec)
echo ": ECDSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
DHGROUP=ecp384
;;
*)
echo "Unknown algorithm $AUTHORITY_CERTIFICATE_ALGORITHM"
@@ -96,8 +89,8 @@ conn %default
keyingtries=%forever
dpdaction=restart
closeaction=restart
ike=aes256-sha384-ecp384!
esp=aes128gcm16-aes128gmac!
ike=$IKE
esp=$ESP
left=%defaultroute
leftcert=/etc/certidude/authority/$AUTHORITY/host_cert.pem
leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
@@ -106,7 +99,7 @@ conn %default
conn client-to-site
auto=start
right="$ROUTER"
rightsubnet=0.0.0.0/0
rightsubnet="$SUBNETS"
leftsourceip=%config
leftupdown=/etc/certidude/authority/$AUTHORITY/updown
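Review bot: The new `ike=$IKE` and `esp=$ESP` lines (hunk at `@@ -96,8 +89,8 @@`) and `rightsubnet="$SUBNETS"` are expanded inside an unquoted heredoc at build time, yet nothing in this section asserts that the variables are set, so a builder.conf that predates these keys silently yields `ike=` / `esp=` / `rightsubnet=""` in the generated ipsec.conf and the problem only appears when the daemon parses it. Adding `: "${IKE:?IKE proposal not set}" "${ESP:?ESP proposal not set}" "${SUBNETS:?SUBNETS not set}"` before the heredoc is written turns that into a build failure. The removed lines carried the strict-proposal `!` suffix (`aes256-sha384-ecp384!`); whether the configured values keep that suffix now decides if a peer can negotiate a weaker proposal than intended, so the expected form is worth documenting next to the new builder.conf keys. The heredoc these lines belong to begins before the hunk.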


@@ -41,4 +41,4 @@ EOF
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun bc"
pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun"


@@ -7,4 +7,4 @@ AUTHORITY=certidude.@authority[0]
[ $ACTION == "ifup" ] || exit 0
[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0
/usr/bin/certidude-enroll
/usr/bin/certidude-enroll > /var/log/certidude.log 2>&1
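Review bot: The `>` redirect on the new line truncates /var/log/certidude.log on every ifup event, so when enrollment fails intermittently only the most recent attempt is left for diagnosis; `>>` keeps the history if that is the intent (on these images /var/log is usually volatile, so nothing survives a reboot either way). Because stderr is captured as well and the enroll script now runs under `set -x` (see the next file section), every expanded command line is written to that file; should any later step pass a token or password as a command-line argument, it would end up in the log in clear, so such values are better supplied via stdin or a file. The hotplug script's header lines precede the hunk.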


@@ -1,5 +1,8 @@
#!/bin/sh
set -e
set -x
AUTHORITY=certidude.@authority[0]
# TODO: iterate over all authorities
@@ -29,7 +32,6 @@ logger -t certidude -s "Time is now: $(date)"
if [ -f $CERTIFICATE_PATH ]; then
SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
ipsec restart
exit 0
fi
@@ -39,16 +41,20 @@ fi
#########################################
if [ ! -f $KEY_PATH ]; then
logger -t certidude -s "Generating $KEY_TYPE key for VPN..."
case $KEY_TYPE in
rsa)
logger -t certidude -s "Generating $KEY_LENGTH-bit RSA key..."
openssl genrsa -out $KEY_PATH.part $KEY_LENGTH
openssl rsa -in $KEY_PATH.part -noout
;;
ec)
logger -t certidude -s "Generating $KEY_CURVE ECDSA key..."
openssl ecparam -name $KEY_CURVE -genkey -noout -out $KEY_PATH.part
;;
*)
logger -t certidude -s "Unsupported key type $KEY_TYPE"
exit 255
;;
esac
mv $KEY_PATH.part $KEY_PATH
fi
@@ -120,4 +126,5 @@ mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
# Start services
logger -t certidude -s "Starting IPSec IKEv2 daemon..."
ipsec restart
/etc/init.d/ipsec enable
/etc/init.d/ipsec restart