Several updates #2

* Reverse RDN components for all certs
* Less side effects in unittests
* Split help dialog shell snippets into separate files
* Restore 'admin subnets' config option
* Embedded subnets, IKE and ESP proposals now configurable in builder.conf
* Use expr instead of bc for math operations in shell
* Better frontend support for Let's Encrypt certificates

doc/builder/ap.sh

@@ -2,7 +2,7 @@
 
 source common.sh
 
-uci set certidude.@authority[0].trigger=lan
+sed -e 's/trigger wan/trigger lan/' -i $OVERLAY/etc/config/certidude
 
 cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
 
@@ -108,11 +108,11 @@ esac
 
 EOF
 
-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci \
     openssl-util curl ca-certificates dropbear \
     strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
     htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
     -luci-app-firewall \
     -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6 bc"
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
 

doc/builder/common.sh

@@ -45,19 +45,12 @@ config authority
 
 EOF
 
-
-cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
-/etc/init.d/ipsec disable
-EOF
-
 case $AUTHORITY_CERTIFICATE_ALGORITHM in
     rsa)
         echo ": RSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
-        DHGROUP=modp2048
         ;;
     ec)
         echo ": ECDSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
-        DHGROUP=ecp384
         ;;
     *)
         echo "Unknown algorithm $AUTHORITY_CERTIFICATE_ALGORITHM"
@@ -96,8 +89,8 @@ conn %default
     keyingtries=%forever
     dpdaction=restart
     closeaction=restart
-    ike=aes256-sha384-ecp384!
-    esp=aes128gcm16-aes128gmac!
+    ike=$IKE
+    esp=$ESP
     left=%defaultroute
     leftcert=/etc/certidude/authority/$AUTHORITY/host_cert.pem
     leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
@@ -106,7 +99,7 @@ conn %default
 conn client-to-site
     auto=start
     right="$ROUTER"
-    rightsubnet=0.0.0.0/0
+    rightsubnet="$SUBNETS"
     leftsourceip=%config
     leftupdown=/etc/certidude/authority/$AUTHORITY/updown
 

doc/builder/ipcam.sh

@@ -41,4 +41,4 @@ EOF
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
     strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
     iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
-    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun bc"
+    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun"