
initial commit

0 parents commit 2a36aa53835522db74bf521dce4e33a21e62f11d @gebi gebi committed Nov 7, 2005
Showing with 1,175 additions and 0 deletions.
  1. +48 −0 Makefile
  2. +6 −0 TODO
  3. +77 −0 debian/changelog
  4. +1 −0 debian/compat
  5. 0 debian/conffiles
  6. +13 −0 debian/control
  7. +22 −0 debian/copyright
  8. +1 −0 debian/dirs
  9. +111 −0 debian/grml-vpn.8_handcoded
  10. +2 −0 debian/grml-vpn.docs
  11. +95 −0 debian/rules
  12. +527 −0 grml-vpn
  13. +108 −0 grml-vpn.8.txt
  14. +24 −0 tests/bash_fault.sh
  15. +19 −0 tests/bigtest.sh
  16. +21 −0 tests/smalltest.sh
  17. +29 −0 tests/spi.sh
  18. +4 −0 tests/test1
  19. +3 −0 tests/test2
  20. +24 −0 tests/test3
  21. +40 −0 tests/test4
48 Makefile
@@ -0,0 +1,48 @@
+install_ = "install"
+name = "grml-vpn"
+
+etc = ${DESTDIR}/etc/
+usr = ${DESTDIR}/usr
+usrbin = $(usr)/bin
+usrsbin = $(usr)/sbin
+usrshare = $(usr)/share/$(name)
+usrdoc = $(usr)/share/doc/$(name)
+man8 = $(usr)/share/man/man8/
+
+#%.html : %.txt ;
+# asciidoc -b xhtml11 $*.txt
+
+all: doc
+
+doc: doc_man doc_html
+
+doc_html: html-stamp
+
+html-stamp:
+ asciidoc -b xhtml11 grml-vpn.8.txt
+ touch html-stamp
+
+doc_man: man-stamp
+
+man-stamp:
+ asciidoc -d manpage -b docbook grml-vpn.8.txt
+ sed -i 's/<emphasis role="strong">/<emphasis role="bold">/' grml-vpn.8.xml
+ xsltproc /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl grml-vpn.8.xml
+ gzip --best grml-vpn.8
+ touch man-stamp
+
+
+install: all
+ $(install_) -d -m 755 $(usrdoc)
+ $(install_) -m 644 TODO $(usrdoc)
+ $(install_) -m 644 grml-vpn.8.html $(usrdoc)
+
+ $(install_) -d -m 755 $(man8)
+ $(install_) -m 644 grml-vpn.8.gz $(man8)
+
+ $(install_) -m 755 -d $(usrsbin)
+ $(install_) -m 755 grml-vpn $(usrsbin)
+
+clean:
+ rm -rf grml-vpn.8.html grml-vpn.8.xml grml-vpn.8 grml-vpn.8.gz html-stamp man-stamp
+
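Review bot: `html-stamp` and `man-stamp` have no prerequisite on `grml-vpn.8.txt`, so once the stamp files exist an edited manpage source is never re-rendered until `make clean`; declaring `html-stamp: grml-vpn.8.txt` and `man-stamp: grml-vpn.8.txt` fixes that. None of `all`, `doc`, `doc_man`, `doc_html`, `install` and `clean` is declared phony, so a stray file with one of those names would silently satisfy the target; add `.PHONY: all doc doc_man doc_html install clean`. The double quotes in `install_ = "install"` and `name = "grml-vpn"` are part of the Make value and only vanish because the shell strips them from each recipe line, which works today but breaks the moment `$(name)` is used outside a recipe; unquoted values are the convention. The `etc` variable appears unused and can go.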
6 TODO
@@ -0,0 +1,6 @@
+ 1. autodetection of IPs on the local computer (should make -a nearly useless)
+ 2. better handling of "encryption" layers, let the user deside if tunnel/transport mode,
+ or ah, or ipcomp (or only a few of them). something like --use esp-tun:ah:ipcomp.
+ First use ipcomp to compress the data stream, then use ah on the package and then put
+ the package into an esp tunnel.
+ 3. better stand alone script (also with autodetection of local IPs) - could be quite hard!!
77 debian/changelog
@@ -0,0 +1,77 @@
+grml-vpn (0.10) unstable; urgency=low
+
+ * a few fixes
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 1 Nov 2005 20:08:43 +0100
+
+grml-vpn (0.09) unstable; urgency=low
+
+ * new working version
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Wed, 12 Oct 2005 16:08:36 +0200
+
+grml-vpn (0.08) unstable; urgency=low
+
+ * a few manpage fixes (thx to mika)
+ * fixed false prog_name from change to zsh
+ * added usage example to -h/help
+ * changed manpage to asciidoc (no more nroff, NEVER)
+ * updated build dependencies (sorry, are quite heavy now)
+ * fixed dir layout
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 8 Oct 2005 18:21:21 +0200
+
+grml-vpn (0.07) unstable; urgency=low
+
+ * added manpage fixes
+ * added TODO (for future features)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 3 Oct 2005 21:50:45 +0200
+
+grml-vpn (0.06) unstable; urgency=low
+
+ * manpage added
+ * added fix in key lenght check
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 3 Oct 2005 15:18:07 +0200
+
+grml-vpn (0.05) unstable; urgency=low
+
+ * zsh compatibility fix
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 3 Oct 2005 11:16:43 +0200
+
+grml-vpn (0.04) unstable; urgency=low
+
+ * added fix for reading ips from cmd and vpn with only 2 computers (special
+ case without -a)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 29 Sep 2005 21:01:16 +0200
+
+grml-vpn (0.03) unstable; urgency=low
+
+ * added fix for vpns >2 computers (problems with SPI)
+ * make grml-vpn zsh only, sorry, but bash could not count!
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 29 Sep 2005 18:48:53 +0200
+
+grml-vpn (0.02) unstable; urgency=low
+
+ * added options for different ciphers (-e)
+ * regular expression cipher name matching
+ * added option for key length (-b)
+ * generic checks if a keylenght is supported by a specific cipher
+ * added option for shell output (standalone shellscript)
+ * added option for raw key input (-K)
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 26 Sep 2005 04:05:09 +0200
+
+grml-vpn (0.01) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 24 Sep 2005 21:39:23 +0200
+
+Local variables:
+mode: debian-changelog
+End:
1 debian/compat
@@ -0,0 +1 @@
+4
0 debian/conffiles
No changes.
13 debian/control
@@ -0,0 +1,13 @@
+Source: grml-vpn
+Section: admin
+Priority: optional
+Maintainer: Michael Gebetsroither <gebi@grml.org>
+Build-Depends: debhelper (>= 4.0.0), xsltproc, docbook-xsl, asciidoc
+Standards-Version: 3.6.2
+
+Package: grml-vpn
+Architecture: all
+Depends: sh-lib (>=1.02.02), ipsec-tools, md5deep, zsh
+Description: program to establish encrypted communication channels in a network
+ This program should provide an easy interface to setkey and ipsec on linux
+ 2.6. Good luck!
22 debian/copyright
@@ -0,0 +1,22 @@
+This is grml-vpn, written and maintained by Michael Gebetsroither <gebi@grml.org>
+on Sun, 20 Mar 2005 19:39:26 +0100.
+
+Copyright (C) 2003 Michael Gebetsroither
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ 02111-1307, USA.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
1 debian/dirs
@@ -0,0 +1 @@
+usr/sbin
111 debian/grml-vpn.8_handcoded
@@ -0,0 +1,111 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH GRML-VPN 8 "AUG 9, 2005"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+grml-vpn \- program to establish encrypted communication channels in a network
+.SH SYNOPSIS
+.B grml-vpn
+.RI [OPTIONS] " <ACTION> " <SPI> " [IPs]
+.br
+.SH DESCRIPTION
+This manual page documents briefly the
+.B grml-vpn program
+.PP
+.\" TeX users may be more comfortable with the \fB<whatever>\fP and
+.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+.\" respectively.
+\fBgrml-vpn\fP is a program that
+provides an easy wrapper arround ipsec and setkey (without any ike daemon).
+With this program you can create a vpn based uppon ipsec to any number of computers.
+It's intended purpose is for example for wlan sessions to create an encrypted network between all computers on the wlan.
+It is also possible to create a standalone shellscript which only needs the setkey command to setup the vpn (using the -x option).
+.TP
+.B add
+Add an ipsec entry
+.TP
+.B del
+Delete an specific ipsec entry
+.TP
+.B clear
+Delete all ipsec entries (attention, really deletes _all_ entrys, even from other setkey commands and isakmpd).
+.TP
+.B show
+Show all infos about ipsec entrys.
+.TP
+.B info
+Give infos about ciphers and there allowed keysizes.
+.TP
+.B help
+Show the help message.
+.SH OPTIONS
+These program follow the long option style without dashes and
+short options starting with one dash (`-').
+A summary of options is included below.
+.TP
+.B \-h, help
+Show summary of options.
+.TP
+.B \-v
+Show what is going on (more v => more output).
+.TP
+.B \-a <IP>
+Your IP (currently necessary for vpns with more than 2 computers).
+.TP
+.B \-e <ciphername> (default=rijndael-cbc, better known as AES)
+Cipher name. Will be matched against ciphers available for ipsec (all ciphers not only the available ciphers on your box).
+eg. "-e two" will match twofish-cbc. If more then one ciphers matches your regexp than the matches are printed and grml-vpn aborts.
+.TP
+.B \-b <keysize> (default=256 bit)
+Keysize used for your encryption.
+.TP
+.B \-k <key>
+Your key/password for the vpn (will be hashed).
+.TP
+.B \-K <raw-key>
+Set raw key (you determine the keysize, not -b).
+.TP
+.B \-f <input-file>
+Read IPs for encrypted connections from file (same as from stdin).
+.TP
+.B \-c
+Read IPs from stdin (setkey commands are not written until _all_ IPs are read from stdin).
+.TP
+.B \-p
+Only print the setkey commands (eg. grml-vpn -p ... |setkey -c).
+USE THIS if you create a vpn with many computers, because this is a bit faster).
+.TP
+.B \-x
+Print a standalone shellscript which only needs setkey to setup the vpn.
+.SH EXAMPLES
+.TP
+.B grml-vpn -k testpw -b 128 add 1000 192.168.0.1 192.168.0.2
+Creates encrypted connections between the two IPs possible, with the pre shared key (PSK) testpw and 128bit rijndael-cbc. You have to execute this command on both computers (if you type this command only on one computer, then it's impossible to create an connection between the two computers).
+NOTE: with only 2 computers it's not necessary to specify your own ip with -a.
+.TP
+.B grml-vpn -e bl -b 255 -a 192.168.0.2 add 2000 192.168.0.1 192.168.0.2 192.168.0.3
+Encrypted connections between all 3 computers. This command should be executed on 192.168.0.2 (-a) and on the other two computers with the appropriate -a <IP>.
+The cipher is blowfisch-cbc (no, -e bl is NO typo ;).
+.TP
+.B grml-vpn -a 192.168.0.2 del 2000 192.168.0.1 192.168.0.2 192.168.0.3
+This command deletes the previous created encrypted connections on 192.168.0.2 (after this command it's impossible to send data to 192.168.0.{1,3} until you delete the vpn entrys on them (no, even ssh does not work anymore).
+You should execute this command on all computers of the vpn (with the appropriate -a <IP> option). You could also use grml-crypt clear to clear all vpn settings.
+.SH SEE ALSO
+.BR setkey (8)
+.SH AUTHOR
+grml-vpn was written by Michael Gebetsroither <gebi@grml.org>.
+.PP
+This manual page was written by Michael Gebetsroither <gebi@grml.org>.
2 debian/grml-vpn.docs
@@ -0,0 +1,2 @@
+TODO
+grml-vpn.8.html
95 debian/rules
@@ -0,0 +1,95 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE)
+ #docbook-to-man debian/grml-terminalserver.sgml > grml-terminalserver.1
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ $(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ $(MAKE) install DESTDIR=debian/grml-vpn
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+# dh_installdocs
+ dh_installexamples
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_installman grml-vpn.8
+ dh_link
+# dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+# dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
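Review bot: All packaging work sits in `binary-arch` while `binary-indep` is a no-op, yet debian/control in this same commit declares the package `Architecture: all`; an indep-only build (`dpkg-buildpackage -A`, which runs just `binary-indep`) would then produce nothing, so the `dh_*` sequence belongs under `binary-indep`. The `CFLAGS`/`DEB_BUILD_OPTIONS` block at the top is dead, since nothing in this package is compiled, and can be removed or carry a comment saying it is template residue. `dh_installman grml-vpn.8` is commented out presumably because the top-level Makefile's `install` target already places `grml-vpn.8.gz` under man8; a one-line comment stating that would keep the next maintainer from re-enabling it and installing the page twice.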
527 grml-vpn
@@ -0,0 +1,527 @@
+#!/usr/bin/zsh
+# Filename: grml-vpn
+# Purpose: Program to establish encrypted communication channels in a network
+# Authors: Michael Gebetsroither <gebi@grml.org>
+# Bug-Reports: see http://grml.org/bugs/
+# License: This file is licensed under the GPL v2.
+# Latest change: Mon Aug 08 11:37:20 CEST 2005
+################################################################################
+
+
+###
+### __INCLUDES
+###
+. /etc/grml/sh-lib
+#. /etc/grml/sysexits-sh
+
+
+
+###
+### __VARIABLES
+###
+
+verbose_=0
+SETKEY_='setkey' # setkey command for internal use
+SETKEY_PRINT_='setkey' # setkey command for ipsec use (could also be cat)
+SETKEY_ARG_='-c' # arguments for setkey
+IP_FILE_='' # file to read the IPs
+FROM_FILE_='false' # input methode file (default=cmd)
+FROM_STDIN_='false' # input methode stdin (default=cmd)
+READ_IP_F_='' # function to get IPs from
+SPI_='' # SPI to start with (user given)
+IP_="" # own ip
+KEY_='' # encryption key (allready hashed)
+ORIG_KEY_='' # untouched user key
+KEY_IS_SET_='false' # true if the user has given the key on the cmd
+KEY_IS_SET_RAW_='false' # true if the user wants to give us raw key material
+KEY_SIZE_='256' # keysize
+OUTPUT_SCRIPT_='false' # outputs standalone shell script
+TMP_='' # path to the tmp-file
+
+# 1. cipher-name
+# with 1 argument after name: only this is supported
+# with 2 arguments after name: from to
+# with 3 arguments after name: only they are supported
+CIPHER_='rijndael-cbc'
+CIPHERS_="des-cbc 64
+3des-cbc 192
+blowfish-cbc 40 448
+cast128-cbc 40 128
+des-deriv 64
+3des-deriv 192
+rijndael-cbc 128 192 256
+twofish-cbc 0 256
+aes-ctr 160 224 288"
+
+
+
+###
+### __FUNCTIONS
+###
+
+function printUsage
+{
+ cat <<EOT
+Usage: "$PROG_NAME__" [OPTIONS] <ACTION> <SPI> [IPs]
+
+$PROG_NAME__ is a program to establish encrypted communication channels in a network
+
+OPTIONS:
+ -a your IP (only necessary for vpn's with more than 2 computers)
+ -e encryption algorithm name regexp (default=$CIPHER_)
+ -b keysize (0-448 bits are allowed)
+ -k manually set the key (will be hashed, default=${KEY_SIZE_}bit)
+ -K set raw key (could be any keysize supported by the kernel)
+ -f read IPs from file (one IP per line)
+ -c read IPs from stdin (one IP per line)
+ -p only print commands for setkey (grml-vpn -p xxx |setkey)
+ -x print commands wrapped into an standalone shellscript (enables -p)
+ -h this help text
+
+ACTIONS:
+ show Shows the kernel ipsec entrys
+ add add ipsec entrys
+ del delete specific ipsec entrys
+ clear delete all ipsec entrys
+ info give info about ciphers and available keysizes
+ help this help text
+
+NOTICE:
+ IPs given to this programm should be ALWAYS in the SAME ORDER and with the SAME SPI
+ on all hosts of the vpn. THIS IS ABSOLUTY NECESSARY!!!
+ For vpns above 2 computers you have to specify your IP twice. Once in the IPs and once
+ with -n <your IP> (the IPs have to be in the same order on all hosts of the vpn).
+
+ SPI == Security Parameter Index (decimal value between 256 and ~2^32)
+
+USAGE EXAMPLE:
+ Vpn with 2 computers (same command on both computers):
+ grml-vpn -k testpw add 1000 192.168.0.1 192.168.0.2
+ Vpn with 3 computers:
+ 1.PC: grml-vpn -k testpw -n 192.168.0.1 add 1000 192.168.0.1 192.168.0.2 192.168.0.3
+ 2.PC: grml-vpn -k testpw -n 192.168.0.2 add 1000 192.168.0.1 192.168.0.2 192.168.0.3
+ 3.PC: grml-vpn -k testpw -n 192.168.0.3 add 1000 192.168.0.1 192.168.0.2 192.168.0.3
+
+EOT
+}
+
+
+function printShellHeader
+{
+ local date_=`date -Is`
+ cat <<EOT
+#!/bin/sh
+# standalone vpn script from grml-vpn
+# written on $date_
+
+cat <<EOX |setkey -c
+EOT
+}
+
+function printShellFooter
+{
+ cat <<EOT
+EOX
+
+# END OF FILE
+################################################################################
+EOT
+}
+
+function actionShow
+{
+ execute "$SETKEY_ -D" warn
+ execute "$SETKEY_ -DP" warn
+}
+
+
+function addIP
+{
+ local cnt_="$1"
+ local ip_="$2"
+ local ip2_="$3"
+
+ cat << EOT | $SETKEY_PRINT_ $SETKEY_ARG_ #|| warn "problems executing $SETKEY_PRINT_ ret($?)"
+add $ip_ $ip2_ esp $cnt_ -E rijndael-cbc
+ 0x$KEY_;
+spdadd $ip_ $ip2_ any -P out ipsec
+ esp/transport//require;
+
+EOT
+}
+
+function delIP
+{
+ local cnt_="$1"
+ local ip_="$2"
+ local ip2_="$3"
+
+ cat << EOT | $SETKEY_PRINT_ $SETKEY_ARG_ #|| warn "problems executing $SETKEY_PRINT_ ret($?)"
+delete $ip_ $ip2_ esp $cnt_;
+spddelete $ip_ $ip2_ any -P out;
+
+EOT
+
+}
+
+# ATTENTION IF YOU CHANGE ANYTHING IN THIS FUNCTION
+function generateRules
+{
+ local cnt_="$SPI_" # current value of spi
+ local ip_=''
+ local ip2_=''
+ local tmp_=''
+
+ cat "$TMP_" |while read ip_; do
+ cat "$TMP_" |while read ip2_; do
+ if [[ "$ip_" == "$ip2_" ]]; then
+ #((cnt_++)) not shure if necessary
+ continue
+ fi
+ if [[ "$ip_" != "$IP_" && "$ip2_" != "$IP_" ]]; then
+ ((cnt_++))
+ continue
+ fi
+ #echo "$cnt_ $ip_ $ip2_"
+ $ACTION_ "$cnt_" "$ip_" "$ip2_"
+ ((cnt_++))
+ done
+ done
+}
+
+
+function getIPsFromCmd
+{
+ while (( $# != 0 )); do
+ case "$1" in # Do not prozess
+ "") continue ;; # an empty IP
+ \#*) continue ;; # a comment
+ esac
+ echo "$1" >> "$TMP_"
+ shift
+ done
+
+ # yea... got all ip's
+ generateRules
+}
+
+function getIPsFromFile
+{
+ local ip_=""
+
+ isExistent "$IP_FILE_" die
+ cat "$IP_FILE_" |while read ip_; do
+ case "$ip_" in # Do not prozess
+ "") continue ;; # an empty IP
+ \#*) continue ;; # a comment
+ esac
+ echo "$ip_" >> "$TMP_"
+ done
+
+ generateRules
+}
+
+function getIPsFromStdin
+{
+ local ip_=""
+
+ while read ip_; do
+ case "$ip_" in
+ "") continue ;;
+ \#*) continue ;;
+ esac
+ echo "$ip_" >> "$TMP_"
+ done
+
+ generateRules
+}
+
+
+function actionClear
+{
+ cat << EOT | setkey -c
+flush;
+spdflush;
+EOT
+}
+
+function actionInfo
+{
+ cat << EOT
+ algorithm keylen (bits) documented in
+ -----------------------------------------------------------------
+ des-cbc 64 esp-old: rfc1829, esp: rfc2405
+ 3des-cbc 192 rfc2451
+ blowfish-cbc 40 to 448 rfc2451
+ cast128-cbc 40 to 128 rfc2451
+ des-deriv 64 ipsec-ciph-des-derived-01
+ 3des-deriv 192 no document
+ rijndael-cbc 128/192/256 rfc3602
+ twofish-cbc 0 to 256 draft-ietf-ipsec-ciph-aes-cbc-01
+ aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
+EOT
+}
+
+
+function checkKey
+{
+ local key_="$1"
+
+ if [[ "$key_" == "" ]]; then
+ die "invalied key \"$key_\""
+ fi
+}
+
+function checkCipher
+{
+ local cipher_="$1"
+
+ if [[ "$cipher_" == "" ]]; then
+ die "you have to give me an real cipher"
+ fi
+ echo "$CIPHERS_" |grep $cipher_ &>/dev/null || die "unsupported cipher \"$cipher_\""
+}
+
+# this function checks the keysize and matches the cipher name against
+# them in $CIPHERS_
+function checkKeySize
+{
+ local ciph_=''
+ local tmp_=''
+
+ ciph_=`echo -e "$CIPHERS_" |grep -E "$CIPHER_"`
+ tmp_=`echo -e "$ciph_" |wc -l`
+ case "$tmp_" in
+ 0) die "cipher \"$CIPHER_\" not supported" ;;
+ 1) dprint "checkKeySize(): ciphername \"$CIPHER_\" valied (unique)" ;;
+ *) warn "ciphername should be unique, but following matched:"
+ echo -e "$ciph_" |awk '{print "\t"$1}'
+ die "cipher \"$CIPHER_\" not unique" ;;
+ esac
+
+ # only one cipher matched
+ tmp_=`echo $ciph_ |awk '{print $1}'`
+ if [[ "$tmp_" != "$CIPHER_" ]]; then
+ warn "your cipher produced an unique match for $tmp_, using this"
+ CIPHER_="$tmp_"
+ fi
+
+ # check the keysize for the specific cipher
+ local one_=''
+ local two_=''
+ local three_=''
+ local i=''
+ tmp_=`echo "$ciph_" |wc -w`
+ case "$tmp_" in
+ 2) one_=`echo $ciph_ |awk '{print $2}'` # 1 value is one value ;)
+ if [[ "$one_" != "$KEY_SIZE_" ]]; then
+ die "keysize \"$KEY_SIZE_\" not supported by $CIPHER_ (only $one_ is allowed)"
+ else
+ dprint "checkKeySize(): keysize \"$KEY_SIZE_\" _IS_ supported by $CIPHER_ ($one_)"
+ fi
+ ;;
+ 3) one_=`echo $ciph_ |awk '{print $2}'` # 2 values are a range
+ two_=`echo $ciph_ |awk '{print $3}'`
+ if (( $KEY_SIZE_ >= $one_ && $KEY_SIZE_ <= $two_ )); then
+ dprint "checkKeySize(): keysize \"$KEY_SIZE_\" _IS_ supported by $CIPHER_ ($one_-$two_)"
+ else
+ die "keysize \"$KEY_SIZE_\" not supported by $CIPHER_ (must be between $one_ and $two_)"
+ fi
+ ;;
+ 4) one_=`echo $ciph_ |awk '{print $2}'` # 3 values are an enumeration
+ two_=`echo $ciph_ |awk '{print $3}'`
+ three_=`echo $ciph_ |awk '{print $4}'`
+ tmp_='false'
+ for i in $one_ $two_ $three_; do
+ if [[ "$i" == "$KEY_SIZE_" ]]; then
+ tmp_='true'
+ fi
+ done
+ $tmp_ || die "keysize \"$KEY_SIZE_\" not supported by $CIPHER_ (must be $one_, $two_ or $three_)"
+ $tmp_ && dprint "checkKeySize(): keysize \"$KEY_SIZE_\" _IS_ supported by $CIPHER_ ($one_, $two_, $three_)"
+ ;;
+ *) die "internal error (problem with CIPHERS_ $tmp_)"
+ esac
+
+ local byte_=''
+ byte_=`echo "$KEY_SIZE_/8"|bc -q`
+ tmp_=`echo "$KEY_SIZE_%4" |bc -q`
+ if [[ "$tmp_" != "0" ]]; then
+ die "your given keysize \"$KEY_SIZE_\" is not a multiple of 4"
+ fi
+ dprint "checkKeySize(): key is $byte_ byte long"
+
+}
+
+
+function hashKey
+{
+ local key_="$1"
+ local gen_="${2:-"false"}" # if false, do not generate a key
+
+ local to_die_='false'
+ local byte_=`echo "$KEY_SIZE_/4"|bc -q`
+ local tmp_=""
+
+ #case "$KEY_SIZE_" in
+ # 128) notice "key_size=$KEY_SIZE_"; echo "$key_" |md5deep ||to_die_='true'
+ # $to_die_ && die "problems with hashing your key"
+ # return 0 ;;
+ # 256) notice "key_size=$KEY_SIZE_"; echo "$key_" |sha256deep ||to_die_='true'
+ # $to_die_ && die "problems with hashing your key"
+ # return 0 ;;
+ #esac
+
+ dprint "hashKey(): oh.. i've to fiddle with the key"
+
+ if (( $KEY_SIZE_ == 0 )); then
+ tmp_=''
+ elif (( $KEY_SIZE_ <= 128 )); then
+ tmp_=`echo "$key_" |md5deep` ||to_die_='true'
+ elif (( $KEY_SIZE_ <= 256 )); then
+ tmp_=`echo "$key_" |sha256deep` ||to_die_='true'
+ elif (( $KEY_SIZE_ <= 512 )); then
+ # FIXME add support for keys > 512bit
+ die "key_sizes greater 256bit are _CURRENTLY_ not supported"
+ else
+ die "key_size \"$KEY_SIZE_\" not supported"
+ fi
+ $to_die_ && die "problems with hashing your key"
+
+ tmp_=`echo "$tmp_" |cut -c "-$byte_"`
+ dprint "hashKey(): key is \"$tmp_\""
+ echo "$tmp_"
+}
+
+
+function removeTmpFiles
+{
+ execute "rm -f $TMP_" warn
+}
+
+
+###
+### __MAIN
+###
+
+PROG_NAME__=`basename $0`
+while getopts "a:b:e:k:K:n:cf:pxhv" opt; do
+ case "$opt" in
+ a) IP_="$OPTARG" ;;
+ b) KEY_SIZE_="$OPTARG" ;;
+ e) CIPHER_="$OPTARG" ;;
+ k) ORIG_KEY_="$OPTARG"
+ KEY_IS_SET_='true' ;;
+ K) ORIG_KEY_="$OPTARG"
+ KEY_IS_SET_RAW_='true' ;;
+ n) NUM_HOSTS_="$OPTARG" ;;
+ c) FROM_STDIN_='true' ;;
+ f) FROM_FILE_='true'
+ IP_FILE_="$OPTARG" ;;
+ p) SETKEY_PRINT_='cat'; SETKEY_ARG_='' ;;
+ x) OUTPUT_SCRIPT_='true'
+ SETKEY_PRINT_='cat'; SETKEY_ARG_='' ;;
+ h) printUsage; exit ;;
+ v) let verbose_=$verbose_+1 ;;
+ ?) printUsage; exit 64 ;;
+ esac
+done
+shift $(($OPTIND - 1)) # set ARGV to the first not parsed commandline parameter
+setVerbose $verbose_
+
+checkRoot die "You have to be root to use this program"
+disableSyslog
+
+
+case "$1" in
+ show) ACTION_='show'; actionShow; exit 0 ;;
+ clear) ACTION_='clear'; actionClear; exit 0 ;;
+ info) ACTION_='info'; actionInfo; exit 0 ;;
+ help) ACTION_='help'; printUsage; exit 0 ;;
+ "") printUsage; exit 0 ;;
+esac
+
+# controle input methodes selected from user
+if [[ "$FROM_FILE_" == 'true' && "$FROM_STDIN_" == 'true' ]]; then
+ die "Please select only one input-methode" 1
+fi
+
+# tests to verify the keysize
+checkKeySize
+
+# control/hash the encryption key
+if [[ "$KEY_IS_SET_" == 'true' && "$KEY_IS_SET_RAW_" == 'true' ]]; then
+ die "Please specify only one key"
+elif [[ "$KEY_IS_SET_" == 'true' ]]; then
+ # user supplied key
+ KEY_=`hashKey "$ORIG_KEY_"`
+else
+ # RAW key
+ KEY_="$ORIG_KEY_"
+fi
+
+# get action
+USER_ACTION_="$1"
+shift
+
+# save SPI
+SPI_="$1"
+if [[ "$SPI_" == "" ]]; then
+ die "you should give me the Security Parameter Index (SPI)"
+fi
+if (( $SPI_ <= 255 )); then
+ die "SPI values between 0 and 255 cannot be used"
+fi
+shift
+
+# set aproppriate functions
+if [[ "$FROM_FILE_" == 'true' ]]; then
+ READ_IP_F_='getIPsFromFile'
+elif [[ "$FROM_STDIN_" == 'true' ]]; then
+ READ_IP_F_='getIPsFromStdin'
+else
+ READ_IP_F_='getIPsFromCmd'
+
+ # save own IP
+ if [[ "$IP_" == "" ]]; then
+ # if no ip is given with -a
+ if (( $# >= 3 )); then
+ # if vpn with more than 2 hosts
+ die "you have to give me YOUR ip with -a <your ip>"
+ fi
+ IP_="$1"
+ notice "no ip given, using $IP_ as your ip"
+ fi
+ if [[ "$IP_" == "" ]]; then
+ die "you should give me your ip"
+ fi
+fi
+TMP_=`mktemp -t grml-vpn-XXXXXX || die 'could not create tmp file' $?`
+setExitFunction 'removeTmpFiles'
+
+case "$USER_ACTION_" in
+ add) ACTION_='addIP'
+ # check if i have to generate a random key and print it for the user
+ if [[ "$KEY_IS_SET_" == 'false' && "$KEY_IS_SET_RAW_" == 'false' ]]; then
+ notice "key not set, generating"
+ ORIG_KEY_="`dd if=/dev/urandom bs=512 count=1 2>/dev/null`"
+ KEY_=`hashKey "$ORIG_KEY_"`
+ echo "$KEY_" >&2
+ checkKey "$KEY_"
+ fi
+
+ $OUTPUT_SCRIPT_ && printShellHeader
+ $READ_IP_F_ $@
+ ;;
+ del) ACTION_='delIP';
+ $OUTPUT_SCRIPT_ && printShellHeader
+ $READ_IP_F_ $@ ;;
+ *) printUsage; die "Unknown action $1" ;;
+esac
+
+$OUTPUT_SCRIPT_ && printShellFooter
+removeTmpFiles
+
+# END OF FILE
+################################################################################
+# vim:foldmethod=marker
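Review bot: `addIP` hard-codes `-E rijndael-cbc` in the generated `add` rule, so the cipher selected with `-e` (validated and normalised into `$CIPHER_` by `checkKeySize`) never reaches setkey and any non-AES choice silently yields an AES SA; the line should read `add $ip_ $ip2_ esp $cnt_ -E $CIPHER_`. The policy `addIP` writes is outbound only (`-P out ipsec esp/transport//require`), so nothing requires ESP on inbound traffic and a host keeps accepting cleartext from its peers; a mirrored inbound entry such as `spdadd $ip2_ $ip_ any -P in ipsec esp/transport//require;` plus the matching `spddelete` in `delIP` would make the protection symmetric, after confirming against setkey(8) how it handles the reversed pairs `generateRules` already emits. The usage text tells users to supply their own address with `-n <your IP>`, but getopts maps `-n` to the unused `NUM_HOSTS_` and `-a` to `IP_`; the NOTICE and the three-PC examples should say `-a`. The `TMP_` assignment wraps `die` inside the backtick substitution, so on `mktemp` failure only the subshell exits and the script continues with an empty `TMP_`; test `[[ -n "$TMP_" ]]` after the assignment instead. Passing the key via `-k`/`-K` exposes it in the process list to every local user, which the usage text should mention next to the generated-key default.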
108 grml-vpn.8.txt
@@ -0,0 +1,108 @@
+GRML-VPN(8)
+==========
+Michael Gebetsroither <michael.geb@gmx.at>
+
+
+NAME
+----
+grml-vpn - program to establish encrypted communication channels in a network
+
+
+SYNOPSIS
+--------
+*grml-vpn* [OPTIONS] '<ACTION>' '<SPI>' [IPs]
+
+
+DESCRIPTION
+-----------
+*grml-vpn* is a program that
+provides an easy wrapper arround ipsec and setkey (without any ike daemon).
+With this program you can create a vpn based uppon ipsec to any number of computers.
+It's intended purpose is for example for wlan sessions to create an encrypted network between all computers on the wlan.
+It is also possible to create a standalone shellscript which only needs the setkey command to setup the vpn (using the -x option).
+
+
+ACTIONS
+-------
+*add*::
+ Add an ipsec entry
+
+*del*::
+ Delete an specific ipsec entry
+
+*clear*::
+ Delete all ipsec entries (attention, really deletes _all_ entrys, even from other setkey commands and isakmpd).
+
+*show*::
+ Show all infos about ipsec entrys.
+
+*info*::
+ Give infos about ciphers and there allowed keysizes.
+
+*help*::
+ Show the help message.
+
+
+OPTIONS
+-------
+*-h, help*::
+Show summary of options.
+
+*-v*::
+Show what is going on (more v => more out).
+
+*-a <IP>*::
+Your IP (currently necessary for vpns with more than 2 computers).
+
+*-e <ciphername> (default=rijndael-cbc, better known as AES)*::
+Cipher name. Will be matched against ciphers available for ipsec (all ciphers not only the available ciphers on your box).
+eg. "-e two" will match twofish-cbc. If more then one ciphers matches your regexp than the matches are printed and grml-vpn aborts.
+
+*-b <keysize> (default=256 bit)*::
+Keysize used for your encryption.
+
+*-k <key>*::
+Your key/password for the vpn (will be hashed).
+
+*-K <raw-key>*::
+Set raw key (you determine the keysize, not -b).
+
+*-f <input-file>*::
+Read IPs for encrypted connections from file (same as from stdin).
+
+*-c*::
+Read IPs from stdin (setkey commands are not written until _all_ IPs are read from stdin).
+
+*-p*::
+Only print the setkey commands (eg. grml-vpn -p ... |setkey -c).
+USE THIS if you create a vpn with many computers, because this is a bit faster).
+
+*-x*::
+Print a standalone shellscript which only needs setkey to setup the vpn.
+
+
+EXAMPLES
+--------
+*grml-vpn -k testpw -b 128 add 1000 192.168.0.1 192.168.0.2*::
+Creates encrypted connections between the two IPs possible, with the pre shared key (PSK) testpw and 128bit rijndael-cbc. You have to execute this command on both computers (if you type this command only on one computer, then it's impossible to create an connection between the two computers).
+NOTE: with only 2 computers it's not necessary to specify your own ip with -a.
+
+*grml-vpn -e bl -b 255 -a 192.168.0.2 add 2000 192.168.0.1 192.168.0.2 192.168.0.3*::
+Encrypted connections between all 3 computers. This command should be executed on 192.168.0.2 (-a) and on the other two computers with the appropriate -a <IP>.
+The cipher is blowfisch-cbc (no, -e bl is NO typo ;).
+
+*grml-vpn -a 192.168.0.2 del 2000 192.168.0.1 192.168.0.2 192.168.0.3*::
+This command deletes the previous created encrypted connections on 192.168.0.2 (after this command it's impossible to send data to 192.168.0.{1,3} until you delete the vpn entrys on them (no, even ssh does not work anymore).
+You should execute this command on all computers of the vpn (with the appropriate -a <IP> option). You could also use grml-crypt clear to clear all vpn settings.
+
+
+SEE ALSO
+--------
+setkey(8)
+
+
+AUTHOR
+------
+grml-vpn was written by Michael Gebetsroither <michael.geb@gmx.at>.
+
+This manual page was written by Michael Gebetsroither <gebi@grml.org>.
24 tests/bash_fault.sh
@@ -0,0 +1,24 @@
+#!/bin/ash
+
+SPI_='1000'
+
+# bash runs a while/for/until loop in a subshell if input/output is a pipe
+# ksh also
+function generateRules
+{
+ local cnt_="$SPI_" # current value of spi
+ local ip_=''
+ local ip2_=''
+ local tmp_=''
+
+ cat "$TMP_" |while read ip_; do
+ cat "$TMP_" |while read ip2_; do
+ echo "$cnt_ $ip_ $ip2_"
+ ((cnt_++))
+ done
+ done
+}
+
+TMP_=${1:-test2}
+
+generateRules
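Review bot: The shebang is `#!/bin/ash`, but the body uses `function` and `((cnt_++))`, which a POSIX ash does not provide, so the script most likely fails at parse time instead of demonstrating the subshell-counter behaviour its header comment describes; `#!/bin/bash` (or zsh, for the contrasting case) matches the intent. A comment stating the expected output — whether `cnt_` should keep increasing across the outer loop or restart at `$SPI_` for each outer IP — would make the fixture self-explanatory.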
19 tests/bigtest.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# test all 3 input methodes for vpn with 2 computers
+echo 'MIT USER PW'
+echo 'input = stdin'
+cat test2 |fakeroot ./grml-vpn -k testpw -p -c -a 192.168.9.10 add 1000
+echo 'input = file'
+fakeroot ./grml-vpn -k testpw -p -f test2 -a 192.168.9.10 add 1000
+echo 'input = cmd'
+fakeroot ./grml-vpn -k testpw -p -a 192.168.9.10 add 1000 192.168.9.10 192.168.9.20 192.168.9.1
+
+echo
+echo 'MIT AUTO PW'
+echo 'input = stdin'
+cat test2 |fakeroot ./grml-vpn -p -c -a 192.168.9.10 add 1000
+echo 'input = file'
+fakeroot ./grml-vpn -p -f test2 -a 192.168.9.10 add 1000
+echo 'input = cmd'
+fakeroot ./grml-vpn -p -a 192.168.9.10 add 1000 192.168.9.10 192.168.9.20 192.168.9.1
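Review bot: None of the invocations has its exit status or output checked, so this script (and `tests/smalltest.sh`, which has the same shape) prints results for a human to eyeball but can never fail; `set -e` at the top, or `|| exit 1` after each run, turns it into a real check. `cat test2 |` before each stdin case can simply be `< test2`. `fakeroot` only satisfies the script's root check here, and the runs are safe because `-p` swaps setkey for `cat`; a comment saying so would keep someone from dropping `-p` and touching the live SAD.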
21 tests/smalltest.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# test all 3 input methodes for vpn with 2 computers
+echo 'MIT USER PW'
+echo 'input = stdin'
+cat test1 |fakeroot ./grml-vpn -k testpw -p -c -a 192.168.9.10 add 1000
+echo 'input = file'
+fakeroot ./grml-vpn -k testpw -p -f test1 -a 192.168.9.10 add 1000
+echo 'input = cmd'
+fakeroot ./grml-vpn -k testpw -p -a 192.168.9.10 add 1000 192.168.9.10 192.168.9.20
+echo "input = cmd SPECIAL CASE, without -a"
+fakeroot ./grml-vpn -k testpw -p add 1000 192.168.9.10 192.168.9.20
+
+echo
+echo 'MIT AUTO PW'
+echo 'input = stdin'
+cat test1 |fakeroot ./grml-vpn -p -c -a 192.168.9.10 add 1000
+echo 'input = file'
+fakeroot ./grml-vpn -p -f test1 -a 192.168.9.10 add 1000
+echo 'input = cmd'
+fakeroot ./grml-vpn -p -a 192.168.9.10 add 1000 192.168.9.10 192.168.9.20
29 tests/spi.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+TMP_=${1:-test2}
+
+function writeIPs
+{
+ local own_ip_="$1"
+ local ip_=''
+ local ip2_=''
+ local cnt_='1000'
+ local tmp_=''
+
+ cat "$TMP_" |while read ip_; do
+ cat "$TMP_" |while read ip2_; do
+ if [[ "$ip_" == "$ip2_" ]]; then
+ let cnt_=$cnt_+1
+ continue
+ fi
+ echo "$cnt_ - ""$ip_" "$ip2_"
+ let cnt_=$cnt_+1
+ done
+ done
+}
+
+for i in 192.168.9.20 192.168.9.10 192.168.9.1; do
+ echo
+ echo $i
+ writeIPs $i |grep -E "($i )|($i$)"
+done
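Review bot: The shebang is `#!/bin/sh`, but the script uses `function`, `local` and `[[ ... ]]`, which a POSIX `sh` (dash on Debian) rejects; `#!/bin/bash` matches the syntax actually used. Both `while read` loops are fed through a pipe, so under bash the `let cnt_=...` updates happen in a subshell and the printed SPI restarts for every outer IP, whereas zsh runs the last pipeline stage in the current shell — the same point `tests/bash_fault.sh` makes — so the header should state which shell the expected numbers come from.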
4 tests/test1
@@ -0,0 +1,4 @@
+192.168.9.10
+# ha
+
+192.168.9.20
3 tests/test2
@@ -0,0 +1,3 @@
+192.168.9.1
+192.168.9.10
+192.168.9.20
24 tests/test3
@@ -0,0 +1,24 @@
+192.168.9.1
+192.168.9.2
+192.168.9.3
+192.168.9.4
+192.168.9.5
+192.168.9.6
+192.168.9.7
+192.168.9.8
+192.168.9.9
+192.168.9.10
+192.168.9.11
+192.168.9.12
+192.168.9.13
+192.168.9.14
+192.168.9.15
+192.168.9.16
+192.168.9.17
+192.168.9.18
+192.168.9.19
+# test
+192.168.9.20
+192.168.9.21
+192.168.9.22
+192.168.9.23
40 tests/test4
@@ -0,0 +1,40 @@
+192.168.9.1
+192.168.9.2
+192.168.9.3
+192.168.9.4
+192.168.9.5
+192.168.9.6
+192.168.9.7
+192.168.9.8
+192.168.9.9
+192.168.9.10
+192.168.9.11
+192.168.9.12
+192.168.9.13
+192.168.9.14
+192.168.9.15
+192.168.9.16
+192.168.9.17
+192.168.9.18
+192.168.9.19
+192.168.9.20
+192.168.9.21
+192.168.9.22
+192.168.9.23
+192.168.9.24
+192.168.9.25
+192.168.9.26
+192.168.9.27
+192.168.9.28
+192.168.9.29
+192.168.9.30
+192.168.9.31
+192.168.9.32
+192.168.9.33
+192.168.9.34
+192.168.9.35
+192.168.9.36
+192.168.9.37
+192.168.9.38
+192.168.9.39
+192.168.9.40
