Opportunistic Encryption program and various related tests added

docs/examples/oe-letsencrypt-client.conf

@@ -1,6 +1,3 @@
-
-# See https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec_using_LetsEncrypt
-#
 conn private-or-clear
 	rightid=%fromcert
 	rightrsasigkey=%cert

docs/examples/oe-letsencrypt-server.conf

@@ -1,13 +1,11 @@
-
 conn clear-or-private
 	leftid=%fromcert
 	leftrsasigkey=%cert
-	# nickname of your letsencrypt certificate imported to NSS
-	leftcert=letsencrypt.libreswan.org
+	# name of your generated letsencrypt certificate e.g. letsencrypt.libreswan.org
+	leftcert=YourServerDNSName
 	leftauth=rsasig
 	left=%defaultroute
-	leftaddresspool=100.64.0.1-100.64.255.254
-	leftmodecfgclient=yes
+	#leftmodecfgclient=yes
 	#
 	rightid=%null
 	rightauth=null
@@ -19,3 +17,6 @@ conn clear-or-private
 	ikev2=insist
 	sendca=issuer
 	auto=add
+	#
+	rightaddresspool=100.64.0.1-100.64.255.254
+	rightmodecfgclient=yes

programs/Makefile

@@ -33,6 +33,7 @@ SUBDIRS+=readwriteconf
 SUBDIRS+=_import_crl
 SUBDIRS+=algparse
 SUBDIRS+=cavp
+SUBDIRS+=letsencrypt
 
 ifeq ($(USE_PORTEXCLUDES),true)
 SUBDIRS+=portexcludes

programs/configs/private-or-clear.in

@@ -19,5 +19,7 @@
 # prefer encrypt all incoming smtp traffic
 #  0.0.0.0/0  tcp  25  0
 #
-# Ideally, enable this for every host on the internet
-# 0.0.0.0/0
+# The libreswan letsenccrypt test server - this can be left enabled at all times
+193.110.157.131/32
+# Attempt OE IPsec using letsencrypt for the entire Internet - Comment out to disable
+0.0.0.0/0

programs/ipsec/ipsec.in

@@ -460,6 +460,10 @@ while [ ${#} -gt 0 ]; do
 	    setupoption="--stop"
 	    shift
 	    ;;
+	letsencrypt)
+	    shift
+	    exec "${IPSEC_EXECDIR}/letsencrypt" "${@}"
+	    ;;
 	restart|--restart)
 	    cmd="setup"
 	    setupoption="--restart"

programs/letsencrypt/Makefile

@@ -0,0 +1,22 @@
+# Makefile for miscellaneous programs
+# Copyright (C) 2002-2006  Michael Richardson	<mcr@xelerance.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <https://www.gnu.org/licenses/gpl2.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+PROGRAM=letsencrypt
+
+ifdef top_srcdir
+include $(top_srcdir)/mk/program.mk
+else
+include ../../mk/program.mk
+endif
+
+programs: ${PROGRAM}

programs/letsencrypt/letsencrypt.8.xml

@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<!-- lifted from troff+man by doclifter -->
+<refentry>
+<refentryinfo>
+  <author><firstname>Rishabh</firstname><surname></surname><authorblurb><para></para> </authorblurb></author>
+</refentryinfo>
+<refmeta>
+<refentrytitle>IPSEC_LETSENCRYPT</refentrytitle>
+<manvolnum>8</manvolnum>
+<refmiscinfo class='date'>3 August 2019</refmiscinfo>
+<refmiscinfo class="source">libreswan</refmiscinfo>
+<refmiscinfo class="manual">Executable programs</refmiscinfo>
+</refmeta>
+<refnamediv id='name'>
+<refname>ipsec letsencrypt</refname>
+<refpurpose>invoke Opportunistic Encryption utilities</refpurpose>
+</refnamediv>
+<!-- body begins here -->
+<refsynopsisdiv id='synopsis'>
+<cmdsynopsis>
+  <command>ipsec</command>
+    <arg choice='plain'><replaceable>letsencrypt</replaceable></arg>
+    <arg choice='opt'>--client </arg>
+    <arg choice='opt'>--server </arg>
+    <arg choice='opt'>--test </arg>
+    <arg choice='opt'>--disable </arg>
+    <arg choice='opt'>--help </arg>
+    <sbr/>
+    <arg choice='opt'><arg choice='plain'>--generate-certificate </arg><arg choice='plain'><replaceable>hostname</replaceable></arg></arg>
+    <arg choice='opt'><arg choice='plain'>--renew </arg><arg choice='plain'><replaceable>hostname</replaceable></arg></arg>
+    <sbr/>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1 id='examples'><title>EXAMPLES</title>
+<cmdsynopsis>
+  <command>ipsec</command>
+    <arg choice='plain'><replaceable>letsencrypt</replaceable></arg>
+    <arg choice='plain'>{ --client | --server | --test | --disable | -- help }</arg>
+</cmdsynopsis>
+<cmdsynopsis>
+  <command>ipsec</command>
+    <arg choice='plain'><replaceable>letsencrypt</replaceable></arg>
+    <arg choice='plain'>{ --generate-certificate | --renew }</arg>
+    <arg choice='plain'><replaceable>hostname</replaceable></arg>
+</cmdsynopsis>
+</refsect1>
+<refsect1 id='description'><title>DESCRIPTION</title>
+<para><emphasis remap='I'>Letsencrypt</emphasis>
+The command creates a secure Opportunistic Connection between the hosts commonly referred to as client and server.
+The client connects to the server and remains anonymous, whereas the server is authenticated before connecting to it.
+The server is not anonymous. The server uses Let's Encrypt certificates for authentication and encryption purposes.</para>
+
+<para>The
+<option>--client</option>
+operation is used for initial client setup.</para>
+
+<para>The
+<option>--server</option>
+operation is used for initial server setup.</para>
+
+<para>The
+<option>--test</option>
+operation is used for testing the configuration/connection.</para>
+
+<para>The
+<option>--generate-certificate hostname</option>
+operation is used for generating the certificate for the hostname.</para>
+
+<para>The
+<option>--renew hostname</option>
+operation is used for updating the generated certificate, it keeps the private key same.</para>
+
+<para>The
+<option>--disable</option>
+operation is used for disabling IPsec service.</para>
+
+<para>The
+<option>--help</option>
+operation is used for displaying all the available options.</para>
+</refsect1>
+<refsect1 id='see_also'><title>SEE ALSO</title>
+<para>
+<citerefentry><refentrytitle>ipsec.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+</para>
+</refsect1>
+<refsect1 id='history'><title>HISTORY</title>
+<para>Original Program written by &lt;<ulink url='https://github.com/Rishabh04-02/'>Rishabh</ulink>&gt; .</para>
+</refsect1>
+</refentry>