strongswan: miscellaneous cleanup of config file, etc
authorPhilip Prindeville <redacted>
Sat, 26 Jun 2021 17:26:18 +0000 (11:26 -0600)
committerPhilip Prindeville <redacted>
Sun, 27 Jun 2021 22:31:31 +0000 (16:31 -0600)
Use lists where appropriate for multi-value config variables.

Forbid absolute/relative paths for certificate and key files.

Get rid of last remnants of left/right naming.

Factor invariant code paths.

Drop redundant secrets.rsa.filename section.

Thanks to Vincent Wiemann <redacted> for calling
out many of these improvements.

Signed-off-by: Philip Prindeville <redacted>
net/strongswan/files/swanctl.init

index 6ccddb0769850870c5d48050d3dda865bbb77383..f498036d050d3a0f95ccb2d8f2c4ee4a8543a65c 100644 (file)
@@ -19,8 +19,7 @@ WAIT_FOR_INTF=0
 
 CONFIG_FAIL=0
 
-time2seconds()
-{
+time2seconds() {
        local timestring="$1"
        local multiplier number suffix
 
@@ -42,8 +41,7 @@ time2seconds()
        echo $(( number * multiplier ))
 }
 
-seconds2time()
-{
+seconds2time() {
        local seconds="$1"
 
        if [ $seconds -eq 0 ]; then
@@ -135,6 +133,11 @@ fatal() {
        CONFIG_FAIL=1
 }
 
+append_var() {
+       local var="$2" value="$1" delim="${3:- }"
+       append "$var" "$value" "$delim"
+}
+
 is_aead() {
        local cipher="$1"
 
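Review bot: append_var takes the value as $1 and the target variable name as $2, the reverse of `append`'s own order, and nothing on the function says why; judging from the call sites (`config_list_foreach "$1" local_subnet append_var local_subnet ","`) the order is dictated by config_list_foreach passing the list item first and the extra arguments after it. A one-line comment above the definition would spare the next reader a trip to functions.sh, e.g. `# config_list_foreach callback: $1 is the list item, $2 the variable to append to, $3 the separator (default space)`. The `${3:- }` default also means an explicitly empty separator is silently replaced by a space, which is worth stating if that is intended.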
@@ -228,17 +231,18 @@ config_child() {
        local rekeytime
 
        config_get startaction "$1" startaction "route"
-       config_get local_subnet "$1" local_subnet ""
        config_get local_nat "$1" local_nat ""
        config_get updown "$1" updown ""
        config_get firewall "$1" firewall ""
-       config_get remote_subnet "$1" remote_subnet ""
        config_get lifetime "$1" lifetime ""
        config_get dpdaction "$1" dpdaction "none"
        config_get closeaction "$1" closeaction "none"
        config_get if_id "$1" if_id ""
        config_get rekeytime "$1" rekeytime ""
 
+       config_list_foreach "$1" local_subnet append_var local_subnet ","
+       config_list_foreach "$1" remote_subnet append_var remote_subnet ","
+
        local esp_proposal
        parse_esp_proposal "$1" esp_proposal
 
@@ -336,7 +340,7 @@ config_connection() {
        local gateway
        local local_gateway
        local local_sourceip
-       local local_leftip
+       local local_ip
        local remote_gateway
        local pre_shared_key
        local auth_method
@@ -359,8 +363,7 @@ config_connection() {
        config_get auth_method "$1" authentication_method
        config_get local_identifier "$1" local_identifier ""
        config_get remote_identifier "$1" remote_identifier ""
-       config_get local_sourceip "$1" local_sourceip ""
-       config_get local_leftip "$1" local_leftip "%any"
+       config_get local_ip "$1" local_ip "%any"
        config_get keyingtries "$1" keyingtries "3"
        config_get dpddelay "$1" dpddelay "30s"
        config_get inactivity "$1" inactivity
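Review bot: The rename from local_leftip to local_ip has no fallback, so an existing config that still sets `option local_leftip` silently gets the `%any` default and the tunnel binds to every address. If a migration period is wanted, read the new name first and fall back to the old one: `config_get local_ip "$1" local_ip ""` followed by `[ -z "$local_ip" ] && config_get local_ip "$1" local_leftip "%any"`. config_connection starts and ends outside this hunk.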
@@ -373,6 +376,8 @@ config_connection() {
        config_get rekeytime "$1" rekeytime
        config_get overtime "$1" overtime
 
+       config_list_foreach "$1" local_sourceip append_var local_sourceip ","
+
        case "$fragmentation" in
        0)
                fragmentation="no" ;;
@@ -389,22 +394,42 @@ config_connection() {
 
        [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
 
-       [ -z "$local_gateway" ] && {
-               local ipdest
+       local ipdest
+       [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
+       local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
 
-               [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
-               local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
-       }
+       if [ -n "$local_key" ]; then
+               [ "$(dirname "$local_key")" != "." ] && \
+                  fatal "local_key $local_key can't be pathname"
+               [ -f "/etc/swanctl/private/$local_key" ] || \
+                  fatal "local_key $local_key not found"
+       fi
 
        local ike_proposal
        parse_ike_proposal "$1" ike_proposal
 
        [ -n "$firewall" ] && fatal "Firewall not supported"
 
+       if [ "$auth_method" = pubkey ]; then
+               if [ -n "$ca_cert" ]; then
+                       [ "$(dirname "$ca_cert")" != "." ] && \
+                           fatal "ca_cert $ca_cert can't be pathname"
+                       [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \
+                           fatal "ca_cert $ca_cert not found"
+               fi
+
+               if [ -n "$local_cert" ]; then
+                       [ "$(dirname "$local_cert")" != "." ] && \
+                           fatal "local_cert $local_cert can't be pathname"
+                       [ -f "/etc/swanctl/x509/$local_cert" ] || \
+                           fatal "local_cert $local_cert not found"
+               fi
+       fi
+
        swanctl_xappend0 "# config for $config_name"
        swanctl_xappend0 "connections {"
        swanctl_xappend1 "$config_name {"
-       swanctl_xappend2 "local_addrs = $local_leftip"
+       swanctl_xappend2 "local_addrs = $local_ip"
        swanctl_xappend2 "remote_addrs = $remote_gateway"
 
        [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
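Review bot: The three file checks added for local_key, ca_cert and local_cert are the same dirname/-f pair repeated with the kind, variable and /etc/swanctl subdirectory swapped, which works against the commit's stated "factor invariant code paths" goal; a small helper taking those three values would hold the logic once and make any later tightening (for example also rejecting names that begin with a dot) a one-place change. While factoring, it is worth deciding whether the local_key check belongs under the `[ "$auth_method" = pubkey ]` guard like the other two, since as written a PSK connection carrying a stale local_key value now hits fatal. Separately, the `[ -z "$local_gateway" ]` guard around the `ip -o route get` lookup has been dropped, so if local_gateway is still read from config earlier in config_connection (not visible in this hunk) that value is now overwritten unconditionally. config_connection starts and ends outside this hunk.
```shell
# Reject anything that is not a bare filename, then confirm it exists under
# the given /etc/swanctl subdirectory.  An empty name is accepted as-is.
check_swanctl_file() {
	local kind="$1" name="$2" subdir="$3"

	[ -n "$name" ] || return 0
	[ "$(dirname "$name")" != "." ] && \
	    fatal "$kind $name can't be pathname"
	[ -f "/etc/swanctl/$subdir/$name" ] || \
	    fatal "$kind $name not found"
}

# … unchanged: config_connection up to and including the local_gateway lookup …

	check_swanctl_file local_key "$local_key" private

	# … unchanged: ike proposal parsing, firewall check …

	if [ "$auth_method" = pubkey ]; then
		check_swanctl_file ca_cert "$ca_cert" x509ca
		check_swanctl_file local_cert "$local_cert" x509
	fi
```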
@@ -414,7 +439,8 @@ config_connection() {
        swanctl_xappend3 "auth = $auth_method"
 
        [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
-       [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert"
+       [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
+           swanctl_xappend3 "certs = $local_cert"
        swanctl_xappend2 "}"
 
        swanctl_xappend2 "remote {"
@@ -464,14 +490,6 @@ config_connection() {
        if [ "$auth_method" = pubkey ]; then
                swanctl_xappend0 ""
 
-               swanctl_xappend0 "secrets {"
-               swanctl_xappend1 "rsa {"
-               swanctl_xappend2 "filename = $local_key"
-               swanctl_xappend1 "}"
-               swanctl_xappend0 "}"
-
-               swanctl_xappend0 ""
-
                if [ -n "$ca_cert" ]; then
                        swanctl_xappend0 "authorities {"
                        swanctl_xappend1 "$config_name {"
@@ -505,15 +523,12 @@ do_preamble() {
        swanctl_xappend0 "# generated by /etc/init.d/swanctl"
 }
 
-append_interface() {
-       append interface_list "$1" " "
-}
-
 config_ipsec() {
        local rtinstall_enabled
        local routing_table
        local routing_table_id
        local interface
+       local interface_list
 
        config_get debug "$1" debug 0
        config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
@@ -530,8 +545,7 @@ config_ipsec() {
                [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
        done
 
-       local interface_list
-       config_list_foreach "$1" interface append_interface
+       config_list_foreach "$1" interface append_var interface_list
 
        if [ -z "$interface_list" ]; then
                WAIT_FOR_INTF=0