authorDaniil Baturin <daniil@baturin.org>2018-06-24 13:35:44 +0200
committerDaniil Baturin <daniil@baturin.org>2018-06-24 13:35:44 +0200
commitc2f8d1a44defeadefcda560ba8a3883e25e24831 (patch)
tree1eead2a9118b556932ca10e398d8d94f510b70ac /scripts
parenta88aa2e1a16e1ac1af1fa3b19cb2b88c7783af37 (diff)
parent9324923d31d389110e2ab882a035982e2b269417 (diff)
Merge branch 'current' into lithiumlithium
Conflicts: lib/OPMode.pm scripts/vyatta-show-ipsec-status.pl templates/show/vpn/ipsec/sa/node.def templates/show/vpn/ipsec/sa/peer/node.def templates/show/vpn/ipsec/status/node.def
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/gen_local_rsa_key.pl20
-rw-r--r--scripts/key-pair.template46
-rwxr-xr-xscripts/vyatta-gen-x509-keypair.in (renamed from scripts/vyatta-gen-x509-keypair.sh)2
-rwxr-xr-xscripts/vyatta-op-vpn.pl6
-rw-r--r--scripts/vyatta-op-vpnprof.pl6
-rw-r--r--scripts/vyatta-show-ipsec-status.pl5
6 files changed, 55 insertions, 30 deletions
diff --git a/scripts/gen_local_rsa_key.pl b/scripts/gen_local_rsa_key.pl
index ce3f69b..e874316 100755
--- a/scripts/gen_local_rsa_key.pl
+++ b/scripts/gen_local_rsa_key.pl
@@ -31,20 +31,12 @@ use Vyatta::Misc qw(get_short_config_path);
# Defaults
my $bits = 2192;
-my $device = "/dev/random";
if ($#ARGV > 1) {
die "Usage: gen_local_rsa_key.pl <bits> <device>\n";
}
$bits = $ARGV[0] if $#ARGV >= 0;
-#
-# The ipsec newhostkey command seems to support up to
-# 20000 bits for key generation, but xorp currently
-# can't handle a line that long when entered in the
-# config. Xorp seems to be able to handle keys generated
-# with up to 5840 bits.
-#
my ($bits_min, $bits_max) = (16, 4096);
if ($bits > $bits_max) {
@@ -56,10 +48,6 @@ if ($bits < $bits_min) {
if ($bits % 16 != 0) {
die "bits=$bits is not a multiple of 16\n";
}
-$device = $ARGV[1] if $#ARGV >= 1;
-unless (-r $device) {
- die "invalid random number device $device\n";
-}
my $local_key_file = rsa_get_local_key_file();
@@ -100,13 +88,7 @@ if (-e $temp_key_file) {
}
}
-$cmd = "/usr/lib/ipsec/newhostkey --output $local_key_file --bits $bits";
-#
-# The default random number generator is /dev/random, but it will block
-# if there isn't enough system activity to provide enough "good" random
-# bits. Try /dev/urandom if it's taking too long.
-#
-$cmd .= " --random $device";
+$cmd = "/usr/bin/openssl genrsa -out $local_key_file $bits";
# when presenting to users, show shortened /config path
my $shortened_cfg_path_file = get_short_config_path($local_key_file);
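Review bot: The usage message on L34 still advertises a `<device>` argument and the `$#ARGV > 1` test still admits one, although the `$device` variable and its `-r` check are removed, so a second argument is now silently ignored; tighten both to `die "Usage: gen_local_rsa_key.pl <bits>\n" if $#ARGV > 0;`. `$bits` is only compared numerically before it lands in the openssl command string on L65, so a non-numeric value numifies with a warning instead of being rejected; add `die "bits=$bits is not a positive integer\n" unless $bits =~ /\A\d+\z/;` right after the `$ARGV[0]` assignment. The unchanged 16-bit floor in `$bits_min` (L44) allows trivially factorable keys; 2048, matching the new `default_bits` in key-pair.template, would be a safer minimum. How `$cmd` is executed lies outside the hunk; if it is handed to `system` as a single string, the list form `system('/usr/bin/openssl', 'genrsa', '-out', $local_key_file, $bits)` would keep `$local_key_file` out of the shell.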
diff --git a/scripts/key-pair.template b/scripts/key-pair.template
index 5b5b2a6..bbf5eb9 100644
--- a/scripts/key-pair.template
+++ b/scripts/key-pair.template
@@ -1,10 +1,15 @@
[ req ]
- default_bits = 1024
+ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
+ string_mask = utf8only
attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
- dirstring_type = nobmp
+
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
@@ -24,4 +29,39 @@
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning \ No newline at end of file
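Review bot: The new `v3_intermediate_ca`, `usr_cert`, `server_cert`, `crl_ext` and `ocsp` sections are not selected by anything in this commit: `vyatta-gen-x509-keypair.in` only runs `openssl req -new` against this file, which consumes `[ req ]`, `[ req_distinguished_name ]` and, with `-x509`, `v3_ca`. They only take effect when a caller passes `-extensions <section>` to `openssl x509` or `openssl ca`, so a comment above `[ v3_intermediate_ca ]` such as `# The sections below are not read by "openssl req"; select one with -extensions when signing.` would stop readers assuming the generated CSR carries them. The `nsCertType` and `nsComment` lines in `usr_cert` and `server_cert` are legacy Netscape extensions that current verifiers generally ignore; harmless, but they could be dropped. The file now also ends without a trailing newline (L130).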
diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.in
index 5a66d0a..194ac4f 100755
--- a/scripts/vyatta-gen-x509-keypair.sh
+++ b/scripts/vyatta-gen-x509-keypair.in
@@ -1,7 +1,7 @@
#!/bin/bash
CN=$1
genkeypair (){
- openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template
+ openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template
}
if [ -f /config/auth/$CN.csr ]; then
read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?"
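Review bot: `$CN` is interpolated unquoted into the `-keyout` and `-out` paths on the changed line, so a first argument containing whitespace splits the command and one containing `/` or `..` places the key outside `/config/auth`; the `-f` test on L142 has the same exposure. Quoting the paths, `-keyout "/config/auth/$CN.key" -out "/config/auth/$CN.csr"`, fixes the splitting, and a whitelist before `genkeypair` is called, `case "$CN" in *[!A-Za-z0-9._-]*|'') echo "invalid name: $CN" >&2; exit 1;; esac`, keeps the name inside the directory. The rest of the script is outside the hunk.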
diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl
index d6648ae..50cbcbd 100755
--- a/scripts/vyatta-op-vpn.pl
+++ b/scripts/vyatta-op-vpn.pl
@@ -73,10 +73,10 @@ if (defined $show_ipsec_sa_peer) {
if (defined $show_ipsec_sa_peer_detail) {
Vyatta::VPN::OPMode::show_ipsec_sa_peer_detail($show_ipsec_sa_peer_detail);
}
-if (defined @show_ipsec_sa_conn_detail) {
+if (@show_ipsec_sa_conn_detail) {
Vyatta::VPN::OPMode::show_ipsec_sa_conn_detail(@show_ipsec_sa_conn_detail);
}
-if (defined @show_ipsec_sa_conn) {
+if (@show_ipsec_sa_conn) {
Vyatta::VPN::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn);
}
if (defined $show_ipsec_sa_natt) {
@@ -88,7 +88,7 @@ if (defined $show_ipsec_sa_stats) {
if (defined $show_ipsec_sa_stats_peer) {
Vyatta::VPN::OPMode::show_ipsec_sa_stats_peer($show_ipsec_sa_stats_peer);
}
-if (defined @show_ipsec_sa_stats_conn) {
+if (@show_ipsec_sa_stats_conn) {
Vyatta::VPN::OPMode::show_ipsec_sa_stats_conn(@show_ipsec_sa_stats_conn);
}
if (defined $show_ike_sa) {
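Review bot: The replaced `defined @array` tests in this section and in vyatta-op-vpnprof.pl (L178–L193) carry no comment explaining the change, and the construct is easy to reintroduce by analogy with the surrounding `defined $scalar` checks. A one-line comment above the first occurrence on L153, `# defined(@array) is a fatal error since Perl 5.22; an array in boolean context is true when non-empty.`, records why the two forms differ. How these arrays are populated is outside the hunk, but the truth test is correct for an option list either way.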
diff --git a/scripts/vyatta-op-vpnprof.pl b/scripts/vyatta-op-vpnprof.pl
index 72124fa..4da46c4 100644
--- a/scripts/vyatta-op-vpnprof.pl
+++ b/scripts/vyatta-op-vpnprof.pl
@@ -52,11 +52,11 @@ if ( defined $show_ipsec_sa_profile_detail ) {
Vyatta::vpnprof::OPMode::show_ipsec_sa_profile_detail(
$show_ipsec_sa_profile_detail);
}
-if ( defined @show_ipsec_sa_conn_detail ) {
+if ( @show_ipsec_sa_conn_detail ) {
Vyatta::vpnprof::OPMode::show_ipsec_sa_conn_detail(
@show_ipsec_sa_conn_detail);
}
-if ( defined @show_ipsec_sa_conn ) {
+if ( @show_ipsec_sa_conn ) {
Vyatta::vpnprof::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn);
}
if ( defined $show_ipsec_sa_stats ) {
@@ -66,7 +66,7 @@ if ( defined $show_ipsec_sa_stats_profile ) {
Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_profile(
$show_ipsec_sa_stats_profile);
}
-if ( defined @show_ipsec_sa_stats_conn ) {
+if ( @show_ipsec_sa_stats_conn ) {
Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_conn(
@show_ipsec_sa_stats_conn);
}
diff --git a/scripts/vyatta-show-ipsec-status.pl b/scripts/vyatta-show-ipsec-status.pl
index a96d1dd..bff36c8 100644
--- a/scripts/vyatta-show-ipsec-status.pl
+++ b/scripts/vyatta-show-ipsec-status.pl
@@ -98,7 +98,10 @@ sub relate_intfs_with_localips {
#
my $process_id = `sudo cat /var/run/charon.pid`;
-my $active_tunnels = `sudo ipsec status 2>/dev/null | grep 'newest IPsec SA: #' | grep -v 'newest IPsec SA: #0' | wc -l`;
+# Update to deal with new strongswan syntax for ipsec status command.
+my $sa_summary = `sudo ipsec status 2>/dev/null | grep "Security Associations" `;
+my $active_tunnels;
+($active_tunnels) = $sa_summary =~ /\((.*?) up/;
chomp $process_id;
chomp $active_tunnels;
my @vpn_interfaces = get_vpn_intfs();
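Review bot: When the grep on L206 matches nothing — charon not running, or a strongSwan release that prints the summary differently — `$sa_summary` is empty, the match on L208 fails, `$active_tunnels` stays undef and `chomp $active_tunnels` on L210 raises an uninitialized-value warning where the old `wc -l` pipeline always yielded a number. Capture digits only and supply a default, replacing L207–L208 with `my ($active_tunnels) = $sa_summary =~ /\((\d+) up/;` followed by `$active_tunnels = 0 unless defined $active_tunnels;`. The comment on L205 describes the commit rather than the code; `# "ipsec status" ends with a summary like "Security Associations (1 up, 0 connecting):"; take the "up" count.` tells the next reader what format is expected. The `relate_intfs_with_localips` sub named in the hunk header starts before this hunk; these lines appear to be top-level statements after it.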