From bdd95c4fa54015a37bbe5c206469bd1b0552d0dc Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Fri, 8 Nov 2019 16:05:48 +0000 Subject: QAT: T1788: Intel QAT implementation --- src/conf_mode/intel_qat.py | 108 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100755 src/conf_mode/intel_qat.py (limited to 'src/conf_mode') diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py new file mode 100755 index 000000000..a1abd5e81 --- /dev/null +++ b/src/conf_mode/intel_qat.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import os +import re +import subprocess + +from vyos.config import Config +from vyos import ConfigError + +# Define for recovering +gl_ipsec_conf = None + +def get_config(): + c = Config() + config_data = { + 'qat_conf' : None, + 'ipsec_conf' : None, + 'openvpn_conf' : None, + } + + if c.exists('system acceleration qat'): + config_data['qat_conf'] = True + + if c.exists('vpn ipsec '): + gl_ipsec_conf = True + config_data['ipsec_conf'] = True + + if c.exists('interfaces openvpn'): + config_data['openvpn_conf'] = True + + return config_data + +# Control configured VPN service which can use QAT +def vpn_control(action): + if action == 'restore' and gl_ipsec_conf: + ret = subprocess.Popen(['sudo', 'ipsec', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + (output, err) = ret.communicate() + return + + ret = subprocess.Popen(['sudo', 'ipsec', action], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + (output, err) = ret.communicate() + +def verify(c): + # Check if QAT service installed + if not os.path.exists('/etc/init.d/vyos-qat-utilities'): + raise ConfigError("Warning: QAT init file not found") + + if c['qat_conf'] == None: + return + + # Check if QAT device exist + ret = subprocess.Popen(['sudo', 'lspci', '-nn'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + (output, err) = ret.communicate() + if not err: + data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output.decode("utf-8")) + #If QAT devices found + if not data: + print("\t No QAT acceleration device found") + sys.exit(1) + +def apply(c): + if c['ipsec_conf']: + # Shutdown VPN service which can use QAT + vpn_control('stop') + + # Disable QAT service + if c['qat_conf'] == None: + ret = subprocess.Popen(['sudo', '/etc/init.d/vyos-qat-utilities', 'stop'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + (output, err) = ret.communicate() + if c['ipsec_conf']: + vpn_control('start') + + return + + # Run qat init.d script + ret = subprocess.Popen(['sudo', '/etc/init.d/vyos-qat-utilities', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + (output, err) = ret.communicate() + + if c['ipsec_conf']: + # Recovery VPN service + vpn_control('start') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + apply(c) + except ConfigError as e: + print(e) + vpn_control('restore') + sys.exit(1) -- cgit v1.2.3 From fefb96e45b1eb48e2f0ad204528c62ba8c858aa3 Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Wed, 6 Nov 2019 23:11:21 +0000 Subject: l2tp: T1747: automatically calculate gw-ip-address --- src/conf_mode/accel_l2tp.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py index 244a720db..37fda2029 100755 --- a/src/conf_mode/accel_l2tp.py +++ b/src/conf_mode/accel_l2tp.py @@ -125,6 +125,9 @@ gw-ip-address={{outside_nexthop}} {% if authentication['mode'] == 'local' %} [chap-secrets] chap-secrets=/etc/accel-ppp/l2tp/chap-secrets +{% if outside_nexthop %} +gw-ip-address={{outside_nexthop}} +{% endif %} {% endif %} [ppp] @@ -287,7 +290,7 @@ def get_config(): 'mppe' : 'prefer' }, 'outside_addr' : '', - 'outside_nexthop' : '', + 'outside_nexthop' : '10.255.255.0', 'dns' : [], 'dnsv6' : [], 'wins' : [], @@ -429,7 +432,16 @@ def get_config(): ### gateway address if c.exists('outside-nexthop'): config_data['outside_nexthop'] = c.return_value('outside-nexthop') - + else: + ### calculate gw-ip-address + if c.exists('client-ip-pool start'): + ### use start ip as gw-ip-address + config_data['outside_nexthop'] = c.return_value('client-ip-pool start') + elif c.exists('client-ip-pool subnet'): + ### use first ip address from first defined pool + lst_ip = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", c.return_values('client-ip-pool subnet')[0]) + config_data['outside_nexthop'] = lst_ip[0] + if c.exists('authentication require'): auth_mods = {'pap' : 'pap','chap' : 'auth_chap_md5', 'mschap' : 'auth_mschap_v1', 'mschap-v2' : 'auth_mschap_v2'} for proto in c.return_values('authentication require'): -- cgit v1.2.3 From d13ed0f466f1e150159067c1b335fdc0317b6c20 Mon Sep 17 00:00:00 2001 From: vindenesen Date: Tue, 1 Oct 2019 21:49:35 +0200 Subject: [OpenVPN]: T1704: Added function for ncp-ciphers, and ability to disable it. [OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers. [OpenVPN]: T1704: Added migration scripts for interface 2-to-3 --- interface-definitions/interfaces-openvpn.xml | 155 ++++++++++++++++++--------- src/conf_mode/interfaces-openvpn.py | 48 ++++++++- src/migration-scripts/interfaces/2-to-3 | 43 ++++++++ 3 files changed, 193 insertions(+), 53 deletions(-) create mode 100755 src/migration-scripts/interfaces/2-to-3 (limited to 'src/conf_mode') diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml index 42c953fdc..10f8198f2 100644 --- a/interface-definitions/interfaces-openvpn.xml +++ b/interface-definitions/interfaces-openvpn.xml @@ -102,57 +102,114 @@ - + - Data Encryption Algorithm - - des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm - - - des - DES algorithm - - - 3des - DES algorithm with triple encryption - - - bf128 - Blowfish algorithm with 128-bit key - - - bf256 - Blowfish algorithm with 256-bit key - - - aes128 - AES algorithm with 128-bit key CBC - - - aes128gcm - AES algorithm with 128-bit key GCM - - - aes192 - AES algorithm with 192-bit key CBC - - - aes192gcm - AES algorithm with 192-bit key GCM - - - aes256 - AES algorithm with 256-bit key CBC - - - aes256gcm - AES algorithm with 256-bit key GCM - - - (des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm) - + Data Encryption settings - + + + + Standard Data Encryption Algorithm + + des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm + + + des + DES algorithm + + + 3des + DES algorithm with triple encryption + + + bf128 + Blowfish algorithm with 128-bit key + + + bf256 + Blowfish algorithm with 256-bit key + + + aes128 + AES algorithm with 128-bit key CBC + + + aes128gcm + AES algorithm with 128-bit key GCM + + + aes192 + AES algorithm with 192-bit key CBC + + + aes192gcm + AES algorithm with 192-bit key GCM + + + aes256 + AES algorithm with 256-bit key CBC + + + aes256gcm + AES algorithm with 256-bit key GCM + + + (des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm) + + + + + + Data Encryption Algorithm list for use in server or client mode + + des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm + + + des + DES algorithm + + + 3des + DES algorithm with triple encryption + + + aes128 + AES algorithm with 128-bit key CBC + + + aes128gcm + AES algorithm with 128-bit key GCM + + + aes192 + AES algorithm with 192-bit key CBC + + + aes192gcm + AES algorithm with 192-bit key GCM + + + aes256 + AES algorithm with 256-bit key CBC + + + aes256gcm + AES algorithm with 256-bit key GCM + + + (des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm) + + + + + + + Disable support for ncp-ciphers + + + + + Hashing Algorithm diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index cdd133904..5140cc468 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -220,6 +220,12 @@ cipher aes-256-gcm {%- elif 'aes256' in encryption %} cipher aes-256-cbc {% endif %} +{%- if ncp_ciphers %} +ncp-ciphers {{ncp_ciphers}} +{% endif %} +{% endif %} +{%- if disable_ncp %} +ncp-disable {% endif %} {%- if auth %} @@ -277,6 +283,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'disable_ncp': False, 'encryption': '', 'hash': '', 'intf': '', @@ -287,6 +294,7 @@ default_config_data = { 'local_host': '', 'local_port': '', 'mode': '', + 'ncp_ciphers': '', 'options': [], 'persistent_tunnel': False, 'protocol': '', @@ -410,10 +418,36 @@ def get_config(): if conf.exists('disable'): openvpn['disable'] = True - # data encryption algorithm - if conf.exists('encryption'): - openvpn['encryption'] = conf.return_value('encryption') - + # data encryption algorithm cipher + if conf.exists('encryption cipher'): + openvpn['encryption'] = conf.return_value('encryption cipher') + + # disable ncp-ciphers support + if conf.exists('encryption disable-ncp'): + openvpn['disable_ncp'] = True + + # data encryption algorithm ncp-list + if conf.exists('encryption ncp-ciphers'): + _ncp_ciphers = [] + for enc in conf.return_values('encryption ncp-ciphers'): + if enc == 'des': + _ncp_ciphers.append('des-cbc') + elif enc == '3des': + _ncp_ciphers.append('des-ede3-cbc') + elif enc == 'aes128': + _ncp_ciphers.append('aes-128-cbc') + elif enc == 'aes128gcm': + _ncp_ciphers.append('aes-128-gcm') + elif enc == 'aes192': + _ncp_ciphers.append('aes-192-cbc') + elif enc == 'aes192gcm': + _ncp_ciphers.append('aes-192-gcm') + elif enc == 'aes256': + _ncp_ciphers.append('aes-256-cbc') + elif enc == 'aes256gcm': + _ncp_ciphers.append('aes-256-gcm') + openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers) + # hash algorithm if conf.exists('hash'): openvpn['hash'] = conf.return_value('hash') @@ -621,6 +655,9 @@ def verify(openvpn): if openvpn['bridge_member']: raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge)) + # Check if we have disabled ncp and at the same time specified ncp-ciphers + if openvpn['disable_ncp'] and openvpn['ncp_ciphers']: + raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"') # # OpenVPN client mode - VERIFY # @@ -661,6 +698,9 @@ def verify(openvpn): if openvpn['local_address'] == openvpn['local_host']: raise ConfigError('"local-address" cannot be the same as "local-host"') + if openvpn['ncp_ciphers']: + raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client') + else: if openvpn['local_address'] or openvpn['remote_address']: raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode') diff --git a/src/migration-scripts/interfaces/2-to-3 b/src/migration-scripts/interfaces/2-to-3 new file mode 100755 index 000000000..a63a54cdf --- /dev/null +++ b/src/migration-scripts/interfaces/2-to-3 @@ -0,0 +1,43 @@ +#!/usr/bin/env python3 + +# Change syntax of openvpn encryption settings +# - move cipher from encryption to encryption cipher +# https://phabricator.vyos.net/T1704 + +import sys +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['interfaces', 'openvpn'] + +if not config.exists(base): + # Nothing to do + sys.exit(0) +else: + # + # move cipher from "encryption" to "encryption cipher" + # + for intf in config.list_nodes(['interfaces', 'openvpn']): + # Check if encryption is set + if config.exists(['interfaces', 'openvpn', intf, 'encryption']): + # Get cipher used + cipher = config.return_value(['interfaces', 'openvpn', intf, 'encryption']) + # Delete old syntax + config.delete(['interfaces', 'openvpn', intf, 'encryption']) + # Add new syntax to config + config.set(['interfaces', 'openvpn', intf, 'encryption', 'cipher'], value=cipher) + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) -- cgit v1.2.3 From c77b9a6bdfab2658442ebcff660db2f031b772ea Mon Sep 17 00:00:00 2001 From: vindenesen Date: Mon, 21 Oct 2019 11:56:07 +0200 Subject: [OpenVPN]: T1704: Moved ncp-ciphers out of encryption block in config template --- src/conf_mode/interfaces-openvpn.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 5140cc468..321cef57c 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -220,10 +220,11 @@ cipher aes-256-gcm {%- elif 'aes256' in encryption %} cipher aes-256-cbc {% endif %} +{% endif %} + {%- if ncp_ciphers %} ncp-ciphers {{ncp_ciphers}} {% endif %} -{% endif %} {%- if disable_ncp %} ncp-disable {% endif %} -- cgit v1.2.3 From b8ea719ba035e52879b65157d01b60f67ca73868 Mon Sep 17 00:00:00 2001 From: vindenesen Date: Mon, 21 Oct 2019 11:58:40 +0200 Subject: [OpenVPN]: T1704: Added uppercase entries of ncp-ciphers, since there seems to be a bug in OpenVPN client when comparing pushed cipher with local ncp cipher list --- src/conf_mode/interfaces-openvpn.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 321cef57c..50d367f2f 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -433,20 +433,28 @@ def get_config(): for enc in conf.return_values('encryption ncp-ciphers'): if enc == 'des': _ncp_ciphers.append('des-cbc') + _ncp_ciphers.append('DES-CBC') elif enc == '3des': _ncp_ciphers.append('des-ede3-cbc') + _ncp_ciphers.append('DES-EDE3-CBC') elif enc == 'aes128': _ncp_ciphers.append('aes-128-cbc') + _ncp_ciphers.append('AES-128-CBC') elif enc == 'aes128gcm': _ncp_ciphers.append('aes-128-gcm') + _ncp_ciphers.append('AES-128-GCM') elif enc == 'aes192': _ncp_ciphers.append('aes-192-cbc') + _ncp_ciphers.append('AES-192-CBC') elif enc == 'aes192gcm': _ncp_ciphers.append('aes-192-gcm') + _ncp_ciphers.append('AES-192-GCM') elif enc == 'aes256': _ncp_ciphers.append('aes-256-cbc') + _ncp_ciphers.append('AES-256-CBC') elif enc == 'aes256gcm': _ncp_ciphers.append('aes-256-gcm') + _ncp_ciphers.append('AES-256-GCM') openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers) # hash algorithm -- cgit v1.2.3