security: Build crypto/integ from client

This commit allows for building the IKE and ESP crypto and integrty
pieces of the configuration files from the protobufs sent from the
client.

Related to #220

Signed-off-by: Kyle Mestery <mestery@mestery.com>

client/go.mod

@@ -3,7 +3,7 @@ module main
 go 1.18
 
 require (
-	github.com/opiproject/opi-api v0.0.0-20220802171938-93b3b2e251a1
+	github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a
 	google.golang.org/grpc v1.48.0
 )
 

client/go.sum

@@ -45,14 +45,8 @@ github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/opiproject/opi-api v0.0.0-20220801183322-60792219aef6 h1:8muNZUo0AoTckVD260IqPMX5iviAcNBjP0gri/4K3xs=
-github.com/opiproject/opi-api v0.0.0-20220801183322-60792219aef6/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
-github.com/opiproject/opi-api v0.0.0-20220802161744-de0dcf18f402 h1:wn050GQJ+u7h7hLQ05rmVXXoTdKpao1W0yh+BNhoYug=
-github.com/opiproject/opi-api v0.0.0-20220802161744-de0dcf18f402/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
-github.com/opiproject/opi-api v0.0.0-20220802163037-abf5cd660bb0 h1:wofUE2UNMShargRZR9vxwVC6LxpMlrl2FSRtoBwec0A=
-github.com/opiproject/opi-api v0.0.0-20220802163037-abf5cd660bb0/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
-github.com/opiproject/opi-api v0.0.0-20220802171938-93b3b2e251a1 h1:BrzV2Lbhi5NOca92PRG19n8BHxReLyQPLcVn8MSlzWk=
-github.com/opiproject/opi-api v0.0.0-20220802171938-93b3b2e251a1/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
+github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a h1:3cLfwe8RPdFtKrOy3PAOx1+erxL/EYU/VyfxfuU5g5I=
+github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=

client/ipsec.go

@@ -25,12 +25,23 @@ func do_ipsec(conn grpc.ClientConnInterface, ctx context.Context) {
 					LocalIp: "192.168.200.200",
 					RemoteIp: "192.168.200.210",
 					LocalSpi: rand.Uint32(),
-					CryptoAlg: pb.CryptoAlgorithm_AES_GCM_256,
-					IntegAlg: pb.IntegAlgorithm_SHA_512_256,
+					CryptoAlg: pb.CryptoAlgorithm_AES256GCM128,
+					IntegAlg: pb.IntegAlgorithm_SHA256_96,
 					Mode: pb.IPsecMode_TUNNEL_MODE,
 				},
 			},
 		},
+		Sa: &pb.SecurityAssociations {
+			Sas: []*pb.SecurityAssociations_Sa {
+				{
+					Name: "Security Association One",
+					Spi: 8000,
+					Protocol: pb.SecurityAssociations_Sa_ESP,
+					CryptoAlg: pb.CryptoAlgorithm_AES256GMAC,
+					IntegAlg: pb.IntegAlgorithm_SHA512,
+				},
+			},
+		},
 	}
 
 	rs1, err := c1.IPsecCreate(ctx, &local_ipsec)
@@ -56,8 +67,8 @@ func do_ipsec(conn grpc.ClientConnInterface, ctx context.Context) {
 						LocalIp: "192.168.200.220",
 						RemoteIp: "192.168.200.250",
 						LocalSpi: rand.Uint32(),
-						CryptoAlg: pb.CryptoAlgorithm_AES_GMAC_256,
-						IntegAlg: pb.IntegAlgorithm_SHA1_96,
+						CryptoAlg: pb.CryptoAlgorithm_AES256,
+						IntegAlg: pb.IntegAlgorithm_MD5_128,
 						Mode: pb.IPsecMode_TRANSPORT_MODE,
 				},
 			},

server/go.mod

@@ -3,19 +3,19 @@ module main
 go 1.18
 
 require (
+	github.com/go-redis/redis/v8 v8.11.5
 	github.com/google/uuid v1.3.0
-	github.com/opiproject/opi-api v0.0.0-20220805132032-9ab6f7b71280
+	github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a
 	google.golang.org/grpc v1.48.0
+	google.golang.org/protobuf v1.28.1
 )
 
 require (
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 // indirect
 	golang.org/x/sys v0.0.0-20220804214406-8e32c043e418 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	google.golang.org/genproto v0.0.0-20220805133916-01dd62135a58 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
 )

server/go.sum

@@ -22,6 +22,7 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
@@ -53,8 +54,11 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/opiproject/opi-api v0.0.0-20220805132032-9ab6f7b71280 h1:AUBV7t1q7b7Qdhwa5Rb0UOSkHJJxZj5Yc9WjFKf+rkw=
-github.com/opiproject/opi-api v0.0.0-20220805132032-9ab6f7b71280/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
+github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a h1:3cLfwe8RPdFtKrOy3PAOx1+erxL/EYU/VyfxfuU5g5I=
+github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -135,8 +139,10 @@ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

server/ipsec_messages.go

@@ -56,37 +56,6 @@ func load_connection(command string, conn *pb.IPsecCreateRequest) error {
 	var sb strings.Builder
 	var tstr string
 
-	/*
-rw {
-   pools = rw_pool
-
-   local {
-      auth = pubkey
-      certs = serverCert.pem
-      id = server.strongswan.org
-   }
-   remote {
-      auth = pubkey
-      cacerts = caCert.pem
-   }
-   children {
-      net {
-         local_ts = 10.1.0.0/24
-
-         esp_proposals = aes256gcm128-chacha20poly1305-x25519
-         dpd_action = clear
-      }
-      host {
-         esp_proposals = aes256gcm128-chacha20poly1305-x25519
-         dpd_action = clear
-      }
-   }
-   version = 2
-   proposals = aes256-sha256-x25519
-   dpd_delay = 60s
-}
-*/
-
 	// What has to happen here is:
 	// 1. Write charon config file for connection
 	// 2. Send vici command to reload-configuration
@@ -144,7 +113,21 @@ rw {
 	tstr = "            remote_ts = 10.1.0.0/16\n"
 	sb.WriteString(tstr)
 
-	tstr = "            esp_proposals = aes256gcm128-chacha20poly1305-x25519\n"
+	tstr = "            esp_proposals = "
+	sb.WriteString(tstr)
+
+	for i := 0; i < len(conn.Tunnel.Tunnels); i++ {
+		sb.WriteString(strings.ToLower(conn.Tunnel.Tunnels[i].GetCryptoAlg().String()))
+		tstr = "-"
+		sb.WriteString(tstr)
+		sb.WriteString(strings.ToLower(conn.Tunnel.Tunnels[i].GetIntegAlg().String()))
+		if (i+1) < len(conn.Tunnel.Tunnels) {
+			tstr = "-"
+			sb.WriteString(tstr)
+		}
+	}
+
+	tstr = "\n"
 	sb.WriteString(tstr)
 
 	tstr = "            dpd_action = trap\n"
@@ -156,7 +139,21 @@ rw {
 	tstr = "        host {\n"
 	sb.WriteString(tstr)
 
-	tstr = "            esp_proposals = aes256gcm128-chacha20poly1305-x25519\n"
+	tstr = "            esp_proposals = "
+	sb.WriteString(tstr)
+
+	for i := 0; i < len(conn.Tunnel.Tunnels); i++ {
+		sb.WriteString(strings.ToLower(conn.Tunnel.Tunnels[i].GetCryptoAlg().String()))
+		tstr = "-"
+		sb.WriteString(tstr)
+		sb.WriteString(strings.ToLower(conn.Tunnel.Tunnels[i].GetIntegAlg().String()))
+		if (i+1) < len(conn.Tunnel.Tunnels) {
+			tstr = "-"
+			sb.WriteString(tstr)
+		}
+	}
+
+	tstr = "\n"
 	sb.WriteString(tstr)
 
 	tstr = "            dpd_action = trap\n"
@@ -171,7 +168,21 @@ rw {
 	tstr = "    version = 2\n"
 	sb.WriteString(tstr)
 
-	tstr = "    proposals = aes256-sha256-x25519\n"
+	tstr = "    proposals = "
+	sb.WriteString(tstr)
+
+	for i := 0; i < len(conn.Sa.Sas); i++ {
+		sb.WriteString(strings.ReplaceAll(strings.ToLower(conn.Sa.Sas[i].GetCryptoAlg().String()), "_", ""))
+		tstr = "-"
+		sb.WriteString(tstr)
+		sb.WriteString(strings.ReplaceAll(strings.ToLower(conn.Sa.Sas[i].GetIntegAlg().String()), "_", ""))
+		if (i+1) < len(conn.Tunnel.Tunnels) {
+			tstr = "-"
+			sb.WriteString(tstr)
+		}
+	}
+
+	tstr = "\n"
 	sb.WriteString(tstr)
 
 	tstr = "    dpd_delay = 60s\n"