wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-06 20:13:11 +02:00
Code Issues Projects Releases Wiki Activity

Merge a99fb0ee41 into 1edb95df9c

Browse source
This commit is contained in:
Ernesto Serrano 2018-03-26 07:52:43 +00:00 committed by GitHub
commit 26a7db8530
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 75 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
algo
View file

@ -519,12 +519,24 @@ if [ "x${IP_subject}" = "x" ]; then
exit 1 exit 1
fi fi
read -p "
Enter the public DNS name of your server: (IMPORTANT! This name is used to verify the certificate)
[$mydns]: " -r DNS_subject
DNS_subject=${DNS_subject:-$mydns}
if [ "x${DNS_subject}" = "x" ]; then
echo "no public DNS name given. exiting."
exit 1
fi
ROLES="local vpn" ROLES="local vpn"
EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" EXTRA_VARS="server_ip=$server_ip server_user=$server_user DNS_subject_alt_name=$DNS_subject IP_subject_alt_name=$IP_subject"
SKIP_TAGS+=" cloud update-alternatives" SKIP_TAGS+=" cloud update-alternatives"
read -p " read -p "
Was this server deployed by Algo previously? Was this server deployed by Algo previously?
[y/N]: " -r Deployed_By_Algo [y/N]: " -r Deployed_By_Algo
Deployed_By_Algo=${Deployed_By_Algo:-n} Deployed_By_Algo=${Deployed_By_Algo:-n}
@ -599,11 +611,22 @@ exit 1
fi fi
read -p " read -p "
Enter the public DNS name of your server: (IMPORTANT! This name is used to verify the certificate)
[$mydns]: " -r DNS_subject
DNS_subject=${DNS_subject:-$mydns}
if [ "x${DNS_subject}" = "x" ]; then
echo "no public DNS name given. exiting."
exit 1
fi
read -p "
Enter the password for the private CA key: Enter the password for the private CA key:
$ADDITIONAL_PROMPT $ADDITIONAL_PROMPT
: " -rs easyrsa_CA_password : " -rs easyrsa_CA_password
ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled DNS_subject_alt_name=$DNS_subject IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
} }
case "$1" in case "$1" in

1
playbooks/facts/main.yml
View file

@ -43,3 +43,4 @@
- name: Define the commonName - name: Define the commonName
set_fact: set_fact:
IP_subject_alt_name: "{{ IP_subject_alt_name }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}"
DNS_subject_alt_name: "{{ DNS_subject_alt_name }}"

22
roles/vpn/tasks/client_configs.yml
View file

@ -4,18 +4,18 @@
shell: cat private/{{ item }}.p12 | base64 shell: cat private/{{ item }}.p12 | base64
register: PayloadContent register: PayloadContent
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Set facts for mobileconfigs - name: Set facts for mobileconfigs
set_fact: set_fact:
proxy_enabled: false proxy_enabled: false
PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}" PayloadContentCA: "{{ lookup('file' , 'configs/{{ DNS_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
- name: Build the mobileconfigs - name: Build the mobileconfigs
template: template:
src: mobileconfig.j2 src: mobileconfig.j2
dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig dest: configs/{{ DNS_subject_alt_name }}/{{ item.0 }}.mobileconfig
mode: 0600 mode: 0600
with_together: with_together:
- "{{ users }}" - "{{ users }}"
@ -25,7 +25,7 @@
- name: Build the strongswan app android config - name: Build the strongswan app android config
template: template:
src: sswan.j2 src: sswan.j2
dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}.sswan dest: configs/{{ DNS_subject_alt_name }}/android_{{ item.0 }}.sswan
mode: 0600 mode: 0600
with_together: with_together:
- "{{ users }}" - "{{ users }}"
@ -35,7 +35,7 @@
- name: Build the android helper html - name: Build the android helper html
template: template:
src: android_html_helper.j2 src: android_html_helper.j2
dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}_helper.html dest: configs/{{ DNS_subject_alt_name }}/android_{{ item.0 }}_helper.html
mode: 0600 mode: 0600
with_together: with_together:
- "{{ users }}" - "{{ users }}"
@ -44,7 +44,7 @@
- name: Build the client ipsec config file - name: Build the client ipsec config file
template: template:
src: client_ipsec.conf.j2 src: client_ipsec.conf.j2
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf dest: configs/{{ DNS_subject_alt_name }}/ipsec_{{ item }}.conf
mode: 0600 mode: 0600
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -52,7 +52,7 @@
- name: Build the client ipsec secret file - name: Build the client ipsec secret file
template: template:
src: client_ipsec.secrets.j2 src: client_ipsec.secrets.j2
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets dest: configs/{{ DNS_subject_alt_name }}/ipsec_{{ item }}.secrets
mode: 0600 mode: 0600
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -60,18 +60,18 @@
- name: Create the windows check file - name: Create the windows check file
file: file:
state: touch state: touch
path: configs/{{ IP_subject_alt_name }}/.supports_windows path: configs/{{ DNS_subject_alt_name }}/.supports_windows
when: Win10_Enabled is defined and Win10_Enabled == "Y" when: Win10_Enabled is defined and Win10_Enabled == "Y"
- name: Check if the windows check file exists - name: Check if the windows check file exists
stat: stat:
path: configs/{{ IP_subject_alt_name }}/.supports_windows path: configs/{{ DNS_subject_alt_name }}/.supports_windows
register: supports_windows register: supports_windows
- name: Build the windows client powershell script - name: Build the windows client powershell script
template: template:
src: client_windows.ps1.j2 src: client_windows.ps1.j2
dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1 dest: configs/{{ DNS_subject_alt_name }}/windows_{{ item }}.ps1
mode: 0600 mode: 0600
when: Win10_Enabled is defined and Win10_Enabled == "Y" or supports_windows.stat.exists == true when: Win10_Enabled is defined and Win10_Enabled == "Y" or supports_windows.stat.exists == true
with_items: "{{ users }}" with_items: "{{ users }}"
@ -82,4 +82,4 @@
state: directory state: directory
mode: 0700 mode: 0700
with_items: with_items:
- configs/{{ IP_subject_alt_name }} - configs/{{ DNS_subject_alt_name }}

10
roles/vpn/tasks/distribute_keys.yml
View file

@ -8,18 +8,18 @@
group: "{{ item.group }}" group: "{{ item.group }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
with_items: with_items:
- src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem" - src: "configs/{{ DNS_subject_alt_name }}/pki/cacert.pem"
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt" dest: "{{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt"
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"
- src: "configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt" - src: "configs/{{ DNS_subject_alt_name }}/pki/certs/{{ DNS_subject_alt_name }}.crt"
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt" dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ DNS_subject_alt_name }}.crt"
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"
- src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key" - src: "configs/{{ DNS_subject_alt_name }}/pki/private/{{ DNS_subject_alt_name }}.key"
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ IP_subject_alt_name }}.key" dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ DNS_subject_alt_name }}.key"
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"

64
roles/vpn/tasks/openssl.yml
View file

@ -3,13 +3,13 @@
- block: - block:
- name: Ensure the pki directory does not exist - name: Ensure the pki directory does not exist
file: file:
dest: configs/{{ IP_subject_alt_name }}/pki dest: configs/{{ DNS_subject_alt_name }}/pki
state: absent state: absent
when: easyrsa_reinit_existent == True when: easyrsa_reinit_existent == True
- name: Ensure the pki directories exist - name: Ensure the pki directories exist
file: file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" dest: "configs/{{ DNS_subject_alt_name }}/pki/{{ item }}"
state: directory state: directory
recurse: yes recurse: yes
with_items: with_items:
@ -22,7 +22,7 @@
- name: Ensure the files exist - name: Ensure the files exist
file: file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" dest: "configs/{{ DNS_subject_alt_name }}/pki/{{ item }}"
state: touch state: touch
with_items: with_items:
- ".rnd" - ".rnd"
@ -34,56 +34,56 @@
- name: Generate the openssl server configs - name: Generate the openssl server configs
template: template:
src: openssl.cnf.j2 src: openssl.cnf.j2
dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf" dest: "configs/{{ DNS_subject_alt_name }}/pki/openssl.cnf"
- name: Build the CA pair - name: Build the CA pair
shell: > shell: >
{{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem && {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
{{ openssl_bin }} req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-keyout private/cakey.pem -keyout private/cakey.pem
-out cacert.pem -x509 -days 3650 -out cacert.pem -x509 -days 3650
-batch -batch
-passout pass:"{{ easyrsa_CA_password }}" && -passout pass:"{{ easyrsa_CA_password }}" &&
touch {{ IP_subject_alt_name }}_ca_generated touch {{ DNS_subject_alt_name }}_ca_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
creates: "{{ IP_subject_alt_name }}_ca_generated" creates: "{{ DNS_subject_alt_name }}_ca_generated"
executable: bash executable: bash
- name: Copy the CA certificate - name: Copy the CA certificate
copy: copy:
src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem" src: "configs/{{ DNS_subject_alt_name }}/pki/cacert.pem"
dest: "configs/{{ IP_subject_alt_name }}/cacert.pem" dest: "configs/{{ DNS_subject_alt_name }}/cacert.pem"
mode: 0600 mode: 0600
- name: Generate the serial number - name: Generate the serial number
shell: echo 01 > serial && touch serial_generated shell: echo 01 > serial && touch serial_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
creates: serial_generated creates: serial_generated
- name: Build the server pair - name: Build the server pair
shell: > shell: >
{{ openssl_bin }} req -utf8 -new {{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-keyout private/{{ IP_subject_alt_name }}.key -keyout private/{{ DNS_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes -out reqs/{{ DNS_subject_alt_name }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" -batch && -subj "/CN={{ DNS_subject_alt_name }}" -batch &&
{{ openssl_bin }} ca -utf8 {{ openssl_bin }} ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req -in reqs/{{ DNS_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt -out certs/{{ DNS_subject_alt_name }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-days 3650 -batch -days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" && -subj "/CN={{ DNS_subject_alt_name }}" &&
touch certs/{{ IP_subject_alt_name }}_crt_generated touch certs/{{ DNS_subject_alt_name }}_crt_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
creates: certs/{{ IP_subject_alt_name }}_crt_generated creates: certs/{{ DNS_subject_alt_name }}_crt_generated
executable: bash executable: bash
- name: Build the client's pair - name: Build the client's pair
@ -104,7 +104,7 @@
-subj "/CN={{ item }}" && -subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated touch certs/{{ item }}_crt_generated
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
creates: certs/{{ item }}_crt_generated creates: certs/{{ item }}_crt_generated
executable: bash executable: bash
with_items: "{{ users }}" with_items: "{{ users }}"
@ -119,15 +119,15 @@
-out private/{{ item }}.p12 -out private/{{ item }}.p12
-passout pass:"{{ easyrsa_p12_export_password }}" -passout pass:"{{ easyrsa_p12_export_password }}"
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
executable: bash executable: bash
with_items: "{{ users }}" with_items: "{{ users }}"
register: p12 register: p12
- name: Copy the p12 certificates - name: Copy the p12 certificates
copy: copy:
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12" src: "configs/{{ DNS_subject_alt_name }}/pki/private/{{ item }}.p12"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12" dest: "configs/{{ DNS_subject_alt_name }}/{{ item }}.p12"
mode: 0600 mode: 0600
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -135,11 +135,11 @@
- name: Get active users - name: Get active users
shell: > shell: >
grep ^V index.txt | grep ^V index.txt |
grep -v "{{ IP_subject_alt_name }}" | grep -v "{{ DNS_subject_alt_name }}" |
awk '{print $5}' | awk '{print $5}' |
sed 's/\/CN=//g' sed 's/\/CN=//g'
args: args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/" chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
register: valid_certs register: valid_certs
- name: Revoke non-existing users - name: Revoke non-existing users
@ -151,7 +151,7 @@
-out crl/{{ item }}.crt -out crl/{{ item }}.crt
register: gencrl register: gencrl
args: args:
chdir: configs/{{ IP_subject_alt_name }}/pki/ chdir: configs/{{ DNS_subject_alt_name }}/pki/
creates: crl/{{ item }}.crt creates: crl/{{ item }}.crt
executable: bash executable: bash
when: item not in users when: item not in users
@ -160,21 +160,21 @@
- name: Genereate new CRL file - name: Genereate new CRL file
shell: > shell: >
{{ openssl_bin }} ca -gencrl {{ openssl_bin }} ca -gencrl
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}")) -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }}"))
-passin pass:"{{ easyrsa_CA_password }}" -passin pass:"{{ easyrsa_CA_password }}"
-out crl/algo.root.pem -out crl/algo.root.pem
when: when:
- gencrl is defined - gencrl is defined
- gencrl.changed - gencrl.changed
args: args:
chdir: configs/{{ IP_subject_alt_name }}/pki/ chdir: configs/{{ DNS_subject_alt_name }}/pki/
executable: bash executable: bash
delegate_to: localhost delegate_to: localhost
become: no become: no
- name: Copy the CRL to the vpn server - name: Copy the CRL to the vpn server
copy: copy:
src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem src: configs/{{ DNS_subject_alt_name }}/pki/crl/algo.root.pem
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem" dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
when: when:
- gencrl is defined - gencrl is defined

2
tests/local-deploy.sh
View file

@ -2,7 +2,7 @@
set -e set -e
DEPLOY_ARGS="server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" DEPLOY_ARGS="server_ip=$LXC_IP server_user=root DNS_subject_alt_name=example.com IP_subject_alt_name=$LXC_IP local_dns=Y"
if [ "${LXC_NAME}" == "docker" ] if [ "${LXC_NAME}" == "docker" ]
then then