From dad8bd7543930ab5342a34f58791fce201186c2e Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 24 Jul 2023 09:33:33 +0200
Subject: [PATCH] system: add opnsense-crypt utility #6133
---
 plist | 2 +
 src/man/man8/opnsense-crypt.8 | 55 ++++++++++++++++++++++++
 src/sbin/opnsense-crypt | 81 +++++++++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+)
 create mode 100644 src/man/man8/opnsense-crypt.8
 create mode 100755 src/sbin/opnsense-crypt
diff --git a/plist b/plist
index c3a1ff718..93d9d2b99 100644
--- a/plist
+++ b/plist
@@ -1957,6 +1957,7 @@
 /usr/local/sbin/configctl
 /usr/local/sbin/ifctl
 /usr/local/sbin/opnsense-beep
+/usr/local/sbin/opnsense-crypt
 /usr/local/sbin/opnsense-importer
 /usr/local/sbin/opnsense-installer
 /usr/local/sbin/opnsense-log
@@ -1967,6 +1968,7 @@
 /usr/local/share/man/man8/configctl.8.gz
 /usr/local/share/man/man8/ifctl.8.gz
 /usr/local/share/man/man8/opnsense-beep.8.gz
+/usr/local/share/man/man8/opnsense-crypt.8.gz
 /usr/local/share/man/man8/opnsense-importer.8.gz
 /usr/local/share/man/man8/opnsense-installer.8.gz
 /usr/local/share/man/man8/opnsense-log.8.gz
diff --git a/src/man/man8/opnsense-crypt.8 b/src/man/man8/opnsense-crypt.8
new file mode 100644
index 000000000..d2d5f4aef
--- /dev/null
+++ b/src/man/man8/opnsense-crypt.8
@@ -0,0 +1,55 @@
+.\"
+.\" Copyright (c) 2023 Franco Fichtner
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd July 24, 2023
+.Dt OPNSENSE-CRYPT 8
+.Os
+.Sh NAME
+.Nm opnsense-crypt
+.Nd OPNsense configurtion encryption utility
+.Sh SYNOPSIS
+.Nm
+.Ar file
+.Sh DESCRIPTION
+The
+.Nm
+utility will automatically encrypt or decrypt a given
+.Pa path/to/config.xml
+file using the matching supplied
+.Pa path/to/config.secret
+file.
+After succesfull execution the original contents of
+.Pa path/to/config.xml
+will be replaced by the resulting contents of the respective operation.
+.Pp
+Please be aware that encrypting
+.Pa /conf/config.xml
+in a running system will invalidate and eventually reject this configuation.
+Use with care.
+.Sh EXIT STATUS
+.Ex -std
+.Sh AUTHORS
+.An Franco Fichtner Aq Mt franco@opnsense.org
diff --git a/src/sbin/opnsense-crypt b/src/sbin/opnsense-crypt
new file mode 100755
index 000000000..35be4c7a0
--- /dev/null
+++ b/src/sbin/opnsense-crypt
@@ -0,0 +1,81 @@
+#!/usr/local/bin/php
+
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+
+$crypter = new OPNsense\Backup\Local();
+
+$config_xml = $argv[1] ?? '';
+if ($config_xml == '') {
+    echo "No file given.\n";
+    exit(1);
+}
+
+if (!file_exists($config_xml)) {
+    echo "File not found: $config_xml\n";
+    exit(1);
+}
+
+$config_secret = preg_replace('/\.xml$/s', '.secret', $config_xml);
+if ($config_xml == $config_secret) {
+    echo "File not ending with \".xml\": $config_xml\n";
+    exit(1);
+}
+
+if (!file_exists($config_secret)) {
+    echo "File not found: $config_secret\n";
+    exit(1);
+}
+
+$secret = file_get_contents($config_secret);
+$secret = rtrim(file_get_contents($config_secret), "\n\r\t\v\x00");
+
+if ($secret == '') {
+    echo "Secret is empty.\n";
+    exit(1);
+}
+
+$data = file_get_contents($config_xml);
+$tagged = strpos($data, '---- BEGIN config.xml ----') === 0;
+
+if ($tagged) {
+    $data = $crypter->decrypt($data, $secret);
+} else {
+    $data = $crypter->encrypt($data, $secret);
+}
+
+if (empty($data)) {
+    echo sprintf("Could not %s file.\n", $tagged ? 'decrypt' : 'encrypt');
+    exit(1);
+}
+
+/* replace resulting file when ok as the operation is reversible */
+file_put_contents($config_xml, $data);
+
+exit(0);
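Review bot: The return value of `file_put_contents($config_xml, $data);` at the end of the hunk is ignored, so a failed or partial write still reaches `exit(0)`, and because the original is overwritten in place a short write (disk full, interrupted process) leaves config.xml truncated after its plaintext, or its only ciphertext, is already gone. Writing to a sibling temp file, copying the original's mode onto it, and renaming it over the original, exiting non-zero if any step fails, keeps the file intact on error and matches the `.Ex -std` the man page promises. The first `$secret = file_get_contents($config_secret);` is dead code: the next line re-reads the same file and overwrites it, so only the `rtrim(...)` line should stay. The `file_get_contents` calls also return `false` on an unreadable file; `rtrim(false, …)` happens to land in the empty-secret branch, but `$data === false` is passed straight to `strpos` and the crypter, so an explicit `=== false` check with a clear message is worth adding for both reads.
```php
/* … unchanged: argument checks, secret handling, encrypt/decrypt … */

/* write to a sibling temp file and rename so a failed write cannot truncate the original */
$tmp_xml = $config_xml . '.tmp';
if (file_put_contents($tmp_xml, $data) === false ||
    !chmod($tmp_xml, fileperms($config_xml) & 0777) ||
    !rename($tmp_xml, $config_xml)) {
    echo "Could not write file: $config_xml\n";
    if (file_exists($tmp_xml)) {
        unlink($tmp_xml);
    }
    exit(1);
}

exit(0);
```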