
Merge pull request #15406 from pprindeville/strongswan-add-chacha20poly1305

strongswan: handle chacha20poly1305 as AEAD
Philip Prindeville 3 years ago
committed by GitHub
parent
commit
41b536e22c
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 14 deletions
  1. +1
    -1
      net/strongswan/Makefile
  2. +33
    -13
      net/strongswan/files/swanctl.init

net/strongswan/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=strongswan
PKG_VERSION:=5.9.2
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/


net/strongswan/files/swanctl.init View File

@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
WAIT_FOR_INTF=0
CONFIG_FAIL=0
time2seconds()
{
local timestring="$1"
@ -128,12 +130,19 @@ warning() {
echo "WARNING: $@" >&2
}
fatal() {
echo "ERROR: $@" >&2
CONFIG_FAIL=1
}
is_aead() {
local cipher="$1"
case "$cipher" in
aes*gcm*|aes*ccm*|aes*gmac*)
return 0 ;;
chacha20poly1305)
return 0 ;;
esac
return 1
@ -150,7 +159,7 @@ add_esp_proposal() {
# check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm"
fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm=
fi
@ -160,11 +169,13 @@ add_esp_proposal() {
parse_esp_proposal() {
local conf="$1"
local var="$2"
local crypto=""
config_list_foreach "$conf" crypto_proposal add_esp_proposal
echo "$crypto"
export -n "$var=$crypto"
}
add_ike_proposal() {
@ -180,7 +191,7 @@ add_ike_proposal() {
# check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm"
fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm=
fi
@ -190,11 +201,13 @@ add_ike_proposal() {
parse_ike_proposal() {
local conf="$1"
local var="$2"
local crypto=""
config_list_foreach "$conf" crypto_proposal add_ike_proposal
echo "$crypto"
export -n "$var=$crypto"
}
config_conn() {
@ -228,7 +241,8 @@ config_conn() {
config_get if_id "$1" if_id ""
config_get rekeytime "$1" rekeytime ""
local esp_proposal="$(parse_esp_proposal "$1")"
local esp_proposal
parse_esp_proposal "$1" esp_proposal
# translate from ipsec to swanctl
case "$startaction" in
@ -240,7 +254,7 @@ config_conn() {
# already using new syntax
;;
*)
warning "Startaction $startaction unknown"
fatal "Startaction $startaction unknown"
startaction=
;;
esac
@ -256,7 +270,7 @@ config_conn() {
# already using new syntax
;;
*)
warning "Closeaction $closeaction unknown"
fatal "Closeaction $closeaction unknown"
closeaction=
;;
esac
@ -278,7 +292,7 @@ config_conn() {
# already using new syntax
;;
*)
warning "Dpdaction $dpdaction unknown"
fatal "Dpdaction $dpdaction unknown"
dpdaction=
;;
esac
@ -373,7 +387,7 @@ config_remote() {
# already using new syntax
;;
*)
warning "Fragmentation $fragmentation not supported"
fatal "Fragmentation $fragmentation not supported"
fragmentation=
;;
esac
@ -387,9 +401,10 @@ config_remote() {
local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
}
local ike_proposal="$(parse_ike_proposal "$1")"
local ike_proposal
parse_ike_proposal "$1" ike_proposal
[ -n "$firewall" ] && warning "Firewall not supported"
[ -n "$firewall" ] && fatal "Firewall not supported"
swanctl_xappend0 "# config for $config_name"
swanctl_xappend0 "connections {"
@ -428,7 +443,7 @@ config_remote() {
ikev2)
swanctl_xappend2 "version = 2" ;;
*)
warning "Keyexchange $keyexchange not supported"
fatal "Keyexchange $keyexchange not supported"
keyexchange=
;;
esac
@ -483,7 +498,7 @@ config_remote() {
fi
fi
else
warning "AuthenticationMode $auth_mode not supported"
fatal "AuthenticationMode $auth_mode not supported"
fi
swanctl_xappend0 ""
@ -587,6 +602,11 @@ start_service() {
[ $WAIT_FOR_INTF -eq 1 ] && return
if [ $CONFIG_FAIL -ne 0 ]; then
procd_set_param error "Invalid configuration"
return
fi
procd_open_instance
procd_set_param command $PROG --daemon charon --nofork
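Review bot: The new `chacha20poly1305)` arm in `is_aead` matches only that exact keyword, whereas the AES arms on the line above use wildcards (`aes*gcm*`); strongswan also documents a `chacha20poly1305compat` AEAD variant, and if that spelling is accepted here it would fall through to `return 1`, so a `hash_algorithm` alongside it would be silently emitted into the proposal instead of triggering `fatal`. Changing the arm to `chacha20poly1305*)` keeps the new check consistent with the AES patterns and covers the compat name; if the compat keyword is deliberately out of scope, a one-line comment saying so would stop the next reader from "fixing" it. Separately, `export -n "$var=$crypto"` in `parse_esp_proposal`/`parse_ike_proposal` is an unusual way to write into the caller's variable, and its reason (avoiding the `$(...)` subshell so `fatal`'s `CONFIG_FAIL=1` survives into `start_service`) is not stated; a comment such as `# assign into caller's variable without a subshell so CONFIG_FAIL set by fatal() is preserved` would document the contract, and it is worth confirming that the busybox ash used by rc.common assigns on `export -n name=value`, since the script does not run under bash. `start_service` begins before this hunk and `config_conn`/`config_remote` are cut at the hunk edges.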

