
Merge pull request #15406 from pprindeville/strongswan-add-chacha20poly1305

strongswan: handle chacha20poly1305 as AEAD
lilik-openwrt-22.03
Philip Prindeville 4 years ago
committed by GitHub
parent
commit
41b536e22c
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 14 deletions
  1. +1
    -1
      net/strongswan/Makefile
  2. +33
    -13
      net/strongswan/files/swanctl.init

+ 1
- 1
net/strongswan/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=strongswan PKG_NAME:=strongswan
PKG_VERSION:=5.9.2 PKG_VERSION:=5.9.2
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/ PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/


+ 33
- 13
net/strongswan/files/swanctl.init View File

@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
WAIT_FOR_INTF=0 WAIT_FOR_INTF=0
CONFIG_FAIL=0
time2seconds() time2seconds()
{ {
local timestring="$1" local timestring="$1"
@ -128,12 +130,19 @@ warning() {
echo "WARNING: $@" >&2 echo "WARNING: $@" >&2
} }
fatal() {
echo "ERROR: $@" >&2
CONFIG_FAIL=1
}
is_aead() { is_aead() {
local cipher="$1" local cipher="$1"
case "$cipher" in case "$cipher" in
aes*gcm*|aes*ccm*|aes*gmac*) aes*gcm*|aes*ccm*|aes*gmac*)
return 0 ;; return 0 ;;
chacha20poly1305)
return 0 ;;
esac esac
return 1 return 1
@ -150,7 +159,7 @@ add_esp_proposal() {
# check for AEAD and clobber hash_algorithm if set # check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm"
fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm= hash_algorithm=
fi fi
@ -160,11 +169,13 @@ add_esp_proposal() {
parse_esp_proposal() { parse_esp_proposal() {
local conf="$1" local conf="$1"
local var="$2"
local crypto="" local crypto=""
config_list_foreach "$conf" crypto_proposal add_esp_proposal config_list_foreach "$conf" crypto_proposal add_esp_proposal
echo "$crypto"
export -n "$var=$crypto"
} }
add_ike_proposal() { add_ike_proposal() {
@ -180,7 +191,7 @@ add_ike_proposal() {
# check for AEAD and clobber hash_algorithm if set # check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm"
fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm= hash_algorithm=
fi fi
@ -190,11 +201,13 @@ add_ike_proposal() {
parse_ike_proposal() { parse_ike_proposal() {
local conf="$1" local conf="$1"
local var="$2"
local crypto="" local crypto=""
config_list_foreach "$conf" crypto_proposal add_ike_proposal config_list_foreach "$conf" crypto_proposal add_ike_proposal
echo "$crypto"
export -n "$var=$crypto"
} }
config_conn() { config_conn() {
@ -228,7 +241,8 @@ config_conn() {
config_get if_id "$1" if_id "" config_get if_id "$1" if_id ""
config_get rekeytime "$1" rekeytime "" config_get rekeytime "$1" rekeytime ""
local esp_proposal="$(parse_esp_proposal "$1")"
local esp_proposal
parse_esp_proposal "$1" esp_proposal
# translate from ipsec to swanctl # translate from ipsec to swanctl
case "$startaction" in case "$startaction" in
@ -240,7 +254,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Startaction $startaction unknown"
fatal "Startaction $startaction unknown"
startaction= startaction=
;; ;;
esac esac
@ -256,7 +270,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Closeaction $closeaction unknown"
fatal "Closeaction $closeaction unknown"
closeaction= closeaction=
;; ;;
esac esac
@ -278,7 +292,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Dpdaction $dpdaction unknown"
fatal "Dpdaction $dpdaction unknown"
dpdaction= dpdaction=
;; ;;
esac esac
@ -373,7 +387,7 @@ config_remote() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Fragmentation $fragmentation not supported"
fatal "Fragmentation $fragmentation not supported"
fragmentation= fragmentation=
;; ;;
esac esac
@ -387,9 +401,10 @@ config_remote() {
local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'` local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
} }
local ike_proposal="$(parse_ike_proposal "$1")"
local ike_proposal
parse_ike_proposal "$1" ike_proposal
[ -n "$firewall" ] && warning "Firewall not supported"
[ -n "$firewall" ] && fatal "Firewall not supported"
swanctl_xappend0 "# config for $config_name" swanctl_xappend0 "# config for $config_name"
swanctl_xappend0 "connections {" swanctl_xappend0 "connections {"
@ -428,7 +443,7 @@ config_remote() {
ikev2) ikev2)
swanctl_xappend2 "version = 2" ;; swanctl_xappend2 "version = 2" ;;
*) *)
warning "Keyexchange $keyexchange not supported"
fatal "Keyexchange $keyexchange not supported"
keyexchange= keyexchange=
;; ;;
esac esac
@ -483,7 +498,7 @@ config_remote() {
fi fi
fi fi
else else
warning "AuthenticationMode $auth_mode not supported"
fatal "AuthenticationMode $auth_mode not supported"
fi fi
swanctl_xappend0 "" swanctl_xappend0 ""
@ -587,6 +602,11 @@ start_service() {
[ $WAIT_FOR_INTF -eq 1 ] && return [ $WAIT_FOR_INTF -eq 1 ] && return
if [ $CONFIG_FAIL -ne 0 ]; then
procd_set_param error "Invalid configuration"
return
fi
procd_open_instance procd_open_instance
procd_set_param command $PROG --daemon charon --nofork procd_set_param command $PROG --daemon charon --nofork
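Review bot: The new `chacha20poly1305)` arm in is_aead matches only that exact keyword, unlike the wildcard `aes*gcm*|aes*ccm*|aes*gmac*` patterns beside it; if the installed strongSWAN also accepts a `chacha20poly1305compat` spelling (upstream's cipher-suite keyword list appears to carry one — please confirm against 5.9.2), a proposal using it would slip past the AEAD check and be emitted together with an integrity algorithm, which is exactly the misconfiguration the new `fatal` call is meant to reject. Changing the arm to `chacha20poly1305*)` covers both spellings without widening it to anything else. Separately, in start_service `procd_set_param error "Invalid configuration"` runs before `procd_open_instance`; if procd only reports `error` parameters attached to an instance, the message may never surface in `status` and a bad config will look like a silent non-start, so consider bracketing it with `procd_open_instance`/`procd_close_instance` or adding a `logger -t swanctl` line. Note that is_aead's closing brace and the head of start_service lie outside this hunk.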

