[][openwrt][common][crypto][Upgrade Strongswan to v5.9.11]
[Description]
Change Strongswan from v5.9.2 to v5.9.11 in feeds/packages/
[Release-log]
N/A
Change-Id: I9bfe74c6cc7771dabbcfa2477e81a1f1d875f630
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8110330
diff --git a/openwrt_patches-21.02/107-strongswan-5_9_11-upgrade.patch b/openwrt_patches-21.02/107-strongswan-5_9_11-upgrade.patch
new file mode 100644
index 0000000..1608a51
--- /dev/null
+++ b/openwrt_patches-21.02/107-strongswan-5_9_11-upgrade.patch
@@ -0,0 +1,2576 @@
+--- a/feeds/packages/net/strongswan/Makefile
++++ b/feeds/packages/net/strongswan/Makefile
+@@ -8,12 +8,12 @@
+ include $(TOPDIR)/rules.mk
+
+ PKG_NAME:=strongswan
+-PKG_VERSION:=5.9.2
+-PKG_RELEASE:=3
++PKG_VERSION:=5.9.11
++PKG_RELEASE:=1
+
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+ PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
+-PKG_HASH:=61c72f741edb2c1295a7b7ccce0317a104b3f9d39efd04c52cd05b01b55ab063
++PKG_HASH:=ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
+ PKG_LICENSE:=GPL-2.0-or-later
+ PKG_MAINTAINER:=Philip Prindeville <philipp@redfish-solutions.com>, Noel Kuntze <noel.kuntze@thermi.consulting>
+ PKG_CPE_ID:=cpe:/a:strongswan:strongswan
+@@ -25,8 +25,10 @@ PKG_MOD_AVAILABLE:= \
+ agent \
+ attr \
+ attr-sql \
++ bliss \
+ blowfish \
+ ccm \
++ chapoly \
+ cmac \
+ constraints \
+ connmark \
+@@ -37,6 +39,7 @@ PKG_MOD_AVAILABLE:= \
+ des \
+ dhcp \
+ dnskey \
++ drbg \
+ duplicheck \
+ eap-identity \
+ eap-md5 \
+@@ -52,15 +55,18 @@ PKG_MOD_AVAILABLE:= \
+ gmpdh \
+ ha \
+ hmac \
++ kdf \
+ kernel-libipsec \
+ kernel-netlink \
+ ldap \
+ led \
+ load-tester \
+- nonce \
+ md4 \
+ md5 \
++ mgf1 \
+ mysql \
++ newhope \
++ ntru \
+ openssl \
+ pem \
+ pgp \
+@@ -76,6 +82,7 @@ PKG_MOD_AVAILABLE:= \
+ revocation \
+ sha1 \
+ sha2 \
++ sha3 \
+ smp \
+ socket-default \
+ socket-dynamic \
+@@ -89,6 +96,7 @@ PKG_MOD_AVAILABLE:= \
+ updown \
+ vici \
+ whitelist \
++ wolfssl \
+ x509 \
+ xauth-eap \
+ xauth-generic \
+@@ -123,9 +131,17 @@ define Package/strongswan
+ $(call Package/strongswan/Default)
+ MENU:=1
+ DEPENDS:= +libpthread +ip \
++ +kmod-crypto-aead \
+ +kmod-crypto-authenc \
+- +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 \
+- +kmod-ipt-ipsec +iptables-mod-ipsec
++ +kmod-crypto-cbc \
++ +kmod-lib-zlib-inflate \
++ +kmod-lib-zlib-deflate \
++ +kmod-crypto-des \
++ +kmod-crypto-echainiv \
++ +kmod-crypto-hmac \
++ +kmod-crypto-md5 \
++ +kmod-crypto-sha1 \
++ +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6
+ endef
+
+ define Package/strongswan/config
+@@ -144,14 +160,17 @@ $(call Package/strongswan/Default)
+ +strongswan-charon \
+ +strongswan-charon-cmd \
+ +strongswan-ipsec \
++ +strongswan-libnttfft \
+ +strongswan-mod-addrblock \
+ +strongswan-mod-aes \
+ +strongswan-mod-af-alg \
+ +strongswan-mod-agent \
+ +strongswan-mod-attr \
+ +strongswan-mod-attr-sql \
++ +strongswan-mod-bliss \
+ +strongswan-mod-blowfish \
+ +strongswan-mod-ccm \
++ +strongswan-mod-chapoly \
+ +strongswan-mod-cmac \
+ +strongswan-mod-constraints \
+ +strongswan-mod-connmark \
+@@ -162,6 +181,7 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-des \
+ +strongswan-mod-dhcp \
+ +strongswan-mod-dnskey \
++ +strongswan-mod-drbg \
+ +strongswan-mod-duplicheck \
+ +strongswan-mod-eap-identity \
+ +strongswan-mod-eap-md5 \
+@@ -176,14 +196,17 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-gmp \
+ +strongswan-mod-ha \
+ +strongswan-mod-hmac \
++ +strongswan-mod-kdf \
+ +strongswan-mod-kernel-netlink \
+ +strongswan-mod-ldap \
+ +strongswan-mod-led \
+ +strongswan-mod-load-tester \
+- +strongswan-mod-nonce \
+ +strongswan-mod-md4 \
+ +strongswan-mod-md5 \
++ +strongswan-mod-mgf1 \
+ +strongswan-mod-mysql \
++ +strongswan-mod-newhope \
++ +strongswan-mod-ntru \
+ +strongswan-mod-openssl \
+ +strongswan-mod-pem \
+ +strongswan-mod-pgp \
+@@ -199,6 +222,7 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-revocation \
+ +strongswan-mod-sha1 \
+ +strongswan-mod-sha2 \
++ +strongswan-mod-sha3 \
+ +strongswan-mod-smp \
+ +strongswan-mod-socket-default \
+ +strongswan-mod-sql \
+@@ -211,12 +235,12 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-updown \
+ +strongswan-mod-vici \
+ +strongswan-mod-whitelist \
++ +strongswan-mod-wolfssl \
+ +strongswan-mod-x509 \
+ +strongswan-mod-xauth-eap \
+ +strongswan-mod-xauth-generic \
+ +strongswan-mod-xcbc \
+ +strongswan-pki \
+- +strongswan-scepclient \
+ +strongswan-swanctl \
+ @DEVEL
+ endef
+@@ -235,7 +259,6 @@ $(call Package/strongswan/Default)
+ TITLE+= (default)
+ DEPENDS:= strongswan \
+ +strongswan-charon \
+- +strongswan-ipsec \
+ +strongswan-mod-aes \
+ +strongswan-mod-attr \
+ +strongswan-mod-connmark \
+@@ -245,9 +268,10 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-fips-prf \
+ +strongswan-mod-gmp \
+ +strongswan-mod-hmac \
++ @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \
+ +strongswan-mod-kernel-netlink \
+ +strongswan-mod-md5 \
+- +strongswan-mod-nonce \
++ +strongswan-mod-mgf1 \
+ +strongswan-mod-pem \
+ +strongswan-mod-pgp \
+ +strongswan-mod-pkcs1 \
+@@ -260,11 +284,11 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-sha2 \
+ +strongswan-mod-socket-default \
+ +strongswan-mod-sshkey \
+- +strongswan-mod-stroke \
+ +strongswan-mod-updown \
+ +strongswan-mod-x509 \
+ +strongswan-mod-xauth-generic \
+- +strongswan-mod-xcbc
++ +strongswan-mod-xcbc \
++ +strongswan-swanctl
+ endef
+
+ define Package/strongswan-default/description
+@@ -283,9 +307,10 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-des \
+ +strongswan-mod-gmpdh \
+ +strongswan-mod-hmac \
++ @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \
+ +strongswan-mod-kernel-netlink \
+ +strongswan-mod-md5 \
+- +strongswan-mod-nonce \
++ +strongswan-mod-mgf1 \
+ +strongswan-mod-pubkey \
+ +strongswan-mod-random \
+ +strongswan-mod-sha1 \
+@@ -311,8 +336,9 @@ $(call Package/strongswan/Default)
+ +strongswan-mod-aes \
+ +strongswan-mod-gmp \
+ +strongswan-mod-hmac \
++ @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \
+ +strongswan-mod-kernel-netlink \
+- +strongswan-mod-nonce \
++ +strongswan-mod-mgf1 \
+ +strongswan-mod-pubkey \
+ +strongswan-mod-random \
+ +strongswan-mod-sha1 \
+@@ -361,26 +387,26 @@ $(call Package/strongswan/description/De
+ This package contains the ipsec utility.
+ endef
+
+-define Package/strongswan-pki
++define Package/strongswan-libnttfft
+ $(call Package/strongswan/Default)
+- TITLE+= PKI tool
++ TITLE+= nttfft library
+ DEPENDS:= strongswan
+ endef
+
+-define Package/strongswan-pki/description
++define Package/strongswan-libnttfft/description
+ $(call Package/strongswan/description/Default)
+- This package contains the pki tool.
++ This package contains the Number Theoretic Transforms library.
+ endef
+
+-define Package/strongswan-scepclient
++define Package/strongswan-pki
+ $(call Package/strongswan/Default)
+- TITLE+= SCEP client
+- DEPENDS:= strongswan
++ TITLE+= PKI tool
++ DEPENDS:= strongswan strongswan-libtls
+ endef
+
+-define Package/strongswan-scepclient/description
++define Package/strongswan-pki/description
+ $(call Package/strongswan/description/Default)
+- This package contains the SCEP client.
++ This package contains the pki tool.
+ endef
+
+ define Package/strongswan-swanctl
+@@ -394,6 +420,17 @@ $(call Package/strongswan/description/De
+ This package contains the swanctl utility.
+ endef
+
++define Package/strongswan-gencerts
++$(call Package/strongswan/Default)
++ TITLE+= X.509 certificate generation utility
++ DEPENDS:= strongswan +strongswan-pki bash
++endef
++
++define Package/strongswan-gencerts/description
++$(call Package/strongswan/description/Default)
++ This package contains the X.509 certificate generation utility.
++endef
++
+ define Package/strongswan-libtls
+ $(call Package/strongswan/Default)
+ TITLE+= libtls
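Review bot: `DEPENDS:= strongswan +strongswan-pki bash` pulls bash onto the image for a script whose shebang is `#!/bin/sh` and which falls back to `id -u` precisely because `$EUID` is only set by bash, so the dependency and the script disagree about the interpreter; either drop `bash` or, if bash semantics are really wanted, change the shebang in files/gencerts.sh to `#!/bin/bash`. Note also that a bare `bash` (no `+`) only declares the dependency without auto-selecting it, so strongswan-gencerts stays unselectable until bash is enabled elsewhere — `+bash` if it is meant to be pulled in automatically.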
+@@ -430,11 +467,12 @@ CONFIGURE_ARGS+= \
+ --disable-scripts \
+ --disable-static \
+ --disable-fast \
++ --enable-nonce \
++ --enable-mgf1 \
+ --enable-mediation \
+ --with-systemdsystemunitdir=no \
+ $(if $(CONFIG_PACKAGE_strongswan-charon-cmd),--enable-cmd,--disable-cmd) \
+ $(if $(CONFIG_PACKAGE_strongswan-pki),--enable-pki,--disable-pki) \
+- $(if $(CONFIG_PACKAGE_strongswan-scepclient),--enable-scepclient,--disable-scepclient) \
+ --with-random-device=/dev/random \
+ --with-urandom-device=/dev/urandom \
+ --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
+@@ -444,8 +482,6 @@ CONFIGURE_ARGS+= \
+ ) \
+ ac_cv_search___atomic_load=no
+
+-EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+-
+ define Package/strongswan/conffiles
+ /etc/strongswan.conf
+ /etc/strongswan.d/
+@@ -455,8 +491,11 @@ define Package/strongswan/install
+ $(INSTALL_DIR) $(1)/etc
+ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
+ echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf
+- $(INSTALL_DIR) $(1)/usr/lib/ipsec
++ $(INSTALL_DIR) $(1)/etc/strongswan.d/charon
++ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/nonce.conf $(1)/etc/strongswan.d/charon/
++ $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
++ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-nonce.so $(1)/usr/lib/ipsec/plugins/
+ endef
+
+ define Package/strongswan-default/install
+@@ -518,6 +557,11 @@ opkg list-changed-conffiles | grep -qx /
+ }
+ endef
+
++define Package/strongswan-libnttfft/install
++ $(INSTALL_DIR) $(1)/usr/lib/ipsec
++ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libnttfft.so.* $(1)/usr/lib/ipsec/
++endef
++
+ define Package/strongswan-pki/install
+ $(INSTALL_DIR) $(1)/etc/strongswan.d
+ $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/
+@@ -525,14 +569,8 @@ define Package/strongswan-pki/install
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/
+ endef
+
+-define Package/strongswan-scepclient/install
+- $(INSTALL_DIR) $(1)/etc/strongswan.d
+- $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/scepclient.conf $(1)/etc/strongswan.d/
+- $(INSTALL_DIR) $(1)/usr/lib/ipsec
+- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/
+-endef
+-
+ define Package/strongswan-swanctl/conffiles
++/etc/config/ipsec
+ /etc/swanctl/
+ endef
+
+@@ -547,6 +585,11 @@ define Package/strongswan-swanctl/instal
+ $(INSTALL_BIN) ./files/swanctl.init $(1)/etc/init.d/swanctl
+ endef
+
++define Package/strongswan-gencerts/install
++ $(INSTALL_DIR) $(1)/usr/bin
++ $(INSTALL_BIN) ./files/gencerts.sh $(1)/usr/bin/gencerts
++endef
++
+ define Package/strongswan-libtls/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libtls.so.* $(1)/usr/lib/ipsec/
+@@ -570,14 +613,7 @@ define Plugin/attr-sql/install
+ endef
+
+ define Plugin/stroke/install
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/aacerts
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/acerts
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/cacerts
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/certs
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/crls
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/ocspcerts
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/private
+- $(INSTALL_DIR) $(1)/etc/ipsec.d/reqs
++ $(INSTALL_DIR) $(1)/etc/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private,reqs}
+
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{starter,stroke} $(1)/usr/lib/ipsec/
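Review bot: The collapsed `$(INSTALL_DIR) $(1)/etc/ipsec.d/{aacerts,...,private,reqs}` creates `private` with the same default 0755 mode as the public certificate directories, although it is where stroke-based setups keep private keys; a key copied in under a permissive umask then ends up world-readable. Consider tightening just that directory right after the line, `chmod 0700 $(1)/etc/ipsec.d/private`, on the assumption that charon reads these as root on OpenWrt (confirm before relying on it). The brace expansion itself is fine here since the existing `{starter,stroke}` line already relies on the build shell being bash.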
+@@ -618,9 +654,10 @@ $(eval $(call BuildPackage,strongswan-is
+ $(eval $(call BuildPackage,strongswan-charon))
+ $(eval $(call BuildPackage,strongswan-charon-cmd))
+ $(eval $(call BuildPackage,strongswan-ipsec))
++$(eval $(call BuildPackage,strongswan-libnttfft))
+ $(eval $(call BuildPackage,strongswan-pki))
+-$(eval $(call BuildPackage,strongswan-scepclient))
+ $(eval $(call BuildPackage,strongswan-swanctl))
++$(eval $(call BuildPackage,strongswan-gencerts))
+ $(eval $(call BuildPackage,strongswan-libtls))
+ $(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,))
+ $(eval $(call BuildPlugin,aes,AES crypto,))
+@@ -628,10 +665,12 @@ $(eval $(call BuildPlugin,af-alg,AF_ALG
+ $(eval $(call BuildPlugin,agent,SSH agent signing,))
+ $(eval $(call BuildPlugin,attr,file based config,))
+ $(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-charon))
++$(eval $(call BuildPlugin,bliss,BLISS crypto,+strongswan-libnttfft +strongswan-mod-mgf1 +strongswan-mod-hmac))
+ $(eval $(call BuildPlugin,blowfish,Blowfish crypto,))
+ $(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,))
++$(eval $(call BuildPlugin,chapoly,ChaCha20-Poly1305 AEAD crypto,+kmod-crypto-chacha20poly1305))
+ $(eval $(call BuildPlugin,cmac,CMAC crypto,))
+-$(eval $(call BuildPlugin,connmark,netfilter connection marking,))
++$(eval $(call BuildPlugin,connmark,netfilter connection marking,+libip4tc))
+ $(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,))
+ $(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,))
+ $(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,))
+@@ -640,6 +679,7 @@ $(eval $(call BuildPlugin,curve25519,Cur
+ $(eval $(call BuildPlugin,des,DES crypto,))
+ $(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,))
+ $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
++$(eval $(call BuildPlugin,drbg,Deterministic random bit generator,,))
+ $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
+ $(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
+ $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
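Review bot: The new `drbg` line passes an empty fourth argument, `...Deterministic random bit generator,,))`, while every other `BuildPlugin` call in this file ends with a single `,))`; `$(call)` silently accepts the extra argument, but it reads as a typo and should be `$(eval $(call BuildPlugin,drbg,Deterministic random bit generator,))` for consistency.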
+@@ -648,22 +688,25 @@ $(eval $(call BuildPlugin,eap-radius,EAP
+ $(eval $(call BuildPlugin,eap-tls,EAP TLS auth,+strongswan-libtls))
+ $(eval $(call BuildPlugin,farp,fake arp respsonses,))
+ $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
+-$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra))
++$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+libip4tc +kmod-ipt-conntrack-extra))
+ $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
+ $(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt))
+ $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
+ $(eval $(call BuildPlugin,gmpdh,DH-Groups; no libgmp dep,))
+ $(eval $(call BuildPlugin,ha,high availability cluster,))
+ $(eval $(call BuildPlugin,hmac,HMAC crypto,))
++$(eval $(call BuildPlugin,kdf,KDF/PRF+,))
+ $(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,))
+ $(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
+ $(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap))
+ $(eval $(call BuildPlugin,led,LED blink on IKE activity,))
+ $(eval $(call BuildPlugin,load-tester,load testing,))
+-$(eval $(call BuildPlugin,nonce,nonce genereation,))
+ $(eval $(call BuildPlugin,md4,MD4 crypto,))
+ $(eval $(call BuildPlugin,md5,MD5 crypto,))
++$(eval $(call BuildPlugin,mgf1,MGF1 crypto,))
+ $(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-mysql:libmysqlclient-r))
++$(eval $(call BuildPlugin,newhope,New Hope crypto,+strongswan-libnttfft +strongswan-mod-chapoly +strongswan-mod-sha3))
++$(eval $(call BuildPlugin,ntru,NTRU crypto,+strongswan-mod-mgf1))
+ $(eval $(call BuildPlugin,openssl,OpenSSL crypto,+PACKAGE_strongswan-mod-openssl:libopenssl))
+ $(eval $(call BuildPlugin,pem,PEM decoding,))
+ $(eval $(call BuildPlugin,pgp,PGP key decoding,))
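Review bot: `bliss`, `newhope` and `ntru` are added as ordinary selectable plugins with no caveat, yet these are experimental, non-standardised lattice schemes that strongSwan documents as such and, as far as I recall, has since dropped upstream, so nothing in this Makefile warns an integrator against enabling them for production key exchange or signatures. Suggest a comment above the three lines, e.g. `# bliss/newhope/ntru: experimental post-quantum schemes, not standardised; not for production use`, so the plugin descriptions do not read as peers of `openssl` or `curve25519`.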
+@@ -679,6 +722,7 @@ $(eval $(call BuildPlugin,resolve,DNS re
+ $(eval $(call BuildPlugin,revocation,X509 CRL/OCSP revocation,))
+ $(eval $(call BuildPlugin,sha1,SHA1 crypto,))
+ $(eval $(call BuildPlugin,sha2,SHA2 crypto,))
++$(eval $(call BuildPlugin,sha3,SHA3 and SHAKE crypto,))
+ $(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2))
+ $(eval $(call BuildPlugin,socket-default,default socket implementation for charon,))
+ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,))
+@@ -689,9 +733,10 @@ $(eval $(call BuildPlugin,stroke,Stroke,
+ $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
+ $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
+ $(eval $(call BuildPlugin,unity,Cisco Unity extension,))
+-$(eval $(call BuildPlugin,updown,updown firewall,))
++$(eval $(call BuildPlugin,updown,updown firewall,+iptables +IPV6:ip6tables +iptables-mod-ipsec +kmod-ipt-ipsec))
+ $(eval $(call BuildPlugin,vici,Versatile IKE Configuration Interface,))
+ $(eval $(call BuildPlugin,whitelist,peer identity whitelisting,))
++$(eval $(call BuildPlugin,wolfssl,WolfSSL crypto,+PACKAGE_strongswan-mod-wolfssl:libwolfssl))
+ $(eval $(call BuildPlugin,x509,x509 certificate,))
+ $(eval $(call BuildPlugin,xauth-eap,EAP XAuth backend,))
+ $(eval $(call BuildPlugin,xauth-generic,generic XAuth backend,))
+--- /dev/null
++++ b/feeds/packages/net/strongswan/files/gencerts.sh
+@@ -0,0 +1,155 @@
++#!/bin/sh
++
++#
++# see:
++# https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/
++#
++
++PROG=$(basename "$0")
++
++[ -z "$EUID" ] && EUID=$(id -u)
++
++if [ $# -lt 5 ]; then
++ echo "Usage: $PROG { -s | -c | -u } country domain organization identities [ ... ]" >&2
++ exit 1
++fi
++
++case "$1" in
++-s)
++ S_OPT=1 ;;
++-c)
++ C_OPT=1 ;;
++-u)
++ U_OPT=1 ;;
++*)
++ echo "$PROG: require an option specifying server/client/user credential type" >&2
++ exit 1
++ ;;
++esac
++shift
++
++C="$1"; shift
++DOMAIN="$1"; shift
++SHORT_DOMAIN="${DOMAIN%%.*}"
++ORG="$1"; shift
++
++# invariants...
++SYSCONFDIR=/etc
++SWANCTL_DIR="$SYSCONFDIR/swanctl"
++: ${KEYINFO:="rsa:4096"}
++: ${CADAYS:=3650}
++: ${CRTDAYS:=730}
++
++makeDN()
++{
++ printf "C=%s, O=%s, CN=%s" "$1" "$2" "$3"
++}
++
++field()
++{
++ local arg="$1"
++ local nth="$2"
++
++ echo "$arg" | cut -d ':' -f "$nth"
++}
++
++genmasterkey()
++{
++ local keytype keybits
++
++ keytype=$(field "$KEYINFO" 1)
++ keybits=$(field "$KEYINFO" 2)
++
++ pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
++ chmod 0400 "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
++}
++
++genca()
++{
++ local keytype
++
++ keytype=$(field "$KEYINFO" 1)
++
++ pki --self --ca --lifetime "$CADAYS" --in "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" --type "$keytype" \
++ --dn "$ROOTDN" --outform pem > "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt"
++ chmod 0444 "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt"
++}
++
++genclientkey()
++{
++ local name="$1" keytype keybits
++
++ keytype=$(field "$KEYINFO" 1)
++ keybits=$(field "$KEYINFO" 2)
++
++ pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$name.key"
++ chmod 0400 "$SWANCTL_DIR/private/$name.key"
++}
++
++gendevcert()
++{
++ local dn="$1"
++ local san="$2"
++ local name="$3"
++
++ # reads key from input
++ pki --issue --lifetime "$CRTDAYS" \
++ --cacert "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" \
++ --cakey "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" \
++ --dn "$dn" --san "$san" \
++ ${S_OPT:+--flag serverAuth} \
++ ${S_OPT:---flag clientAuth} \
++ --flag ikeIntermediate \
++ --outform pem > "$SWANCTL_DIR/x509/$name.crt"
++ chmod 0444 "$SWANCTL_DIR/x509/$name.crt"
++}
++
++gendev()
++{
++ local keytype
++
++ keytype=$(field "$KEYINFO" 1)
++
++ [ -f "$SWANCTL_DIR/private/$NAME.key" ] || genclientkey "$NAME"
++
++ [ -f "$SWANCTL_DIR/x509/$NAME.crt" ] || \
++ pki --pub --in "$SWANCTL_DIR/private/$NAME.key" --type "$keytype" \
++ | gendevcert "$DEVDN" "$DEVSAN" "$NAME"
++}
++
++setparams()
++{
++ NAME="$1"
++
++ if [ -n "$U_OPT" ]; then
++ DEVSAN="$NAME@$DOMAIN"
++ DEVDN="$(makeDN "$C" "$ORG" "$DEVSAN")"
++ else
++ DEVSAN="$NAME.$DOMAIN"
++ DEVDN="$(makeDN "$C" "$ORG" "$NAME")"
++ fi
++}
++
++umask 077
++
++[ "$EUID" -eq 0 ] || { echo "Must run as root!" >&2 ; exit 1; }
++
++ROOTDN="$(makeDN "$C" "$ORG" "Root CA")"
++
++[ -f "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" ] || genmasterkey
++
++[ -f "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" ] || genca
++
++PARENT="$SYSCONFDIR"
++BASEDIR="${SWANCTL_DIR##$PARENT/}"
++
++for name in "$@"; do
++ setparams "$name"
++ gendev
++
++ tar -zcf "$name-certs.tar.gz" -C "$PARENT" "$BASEDIR/x509ca/$SHORT_DOMAIN.crt" "$BASEDIR/x509/$name.crt" "$BASEDIR/private/$name.key"
++ chmod 600 "$name-certs.tar.gz"
++ echo "Generated as $name-certs.tar.gz"
++done
++
++exit 0
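Review bot: A failed `pki` invocation leaves a zero-byte key or certificate behind, because `genmasterkey`, `genca`, `genclientkey` and `gendevcert` all redirect stdout straight to the final path and the shell creates that file before `pki` runs; the `[ -f ... ] ||` guards in the main flow and in `gendev` then treat the empty file as present on the next run and never regenerate it, so a CA or client can silently end up with an unusable key that is also shipped in the tarball. Write to a temporary name and rename only on success, e.g. `pki --gen ... > "$out.tmp" && mv -f "$out.tmp" "$out" || { rm -f "$out.tmp"; exit 1; }`, and use `[ -s ... ]` for the existence checks; `gendevcert` needs the same treatment since `pipefail` is unavailable under `#!/bin/sh` and a failing `pki --pub` feeds it empty input. Consider also failing early with a clear message when `$SWANCTL_DIR/private`, `x509ca` or `x509` does not exist, unless the swanctl package is known to create them.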
+--- a/feeds/packages/net/strongswan/files/ipsec.init
++++ b/feeds/packages/net/strongswan/files/ipsec.init
+@@ -354,6 +354,8 @@ service_triggers() {
+ start_service() {
+ prepare_env
+
++ warning "Strongswan is deprecating the ipsec CLI; please migrate to swanctl."
++
+ [ $WAIT_FOR_INTF -eq 1 ] && return
+
+ procd_open_instance
+--- a/feeds/packages/net/strongswan/files/swanctl.init
++++ b/feeds/packages/net/strongswan/files/swanctl.init
+@@ -4,7 +4,7 @@ START=90
+ STOP=10
+
+ USE_PROCD=1
+-PROG=/usr/lib/ipsec/starter
++PROG=/usr/lib/ipsec/charon
+
+ . $IPKG_INSTROOT/lib/functions.sh
+ . $IPKG_INSTROOT/lib/functions/network.sh
+@@ -17,8 +17,9 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanc
+
+ WAIT_FOR_INTF=0
+
+-time2seconds()
+-{
++CONFIG_FAIL=0
++
++time2seconds() {
+ local timestring="$1"
+ local multiplier number suffix
+
+@@ -40,8 +41,7 @@ time2seconds()
+ echo $(( number * multiplier ))
+ }
+
+-seconds2time()
+-{
++seconds2time() {
+ local seconds="$1"
+
+ if [ $seconds -eq 0 ]; then
+@@ -63,9 +63,12 @@ file_reset() {
+
+ xappend() {
+ local file="$1"
+- shift
++ local indent="$2"
++ shift 2
+
+- echo "$@" >> "$file"
++ for cmd in "$@"; do
++ echo "$indent$cmd" >> "$file"
++ done
+ }
+
+ swan_reset() {
+@@ -77,23 +80,23 @@ swan_xappend() {
+ }
+
+ swan_xappend0() {
+- swan_xappend "$@"
++ swan_xappend "" "$@"
+ }
+
+ swan_xappend1() {
+- swan_xappend " ""$@"
++ swan_xappend " " "$@"
+ }
+
+ swan_xappend2() {
+- swan_xappend " ""$@"
++ swan_xappend " " "$@"
+ }
+
+ swan_xappend3() {
+- swan_xappend " ""$@"
++ swan_xappend " " "$@"
+ }
+
+ swan_xappend4() {
+- swan_xappend " ""$@"
++ swan_xappend " " "$@"
+ }
+
+ swanctl_reset() {
+@@ -105,52 +108,66 @@ swanctl_xappend() {
+ }
+
+ swanctl_xappend0() {
+- swanctl_xappend "$@"
++ swanctl_xappend "" "$@"
+ }
+
+ swanctl_xappend1() {
+- swanctl_xappend " ""$@"
++ swanctl_xappend " " "$@"
+ }
+
+ swanctl_xappend2() {
+- swanctl_xappend " ""$@"
++ swanctl_xappend " " "$@"
+ }
+
+ swanctl_xappend3() {
+- swanctl_xappend " ""$@"
++ swanctl_xappend " " "$@"
+ }
+
+ swanctl_xappend4() {
+- swanctl_xappend " ""$@"
++ swanctl_xappend " " "$@"
+ }
+
+ warning() {
+ echo "WARNING: $@" >&2
+ }
+
++fatal() {
++ echo "ERROR: $@" >&2
++ CONFIG_FAIL=1
++}
++
++append_var() {
++ local var="$2" value="$1" delim="${3:- }"
++ append "$var" "$value" "$delim"
++}
++
+ is_aead() {
+ local cipher="$1"
+
+ case "$cipher" in
+ aes*gcm*|aes*ccm*|aes*gmac*)
+ return 0 ;;
++ chacha20poly1305)
++ return 0 ;;
+ esac
+
+ return 1
+ }
+
+-add_esp_proposal() {
++config_esp_proposal() {
++ local conf="$1"
++
+ local encryption_algorithm
+ local hash_algorithm
+ local dh_group
+
+- config_get encryption_algorithm "$1" encryption_algorithm
+- config_get hash_algorithm "$1" hash_algorithm
+- config_get dh_group "$1" dh_group
++ config_get encryption_algorithm "$conf" encryption_algorithm
++ config_get hash_algorithm "$conf" hash_algorithm
++ config_get dh_group "$conf" dh_group
+
+ # check for AEAD and clobber hash_algorithm if set
+ if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
+- warning "Can't have $hash_algorithm with $encryption_algorithm"
++ fatal "Can't have $hash_algorithm with $encryption_algorithm"
+ hash_algorithm=
+ fi
+
+@@ -158,29 +175,33 @@ add_esp_proposal() {
+ crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
+ }
+
+-parse_esp_proposal() {
++iter_esp_proposal() {
+ local conf="$1"
++ local var="$2"
++
+ local crypto=""
+
+- config_list_foreach "$conf" crypto_proposal add_esp_proposal
++ config_list_foreach "$conf" crypto_proposal config_esp_proposal
+
+- echo "$crypto"
++ export -n "$var=$crypto"
+ }
+
+-add_ike_proposal() {
++config_ike_proposal() {
++ local conf="$1"
++
+ local encryption_algorithm
+ local hash_algorithm
+ local dh_group
+ local prf_algorithm
+
+- config_get encryption_algorithm "$1" encryption_algorithm
+- config_get hash_algorithm "$1" hash_algorithm
+- config_get dh_group "$1" dh_group
+- config_get prf_algorithm "$1" prf_algorithm
++ config_get encryption_algorithm "$conf" encryption_algorithm
++ config_get hash_algorithm "$conf" hash_algorithm
++ config_get dh_group "$conf" dh_group
++ config_get prf_algorithm "$conf" prf_algorithm
+
+ # check for AEAD and clobber hash_algorithm if set
+ if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
+- warning "Can't have $hash_algorithm with $encryption_algorithm"
++ fatal "Can't have $hash_algorithm with $encryption_algorithm"
+ hash_algorithm=
+ fi
+
+@@ -188,47 +209,65 @@ add_ike_proposal() {
+ crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
+ }
+
+-parse_ike_proposal() {
++iter_ike_proposal() {
+ local conf="$1"
++ local var="$2"
++
+ local crypto=""
+
+- config_list_foreach "$conf" crypto_proposal add_ike_proposal
++ config_list_foreach "$conf" crypto_proposal config_ike_proposal
+
+- echo "$crypto"
++ export -n "$var=$crypto"
+ }
+
+-config_conn() {
++config_child() {
+ # Generic ipsec conn section shared by tunnel and transport
+- local config_name="$1"
++ local conf="$1"
+ local mode="$2"
+
++ local hw_offload
++ local interface
++ local ipcomp
++ local priority
+ local local_subnet
+ local local_nat
+ local updown
+ local firewall
+ local remote_subnet
+- local remote_sourceip
+ local lifetime
+ local dpdaction
+ local closeaction
+ local startaction
+ local if_id
+ local rekeytime
++ local rekeybytes
++ local lifebytes
++ local rekeypackets
++ local lifepackets
++
++ config_get startaction "$conf" startaction "route"
++ config_get local_nat "$conf" local_nat ""
++ config_get updown "$conf" updown ""
++ config_get firewall "$conf" firewall ""
++ config_get lifetime "$conf" lifetime ""
++ config_get dpdaction "$conf" dpdaction "none"
++ config_get closeaction "$conf" closeaction "none"
++ config_get if_id "$conf" if_id ""
++ config_get rekeytime "$conf" rekeytime ""
++ config_get_bool ipcomp "$conf" ipcomp 0
++ config_get interface "$conf" interface ""
++ config_get hw_offload "$conf" hw_offload ""
++ config_get priority "$conf" priority ""
++ config_get rekeybytes "$conf" rekeybytes ""
++ config_get lifebytes "$conf" lifebytes ""
++ config_get rekeypackets "$conf" rekeypackets ""
++ config_get lifepackets "$conf" lifepackets ""
+
+- config_get startaction "$1" startaction "route"
+- config_get local_subnet "$1" local_subnet ""
+- config_get local_nat "$1" local_nat ""
+- config_get updown "$1" updown ""
+- config_get firewall "$1" firewall ""
+- config_get remote_subnet "$1" remote_subnet ""
+- config_get remote_sourceip "$1" remote_sourceip ""
+- config_get lifetime "$1" lifetime ""
+- config_get dpdaction "$1" dpdaction "none"
+- config_get closeaction "$1" closeaction "none"
+- config_get if_id "$1" if_id ""
+- config_get rekeytime "$1" rekeytime ""
++ config_list_foreach "$conf" local_subnet append_var local_subnet ","
++ config_list_foreach "$conf" remote_subnet append_var remote_subnet ","
+
+- local esp_proposal="$(parse_esp_proposal "$1")"
++ local esp_proposal
++ iter_esp_proposal "$conf" esp_proposal
+
+ # translate from ipsec to swanctl
+ case "$startaction" in
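Review bot: `local_subnet` and `remote_subnet` are now read only through `config_list_foreach`, which iterates `list` entries and yields nothing for an existing `option local_subnet`/`option remote_subnet` in /etc/config/ipsec, as far as this hunk shows; such a config silently loses its traffic selectors after the upgrade, leaving `local_ts`/`remote_ts` unset so swanctl falls back to its `dynamic` default, which for a tunnel means the intended subnets are no longer carried over IPsec. Unless a config migration ships elsewhere, keep the old form working with a fallback after the two loops: `[ -n "$local_subnet" ] || config_get local_subnet "$conf" local_subnet ""` and the same for `remote_subnet`. config_child continues past this hunk.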
+@@ -240,7 +279,7 @@ config_conn() {
+ # already using new syntax
+ ;;
+ *)
+- warning "Startaction $startaction unknown"
++ fatal "Startaction $startaction unknown"
+ startaction=
+ ;;
+ esac
+@@ -256,7 +295,7 @@ config_conn() {
+ # already using new syntax
+ ;;
+ *)
+- warning "Closeaction $closeaction unknown"
++ fatal "Closeaction $closeaction unknown"
+ closeaction=
+ ;;
+ esac
+@@ -278,18 +317,32 @@ config_conn() {
+ # already using new syntax
+ ;;
+ *)
+- warning "Dpdaction $dpdaction unknown"
++ fatal "Dpdaction $dpdaction unknown"
+ dpdaction=
+ ;;
+ esac
+
++ case "$hw_offload" in
++ yes|no|auto|"")
++ ;;
++ *)
++ fatal "hw_offload value $hw_offload invalid"
++ hw_offload=""
++ ;;
++ esac
++
+ [ -n "$local_nat" ] && local_subnet="$local_nat"
+
+- swanctl_xappend3 "$config_name {"
++ swanctl_xappend3 "$conf {"
+
+ [ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet"
+ [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet"
+- [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; }
++
++ [ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload"
++ [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1"
++ [ -n "$interface" ] && swanctl_xappend4 "interface = $interface"
++ [ -n "$priority" ] && swanctl_xappend4 "priority = $priority"
++ [ -n "$if_id" ] && swanctl_xappend4 "if_id_in = $if_id" "if_id_out = $if_id"
+ [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction"
+ [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction"
+ swanctl_xappend4 "esp_proposals = $esp_proposal"
+@@ -301,6 +354,19 @@ config_conn() {
+ swanctl_xappend4 "life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))"
+ fi
+ [ -n "$rekeytime" ] && swanctl_xappend4 "rekey_time = $rekeytime"
++ if [ -n "$lifebytes" ]; then
++ swanctl_xappend4 "life_bytes = $lifebytes"
++ elif [ -n "$rekeybytes" ]; then
++ swanctl_xappend4 "life_bytes = $(((110 * rekeybytes) / 100))"
++ fi
++ [ -n "$rekeybytes" ] && swanctl_xappend4 "rekey_bytes = $rekeybytes"
++ if [ -n "$lifepackets" ]; then
++ swanctl_xappend4 "life_packets = $lifepackets"
++ elif [ -n "$rekeypackets" ]; then
++ swanctl_xappend4 "life_packets = $(((110 * rekeypackets) / 100))"
++ fi
++ [ -n "$rekeypackets" ] && swanctl_xappend4 "rekey_packets = $rekeypackets"
++ [ -n "$inactivity" ] && swanctl_xappend4 "inactivity = $inactivity"
+
+ [ -n "$updown" ] && swanctl_xappend4 "updown = $updown"
+ [ -n "$dpdaction" ] && swanctl_xappend4 "dpd_action = $dpdaction"
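Review bot: `$(((110 * rekeybytes) / 100))` and the `rekeypackets` counterpart run shell arithmetic on raw UCI strings, so a value that is not a plain integer (say `100M`, or a trailing space) makes ash error out of the init script with an arithmetic failure instead of the configuration diagnostic that `hw_offload` gets in the same function. Validate both before use, e.g. `case "$rekeybytes" in *[!0-9]*) fatal "rekeybytes $rekeybytes is not an integer"; rekeybytes="" ;; esac`, and the same for `rekeypackets`, `lifebytes` and `lifepackets`. Separately, `inactivity` is emitted here but never declared or fetched in `config_child`; it appears to work only because the caller's local leaks in through dynamic scoping, so either `config_get inactivity "$conf" inactivity ""` explicitly or add `# inactivity is inherited from config_remote's local` so the coupling is visible. config_child starts and ends outside this hunk.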
+@@ -309,21 +375,56 @@ config_conn() {
+ }
+
+ config_tunnel() {
+- config_conn "$1" "tunnel"
++ config_child "$1" "tunnel"
+ }
+
+ config_transport() {
+- config_conn "$1" "transport"
++ config_child "$1" "transport"
++}
++
++config_pool() {
++ local conf="$1"
++
++ local addrs
++ local dns
++ local nbns
++ local dhcp
++ local netmask
++ local server
++ local subnet
++ local split_include
++ local split_exclude
++
++ config_get addrs "$conf" addrs
++ config_list_foreach "$conf" dns append_var dns ","
++ config_list_foreach "$conf" nbns append_var nbns ","
++ config_list_foreach "$conf" dhcp append_var dhcp ","
++ config_list_foreach "$conf" netmask append_var netmask ","
++ config_list_foreach "$conf" server append_var server ","
++ config_list_foreach "$conf" subnet append_var subnet ","
++ config_list_foreach "$conf" split_include append_var split_include ","
++ config_list_foreach "$conf" split_exclude append_var split_exclude ","
++
++ swanctl_xappend1 "$conf {"
++ [ -n "$addrs" ] && swanctl_xappend2 "addrs = $addrs"
++ [ -n "$dns" ] && swanctl_xappend2 "dns = $dns"
++ [ -n "$nbns" ] && swanctl_xappend2 "nbns = $nbns"
++ [ -n "$dhcp" ] && swanctl_xappend2 "dhcp = $dhcp"
++ [ -n "$netmask" ] && swanctl_xappend2 "netmask = $netmask"
++ [ -n "$server" ] && swanctl_xappend2 "server = $server"
++ [ -n "$subnet" ] && swanctl_xappend2 "subnet = $subnet"
++ [ -n "$split_include" ] && swanctl_xappend2 "split_include = $split_include"
++ [ -n "$split_exclude" ] && swanctl_xappend2 "split_exclude = $split_exclude"
++ swanctl_xappend1 "}"
+ }
+
+ config_remote() {
+- local config_name="$1"
++ local conf="$1"
+
+ local enabled
+ local gateway
+- local local_gateway
+ local local_sourceip
+- local local_leftip
++ local local_ip
+ local remote_gateway
+ local pre_shared_key
+ local auth_method
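Review bot: `config_pool` emits a `$conf { ... }` section even when the referenced pool section has no `addrs`, which is the one mandatory key of a swanctl pool, so a typo in a `list pools` entry produces an empty pool block instead of an error. After `config_get addrs "$conf" addrs` add `[ -n "$addrs" ] || fatal "pool $conf has no addrs"` so it is caught by the same `CONFIG_FAIL` path the other validations use. The values are written unquoted, which matches the rest of the generator but means a value containing `#` or whitespace is silently truncated by the swanctl.conf parser — worth a one-line comment on the function stating that pool options must be plain addresses/CIDRs.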
+@@ -331,38 +432,39 @@ config_remote() {
+ local dpddelay
+ local inactivity
+ local keyexchange
+- local reqid
+- local packet_marker
+ local fragmentation
+ local mobike
+ local local_cert
+ local local_key
+ local ca_cert
+ local rekeytime
++ local remote_ca_certs
++ local pools
+
+- config_get_bool enabled "$1" enabled 0
++ config_get_bool enabled "$conf" enabled 0
+ [ $enabled -eq 0 ] && return
+
+- config_get gateway "$1" gateway
+- config_get pre_shared_key "$1" pre_shared_key
+- config_get auth_method "$1" authentication_method
+- config_get local_identifier "$1" local_identifier ""
+- config_get remote_identifier "$1" remote_identifier ""
+- config_get local_sourceip "$1" local_sourceip ""
+- config_get local_leftip "$1" local_leftip "%any"
+- config_get keyingtries "$1" keyingtries "3"
+- config_get dpddelay "$1" dpddelay "30s"
+- config_get inactivity "$1" inactivity
+- config_get keyexchange "$1" keyexchange "ikev2"
+- config_get reqid "$1" reqid
+- config_get packet_marker "$1" packet_marker
+- config_get fragmentation "$1" fragmentation "yes"
+- config_get_bool mobike "$1" mobike 1
+- config_get local_cert "$1" local_cert ""
+- config_get local_key "$1" local_key ""
+- config_get ca_cert "$1" ca_cert ""
+- config_get rekeytime "$1" rekeytime
+- config_get overtime "$1" overtime
++ config_get gateway "$conf" gateway
++ config_get pre_shared_key "$conf" pre_shared_key
++ config_get auth_method "$conf" authentication_method
++ config_get local_identifier "$conf" local_identifier ""
++ config_get remote_identifier "$conf" remote_identifier ""
++ config_get local_ip "$conf" local_ip "%any"
++ config_get keyingtries "$conf" keyingtries "3"
++ config_get dpddelay "$conf" dpddelay "30s"
++ config_get inactivity "$conf" inactivity
++ config_get keyexchange "$conf" keyexchange "ikev2"
++ config_get fragmentation "$conf" fragmentation "yes"
++ config_get_bool mobike "$conf" mobike 1
++ config_get local_cert "$conf" local_cert ""
++ config_get local_key "$conf" local_key ""
++ config_get ca_cert "$conf" ca_cert ""
++ config_get rekeytime "$conf" rekeytime
++ config_get overtime "$conf" overtime
++
++ config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
++ config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs ","
++ config_list_foreach "$conf" pools append_var pools ","
+
+ case "$fragmentation" in
+ 0)
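Review bot: Renaming the UCI option `local_leftip` to `local_ip` and reading `local_sourceip` with `config_list_foreach` instead of `config_get` silently changes behaviour for existing configurations: a remote that still carries `option local_leftip` now falls back to the default `%any`, so charon listens on every address rather than the one the operator pinned, and a scalar `option local_sourceip` is no longer picked up as `vips` (config_list_foreach only walks `list` entries, as far as I can tell from this OpenWrt release). A compatibility read keeps old configs working without changing the new interface: `config_get local_ip "$conf" local_ip "$(config_get "$conf" local_leftip "%any")"` and `[ -z "$local_sourceip" ] && config_get local_sourceip "$conf" local_sourceip`. Alternatively emit `fatal` when the old option names are present so the failure is visible rather than a silent widening of the listen address. `config_remote` continues past the end of this hunk.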
+@@ -373,50 +475,70 @@ config_remote() {
+ # already using new syntax
+ ;;
+ *)
+- warning "Fragmentation $fragmentation not supported"
++ fatal "Fragmentation $fragmentation not supported"
+ fragmentation=
+ ;;
+ esac
+
+ [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
+
+- [ -z "$local_gateway" ] && {
+- local ipdest
++ if [ -n "$local_key" ]; then
++ [ "$(dirname "$local_key")" != "." ] && \
++ fatal "local_key $local_key can't be pathname"
++ [ -f "/etc/swanctl/private/$local_key" ] || \
++ fatal "local_key $local_key not found"
++ fi
++
++ local ike_proposal
++ iter_ike_proposal "$conf" ike_proposal
+
+- [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
+- local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
+- }
++ [ -n "$firewall" ] && fatal "Firewall not supported"
+
+- local ike_proposal="$(parse_ike_proposal "$1")"
++ if [ "$auth_method" = pubkey ]; then
++ if [ -n "$ca_cert" ]; then
++ [ "$(dirname "$ca_cert")" != "." ] && \
++ fatal "ca_cert $ca_cert can't be pathname"
++ [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \
++ fatal "ca_cert $ca_cert not found"
++ fi
+
+- [ -n "$firewall" ] && warning "Firewall not supported"
++ if [ -n "$local_cert" ]; then
++ [ "$(dirname "$local_cert")" != "." ] && \
++ fatal "local_cert $local_cert can't be pathname"
++ [ -f "/etc/swanctl/x509/$local_cert" ] || \
++ fatal "local_cert $local_cert not found"
++ fi
++ fi
+
+- swanctl_xappend0 "# config for $config_name"
++ swanctl_xappend0 "# config for $conf"
+ swanctl_xappend0 "connections {"
+- swanctl_xappend1 "$config_name {"
+- swanctl_xappend2 "local_addrs = $local_leftip"
++ swanctl_xappend1 "$conf {"
++ swanctl_xappend2 "local_addrs = $local_ip"
+ swanctl_xappend2 "remote_addrs = $remote_gateway"
+
+ [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
+ [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
++ [ -n "$pools" ] && swanctl_xappend2 "pools = $pools"
+
+ swanctl_xappend2 "local {"
+ swanctl_xappend3 "auth = $auth_method"
+
+ [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
+- [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert"
++ [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
++ swanctl_xappend3 "certs = $local_cert"
+ swanctl_xappend2 "}"
+
+ swanctl_xappend2 "remote {"
+ swanctl_xappend3 "auth = $auth_method"
+ [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
++ [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
+ swanctl_xappend2 "}"
+
+ swanctl_xappend2 "children {"
+
+- config_list_foreach "$1" tunnel config_tunnel
++ config_list_foreach "$conf" tunnel config_tunnel
+
+- config_list_foreach "$1" transport config_transport
++ config_list_foreach "$conf" transport config_transport
+
+ swanctl_xappend2 "}"
+
+@@ -428,7 +550,7 @@ config_remote() {
+ ikev2)
+ swanctl_xappend2 "version = 2" ;;
+ *)
+- warning "Keyexchange $keyexchange not supported"
++ fatal "Keyexchange $keyexchange not supported"
+ keyexchange=
+ ;;
+ esac
+@@ -454,17 +576,9 @@ config_remote() {
+ if [ "$auth_method" = pubkey ]; then
+ swanctl_xappend0 ""
+
+- swanctl_xappend0 "secrets {"
+- swanctl_xappend1 "rsa {"
+- swanctl_xappend2 "filename = $local_key"
+- swanctl_xappend1 "}"
+- swanctl_xappend0 "}"
+-
+- swanctl_xappend0 ""
+-
+ if [ -n "$ca_cert" ]; then
+ swanctl_xappend0 "authorities {"
+- swanctl_xappend1 "$config_name {"
++ swanctl_xappend1 "$conf {"
+ swanctl_xappend2 "cacert = $ca_cert"
+ swanctl_xappend1 "}"
+ swanctl_xappend0 "}"
+@@ -474,18 +588,24 @@ config_remote() {
+ swanctl_xappend0 ""
+
+ swanctl_xappend0 "secrets {"
+- swanctl_xappend1 "ike {"
++ swanctl_xappend1 "ike-$conf {"
+ swanctl_xappend2 "secret = $pre_shared_key"
+- if [ -z "$local_id" ]; then
+- swanctl_xappend2 "id1 = $local_id"
+- if [ -z "$remote_id" ]; then
+- swanctl_xappend2 "id2 = $remote_id"
++ if [ -n "$local_identifier" ]; then
++ swanctl_xappend2 "id1 = $local_identifier"
++ if [ -n "$remote_identifier" ]; then
++ swanctl_xappend2 "id2 = $remote_identifier"
+ fi
+ fi
++ swanctl_xappend1 "}"
++ swanctl_xappend0 "}"
+ else
+- warning "AuthenticationMode $auth_mode not supported"
++ fatal "AuthenticationMode $auth_mode not supported"
+ fi
+
++ swanctl_xappend0 "pools {"
++ config_list_foreach "$conf" pools config_pool
++ swanctl_xappend0 "}"
++
+ swanctl_xappend0 ""
+ }
+
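Review bot: `fatal "AuthenticationMode $auth_mode not supported"` expands a variable that is never set — the local read earlier in `config_remote` is `auth_method` — so the error message names nothing; change it to `fatal "AuthenticationMode $auth_method not supported"`. In the PSK branch `secret = $pre_shared_key` is emitted unquoted and without a presence check, so an empty option produces a `secret =` line and a key containing whitespace, `#` or `"` is truncated or misparsed by the swanctl.conf parser rather than rejected; add `[ -n "$pre_shared_key" ] || fatal "pre_shared_key required for psk"` and write the value quoted (escaping embedded `\` and `"`), consistent with how `id = "$local_identifier"` is already quoted in the `local`/`remote` blocks while `id1`/`id2` here are not. The `if/elif` on `$auth_method` that encloses these lines begins before the hunk.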
+@@ -494,24 +614,20 @@ do_preamble() {
+ }
+
+ config_ipsec() {
+- local debug
++ local conf="$1"
++
+ local rtinstall_enabled
+- local routing_tables_ignored
+ local routing_table
+ local routing_table_id
+ local interface
+- local device_list
+-
+- swan_reset
+- swanctl_reset
+- do_preamble
++ local interface_list
+
+- config_get debug "$1" debug 0
+- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
++ config_get debug "$conf" debug 0
++ config_get_bool rtinstall_enabled "$conf" rtinstall_enabled 1
+ [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
+
+ # prepare extra charon config option ignore_routing_tables
+- for routing_table in $(config_get "$1" "ignore_routing_tables"); do
++ for routing_table in $(config_get "$conf" "ignore_routing_tables"); do
+ if [ "$routing_table" -ge 0 ] 2>/dev/null; then
+ routing_table_id=$routing_table
+ else
+@@ -521,7 +637,8 @@ config_ipsec() {
+ [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
+ done
+
+- local interface_list=$(config_get "$1" "interface")
++ config_list_foreach "$conf" interface append_var interface_list
++
+ if [ -z "$interface_list" ]; then
+ WAIT_FOR_INTF=0
+ else
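Review bot: Switching `interface` from `config_get` to `config_list_foreach` means an existing `option interface 'wan'` in the `ipsec` section is no longer read (only `list interface` entries are walked), so `interface_list` is empty, `WAIT_FOR_INTF` becomes 0 and charon is started without waiting for the uplink — a silent behavioural change for upgraded devices. Keep a fallback, `[ -z "$interface_list" ] && config_get interface_list "$conf" interface`, or document the new `list` form in the commit message and fail loudly on the old one. `config_ipsec` starts before this hunk.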
+@@ -531,7 +648,9 @@ config_ipsec() {
+ done
+ [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
+ fi
++}
+
++do_postamble() {
+ swan_xappend0 "# generated by /etc/init.d/swanctl"
+ swan_xappend0 "charon {"
+ swan_xappend1 "install_routes = $install_routes"
+@@ -551,9 +670,19 @@ config_ipsec() {
+
+ prepare_env() {
+ mkdir -p /var/ipsec /var/swanctl
++
++ swan_reset
++ swanctl_reset
++ do_preamble
++
++ # needed by do_postamble
++ local debug install_routes routing_tables_ignored device_list
++
+ config_load ipsec
+ config_foreach config_ipsec ipsec
+ config_foreach config_remote remote
++
++ do_postamble
+ }
+
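Review bot: `mkdir -p /var/ipsec /var/swanctl` creates the directories with whatever umask the init script inherits, yet the configuration generated right after it carries the pre-shared key in cleartext (`secret = $pre_shared_key` in `config_remote`). If `SWANCTL_CONF_FILE`, which is referenced in `start_service` but defined outside this view, lives under one of these directories, use `mkdir -p -m 0700 /var/swanctl` (or `chmod 0700` after creation) and set `umask 077` before `swan_reset`/`swanctl_reset` so neither the directory nor the regenerated file is world-readable. A short comment such as `# generated swanctl.conf holds PSKs; keep it root-only` would make the intent clear to the next editor.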
+ service_running() {
+@@ -587,9 +716,14 @@ start_service() {
+
+ [ $WAIT_FOR_INTF -eq 1 ] && return
+
++ if [ $CONFIG_FAIL -ne 0 ]; then
++ procd_set_param error "Invalid configuration"
++ return
++ fi
++
+ procd_open_instance
+
+- procd_set_param command $PROG --daemon charon --nofork
++ procd_set_param command $PROG
+
+ procd_set_param file $SWANCTL_CONF_FILE
+ procd_append_param file /etc/swanctl/conf.d/*.conf
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0900-src-Patch-for-building-with-musl-on-openwrt-taken-ve.patch
+@@ -0,0 +1,110 @@
++From 27a54379cf3c48ff63c02a4a9f023297bba60d45 Mon Sep 17 00:00:00 2001
++From: Noel Kuntze <noel.kuntze@thermi.consulting>
++Date: Mon, 12 Jul 2021 01:29:43 +0200
++Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken
++ verbatim from openwrt package sources)
++
++---
++ .../kernel_netlink/kernel_netlink_ipsec.c | 1 +
++ .../kernel_netlink/kernel_netlink_net.c | 2 +
++ .../kernel_netlink/kernel_netlink_shared.c | 2 +
++ src/libstrongswan/library.h | 1 +
++ src/libstrongswan/musl.h | 38 +++++++++++++++++++
++ .../plugins/bliss/bliss_huffman.c | 2 +
++ 6 files changed, 46 insertions(+)
++ create mode 100644 src/libstrongswan/musl.h
++
++--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++@@ -41,6 +41,7 @@
++ */
++
++ #define _GNU_SOURCE
+++#include <musl.h>
++ #include <sys/types.h>
++ #include <sys/socket.h>
++ #include <sys/ioctl.h>
++--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
++@@ -37,6 +37,8 @@
++ * THE SOFTWARE.
++ */
++
+++#include "musl.h"
+++
++ #include <sys/socket.h>
++ #include <sys/utsname.h>
++ #include <linux/netlink.h>
++--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
++@@ -37,6 +37,8 @@
++ * THE SOFTWARE.
++ */
++
+++#include "musl.h"
+++
++ #include <sys/socket.h>
++ #include <linux/netlink.h>
++ #include <linux/rtnetlink.h>
++--- a/src/libstrongswan/library.h
+++++ b/src/libstrongswan/library.h
++@@ -120,6 +120,7 @@
++ #include "utils/leak_detective.h"
++ #include "plugins/plugin_loader.h"
++ #include "settings/settings.h"
+++#include "musl.h"
++
++ typedef struct library_t library_t;
++
++--- /dev/null
+++++ b/src/libstrongswan/musl.h
++@@ -0,0 +1,38 @@
+++#include <sys/types.h>
+++
+++#define crypt x_crypt
+++#define encrypt x_encrypt
+++#include <unistd.h>
+++
+++#define fd_set x_fd_set
+++#define ino_t x_ino_t
+++#define off_t x_off_t
+++#define loff_t x_loff_t
+++#define dev_t x_dev_t
+++#define mode_t x_mode_t
+++#define uid_t x_uid_t
+++#define gid_t x_gid_t
+++#define uint64_t x_uint64_t
+++#define u_int64_t x_u_int64_t
+++#define int64_t x_int64_t
+++#define nlink_t x_nlink_t
+++#define timer_t x_timer_t
+++#define blkcnt_t x_blkcnt_t
+++
+++#include <linux/types.h>
+++
+++#undef fd_set
+++#undef ino_t
+++#undef off_t
+++#undef dev_t
+++#undef mode_t
+++#undef uid_t
+++#undef gid_t
+++#undef uint64_t
+++#undef u_int64_t
+++#undef int64_t
+++#undef nlink_t
+++#undef timer_t
+++#undef blkcnt_t
+++#undef crypt
+++#undef encrypt
++--- a/src/libstrongswan/plugins/bliss/bliss_huffman.c
+++++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
++@@ -18,6 +18,8 @@
++ #include "bliss_param_set.h"
++
++ #include <library.h>
+++#undef fprintf
+++#undef printf
++
++ #include <stdio.h>
++ #include <math.h>
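Review bot: `musl.h` defines `loff_t` as `x_loff_t` before pulling in `<linux/types.h>` but, unlike every other renamed type in the file, never `#undef`s it, so in any translation unit that includes this header (which is every libstrongswan TU via `library.h`) a later `loff_t` silently becomes `x_loff_t`. Add `#undef loff_t` to the undef list next to `#undef off_t`. The omission is carried over verbatim from the deleted `101-musl-fixes.patch`, so this is a good moment to fix it rather than re-vendor it; a header comment explaining why the kernel/libc type clash needs this dance would also help, since the file currently has none.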
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0901-uci-verbatim-patch-from-openwrt-package-sources.patch
+@@ -0,0 +1,29 @@
++From 81be4fa54760aa4fed53c6d93da443f57a66f262 Mon Sep 17 00:00:00 2001
++From: Noel Kuntze <noel.kuntze@thermi.consulting>
++Date: Mon, 12 Jul 2021 01:30:32 +0200
++Subject: [PATCH 901/904] uci: verbatim patch from openwrt package sources
++
++---
++ src/libcharon/plugins/uci/uci_parser.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++--- a/src/libcharon/plugins/uci/uci_parser.c
+++++ b/src/libcharon/plugins/uci/uci_parser.c
++@@ -76,7 +76,7 @@ METHOD(enumerator_t, section_enumerator_
++ if (uci_lookup(this->ctx, &element, this->package,
++ this->current->name, "name") == UCI_OK)
++ { /* use "name" attribute as config name if available ... */
++- *value = uci_to_option(element)->value;
+++ *value = uci_to_option(element)->v.string;
++ }
++ else
++ { /* ... or the section name becomes config name */
++@@ -91,7 +91,7 @@ METHOD(enumerator_t, section_enumerator_
++ if (value && uci_lookup(this->ctx, &element, this->package,
++ this->current->name, this->keywords[i]) == UCI_OK)
++ {
++- *value = uci_to_option(element)->value;
+++ *value = uci_to_option(element)->v.string;
++ }
++ }
++
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0902-ipsec-Patch-ipsec-script-to-work-with-musl-sleep-.-P.patch
+@@ -0,0 +1,21 @@
++From d71ec4f26a1334e78a38fa44a1271c52a029e3b4 Mon Sep 17 00:00:00 2001
++From: Noel Kuntze <noel.kuntze@thermi.consulting>
++Date: Mon, 12 Jul 2021 01:31:36 +0200
++Subject: [PATCH 902/904] ipsec: Patch `ipsec` script to work with musl
++ `sleep`. Patch taken verbatim from openwrt package sources.
++
++---
++ src/ipsec/_ipsec.in | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++--- a/src/ipsec/_ipsec.in
+++++ b/src/ipsec/_ipsec.in
++@@ -257,7 +257,7 @@ stop)
++ loop=110
++ while [ $loop -gt 0 ] ; do
++ kill -0 $spid 2>/dev/null || break
++- sleep 0.1 2>/dev/null
+++ sleep 1 2>/dev/null
++ if [ $? -ne 0 ]
++ then
++ sleep 1
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0903-updown-Call-sbin-hotplug-call-ipsec-1-in-updown-scri.patch
+@@ -0,0 +1,26 @@
++From c779da992bdd440e336383da0eb75ef3a2ea6cde Mon Sep 17 00:00:00 2001
++From: Noel Kuntze <noel.kuntze@thermi.consulting>
++Date: Mon, 12 Jul 2021 01:32:20 +0200
++Subject: [PATCH 903/904] updown: Call /sbin/hotplug-call ipsec "$1" in updown
++ script. Patch taken verbatim from openwrt package sources.
++
++---
++ src/_updown/_updown.in | 7 +++++++
++ 1 file changed, 7 insertions(+)
++
++--- a/src/_updown/_updown.in
+++++ b/src/_updown/_updown.in
++@@ -22,6 +22,13 @@
++ # that, and use the (left/right)updown parameters in ipsec.conf to make
++ # strongSwan use yours instead of this default one.
++
+++# Add your custom commands to the file "/etc/ipsec.user". Other packages could
+++# also install their scripts in the directory "/etc/hotplug.d/ipsec".
+++# This files/scripts are executed by the openwrt hotplug functionality on
+++# ipsec events.
+++
+++/sbin/hotplug-call ipsec "$1"
+++
++ # PLUTO_VERSION
++ # indicates what version of this interface is being
++ # used. This document describes version 1.1. This
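Review bot: `/sbin/hotplug-call ipsec "$1"` hands the whole `PLUTO_*` environment to root-run scripts in `/etc/hotplug.d/ipsec` and `/etc/ipsec.user`, and several of those variables (peer identity, peer client subnets, and similar, as the comments that follow in `_updown.in` describe) are derived from what the remote peer sent. The inserted comment should say so explicitly, e.g. `# PLUTO_* values come from the negotiated SA and may be attacker-influenced; hotplug scripts must quote them and must not pass them to eval or a shell unescaped.` The call is also placed before the script's own `PLUTO_VERSION` handling, which I cannot see here; if that check rejects unsupported versions, consider moving the hotplug call after it so scripts never run on a mismatched interface.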
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0904-gmpdh-Plugin-that-implements-gmp-DH-functions-in-an-.patch
+@@ -0,0 +1,239 @@
++From 9f60c2ea6394facac55b90ef66466e1b9edef2a9 Mon Sep 17 00:00:00 2001
++From: Noel Kuntze <noel.kuntze@thermi.consulting>
++Date: Mon, 12 Jul 2021 01:34:23 +0200
++Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an
++ extra plugin. Links and uses gmp plugin source and header files. Patch taken
++ verbatim from openwrt package sources.
++
++---
++ configure.ac | 4 +
++ src/libstrongswan/Makefile.am | 7 ++
++ src/libstrongswan/plugins/gmpdh/Makefile.am | 19 ++++
++ .../plugins/gmpdh/gmpdh_plugin.c | 101 ++++++++++++++++++
++ .../plugins/gmpdh/gmpdh_plugin.h | 42 ++++++++
++ 5 files changed, 173 insertions(+)
++ create mode 100644 src/libstrongswan/plugins/gmpdh/Makefile.am
++ create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
++ create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
++
++--- a/configure.ac
+++++ b/configure.ac
++@@ -147,6 +147,7 @@ ARG_DISBL_SET([fips-prf], [disable
++ ARG_DISBL_SET([gcm], [disable the GCM AEAD wrapper crypto plugin.])
++ ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
++ ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.])
+++ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.])
++ ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.])
++ ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
++ ARG_DISBL_SET([kdf], [disable KDF (prf+) implementation plugin.])
++@@ -1565,6 +1566,7 @@ ADD_PLUGIN([pkcs8], [s ch
++ ADD_PLUGIN([af-alg], [s charon pki scripts medsrv attest nm cmd aikgen])
++ ADD_PLUGIN([fips-prf], [s charon nm cmd])
++ ADD_PLUGIN([gmp], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+++ADD_PLUGIN([gmpdh], [s charon pki scripts manager medsrv attest nm cmd aikgen])
++ ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd])
++ ADD_PLUGIN([agent], [s charon nm cmd])
++ ADD_PLUGIN([keychain], [s charon cmd])
++@@ -1706,6 +1708,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
++ AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
++ AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
++ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+++AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue)
++ AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
++ AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
++ AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
++@@ -1983,6 +1986,7 @@ AC_CONFIG_FILES([
++ src/libstrongswan/plugins/mgf1/Makefile
++ src/libstrongswan/plugins/fips_prf/Makefile
++ src/libstrongswan/plugins/gmp/Makefile
+++ src/libstrongswan/plugins/gmpdh/Makefile
++ src/libstrongswan/plugins/curve25519/Makefile
++ src/libstrongswan/plugins/rdrand/Makefile
++ src/libstrongswan/plugins/aesni/Makefile
++--- a/src/libstrongswan/Makefile.am
+++++ b/src/libstrongswan/Makefile.am
++@@ -353,6 +353,13 @@ if MONOLITHIC
++ endif
++ endif
++
+++if USE_GMPDH
+++ SUBDIRS += plugins/gmpdh
+++if MONOLITHIC
+++ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la
+++endif
+++endif
+++
++ if USE_CURVE25519
++ SUBDIRS += plugins/curve25519
++ if MONOLITHIC
++--- /dev/null
+++++ b/src/libstrongswan/plugins/gmpdh/Makefile.am
++@@ -0,0 +1,19 @@
+++AM_CPPFLAGS = \
+++ -I$(top_srcdir)/src/libstrongswan
+++
+++AM_CFLAGS = \
+++ $(PLUGIN_CFLAGS)
+++
+++if MONOLITHIC
+++noinst_LTLIBRARIES = libstrongswan-gmpdh.la
+++else
+++plugin_LTLIBRARIES = libstrongswan-gmpdh.la
+++endif
+++
+++libstrongswan_gmpdh_la_SOURCES = \
+++ gmpdh_plugin.h gmpdh_plugin.c \
+++ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h
+++
+++
+++libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC)
+++libstrongswan_gmpdh_la_LIBADD =
++--- /dev/null
+++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
++@@ -0,0 +1,101 @@
+++/*
+++ * Copyright (C) 2008-2009 Martin Willi
+++ * Hochschule fuer Technik Rapperswil
+++ *
+++ * This program is free software; you can redistribute it and/or modify it
+++ * under the terms of the GNU General Public License as published by the
+++ * Free Software Foundation; either version 2 of the License, or (at your
+++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+++ *
+++ * This program is distributed in the hope that it will be useful, but
+++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+++ * for more details.
+++ */
+++
+++#include "gmpdh_plugin.h"
+++
+++#include <library.h>
+++#include "../gmp/gmp_diffie_hellman.h"
+++
+++typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t;
+++
+++/**
+++ * private data of gmp_plugin
+++ */
+++struct private_gmpdh_plugin_t {
+++
+++ /**
+++ * public functions
+++ */
+++ gmpdh_plugin_t public;
+++};
+++
+++METHOD(plugin_t, get_name, char*,
+++ private_gmpdh_plugin_t *this)
+++{
+++ return "gmpdh";
+++}
+++
+++METHOD(plugin_t, get_features, int,
+++ private_gmpdh_plugin_t *this, plugin_feature_t *features[])
+++{
+++ static plugin_feature_t f[] = {
+++ /* DH groups */
+++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create),
+++ PLUGIN_PROVIDE(KE, MODP_2048_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_2048_224),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_2048_256),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_1536_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_3072_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_4096_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_6144_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_8192_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_1024_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_1024_160),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_PROVIDE(KE, MODP_768_BIT),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create_custom),
+++ PLUGIN_PROVIDE(KE, MODP_CUSTOM),
+++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+++ };
+++ *features = f;
+++ return countof(f);
+++}
+++
+++METHOD(plugin_t, destroy, void,
+++ private_gmpdh_plugin_t *this)
+++{
+++ free(this);
+++}
+++
+++/*
+++ * see header file
+++ */
+++plugin_t *gmpdh_plugin_create()
+++{
+++ private_gmpdh_plugin_t *this;
+++
+++ INIT(this,
+++ .public = {
+++ .plugin = {
+++ .get_name = _get_name,
+++ .get_features = _get_features,
+++ .destroy = _destroy,
+++ },
+++ },
+++ );
+++
+++ return &this->public.plugin;
+++}
+++
++--- /dev/null
+++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
++@@ -0,0 +1,42 @@
+++/*
+++ * Copyright (C) 2008 Martin Willi
+++ * Hochschule fuer Technik Rapperswil
+++ *
+++ * This program is free software; you can redistribute it and/or modify it
+++ * under the terms of the GNU General Public License as published by the
+++ * Free Software Foundation; either version 2 of the License, or (at your
+++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+++ *
+++ * This program is distributed in the hope that it will be useful, but
+++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+++ * for more details.
+++ */
+++
+++/**
+++ * @defgroup gmpdh_p gmpdh
+++ * @ingroup plugins
+++ *
+++ * @defgroup gmpdh_plugin gmpdh_plugin
+++ * @{ @ingroup gmpdh_p
+++ */
+++
+++#ifndef GMPDH_PLUGIN_H_
+++#define GMPDH_PLUGIN_H_
+++
+++#include <plugins/plugin.h>
+++
+++typedef struct gmpdh_plugin_t gmpdh_plugin_t;
+++
+++/**
+++ * Plugin implementing asymmetric crypto algorithms using the GNU MP library.
+++ */
+++struct gmpdh_plugin_t {
+++
+++ /**
+++ * implements plugin interface
+++ */
+++ plugin_t plugin;
+++};
+++
+++#endif /** GMPDH_PLUGIN_H_ @}*/
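Review bot: `-Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic` in `libstrongswan_gmpdh_la_LDFLAGS` bakes a copy of libgmp into the plugin, so a libgmp security fix installed as a shared library on the device does not reach this code until the strongswan package is rebuilt; the Makefile.am deserves a comment stating that trade-off, e.g. `# libgmp is linked statically to avoid pulling the full gmp plugin; rebuild on libgmp security updates.` The feature list also advertises `MODP_768_BIT` and `MODP_1024_BIT`; they are only negotiated when present in a proposal, but a one-line note that they are kept for interoperability and should not appear in default proposals would save the next reader from wondering. The `DH`→`KE` rename relative to the deleted `305-minimal_dh_plugin.patch` looks like the intended 5.9.11 API update and is not in question.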
+--- /dev/null
++++ b/feeds/packages/net/strongswan/patches/0905-undef-wolfssl-RNG.patch
+@@ -0,0 +1,12 @@
++--- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+++++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
++@@ -50,6 +50,9 @@
++ #ifndef FIPS_MODE
++ #define FIPS_MODE 0
++ #endif
+++#ifdef RNG
+++#undef RNG
+++#endif
++
++ typedef struct private_wolfssl_plugin_t private_wolfssl_plugin_t;
++
+--- a/feeds/packages/net/strongswan/patches/101-musl-fixes.patch
++++ /dev/null
+@@ -1,83 +0,0 @@
+---- a/src/libstrongswan/library.h
+-+++ b/src/libstrongswan/library.h
+-@@ -118,6 +118,7 @@
+- #include "utils/leak_detective.h"
+- #include "plugins/plugin_loader.h"
+- #include "settings/settings.h"
+-+#include "musl.h"
+-
+- typedef struct library_t library_t;
+-
+---- /dev/null
+-+++ b/src/libstrongswan/musl.h
+-@@ -0,0 +1,38 @@
+-+#include <sys/types.h>
+-+
+-+#define crypt x_crypt
+-+#define encrypt x_encrypt
+-+#include <unistd.h>
+-+
+-+#define fd_set x_fd_set
+-+#define ino_t x_ino_t
+-+#define off_t x_off_t
+-+#define loff_t x_loff_t
+-+#define dev_t x_dev_t
+-+#define mode_t x_mode_t
+-+#define uid_t x_uid_t
+-+#define gid_t x_gid_t
+-+#define uint64_t x_uint64_t
+-+#define u_int64_t x_u_int64_t
+-+#define int64_t x_int64_t
+-+#define nlink_t x_nlink_t
+-+#define timer_t x_timer_t
+-+#define blkcnt_t x_blkcnt_t
+-+
+-+#include <linux/types.h>
+-+
+-+#undef fd_set
+-+#undef ino_t
+-+#undef off_t
+-+#undef dev_t
+-+#undef mode_t
+-+#undef uid_t
+-+#undef gid_t
+-+#undef uint64_t
+-+#undef u_int64_t
+-+#undef int64_t
+-+#undef nlink_t
+-+#undef timer_t
+-+#undef blkcnt_t
+-+#undef crypt
+-+#undef encrypt
+---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+-@@ -40,6 +40,7 @@
+- */
+-
+- #define _GNU_SOURCE
+-+#include <musl.h>
+- #include <sys/types.h>
+- #include <sys/socket.h>
+- #include <sys/ioctl.h>
+---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+-@@ -37,6 +37,8 @@
+- * THE SOFTWARE.
+- */
+-
+-+#include "musl.h"
+-+
+- #include <sys/socket.h>
+- #include <sys/utsname.h>
+- #include <linux/netlink.h>
+---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+-@@ -39,6 +39,8 @@
+- * THE SOFTWARE.
+- */
+-
+-+#include "musl.h"
+-+
+- #include <sys/socket.h>
+- #include <linux/netlink.h>
+- #include <linux/rtnetlink.h>
+--- a/feeds/packages/net/strongswan/patches/203-uci.patch
++++ /dev/null
+@@ -1,20 +0,0 @@
+---- a/src/libcharon/plugins/uci/uci_parser.c
+-+++ b/src/libcharon/plugins/uci/uci_parser.c
+-@@ -75,7 +75,7 @@ METHOD(enumerator_t, section_enumerator_
+- if (uci_lookup(this->ctx, &element, this->package,
+- this->current->name, "name") == UCI_OK)
+- { /* use "name" attribute as config name if available ... */
+-- *value = uci_to_option(element)->value;
+-+ *value = uci_to_option(element)->v.string;
+- }
+- else
+- { /* ... or the section name becomes config name */
+-@@ -90,7 +90,7 @@ METHOD(enumerator_t, section_enumerator_
+- if (value && uci_lookup(this->ctx, &element, this->package,
+- this->current->name, this->keywords[i]) == UCI_OK)
+- {
+-- *value = uci_to_option(element)->value;
+-+ *value = uci_to_option(element)->v.string;
+- }
+- }
+-
+--- a/feeds/packages/net/strongswan/patches/210-sleep.patch
++++ /dev/null
+@@ -1,11 +0,0 @@
+---- a/src/ipsec/_ipsec.in
+-+++ b/src/ipsec/_ipsec.in
+-@@ -257,7 +257,7 @@ stop)
+- loop=110
+- while [ $loop -gt 0 ] ; do
+- kill -0 $spid 2>/dev/null || break
+-- sleep 0.1 2>/dev/null
+-+ sleep 1 2>/dev/null
+- if [ $? -ne 0 ]
+- then
+- sleep 1
+--- a/feeds/packages/net/strongswan/patches/300-include-ipsec-hotplug.patch
++++ /dev/null
+@@ -1,16 +0,0 @@
+---- a/src/_updown/_updown.in
+-+++ b/src/_updown/_updown.in
+-@@ -22,6 +22,13 @@
+- # that, and use the (left/right)updown parameters in ipsec.conf to make
+- # strongSwan use yours instead of this default one.
+-
+-+# Add your custom commands to the file "/etc/ipsec.user". Other packages could
+-+# also install their scripts in the directory "/etc/hotplug.d/ipsec".
+-+# This files/scripts are executed by the openwrt hotplug functionality on
+-+# ipsec events.
+-+
+-+/sbin/hotplug-call ipsec "$1"
+-+
+- # PLUTO_VERSION
+- # indicates what version of this interface is being
+- # used. This document describes version 1.1. This
+--- a/feeds/packages/net/strongswan/patches/305-minimal_dh_plugin.patch
++++ /dev/null
+@@ -1,221 +0,0 @@
+---- a/configure.ac
+-+++ b/configure.ac
+-@@ -146,6 +146,7 @@ ARG_DISBL_SET([fips-prf], [disable
+- ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.])
+- ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
+- ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.])
+-+ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.])
+- ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.])
+- ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
+- ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.])
+-@@ -1478,6 +1479,7 @@ ADD_PLUGIN([botan], [s ch
+- ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+- ADD_PLUGIN([fips-prf], [s charon nm cmd])
+- ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
+-+ADD_PLUGIN([gmpdh], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+- ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd])
+- ADD_PLUGIN([agent], [s charon nm cmd])
+- ADD_PLUGIN([keychain], [s charon cmd])
+-@@ -1619,6 +1621,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
+- AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
+- AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
+- AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+-+AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue)
+- AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
+- AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
+- AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
+-@@ -1896,6 +1899,7 @@ AC_CONFIG_FILES([
+- src/libstrongswan/plugins/mgf1/Makefile
+- src/libstrongswan/plugins/fips_prf/Makefile
+- src/libstrongswan/plugins/gmp/Makefile
+-+ src/libstrongswan/plugins/gmpdh/Makefile
+- src/libstrongswan/plugins/curve25519/Makefile
+- src/libstrongswan/plugins/rdrand/Makefile
+- src/libstrongswan/plugins/aesni/Makefile
+---- a/src/libstrongswan/Makefile.am
+-+++ b/src/libstrongswan/Makefile.am
+-@@ -345,6 +345,13 @@ if MONOLITHIC
+- endif
+- endif
+-
+-+if USE_GMPDH
+-+ SUBDIRS += plugins/gmpdh
+-+if MONOLITHIC
+-+ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la
+-+endif
+-+endif
+-+
+- if USE_CURVE25519
+- SUBDIRS += plugins/curve25519
+- if MONOLITHIC
+---- /dev/null
+-+++ b/src/libstrongswan/plugins/gmpdh/Makefile.am
+-@@ -0,0 +1,19 @@
+-+AM_CPPFLAGS = \
+-+ -I$(top_srcdir)/src/libstrongswan
+-+
+-+AM_CFLAGS = \
+-+ $(PLUGIN_CFLAGS)
+-+
+-+if MONOLITHIC
+-+noinst_LTLIBRARIES = libstrongswan-gmpdh.la
+-+else
+-+plugin_LTLIBRARIES = libstrongswan-gmpdh.la
+-+endif
+-+
+-+libstrongswan_gmpdh_la_SOURCES = \
+-+ gmpdh_plugin.h gmpdh_plugin.c \
+-+ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h
+-+
+-+
+-+libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC)
+-+libstrongswan_gmpdh_la_LIBADD =
+---- /dev/null
+-+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
+-@@ -0,0 +1,101 @@
+-+/*
+-+ * Copyright (C) 2008-2009 Martin Willi
+-+ * Hochschule fuer Technik Rapperswil
+-+ *
+-+ * This program is free software; you can redistribute it and/or modify it
+-+ * under the terms of the GNU General Public License as published by the
+-+ * Free Software Foundation; either version 2 of the License, or (at your
+-+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+-+ *
+-+ * This program is distributed in the hope that it will be useful, but
+-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+-+ * for more details.
+-+ */
+-+
+-+#include "gmpdh_plugin.h"
+-+
+-+#include <library.h>
+-+#include "../gmp/gmp_diffie_hellman.h"
+-+
+-+typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t;
+-+
+-+/**
+-+ * private data of gmp_plugin
+-+ */
+-+struct private_gmpdh_plugin_t {
+-+
+-+ /**
+-+ * public functions
+-+ */
+-+ gmpdh_plugin_t public;
+-+};
+-+
+-+METHOD(plugin_t, get_name, char*,
+-+ private_gmpdh_plugin_t *this)
+-+{
+-+ return "gmpdh";
+-+}
+-+
+-+METHOD(plugin_t, get_features, int,
+-+ private_gmpdh_plugin_t *this, plugin_feature_t *features[])
+-+{
+-+ static plugin_feature_t f[] = {
+-+ /* DH groups */
+-+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
+-+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_6144_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_1024_160),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create_custom),
+-+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+-+ };
+-+ *features = f;
+-+ return countof(f);
+-+}
+-+
+-+METHOD(plugin_t, destroy, void,
+-+ private_gmpdh_plugin_t *this)
+-+{
+-+ free(this);
+-+}
+-+
+-+/*
+-+ * see header file
+-+ */
+-+plugin_t *gmpdh_plugin_create()
+-+{
+-+ private_gmpdh_plugin_t *this;
+-+
+-+ INIT(this,
+-+ .public = {
+-+ .plugin = {
+-+ .get_name = _get_name,
+-+ .get_features = _get_features,
+-+ .destroy = _destroy,
+-+ },
+-+ },
+-+ );
+-+
+-+ return &this->public.plugin;
+-+}
+-+
+---- /dev/null
+-+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
+-@@ -0,0 +1,42 @@
+-+/*
+-+ * Copyright (C) 2008 Martin Willi
+-+ * Hochschule fuer Technik Rapperswil
+-+ *
+-+ * This program is free software; you can redistribute it and/or modify it
+-+ * under the terms of the GNU General Public License as published by the
+-+ * Free Software Foundation; either version 2 of the License, or (at your
+-+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+-+ *
+-+ * This program is distributed in the hope that it will be useful, but
+-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+-+ * for more details.
+-+ */
+-+
+-+/**
+-+ * @defgroup gmpdh_p gmpdh
+-+ * @ingroup plugins
+-+ *
+-+ * @defgroup gmpdh_plugin gmpdh_plugin
+-+ * @{ @ingroup gmpdh_p
+-+ */
+-+
+-+#ifndef GMPDH_PLUGIN_H_
+-+#define GMPDH_PLUGIN_H_
+-+
+-+#include <plugins/plugin.h>
+-+
+-+typedef struct gmpdh_plugin_t gmpdh_plugin_t;
+-+
+-+/**
+-+ * Plugin implementing asymmetric crypto algorithms using the GNU MP library.
+-+ */
+-+struct gmpdh_plugin_t {
+-+
+-+ /**
+-+ * implements plugin interface
+-+ */
+-+ plugin_t plugin;
+-+};
+-+
+-+#endif /** GMPDH_PLUGIN_H_ @}*/
+--- a/feeds/packages/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch
++++ /dev/null
+@@ -1,30 +0,0 @@
+-From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+-From: Tobias Brunner <tobias@strongswan.org>
+-Date: Tue, 28 Sep 2021 19:38:22 +0200
+-Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+-
+-random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+-equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
+-directly to that offset before applying`% CACHE_SIZE` to get an index into
+-the cache array. If the random value was very high, this resulted in an
+-integer overflow and a negative index value and, therefore, an out-of-bounds
+-access of the array and in turn dereferencing invalid pointers when trying
+-to acquire the read lock. This most likely results in a segmentation fault.
+-
+-Fixes: 764e8b2211ce ("reimplemented certificate cache")
+-Fixes: CVE-2021-41991
+----
+- src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+- 1 file changed, 1 insertion(+), 1 deletion(-)
+-
+---- a/src/libstrongswan/credentials/sets/cert_cache.c
+-+++ b/src/libstrongswan/credentials/sets/cert_cache.c
+-@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *
+- for (try = 0; try < REPLACE_TRIES; try++)
+- {
+- /* replace a random relation */
+-- offset = random();
+-+ offset = random() % CACHE_SIZE;
+- for (i = 0; i < CACHE_SIZE; i++)
+- {
+- rel = &this->relations[(i + offset) % CACHE_SIZE];
+--- a/feeds/packages/net/strongswan/patches/710-strongswan-5.5.0-5.9.4_eap_success.patch
++++ /dev/null
+@@ -1,138 +0,0 @@
+-From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
+-From: Tobias Brunner <tobias@strongswan.org>
+-Date: Tue, 14 Dec 2021 10:51:35 +0100
+-Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
+-
+-Without this, the authentication succeeded if the server sent an early
+-EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
+-which may be used in EAP-only scenarios but would complete without server
+-or client authentication. For clients configured for such EAP-only
+-scenarios, a rogue server could capture traffic after the tunnel is
+-established or even access hosts behind the client. For non-mutual EAP
+-methods, public key server authentication has been enforced for a while.
+-
+-A server previously could also crash a client by sending an EAP-Success
+-immediately without initiating an actual EAP method.
+-
+-Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
+-Fixes: CVE-2021-45079
+----
+- src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +-
+- src/libcharon/plugins/eap_md5/eap_md5.c | 2 +-
+- src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++-
+- src/libcharon/sa/eap/eap_method.h | 8 ++++-
+- .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++---
+- 5 files changed, 40 insertions(+), 8 deletions(-)
+-
+---- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+-+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
+-@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_
+- METHOD(eap_method_t, get_msk, status_t,
+- private_eap_gtc_t *this, chunk_t *msk)
+- {
+-- return FAILED;
+-+ return NOT_SUPPORTED;
+- }
+-
+- METHOD(eap_method_t, get_identifier, uint8_t,
+---- a/src/libcharon/plugins/eap_md5/eap_md5.c
+-+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
+-@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_
+- METHOD(eap_method_t, get_msk, status_t,
+- private_eap_md5_t *this, chunk_t *msk)
+- {
+-- return FAILED;
+-+ return NOT_SUPPORTED;
+- }
+-
+- METHOD(eap_method_t, is_mutual, bool,
+---- a/src/libcharon/plugins/eap_radius/eap_radius.c
+-+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
+-@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
+- *out = msk;
+- return SUCCESS;
+- }
+-- return FAILED;
+-+ /* we assume the selected method did not establish an MSK, if it failed
+-+ * to establish one, process() would have failed */
+-+ return NOT_SUPPORTED;
+- }
+-
+- METHOD(eap_method_t, get_identifier, uint8_t,
+---- a/src/libcharon/sa/eap/eap_method.h
+-+++ b/src/libcharon/sa/eap/eap_method.h
+-@@ -114,10 +114,16 @@ struct eap_method_t {
+- * Not all EAP methods establish a shared secret. For implementations of
+- * the EAP-Identity method, get_msk() returns the received identity.
+- *
+-+ * @note Returning NOT_SUPPORTED is important for implementations of EAP
+-+ * methods that don't establish an MSK. In particular as client because
+-+ * key-generating EAP methods MUST fail to process EAP-Success messages if
+-+ * no MSK is established.
+-+ *
+- * @param msk chunk receiving internal stored MSK
+- * @return
+-- * - SUCCESS, or
+-+ * - SUCCESS, if MSK is established
+- * - FAILED, if MSK not established (yet)
+-+ * - NOT_SUPPORTED, for non-MSK-establishing methods
+- */
+- status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+-
+---- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+-+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+-@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap
+- this->method->destroy(this->method);
+- return server_initiate_eap(this, FALSE);
+- }
+-- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+-+ switch (this->method->get_msk(this->method, &this->msk))
+- {
+-- this->msk = chunk_clone(this->msk);
+-+ case SUCCESS:
+-+ this->msk = chunk_clone(this->msk);
+-+ break;
+-+ case NOT_SUPPORTED:
+-+ break;
+-+ case FAILED:
+-+ default:
+-+ DBG1(DBG_IKE, "failed to establish MSK");
+-+ goto failure;
+- }
+- if (vendor)
+- {
+-@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap
+- return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+- case FAILED:
+- default:
+-+failure:
+- /* type might have changed for virtual methods */
+- type = this->method->get_type(this->method, &vendor);
+- if (vendor)
+-@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client,
+- uint32_t vendor;
+- auth_cfg_t *cfg;
+-
+-- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+-+ if (!this->method)
+- {
+-- this->msk = chunk_clone(this->msk);
+-+ DBG1(DBG_IKE, "received unexpected %N",
+-+ eap_code_names, eap_payload->get_code(eap_payload));
+-+ return FAILED;
+-+ }
+-+ switch (this->method->get_msk(this->method, &this->msk))
+-+ {
+-+ case SUCCESS:
+-+ this->msk = chunk_clone(this->msk);
+-+ break;
+-+ case NOT_SUPPORTED:
+-+ break;
+-+ case FAILED:
+-+ default:
+-+ DBG1(DBG_IKE, "received %N but failed to establish MSK",
+-+ eap_code_names, eap_payload->get_code(eap_payload));
+-+ return FAILED;
+- }
+- type = this->method->get_type(this->method, &vendor);
+- if (vendor)
+--- a/feeds/packages/net/strongswan/patches/720-strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch
++++ /dev/null
+@@ -1,49 +0,0 @@
+-From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
+-From: Tobias Brunner <tobias@strongswan.org>
+-Date: Tue, 28 Sep 2021 17:52:08 +0200
+-Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
+-
+-The `salt_len` member in the struct is of type `ssize_t` because we use
+-negative values for special automatic salt lengths when generating
+-signatures.
+-
+-Not checking this could lead to an integer overflow. The value is assigned
+-to the `len` field of a chunk (`size_t`), which is further used in
+-calculations to check the padding structure and (if that is passed by a
+-matching crafted signature value) eventually a memcpy() that will result
+-in a segmentation fault.
+-
+-Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
+-Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
+-Fixes: CVE-2021-41990
+----
+- src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
+- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
+- 2 files changed, 6 insertions(+), 2 deletions(-)
+-
+---- a/src/libstrongswan/credentials/keys/signature_params.c
+-+++ b/src/libstrongswan/credentials/keys/signature_params.c
+-@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1,
+- case RSASSA_PSS_PARAMS_SALT_LEN:
+- if (object.len)
+- {
+-- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+-+ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
+-+ if (params->salt_len < 0)
+-+ {
+-+ goto end;
+-+ }
+- }
+- break;
+- case RSASSA_PSS_PARAMS_TRAILER:
+---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+-+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+-@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(pr
+- int i;
+- bool success = FALSE;
+-
+-- if (!params)
+-+ if (!params || params->salt_len < 0)
+- {
+- return FALSE;
+- }
+--- a/feeds/packages/net/strongswan/patches/730-strongswan-5.1.0-5.9.7_cert_online_validate.patch
++++ /dev/null
+@@ -1,200 +0,0 @@
+-From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001
+-From: Tobias Brunner <tobias@strongswan.org>
+-Date: Fri, 22 Jul 2022 15:37:43 +0200
+-Subject: [PATCH] credential-manager: Do online revocation checks only after
+- basic trust chain validation
+-
+-This avoids querying URLs of potentially untrusted certificates, e.g. if
+-an attacker sends a specially crafted end-entity and intermediate CA
+-certificate with a CDP that points to a server that completes the
+-TCP handshake but then does not send any further data, which will block
+-the fetcher thread (depending on the plugin) for as long as the default
+-timeout for TCP. Doing that multiple times will block all worker threads,
+-leading to a DoS attack.
+-
+-The logging during the certificate verification obviously changes. The
+-following example shows the output of `pki --verify` for the current
+-strongswan.org certificate:
+-
+-new:
+-
+- using certificate "CN=www.strongswan.org"
+- using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
+- using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+- reached self-signed root ca with a path length of 1
+-checking certificate status of "CN=www.strongswan.org"
+- requesting ocsp status from 'http://r3.o.lencr.org' ...
+- ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
+- ocsp response is valid: until Jul 27 12:59:58 2022
+-certificate status is good
+-checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
+-ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
+- fetching crl from 'http://x1.c.lencr.org/' ...
+- using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+- crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+- crl is valid: until Apr 18 01:59:59 2023
+-certificate status is good
+-certificate trusted, lifetimes valid, certificate not revoked
+-
+-old:
+-
+- using certificate "CN=www.strongswan.org"
+- using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
+-checking certificate status of "CN=www.strongswan.org"
+- requesting ocsp status from 'http://r3.o.lencr.org' ...
+- ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
+- ocsp response is valid: until Jul 27 12:59:58 2022
+-certificate status is good
+- using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+-checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
+-ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
+- fetching crl from 'http://x1.c.lencr.org/' ...
+- using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+- crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+- crl is valid: until Apr 18 01:59:59 2023
+-certificate status is good
+- reached self-signed root ca with a path length of 1
+-certificate trusted, lifetimes valid, certificate not revoked
+-
+-Note that this also fixes an issue with the previous dual-use of the
+-`trusted` flag. It not only indicated whether the chain is trusted but
+-also whether the current issuer is the root anchor (the corresponding
+-flag in the `cert_validator_t` interface is called `anchor`). This was
+-a problem when building multi-level trust chains for pre-trusted
+-end-entity certificates (i.e. where `trusted` is TRUE from the start).
+-This caused the main loop to get aborted after the first intermediate CA
+-certificate and the mentioned `anchor` flag wasn't correct in any calls
+-to `cert_validator_t` implementations.
+-
+-Fixes: CVE-2022-40617
+----
+- .../credentials/credential_manager.c | 54 +++++++++++++++----
+- 1 file changed, 45 insertions(+), 9 deletions(-)
+-
+---- a/src/libstrongswan/credentials/credential_manager.c
+-+++ b/src/libstrongswan/credentials/credential_manager.c
+-@@ -555,7 +555,7 @@ static void cache_queue(private_credenti
+- */
+- static bool check_lifetime(private_credential_manager_t *this,
+- certificate_t *cert, char *label,
+-- int pathlen, bool trusted, auth_cfg_t *auth)
+-+ int pathlen, bool anchor, auth_cfg_t *auth)
+- {
+- time_t not_before, not_after;
+- cert_validator_t *validator;
+-@@ -570,7 +570,7 @@ static bool check_lifetime(private_crede
+- continue;
+- }
+- status = validator->check_lifetime(validator, cert,
+-- pathlen, trusted, auth);
+-+ pathlen, anchor, auth);
+- if (status != NEED_MORE)
+- {
+- break;
+-@@ -603,13 +603,13 @@ static bool check_lifetime(private_crede
+- */
+- static bool check_certificate(private_credential_manager_t *this,
+- certificate_t *subject, certificate_t *issuer, bool online,
+-- int pathlen, bool trusted, auth_cfg_t *auth)
+-+ int pathlen, bool anchor, auth_cfg_t *auth)
+- {
+- cert_validator_t *validator;
+- enumerator_t *enumerator;
+-
+- if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+-- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
+-+ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth))
+- {
+- return FALSE;
+- }
+-@@ -622,7 +622,7 @@ static bool check_certificate(private_cr
+- continue;
+- }
+- if (!validator->validate(validator, subject, issuer,
+-- online, pathlen, trusted, auth))
+-+ online, pathlen, anchor, auth))
+- {
+- enumerator->destroy(enumerator);
+- return FALSE;
+-@@ -725,6 +725,7 @@ static bool verify_trust_chain(private_c
+- auth_cfg_t *auth;
+- signature_params_t *scheme;
+- int pathlen;
+-+ bool is_anchor = FALSE;
+-
+- auth = auth_cfg_create();
+- get_key_strength(subject, auth);
+-@@ -742,7 +743,7 @@ static bool verify_trust_chain(private_c
+- auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+- DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
+- issuer->get_subject(issuer));
+-- trusted = TRUE;
+-+ trusted = is_anchor = TRUE;
+- }
+- else
+- {
+-@@ -777,11 +778,18 @@ static bool verify_trust_chain(private_c
+- DBG1(DBG_CFG, " issuer is \"%Y\"",
+- current->get_issuer(current));
+- call_hook(this, CRED_HOOK_NO_ISSUER, current);
+-+ if (trusted)
+-+ {
+-+ DBG1(DBG_CFG, " reached end of incomplete trust chain for "
+-+ "trusted certificate \"%Y\"",
+-+ subject->get_subject(subject));
+-+ }
+- break;
+- }
+- }
+-- if (!check_certificate(this, current, issuer, online,
+-- pathlen, trusted, auth))
+-+ /* don't do online verification here */
+-+ if (!check_certificate(this, current, issuer, FALSE,
+-+ pathlen, is_anchor, auth))
+- {
+- trusted = FALSE;
+- issuer->destroy(issuer);
+-@@ -793,7 +801,7 @@ static bool verify_trust_chain(private_c
+- }
+- current->destroy(current);
+- current = issuer;
+-- if (trusted)
+-+ if (is_anchor)
+- {
+- DBG1(DBG_CFG, " reached self-signed root ca with a "
+- "path length of %d", pathlen);
+-@@ -806,6 +814,34 @@ static bool verify_trust_chain(private_c
+- DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+- call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
+- }
+-+ else if (trusted && online)
+-+ {
+-+ enumerator_t *enumerator;
+-+ auth_rule_t rule;
+-+
+-+ /* do online revocation checks after basic validation of the chain */
+-+ pathlen = 0;
+-+ current = subject;
+-+ enumerator = auth->create_enumerator(auth);
+-+ while (enumerator->enumerate(enumerator, &rule, &issuer))
+-+ {
+-+ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
+-+ {
+-+ if (!check_certificate(this, current, issuer, TRUE, pathlen++,
+-+ rule == AUTH_RULE_CA_CERT, auth))
+-+ {
+-+ trusted = FALSE;
+-+ break;
+-+ }
+-+ else if (rule == AUTH_RULE_CA_CERT)
+-+ {
+-+ break;
+-+ }
+-+ current = issuer;
+-+ }
+-+ }
+-+ enumerator->destroy(enumerator);
+-+ }
+- if (trusted)
+- {
+- result->merge(result, auth, FALSE);
diff --git a/openwrt_patches-21.02/107-strongswan-add-uci-support.patch b/openwrt_patches-21.02/107-strongswan-add-uci-support.patch
deleted file mode 100644
index cff3b8e..0000000
--- a/openwrt_patches-21.02/107-strongswan-add-uci-support.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- a/feeds/packages/net/strongswan/files/ipsec.conf
-+++ b/feeds/packages/net/strongswan/files/ipsec.conf
-@@ -0,0 +1,28 @@
-+config 'ipsec'
-+
-+config 'remote' 'TEST'
-+ option 'enabled' '1'
-+ option 'gateway' '10.10.20.253'
-+ option 'authentication_method' 'psk'
-+ option 'pre_shared_key' '123456789'
-+ list 'crypto_proposal' 'phase_1_settings'
-+ list 'tunnel' 'TUNNEL'
-+
-+config 'crypto_proposal' 'phase_1_settings'
-+ option 'encryption_algorithm' 'aes128'
-+ option 'hash_algorithm' 'sha1'
-+ option 'dh_group' 'modp768'
-+
-+config 'tunnel' 'TUNNEL'
-+ option 'mode' 'add'
-+ option 'local_subnet' '192.168.1.0/24'
-+ option 'remote_subnet' '192.168.2.0/24'
-+ option 'crypto_proposal' 'phase_2_settings'
-+ option 'keyexchange' 'ikev2'
-+ option 'ikelifetime' '10800'
-+ option 'lifetime' '3600'
-+
-+config 'crypto_proposal' 'phase_2_settings'
-+ option 'encryption_algorithm' 'aes128'
-+ option 'hash_algorithm' 'sha1'
-+ option 'dh_group' 'modp768'
---- a/feeds/packages/net/strongswan/Makefile
-+++ b/feeds/packages/net/strongswan/Makefile
-@@ -505,6 +505,8 @@
- $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
-+ $(INSTALL_DIR) $(1)/etc/config
-+ $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/config/ipsec
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
- endef
-
diff --git a/openwrt_patches-21.02/108-strongswan-add-uci-support.patch b/openwrt_patches-21.02/108-strongswan-add-uci-support.patch
new file mode 100644
index 0000000..218c5b6
--- /dev/null
+++ b/openwrt_patches-21.02/108-strongswan-add-uci-support.patch
@@ -0,0 +1,77 @@
+--- a/feeds/packages/net/strongswan/Makefile
++++ b/feeds/packages/net/strongswan/Makefile
+@@ -544,6 +544,8 @@ define Package/strongswan-ipsec/install
+ $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
++ $(INSTALL_DIR) $(1)/etc/config
++ $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/config/ipsec
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
+ endef
+
+--- /dev/null
++++ b/feeds/packages/net/strongswan/files/ipsec.conf
+@@ -0,0 +1,28 @@
++config 'ipsec'
++
++config 'remote' 'TEST'
++ option 'enabled' '1'
++ option 'gateway' '10.10.20.253'
++ option 'authentication_method' 'psk'
++ option 'pre_shared_key' '123456789'
++ list 'crypto_proposal' 'phase_1_settings'
++ list 'tunnel' 'TUNNEL'
++
++config 'crypto_proposal' 'phase_1_settings'
++ option 'encryption_algorithm' 'aes128'
++ option 'hash_algorithm' 'sha1'
++ option 'dh_group' 'modp768'
++
++config 'tunnel' 'TUNNEL'
++ option 'mode' 'add'
++ option 'local_subnet' '192.168.1.0/24'
++ option 'remote_subnet' '192.168.2.0/24'
++ option 'crypto_proposal' 'phase_2_settings'
++ option 'keyexchange' 'ikev2'
++ option 'ikelifetime' '10800'
++ option 'lifetime' '3600'
++
++config 'crypto_proposal' 'phase_2_settings'
++ option 'encryption_algorithm' 'aes128'
++ option 'hash_algorithm' 'sha1'
++ option 'dh_group' 'modp768'
+--- a/feeds/packages/net/strongswan/files/swanctl.init
++++ b/feeds/packages/net/strongswan/files/swanctl.init
+@@ -241,6 +241,7 @@ config_child() {
+ local if_id
+ local rekeytime
+ local rekeybytes
++ local replay_window
+ local lifebytes
+ local rekeypackets
+ local lifepackets
+@@ -258,6 +259,7 @@ config_child() {
+ config_get interface "$conf" interface ""
+ config_get hw_offload "$conf" hw_offload ""
+ config_get priority "$conf" priority ""
++ config_get replay_window "$conf" replay_window 32
+ config_get rekeybytes "$conf" rekeybytes ""
+ config_get lifebytes "$conf" lifebytes ""
+ config_get rekeypackets "$conf" rekeypackets ""
+@@ -323,7 +325,7 @@ config_child() {
+ esac
+
+ case "$hw_offload" in
+- yes|no|auto|"")
++ yes|no|auto|crypto|packet|"")
+ ;;
+ *)
+ fatal "hw_offload value $hw_offload invalid"
+@@ -339,6 +341,7 @@ config_child() {
+ [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet"
+
+ [ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload"
++ [ -n "$replay_window" ] && swanctl_xappend4 "replay_window = $replay_window"
+ [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1"
+ [ -n "$interface" ] && swanctl_xappend4 "interface = $interface"
+ [ -n "$priority" ] && swanctl_xappend4 "priority = $priority"
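Review bot: The sample `files/ipsec.conf` that the Makefile hunk installs as `/etc/config/ipsec` ships with the remote `TEST` enabled (`option 'enabled' '1'`), a placeholder `pre_shared_key '123456789'`, and `dh_group 'modp768'`/`hash_algorithm 'sha1'` in both proposals, so every image carries an active tunnel definition with a guessable key and a 768-bit group kept only for legacy interoperability. The example should be inert by default, `option 'enabled' '0'`, with the PSK line replaced by an obviously-placeholder value and the proposals raised to a current group and hash, e.g. `option 'dh_group' 'modp2048'` and `option 'hash_algorithm' 'sha256'`, or the file dropped from the install step and left as documentation. In the `swanctl.init` hunk, `config_get replay_window "$conf" replay_window 32` always yields a value, so the later `[ -n "$replay_window" ]` guard can never be false; either drop the default so unset means "use charon's default" or drop the guard, and note in a comment which is intended. `config_child()` begins and ends outside these hunks.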