blob: 1284aee652d18780ab4fd27feeacb885acaea2cb [file] [log] [blame]
developer82183d82023-10-13 12:08:31 +08001--- a/feeds/packages/net/strongswan/Makefile
2+++ b/feeds/packages/net/strongswan/Makefile
3@@ -8,12 +8,12 @@
4 include $(TOPDIR)/rules.mk
5
6 PKG_NAME:=strongswan
7-PKG_VERSION:=5.9.2
8-PKG_RELEASE:=3
9+PKG_VERSION:=5.9.11
10+PKG_RELEASE:=1
11
12 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
13 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
14-PKG_HASH:=61c72f741edb2c1295a7b7ccce0317a104b3f9d39efd04c52cd05b01b55ab063
15+PKG_HASH:=ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
16 PKG_LICENSE:=GPL-2.0-or-later
17 PKG_MAINTAINER:=Philip Prindeville <philipp@redfish-solutions.com>, Noel Kuntze <noel.kuntze@thermi.consulting>
18 PKG_CPE_ID:=cpe:/a:strongswan:strongswan
19@@ -25,8 +25,10 @@ PKG_MOD_AVAILABLE:= \
20 agent \
21 attr \
22 attr-sql \
23+ bliss \
24 blowfish \
25 ccm \
26+ chapoly \
27 cmac \
28 constraints \
29 connmark \
30@@ -37,6 +39,7 @@ PKG_MOD_AVAILABLE:= \
31 des \
32 dhcp \
33 dnskey \
34+ drbg \
35 duplicheck \
36 eap-identity \
37 eap-md5 \
38@@ -52,15 +55,18 @@ PKG_MOD_AVAILABLE:= \
39 gmpdh \
40 ha \
41 hmac \
42+ kdf \
43 kernel-libipsec \
44 kernel-netlink \
45 ldap \
46 led \
47 load-tester \
48- nonce \
49 md4 \
50 md5 \
51+ mgf1 \
52 mysql \
53+ newhope \
54+ ntru \
55 openssl \
56 pem \
57 pgp \
58@@ -76,6 +82,7 @@ PKG_MOD_AVAILABLE:= \
59 revocation \
60 sha1 \
61 sha2 \
62+ sha3 \
63 smp \
64 socket-default \
65 socket-dynamic \
66@@ -89,6 +96,7 @@ PKG_MOD_AVAILABLE:= \
67 updown \
68 vici \
69 whitelist \
70+ wolfssl \
71 x509 \
72 xauth-eap \
73 xauth-generic \
74@@ -123,9 +131,17 @@ define Package/strongswan
75 $(call Package/strongswan/Default)
76 MENU:=1
77 DEPENDS:= +libpthread +ip \
78+ +kmod-crypto-aead \
79 +kmod-crypto-authenc \
80- +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 \
81- +kmod-ipt-ipsec +iptables-mod-ipsec
82+ +kmod-crypto-cbc \
83+ +kmod-lib-zlib-inflate \
84+ +kmod-lib-zlib-deflate \
85+ +kmod-crypto-des \
86+ +kmod-crypto-echainiv \
87+ +kmod-crypto-hmac \
88+ +kmod-crypto-md5 \
89+ +kmod-crypto-sha1 \
90+ +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6
91 endef
92
93 define Package/strongswan/config
94@@ -144,14 +160,17 @@ $(call Package/strongswan/Default)
95 +strongswan-charon \
96 +strongswan-charon-cmd \
97 +strongswan-ipsec \
98+ +strongswan-libnttfft \
99 +strongswan-mod-addrblock \
100 +strongswan-mod-aes \
101 +strongswan-mod-af-alg \
102 +strongswan-mod-agent \
103 +strongswan-mod-attr \
104 +strongswan-mod-attr-sql \
105+ +strongswan-mod-bliss \
106 +strongswan-mod-blowfish \
107 +strongswan-mod-ccm \
108+ +strongswan-mod-chapoly \
109 +strongswan-mod-cmac \
110 +strongswan-mod-constraints \
111 +strongswan-mod-connmark \
112@@ -162,6 +181,7 @@ $(call Package/strongswan/Default)
113 +strongswan-mod-des \
114 +strongswan-mod-dhcp \
115 +strongswan-mod-dnskey \
116+ +strongswan-mod-drbg \
117 +strongswan-mod-duplicheck \
118 +strongswan-mod-eap-identity \
119 +strongswan-mod-eap-md5 \
120@@ -176,14 +196,17 @@ $(call Package/strongswan/Default)
121 +strongswan-mod-gmp \
122 +strongswan-mod-ha \
123 +strongswan-mod-hmac \
124+ +strongswan-mod-kdf \
125 +strongswan-mod-kernel-netlink \
126 +strongswan-mod-ldap \
127 +strongswan-mod-led \
128 +strongswan-mod-load-tester \
129- +strongswan-mod-nonce \
130 +strongswan-mod-md4 \
131 +strongswan-mod-md5 \
132+ +strongswan-mod-mgf1 \
133 +strongswan-mod-mysql \
134+ +strongswan-mod-newhope \
135+ +strongswan-mod-ntru \
136 +strongswan-mod-openssl \
137 +strongswan-mod-pem \
138 +strongswan-mod-pgp \
139@@ -199,6 +222,7 @@ $(call Package/strongswan/Default)
140 +strongswan-mod-revocation \
141 +strongswan-mod-sha1 \
142 +strongswan-mod-sha2 \
143+ +strongswan-mod-sha3 \
144 +strongswan-mod-smp \
145 +strongswan-mod-socket-default \
146 +strongswan-mod-sql \
147@@ -211,12 +235,12 @@ $(call Package/strongswan/Default)
148 +strongswan-mod-updown \
149 +strongswan-mod-vici \
150 +strongswan-mod-whitelist \
151+ +strongswan-mod-wolfssl \
152 +strongswan-mod-x509 \
153 +strongswan-mod-xauth-eap \
154 +strongswan-mod-xauth-generic \
155 +strongswan-mod-xcbc \
156 +strongswan-pki \
157- +strongswan-scepclient \
158 +strongswan-swanctl \
159 @DEVEL
160 endef
161@@ -235,7 +259,6 @@ $(call Package/strongswan/Default)
162 TITLE+= (default)
163 DEPENDS:= strongswan \
164 +strongswan-charon \
165- +strongswan-ipsec \
166 +strongswan-mod-aes \
167 +strongswan-mod-attr \
168 +strongswan-mod-connmark \
169@@ -245,9 +268,10 @@ $(call Package/strongswan/Default)
170 +strongswan-mod-fips-prf \
171 +strongswan-mod-gmp \
172 +strongswan-mod-hmac \
developer7afdacb2023-11-15 13:24:33 +0800173+ +strongswan-mod-kdf \
developer82183d82023-10-13 12:08:31 +0800174 +strongswan-mod-kernel-netlink \
175 +strongswan-mod-md5 \
176- +strongswan-mod-nonce \
177+ +strongswan-mod-mgf1 \
178 +strongswan-mod-pem \
179 +strongswan-mod-pgp \
180 +strongswan-mod-pkcs1 \
181@@ -260,11 +284,11 @@ $(call Package/strongswan/Default)
182 +strongswan-mod-sha2 \
183 +strongswan-mod-socket-default \
184 +strongswan-mod-sshkey \
185- +strongswan-mod-stroke \
186 +strongswan-mod-updown \
187 +strongswan-mod-x509 \
188 +strongswan-mod-xauth-generic \
189- +strongswan-mod-xcbc
190+ +strongswan-mod-xcbc \
191+ +strongswan-swanctl
192 endef
193
194 define Package/strongswan-default/description
195@@ -283,9 +307,10 @@ $(call Package/strongswan/Default)
196 +strongswan-mod-des \
197 +strongswan-mod-gmpdh \
198 +strongswan-mod-hmac \
199+ @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \
200 +strongswan-mod-kernel-netlink \
201 +strongswan-mod-md5 \
202- +strongswan-mod-nonce \
203+ +strongswan-mod-mgf1 \
204 +strongswan-mod-pubkey \
205 +strongswan-mod-random \
206 +strongswan-mod-sha1 \
207@@ -311,8 +336,9 @@ $(call Package/strongswan/Default)
208 +strongswan-mod-aes \
209 +strongswan-mod-gmp \
210 +strongswan-mod-hmac \
211+ @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \
212 +strongswan-mod-kernel-netlink \
213- +strongswan-mod-nonce \
214+ +strongswan-mod-mgf1 \
215 +strongswan-mod-pubkey \
216 +strongswan-mod-random \
217 +strongswan-mod-sha1 \
218@@ -361,26 +387,26 @@ $(call Package/strongswan/description/De
219 This package contains the ipsec utility.
220 endef
221
222-define Package/strongswan-pki
223+define Package/strongswan-libnttfft
224 $(call Package/strongswan/Default)
225- TITLE+= PKI tool
226+ TITLE+= nttfft library
227 DEPENDS:= strongswan
228 endef
229
230-define Package/strongswan-pki/description
231+define Package/strongswan-libnttfft/description
232 $(call Package/strongswan/description/Default)
233- This package contains the pki tool.
234+ This package contains the Number Theoretic Transforms library.
235 endef
236
237-define Package/strongswan-scepclient
238+define Package/strongswan-pki
239 $(call Package/strongswan/Default)
240- TITLE+= SCEP client
241- DEPENDS:= strongswan
242+ TITLE+= PKI tool
243+ DEPENDS:= strongswan strongswan-libtls
244 endef
245
246-define Package/strongswan-scepclient/description
247+define Package/strongswan-pki/description
248 $(call Package/strongswan/description/Default)
249- This package contains the SCEP client.
250+ This package contains the pki tool.
251 endef
252
253 define Package/strongswan-swanctl
254@@ -394,6 +420,17 @@ $(call Package/strongswan/description/De
255 This package contains the swanctl utility.
256 endef
257
258+define Package/strongswan-gencerts
259+$(call Package/strongswan/Default)
260+ TITLE+= X.509 certificate generation utility
261+ DEPENDS:= strongswan +strongswan-pki bash
262+endef
263+
264+define Package/strongswan-gencerts/description
265+$(call Package/strongswan/description/Default)
266+ This package contains the X.509 certificate generation utility.
267+endef
268+
269 define Package/strongswan-libtls
270 $(call Package/strongswan/Default)
271 TITLE+= libtls
272@@ -430,11 +467,12 @@ CONFIGURE_ARGS+= \
273 --disable-scripts \
274 --disable-static \
275 --disable-fast \
276+ --enable-nonce \
277+ --enable-mgf1 \
278 --enable-mediation \
279 --with-systemdsystemunitdir=no \
280 $(if $(CONFIG_PACKAGE_strongswan-charon-cmd),--enable-cmd,--disable-cmd) \
281 $(if $(CONFIG_PACKAGE_strongswan-pki),--enable-pki,--disable-pki) \
282- $(if $(CONFIG_PACKAGE_strongswan-scepclient),--enable-scepclient,--disable-scepclient) \
283 --with-random-device=/dev/random \
284 --with-urandom-device=/dev/urandom \
285 --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
286@@ -444,8 +482,6 @@ CONFIGURE_ARGS+= \
287 ) \
288 ac_cv_search___atomic_load=no
289
290-EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
291-
292 define Package/strongswan/conffiles
293 /etc/strongswan.conf
294 /etc/strongswan.d/
295@@ -455,8 +491,11 @@ define Package/strongswan/install
296 $(INSTALL_DIR) $(1)/etc
297 $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
298 echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf
299- $(INSTALL_DIR) $(1)/usr/lib/ipsec
300+ $(INSTALL_DIR) $(1)/etc/strongswan.d/charon
301+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/nonce.conf $(1)/etc/strongswan.d/charon/
302+ $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
303 $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
304+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-nonce.so $(1)/usr/lib/ipsec/plugins/
305 endef
306
307 define Package/strongswan-default/install
308@@ -518,6 +557,11 @@ opkg list-changed-conffiles | grep -qx /
309 }
310 endef
311
312+define Package/strongswan-libnttfft/install
313+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
314+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libnttfft.so.* $(1)/usr/lib/ipsec/
315+endef
316+
317 define Package/strongswan-pki/install
318 $(INSTALL_DIR) $(1)/etc/strongswan.d
319 $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/
320@@ -525,14 +569,8 @@ define Package/strongswan-pki/install
321 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/
322 endef
323
324-define Package/strongswan-scepclient/install
325- $(INSTALL_DIR) $(1)/etc/strongswan.d
326- $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/scepclient.conf $(1)/etc/strongswan.d/
327- $(INSTALL_DIR) $(1)/usr/lib/ipsec
328- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/
329-endef
330-
331 define Package/strongswan-swanctl/conffiles
332+/etc/config/ipsec
333 /etc/swanctl/
334 endef
335
336@@ -547,6 +585,11 @@ define Package/strongswan-swanctl/instal
337 $(INSTALL_BIN) ./files/swanctl.init $(1)/etc/init.d/swanctl
338 endef
339
340+define Package/strongswan-gencerts/install
341+ $(INSTALL_DIR) $(1)/usr/bin
342+ $(INSTALL_BIN) ./files/gencerts.sh $(1)/usr/bin/gencerts
343+endef
344+
345 define Package/strongswan-libtls/install
346 $(INSTALL_DIR) $(1)/usr/lib/ipsec
347 $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libtls.so.* $(1)/usr/lib/ipsec/
348@@ -570,14 +613,7 @@ define Plugin/attr-sql/install
349 endef
350
351 define Plugin/stroke/install
352- $(INSTALL_DIR) $(1)/etc/ipsec.d/aacerts
353- $(INSTALL_DIR) $(1)/etc/ipsec.d/acerts
354- $(INSTALL_DIR) $(1)/etc/ipsec.d/cacerts
355- $(INSTALL_DIR) $(1)/etc/ipsec.d/certs
356- $(INSTALL_DIR) $(1)/etc/ipsec.d/crls
357- $(INSTALL_DIR) $(1)/etc/ipsec.d/ocspcerts
358- $(INSTALL_DIR) $(1)/etc/ipsec.d/private
359- $(INSTALL_DIR) $(1)/etc/ipsec.d/reqs
360+ $(INSTALL_DIR) $(1)/etc/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private,reqs}
361
362 $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
363 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{starter,stroke} $(1)/usr/lib/ipsec/
364@@ -618,9 +654,10 @@ $(eval $(call BuildPackage,strongswan-is
365 $(eval $(call BuildPackage,strongswan-charon))
366 $(eval $(call BuildPackage,strongswan-charon-cmd))
367 $(eval $(call BuildPackage,strongswan-ipsec))
368+$(eval $(call BuildPackage,strongswan-libnttfft))
369 $(eval $(call BuildPackage,strongswan-pki))
370-$(eval $(call BuildPackage,strongswan-scepclient))
371 $(eval $(call BuildPackage,strongswan-swanctl))
372+$(eval $(call BuildPackage,strongswan-gencerts))
373 $(eval $(call BuildPackage,strongswan-libtls))
374 $(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,))
375 $(eval $(call BuildPlugin,aes,AES crypto,))
376@@ -628,10 +665,12 @@ $(eval $(call BuildPlugin,af-alg,AF_ALG
377 $(eval $(call BuildPlugin,agent,SSH agent signing,))
378 $(eval $(call BuildPlugin,attr,file based config,))
379 $(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-charon))
380+$(eval $(call BuildPlugin,bliss,BLISS crypto,+strongswan-libnttfft +strongswan-mod-mgf1 +strongswan-mod-hmac))
381 $(eval $(call BuildPlugin,blowfish,Blowfish crypto,))
382 $(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,))
383+$(eval $(call BuildPlugin,chapoly,ChaCha20-Poly1305 AEAD crypto,+kmod-crypto-chacha20poly1305))
384 $(eval $(call BuildPlugin,cmac,CMAC crypto,))
385-$(eval $(call BuildPlugin,connmark,netfilter connection marking,))
386+$(eval $(call BuildPlugin,connmark,netfilter connection marking,+libip4tc))
387 $(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,))
388 $(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,))
389 $(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,))
390@@ -640,6 +679,7 @@ $(eval $(call BuildPlugin,curve25519,Cur
391 $(eval $(call BuildPlugin,des,DES crypto,))
392 $(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,))
393 $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
394+$(eval $(call BuildPlugin,drbg,Deterministic random bit generator,,))
395 $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
396 $(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
397 $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
398@@ -648,22 +688,25 @@ $(eval $(call BuildPlugin,eap-radius,EAP
399 $(eval $(call BuildPlugin,eap-tls,EAP TLS auth,+strongswan-libtls))
400 $(eval $(call BuildPlugin,farp,fake arp respsonses,))
401 $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
402-$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra))
403+$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+libip4tc +kmod-ipt-conntrack-extra))
404 $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
405 $(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt))
406 $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
407 $(eval $(call BuildPlugin,gmpdh,DH-Groups; no libgmp dep,))
408 $(eval $(call BuildPlugin,ha,high availability cluster,))
409 $(eval $(call BuildPlugin,hmac,HMAC crypto,))
410+$(eval $(call BuildPlugin,kdf,KDF/PRF+,))
411 $(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,))
412 $(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
413 $(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap))
414 $(eval $(call BuildPlugin,led,LED blink on IKE activity,))
415 $(eval $(call BuildPlugin,load-tester,load testing,))
416-$(eval $(call BuildPlugin,nonce,nonce genereation,))
417 $(eval $(call BuildPlugin,md4,MD4 crypto,))
418 $(eval $(call BuildPlugin,md5,MD5 crypto,))
419+$(eval $(call BuildPlugin,mgf1,MGF1 crypto,))
420 $(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-mysql:libmysqlclient-r))
421+$(eval $(call BuildPlugin,newhope,New Hope crypto,+strongswan-libnttfft +strongswan-mod-chapoly +strongswan-mod-sha3))
422+$(eval $(call BuildPlugin,ntru,NTRU crypto,+strongswan-mod-mgf1))
423 $(eval $(call BuildPlugin,openssl,OpenSSL crypto,+PACKAGE_strongswan-mod-openssl:libopenssl))
424 $(eval $(call BuildPlugin,pem,PEM decoding,))
425 $(eval $(call BuildPlugin,pgp,PGP key decoding,))
426@@ -679,6 +722,7 @@ $(eval $(call BuildPlugin,resolve,DNS re
427 $(eval $(call BuildPlugin,revocation,X509 CRL/OCSP revocation,))
428 $(eval $(call BuildPlugin,sha1,SHA1 crypto,))
429 $(eval $(call BuildPlugin,sha2,SHA2 crypto,))
430+$(eval $(call BuildPlugin,sha3,SHA3 and SHAKE crypto,))
431 $(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2))
432 $(eval $(call BuildPlugin,socket-default,default socket implementation for charon,))
433 $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,))
434@@ -689,9 +733,10 @@ $(eval $(call BuildPlugin,stroke,Stroke,
435 $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
436 $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
437 $(eval $(call BuildPlugin,unity,Cisco Unity extension,))
438-$(eval $(call BuildPlugin,updown,updown firewall,))
439+$(eval $(call BuildPlugin,updown,updown firewall,+iptables +IPV6:ip6tables +iptables-mod-ipsec +kmod-ipt-ipsec))
440 $(eval $(call BuildPlugin,vici,Versatile IKE Configuration Interface,))
441 $(eval $(call BuildPlugin,whitelist,peer identity whitelisting,))
442+$(eval $(call BuildPlugin,wolfssl,WolfSSL crypto,+PACKAGE_strongswan-mod-wolfssl:libwolfssl))
443 $(eval $(call BuildPlugin,x509,x509 certificate,))
444 $(eval $(call BuildPlugin,xauth-eap,EAP XAuth backend,))
445 $(eval $(call BuildPlugin,xauth-generic,generic XAuth backend,))
446--- /dev/null
447+++ b/feeds/packages/net/strongswan/files/gencerts.sh
448@@ -0,0 +1,155 @@
449+#!/bin/sh
450+
451+#
452+# see:
453+# https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/
454+#
455+
456+PROG=$(basename "$0")
457+
458+[ -z "$EUID" ] && EUID=$(id -u)
459+
460+if [ $# -lt 5 ]; then
461+ echo "Usage: $PROG { -s | -c | -u } country domain organization identities [ ... ]" >&2
462+ exit 1
463+fi
464+
465+case "$1" in
466+-s)
467+ S_OPT=1 ;;
468+-c)
469+ C_OPT=1 ;;
470+-u)
471+ U_OPT=1 ;;
472+*)
473+ echo "$PROG: require an option specifying server/client/user credential type" >&2
474+ exit 1
475+ ;;
476+esac
477+shift
478+
479+C="$1"; shift
480+DOMAIN="$1"; shift
481+SHORT_DOMAIN="${DOMAIN%%.*}"
482+ORG="$1"; shift
483+
484+# invariants...
485+SYSCONFDIR=/etc
486+SWANCTL_DIR="$SYSCONFDIR/swanctl"
487+: ${KEYINFO:="rsa:4096"}
488+: ${CADAYS:=3650}
489+: ${CRTDAYS:=730}
490+
491+makeDN()
492+{
493+ printf "C=%s, O=%s, CN=%s" "$1" "$2" "$3"
494+}
495+
496+field()
497+{
498+ local arg="$1"
499+ local nth="$2"
500+
501+ echo "$arg" | cut -d ':' -f "$nth"
502+}
503+
504+genmasterkey()
505+{
506+ local keytype keybits
507+
508+ keytype=$(field "$KEYINFO" 1)
509+ keybits=$(field "$KEYINFO" 2)
510+
511+ pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
512+ chmod 0400 "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
513+}
514+
515+genca()
516+{
517+ local keytype
518+
519+ keytype=$(field "$KEYINFO" 1)
520+
521+ pki --self --ca --lifetime "$CADAYS" --in "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" --type "$keytype" \
522+ --dn "$ROOTDN" --outform pem > "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt"
523+ chmod 0444 "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt"
524+}
525+
526+genclientkey()
527+{
528+ local name="$1" keytype keybits
529+
530+ keytype=$(field "$KEYINFO" 1)
531+ keybits=$(field "$KEYINFO" 2)
532+
533+ pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$name.key"
534+ chmod 0400 "$SWANCTL_DIR/private/$name.key"
535+}
536+
537+gendevcert()
538+{
539+ local dn="$1"
540+ local san="$2"
541+ local name="$3"
542+
543+ # reads key from input
544+ pki --issue --lifetime "$CRTDAYS" \
545+ --cacert "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" \
546+ --cakey "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" \
547+ --dn "$dn" --san "$san" \
548+ ${S_OPT:+--flag serverAuth} \
549+ ${S_OPT:---flag clientAuth} \
550+ --flag ikeIntermediate \
551+ --outform pem > "$SWANCTL_DIR/x509/$name.crt"
552+ chmod 0444 "$SWANCTL_DIR/x509/$name.crt"
553+}
554+
555+gendev()
556+{
557+ local keytype
558+
559+ keytype=$(field "$KEYINFO" 1)
560+
561+ [ -f "$SWANCTL_DIR/private/$NAME.key" ] || genclientkey "$NAME"
562+
563+ [ -f "$SWANCTL_DIR/x509/$NAME.crt" ] || \
564+ pki --pub --in "$SWANCTL_DIR/private/$NAME.key" --type "$keytype" \
565+ | gendevcert "$DEVDN" "$DEVSAN" "$NAME"
566+}
567+
568+setparams()
569+{
570+ NAME="$1"
571+
572+ if [ -n "$U_OPT" ]; then
573+ DEVSAN="$NAME@$DOMAIN"
574+ DEVDN="$(makeDN "$C" "$ORG" "$DEVSAN")"
575+ else
576+ DEVSAN="$NAME.$DOMAIN"
577+ DEVDN="$(makeDN "$C" "$ORG" "$NAME")"
578+ fi
579+}
580+
581+umask 077
582+
583+[ "$EUID" -eq 0 ] || { echo "Must run as root!" >&2 ; exit 1; }
584+
585+ROOTDN="$(makeDN "$C" "$ORG" "Root CA")"
586+
587+[ -f "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" ] || genmasterkey
588+
589+[ -f "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" ] || genca
590+
591+PARENT="$SYSCONFDIR"
592+BASEDIR="${SWANCTL_DIR##$PARENT/}"
593+
594+for name in "$@"; do
595+ setparams "$name"
596+ gendev
597+
598+ tar -zcf "$name-certs.tar.gz" -C "$PARENT" "$BASEDIR/x509ca/$SHORT_DOMAIN.crt" "$BASEDIR/x509/$name.crt" "$BASEDIR/private/$name.key"
599+ chmod 600 "$name-certs.tar.gz"
600+ echo "Generated as $name-certs.tar.gz"
601+done
602+
603+exit 0
604--- a/feeds/packages/net/strongswan/files/ipsec.init
605+++ b/feeds/packages/net/strongswan/files/ipsec.init
606@@ -354,6 +354,8 @@ service_triggers() {
607 start_service() {
608 prepare_env
609
610+ warning "Strongswan is deprecating the ipsec CLI; please migrate to swanctl."
611+
612 [ $WAIT_FOR_INTF -eq 1 ] && return
613
614 procd_open_instance
615--- a/feeds/packages/net/strongswan/files/swanctl.init
616+++ b/feeds/packages/net/strongswan/files/swanctl.init
617@@ -4,7 +4,7 @@ START=90
618 STOP=10
619
620 USE_PROCD=1
621-PROG=/usr/lib/ipsec/starter
622+PROG=/usr/lib/ipsec/charon
623
624 . $IPKG_INSTROOT/lib/functions.sh
625 . $IPKG_INSTROOT/lib/functions/network.sh
626@@ -17,8 +17,9 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanc
627
628 WAIT_FOR_INTF=0
629
630-time2seconds()
631-{
632+CONFIG_FAIL=0
633+
634+time2seconds() {
635 local timestring="$1"
636 local multiplier number suffix
637
638@@ -40,8 +41,7 @@ time2seconds()
639 echo $(( number * multiplier ))
640 }
641
642-seconds2time()
643-{
644+seconds2time() {
645 local seconds="$1"
646
647 if [ $seconds -eq 0 ]; then
648@@ -63,9 +63,12 @@ file_reset() {
649
650 xappend() {
651 local file="$1"
652- shift
653+ local indent="$2"
654+ shift 2
655
656- echo "$@" >> "$file"
657+ for cmd in "$@"; do
658+ echo "$indent$cmd" >> "$file"
659+ done
660 }
661
662 swan_reset() {
663@@ -77,23 +80,23 @@ swan_xappend() {
664 }
665
666 swan_xappend0() {
667- swan_xappend "$@"
668+ swan_xappend "" "$@"
669 }
670
671 swan_xappend1() {
672- swan_xappend " ""$@"
673+ swan_xappend " " "$@"
674 }
675
676 swan_xappend2() {
677- swan_xappend " ""$@"
678+ swan_xappend " " "$@"
679 }
680
681 swan_xappend3() {
682- swan_xappend " ""$@"
683+ swan_xappend " " "$@"
684 }
685
686 swan_xappend4() {
687- swan_xappend " ""$@"
688+ swan_xappend " " "$@"
689 }
690
691 swanctl_reset() {
692@@ -105,52 +108,66 @@ swanctl_xappend() {
693 }
694
695 swanctl_xappend0() {
696- swanctl_xappend "$@"
697+ swanctl_xappend "" "$@"
698 }
699
700 swanctl_xappend1() {
701- swanctl_xappend " ""$@"
702+ swanctl_xappend " " "$@"
703 }
704
705 swanctl_xappend2() {
706- swanctl_xappend " ""$@"
707+ swanctl_xappend " " "$@"
708 }
709
710 swanctl_xappend3() {
711- swanctl_xappend " ""$@"
712+ swanctl_xappend " " "$@"
713 }
714
715 swanctl_xappend4() {
716- swanctl_xappend " ""$@"
717+ swanctl_xappend " " "$@"
718 }
719
720 warning() {
721 echo "WARNING: $@" >&2
722 }
723
724+fatal() {
725+ echo "ERROR: $@" >&2
726+ CONFIG_FAIL=1
727+}
728+
729+append_var() {
730+ local var="$2" value="$1" delim="${3:- }"
731+ append "$var" "$value" "$delim"
732+}
733+
734 is_aead() {
735 local cipher="$1"
736
737 case "$cipher" in
738 aes*gcm*|aes*ccm*|aes*gmac*)
739 return 0 ;;
740+ chacha20poly1305)
741+ return 0 ;;
742 esac
743
744 return 1
745 }
746
747-add_esp_proposal() {
748+config_esp_proposal() {
749+ local conf="$1"
750+
751 local encryption_algorithm
752 local hash_algorithm
753 local dh_group
754
755- config_get encryption_algorithm "$1" encryption_algorithm
756- config_get hash_algorithm "$1" hash_algorithm
757- config_get dh_group "$1" dh_group
758+ config_get encryption_algorithm "$conf" encryption_algorithm
759+ config_get hash_algorithm "$conf" hash_algorithm
760+ config_get dh_group "$conf" dh_group
761
762 # check for AEAD and clobber hash_algorithm if set
763 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
764- warning "Can't have $hash_algorithm with $encryption_algorithm"
765+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
766 hash_algorithm=
767 fi
768
769@@ -158,29 +175,33 @@ add_esp_proposal() {
770 crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
771 }
772
773-parse_esp_proposal() {
774+iter_esp_proposal() {
775 local conf="$1"
776+ local var="$2"
777+
778 local crypto=""
779
780- config_list_foreach "$conf" crypto_proposal add_esp_proposal
781+ config_list_foreach "$conf" crypto_proposal config_esp_proposal
782
783- echo "$crypto"
784+ export -n "$var=$crypto"
785 }
786
787-add_ike_proposal() {
788+config_ike_proposal() {
789+ local conf="$1"
790+
791 local encryption_algorithm
792 local hash_algorithm
793 local dh_group
794 local prf_algorithm
795
796- config_get encryption_algorithm "$1" encryption_algorithm
797- config_get hash_algorithm "$1" hash_algorithm
798- config_get dh_group "$1" dh_group
799- config_get prf_algorithm "$1" prf_algorithm
800+ config_get encryption_algorithm "$conf" encryption_algorithm
801+ config_get hash_algorithm "$conf" hash_algorithm
802+ config_get dh_group "$conf" dh_group
803+ config_get prf_algorithm "$conf" prf_algorithm
804
805 # check for AEAD and clobber hash_algorithm if set
806 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
807- warning "Can't have $hash_algorithm with $encryption_algorithm"
808+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
809 hash_algorithm=
810 fi
811
812@@ -188,47 +209,65 @@ add_ike_proposal() {
813 crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
814 }
815
816-parse_ike_proposal() {
817+iter_ike_proposal() {
818 local conf="$1"
819+ local var="$2"
820+
821 local crypto=""
822
823- config_list_foreach "$conf" crypto_proposal add_ike_proposal
824+ config_list_foreach "$conf" crypto_proposal config_ike_proposal
825
826- echo "$crypto"
827+ export -n "$var=$crypto"
828 }
829
830-config_conn() {
831+config_child() {
832 # Generic ipsec conn section shared by tunnel and transport
833- local config_name="$1"
834+ local conf="$1"
835 local mode="$2"
836
837+ local hw_offload
838+ local interface
839+ local ipcomp
840+ local priority
841 local local_subnet
842 local local_nat
843 local updown
844 local firewall
845 local remote_subnet
846- local remote_sourceip
847 local lifetime
848 local dpdaction
849 local closeaction
850 local startaction
851 local if_id
852 local rekeytime
853+ local rekeybytes
854+ local lifebytes
855+ local rekeypackets
856+ local lifepackets
857+
858+ config_get startaction "$conf" startaction "route"
859+ config_get local_nat "$conf" local_nat ""
860+ config_get updown "$conf" updown ""
861+ config_get firewall "$conf" firewall ""
862+ config_get lifetime "$conf" lifetime ""
863+ config_get dpdaction "$conf" dpdaction "none"
864+ config_get closeaction "$conf" closeaction "none"
865+ config_get if_id "$conf" if_id ""
866+ config_get rekeytime "$conf" rekeytime ""
867+ config_get_bool ipcomp "$conf" ipcomp 0
868+ config_get interface "$conf" interface ""
869+ config_get hw_offload "$conf" hw_offload ""
870+ config_get priority "$conf" priority ""
871+ config_get rekeybytes "$conf" rekeybytes ""
872+ config_get lifebytes "$conf" lifebytes ""
873+ config_get rekeypackets "$conf" rekeypackets ""
874+ config_get lifepackets "$conf" lifepackets ""
875
876- config_get startaction "$1" startaction "route"
877- config_get local_subnet "$1" local_subnet ""
878- config_get local_nat "$1" local_nat ""
879- config_get updown "$1" updown ""
880- config_get firewall "$1" firewall ""
881- config_get remote_subnet "$1" remote_subnet ""
882- config_get remote_sourceip "$1" remote_sourceip ""
883- config_get lifetime "$1" lifetime ""
884- config_get dpdaction "$1" dpdaction "none"
885- config_get closeaction "$1" closeaction "none"
886- config_get if_id "$1" if_id ""
887- config_get rekeytime "$1" rekeytime ""
888+ config_list_foreach "$conf" local_subnet append_var local_subnet ","
889+ config_list_foreach "$conf" remote_subnet append_var remote_subnet ","
890
891- local esp_proposal="$(parse_esp_proposal "$1")"
892+ local esp_proposal
893+ iter_esp_proposal "$conf" esp_proposal
894
895 # translate from ipsec to swanctl
896 case "$startaction" in
897@@ -240,7 +279,7 @@ config_conn() {
898 # already using new syntax
899 ;;
900 *)
901- warning "Startaction $startaction unknown"
902+ fatal "Startaction $startaction unknown"
903 startaction=
904 ;;
905 esac
906@@ -256,7 +295,7 @@ config_conn() {
907 # already using new syntax
908 ;;
909 *)
910- warning "Closeaction $closeaction unknown"
911+ fatal "Closeaction $closeaction unknown"
912 closeaction=
913 ;;
914 esac
915@@ -278,18 +317,32 @@ config_conn() {
916 # already using new syntax
917 ;;
918 *)
919- warning "Dpdaction $dpdaction unknown"
920+ fatal "Dpdaction $dpdaction unknown"
921 dpdaction=
922 ;;
923 esac
924
925+ case "$hw_offload" in
926+ yes|no|auto|"")
927+ ;;
928+ *)
929+ fatal "hw_offload value $hw_offload invalid"
930+ hw_offload=""
931+ ;;
932+ esac
933+
934 [ -n "$local_nat" ] && local_subnet="$local_nat"
935
936- swanctl_xappend3 "$config_name {"
937+ swanctl_xappend3 "$conf {"
938
939 [ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet"
940 [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet"
941- [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; }
942+
943+ [ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload"
944+ [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1"
945+ [ -n "$interface" ] && swanctl_xappend4 "interface = $interface"
946+ [ -n "$priority" ] && swanctl_xappend4 "priority = $priority"
947+ [ -n "$if_id" ] && swanctl_xappend4 "if_id_in = $if_id" "if_id_out = $if_id"
948 [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction"
949 [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction"
950 swanctl_xappend4 "esp_proposals = $esp_proposal"
951@@ -301,6 +354,19 @@ config_conn() {
952 swanctl_xappend4 "life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))"
953 fi
954 [ -n "$rekeytime" ] && swanctl_xappend4 "rekey_time = $rekeytime"
955+ if [ -n "$lifebytes" ]; then
956+ swanctl_xappend4 "life_bytes = $lifebytes"
957+ elif [ -n "$rekeybytes" ]; then
958+ swanctl_xappend4 "life_bytes = $(((110 * rekeybytes) / 100))"
959+ fi
960+ [ -n "$rekeybytes" ] && swanctl_xappend4 "rekey_bytes = $rekeybytes"
961+ if [ -n "$lifepackets" ]; then
962+ swanctl_xappend4 "life_packets = $lifepackets"
963+ elif [ -n "$rekeypackets" ]; then
964+ swanctl_xappend4 "life_packets = $(((110 * rekeypackets) / 100))"
965+ fi
966+ [ -n "$rekeypackets" ] && swanctl_xappend4 "rekey_packets = $rekeypackets"
967+ [ -n "$inactivity" ] && swanctl_xappend4 "inactivity = $inactivity"
968
969 [ -n "$updown" ] && swanctl_xappend4 "updown = $updown"
970 [ -n "$dpdaction" ] && swanctl_xappend4 "dpd_action = $dpdaction"
971@@ -309,21 +375,56 @@ config_conn() {
972 }
973
974 config_tunnel() {
975- config_conn "$1" "tunnel"
976+ config_child "$1" "tunnel"
977 }
978
979 config_transport() {
980- config_conn "$1" "transport"
981+ config_child "$1" "transport"
982+}
983+
984+config_pool() {
985+ local conf="$1"
986+
987+ local addrs
988+ local dns
989+ local nbns
990+ local dhcp
991+ local netmask
992+ local server
993+ local subnet
994+ local split_include
995+ local split_exclude
996+
997+ config_get addrs "$conf" addrs
998+ config_list_foreach "$conf" dns append_var dns ","
999+ config_list_foreach "$conf" nbns append_var nbns ","
1000+ config_list_foreach "$conf" dhcp append_var dhcp ","
1001+ config_list_foreach "$conf" netmask append_var netmask ","
1002+ config_list_foreach "$conf" server append_var server ","
1003+ config_list_foreach "$conf" subnet append_var subnet ","
1004+ config_list_foreach "$conf" split_include append_var split_include ","
1005+ config_list_foreach "$conf" split_exclude append_var split_exclude ","
1006+
1007+ swanctl_xappend1 "$conf {"
1008+ [ -n "$addrs" ] && swanctl_xappend2 "addrs = $addrs"
1009+ [ -n "$dns" ] && swanctl_xappend2 "dns = $dns"
1010+ [ -n "$nbns" ] && swanctl_xappend2 "nbns = $nbns"
1011+ [ -n "$dhcp" ] && swanctl_xappend2 "dhcp = $dhcp"
1012+ [ -n "$netmask" ] && swanctl_xappend2 "netmask = $netmask"
1013+ [ -n "$server" ] && swanctl_xappend2 "server = $server"
1014+ [ -n "$subnet" ] && swanctl_xappend2 "subnet = $subnet"
1015+ [ -n "$split_include" ] && swanctl_xappend2 "split_include = $split_include"
1016+ [ -n "$split_exclude" ] && swanctl_xappend2 "split_exclude = $split_exclude"
1017+ swanctl_xappend1 "}"
1018 }
1019
1020 config_remote() {
1021- local config_name="$1"
1022+ local conf="$1"
1023
1024 local enabled
1025 local gateway
1026- local local_gateway
1027 local local_sourceip
1028- local local_leftip
1029+ local local_ip
1030 local remote_gateway
1031 local pre_shared_key
1032 local auth_method
1033@@ -331,38 +432,39 @@ config_remote() {
1034 local dpddelay
1035 local inactivity
1036 local keyexchange
1037- local reqid
1038- local packet_marker
1039 local fragmentation
1040 local mobike
1041 local local_cert
1042 local local_key
1043 local ca_cert
1044 local rekeytime
1045+ local remote_ca_certs
1046+ local pools
1047
1048- config_get_bool enabled "$1" enabled 0
1049+ config_get_bool enabled "$conf" enabled 0
1050 [ $enabled -eq 0 ] && return
1051
1052- config_get gateway "$1" gateway
1053- config_get pre_shared_key "$1" pre_shared_key
1054- config_get auth_method "$1" authentication_method
1055- config_get local_identifier "$1" local_identifier ""
1056- config_get remote_identifier "$1" remote_identifier ""
1057- config_get local_sourceip "$1" local_sourceip ""
1058- config_get local_leftip "$1" local_leftip "%any"
1059- config_get keyingtries "$1" keyingtries "3"
1060- config_get dpddelay "$1" dpddelay "30s"
1061- config_get inactivity "$1" inactivity
1062- config_get keyexchange "$1" keyexchange "ikev2"
1063- config_get reqid "$1" reqid
1064- config_get packet_marker "$1" packet_marker
1065- config_get fragmentation "$1" fragmentation "yes"
1066- config_get_bool mobike "$1" mobike 1
1067- config_get local_cert "$1" local_cert ""
1068- config_get local_key "$1" local_key ""
1069- config_get ca_cert "$1" ca_cert ""
1070- config_get rekeytime "$1" rekeytime
1071- config_get overtime "$1" overtime
1072+ config_get gateway "$conf" gateway
1073+ config_get pre_shared_key "$conf" pre_shared_key
1074+ config_get auth_method "$conf" authentication_method
1075+ config_get local_identifier "$conf" local_identifier ""
1076+ config_get remote_identifier "$conf" remote_identifier ""
1077+ config_get local_ip "$conf" local_ip "%any"
1078+ config_get keyingtries "$conf" keyingtries "3"
1079+ config_get dpddelay "$conf" dpddelay "30s"
1080+ config_get inactivity "$conf" inactivity
1081+ config_get keyexchange "$conf" keyexchange "ikev2"
1082+ config_get fragmentation "$conf" fragmentation "yes"
1083+ config_get_bool mobike "$conf" mobike 1
1084+ config_get local_cert "$conf" local_cert ""
1085+ config_get local_key "$conf" local_key ""
1086+ config_get ca_cert "$conf" ca_cert ""
1087+ config_get rekeytime "$conf" rekeytime
1088+ config_get overtime "$conf" overtime
1089+
1090+ config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
1091+ config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs ","
1092+ config_list_foreach "$conf" pools append_var pools ","
1093
1094 case "$fragmentation" in
1095 0)
1096@@ -373,50 +475,70 @@ config_remote() {
1097 # already using new syntax
1098 ;;
1099 *)
1100- warning "Fragmentation $fragmentation not supported"
1101+ fatal "Fragmentation $fragmentation not supported"
1102 fragmentation=
1103 ;;
1104 esac
1105
1106 [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
1107
1108- [ -z "$local_gateway" ] && {
1109- local ipdest
1110+ if [ -n "$local_key" ]; then
1111+ [ "$(dirname "$local_key")" != "." ] && \
1112+ fatal "local_key $local_key can't be pathname"
1113+ [ -f "/etc/swanctl/private/$local_key" ] || \
1114+ fatal "local_key $local_key not found"
1115+ fi
1116+
1117+ local ike_proposal
1118+ iter_ike_proposal "$conf" ike_proposal
1119
1120- [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
1121- local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
1122- }
1123+ [ -n "$firewall" ] && fatal "Firewall not supported"
1124
1125- local ike_proposal="$(parse_ike_proposal "$1")"
1126+ if [ "$auth_method" = pubkey ]; then
1127+ if [ -n "$ca_cert" ]; then
1128+ [ "$(dirname "$ca_cert")" != "." ] && \
1129+ fatal "ca_cert $ca_cert can't be pathname"
1130+ [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \
1131+ fatal "ca_cert $ca_cert not found"
1132+ fi
1133
1134- [ -n "$firewall" ] && warning "Firewall not supported"
1135+ if [ -n "$local_cert" ]; then
1136+ [ "$(dirname "$local_cert")" != "." ] && \
1137+ fatal "local_cert $local_cert can't be pathname"
1138+ [ -f "/etc/swanctl/x509/$local_cert" ] || \
1139+ fatal "local_cert $local_cert not found"
1140+ fi
1141+ fi
1142
1143- swanctl_xappend0 "# config for $config_name"
1144+ swanctl_xappend0 "# config for $conf"
1145 swanctl_xappend0 "connections {"
1146- swanctl_xappend1 "$config_name {"
1147- swanctl_xappend2 "local_addrs = $local_leftip"
1148+ swanctl_xappend1 "$conf {"
1149+ swanctl_xappend2 "local_addrs = $local_ip"
1150 swanctl_xappend2 "remote_addrs = $remote_gateway"
1151
1152 [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
1153 [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
1154+ [ -n "$pools" ] && swanctl_xappend2 "pools = $pools"
1155
1156 swanctl_xappend2 "local {"
1157 swanctl_xappend3 "auth = $auth_method"
1158
1159 [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
1160- [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert"
1161+ [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
1162+ swanctl_xappend3 "certs = $local_cert"
1163 swanctl_xappend2 "}"
1164
1165 swanctl_xappend2 "remote {"
1166 swanctl_xappend3 "auth = $auth_method"
1167 [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
1168+ [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
1169 swanctl_xappend2 "}"
1170
1171 swanctl_xappend2 "children {"
1172
1173- config_list_foreach "$1" tunnel config_tunnel
1174+ config_list_foreach "$conf" tunnel config_tunnel
1175
1176- config_list_foreach "$1" transport config_transport
1177+ config_list_foreach "$conf" transport config_transport
1178
1179 swanctl_xappend2 "}"
1180
1181@@ -428,7 +550,7 @@ config_remote() {
1182 ikev2)
1183 swanctl_xappend2 "version = 2" ;;
1184 *)
1185- warning "Keyexchange $keyexchange not supported"
1186+ fatal "Keyexchange $keyexchange not supported"
1187 keyexchange=
1188 ;;
1189 esac
1190@@ -454,17 +576,9 @@ config_remote() {
1191 if [ "$auth_method" = pubkey ]; then
1192 swanctl_xappend0 ""
1193
1194- swanctl_xappend0 "secrets {"
1195- swanctl_xappend1 "rsa {"
1196- swanctl_xappend2 "filename = $local_key"
1197- swanctl_xappend1 "}"
1198- swanctl_xappend0 "}"
1199-
1200- swanctl_xappend0 ""
1201-
1202 if [ -n "$ca_cert" ]; then
1203 swanctl_xappend0 "authorities {"
1204- swanctl_xappend1 "$config_name {"
1205+ swanctl_xappend1 "$conf {"
1206 swanctl_xappend2 "cacert = $ca_cert"
1207 swanctl_xappend1 "}"
1208 swanctl_xappend0 "}"
1209@@ -474,18 +588,24 @@ config_remote() {
1210 swanctl_xappend0 ""
1211
1212 swanctl_xappend0 "secrets {"
1213- swanctl_xappend1 "ike {"
1214+ swanctl_xappend1 "ike-$conf {"
1215 swanctl_xappend2 "secret = $pre_shared_key"
1216- if [ -z "$local_id" ]; then
1217- swanctl_xappend2 "id1 = $local_id"
1218- if [ -z "$remote_id" ]; then
1219- swanctl_xappend2 "id2 = $remote_id"
1220+ if [ -n "$local_identifier" ]; then
1221+ swanctl_xappend2 "id1 = $local_identifier"
1222+ if [ -n "$remote_identifier" ]; then
1223+ swanctl_xappend2 "id2 = $remote_identifier"
1224 fi
1225 fi
1226+ swanctl_xappend1 "}"
1227+ swanctl_xappend0 "}"
1228 else
1229- warning "AuthenticationMode $auth_mode not supported"
1230+ fatal "AuthenticationMode $auth_mode not supported"
1231 fi
1232
1233+ swanctl_xappend0 "pools {"
1234+ config_list_foreach "$conf" pools config_pool
1235+ swanctl_xappend0 "}"
1236+
1237 swanctl_xappend0 ""
1238 }
1239
1240@@ -494,24 +614,20 @@ do_preamble() {
1241 }
1242
1243 config_ipsec() {
1244- local debug
1245+ local conf="$1"
1246+
1247 local rtinstall_enabled
1248- local routing_tables_ignored
1249 local routing_table
1250 local routing_table_id
1251 local interface
1252- local device_list
1253-
1254- swan_reset
1255- swanctl_reset
1256- do_preamble
1257+ local interface_list
1258
1259- config_get debug "$1" debug 0
1260- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
1261+ config_get debug "$conf" debug 0
1262+ config_get_bool rtinstall_enabled "$conf" rtinstall_enabled 1
1263 [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
1264
1265 # prepare extra charon config option ignore_routing_tables
1266- for routing_table in $(config_get "$1" "ignore_routing_tables"); do
1267+ for routing_table in $(config_get "$conf" "ignore_routing_tables"); do
1268 if [ "$routing_table" -ge 0 ] 2>/dev/null; then
1269 routing_table_id=$routing_table
1270 else
1271@@ -521,7 +637,8 @@ config_ipsec() {
1272 [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
1273 done
1274
1275- local interface_list=$(config_get "$1" "interface")
1276+ config_list_foreach "$conf" interface append_var interface_list
1277+
1278 if [ -z "$interface_list" ]; then
1279 WAIT_FOR_INTF=0
1280 else
1281@@ -531,7 +648,9 @@ config_ipsec() {
1282 done
1283 [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
1284 fi
1285+}
1286
1287+do_postamble() {
1288 swan_xappend0 "# generated by /etc/init.d/swanctl"
1289 swan_xappend0 "charon {"
1290 swan_xappend1 "install_routes = $install_routes"
1291@@ -551,9 +670,19 @@ config_ipsec() {
1292
1293 prepare_env() {
1294 mkdir -p /var/ipsec /var/swanctl
1295+
1296+ swan_reset
1297+ swanctl_reset
1298+ do_preamble
1299+
1300+ # needed by do_postamble
1301+ local debug install_routes routing_tables_ignored device_list
1302+
1303 config_load ipsec
1304 config_foreach config_ipsec ipsec
1305 config_foreach config_remote remote
1306+
1307+ do_postamble
1308 }
1309
1310 service_running() {
1311@@ -587,9 +716,14 @@ start_service() {
1312
1313 [ $WAIT_FOR_INTF -eq 1 ] && return
1314
1315+ if [ $CONFIG_FAIL -ne 0 ]; then
1316+ procd_set_param error "Invalid configuration"
1317+ return
1318+ fi
1319+
1320 procd_open_instance
1321
1322- procd_set_param command $PROG --daemon charon --nofork
1323+ procd_set_param command $PROG
1324
1325 procd_set_param file $SWANCTL_CONF_FILE
1326 procd_append_param file /etc/swanctl/conf.d/*.conf
1327--- /dev/null
1328+++ b/feeds/packages/net/strongswan/patches/0900-src-Patch-for-building-with-musl-on-openwrt-taken-ve.patch
1329@@ -0,0 +1,110 @@
1330+From 27a54379cf3c48ff63c02a4a9f023297bba60d45 Mon Sep 17 00:00:00 2001
1331+From: Noel Kuntze <noel.kuntze@thermi.consulting>
1332+Date: Mon, 12 Jul 2021 01:29:43 +0200
1333+Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken
1334+ verbatim from openwrt package sources)
1335+
1336+---
1337+ .../kernel_netlink/kernel_netlink_ipsec.c | 1 +
1338+ .../kernel_netlink/kernel_netlink_net.c | 2 +
1339+ .../kernel_netlink/kernel_netlink_shared.c | 2 +
1340+ src/libstrongswan/library.h | 1 +
1341+ src/libstrongswan/musl.h | 38 +++++++++++++++++++
1342+ .../plugins/bliss/bliss_huffman.c | 2 +
1343+ 6 files changed, 46 insertions(+)
1344+ create mode 100644 src/libstrongswan/musl.h
1345+
1346+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
1347++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
1348+@@ -41,6 +41,7 @@
1349+ */
1350+
1351+ #define _GNU_SOURCE
1352++#include <musl.h>
1353+ #include <sys/types.h>
1354+ #include <sys/socket.h>
1355+ #include <sys/ioctl.h>
1356+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
1357++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
1358+@@ -37,6 +37,8 @@
1359+ * THE SOFTWARE.
1360+ */
1361+
1362++#include "musl.h"
1363++
1364+ #include <sys/socket.h>
1365+ #include <sys/utsname.h>
1366+ #include <linux/netlink.h>
1367+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
1368++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
1369+@@ -37,6 +37,8 @@
1370+ * THE SOFTWARE.
1371+ */
1372+
1373++#include "musl.h"
1374++
1375+ #include <sys/socket.h>
1376+ #include <linux/netlink.h>
1377+ #include <linux/rtnetlink.h>
1378+--- a/src/libstrongswan/library.h
1379++++ b/src/libstrongswan/library.h
1380+@@ -120,6 +120,7 @@
1381+ #include "utils/leak_detective.h"
1382+ #include "plugins/plugin_loader.h"
1383+ #include "settings/settings.h"
1384++#include "musl.h"
1385+
1386+ typedef struct library_t library_t;
1387+
1388+--- /dev/null
1389++++ b/src/libstrongswan/musl.h
1390+@@ -0,0 +1,38 @@
1391++#include <sys/types.h>
1392++
1393++#define crypt x_crypt
1394++#define encrypt x_encrypt
1395++#include <unistd.h>
1396++
1397++#define fd_set x_fd_set
1398++#define ino_t x_ino_t
1399++#define off_t x_off_t
1400++#define loff_t x_loff_t
1401++#define dev_t x_dev_t
1402++#define mode_t x_mode_t
1403++#define uid_t x_uid_t
1404++#define gid_t x_gid_t
1405++#define uint64_t x_uint64_t
1406++#define u_int64_t x_u_int64_t
1407++#define int64_t x_int64_t
1408++#define nlink_t x_nlink_t
1409++#define timer_t x_timer_t
1410++#define blkcnt_t x_blkcnt_t
1411++
1412++#include <linux/types.h>
1413++
1414++#undef fd_set
1415++#undef ino_t
1416++#undef off_t
1417++#undef dev_t
1418++#undef mode_t
1419++#undef uid_t
1420++#undef gid_t
1421++#undef uint64_t
1422++#undef u_int64_t
1423++#undef int64_t
1424++#undef nlink_t
1425++#undef timer_t
1426++#undef blkcnt_t
1427++#undef crypt
1428++#undef encrypt
1429+--- a/src/libstrongswan/plugins/bliss/bliss_huffman.c
1430++++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
1431+@@ -18,6 +18,8 @@
1432+ #include "bliss_param_set.h"
1433+
1434+ #include <library.h>
1435++#undef fprintf
1436++#undef printf
1437+
1438+ #include <stdio.h>
1439+ #include <math.h>
1440--- /dev/null
1441+++ b/feeds/packages/net/strongswan/patches/0901-uci-verbatim-patch-from-openwrt-package-sources.patch
1442@@ -0,0 +1,29 @@
1443+From 81be4fa54760aa4fed53c6d93da443f57a66f262 Mon Sep 17 00:00:00 2001
1444+From: Noel Kuntze <noel.kuntze@thermi.consulting>
1445+Date: Mon, 12 Jul 2021 01:30:32 +0200
1446+Subject: [PATCH 901/904] uci: verbatim patch from openwrt package sources
1447+
1448+---
1449+ src/libcharon/plugins/uci/uci_parser.c | 4 ++--
1450+ 1 file changed, 2 insertions(+), 2 deletions(-)
1451+
1452+--- a/src/libcharon/plugins/uci/uci_parser.c
1453++++ b/src/libcharon/plugins/uci/uci_parser.c
1454+@@ -76,7 +76,7 @@ METHOD(enumerator_t, section_enumerator_
1455+ if (uci_lookup(this->ctx, &element, this->package,
1456+ this->current->name, "name") == UCI_OK)
1457+ { /* use "name" attribute as config name if available ... */
1458+- *value = uci_to_option(element)->value;
1459++ *value = uci_to_option(element)->v.string;
1460+ }
1461+ else
1462+ { /* ... or the section name becomes config name */
1463+@@ -91,7 +91,7 @@ METHOD(enumerator_t, section_enumerator_
1464+ if (value && uci_lookup(this->ctx, &element, this->package,
1465+ this->current->name, this->keywords[i]) == UCI_OK)
1466+ {
1467+- *value = uci_to_option(element)->value;
1468++ *value = uci_to_option(element)->v.string;
1469+ }
1470+ }
1471+
1472--- /dev/null
1473+++ b/feeds/packages/net/strongswan/patches/0902-ipsec-Patch-ipsec-script-to-work-with-musl-sleep-.-P.patch
1474@@ -0,0 +1,21 @@
1475+From d71ec4f26a1334e78a38fa44a1271c52a029e3b4 Mon Sep 17 00:00:00 2001
1476+From: Noel Kuntze <noel.kuntze@thermi.consulting>
1477+Date: Mon, 12 Jul 2021 01:31:36 +0200
1478+Subject: [PATCH 902/904] ipsec: Patch `ipsec` script to work with musl
1479+ `sleep`. Patch taken verbatim from openwrt package sources.
1480+
1481+---
1482+ src/ipsec/_ipsec.in | 2 +-
1483+ 1 file changed, 1 insertion(+), 1 deletion(-)
1484+
1485+--- a/src/ipsec/_ipsec.in
1486++++ b/src/ipsec/_ipsec.in
1487+@@ -257,7 +257,7 @@ stop)
1488+ loop=110
1489+ while [ $loop -gt 0 ] ; do
1490+ kill -0 $spid 2>/dev/null || break
1491+- sleep 0.1 2>/dev/null
1492++ sleep 1 2>/dev/null
1493+ if [ $? -ne 0 ]
1494+ then
1495+ sleep 1
1496--- /dev/null
1497+++ b/feeds/packages/net/strongswan/patches/0903-updown-Call-sbin-hotplug-call-ipsec-1-in-updown-scri.patch
1498@@ -0,0 +1,26 @@
1499+From c779da992bdd440e336383da0eb75ef3a2ea6cde Mon Sep 17 00:00:00 2001
1500+From: Noel Kuntze <noel.kuntze@thermi.consulting>
1501+Date: Mon, 12 Jul 2021 01:32:20 +0200
1502+Subject: [PATCH 903/904] updown: Call /sbin/hotplug-call ipsec "$1" in updown
1503+ script. Patch taken verbatim from openwrt package sources.
1504+
1505+---
1506+ src/_updown/_updown.in | 7 +++++++
1507+ 1 file changed, 7 insertions(+)
1508+
1509+--- a/src/_updown/_updown.in
1510++++ b/src/_updown/_updown.in
1511+@@ -22,6 +22,13 @@
1512+ # that, and use the (left/right)updown parameters in ipsec.conf to make
1513+ # strongSwan use yours instead of this default one.
1514+
1515++# Add your custom commands to the file "/etc/ipsec.user". Other packages could
1516++# also install their scripts in the directory "/etc/hotplug.d/ipsec".
1517++# This files/scripts are executed by the openwrt hotplug functionality on
1518++# ipsec events.
1519++
1520++/sbin/hotplug-call ipsec "$1"
1521++
1522+ # PLUTO_VERSION
1523+ # indicates what version of this interface is being
1524+ # used. This document describes version 1.1. This
1525--- /dev/null
1526+++ b/feeds/packages/net/strongswan/patches/0904-gmpdh-Plugin-that-implements-gmp-DH-functions-in-an-.patch
1527@@ -0,0 +1,239 @@
1528+From 9f60c2ea6394facac55b90ef66466e1b9edef2a9 Mon Sep 17 00:00:00 2001
1529+From: Noel Kuntze <noel.kuntze@thermi.consulting>
1530+Date: Mon, 12 Jul 2021 01:34:23 +0200
1531+Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an
1532+ extra plugin. Links and uses gmp plugin source and header files. Patch taken
1533+ verbatim from openwrt package sources.
1534+
1535+---
1536+ configure.ac | 4 +
1537+ src/libstrongswan/Makefile.am | 7 ++
1538+ src/libstrongswan/plugins/gmpdh/Makefile.am | 19 ++++
1539+ .../plugins/gmpdh/gmpdh_plugin.c | 101 ++++++++++++++++++
1540+ .../plugins/gmpdh/gmpdh_plugin.h | 42 ++++++++
1541+ 5 files changed, 173 insertions(+)
1542+ create mode 100644 src/libstrongswan/plugins/gmpdh/Makefile.am
1543+ create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
1544+ create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
1545+
1546+--- a/configure.ac
1547++++ b/configure.ac
1548+@@ -147,6 +147,7 @@ ARG_DISBL_SET([fips-prf], [disable
1549+ ARG_DISBL_SET([gcm], [disable the GCM AEAD wrapper crypto plugin.])
1550+ ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
1551+ ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.])
1552++ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.])
1553+ ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.])
1554+ ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
1555+ ARG_DISBL_SET([kdf], [disable KDF (prf+) implementation plugin.])
1556+@@ -1565,6 +1566,7 @@ ADD_PLUGIN([pkcs8], [s ch
1557+ ADD_PLUGIN([af-alg], [s charon pki scripts medsrv attest nm cmd aikgen])
1558+ ADD_PLUGIN([fips-prf], [s charon nm cmd])
1559+ ADD_PLUGIN([gmp], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
1560++ADD_PLUGIN([gmpdh], [s charon pki scripts manager medsrv attest nm cmd aikgen])
1561+ ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd])
1562+ ADD_PLUGIN([agent], [s charon nm cmd])
1563+ ADD_PLUGIN([keychain], [s charon cmd])
1564+@@ -1706,6 +1708,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
1565+ AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
1566+ AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
1567+ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
1568++AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue)
1569+ AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
1570+ AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
1571+ AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
1572+@@ -1983,6 +1986,7 @@ AC_CONFIG_FILES([
1573+ src/libstrongswan/plugins/mgf1/Makefile
1574+ src/libstrongswan/plugins/fips_prf/Makefile
1575+ src/libstrongswan/plugins/gmp/Makefile
1576++ src/libstrongswan/plugins/gmpdh/Makefile
1577+ src/libstrongswan/plugins/curve25519/Makefile
1578+ src/libstrongswan/plugins/rdrand/Makefile
1579+ src/libstrongswan/plugins/aesni/Makefile
1580+--- a/src/libstrongswan/Makefile.am
1581++++ b/src/libstrongswan/Makefile.am
1582+@@ -353,6 +353,13 @@ if MONOLITHIC
1583+ endif
1584+ endif
1585+
1586++if USE_GMPDH
1587++ SUBDIRS += plugins/gmpdh
1588++if MONOLITHIC
1589++ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la
1590++endif
1591++endif
1592++
1593+ if USE_CURVE25519
1594+ SUBDIRS += plugins/curve25519
1595+ if MONOLITHIC
1596+--- /dev/null
1597++++ b/src/libstrongswan/plugins/gmpdh/Makefile.am
1598+@@ -0,0 +1,19 @@
1599++AM_CPPFLAGS = \
1600++ -I$(top_srcdir)/src/libstrongswan
1601++
1602++AM_CFLAGS = \
1603++ $(PLUGIN_CFLAGS)
1604++
1605++if MONOLITHIC
1606++noinst_LTLIBRARIES = libstrongswan-gmpdh.la
1607++else
1608++plugin_LTLIBRARIES = libstrongswan-gmpdh.la
1609++endif
1610++
1611++libstrongswan_gmpdh_la_SOURCES = \
1612++ gmpdh_plugin.h gmpdh_plugin.c \
1613++ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h
1614++
1615++
1616++libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC)
1617++libstrongswan_gmpdh_la_LIBADD =
1618+--- /dev/null
1619++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
1620+@@ -0,0 +1,101 @@
1621++/*
1622++ * Copyright (C) 2008-2009 Martin Willi
1623++ * Hochschule fuer Technik Rapperswil
1624++ *
1625++ * This program is free software; you can redistribute it and/or modify it
1626++ * under the terms of the GNU General Public License as published by the
1627++ * Free Software Foundation; either version 2 of the License, or (at your
1628++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
1629++ *
1630++ * This program is distributed in the hope that it will be useful, but
1631++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
1632++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
1633++ * for more details.
1634++ */
1635++
1636++#include "gmpdh_plugin.h"
1637++
1638++#include <library.h>
1639++#include "../gmp/gmp_diffie_hellman.h"
1640++
1641++typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t;
1642++
1643++/**
1644++ * private data of gmp_plugin
1645++ */
1646++struct private_gmpdh_plugin_t {
1647++
1648++ /**
1649++ * public functions
1650++ */
1651++ gmpdh_plugin_t public;
1652++};
1653++
1654++METHOD(plugin_t, get_name, char*,
1655++ private_gmpdh_plugin_t *this)
1656++{
1657++ return "gmpdh";
1658++}
1659++
1660++METHOD(plugin_t, get_features, int,
1661++ private_gmpdh_plugin_t *this, plugin_feature_t *features[])
1662++{
1663++ static plugin_feature_t f[] = {
1664++ /* DH groups */
1665++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create),
1666++ PLUGIN_PROVIDE(KE, MODP_2048_BIT),
1667++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1668++ PLUGIN_PROVIDE(KE, MODP_2048_224),
1669++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1670++ PLUGIN_PROVIDE(KE, MODP_2048_256),
1671++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1672++ PLUGIN_PROVIDE(KE, MODP_1536_BIT),
1673++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1674++ PLUGIN_PROVIDE(KE, MODP_3072_BIT),
1675++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1676++ PLUGIN_PROVIDE(KE, MODP_4096_BIT),
1677++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1678++ PLUGIN_PROVIDE(KE, MODP_6144_BIT),
1679++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1680++ PLUGIN_PROVIDE(KE, MODP_8192_BIT),
1681++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1682++ PLUGIN_PROVIDE(KE, MODP_1024_BIT),
1683++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1684++ PLUGIN_PROVIDE(KE, MODP_1024_160),
1685++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1686++ PLUGIN_PROVIDE(KE, MODP_768_BIT),
1687++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1688++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create_custom),
1689++ PLUGIN_PROVIDE(KE, MODP_CUSTOM),
1690++ PLUGIN_DEPENDS(RNG, RNG_STRONG),
1691++ };
1692++ *features = f;
1693++ return countof(f);
1694++}
1695++
1696++METHOD(plugin_t, destroy, void,
1697++ private_gmpdh_plugin_t *this)
1698++{
1699++ free(this);
1700++}
1701++
1702++/*
1703++ * see header file
1704++ */
1705++plugin_t *gmpdh_plugin_create()
1706++{
1707++ private_gmpdh_plugin_t *this;
1708++
1709++ INIT(this,
1710++ .public = {
1711++ .plugin = {
1712++ .get_name = _get_name,
1713++ .get_features = _get_features,
1714++ .destroy = _destroy,
1715++ },
1716++ },
1717++ );
1718++
1719++ return &this->public.plugin;
1720++}
1721++
1722+--- /dev/null
1723++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
1724+@@ -0,0 +1,42 @@
1725++/*
1726++ * Copyright (C) 2008 Martin Willi
1727++ * Hochschule fuer Technik Rapperswil
1728++ *
1729++ * This program is free software; you can redistribute it and/or modify it
1730++ * under the terms of the GNU General Public License as published by the
1731++ * Free Software Foundation; either version 2 of the License, or (at your
1732++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
1733++ *
1734++ * This program is distributed in the hope that it will be useful, but
1735++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
1736++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
1737++ * for more details.
1738++ */
1739++
1740++/**
1741++ * @defgroup gmpdh_p gmpdh
1742++ * @ingroup plugins
1743++ *
1744++ * @defgroup gmpdh_plugin gmpdh_plugin
1745++ * @{ @ingroup gmpdh_p
1746++ */
1747++
1748++#ifndef GMPDH_PLUGIN_H_
1749++#define GMPDH_PLUGIN_H_
1750++
1751++#include <plugins/plugin.h>
1752++
1753++typedef struct gmpdh_plugin_t gmpdh_plugin_t;
1754++
1755++/**
1756++ * Plugin implementing asymmetric crypto algorithms using the GNU MP library.
1757++ */
1758++struct gmpdh_plugin_t {
1759++
1760++ /**
1761++ * implements plugin interface
1762++ */
1763++ plugin_t plugin;
1764++};
1765++
1766++#endif /** GMPDH_PLUGIN_H_ @}*/
1767--- /dev/null
1768+++ b/feeds/packages/net/strongswan/patches/0905-undef-wolfssl-RNG.patch
1769@@ -0,0 +1,12 @@
1770+--- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
1771++++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
1772+@@ -50,6 +50,9 @@
1773+ #ifndef FIPS_MODE
1774+ #define FIPS_MODE 0
1775+ #endif
1776++#ifdef RNG
1777++#undef RNG
1778++#endif
1779+
1780+ typedef struct private_wolfssl_plugin_t private_wolfssl_plugin_t;
1781+
1782--- a/feeds/packages/net/strongswan/patches/101-musl-fixes.patch
1783+++ /dev/null
1784@@ -1,83 +0,0 @@
1785---- a/src/libstrongswan/library.h
1786-+++ b/src/libstrongswan/library.h
1787-@@ -118,6 +118,7 @@
1788- #include "utils/leak_detective.h"
1789- #include "plugins/plugin_loader.h"
1790- #include "settings/settings.h"
1791-+#include "musl.h"
1792-
1793- typedef struct library_t library_t;
1794-
1795---- /dev/null
1796-+++ b/src/libstrongswan/musl.h
1797-@@ -0,0 +1,38 @@
1798-+#include <sys/types.h>
1799-+
1800-+#define crypt x_crypt
1801-+#define encrypt x_encrypt
1802-+#include <unistd.h>
1803-+
1804-+#define fd_set x_fd_set
1805-+#define ino_t x_ino_t
1806-+#define off_t x_off_t
1807-+#define loff_t x_loff_t
1808-+#define dev_t x_dev_t
1809-+#define mode_t x_mode_t
1810-+#define uid_t x_uid_t
1811-+#define gid_t x_gid_t
1812-+#define uint64_t x_uint64_t
1813-+#define u_int64_t x_u_int64_t
1814-+#define int64_t x_int64_t
1815-+#define nlink_t x_nlink_t
1816-+#define timer_t x_timer_t
1817-+#define blkcnt_t x_blkcnt_t
1818-+
1819-+#include <linux/types.h>
1820-+
1821-+#undef fd_set
1822-+#undef ino_t
1823-+#undef off_t
1824-+#undef dev_t
1825-+#undef mode_t
1826-+#undef uid_t
1827-+#undef gid_t
1828-+#undef uint64_t
1829-+#undef u_int64_t
1830-+#undef int64_t
1831-+#undef nlink_t
1832-+#undef timer_t
1833-+#undef blkcnt_t
1834-+#undef crypt
1835-+#undef encrypt
1836---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
1837-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
1838-@@ -40,6 +40,7 @@
1839- */
1840-
1841- #define _GNU_SOURCE
1842-+#include <musl.h>
1843- #include <sys/types.h>
1844- #include <sys/socket.h>
1845- #include <sys/ioctl.h>
1846---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
1847-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
1848-@@ -37,6 +37,8 @@
1849- * THE SOFTWARE.
1850- */
1851-
1852-+#include "musl.h"
1853-+
1854- #include <sys/socket.h>
1855- #include <sys/utsname.h>
1856- #include <linux/netlink.h>
1857---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
1858-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
1859-@@ -39,6 +39,8 @@
1860- * THE SOFTWARE.
1861- */
1862-
1863-+#include "musl.h"
1864-+
1865- #include <sys/socket.h>
1866- #include <linux/netlink.h>
1867- #include <linux/rtnetlink.h>
1868--- a/feeds/packages/net/strongswan/patches/203-uci.patch
1869+++ /dev/null
1870@@ -1,20 +0,0 @@
1871---- a/src/libcharon/plugins/uci/uci_parser.c
1872-+++ b/src/libcharon/plugins/uci/uci_parser.c
1873-@@ -75,7 +75,7 @@ METHOD(enumerator_t, section_enumerator_
1874- if (uci_lookup(this->ctx, &element, this->package,
1875- this->current->name, "name") == UCI_OK)
1876- { /* use "name" attribute as config name if available ... */
1877-- *value = uci_to_option(element)->value;
1878-+ *value = uci_to_option(element)->v.string;
1879- }
1880- else
1881- { /* ... or the section name becomes config name */
1882-@@ -90,7 +90,7 @@ METHOD(enumerator_t, section_enumerator_
1883- if (value && uci_lookup(this->ctx, &element, this->package,
1884- this->current->name, this->keywords[i]) == UCI_OK)
1885- {
1886-- *value = uci_to_option(element)->value;
1887-+ *value = uci_to_option(element)->v.string;
1888- }
1889- }
1890-
1891--- a/feeds/packages/net/strongswan/patches/210-sleep.patch
1892+++ /dev/null
1893@@ -1,11 +0,0 @@
1894---- a/src/ipsec/_ipsec.in
1895-+++ b/src/ipsec/_ipsec.in
1896-@@ -257,7 +257,7 @@ stop)
1897- loop=110
1898- while [ $loop -gt 0 ] ; do
1899- kill -0 $spid 2>/dev/null || break
1900-- sleep 0.1 2>/dev/null
1901-+ sleep 1 2>/dev/null
1902- if [ $? -ne 0 ]
1903- then
1904- sleep 1
1905--- a/feeds/packages/net/strongswan/patches/300-include-ipsec-hotplug.patch
1906+++ /dev/null
1907@@ -1,16 +0,0 @@
1908---- a/src/_updown/_updown.in
1909-+++ b/src/_updown/_updown.in
1910-@@ -22,6 +22,13 @@
1911- # that, and use the (left/right)updown parameters in ipsec.conf to make
1912- # strongSwan use yours instead of this default one.
1913-
1914-+# Add your custom commands to the file "/etc/ipsec.user". Other packages could
1915-+# also install their scripts in the directory "/etc/hotplug.d/ipsec".
1916-+# This files/scripts are executed by the openwrt hotplug functionality on
1917-+# ipsec events.
1918-+
1919-+/sbin/hotplug-call ipsec "$1"
1920-+
1921- # PLUTO_VERSION
1922- # indicates what version of this interface is being
1923- # used. This document describes version 1.1. This
1924--- a/feeds/packages/net/strongswan/patches/305-minimal_dh_plugin.patch
1925+++ /dev/null
1926@@ -1,221 +0,0 @@
1927---- a/configure.ac
1928-+++ b/configure.ac
1929-@@ -146,6 +146,7 @@ ARG_DISBL_SET([fips-prf], [disable
1930- ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.])
1931- ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.])
1932- ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.])
1933-+ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.])
1934- ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.])
1935- ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
1936- ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.])
1937-@@ -1478,6 +1479,7 @@ ADD_PLUGIN([botan], [s ch
1938- ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
1939- ADD_PLUGIN([fips-prf], [s charon nm cmd])
1940- ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
1941-+ADD_PLUGIN([gmpdh], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
1942- ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd])
1943- ADD_PLUGIN([agent], [s charon nm cmd])
1944- ADD_PLUGIN([keychain], [s charon cmd])
1945-@@ -1619,6 +1621,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
1946- AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
1947- AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
1948- AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
1949-+AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue)
1950- AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
1951- AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
1952- AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
1953-@@ -1896,6 +1899,7 @@ AC_CONFIG_FILES([
1954- src/libstrongswan/plugins/mgf1/Makefile
1955- src/libstrongswan/plugins/fips_prf/Makefile
1956- src/libstrongswan/plugins/gmp/Makefile
1957-+ src/libstrongswan/plugins/gmpdh/Makefile
1958- src/libstrongswan/plugins/curve25519/Makefile
1959- src/libstrongswan/plugins/rdrand/Makefile
1960- src/libstrongswan/plugins/aesni/Makefile
1961---- a/src/libstrongswan/Makefile.am
1962-+++ b/src/libstrongswan/Makefile.am
1963-@@ -345,6 +345,13 @@ if MONOLITHIC
1964- endif
1965- endif
1966-
1967-+if USE_GMPDH
1968-+ SUBDIRS += plugins/gmpdh
1969-+if MONOLITHIC
1970-+ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la
1971-+endif
1972-+endif
1973-+
1974- if USE_CURVE25519
1975- SUBDIRS += plugins/curve25519
1976- if MONOLITHIC
1977---- /dev/null
1978-+++ b/src/libstrongswan/plugins/gmpdh/Makefile.am
1979-@@ -0,0 +1,19 @@
1980-+AM_CPPFLAGS = \
1981-+ -I$(top_srcdir)/src/libstrongswan
1982-+
1983-+AM_CFLAGS = \
1984-+ $(PLUGIN_CFLAGS)
1985-+
1986-+if MONOLITHIC
1987-+noinst_LTLIBRARIES = libstrongswan-gmpdh.la
1988-+else
1989-+plugin_LTLIBRARIES = libstrongswan-gmpdh.la
1990-+endif
1991-+
1992-+libstrongswan_gmpdh_la_SOURCES = \
1993-+ gmpdh_plugin.h gmpdh_plugin.c \
1994-+ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h
1995-+
1996-+
1997-+libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC)
1998-+libstrongswan_gmpdh_la_LIBADD =
1999---- /dev/null
2000-+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c
2001-@@ -0,0 +1,101 @@
2002-+/*
2003-+ * Copyright (C) 2008-2009 Martin Willi
2004-+ * Hochschule fuer Technik Rapperswil
2005-+ *
2006-+ * This program is free software; you can redistribute it and/or modify it
2007-+ * under the terms of the GNU General Public License as published by the
2008-+ * Free Software Foundation; either version 2 of the License, or (at your
2009-+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
2010-+ *
2011-+ * This program is distributed in the hope that it will be useful, but
2012-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
2013-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
2014-+ * for more details.
2015-+ */
2016-+
2017-+#include "gmpdh_plugin.h"
2018-+
2019-+#include <library.h>
2020-+#include "../gmp/gmp_diffie_hellman.h"
2021-+
2022-+typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t;
2023-+
2024-+/**
2025-+ * private data of gmp_plugin
2026-+ */
2027-+struct private_gmpdh_plugin_t {
2028-+
2029-+ /**
2030-+ * public functions
2031-+ */
2032-+ gmpdh_plugin_t public;
2033-+};
2034-+
2035-+METHOD(plugin_t, get_name, char*,
2036-+ private_gmpdh_plugin_t *this)
2037-+{
2038-+ return "gmpdh";
2039-+}
2040-+
2041-+METHOD(plugin_t, get_features, int,
2042-+ private_gmpdh_plugin_t *this, plugin_feature_t *features[])
2043-+{
2044-+ static plugin_feature_t f[] = {
2045-+ /* DH groups */
2046-+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
2047-+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
2048-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2049-+ PLUGIN_PROVIDE(DH, MODP_2048_224),
2050-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2051-+ PLUGIN_PROVIDE(DH, MODP_2048_256),
2052-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2053-+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
2054-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2055-+ PLUGIN_PROVIDE(DH, MODP_3072_BIT),
2056-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2057-+ PLUGIN_PROVIDE(DH, MODP_4096_BIT),
2058-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2059-+ PLUGIN_PROVIDE(DH, MODP_6144_BIT),
2060-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2061-+ PLUGIN_PROVIDE(DH, MODP_8192_BIT),
2062-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2063-+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
2064-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2065-+ PLUGIN_PROVIDE(DH, MODP_1024_160),
2066-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2067-+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
2068-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2069-+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create_custom),
2070-+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
2071-+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
2072-+ };
2073-+ *features = f;
2074-+ return countof(f);
2075-+}
2076-+
2077-+METHOD(plugin_t, destroy, void,
2078-+ private_gmpdh_plugin_t *this)
2079-+{
2080-+ free(this);
2081-+}
2082-+
2083-+/*
2084-+ * see header file
2085-+ */
2086-+plugin_t *gmpdh_plugin_create()
2087-+{
2088-+ private_gmpdh_plugin_t *this;
2089-+
2090-+ INIT(this,
2091-+ .public = {
2092-+ .plugin = {
2093-+ .get_name = _get_name,
2094-+ .get_features = _get_features,
2095-+ .destroy = _destroy,
2096-+ },
2097-+ },
2098-+ );
2099-+
2100-+ return &this->public.plugin;
2101-+}
2102-+
2103---- /dev/null
2104-+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h
2105-@@ -0,0 +1,42 @@
2106-+/*
2107-+ * Copyright (C) 2008 Martin Willi
2108-+ * Hochschule fuer Technik Rapperswil
2109-+ *
2110-+ * This program is free software; you can redistribute it and/or modify it
2111-+ * under the terms of the GNU General Public License as published by the
2112-+ * Free Software Foundation; either version 2 of the License, or (at your
2113-+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
2114-+ *
2115-+ * This program is distributed in the hope that it will be useful, but
2116-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
2117-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
2118-+ * for more details.
2119-+ */
2120-+
2121-+/**
2122-+ * @defgroup gmpdh_p gmpdh
2123-+ * @ingroup plugins
2124-+ *
2125-+ * @defgroup gmpdh_plugin gmpdh_plugin
2126-+ * @{ @ingroup gmpdh_p
2127-+ */
2128-+
2129-+#ifndef GMPDH_PLUGIN_H_
2130-+#define GMPDH_PLUGIN_H_
2131-+
2132-+#include <plugins/plugin.h>
2133-+
2134-+typedef struct gmpdh_plugin_t gmpdh_plugin_t;
2135-+
2136-+/**
2137-+ * Plugin implementing asymmetric crypto algorithms using the GNU MP library.
2138-+ */
2139-+struct gmpdh_plugin_t {
2140-+
2141-+ /**
2142-+ * implements plugin interface
2143-+ */
2144-+ plugin_t plugin;
2145-+};
2146-+
2147-+#endif /** GMPDH_PLUGIN_H_ @}*/
2148--- a/feeds/packages/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch
2149+++ /dev/null
2150@@ -1,30 +0,0 @@
2151-From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
2152-From: Tobias Brunner <tobias@strongswan.org>
2153-Date: Tue, 28 Sep 2021 19:38:22 +0200
2154-Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
2155-
2156-random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
2157-equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
2158-directly to that offset before applying`% CACHE_SIZE` to get an index into
2159-the cache array. If the random value was very high, this resulted in an
2160-integer overflow and a negative index value and, therefore, an out-of-bounds
2161-access of the array and in turn dereferencing invalid pointers when trying
2162-to acquire the read lock. This most likely results in a segmentation fault.
2163-
2164-Fixes: 764e8b2211ce ("reimplemented certificate cache")
2165-Fixes: CVE-2021-41991
2166----
2167- src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
2168- 1 file changed, 1 insertion(+), 1 deletion(-)
2169-
2170---- a/src/libstrongswan/credentials/sets/cert_cache.c
2171-+++ b/src/libstrongswan/credentials/sets/cert_cache.c
2172-@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *
2173- for (try = 0; try < REPLACE_TRIES; try++)
2174- {
2175- /* replace a random relation */
2176-- offset = random();
2177-+ offset = random() % CACHE_SIZE;
2178- for (i = 0; i < CACHE_SIZE; i++)
2179- {
2180- rel = &this->relations[(i + offset) % CACHE_SIZE];
2181--- a/feeds/packages/net/strongswan/patches/710-strongswan-5.5.0-5.9.4_eap_success.patch
2182+++ /dev/null
2183@@ -1,138 +0,0 @@
2184-From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
2185-From: Tobias Brunner <tobias@strongswan.org>
2186-Date: Tue, 14 Dec 2021 10:51:35 +0100
2187-Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
2188-
2189-Without this, the authentication succeeded if the server sent an early
2190-EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
2191-which may be used in EAP-only scenarios but would complete without server
2192-or client authentication. For clients configured for such EAP-only
2193-scenarios, a rogue server could capture traffic after the tunnel is
2194-established or even access hosts behind the client. For non-mutual EAP
2195-methods, public key server authentication has been enforced for a while.
2196-
2197-A server previously could also crash a client by sending an EAP-Success
2198-immediately without initiating an actual EAP method.
2199-
2200-Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
2201-Fixes: CVE-2021-45079
2202----
2203- src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +-
2204- src/libcharon/plugins/eap_md5/eap_md5.c | 2 +-
2205- src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++-
2206- src/libcharon/sa/eap/eap_method.h | 8 ++++-
2207- .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++---
2208- 5 files changed, 40 insertions(+), 8 deletions(-)
2209-
2210---- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
2211-+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
2212-@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_
2213- METHOD(eap_method_t, get_msk, status_t,
2214- private_eap_gtc_t *this, chunk_t *msk)
2215- {
2216-- return FAILED;
2217-+ return NOT_SUPPORTED;
2218- }
2219-
2220- METHOD(eap_method_t, get_identifier, uint8_t,
2221---- a/src/libcharon/plugins/eap_md5/eap_md5.c
2222-+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
2223-@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_
2224- METHOD(eap_method_t, get_msk, status_t,
2225- private_eap_md5_t *this, chunk_t *msk)
2226- {
2227-- return FAILED;
2228-+ return NOT_SUPPORTED;
2229- }
2230-
2231- METHOD(eap_method_t, is_mutual, bool,
2232---- a/src/libcharon/plugins/eap_radius/eap_radius.c
2233-+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
2234-@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
2235- *out = msk;
2236- return SUCCESS;
2237- }
2238-- return FAILED;
2239-+ /* we assume the selected method did not establish an MSK, if it failed
2240-+ * to establish one, process() would have failed */
2241-+ return NOT_SUPPORTED;
2242- }
2243-
2244- METHOD(eap_method_t, get_identifier, uint8_t,
2245---- a/src/libcharon/sa/eap/eap_method.h
2246-+++ b/src/libcharon/sa/eap/eap_method.h
2247-@@ -114,10 +114,16 @@ struct eap_method_t {
2248- * Not all EAP methods establish a shared secret. For implementations of
2249- * the EAP-Identity method, get_msk() returns the received identity.
2250- *
2251-+ * @note Returning NOT_SUPPORTED is important for implementations of EAP
2252-+ * methods that don't establish an MSK. In particular as client because
2253-+ * key-generating EAP methods MUST fail to process EAP-Success messages if
2254-+ * no MSK is established.
2255-+ *
2256- * @param msk chunk receiving internal stored MSK
2257- * @return
2258-- * - SUCCESS, or
2259-+ * - SUCCESS, if MSK is established
2260- * - FAILED, if MSK not established (yet)
2261-+ * - NOT_SUPPORTED, for non-MSK-establishing methods
2262- */
2263- status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
2264-
2265---- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
2266-+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
2267-@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap
2268- this->method->destroy(this->method);
2269- return server_initiate_eap(this, FALSE);
2270- }
2271-- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
2272-+ switch (this->method->get_msk(this->method, &this->msk))
2273- {
2274-- this->msk = chunk_clone(this->msk);
2275-+ case SUCCESS:
2276-+ this->msk = chunk_clone(this->msk);
2277-+ break;
2278-+ case NOT_SUPPORTED:
2279-+ break;
2280-+ case FAILED:
2281-+ default:
2282-+ DBG1(DBG_IKE, "failed to establish MSK");
2283-+ goto failure;
2284- }
2285- if (vendor)
2286- {
2287-@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap
2288- return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
2289- case FAILED:
2290- default:
2291-+failure:
2292- /* type might have changed for virtual methods */
2293- type = this->method->get_type(this->method, &vendor);
2294- if (vendor)
2295-@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client,
2296- uint32_t vendor;
2297- auth_cfg_t *cfg;
2298-
2299-- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
2300-+ if (!this->method)
2301- {
2302-- this->msk = chunk_clone(this->msk);
2303-+ DBG1(DBG_IKE, "received unexpected %N",
2304-+ eap_code_names, eap_payload->get_code(eap_payload));
2305-+ return FAILED;
2306-+ }
2307-+ switch (this->method->get_msk(this->method, &this->msk))
2308-+ {
2309-+ case SUCCESS:
2310-+ this->msk = chunk_clone(this->msk);
2311-+ break;
2312-+ case NOT_SUPPORTED:
2313-+ break;
2314-+ case FAILED:
2315-+ default:
2316-+ DBG1(DBG_IKE, "received %N but failed to establish MSK",
2317-+ eap_code_names, eap_payload->get_code(eap_payload));
2318-+ return FAILED;
2319- }
2320- type = this->method->get_type(this->method, &vendor);
2321- if (vendor)
2322--- a/feeds/packages/net/strongswan/patches/720-strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch
2323+++ /dev/null
2324@@ -1,49 +0,0 @@
2325-From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
2326-From: Tobias Brunner <tobias@strongswan.org>
2327-Date: Tue, 28 Sep 2021 17:52:08 +0200
2328-Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
2329-
2330-The `salt_len` member in the struct is of type `ssize_t` because we use
2331-negative values for special automatic salt lengths when generating
2332-signatures.
2333-
2334-Not checking this could lead to an integer overflow. The value is assigned
2335-to the `len` field of a chunk (`size_t`), which is further used in
2336-calculations to check the padding structure and (if that is passed by a
2337-matching crafted signature value) eventually a memcpy() that will result
2338-in a segmentation fault.
2339-
2340-Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
2341-Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
2342-Fixes: CVE-2021-41990
2343----
2344- src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
2345- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
2346- 2 files changed, 6 insertions(+), 2 deletions(-)
2347-
2348---- a/src/libstrongswan/credentials/keys/signature_params.c
2349-+++ b/src/libstrongswan/credentials/keys/signature_params.c
2350-@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1,
2351- case RSASSA_PSS_PARAMS_SALT_LEN:
2352- if (object.len)
2353- {
2354-- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
2355-+ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
2356-+ if (params->salt_len < 0)
2357-+ {
2358-+ goto end;
2359-+ }
2360- }
2361- break;
2362- case RSASSA_PSS_PARAMS_TRAILER:
2363---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
2364-+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
2365-@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(pr
2366- int i;
2367- bool success = FALSE;
2368-
2369-- if (!params)
2370-+ if (!params || params->salt_len < 0)
2371- {
2372- return FALSE;
2373- }
2374--- a/feeds/packages/net/strongswan/patches/730-strongswan-5.1.0-5.9.7_cert_online_validate.patch
2375+++ /dev/null
2376@@ -1,200 +0,0 @@
2377-From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001
2378-From: Tobias Brunner <tobias@strongswan.org>
2379-Date: Fri, 22 Jul 2022 15:37:43 +0200
2380-Subject: [PATCH] credential-manager: Do online revocation checks only after
2381- basic trust chain validation
2382-
2383-This avoids querying URLs of potentially untrusted certificates, e.g. if
2384-an attacker sends a specially crafted end-entity and intermediate CA
2385-certificate with a CDP that points to a server that completes the
2386-TCP handshake but then does not send any further data, which will block
2387-the fetcher thread (depending on the plugin) for as long as the default
2388-timeout for TCP. Doing that multiple times will block all worker threads,
2389-leading to a DoS attack.
2390-
2391-The logging during the certificate verification obviously changes. The
2392-following example shows the output of `pki --verify` for the current
2393-strongswan.org certificate:
2394-
2395-new:
2396-
2397- using certificate "CN=www.strongswan.org"
2398- using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
2399- using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2400- reached self-signed root ca with a path length of 1
2401-checking certificate status of "CN=www.strongswan.org"
2402- requesting ocsp status from 'http://r3.o.lencr.org' ...
2403- ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
2404- ocsp response is valid: until Jul 27 12:59:58 2022
2405-certificate status is good
2406-checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
2407-ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
2408- fetching crl from 'http://x1.c.lencr.org/' ...
2409- using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2410- crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2411- crl is valid: until Apr 18 01:59:59 2023
2412-certificate status is good
2413-certificate trusted, lifetimes valid, certificate not revoked
2414-
2415-old:
2416-
2417- using certificate "CN=www.strongswan.org"
2418- using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
2419-checking certificate status of "CN=www.strongswan.org"
2420- requesting ocsp status from 'http://r3.o.lencr.org' ...
2421- ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
2422- ocsp response is valid: until Jul 27 12:59:58 2022
2423-certificate status is good
2424- using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2425-checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
2426-ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
2427- fetching crl from 'http://x1.c.lencr.org/' ...
2428- using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2429- crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
2430- crl is valid: until Apr 18 01:59:59 2023
2431-certificate status is good
2432- reached self-signed root ca with a path length of 1
2433-certificate trusted, lifetimes valid, certificate not revoked
2434-
2435-Note that this also fixes an issue with the previous dual-use of the
2436-`trusted` flag. It not only indicated whether the chain is trusted but
2437-also whether the current issuer is the root anchor (the corresponding
2438-flag in the `cert_validator_t` interface is called `anchor`). This was
2439-a problem when building multi-level trust chains for pre-trusted
2440-end-entity certificates (i.e. where `trusted` is TRUE from the start).
2441-This caused the main loop to get aborted after the first intermediate CA
2442-certificate and the mentioned `anchor` flag wasn't correct in any calls
2443-to `cert_validator_t` implementations.
2444-
2445-Fixes: CVE-2022-40617
2446----
2447- .../credentials/credential_manager.c | 54 +++++++++++++++----
2448- 1 file changed, 45 insertions(+), 9 deletions(-)
2449-
2450---- a/src/libstrongswan/credentials/credential_manager.c
2451-+++ b/src/libstrongswan/credentials/credential_manager.c
2452-@@ -555,7 +555,7 @@ static void cache_queue(private_credenti
2453- */
2454- static bool check_lifetime(private_credential_manager_t *this,
2455- certificate_t *cert, char *label,
2456-- int pathlen, bool trusted, auth_cfg_t *auth)
2457-+ int pathlen, bool anchor, auth_cfg_t *auth)
2458- {
2459- time_t not_before, not_after;
2460- cert_validator_t *validator;
2461-@@ -570,7 +570,7 @@ static bool check_lifetime(private_crede
2462- continue;
2463- }
2464- status = validator->check_lifetime(validator, cert,
2465-- pathlen, trusted, auth);
2466-+ pathlen, anchor, auth);
2467- if (status != NEED_MORE)
2468- {
2469- break;
2470-@@ -603,13 +603,13 @@ static bool check_lifetime(private_crede
2471- */
2472- static bool check_certificate(private_credential_manager_t *this,
2473- certificate_t *subject, certificate_t *issuer, bool online,
2474-- int pathlen, bool trusted, auth_cfg_t *auth)
2475-+ int pathlen, bool anchor, auth_cfg_t *auth)
2476- {
2477- cert_validator_t *validator;
2478- enumerator_t *enumerator;
2479-
2480- if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
2481-- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
2482-+ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth))
2483- {
2484- return FALSE;
2485- }
2486-@@ -622,7 +622,7 @@ static bool check_certificate(private_cr
2487- continue;
2488- }
2489- if (!validator->validate(validator, subject, issuer,
2490-- online, pathlen, trusted, auth))
2491-+ online, pathlen, anchor, auth))
2492- {
2493- enumerator->destroy(enumerator);
2494- return FALSE;
2495-@@ -725,6 +725,7 @@ static bool verify_trust_chain(private_c
2496- auth_cfg_t *auth;
2497- signature_params_t *scheme;
2498- int pathlen;
2499-+ bool is_anchor = FALSE;
2500-
2501- auth = auth_cfg_create();
2502- get_key_strength(subject, auth);
2503-@@ -742,7 +743,7 @@ static bool verify_trust_chain(private_c
2504- auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
2505- DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
2506- issuer->get_subject(issuer));
2507-- trusted = TRUE;
2508-+ trusted = is_anchor = TRUE;
2509- }
2510- else
2511- {
2512-@@ -777,11 +778,18 @@ static bool verify_trust_chain(private_c
2513- DBG1(DBG_CFG, " issuer is \"%Y\"",
2514- current->get_issuer(current));
2515- call_hook(this, CRED_HOOK_NO_ISSUER, current);
2516-+ if (trusted)
2517-+ {
2518-+ DBG1(DBG_CFG, " reached end of incomplete trust chain for "
2519-+ "trusted certificate \"%Y\"",
2520-+ subject->get_subject(subject));
2521-+ }
2522- break;
2523- }
2524- }
2525-- if (!check_certificate(this, current, issuer, online,
2526-- pathlen, trusted, auth))
2527-+ /* don't do online verification here */
2528-+ if (!check_certificate(this, current, issuer, FALSE,
2529-+ pathlen, is_anchor, auth))
2530- {
2531- trusted = FALSE;
2532- issuer->destroy(issuer);
2533-@@ -793,7 +801,7 @@ static bool verify_trust_chain(private_c
2534- }
2535- current->destroy(current);
2536- current = issuer;
2537-- if (trusted)
2538-+ if (is_anchor)
2539- {
2540- DBG1(DBG_CFG, " reached self-signed root ca with a "
2541- "path length of %d", pathlen);
2542-@@ -806,6 +814,34 @@ static bool verify_trust_chain(private_c
2543- DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
2544- call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
2545- }
2546-+ else if (trusted && online)
2547-+ {
2548-+ enumerator_t *enumerator;
2549-+ auth_rule_t rule;
2550-+
2551-+ /* do online revocation checks after basic validation of the chain */
2552-+ pathlen = 0;
2553-+ current = subject;
2554-+ enumerator = auth->create_enumerator(auth);
2555-+ while (enumerator->enumerate(enumerator, &rule, &issuer))
2556-+ {
2557-+ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
2558-+ {
2559-+ if (!check_certificate(this, current, issuer, TRUE, pathlen++,
2560-+ rule == AUTH_RULE_CA_CERT, auth))
2561-+ {
2562-+ trusted = FALSE;
2563-+ break;
2564-+ }
2565-+ else if (rule == AUTH_RULE_CA_CERT)
2566-+ {
2567-+ break;
2568-+ }
2569-+ current = issuer;
2570-+ }
2571-+ }
2572-+ enumerator->destroy(enumerator);
2573-+ }
2574- if (trusted)
2575- {
2576- result->merge(result, auth, FALSE);
developer5f389fd2023-11-23 17:16:30 +08002577--- a/package/kernel/linux/modules/crypto.mk
2578+++ b/package/kernel/linux/modules/crypto.mk
2579@@ -95,6 +95,18 @@ endef
2580 $(eval $(call KernelPackage,crypto-ccm))
2581
2582
2583+define KernelPackage/crypto-chacha20poly1305
2584+ TITLE:=ChaCha20-Poly1305 AEAD support, RFC7539 (used by strongSwan IPsec VPN)
2585+ DEPENDS:=+kmod-crypto-aead +kmod-crypto-manager
2586+ KCONFIG:=CONFIG_CRYPTO_CHACHA20POLY1305
2587+ FILES:=$(LINUX_DIR)/crypto/chacha20poly1305.ko
2588+ AUTOLOAD:=$(call AutoLoad,09,chacha20poly1305)
2589+ $(call AddDepends/crypto)
2590+endef
2591+
2592+$(eval $(call KernelPackage,crypto-chacha20poly1305))
2593+
2594+
2595 define KernelPackage/crypto-cmac
2596 TITLE:=Support for Cipher-based Message Authentication Code (CMAC)
2597 DEPENDS:=+kmod-crypto-hash