Merge pull request #15406 from pprindeville/strongswan-add-chacha20poly1305
authorPhilip Prindeville <philipp@redfish-solutions.com>
Wed, 14 Apr 2021 03:48:04 +0000 (21:48 -0600)
committerGitHub <noreply@github.com>
Wed, 14 Apr 2021 03:48:04 +0000 (21:48 -0600)
strongswan: handle chacha20poly1305 as AEAD

net/strongswan/Makefile
net/strongswan/files/swanctl.init

index 25249c81e81994adeca40a42022331b436994355..d58afad99871d94871e0183ccbcb8915f583faa1 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
index 21fc7e8ec5e066884344128467f9fae87d1fc6ab..58f168dcf53b835e1149899e81b779bb9290f903 100644 (file)
@@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
 
 WAIT_FOR_INTF=0
 
+CONFIG_FAIL=0
+
 time2seconds()
 {
        local timestring="$1"
@@ -128,12 +130,19 @@ warning() {
        echo "WARNING: $@" >&2
 }
 
+fatal() {
+       echo "ERROR: $@" >&2
+       CONFIG_FAIL=1
+}
+
 is_aead() {
        local cipher="$1"
 
        case "$cipher" in
        aes*gcm*|aes*ccm*|aes*gmac*)
                return 0 ;;
+       chacha20poly1305)
+               return 0 ;;
        esac
 
        return 1
@@ -150,7 +159,7 @@ add_esp_proposal() {
 
        # check for AEAD and clobber hash_algorithm if set
        if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
-               warning "Can't have $hash_algorithm with $encryption_algorithm"
+               fatal "Can't have $hash_algorithm with $encryption_algorithm"
                hash_algorithm=
        fi
 
@@ -160,11 +169,13 @@ add_esp_proposal() {
 
 parse_esp_proposal() {
        local conf="$1"
+       local var="$2"
+
        local crypto=""
 
        config_list_foreach "$conf" crypto_proposal add_esp_proposal
 
-       echo "$crypto"
+       export -n "$var=$crypto"
 }
 
 add_ike_proposal() {
@@ -180,7 +191,7 @@ add_ike_proposal() {
 
        # check for AEAD and clobber hash_algorithm if set
        if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
-               warning "Can't have $hash_algorithm with $encryption_algorithm"
+               fatal "Can't have $hash_algorithm with $encryption_algorithm"
                hash_algorithm=
        fi
 
@@ -190,11 +201,13 @@ add_ike_proposal() {
 
 parse_ike_proposal() {
        local conf="$1"
+       local var="$2"
+
        local crypto=""
 
        config_list_foreach "$conf" crypto_proposal add_ike_proposal
 
-       echo "$crypto"
+       export -n "$var=$crypto"
 }
 
 config_conn() {
@@ -228,7 +241,8 @@ config_conn() {
        config_get if_id "$1" if_id ""
        config_get rekeytime "$1" rekeytime ""
 
-       local esp_proposal="$(parse_esp_proposal "$1")"
+       local esp_proposal
+       parse_esp_proposal "$1" esp_proposal
 
        # translate from ipsec to swanctl
        case "$startaction" in
@@ -240,7 +254,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Startaction $startaction unknown"
+               fatal "Startaction $startaction unknown"
                startaction=
                ;;
        esac
@@ -256,7 +270,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Closeaction $closeaction unknown"
+               fatal "Closeaction $closeaction unknown"
                closeaction=
                ;;
        esac
@@ -278,7 +292,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Dpdaction $dpdaction unknown"
+               fatal "Dpdaction $dpdaction unknown"
                dpdaction=
                ;;
        esac
@@ -373,7 +387,7 @@ config_remote() {
                # already using new syntax
                ;;
        *)
-               warning "Fragmentation $fragmentation not supported"
+               fatal "Fragmentation $fragmentation not supported"
                fragmentation=
                ;;
        esac
@@ -387,9 +401,10 @@ config_remote() {
                local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
        }
 
-       local ike_proposal="$(parse_ike_proposal "$1")"
+       local ike_proposal
+       parse_ike_proposal "$1" ike_proposal
 
-       [ -n "$firewall" ] && warning "Firewall not supported"
+       [ -n "$firewall" ] && fatal "Firewall not supported"
 
        swanctl_xappend0 "# config for $config_name"
        swanctl_xappend0 "connections {"
@@ -428,7 +443,7 @@ config_remote() {
        ikev2)
                swanctl_xappend2 "version = 2" ;;
        *)
-               warning "Keyexchange $keyexchange not supported"
+               fatal "Keyexchange $keyexchange not supported"
                keyexchange=
                ;;
        esac
@@ -483,7 +498,7 @@ config_remote() {
                        fi
                fi
        else
-               warning "AuthenticationMode $auth_mode not supported"
+               fatal "AuthenticationMode $auth_mode not supported"
        fi
 
        swanctl_xappend0 ""
@@ -587,6 +602,11 @@ start_service() {
 
        [ $WAIT_FOR_INTF -eq 1 ] && return
 
+       if [ $CONFIG_FAIL -ne 0 ]; then
+               procd_set_param error "Invalid configuration"
+               return
+       fi
+
        procd_open_instance
 
        procd_set_param command $PROG --daemon charon --nofork
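Review bot: The new `chacha20poly1305)` arm in is_aead (hunk @@ -128,12 +130,19 @@) matches only the exact keyword, whereas the neighbouring `aes*gcm*|aes*ccm*|aes*gmac*` arms are globs; strongSwan also accepts the `chacha20poly1305compat` proposal keyword, and a proposal using it together with a hash_algorithm would pass the AEAD check and presumably be emitted with a trailing integrity algorithm, so widening the arm to `chacha20poly1305*)` keeps the check consistent with the AES patterns and makes the new fatal() path cover that variant too. Separately, fatal() records only a flag, so the procd error raised at the end of start_service is always the generic "Invalid configuration"; keeping the first message, e.g. `CONFIG_ERROR="${CONFIG_ERROR:-$*}"` in fatal() and passing `"${CONFIG_ERROR:-Invalid configuration}"` to `procd_set_param error`, would surface what was actually rejected. The `export -n "$var=$crypto"` assignments in parse_esp_proposal and parse_ike_proposal rely on the shell's export builtin accepting a name=value pair with -n, which busybox ash does, but a one-line comment there saying this replaces the earlier command substitution so that CONFIG_FAIL set inside add_*_proposal is not lost in a subshell would help the next reader.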