From 210640d6069575f7e00e4ddd4ea5f3e773bfef94 Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Tue, 13 Apr 2021 12:32:57 -0600
Subject: [PATCH 1/3] strongswan: drop subshell when possible
A subshell caused by $(...) can't persistently modify globals as a side-effect.
Signed-off-by: Philip Prindeville
---
 net/strongswan/Makefile | 2 +-
 net/strongswan/files/swanctl.init | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 25249c81e..d58afad99 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 21fc7e8ec..344518e3c 100644
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -160,11 +160,13 @@ add_esp_proposal() {
 parse_esp_proposal() {
 local conf="$1"
+ local var="$2"
+ local crypto=""
 config_list_foreach "$conf" crypto_proposal add_esp_proposal
- echo "$crypto"
+ export -n "$var=$crypto"
 }
 add_ike_proposal() {
@@ -190,11 +192,13 @@ add_ike_proposal() {
 parse_ike_proposal() {
 local conf="$1"
+ local var="$2"
+ local crypto=""
 config_list_foreach "$conf" crypto_proposal add_ike_proposal
- echo "$crypto"
+ export -n "$var=$crypto"
 }
 config_conn() {
@@ -228,7 +232,8 @@ config_conn() {
 config_get if_id "$1" if_id ""
 config_get rekeytime "$1" rekeytime ""
- local esp_proposal="$(parse_esp_proposal "$1")"
+ local esp_proposal
+ parse_esp_proposal "$1" esp_proposal
 # translate from ipsec to swanctl
 case "$startaction" in
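Review bot: `export -n "$var=$crypto"` in parse_esp_proposal relies on `export -n`, which is a bash extension rather than POSIX; busybox ash appears to provide it only when built with its bash-compatibility options, so the assumption deserves a line above it such as `# export -n assigns into the caller's variable without a subshell (bash extension; confirm the target ash supports it)`. The same applies to the parse_ike_proposal hunk that follows. The new `local var="$2"` line also introduces an out-parameter convention that is easy to misuse, so a comment like `# $2 names the variable in the caller that receives the joined proposal list; the caller must declare it first` would help, and `local crypto=""` presumably exists so the add_esp_proposal callback appends into this function's variable rather than a global — worth saying so. Both hunks show the whole of their respective parse_ function.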
@@ -387,7 +392,8 @@ config_remote() {
 local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
 }
- local ike_proposal="$(parse_ike_proposal "$1")"
+ local ike_proposal
+ parse_ike_proposal "$1" ike_proposal
 [ -n "$firewall" ] && warning "Firewall not supported"
From c95fd699730c6671e8e719dccad3acfab3f3eca7 Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Mon, 12 Apr 2021 22:42:05 -0600
Subject: [PATCH 2/3] strongswan: fail on serious configuration errors
Signed-off-by: Philip Prindeville
---
 net/strongswan/files/swanctl.init | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 344518e3c..692cc2bbe 100644
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
 WAIT_FOR_INTF=0
+CONFIG_FAIL=0
+
 time2seconds() {
 local timestring="$1"
@@ -128,6 +130,11 @@ warning() {
 echo "WARNING: $@" >&2
 }
+fatal() {
+ echo "ERROR: $@" >&2
+ CONFIG_FAIL=1
+}
+
 is_aead() {
 local cipher="$1"
@@ -150,7 +157,7 @@ add_esp_proposal() {
 # check for AEAD and clobber hash_algorithm if set
 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
 hash_algorithm=
 fi
@@ -182,7 +189,7 @@ add_ike_proposal() {
 # check for AEAD and clobber hash_algorithm if set
 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
 hash_algorithm=
 fi
@@ -245,7 +252,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Startaction $startaction unknown"
+ fatal "Startaction $startaction unknown"
 startaction=
 ;;
 esac
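Review bot: fatal() sets CONFIG_FAIL but does not stop processing, and nothing in the hunk says so; a reader will easily assume it exits like a `die`, so a header comment is warranted, e.g. `# Report a fatal configuration error. Processing continues so every error is reported in one pass, but CONFIG_FAIL makes start_service refuse to launch charon.` The callers in the add_esp_proposal and add_ike_proposal hunks still blank the offending value (`hash_algorithm=`) after calling fatal; with the daemon now refusing to start, that blanking is only there to keep the rest of the pass quiet, which is worth stating in a short comment so it is not later mistaken for a working fallback. CONFIG_FAIL is a plain global initialised at the top of the file, so whether it is reset on a reload path is not visible in this diff.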
@@ -261,7 +268,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Closeaction $closeaction unknown"
+ fatal "Closeaction $closeaction unknown"
 closeaction=
 ;;
 esac
@@ -283,7 +290,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Dpdaction $dpdaction unknown"
+ fatal "Dpdaction $dpdaction unknown"
 dpdaction=
 ;;
 esac
@@ -378,7 +385,7 @@ config_remote() {
 # already using new syntax
 ;;
 *)
- warning "Fragmentation $fragmentation not supported"
+ fatal "Fragmentation $fragmentation not supported"
 fragmentation=
 ;;
 esac
@@ -395,7 +402,7 @@ config_remote() {
 local ike_proposal
 parse_ike_proposal "$1" ike_proposal
- [ -n "$firewall" ] && warning "Firewall not supported"
+ [ -n "$firewall" ] && fatal "Firewall not supported"
 swanctl_xappend0 "# config for $config_name"
 swanctl_xappend0 "connections {"
@@ -434,7 +441,7 @@ config_remote() {
 ikev2) swanctl_xappend2 "version = 2" ;;
 *)
- warning "Keyexchange $keyexchange not supported"
+ fatal "Keyexchange $keyexchange not supported"
 keyexchange=
 ;;
 esac
@@ -489,7 +496,7 @@ config_remote() {
 fi
 fi
 else
- warning "AuthenticationMode $auth_mode not supported"
+ fatal "AuthenticationMode $auth_mode not supported"
 fi
 swanctl_xappend0 ""
@@ -593,6 +600,11 @@ start_service() {
 [ $WAIT_FOR_INTF -eq 1 ] && return
+ if [ $CONFIG_FAIL -ne 0 ]; then
+ procd_set_param error "Invalid configuration"
+ return
+ fi
+
 procd_open_instance
 procd_set_param command $PROG --daemon charon --nofork
From ff33f4ccd358a8f4a9981a83c7b3807fa16cafb5 Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Mon, 12 Apr 2021 21:59:30 -0600
Subject: [PATCH 3/3] strongswan: handle chacha20poly1305 as AEAD
chacha20policy1305 is also an AEAD cipher, and hence does not permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville
---
 net/strongswan/files/swanctl.init | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 692cc2bbe..58f168dcf 100644
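Review bot: the new CONFIG_FAIL check in start_service calls `procd_set_param error` before `procd_open_instance`, and I cannot tell from this diff whether procd surfaces an error parameter set at service level rather than inside an instance; it is worth verifying on a device with a deliberately bad `startaction` that "Invalid configuration" actually shows up in `ubus call service list`, since otherwise the only trace of the refusal is the earlier stderr line from fatal(). The `if` line would also benefit from a comment such as `# fatal() flagged the configuration during parsing; refuse to start charon rather than run a partially translated config`, with the parsing location hedged since it is not visible here. Note the check sits after the `WAIT_FOR_INTF` early return, so while the service is waiting for an interface the invalid configuration is only reported once that trigger fires. start_service continues outside the hunk.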
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -141,6 +141,8 @@ is_aead() {
 case "$cipher" in
 aes*gcm*|aes*ccm*|aes*gmac*)
 return 0 ;;
+ chacha20poly1305)
+ return 0 ;;
 esac
 return 1
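Review bot: the new `chacha20poly1305)` arm is an exact match while the existing aes arms are globs; if strongswan also accepts a suffixed variant of this keyword (I believe an ESP compatibility variant exists, but confirm against the swanctl proposal keyword list), `chacha20poly1305*)` would cover it the same way the aes arms do. Either way a comment above the `case` would spare the next contributor from guessing at the intent, e.g. `# AEAD ciphers carry their own integrity check, so a separate hash_algorithm must not be combined with them`. The commit message spells the keyword "chacha20policy1305". is_aead begins outside the hunk; only its `case` statement and final `return 1` are visible here.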