Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

strongswan: fail on serious configuration errors

Browse source 
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit is contained in:
Philip Prindeville 2021-04-12 22:42:05 -06:00
parent 210640d606
commit c95fd69973
1 changed files with 21 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
net/strongswan/files/swanctl.init
View file

@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
WAIT_FOR_INTF=0 WAIT_FOR_INTF=0
CONFIG_FAIL=0
time2seconds() time2seconds()
{ {
local timestring="$1" local timestring="$1"
@ -128,6 +130,11 @@ warning() {
echo "WARNING: $@" >&2 echo "WARNING: $@" >&2
} }
fatal() {
echo "ERROR: $@" >&2
CONFIG_FAIL=1
}
is_aead() { is_aead() {
local cipher="$1" local cipher="$1"
@ -150,7 +157,7 @@ add_esp_proposal() {
# check for AEAD and clobber hash_algorithm if set # check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm" fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm= hash_algorithm=
fi fi
@ -182,7 +189,7 @@ add_ike_proposal() {
# check for AEAD and clobber hash_algorithm if set # check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
warning "Can't have $hash_algorithm with $encryption_algorithm" fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm= hash_algorithm=
fi fi
@ -245,7 +252,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Startaction $startaction unknown" fatal "Startaction $startaction unknown"
startaction= startaction=
;; ;;
esac esac
@ -261,7 +268,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Closeaction $closeaction unknown" fatal "Closeaction $closeaction unknown"
closeaction= closeaction=
;; ;;
esac esac
@ -283,7 +290,7 @@ config_conn() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Dpdaction $dpdaction unknown" fatal "Dpdaction $dpdaction unknown"
dpdaction= dpdaction=
;; ;;
esac esac
@ -378,7 +385,7 @@ config_remote() {
# already using new syntax # already using new syntax
;; ;;
*) *)
warning "Fragmentation $fragmentation not supported" fatal "Fragmentation $fragmentation not supported"
fragmentation= fragmentation=
;; ;;
esac esac
@ -395,7 +402,7 @@ config_remote() {
local ike_proposal local ike_proposal
parse_ike_proposal "$1" ike_proposal parse_ike_proposal "$1" ike_proposal
[ -n "$firewall" ] && warning "Firewall not supported" [ -n "$firewall" ] && fatal "Firewall not supported"
swanctl_xappend0 "# config for $config_name" swanctl_xappend0 "# config for $config_name"
swanctl_xappend0 "connections {" swanctl_xappend0 "connections {"
@ -434,7 +441,7 @@ config_remote() {
ikev2) ikev2)
swanctl_xappend2 "version = 2" ;; swanctl_xappend2 "version = 2" ;;
*) *)
warning "Keyexchange $keyexchange not supported" fatal "Keyexchange $keyexchange not supported"
keyexchange= keyexchange=
;; ;;
esac esac
@ -489,7 +496,7 @@ config_remote() {
fi fi
fi fi
else else
warning "AuthenticationMode $auth_mode not supported" fatal "AuthenticationMode $auth_mode not supported"
fi fi
swanctl_xappend0 "" swanctl_xappend0 ""
@ -593,6 +600,11 @@ start_service() {
[ $WAIT_FOR_INTF -eq 1 ] && return [ $WAIT_FOR_INTF -eq 1 ] && return
if [ $CONFIG_FAIL -ne 0 ]; then
procd_set_param error "Invalid configuration"
return
fi
procd_open_instance procd_open_instance
procd_set_param command $PROG --daemon charon --nofork procd_set_param command $PROG --daemon charon --nofork