This is now a requirement for AEAD ciphers and strongswan
refuses to start.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
COMPRESSION="off"
GROUP_TYPE="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
INTEGRITY="SHA256"
COMPRESSION="off"
GROUP_TYPE="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
INTEGRITY="SHA256"
+PSEUDO_RANDOM_FUNCTION="SHA256"
KEY_EXCHANGE="ikev2"
LIFETIME="28800"
PFS="on"
KEY_EXCHANGE="ikev2"
LIFETIME="28800"
PFS="on"
CIPHER="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
INTEGRITY="SHA512 SHA384 SHA256"
GROUP_TYPE="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
CIPHER="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
INTEGRITY="SHA512 SHA384 SHA256"
GROUP_TYPE="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+PSEUDO_RANDOM_FUNCTION="SHA512 SHA384 SHA256"
LIFETIME="28800"
PFS="on"
COMPRESSION="off"
LIFETIME="28800"
PFS="on"
COMPRESSION="off"
# #
###############################################################################
# #
###############################################################################
-VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS"
+VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE \
+ INTEGRITY PSEUDO_RANDOM_FUNCTION KEY_EXCHANGE LIFETIME PFS"
VPN_SECURITY_POLICIES_READONLY="system performance"
VPN_DEFAULT_SECURITY_POLICY="system"
VPN_SECURITY_POLICIES_READONLY="system performance"
VPN_DEFAULT_SECURITY_POLICY="system"
+declare -A VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION=(
+ [MD5]="MD5"
+
+ # SHA
+ [SHA1]="SHA1"
+ [SHA256]="SHA256"
+ [SHA384]="SHA384"
+ [SHA512]="SHA512"
+
+ # AES
+ [AES-XCBC]="AES-XCBC"
+ [AES-CMAC]="AES-CMAC"
+)
+
+declare -A PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN=(
+ [MD5]="prfmd5"
+
+ # SHA
+ [SHA1]="prfsha1"
+ [SHA256]="prfsha256"
+ [SHA384]="prfsha384"
+ [SHA512]="prfsha512"
+
+ # AES
+ [AES-XCBC]="prfaesxcbc"
+ [AES-CMAC]="prfaescmac"
+)
+
declare -A VPN_SUPPORTED_INTEGRITY=(
[MD5]="MD5-HMAC"
declare -A VPN_SUPPORTED_INTEGRITY=(
[MD5]="MD5-HMAC"
- local integrity
- for integrity in ${INTEGRITY}; do
- local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+ if vpn_security_policies_cipher_is_aead "${cipher}"; then
+ local prf
+ for prf in ${PSEUDO_RANDOM_FUNCTION}; do
+ local _prf="${PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN[${prf}]}"
- if ! isset _integrity; then
- log WARN "Unsupported integrity: ${integrity}"
- continue
- fi
+ if ! isset _prf; then
+ log WARN "Unsupported pseudo random function: ${prf}"
+ continue
+ fi
- local group_type
- for group_type in ${GROUP_TYPE}; do
- local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
- if ! isset _group_type; then
- log WARN "Unsupported group-type: ${group_type}"
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_prf}-${_group_type}"
+ done
+ done
+ else
+ local integrity
+ for integrity in ${INTEGRITY}; do
+ local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+
+ if ! isset _integrity; then
+ log WARN "Unsupported integrity: ${integrity}"
- # Put everything together
- list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+ done
done
# Returns as a comma-separated list
done
# Returns as a comma-separated list