From 9e4b2cdcc9e7d043cdf8da238c114de45fece605 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 16 Sep 2018 15:19:55 +0200
Subject: [PATCH] ipsec: Generate IKE proposals with PRFs

This is now a requirement for AEAD ciphers and strongswan refuses to start.

Signed-off-by: Michael Tremer
---
 config/vpn/security-policies/performance | 1 +
 config/vpn/security-policies/system | 1 +
 src/functions/functions.vpn-security-policies | 86 +++++++++++++++----
 3 files changed, 72 insertions(+), 16 deletions(-)

diff --git a/config/vpn/security-policies/performance b/config/vpn/security-policies/performance
index 0d4f0ee..30904b7 100644
--- a/config/vpn/security-policies/performance
+++ b/config/vpn/security-policies/performance
@@ -2,6 +2,7 @@ CIPHER="CHACHA20-POLY1305 AES128-GCM128 AES128-CBC"
 COMPRESSION="off"
 GROUP_TYPE="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
 INTEGRITY="SHA256"
+PSEUDO_RANDOM_FUNCTION="SHA256"
 KEY_EXCHANGE="ikev2"
 LIFETIME="28800"
 PFS="on"
diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
index 5073447..3506f68 100644
--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -2,6 +2,7 @@ KEY_EXCHANGE="ikev2"
 CIPHER="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
 INTEGRITY="SHA512 SHA384 SHA256"
 GROUP_TYPE="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+PSEUDO_RANDOM_FUNCTION="SHA512 SHA384 SHA256"
 LIFETIME="28800"
 PFS="on"
 COMPRESSION="off"
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index 8486617..26b1799 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
@@ -19,7 +19,8 @@
 #
 #
 ###############################################################################
-VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS"
+VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE \
+ INTEGRITY PSEUDO_RANDOM_FUNCTION KEY_EXCHANGE LIFETIME PFS"
 VPN_SECURITY_POLICIES_READONLY="system performance"
 VPN_DEFAULT_SECURITY_POLICY="system"
 
@@ -174,6 +175,34 @@ declare -A CIPHER_TO_STRONGSWAN=(
 [NULL]="null"
 )
 
+declare -A VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION=(
+ [MD5]="MD5"
+
+ # SHA
+ [SHA1]="SHA1"
+ [SHA256]="SHA256"
+ [SHA384]="SHA384"
+ [SHA512]="SHA512"
+
+ # AES
+ [AES-XCBC]="AES-XCBC"
+ [AES-CMAC]="AES-CMAC"
+)
+
+declare -A PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN=(
+ [MD5]="prfmd5"
+
+ # SHA
+ [SHA1]="prfsha1"
+ [SHA256]="prfsha256"
+ [SHA384]="prfsha384"
+ [SHA512]="prfsha512"
+
+ # AES
+ [AES-XCBC]="prfaesxcbc"
+ [AES-CMAC]="prfaescmac"
+)
+
 declare -A VPN_SUPPORTED_INTEGRITY=(
 [MD5]="MD5-HMAC"
 
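Review bot: `VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION` is declared in the second hunk but nothing in this patch reads it; only `PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN` is consulted when the proposal is built, and the diffstat shows no other file was touched. The `VPN_SUPPORTED_*` tables for the existing settings presumably back a validation or setter path outside this diff, so either the new setting cannot yet be set on user-created policies or that path needs the same hook — worth confirming before merging. The table also offers MD5 and SHA1 as PRFs, mirroring the INTEGRITY table; a short comment such as `# MD5 and SHA1 are kept for interoperability only and are not used by the built-in policies` would make the intent explicit to anyone extending the defaults.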
@@ -1082,28 +1111,53 @@ _vpn_security_policies_make_ike_proposal() {
 continue
 fi
 
- local integrity
- for integrity in ${INTEGRITY}; do
- local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+ if vpn_security_policies_cipher_is_aead "${cipher}"; then
+ local prf
+ for prf in ${PSEUDO_RANDOM_FUNCTION}; do
+ local _prf="${PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN[${prf}]}"
 
- if ! isset _integrity; then
- log WARN "Unsupported integrity: ${integrity}"
- continue
- fi
+ if ! isset _prf; then
+ log WARN "Unsupported pseudo random function: ${prf}"
+ continue
+ fi
 
- local group_type
- for group_type in ${GROUP_TYPE}; do
- local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
 
- if ! isset _group_type; then
- log WARN "Unsupported group-type: ${group_type}"
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_prf}-${_group_type}"
+ done
+ done
+ else
+ local integrity
+ for integrity in ${INTEGRITY}; do
+ local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+
+ if ! isset _integrity; then
+ log WARN "Unsupported integrity: ${integrity}"
 continue
 fi
 
- # Put everything together
- list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+ done
 done
- done
+ fi
 done
 
 # Returns as a comma-separated list
-- 
2.39.2
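Review bot: When a policy has no PSEUDO_RANDOM_FUNCTION — presumably any user-created policy saved before this change, since only the two read-only policies gain the key here — the `for prf in ${PSEUDO_RANDOM_FUNCTION}` loop in the AEAD branch never runs, so every AEAD cipher is dropped from the proposal without a warning while the CBC ciphers are still emitted; a policy listing only AEAD ciphers ends up with an empty proposal. A guard before the loop would make this visible, e.g. `if ! isset PSEUDO_RANDOM_FUNCTION; then` / `log WARN "No pseudo random function configured, skipping AEAD cipher ${cipher}"` / `fi`, or the PRF could be derived from INTEGRITY as a fallback. Separately, the group-type loop is now duplicated verbatim in both branches with only `${_prf}` versus `${_integrity}` differing; choosing the middle component first and running a single shared group-type loop would halve the hunk. `_vpn_security_policies_make_ike_proposal` starts before and ends after this hunk.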