ipsec: Generate IKE proposals with PRFs

This is now a requirement for AEAD ciphers and strongswan
refuses to start.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/vpn/security-policies/performance b/config/vpn/security-policies/performance
index 0d4f0ee6363962f72c8719bc637089eaa7bb644e..30904b78b106f7d2ce71f4358e530bc5e998ac6d 100644 (file)
--- a/config/vpn/security-policies/performance
+++ b/config/vpn/security-policies/performance
@@ -2,6 +2,7 @@ CIPHER="CHACHA20-POLY1305 AES128-GCM128 AES128-CBC"
 COMPRESSION="off"
 GROUP_TYPE="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
 INTEGRITY="SHA256"
+PSEUDO_RANDOM_FUNCTION="SHA256"
 KEY_EXCHANGE="ikev2"
 LIFETIME="28800"
 PFS="on"

diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
index 5073447021a46434f1623176de3f3c959a88d9bd..3506f6892e568b3409b8b1bb603be682a05041ec 100644 (file)
--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -2,6 +2,7 @@ KEY_EXCHANGE="ikev2"
 CIPHER="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
 INTEGRITY="SHA512 SHA384 SHA256"
 GROUP_TYPE="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+PSEUDO_RANDOM_FUNCTION="SHA512 SHA384 SHA256"
 LIFETIME="28800"
 PFS="on"
 COMPRESSION="off"

diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index 8486617d26efe5e588d2e8ebb449b3b7808c9951..26b179985b91d132080eec754977605ddf2a86fc 100644 (file)
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
@@ -19,7 +19,8 @@
 #                                                                             #
 ###############################################################################
 
-VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS"
+VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE \
+       INTEGRITY PSEUDO_RANDOM_FUNCTION KEY_EXCHANGE LIFETIME PFS"
 VPN_SECURITY_POLICIES_READONLY="system performance"
 
 VPN_DEFAULT_SECURITY_POLICY="system"
@@ -174,6 +175,34 @@ declare -A CIPHER_TO_STRONGSWAN=(
        [NULL]="null"
 )
 
+declare -A VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTION=(
+       [MD5]="MD5"
+
+       # SHA
+       [SHA1]="SHA1"
+       [SHA256]="SHA256"
+       [SHA384]="SHA384"
+       [SHA512]="SHA512"
+
+       # AES
+       [AES-XCBC]="AES-XCBC"
+       [AES-CMAC]="AES-CMAC"
+)
+
+declare -A PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN=(
+       [MD5]="prfmd5"
+
+       # SHA
+       [SHA1]="prfsha1"
+       [SHA256]="prfsha256"
+       [SHA384]="prfsha384"
+       [SHA512]="prfsha512"
+
+       # AES
+       [AES-XCBC]="prfaesxcbc"
+       [AES-CMAC]="prfaescmac"
+)
+
 declare -A VPN_SUPPORTED_INTEGRITY=(
        [MD5]="MD5-HMAC"
 
@@ -1082,28 +1111,53 @@ _vpn_security_policies_make_ike_proposal() {
                        continue
                fi
 
-               local integrity
-               for integrity in ${INTEGRITY}; do
-                       local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+               if vpn_security_policies_cipher_is_aead "${cipher}"; then
+                       local prf
+                       for prf in ${PSEUDO_RANDOM_FUNCTION}; do
+                               local _prf="${PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN[${prf}]}"
 
-                       if ! isset _integrity; then
-                               log WARN "Unsupported integrity: ${integrity}"
-                               continue
-                       fi
+                               if ! isset _prf; then
+                                       log WARN "Unsupported pseudo random function: ${prf}"
+                                       continue
+                               fi
 
-                       local group_type
-                       for group_type in ${GROUP_TYPE}; do
-                               local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+                               local group_type
+                               for group_type in ${GROUP_TYPE}; do
+                                       local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
 
-                               if ! isset _group_type; then
-                                       log WARN "Unsupported group-type: ${group_type}"
+                                       if ! isset _group_type; then
+                                               log WARN "Unsupported group-type: ${group_type}"
+                                               continue
+                                       fi
+
+                                       # Put everything together
+                                       list_append proposals "${_cipher}-${_prf}-${_group_type}"
+                               done
+                       done
+               else
+                       local integrity
+                       for integrity in ${INTEGRITY}; do
+                               local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+
+                               if ! isset _integrity; then
+                                       log WARN "Unsupported integrity: ${integrity}"
                                        continue
                                fi
 
-                               # Put everything together
-                               list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+                               local group_type
+                               for group_type in ${GROUP_TYPE}; do
+                                       local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+                                       if ! isset _group_type; then
+                                               log WARN "Unsupported group-type: ${group_type}"
+                                               continue
+                                       fi
+
+                                       # Put everything together
+                                       list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+                               done
                        done
-               done
+               fi
        done
 
        # Returns as a comma-separated list