strongswan: Add support for EAP-MSCHAPv2 authentication

Support for EAP-MSCHAPv2 authentication scheme is added.

Different from the previously supported schemes, this one is
usually asymmetric in the way that server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.

A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.

Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>

diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 63525bfa05ad5cf9e7a902ac171b68e74d91a22f..d9869cc7d4105800f30507a8a64ab877b59a3cfc 100644 (file)
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.14
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/

diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 8a7e9a3ec5b62cdb78c4cf17e60fe1dc0d4d2c54..7fc4a0d10bc1b38ace63e48b92a088d4852e67eb 100644 (file)
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -421,6 +421,21 @@ config_pool() {
        swanctl_xappend1 "}"
 }
 
+config_mschapv2_secret() {
+       local conf="$1"
+
+       local id
+       local secret
+
+       config_get id "$conf" id
+       config_get secret "$conf" secret
+
+       swanctl_xappend1 "eap-${conf} {"
+       swanctl_xappend2 "id = $id"
+       swanctl_xappend2 "secret = $secret"
+       swanctl_xappend1 "}"
+}
+
 config_remote() {
        local conf="$1"
 
@@ -445,6 +460,7 @@ config_remote() {
        local rekeytime
        local remote_ca_certs
        local pools
+       local eap_id
 
        config_get_bool enabled "$conf" enabled 0
        [ $enabled -eq 0 ] && return
@@ -467,6 +483,7 @@ config_remote() {
        config_get rekeytime "$conf" rekeytime
        config_get overtime "$conf" overtime
        config_get send_cert "$conf" send_cert
+       config_get eap_id "$conf" eap_id "%any"
 
        config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
        config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs ","
@@ -526,11 +543,14 @@ config_remote() {
        [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
        [ -n "$pools" ] && swanctl_xappend2 "pools = $pools"
 
+       local local_auth_method="$auth_method"
+       [ "$auth_method" = "eap-mschapv2" ] && local_auth_method="pubkey"
+
        swanctl_xappend2 "local {"
-       swanctl_xappend3 "auth = $auth_method"
+       swanctl_xappend3 "auth = $local_auth_method"
 
        [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
-       [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
+       [ "$local_auth_method" = pubkey ] && [ -n "$local_cert" ] && \
            swanctl_xappend3 "certs = $local_cert"
        swanctl_xappend2 "}"
 
@@ -538,6 +558,7 @@ config_remote() {
        swanctl_xappend3 "auth = $auth_method"
        [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
        [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
+       [ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id"
        swanctl_xappend2 "}"
 
        swanctl_xappend2 "children {"
@@ -606,6 +627,9 @@ config_remote() {
                fi
                swanctl_xappend1 "}"
                swanctl_xappend0 "}"
+       elif [ "$auth_method" = eap-mschapv2 ]; then
+               # EAP-MSCHAPv2 secrets are handled in config_mschapv2_secrets globally
+               :  # empty command
        else
                fatal "AuthenticationMode $auth_mode not supported"
        fi
@@ -686,10 +710,17 @@ prepare_env() {
        config_foreach config_ipsec ipsec
        config_foreach config_remote remote
        
+       swanctl_xappend0 "# Global config"
+       swanctl_xappend0 ""
+       
        swanctl_xappend0 "pools {"
        config_foreach config_pool pools
        swanctl_xappend0 "}"
 
+       swanctl_xappend0 "secrets {"
+       config_foreach config_mschapv2_secret mschapv2_secrets
+       swanctl_xappend0 "}"
+
        do_postamble
 }