From 88d1876f382f3fad99502679abb9914c429c7a7d Mon Sep 17 00:00:00 2001
From: Martin Pecka
Date: Mon, 8 Jan 2024 01:24:07 +0100
Subject: [PATCH] strongswan: Add support for EAP-MSCHAPv2 authentication

Support for EAP-MSCHAPv2 authentication scheme is added. Different from the previously supported schemes, this one is usually asymmetric in the way that server auth method (pubkey) is different from the client auth method (eap-mschapv2). The code handles this asymmetry automatically. A new UCI config section mschapv2_secrets is added where the user can specify the EAP identities and their passwords that are accepted by the server. AFAIK, there is no way to select which EAP IDs should be accepted by which remote, except setting `eap_id` to something different than `%any`. But `eap_id` does not support template matching, so either only a single identity or all can be configured for one remote. This is why the EAP identities are not subsections of remotes, but are a standalone section.

Signed-off-by: Martin Pecka
Signed-off-by: Martin Pecka
---
net/strongswan/Makefile | 2 +-
net/strongswan/files/swanctl.init | 35 +++++++++++++++++++++++++++++--
2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 63525bfa05..d9869cc7d4 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.14
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 8a7e9a3ec5..7fc4a0d10b 100644
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -421,6 +421,21 @@ config_pool() { swanctl_xappend1 "}" } +config_mschapv2_secret() { + local conf="$1" + + local id + local secret + + config_get id "$conf" id + config_get secret "$conf" secret + + swanctl_xappend1 "eap-${conf} {" + swanctl_xappend2 "id = $id" + swanctl_xappend2 "secret = $secret" + swanctl_xappend1 "}" +} + config_remote() { local conf="$1" @@ -445,6 +460,7 @@ config_remote() { local rekeytime local remote_ca_certs local pools + local eap_id config_get_bool enabled "$conf" enabled 0 [ $enabled -eq 0 ] && return @@ -467,6 +483,7 @@ config_remote() { config_get rekeytime "$conf" rekeytime config_get overtime "$conf" overtime config_get send_cert "$conf" send_cert + config_get eap_id "$conf" eap_id "%any" config_list_foreach "$conf" local_sourceip append_var local_sourceip "," config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs "," @@ -526,11 +543,14 @@ config_remote() { [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation" [ -n "$pools" ] && swanctl_xappend2 "pools = $pools" + local local_auth_method="$auth_method" + [ "$auth_method" = "eap-mschapv2" ] && local_auth_method="pubkey" + swanctl_xappend2 "local {" - swanctl_xappend3 "auth = $auth_method" + swanctl_xappend3 "auth = $local_auth_method" [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\"" - [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \ + [ "$local_auth_method" = pubkey ] && [ -n "$local_cert" ] && \ swanctl_xappend3 "certs = $local_cert" swanctl_xappend2 "}" @@ -538,6 +558,7 @@ config_remote() { swanctl_xappend3 "auth = $auth_method" [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\"" [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\"" + [ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id" swanctl_xappend2 "}" swanctl_xappend2 "children {" 
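Review bot: `secret = $secret` and `id = $id` are written unquoted in the new config_mschapv2_secret, while the existing code in the same file quotes identifiers as `id = \"$local_identifier\"`; a password that contains whitespace, `#` or `}` can truncate or break the generated swanctl.conf, so emit `swanctl_xappend2 "id = \"$id\""` and `swanctl_xappend2 "secret = \"$secret\""` (a secret containing `"` or `\` would still need escaping). The same unquoted form appears in the later hunk that adds `eap_id = $eap_id` to the remote block. The function also accepts a section with an empty id or secret and silently writes an empty value; `[ -n "$id" ] && [ -n "$secret" ] || fatal "mschapv2_secrets $conf: id and secret are required"` would surface the misconfiguration at generation time. Because this section puts plaintext passwords into the generated file, it is worth confirming that the destination swanctl_xappend writes to (not visible in this hunk) is created with a restrictive mode.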
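Review bot: The `local_auth_method` override hard-codes the responder role for EAP-MSCHAPv2: the local side is always `pubkey` and the peer side keeps `auth = $auth_method`, i.e. `eap-mschapv2`, so a remote where this router is the EAP client (local `eap-mschapv2`, remote `pubkey`) cannot be expressed from UCI. If that limitation is intended, state it next to the override, e.g. `# EAP-MSCHAPv2 is responder-only here: we authenticate with pubkey, the peer with EAP`; otherwise the method would need to be selectable per side. The comparison style also differs between `"eap-mschapv2"` in this hunk and bare `eap-mschapv2` in the later checks; pick one form. config_remote begins and ends outside this hunk.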
@@ -606,6 +627,9 @@ config_remote() {
 fi
 swanctl_xappend1 "}"
 swanctl_xappend0 "}"
+ elif [ "$auth_method" = eap-mschapv2 ]; then
+ # EAP-MSCHAPv2 secrets are handled in config_mschapv2_secrets globally
+ : # empty command
 else
 fatal "AuthenticationMode $auth_mode not supported"
 fi
@@ -686,10 +710,17 @@ prepare_env() {
 config_foreach config_ipsec ipsec
 config_foreach config_remote remote
+ swanctl_xappend0 "# Global config"
+ swanctl_xappend0 ""
+
 swanctl_xappend0 "pools {"
 config_foreach config_pool pools
 swanctl_xappend0 "}"
+ swanctl_xappend0 "secrets {"
+ config_foreach config_mschapv2_secret mschapv2_secrets
+ swanctl_xappend0 "}"
+
 do_postamble
 }
--
2.30.2
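Review bot: The new `elif` branch turns EAP-MSCHAPv2 into a silent no-op, so a remote with `auth_method=eap-mschapv2` and no `mschapv2_secrets` section at all produces a config that can authenticate nobody, with no hint at generation time; a warning here would be more helpful than `: # empty command`. Note also that the pre-existing `fatal "AuthenticationMode $auth_mode not supported"` on the next context line references `$auth_mode`, while this branch and the other checks in the file test `$auth_method`; if those are not the same variable the error message prints an empty value, which is worth confirming separately from this commit. config_remote starts and ends outside the hunk.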