strongswan: swanctl: Add support for prf_algorithm

Support configuring the [Pseudo-Random Function] in addition to the encryption, integrity/hash, and DH group. This is particularly useful with AEAD ciphers, which don't have an integrity/hash algorithm from which the PRF can be derived, which can result in errors such as > a PRF algorithm is mandatory in IKE proposals The PRF algorithm can also be used with an integrity/hash algorithm to override the default mapping. [Pseudo-Random Function]: https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html#_pseudo_random_functions Fixes: openwrt#22245 Signed-off-by: Kevin Locke <[email protected]>
kevinoid · Dec 1, 2024 · cafdeef · cafdeef
1 parent 55a6cd4
commit cafdeef
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
@@ -159,10 +159,12 @@ config_esp_proposal() {
 
 	local encryption_algorithm
 	local hash_algorithm
+	local prf_algorithm
 	local dh_group
 
 	config_get encryption_algorithm "$conf" encryption_algorithm
 	config_get hash_algorithm "$conf" hash_algorithm
+	config_get prf_algorithm "$conf" prf_algorithm
 	config_get dh_group "$conf" dh_group
 
 	# check for AEAD and clobber hash_algorithm if set
@@ -172,7 +174,7 @@ config_esp_proposal() {
 	fi
 
 	[ -n "$encryption_algorithm" ] && \
-		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
+		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
 }
 
 iter_esp_proposal() {