strongswan: Add support for EAP-MSCHAPv2 authentication

Support for EAP-MSCHAPv2 authentication scheme is added.

Different from the previously supported schemes, this one is
usually asymmetric in the way that server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.

A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.

Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>

net/strongswan/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.14
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/

net/strongswan/files/swanctl.init

@@ -421,6 +421,21 @@ config_pool() {
 	swanctl_xappend1 "}"
 }
 
+config_mschapv2_secret() {
+	local conf="$1"
+
+	local id
+	local secret
+
+	config_get id "$conf" id
+	config_get secret "$conf" secret
+
+	swanctl_xappend1 "eap-${conf} {"
+	swanctl_xappend2 "id = $id"
+	swanctl_xappend2 "secret = $secret"
+	swanctl_xappend1 "}"
+}
+
 config_remote() {
 	local conf="$1"
 
@@ -445,6 +460,7 @@ config_remote() {
 	local rekeytime
 	local remote_ca_certs
 	local pools
+	local eap_id
 
 	config_get_bool enabled "$conf" enabled 0
 	[ $enabled -eq 0 ] && return
@@ -467,6 +483,7 @@ config_remote() {
 	config_get rekeytime "$conf" rekeytime
 	config_get overtime "$conf" overtime
 	config_get send_cert "$conf" send_cert
+	config_get eap_id "$conf" eap_id "%any"
 
 	config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
 	config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs ","
@@ -526,11 +543,14 @@ config_remote() {
 	[ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
 	[ -n "$pools" ] && swanctl_xappend2 "pools = $pools"
 
+	local local_auth_method="$auth_method"
+	[ "$auth_method" = "eap-mschapv2" ] && local_auth_method="pubkey"
+
 	swanctl_xappend2 "local {"
-	swanctl_xappend3 "auth = $auth_method"
+	swanctl_xappend3 "auth = $local_auth_method"
 
 	[ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
-	[ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
+	[ "$local_auth_method" = pubkey ] && [ -n "$local_cert" ] && \
 	    swanctl_xappend3 "certs = $local_cert"
 	swanctl_xappend2 "}"
 
@@ -538,6 +558,7 @@ config_remote() {
 	swanctl_xappend3 "auth = $auth_method"
 	[ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
 	[ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
+	[ "$auth_method" = eap-mschapv2 ] && swanctl_xappend3 "eap_id = $eap_id"
 	swanctl_xappend2 "}"
 
 	swanctl_xappend2 "children {"
@@ -606,6 +627,9 @@ config_remote() {
 		fi
 		swanctl_xappend1 "}"
 		swanctl_xappend0 "}"
+	elif [ "$auth_method" = eap-mschapv2 ]; then
+		# EAP-MSCHAPv2 secrets are handled in config_mschapv2_secrets globally
+		:  # empty command
 	else
 		fatal "AuthenticationMode $auth_mode not supported"
 	fi
@@ -686,10 +710,17 @@ prepare_env() {
 	config_foreach config_ipsec ipsec
 	config_foreach config_remote remote
 	
+	swanctl_xappend0 "# Global config"
+	swanctl_xappend0 ""
+	
 	swanctl_xappend0 "pools {"
 	config_foreach config_pool pools
 	swanctl_xappend0 "}"
 
+	swanctl_xappend0 "secrets {"
+	config_foreach config_mschapv2_secret mschapv2_secrets
+	swanctl_xappend0 "}"
+
 	do_postamble
 }