summaryrefslogtreecommitdiffhomepage
path: root/applications/luci-app-strongswan-swanctl
diff options
context:
space:
mode:
Diffstat (limited to 'applications/luci-app-strongswan-swanctl')
-rw-r--r--applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js143
-rw-r--r--applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js166
2 files changed, 242 insertions, 67 deletions
diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js
new file mode 100644
index 0000000000..1ebbe59084
--- /dev/null
+++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js
@@ -0,0 +1,143 @@
+'use strict';
+'require baseclass';
+
+return baseclass.extend({
+
+ _encryptionAlgorithms: new Map([
+ ['3des', true],
+ ['cast128', true],
+ ['blowfish128', true],
+ ['blowfish192', true],
+ ['blowfish256', true],
+ ['null', true],
+ ['aes128'],
+ ['aes192'],
+ ['aes256'],
+ ['aes128ctr'],
+ ['aes192ctr'],
+ ['aes256ctr'],
+ ['camellia128'],
+ ['camellia192'],
+ ['camellia256'],
+ ['camellia128ctr'],
+ ['camellia192ctr'],
+ ['camellia256ctr']
+ ]),
+
+ _authenticatedEncryptionAlgorithms: new Map([
+ ['aes128ccm64'],
+ ['aes192ccm64'],
+ ['aes256ccm64'],
+ ['aes128ccm96'],
+ ['aes192ccm96'],
+ ['aes256ccm96'],
+ ['aes128ccm128'],
+ ['aes192ccm128'],
+ ['aes256ccm128'],
+ ['aes128gcm64'],
+ ['aes192gcm64'],
+ ['aes256gcm64'],
+ ['aes128gcm96'],
+ ['aes192gcm96'],
+ ['aes256gcm96'],
+ ['aes128gcm128'],
+ ['aes192gcm128'],
+ ['aes256gcm128'],
+ ['aes128gmac'],
+ ['aes192gmac'],
+ ['aes256gmac'],
+ ['camellia128ccm64'],
+ ['camellia192ccm64'],
+ ['camellia256ccm64'],
+ ['camellia128ccm96'],
+ ['camellia192ccm96'],
+ ['camellia256ccm96'],
+ ['camellia128ccm128'],
+ ['camellia192ccm128'],
+ ['camellia256ccm128'],
+ ['chacha20poly1305']
+ ]),
+
+ _hashAlgorithms: new Map([
+ ['md5', true],
+ ['md5_128', true],
+ ['sha1', true],
+ ['sha1_160', true],
+ ['aesxcbc'],
+ ['aescmac'],
+ ['aes128gmac'],
+ ['aes192gmac'],
+ ['aes256gmac'],
+ ['sha256'],
+ ['sha384'],
+ ['sha512'],
+ ['sha256_96']
+ ]),
+
+ _dhAlgorithms: new Map([
+ ['modp768', true],
+ ['modp1024', true],
+ ['modp1536', true],
+ ['modp2048'],
+ ['modp3072'],
+ ['modp4096'],
+ ['modp6144'],
+ ['modp8192'],
+ ['modp1024s160', true],
+ ['modp2048s224', true],
+ ['modp2048s256', true],
+ ['ecp192', true],
+ ['ecp224'],
+ ['ecp256'],
+ ['ecp384'],
+ ['ecp521'],
+ ['ecp224bp'],
+ ['ecp256bp'],
+ ['ecp384bp'],
+ ['ecp512bp'],
+ ['curve25519'],
+ ['curve448']
+ ]),
+
+ _prfAlgorithms: new Map([
+ ['prfmd5', true],
+ ['prfsha1', true],
+ ['prfaesxcbc'],
+ ['prfaescmac'],
+ ['prfsha256'],
+ ['prfsha384'],
+ ['prfsha512']
+ ]),
+
+ _getAlgorithmNames: function (algorithms) {
+ return Array.from(algorithms.keys());
+ },
+
+ isInsecure: function (algorithmName) {
+ return this._encryptionAlgorithms.get(algorithmName) == true
+ || this._authenticatedEncryptionAlgorithms.get(algorithmName) == true
+ || this._hashAlgorithms.get(algorithmName) == true
+ || this._dhAlgorithms.get(algorithmName) == true
+ || this._prfAlgorithms.get(algorithmName) == true;
+ },
+
+ getEncryptionAlgorithms: function () {
+ return this._getAlgorithmNames(this._encryptionAlgorithms);
+ },
+
+ getAuthenticatedEncryptionAlgorithms: function () {
+ return this._getAlgorithmNames(this._authenticatedEncryptionAlgorithms);
+ },
+
+ getHashAlgorithms: function () {
+ return this._getAlgorithmNames(this._hashAlgorithms);
+ },
+
+ getDiffieHellmanAlgorithms: function () {
+ return this._getAlgorithmNames(this._dhAlgorithms);
+ },
+
+ getPrfAlgorithms: function () {
+ return this._getAlgorithmNames(this._prfAlgorithms);
+ }
+});
diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js
index 59d0db3f4a..c2aeff2a7b 100644
--- a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js
+++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js
@@ -3,6 +3,17 @@
'require form';
'require uci';
'require tools.widgets as widgets';
+'require strongswan_algorithms';
+
+function addAlgorithms(o, algorithms) {
+ algorithms.forEach(function (algorithm) {
+ if (strongswan_algorithms.isInsecure(algorithm)) {
+ o.value(algorithm, '%s*'.format(algorithm));
+ } else {
+ o.value(algorithm);
+ }
+ });
+}
return view.extend({
render: function () {
@@ -103,12 +114,26 @@ return view.extend({
o.default = 'yes';
o.modalonly = true;
- o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'),
+ o = s.option(form.MultiValue, 'crypto_proposal', _('Crypto Proposal'),
_('List of IKE (phase 1) proposals to use for authentication'));
- o.value('encryption_algorithm');
- o.value('hash_algorithm');
- o.value('dh_group');
- o.value('prf_algorithm');
+ o.load = function (section_id) {
+ this.keylist = [];
+ this.vallist = [];
+
+ var sections = uci.sections('ipsec', 'crypto_proposal');
+ if (sections.length == 0) {
+ this.value('', _('Please create a Proposal first'));
+ } else {
+ sections.forEach(L.bind(function (section) {
+ if (section.is_esp != '1') {
+ this.value(section['.name']);
+ }
+ }, this));
+ }
+
+ return this.super('load', [section_id]);
+ };
+ o.rmempty = false;
o = s.option(form.MultiValue, 'tunnel', _('Tunnel'),
_('Name of ESP (phase 2) section'));
@@ -129,61 +154,6 @@ return view.extend({
};
o.rmempty = false;
- o = s.option(form.Value, 'authentication_method',
- _('Authentication Method'), _('IKE authentication (phase 1)'));
- o.datatype = 'string';
-
- s = m.section(form.TypedSection, 'ipsec',
- _('strongSwan General Settings'));
- s.anonymous = true;
-
- o = s.option(form.ListValue, 'encryption_algorithm',
- _('Encryption Algorithm'),
- '%s (aes128, aes192, aes256, 3des)'.format(_('Encryption method')));
- o.value('aes128');
- o.value('aes192');
- o.value('aes256');
- o.value('3des');
- o.rmempty = false;
-
- o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'),
- '%s (md5, sha1, sha2, ...)'.format(_('Hash algorithm')));
- o.value('md5');
- o.value('sha1');
- o.value('sha2');
- o.value('sha256');
- o.value('sha384');
- o.value('sha512');
- o.value('sha3_256');
- o.value('sha3_384');
- o.value('sha3_512');
- o.value('blake2s256');
- o.value('blake2b512');
- o.value('blake2s256');
- o.value('blake2b512');
- o.value('whirlpool');
- o.value('tiger');
- o.rmempty = false;
-
- o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'),
- '%s (modp768, modp1024, ...)'.format(_('Diffie-Hellman exponentiation')));
- o.value('modp768');
- o.value('modp1024');
- o.value('modp1536');
- o.value('modp2048');
- o.value('modp3072');
- o.value('modp4096');
- o.rmempty = false;
-
- o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'),
- _('Pseudo-Random Functions to use with IKE'));
- o.value('prf_hmac_md5');
- o.value('prfmd5');
- o.value('prfsha1');
- o.value('prfsha256');
- o.value('pfsha384');
- o.value('prfsha512');
-
// Tunnel Configuration
s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'),
_('Define Connection Children to be used as Tunnels in Remote Configurations.'));
@@ -207,13 +177,27 @@ return view.extend({
o.datatype = 'subnet';
o.modalonly = true;
- o = s.option(form.ListValue, 'crypto_proposal',
- _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals'));
- o.value('encryption_algorithm');
- o.value('hash_algorithm');
- o.value('dh_group');
- o.value('prf_algorithm');
- o.required = true;
+ o = s.option(form.MultiValue, 'crypto_proposal',
+ _('Crypto Proposal (Phase 2)'),
+ _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable'));
+ o.load = function (section_id) {
+ this.keylist = [];
+ this.vallist = [];
+
+ var sections = uci.sections('ipsec', 'crypto_proposal');
+ if (sections.length == 0) {
+ this.value('', _('Please create an ESP Proposal first'));
+ } else {
+ sections.forEach(L.bind(function (section) {
+ if (section.is_esp == '1') {
+ this.value(section['.name']);
+ }
+ }, this));
+ }
+
+ return this.super('load', [section_id]);
+ };
+ o.rmempty = false;
o = s.option(form.ListValue, 'startaction', _('Start Action'),
_('Action on initial configuration load'));
@@ -228,6 +212,54 @@ return view.extend({
o.datatype = 'file';
o.modalonly = true;
+ // Crypto Proposals
+ s = m.section(form.GridSection, 'crypto_proposal',
+ _('Encryption Proposals'),
+ _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.'));
+ s.addremove = true;
+ s.nodescriptions = true;
+
+ o = s.option(form.Flag, 'is_esp', _('ESP Proposal'),
+ _('Whether this is an ESP (phase 2) proposal or not'));
+
+ o = s.option(form.ListValue, 'encryption_algorithm',
+ _('Encryption Algorithm'),
+ _('Algorithms marked with * are considered insecure'));
+ o.default = 'aes256gcm128';
+ addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms());
+ addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms());
+
+
+ o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'),
+ _('Algorithms marked with * are considered insecure'));
+ strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) {
+ o.depends('encryption_algorithm', algorithm);
+ });
+ o.default = 'sha512';
+ o.rmempty = false;
+ addAlgorithms(o, strongswan_algorithms.getHashAlgorithms());
+
+ o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'),
+ _('Algorithms marked with * are considered insecure'));
+ o.default = 'modp3072';
+ addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms());
+
+ o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'),
+ _('Algorithms marked with * are considered insecure'));
+ o.validate = function (section_id, value) {
+ var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm');
+
+ if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes(
+ encryptionAlgorithm) && !value) {
+ return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm');
+ }
+
+ return true;
+ };
+ o.optional = true;
+ o.depends('is_esp', '0');
+ addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms());
+
return m.render();
}
});