晋太元中,武陵人捕鱼为业。缘溪行,忘路之远近。忽逢桃花林,夹岸数百步,中无杂树,芳草鲜美,落英缤纷。渔人甚异之,复前行,欲穷其林。 林尽水源,便得一山,山有小口,仿佛若有光。便舍船,从口入。初极狭,才通人。复行数十步,豁然开朗。土地平旷,屋舍俨然,有良田、美池、桑竹之属。阡陌交通,鸡犬相闻。其中往来种作,男女衣着,悉如外人。黄发垂髫,并怡然自乐。 见渔人,乃大惊,问所从来。具答之。便要还家,设酒杀鸡作食。村中闻有此人,咸来问讯。自云先世避秦时乱,率妻子邑人来此绝境,不复出焉,遂与外人间隔。问今是何世,乃不知有汉,无论魏晋。此人一一为具言所闻,皆叹惋。余人各复延至其家,皆出酒食。停数日,辞去。此中人语云:“不足为外人道也。”(间隔 一作:隔绝) 既出,得其船,便扶向路,处处志之。及郡下,诣太守,说如此。太守即遣人随其往,寻向所志,遂迷,不复得路。 南阳刘子骥,高尚士也,闻之,欣然规往。未果,寻病终。后遂无问津者。
# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
from subprocess import call, CalledProcessError
from tempfile import mkstemp
import os
from .configgenerator import ConfigGenerator
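class LibreswanGenerator(ConfigGenerator):
    """Render the enabled crypto policy as a libreswan ``conn %default`` section.

    ``generate_config`` builds the ``ikev2=``, ``pfs=``, ``ike=`` and ``esp=``
    lines; ``test_config`` asks ``/usr/sbin/ipsec readwriteconf`` to parse the
    result. ``cls.append`` and ``cls.eprint`` are inherited from
    ``ConfigGenerator`` and are not visible here.
    """

    CONFIG_NAME = 'libreswan'
    SCOPES = {'ipsec', 'ike', 'libreswan'}
    RELOAD_CMD = 'systemctl try-restart ipsec.service 2>/dev/null || :\n'

    # Policy group name -> libreswan DH group token. An empty string means
    # the group has no token emitted for it.
    group_map = {
        'X448': '',
        'X25519': '',
        # Disabled for now as it cannot be prioritized over others
        # 'X25519':'dh31',
        'SECP256R1': 'dh19',
        'SECP384R1': 'dh20',
        'SECP521R1': 'dh21',
        'FFDHE-6144': '',
        'FFDHE-1536': 'dh5',
        'FFDHE-2048': 'dh14',
        'FFDHE-3072': 'dh15',
        'FFDHE-4096': 'dh16',
        'FFDHE-8192': 'dh18'
    }

    # Policy cipher name -> libreswan cipher token. Ciphers missing from this
    # map are skipped for both the ike= and the esp= line.
    cipher_map = {
        'AES-256-CBC': 'aes256',
        'AES-192-CBC': 'aes192',
        'AES-128-CBC': 'aes128',
        'AES-256-GCM': 'aes_gcm256',
        'AES-192-GCM': 'aes_gcm192',
        'AES-128-GCM': 'aes_gcm128',
        'CHACHA20-POLY1305': 'chacha20_poly1305'
        # Unused for IKEv2
        # '3DES-CBC':'3des'
    }

    # "<cipher>-<mac>" -> PRF token used on the ike= line. Pairs that are not
    # listed (including every HMAC-SHA1 pair) contribute nothing.
    cipher_prf_map = {
        'AES-256-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-256-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-192-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-192-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-128-CBC-HMAC-SHA2-256': 'sha2_256',
        # Not needed for IKEv2
        # 'AES-256-CBC-HMAC-SHA1':'sha1',
        # 'AES-128-CBC-HMAC-SHA1':'sha1',
        'AES-256-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-256-GCM-HMAC-SHA2-256': 'sha2_256',
        'AES-192-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-192-GCM-HMAC-SHA2-256': 'sha2_256',
        'AES-128-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-128-GCM-HMAC-SHA2-256': 'sha2_256',
        'CHACHA20-POLY1305-HMAC-SHA2-512': 'sha2_512',
        'CHACHA20-POLY1305-HMAC-SHA2-256': 'sha2_256'
        # '3DES-CBC-HMAC-SHA1':'sha1'
    }

    # "<cipher>-<mac>" -> integrity token used on the esp= line. An empty
    # value marks an AEAD cipher, which is emitted without a separate MAC.
    cipher_mac_map = {
        'AES-256-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-192-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-256-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-192-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-128-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-256-CBC-HMAC-SHA1': 'sha1',
        'AES-192-CBC-HMAC-SHA1': 'sha1',
        'AES-128-CBC-HMAC-SHA1': 'sha1',
        'AES-256-GCM-AEAD': '',
        'AES-192-GCM-AEAD': '',
        'AES-128-GCM-AEAD': '',
        'CHACHA20-POLY1305-AEAD': ''
        # '3DES-CBC-HMAC-SHA1':'3des-sha1'
    }

    # Sort keys for the policy's MAC list; lower sorts first.
    mac_ike_prio_map = {
        'AEAD': 0,
        'HMAC-SHA2-512': 1,
        'HMAC-SHA2-256': 2,
        'HMAC-SHA1': 3
    }

    # NOTE(review): for ESP, HMAC-SHA1 sorts ahead of HMAC-SHA2-256, unlike
    # the IKE ordering above - confirm this is intentional.
    mac_esp_prio_map = {
        'AEAD': 0,
        'HMAC-SHA2-512': 1,
        'HMAC-SHA1': 2,
        'HMAC-SHA2-256': 3
    }

    @classmethod
    def __get_ike_prio(cls, key):
        """Return the IKE sort priority of MAC *key*; unknown MACs get 99."""
        return cls.mac_ike_prio_map.get(key, 99)

    @classmethod
    def __get_esp_prio(cls, key):
        """Return the ESP sort priority of MAC *key*; unknown MACs get 99."""
        return cls.mac_esp_prio_map.get(key, 99)

    @classmethod
    def generate_config(cls, policy):
        """Build the libreswan ``conn %default`` section for *policy*.

        Reads ``policy.enabled['protocol']``, ``['mac']``, ``['cipher']`` and
        ``['group']`` and returns the configuration text. The ``ike=`` and
        ``esp=`` lines are omitted when no usable combination remains.
        """
        cfg = 'conn %default\n'
        sep = ','
        p = policy.enabled

        # IKEv2 wins when both protocol versions are enabled.
        s = ''
        proto = p['protocol']
        if 'IKEv2' in proto:
            s = 'ikev2=insist'
        elif 'IKEv1' in proto:  # and 'IKEv2' not in proto
            s = 'ikev2=never'
        if s:
            cfg += '\t' + s + '\n'

        cfg += '\tpfs=yes\n'

        # ike= line: <cipher>-<prf+prf...>-<group+group...> per cipher.
        # cls.append presumably joins its first two arguments with the given
        # separator and skips empty parts - confirm against ConfigGenerator.
        sorted_macs = sorted(p['mac'],
                             key=cls.__get_ike_prio)
        tmp = ''
        for cipher in p['cipher']:
            try:
                cm = cls.cipher_map[cipher]
            except KeyError:
                continue

            combo = cm + '-'

            s = ''
            for mac in sorted_macs:
                try:
                    mm = cls.cipher_prf_map[cipher + '-' + mac]
                except KeyError:
                    continue

                s = cls.append(s, mm, '+')

            # A cipher with no usable PRF is left out of the proposal.
            if not s:
                continue

            combo += s

            s = ''
            for i in p['group']:
                try:
                    group = cls.group_map[i]
                except KeyError:
                    continue
                s = cls.append(s, group, '+')

            combo = cls.append(combo, s, '-')
            tmp = cls.append(tmp, combo, sep)

        if tmp:
            cfg += '\tike=' + tmp + '\n'

        # esp= line: <cipher>-<mac+mac...>, or the bare cipher for AEAD.
        sorted_macs = sorted(p['mac'], key=cls.__get_esp_prio)
        tmp = ''
        for cipher in p['cipher']:
            try:
                cm = cls.cipher_map[cipher]
            except KeyError:
                continue

            combo = cm + '-'
            s = ''
            for mac in sorted_macs:
                try:
                    mm = cls.cipher_mac_map[cipher + '-' + mac]
                except KeyError:
                    continue
                if not mm:
                    # Special handling for AEAD
                    combo = cm
                    break
                s = cls.append(s, mm, '+')

            combo += s
            # A trailing '-' means no integrity algorithm matched.
            if combo[-1:] == '-':
                continue

            tmp = cls.append(tmp, combo, sep)

        if tmp:
            cfg += '\tesp=' + tmp + '\n'
        return cfg

    @classmethod
    def test_config(cls, config):
        """Check that libreswan can parse *config*.

        Writes *config* to a temporary file and runs
        ``/usr/sbin/ipsec readwriteconf --config <file>``. Returns True when
        the command exits with 0, and also when ``/usr/sbin/ipsec`` is not
        executable (the check is skipped); returns False otherwise.
        """
        from subprocess import DEVNULL

        if not os.access('/usr/sbin/ipsec', os.X_OK):
            return True

        fd, path = mkstemp()

        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # Pass an argument vector instead of a shell string: the
                # temp path derives from the environment (e.g. TMPDIR) and
                # must not be re-parsed by a shell.
                ret = call(['/usr/sbin/ipsec', 'readwriteconf',
                            '--config', path],
                           stdout=DEVNULL)
            except OSError:
                # call() reports a failed exec as OSError; it never raises
                # CalledProcessError.
                cls.eprint("/usr/sbin/ipsec: Execution failed")
        finally:
            os.unlink(path)

        if ret:
            cls.eprint("There is an error in libreswan generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True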