From a05eeb55749e9d71d334852e48a5e6fe59196dab Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Sun, 24 May 2026 13:23:01 -0600
Subject: [PATCH] strongswan: drop deprecated crypto protocols

AEAD, CCM, MD4, and MS CHAP v2 are all deprecated due to insecurity.

Signed-off-by: Philip Prindeville
---
 net/strongswan/Config.in | 5 +++++
 net/strongswan/Makefile | 21 +++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/net/strongswan/Config.in b/net/strongswan/Config.in
index b38493af2e..0936c95811 100644
--- a/net/strongswan/Config.in
+++ b/net/strongswan/Config.in
@@ -14,6 +14,11 @@ config STRONGSWAN_ROUTING_TABLE_PRIO
 prompt "Set the IPsec routing table priority"
 default "220"
 
+config STRONGSWAN_INCLUDE_INSECURE
+ bool
+ prompt "Include cryptographically weak protocols"
+ default !PACKAGE_libopenssl
+
 comment "Packages"
 
 endif
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index cd5aac86d4..2cd590ad2c 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=6.0.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@@ -26,7 +26,7 @@ PKG_MOD_AVAILABLE:= \
 attr \
 attr-sql \
 blowfish \
- ccm \
+ $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),ccm,) \
 chapoly \
 cmac \
 constraints \
@@ -43,7 +43,7 @@ PKG_MOD_AVAILABLE:= \
 eap-dynamic \
 eap-identity \
 eap-md5 \
- eap-mschapv2 \
+ $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),eap-mschapv2,) \
 eap-radius \
 eap-tls \
 farp \
@@ -62,7 +62,7 @@ PKG_MOD_AVAILABLE:= \
 led \
 load-tester \
 lookip \
- md4 \
+ $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),md4,) \
 md5 \
 mgf1 \
 mysql \
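Review bot: In net/strongswan/Config.in, `default !PACKAGE_libopenssl` turns STRONGSWAN_INCLUDE_INSECURE on for every build that does not select libopenssl, so the weak plugins stay included by default on those images. An option that re-enables deprecated algorithms is safer as opt-in: `default n`. The entry also has no `help` text; I would add a few lines naming what it controls (the ccm, md4 and eap-mschapv2 plugins and the kmod-crypto-aead dependency, per the Makefile hunks) and that it exists only for interoperability with legacy peers. If the libopenssl-based default is intentional, the reason should be stated in that help text.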
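Review bot: In the `@@ -26,7` hunk of net/strongswan/Makefile, `ccm` is placed behind the same switch as MD4 and MS-CHAPv2, but CCM is a standard AEAD mode (NIST SP 800-38C, used with ESP per RFC 4309) and is not known to be broken in the way those two are. Hiding it by default may break peers that negotiate AES-CCM proposals, while `blowfish` and `eap-md5`, visible as unchanged context in this hunk and the `@@ -43,7` one, stay unconditional. I would either leave the line as `ccm \` or state in a comment above PKG_MOD_AVAILABLE the criterion used for the gated set, e.g. `# gated: modules considered broken (md4, eap-mschapv2); revisit blowfish, eap-md5, md5`. The list begins and ends outside the hunk.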
@@ -103,7 +103,8 @@ PKG_MOD_AVAILABLE:= \
 PKG_CONFIG_DEPENDS:= \
 CONFIG_STRONGSWAN_ROUTING_TABLE \
 CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO \
- $(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE)) \
+ CONFIG_STRONGSWAN_INCLUDE_INSECURE \
+ $(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE))
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
@@ -130,7 +131,7 @@ define Package/strongswan
 $(call Package/strongswan/Default)
 MENU:=1
 DEPENDS:= +libpthread +ip \
- +kmod-crypto-aead \
+ +STRONGSWAN_INCLUDE_INSECURE:kmod-crypto-aead \
 +kmod-crypto-authenc \
 +kmod-crypto-cbc \
 +kmod-lib-zlib-inflate \
@@ -166,7 +167,7 @@ $(call Package/strongswan/Default)
 +strongswan-mod-attr \
 +strongswan-mod-attr-sql \
 +strongswan-mod-blowfish \
- +strongswan-mod-ccm \
+ +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-ccm \
 +strongswan-mod-chapoly \
 +strongswan-mod-cmac \
 +strongswan-mod-constraints \
@@ -183,7 +184,7 @@ $(call Package/strongswan/Default)
 +strongswan-mod-eap-dynamic \
 +strongswan-mod-eap-identity \
 +strongswan-mod-eap-md5 \
- +strongswan-mod-eap-mschapv2 \
+ +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-eap-mschapv2 \
 +strongswan-mod-eap-radius \
 +strongswan-mod-eap-tls \
 +strongswan-mod-farp \
@@ -200,7 +201,7 @@ $(call Package/strongswan/Default)
 +strongswan-mod-led \
 +strongswan-mod-load-tester \
 +strongswan-mod-lookip \
- +strongswan-mod-md4 \
+ +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-md4 \
 +strongswan-mod-md5 \
 +strongswan-mod-mgf1 \
 +strongswan-mod-mysql \
@@ -467,7 +468,7 @@ CONFIGURE_ARGS+= \
 --with-urandom-device=/dev/urandom \
 --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
 --with-routing-table-prio="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO))" \
- $(foreach m,$(PKG_MOD_AVAILABLE), \
+ $(foreach m,$(PKG_MOD_AVAILABLE) ccm eap-mschapv2 md4, \
 $(if $(CONFIG_PACKAGE_strongswan-mod-$(m)),--enable-$(m),--disable-$(m)) \
 ) \
 ac_cv_search___atomic_load=no
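Review bot: In the `@@ -103,7` hunk, PKG_CONFIG_DEPENDS is derived from a PKG_MOD_AVAILABLE that no longer contains ccm, eap-mschapv2 and md4 when the option is off, yet the `@@ -467,7` hunk still reads `CONFIG_PACKAGE_strongswan-mod-*` for those three when building CONFIGURE_ARGS. A change to one of those package symbols would then not be tracked as a config dependency, so a stale build could keep a weak plugin enabled or disabled contrary to .config. Listing them explicitly keeps tracking consistent: `$(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(sort $(PKG_MOD_AVAILABLE) ccm eap-mschapv2 md4))`.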
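Review bot: In the `@@ -130,7` hunk, `+STRONGSWAN_INCLUDE_INSECURE:kmod-crypto-aead` treats the kernel AEAD support module as a weak protocol, but AEAD is the interface class that also covers GCM and ChaCha20-Poly1305, which are the preferred ESP ciphers. With the option off the base package no longer requests it; whether another dependency still pulls it in is not visible from this hunk, and if nothing does, AEAD proposals could fail to install in the kernel. I would keep the line as `+kmod-crypto-aead \`. The DEPENDS list continues outside the hunk.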
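Review bot: In the `@@ -467,7` hunk, the appended `ccm eap-mschapv2 md4` in the `$(foreach ...)` list means the switch does not actually keep the weak plugins out of the build: each is still passed `--enable-$(m)` whenever its `CONFIG_PACKAGE_strongswan-mod-$(m)` symbol is set, regardless of CONFIG_STRONGSWAN_INCLUDE_INSECURE (assuming the plugin package definitions, which are outside this diff, remain selectable). When the option is on, the three names also appear twice in the list, so each flag is emitted twice. Handling the gated modules in a separate loop that requires both symbols makes the option authoritative and removes the duplicates. The CONFIGURE_ARGS block starts and ends outside the hunk.

```make
PKG_MOD_INSECURE:=ccm eap-mschapv2 md4
# … unchanged: CONFIGURE_ARGS entries up to --with-routing-table-prio …
	$(foreach m,$(filter-out $(PKG_MOD_INSECURE),$(PKG_MOD_AVAILABLE)), \
		$(if $(CONFIG_PACKAGE_strongswan-mod-$(m)),--enable-$(m),--disable-$(m)) \
	) \
	$(foreach m,$(PKG_MOD_INSECURE), \
		$(if $(and $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),$(CONFIG_PACKAGE_strongswan-mod-$(m))),--enable-$(m),--disable-$(m)) \
	) \
```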