Message ID | 20210920152831.2489077-2-martin.elshuber@theobroma-systems.com |
---|---|
State | Accepted |
Series | [v2,1/2] package/strongswan: Add options to select EAP plugins | expand |
Arnout, All, On 2021-09-27 19:00 +0200, Arnout Vandecappelle spake thusly: > On 20/09/2021 17:28, Martin Elshuber wrote: > >Add the option to enable the md4 hash algorithm and default it to 'no' > >since this is a new option. > > > >Since md4 is required by EAP-MSCHAPv2 it is selected by > >BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See > >https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for > >further details. > > > >--- > >Changes v1 -> v2: > >- change git title > > > >Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com> > >--- > > package/strongswan/Config.in | 4 ++++ > > package/strongswan/strongswan.mk | 1 + > > 2 files changed, 5 insertions(+) > > > >diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in > >index 8eae568b6a..21f84ebb71 100644 > >--- a/package/strongswan/Config.in > >+++ b/package/strongswan/Config.in > >@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20 > > config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC > > bool "Enable dynamic TNCCS protocol discovery module" > >+config BR2_PACKAGE_STRONGSWAN_MD4 > >+ bool "Enable MD4 hash algorithm" > >+ > > config BR2_PACKAGE_STRONGSWAN_EAP > > bool "Enable EAP protocols" 
> >@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC > > config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2 > > bool "Enable EAP-MSCHAPv2" > > default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy > >+ select BR2_PACKAGE_STRONGSWAN_MD4 > > This md4 option makes me realize: do we really want to add options for > broken security in a security package? OpenSSL has just deprecated MD4 in > 3.0.0. Well, there is a nice side effect to adding the md4 option: it is selected by EAP-MSCHAPv2, so a user that is concerned about the use of md4 will notice that they should also disable EAP-MSCHAPv2. If we do not add this option, it is forcibly enabled by strongswan when EAP-MSCHAPv2 is enabled, so this is hidden to the user... Regards, Yann E. MORIN. > Regards, > Arnout > > > config BR2_PACKAGE_STRONGSWAN_EAP_PEAP > > bool "Enable EAP-PEAP" > >diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk > >index 5fb4e6821a..c308d3a4f3 100644 > >--- a/package/strongswan/strongswan.mk > >+++ b/package/strongswan/strongswan.mk > >@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \ > > --enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ > > --enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ > > --enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \ > >+ --enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \ > > --enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \ > > --enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \ > > --enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \ > > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
Martin, All, On 2021-09-20 17:28 +0200, Martin Elshuber spake thusly: > Add the option to enable the md4 hash algorithm and default it to 'no' > since this is a new option. > > Since md4 is required by EAP-MSCHAPv2 it is selected by > BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See > https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for > further details. Applied to master, thanks. Regards, Yann E. MORIN. > --- > Changes v1 -> v2: > - change git title > > Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com> > --- > package/strongswan/Config.in | 4 ++++ > package/strongswan/strongswan.mk | 1 + > 2 files changed, 5 insertions(+) > > diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in > index 8eae568b6a..21f84ebb71 100644 > --- a/package/strongswan/Config.in > +++ b/package/strongswan/Config.in > @@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20 > config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC > bool "Enable dynamic TNCCS protocol discovery module" > > +config BR2_PACKAGE_STRONGSWAN_MD4 > + bool "Enable MD4 hash algorithm" > + > config BR2_PACKAGE_STRONGSWAN_EAP > bool "Enable EAP protocols" > > @@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC > config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2 > bool "Enable EAP-MSCHAPv2" > default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy > + select BR2_PACKAGE_STRONGSWAN_MD4 > > config BR2_PACKAGE_STRONGSWAN_EAP_PEAP > bool "Enable EAP-PEAP" > diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk > index 5fb4e6821a..c308d3a4f3 100644 > --- a/package/strongswan/strongswan.mk > +++ b/package/strongswan/strongswan.mk 
> @@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \ > --enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ > --enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ > --enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \ > + --enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \ > --enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \ > --enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \ > --enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \ > -- > 2.30.2 >
diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 8eae568b6a..21f84ebb71 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
 config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 bool "Enable dynamic TNCCS protocol discovery module"

+config BR2_PACKAGE_STRONGSWAN_MD4
+ bool "Enable MD4 hash algorithm"
+
 config BR2_PACKAGE_STRONGSWAN_EAP
 bool "Enable EAP protocols"

@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
 config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
 bool "Enable EAP-MSCHAPv2"
 default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+ select BR2_PACKAGE_STRONGSWAN_MD4

 config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
 bool "Enable EAP-PEAP"
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 5fb4e6821a..c308d3a4f3 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
 --enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 --enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 --enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
+ --enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
 --enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
 --enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
 --enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
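Review bot: The new `BR2_PACKAGE_STRONGSWAN_MD4` entry in the first Config.in hunk has a prompt but no `help` text, so nothing in menuconfig tells the user that this switches on a hash that is cryptographically broken. I would add two lines under the `bool`: `help` followed by `MD4 is cryptographically broken; enable it only for legacy methods that need it, such as EAP-MSCHAPv2.` The other entries visible in the hunk have no help either, so this may follow the file's habit, but a weak-algorithm switch is where the explanation matters most.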
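Review bot: The `select` added to `BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2` in the second Config.in hunk sits under `default y if BR2_PACKAGE_STRONGSWAN_EAP`, so MD4 is still built for any configuration that only turns EAP on; the "default no" in the commit message holds only when EAP-MSCHAPv2 is off. A trailing comment in the style of the `# legacy` one above would record why the select exists, for example `select BR2_PACKAGE_STRONGSWAN_MD4 # NT password hash uses MD4`. Hardened configurations need to deselect EAP-MSCHAPv2 explicitly, and it may be worth saying so in that entry's help text.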
Add the option to enable the md4 hash algorithm and default it to 'no' since this is a new option. Since md4 is required by EAP-MSCHAPv2 it is selected by BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for further details. --- Changes v1 -> v2: - change git title Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com> --- package/strongswan/Config.in | 4 ++++ package/strongswan/strongswan.mk | 1 + 2 files changed, 5 insertions(+)