path: root/net/strongswan/Makefile
Commit message (Author, Age)
* strongswan: Update to 5.9.10 (Philip Prindeville, 2023-03-12)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Update to 5.9.9 (Philip Prindeville, 2023-03-12)
|   Add patch to remove definition of RNG leaking in from wolfssl.h.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix typo in strongswan-mod-nonce description (Stijn Tintel, 2022-12-28)
|   Fixes: #16691
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: Update to 5.9.8 (Philip Prindeville, 2022-11-08)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* treewide: fix security issues by bumping all packages using libwolfssl (Petr Štetiar, 2022-10-04)
|   As wolfSSL is having a hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would end up with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0.
|
|   So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library.
|
|   Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide: fix security issues by bumping all packages using libwolfssl").
|
|   Signed-off-by: Petr Štetiar <ynezz@true.cz>
* Revert "strongswan: add strongswan-mod-socket" (Stijn Tintel, 2022-08-16)
|   The original PR for this change is #16373, where it's clearly stated it doesn't work. This should have never been merged. It causes the following recursive dependency:
|
|   tmp/.config-package.in:122354:error: recursive dependency detected!
|   tmp/.config-package.in:122354: symbol PACKAGE_strongswan-default depends on PACKAGE_strongswan-mod-socket-default
|   tmp/.config-package.in:123534: symbol PACKAGE_strongswan-mod-socket-default is selected by PACKAGE_strongswan-default
|
|   This reverts commit 603f70e96b4dc1b9e442a38cb692de519c1cd54a.
|
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Merge pull request #16367 from pprindeville/strongswan-mod-socket-dep (Philip Prindeville, 2022-08-15)
|\
| |   strongswan: Add dependency to virtual package strongswan-mod-socket
| * strongswan: add strongswan-mod-socket (Stijn Tintel, 2022-02-03)
| |   This is a virtual package that is satisfied by either strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is required by the charon daemon. When neither of these packages is installed, charon will not function.
| |
| |   Closes #16261, #16263 and #16367.
| |
| |   Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | Merge pull request #19146 from pprindeville/strongswan-include-mgf1 (Philip Prindeville, 2022-08-10)
|\ \
| | |   strongswan: bundle mgf1 with everything
| * | strongswan: bundle mgf1 with everything (Philip Prindeville, 2022-08-10)
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | strongswan: try to model kdf optional dependencies (Noel Kuntze, 2022-08-11)
| | |   Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
* | | strongswan: Update to 5.9.7 (Philip Prindeville, 2022-08-08)
|/ /
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | Merge pull request #18654 from pprindeville/strongswan-need-kmod-chapoly (Philip Prindeville, 2022-06-02)
|\ \
| | |   strongswan: add kernel module dependency on chapoly
| * | strongswan: add kernel module dependency on chapoly (Philip Prindeville, 2022-05-31)
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | Merge pull request #18312 from lowjoel/strongswan-wolfssl (Philip Prindeville, 2022-05-06)
|\ \ \
| | | |   strongswan: add wolfssl plugin
| * | | strongswan: add wolfssl plugin (Derek Yerger, 2022-04-16)
| | | |   Signed-off-by: Derek Yerger <derek@altdevs.net>
| | | |   Signed-off-by: Joel Low <joel@joelsplace.sg>
* | | | Merge pull request #18439 from pprindeville/strongswan-update-5.9.6 (Philip Prindeville, 2022-05-06)
|\ \ \ \
| |_|/ /
|/| | |
| | | |   strongswan: Update to 5.9.6
| * | | strongswan: Update to 5.9.6 (Philip Prindeville, 2022-05-02)
| | | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | | strongswan: do not force to use iptable-legacy (Florian Eckert, 2022-04-06)
| |/ /
|/| |
| | |   The default firewall is the fw4, which uses nft. In order to not install the legacy implementation when installing strongswan, the build system should decide which firewall backend to use.
| | |
| | |   While we are at it, I have also added the dependency packages for IPV6.
| | |
| | |   Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* | | strongswan: fix forecast plugin dependency (Stijn Tintel, 2022-03-30)
| | |   The forecast plugin does not require the iptables binary, it uses libiptc instead.
| | |
| | |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | | strongswan: fix connmark plugin dependency (Stijn Tintel, 2022-03-30)
| | |   The connmark plugin does not require the iptables binary, it uses libiptc instead.
| | |
| | |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | | strongswan: move iptables deps to updown plugin (Stijn Tintel, 2022-03-30)
|/ /
| |   Let's move the iptables IPsec dependencies out of the strongswan package and into the plugin package that actually depends on it, strongswan-mod-updown. As the default updown script calls the iptables binary, also add a dependency on the iptables-legacy package.
| |
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | treewide: remove rpath-link (Rosen Penev, 2022-03-13)
| |   Most usages seem to be outdated and fixed a long time ago.
| |
| |   Signed-off-by: Rosen Penev <rosenp@gmail.com>
* | strongswan: add missing dependencies (Stijn Tintel, 2022-03-04)
| |   Fix the following build failures by adding the missing dependencies:
| |
| |   Package strongswan-mod-connmark is missing dependencies for the following libraries:
| |   libip4tc.so.2
| |   Package strongswan-mod-forecast is missing dependencies for the following libraries:
| |   libip4tc.so.2
| |
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | strongswan: Update to 5.9.5 (Philip Prindeville, 2022-02-01)
|/
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Bump to 5.9.4 (Philip Prindeville, 2021-10-28)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add /etc/config/ipsec to sysupgrade list (Philip Prindeville, 2021-08-01)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: update to version 5.9.3 (Noel Kuntze, 2021-07-18)
|   Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
* strongswan: trivial improvement in 'stroke' packaging (Philip Prindeville, 2021-07-01)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: rename config functions (Philip Prindeville, 2021-06-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix PSK config generation (Vincent Wiemann, 2021-06-18)
|   There were closing curly braces missing and it was checking for empty strings while it should have been checking for non-empty strings.
|
|   Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
* strongswan: use correct directory for CA's (Philip Prindeville, 2021-06-17)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix sharing of ipsec section variables (Philip Prindeville, 2021-06-17)
|   Variables set in config_ipsec() need to be shared with do_postamble() function, so change scoping to parent (prepare_env()).
|
|   Also, remove unused settings like "remote_sourceip", "reqid", and "packet_marker".
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: start charon directly from swanctl (Philip Prindeville, 2021-06-02)
|   ipsec uses starter, and reads /etc/ipsec.conf (which then includes /var/ipsec/ipsec.conf, etc). This is overly complicated, and can be problematic if you're using both swanctl and ipsec for migration.
|
|   Running charon directly from procd via the init.d script avoids all of this.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: make default bundle use swanctl (Philip Prindeville, 2021-05-10)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: change name of config base directory (Philip Prindeville, 2021-04-15)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add certificate generation utility (Philip Prindeville, 2021-04-15)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add deprecation warning to ipsec script (Philip Prindeville, 2021-04-14)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: drop subshell when possible (Philip Prindeville, 2021-04-13)
|   A subshell caused by $(...) can't persistently modify globals as a side-effect.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: libnttft must not select strongswan (Eneas U de Queiroz, 2021-04-09)
|   The strongswan-libnttfft package should not select the strongswan package, but should depend on it instead. Otherwise a circular dependency is created.
|
|   Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* Merge pull request #6924 from derekyerger/strongswan-lattice-sha3 (Philip Prindeville, 2021-04-08)
|\
| |   strongswan: add more crypto plugins
| * strongswan: add more crypto plugins (Derek Yerger, 2021-04-05)
| |   Adds modules for BLISS signature scheme, NTRU and New Hope key exchange algorithms, and dependencies ChaCha20-Poly1305 AEAD, ChaCha20 XOF, MGF1 mask generation function, SHA3 hasher SHAKE XOF, and the Number Theoretic Transform library.
| |
| |   Signed-off-by: Derek Yerger <derek@altdevs.net>
* | strongswan: bump to 5.9.2 (Philip Prindeville, 2021-04-05)
| |   Retire weak algorithms like MD5 and 3DES.
| |
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: force PIC on all builds (Philip Prindeville, 2021-04-05)
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: migrate to swanctl configs (Philip Prindeville, 2021-04-04)
| |   Derived from the ipsec initd script, with the following changes:
| |
| |   (1) various code improvements, corrections (get rid of left/right updown scripts, since there's only one), etc;
| |   (2) add reauth and fragmentation parameters;
| |   (3) add x.509 certificate-based authentication;
| |
| |   and other minor changes.
| |
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: remove synthesized ipsec conf files (Philip Prindeville, 2021-04-01)
| |   If you shut down ipsec service, and it doesn't clean up /var/ipsec/ipsec.conf, then when you start swanctl service it might see an incompatible file on startup.
| |
| |   Remedy is to remove unneeded files when shutting down the service. They can always be regenerated when the service starts again.
| |
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: move ipsec conf files to subpackage (Philip Prindeville, 2021-03-31)
|/
|   These config files are only used by the ipsec interface to charon, and shouldn't be part of the base package.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: make the include's in the .conf files persistent (Philip Prindeville, 2021-03-26)
|   Having scripts diddle user written config files seems potentially dangerous. Plus there's really no downside to including some empty files. Best to just make the includes be permanent.
|
|   Additional feature suggested by Luiz: if a -opkg version of the config file was created unnecessarily, remove it as part of the upgrade process since changes won't be happening to that file as an artifact of the service starting.
|
|   The include lines are now permanent, which means that (1) additional configuration synthesized by UCI won't be anywhere that opkg (or sysupgrade, for that matter) cares about since it won't be persistent, and (2) if changes are being made, then they're being done by a person with an editor and they really should be distinguished.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: change maintainers (Philip Prindeville, 2021-03-25)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix local_gateway discovery (Philip Prindeville, 2021-02-16)
|   This has been observed by myself and @luizluca: ip route get is appending uid0 to the output, as seen from:
|
|   root@OpenWrt2:~# ip route get 1.1.1.1
|   1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
|       cache
|   root@OpenWrt2:~#
|
|   so the fix is an anchored match, discarding all else.
|
|   Also, using ip -o means never having to do multiline matches...
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>