Fixes: #16691
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
strongswan: Fix PSK's when using multiple connections
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
As wolfSSL is having a hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would end up with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The original PR for this change is #16373, where it's clearly stated it
doesn't work. This should have never been merged. It causes the
following recursive dependency:
tmp/.config-package.in:122354:error: recursive dependency detected!
tmp/.config-package.in:122354: symbol PACKAGE_strongswan-default depends on PACKAGE_strongswan-mod-socket-default
tmp/.config-package.in:123534: symbol PACKAGE_strongswan-mod-socket-default is selected by PACKAGE_strongswan-default
This reverts commit 603f70e96b4dc1b9e442a38cb692de519c1cd54a.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
strongswan: Add dependency to virtual package strongswan-mod-socket
This is a virtual package that is satisfied by either
strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is
required by the charon daemon. When neither of these packages is
installed, charon will not function.
Closes #16261, #16263 and #16367.
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
strongswan: bundle mgf1 with everything
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
strongswan: add kernel module dependency on chapoly
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).
Signed-off-by: Joel Low <joel@joelsplace.sg>
strongswan: add wolfssl plugin
Signed-off-by: Derek Yerger <derek@altdevs.net>
Signed-off-by: Joel Low <joel@joelsplace.sg>
strongswan: Update to 5.9.6
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The default firewall is the fw4, which uses nft. In order to not
install the legacy implementation when installing strongswan, the build
system should decide which firewall backend to use.
While we are at it, I have also added the dependency packages for IPV6.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The forecast plugin does not require the iptables binary, it uses
libiptc instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The connmark plugin does not require the iptables binary, it uses
libiptc instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Let's move the iptables IPsec dependencies out of the strongswan package
and into the plugin package that actually depends on it,
strongswan-mod-updown. As the default updown script calls the iptables
binary, also add a dependency on the iptables-legacy package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Most usages seem to be outdated and fixed a long time ago.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix the following build failures by adding the missing dependencies:
Package strongswan-mod-connmark is missing dependencies for the following libraries:
libip4tc.so.2
Package strongswan-mod-forecast is missing dependencies for the following libraries:
libip4tc.so.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This option sets the interface of the policy.
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use lists where appropriate for multi-value config variables.
Forbid absolute/relative paths for certificate and key files.
Get rid of last remnants of left/right naming.
Factor invariant code paths.
Drop redundant secrets.rsa.filename section.
Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).
Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.
Running charon directly from procd via the init.d script avoids
all of this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
strongswan: make default bundle use swanctl
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Fixes issue #15446
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
chacha20poly1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
A subshell caused by $(...) can't persistently modify globals as a
side-effect.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>