path: root/net/strongswan
Commit message (Author, Age)
* strongswan: Backport upstream fix for RNG definition conflict (Philip Prindeville, 2024-04-03)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: drop unneeded sleep patch (Philip Prindeville, 2024-03-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: backport upstream MUSL fix for farp_spoofer.c (Philip Prindeville, 2024-03-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: backport upstream MUSL fix for pf_handler.c (Philip Prindeville, 2024-03-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: simplify MUSL patch (Philip Prindeville, 2024-03-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Update to 5.9.14 (Philip Prindeville, 2024-03-27)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add empty config (Glen Huang, 2024-02-20)
|   Without it, using uci to manipulate ipsec config can result in errors, making it much more difficult to use in uci-defaults for example.
|
|   Signed-off-by: Glen Huang <me@glenhuang.com>
* strongswan: trigger reload when interfaces are specified (Joel Low, 2023-12-18)
|   Fixes #20848
|
|   Add interface triggers if interfaces to listen to are specified in `/etc/config/ipsec`. This fixes the "running with no instances" scenario after rebooting a router.
|
|   Signed-off-by: Joel Low <joel@joelsplace.sg>
* strongswan: Update to 5.9.13 (Philip Prindeville, 2023-12-03)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Update to 5.9.12 (Philip Prindeville, 2023-11-26)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: swanctl: add support for replay window (Tiago Gaspar, 2023-11-17)
|   Add support for replay window configuration in UCI.
|
|   Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
* strongswan: add eap-dynamic plugin (Tarvi Pillessaar, 2023-10-23)
|   This plugin acts as a proxy that dynamically selects an EAP method that is supported/preferred by the client. If the original EAP method initiated by the plugin is rejected with an EAP-NAK message, it will select a different method that is supported/requested by the client.
|
|   For example, it is possible to configure eap-tls as preferred authentication method for your connection while still allowing eap-mschapv2.
|
|   Signed-off-by: Tarvi Pillessaar <tarvip@gmail.com>
* strongswan: Update to 5.9.11 (Philip Prindeville, 2023-06-30)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: make parsing more consistent (Philip Prindeville, 2023-06-15)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add missing PKG_MOD_AVAILABLE (Glen Huang, 2023-04-24)
|   Without these charon will warn with messages like:
|
|   plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
|   plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
|
|   Signed-off-by: Glen Huang <me@glenhuang.com>
* Merge pull request #20832 from hgl/strongswan (Philip Prindeville, 2023-04-24)
|\
| |   strongswan: enable nonce unconditionally
| * strongswan: enable nonce unconditionally (Glen Huang, 2023-04-24)
| |   Without nonce, charon won't start, so it's not an optional plugin. I asked one of the strongSwan maintainers (ecdsa), and he confirmed this:
| |
| |   > It definitely has to be enabled unconditionally. The only other
| |   > provider for the NONCE_GEN plugin feature is in charon-tkm, so
| |   > completely irrelevant on OpenWrt
| |
| |   Signed-off-by: Glen Huang <me@glenhuang.com>
* | strongswan: local_gateway unused in swanctl.init (Philip Prindeville, 2023-04-22)
|/
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: add support for remote cacerts (Glen Huang, 2023-04-10)
|   Signed-off-by: Glen Huang <me@glenhuang.com>
* strongswan: add support for pools section (Glen Huang, 2023-04-10)
|   Signed-off-by: Glen Huang <me@glenhuang.com>
* strongswan: Fix CI/CD complaints about kmod dependencies (Philip Prindeville, 2023-03-28)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: simplify indentation (Philip Prindeville, 2023-03-26)
|   Allow passing multiple config lines with the same indent level.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Fix indent for hw_offload, interface, priority (Philip Prindeville, 2023-03-26)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Update to 5.9.10 (Philip Prindeville, 2023-03-12)
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: Update to 5.9.9 (Philip Prindeville, 2023-03-12)
|   Add patch to remove definition of RNG leaking in from wolfssl.h.
|
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* strongswan: fix typo in strongswan-mod-nonce description (Stijn Tintel, 2022-12-28)
|   Fixes: #16691
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Merge pull request #19865 from pprindeville/issue#19757 (Philip Prindeville, 2022-11-11)
|\
| |   strongswan: Fix PSK's when using multiple connections
| * strongswan: Fix PSK's when using multiple connections (Philip Prindeville, 2022-11-08)
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | strongswan: Update to 5.9.8 (Philip Prindeville, 2022-11-08)
|/
|   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* treewide: fix security issues by bumping all packages using libwolfssl (Petr Štetiar, 2022-10-04)
|   As wolfSSL is having a hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would end up with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0.
|
|   So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library.
|
|   Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide: fix security issues by bumping all packages using libwolfssl").
|
|   Signed-off-by: Petr Štetiar <ynezz@true.cz>
* Revert "strongswan: add strongswan-mod-socket" (Stijn Tintel, 2022-08-16)
|   The original PR for this change is #16373, where it's clearly stated it doesn't work. This should have never been merged. It causes the following recursive dependency:
|
|   tmp/.config-package.in:122354:error: recursive dependency detected!
|   tmp/.config-package.in:122354: symbol PACKAGE_strongswan-default depends on PACKAGE_strongswan-mod-socket-default
|   tmp/.config-package.in:123534: symbol PACKAGE_strongswan-mod-socket-default is selected by PACKAGE_strongswan-default
|
|   This reverts commit 603f70e96b4dc1b9e442a38cb692de519c1cd54a.
|
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Merge pull request #16367 from pprindeville/strongswan-mod-socket-dep (Philip Prindeville, 2022-08-15)
|\
| |   strongswan: Add dependency to virtual package strongswan-mod-socket
| * strongswan: add strongswan-mod-socket (Stijn Tintel, 2022-02-03)
| |   This is a virtual package that is satisfied by either strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is required by the charon daemon. When neither of these packages is installed, charon will not function.
| |
| |   Closes #16261, #16263 and #16367.
| |
| |   Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | Merge pull request #19146 from pprindeville/strongswan-include-mgf1 (Philip Prindeville, 2022-08-10)
|\ \
| | |   strongswan: bundle mgf1 with everything
| * | strongswan: bundle mgf1 with everything (Philip Prindeville, 2022-08-10)
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | strongswan: try to model kdf optional dependencies (Noel Kuntze, 2022-08-11)
| | |   Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
* | | strongswan: Update to 5.9.7 (Philip Prindeville, 2022-08-08)
|/ /
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | Merge pull request #18654 from pprindeville/strongswan-need-kmod-chapoly (Philip Prindeville, 2022-06-02)
|\ \
| | |   strongswan: add kernel module dependency on chapoly
| * | strongswan: add kernel module dependency on chapoly (Philip Prindeville, 2022-05-31)
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | strongswan: support child rekey by bytes and packets (Joel Low, 2022-05-09)
| | |   This adds support for the child SA to be rekeyed through the byte/packet threshold. The default is blank (which disables the byte/packet thresholds).
| | |
| | |   Signed-off-by: Joel Low <joel@joelsplace.sg>
* | | Merge pull request #18312 from lowjoel/strongswan-wolfssl (Philip Prindeville, 2022-05-06)
|\ \ \
| | | |   strongswan: add wolfssl plugin
| * | | strongswan: add wolfssl plugin (Derek Yerger, 2022-04-16)
| | | |   Signed-off-by: Derek Yerger <derek@altdevs.net>
| | | |   Signed-off-by: Joel Low <joel@joelsplace.sg>
* | | | Merge pull request #18439 from pprindeville/strongswan-update-5.9.6 (Philip Prindeville, 2022-05-06)
|\ \ \ \
| |_|/ /
|/| | |   strongswan: Update to 5.9.6
| * | | strongswan: Update to 5.9.6 (Philip Prindeville, 2022-05-02)
| | | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | | strongswan: do not force to use iptable-legacy (Florian Eckert, 2022-04-06)
| |/ /
|/| |
| | |   The default firewall is the fw4, which uses nft. In order to not install the legacy implementation when installing strongswan, the build system should decide which firewall backend to use. While we are at it, I have also added the dependency packages for IPV6.
| | |
| | |   Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* | | strongswan: fix forecast plugin dependency (Stijn Tintel, 2022-03-30)
| | |   The forecast plugin does not require the iptables binary, it uses libiptc instead.
| | |
| | |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | | strongswan: fix connmark plugin dependency (Stijn Tintel, 2022-03-30)
| | |   The connmark plugin does not require the iptables binary, it uses libiptc instead.
| | |
| | |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | | strongswan: move iptables deps to updown plugin (Stijn Tintel, 2022-03-30)
|/ /
| |   Let's move the iptables IPsec dependencies out of the strongswan package and into the plugin package that actually depends on it, strongswan-mod-updown. As the default updown script calls the iptables binary, also add a dependency on the iptables-legacy package.
| |
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | treewide: remove rpath-link (Rosen Penev, 2022-03-13)
| |   Most usages seem to be outdated and fixed a long time ago.
| |
| |   Signed-off-by: Rosen Penev <rosenp@gmail.com>
* | strongswan: add missing dependencies (Stijn Tintel, 2022-03-04)
| |   Fix the following build failures by adding the missing dependencies:
| |
| |   Package strongswan-mod-connmark is missing dependencies for the following libraries:
| |   libip4tc.so.2
| |   Package strongswan-mod-forecast is missing dependencies for the following libraries:
| |   libip4tc.so.2
| |
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>