strongswan: drop deprecated crypto protocols
authorPhilip Prindeville <redacted>
Sun, 24 May 2026 19:23:01 +0000 (13:23 -0600)
committerPhilip Prindeville <redacted>
Fri, 29 May 2026 17:10:58 +0000 (11:10 -0600)
AEAD, CCM, MD4, and MS CHAP v2 are all deprecated due to insecurity.

Signed-off-by: Philip Prindeville <redacted>
net/strongswan/Config.in
net/strongswan/Makefile

index b38493af2ed4cf268f1b1ec405932123b58a75c8..0936c958119fc1bcc87fd90cbe1e481ced99bb91 100644 (file)
@@ -14,6 +14,11 @@ config STRONGSWAN_ROUTING_TABLE_PRIO
        prompt "Set the IPsec routing table priority"
        default "220"
 
+config STRONGSWAN_INCLUDE_INSECURE
+       bool
+       prompt "Include cryptographically weak protocols"
+       default !PACKAGE_libopenssl
+
 comment "Packages"
 
 endif
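Review bot: The new `STRONGSWAN_INCLUDE_INSECURE` entry has no `help` text, and its `default !PACKAGE_libopenssl` switches the weak algorithms on by default in every build that does not select libopenssl, without saying why. A user in menuconfig cannot tell what the switch controls, so add a `help` block that names the gated items (per the Makefile changes in this commit: ccm, eap-mschapv2, md4 and kmod-crypto-aead) and gives the reason for the OpenSSL-dependent default. If that default exists only for backward compatibility, consider `default n` so that weak algorithms are an explicit opt-in. The enclosing `if` block starts outside the hunk.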
index cd5aac86d4c117fd69e2c8baaee8c5d8c9b543e7..2cd590ad2c76e341f1c45e866d8a04d554d27ec6 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=6.0.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@@ -26,7 +26,7 @@ PKG_MOD_AVAILABLE:= \
        attr \
        attr-sql \
        blowfish \
-       ccm \
+       $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),ccm,) \
        chapoly \
        cmac \
        constraints \
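Review bot: Dropping `ccm` from `PKG_MOD_AVAILABLE` here (and `eap-mschapv2` and `md4` in the next two hunks) removes the name from the list but, as far as these hunks show, not the plugin packages themselves. The configure loop at the end of the Makefile still reads `CONFIG_PACKAGE_strongswan-mod-ccm`, so if the package definition remains (not visible here), selecting it by hand still yields `--enable-ccm` with the option off, and `PKG_CONFIG_DEPENDS` no longer tracks that symbol. Consider keeping the gated names in one variable, e.g. `PKG_MOD_INSECURE:=ccm eap-mschapv2 md4`, and making the plugin packages depend on `STRONGSWAN_INCLUDE_INSECURE` so the switch is enforced rather than only changing what is pulled in by default. `eap-md5`, `md5` and `blowfish` stay unconditional in the same list, so a comment stating the criterion for "weak" would explain the difference.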
@@ -43,7 +43,7 @@ PKG_MOD_AVAILABLE:= \
        eap-dynamic \
        eap-identity \
        eap-md5 \
-       eap-mschapv2 \
+       $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),eap-mschapv2,) \
        eap-radius \
        eap-tls \
        farp \
@@ -62,7 +62,7 @@ PKG_MOD_AVAILABLE:= \
        led \
        load-tester \
        lookip \
-       md4 \
+       $(if $(CONFIG_STRONGSWAN_INCLUDE_INSECURE),md4,) \
        md5 \
        mgf1 \
        mysql \
@@ -103,7 +103,8 @@ PKG_MOD_AVAILABLE:= \
 PKG_CONFIG_DEPENDS:= \
        CONFIG_STRONGSWAN_ROUTING_TABLE \
        CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO \
-       $(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE)) \
+       CONFIG_STRONGSWAN_INCLUDE_INSECURE \
+       $(patsubst %,CONFIG_PACKAGE_strongswan-mod-%,$(PKG_MOD_AVAILABLE))
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
@@ -130,7 +131,7 @@ define Package/strongswan
 $(call Package/strongswan/Default)
   MENU:=1
   DEPENDS:= +libpthread +ip \
-       +kmod-crypto-aead \
+       +STRONGSWAN_INCLUDE_INSECURE:kmod-crypto-aead \
        +kmod-crypto-authenc \
        +kmod-crypto-cbc \
        +kmod-lib-zlib-inflate \
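Review bot: `kmod-crypto-aead` is made conditional on `STRONGSWAN_INCLUDE_INSECURE`, but it looks like the kernel's generic AEAD interface rather than a weak algorithm, so treating it as insecure is misleading. It is probably still pulled in indirectly by `kmod-crypto-authenc` on the next line (to be confirmed against the kernel package definitions), in which case this line changes nothing; if it is not, AEAD ESP transforms such as GCM may lose a module they need. Either keep `+kmod-crypto-aead \` unconditional or add a comment explaining why it belongs with MD4 and MS-CHAPv2. The `Package/strongswan` definition continues past the hunk.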
@@ -166,7 +167,7 @@ $(call Package/strongswan/Default)
        +strongswan-mod-attr \
        +strongswan-mod-attr-sql \
        +strongswan-mod-blowfish \
-       +strongswan-mod-ccm \
+       +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-ccm \
        +strongswan-mod-chapoly \
        +strongswan-mod-cmac \
        +strongswan-mod-constraints \
@@ -183,7 +184,7 @@ $(call Package/strongswan/Default)
        +strongswan-mod-eap-dynamic \
        +strongswan-mod-eap-identity \
        +strongswan-mod-eap-md5 \
-       +strongswan-mod-eap-mschapv2 \
+       +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-eap-mschapv2 \
        +strongswan-mod-eap-radius \
        +strongswan-mod-eap-tls \
        +strongswan-mod-farp \
@@ -200,7 +201,7 @@ $(call Package/strongswan/Default)
        +strongswan-mod-led \
        +strongswan-mod-load-tester \
        +strongswan-mod-lookip \
-       +strongswan-mod-md4 \
+       +STRONGSWAN_INCLUDE_INSECURE:strongswan-mod-md4 \
        +strongswan-mod-md5 \
        +strongswan-mod-mgf1 \
        +strongswan-mod-mysql \
@@ -467,7 +468,7 @@ CONFIGURE_ARGS+= \
        --with-urandom-device=/dev/urandom \
        --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \
        --with-routing-table-prio="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE_PRIO))" \
-       $(foreach m,$(PKG_MOD_AVAILABLE), \
+       $(foreach m,$(PKG_MOD_AVAILABLE) ccm eap-mschapv2 md4, \
          $(if $(CONFIG_PACKAGE_strongswan-mod-$(m)),--enable-$(m),--disable-$(m)) \
        ) \
        ac_cv_search___atomic_load=no
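Review bot: When `STRONGSWAN_INCLUDE_INSECURE` is set, `ccm`, `eap-mschapv2` and `md4` are already in `PKG_MOD_AVAILABLE`, so the appended literals make the loop emit each of those `--enable-`/`--disable-` flags twice. configure should tolerate the repetition, but a second hard-coded copy of the gated names is easy to miss when another plugin is added to the gate. De-duplicate with `$(foreach m,$(sort $(PKG_MOD_AVAILABLE) ccm eap-mschapv2 md4), \` and add a comment that the explicit names are there to force `--disable-` when the option is off. `CONFIGURE_ARGS` starts outside the hunk.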