[Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option
Yann E. MORIN
yann.morin.1998 at free.fr
Tue Sep 28 20:26:51 UTC 2021
Arnout, All,
On 2021-09-27 19:00 +0200, Arnout Vandecappelle spake thusly:
> On 20/09/2021 17:28, Martin Elshuber wrote:
> >Add the option to enable the md4 hash algorithm and default it to 'no'
> >since this is a new option.
> >
> >Since md4 is required by EAP-MSCHAPv2 it is selected by
> >BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
> >https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
> >further details.
> >
> >---
> >Changes v1 -> v2:
> >- change git title
> >
> >Signed-off-by: Martin Elshuber <martin.elshuber at theobroma-systems.com>
> >---
> > package/strongswan/Config.in | 4 ++++
> > package/strongswan/strongswan.mk | 1 +
> > 2 files changed, 5 insertions(+)
> >
> >diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> >index 8eae568b6a..21f84ebb71 100644
> >--- a/package/strongswan/Config.in
> >+++ b/package/strongswan/Config.in
> >@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
> > config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
> > bool "Enable dynamic TNCCS protocol discovery module"
> >+config BR2_PACKAGE_STRONGSWAN_MD4
> >+ bool "Enable MD4 hash algorithm"
> >+
> > config BR2_PACKAGE_STRONGSWAN_EAP
> > bool "Enable EAP protocols"
> >@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
> > config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
> > bool "Enable EAP-MSCHAPv2"
> > default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> >+ select BR2_PACKAGE_STRONGSWAN_MD4
>
> This md4 option makes me realize: do we really want to add options for
> broken security in a security package? OpenSSL has just deprecated MD4 in
> 3.0.0.
Well, there is a nice side effect to adding the md4 option: it is
selected by EAP-MSCHAPv2, so a user that is concerned about the use of
md4 will notice that they should also disable EAP-MSCHAPv2.
If we do not add this option, it is forcibly enabled by strongswan when
EAP-MSCHAPv2 is enabled, so this is hidden from the user...
Regards,
Yann E. MORIN.
> Regards,
> Arnout
>
> > config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
> > bool "Enable EAP-PEAP"
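Review bot: the `select BR2_PACKAGE_STRONGSWAN_MD4` lands on an option that carries `default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy`, so MD4 ends up enabled in every configuration that turns on EAP and leaves EAP-MSCHAPv2 at its default. That does not match the commit message's "default it to 'no'"; the message should say that MD4 is off only when EAP-MSCHAPv2 is off. Because a `select` forces the symbol on and it cannot be unticked from the MD4 entry itself, it would also help to mention MD4 in the EAP-MSCHAPv2 prompt or help text.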
> >diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> >index 5fb4e6821a..c308d3a4f3 100644
> >--- a/package/strongswan/strongswan.mk
> >+++ b/package/strongswan/strongswan.mk
> >@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
> > --enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> > --enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> > --enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> >+ --enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
> > --enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
> > --enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
> > --enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> >
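Review bot: the added `--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no)` passes an explicit `no` to configure whenever the Kconfig symbol is unset, so the build is only correct as long as every option that needs md4 selects BR2_PACKAGE_STRONGSWAN_MD4. The patch covers EAP-MSCHAPv2 only; please confirm in the commit message that no other option exposed in Config.in depends on md4, or add the matching `select` lines.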
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'