[Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option

Yann E. MORIN yann.morin.1998 at free.fr
Tue Sep 28 20:26:51 UTC 2021


Arnout, All,

On 2021-09-27 19:00 +0200, Arnout Vandecappelle spake thusly:
> On 20/09/2021 17:28, Martin Elshuber wrote:
> >Add the option to enable the md4 hash algorithm and default it to 'no'
> >since this is a new option.
> >
> >Since md4 is required by EAP-MSCHAPv2 it is selected by
> >BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
> >https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
> >further details.
> >
> >---
> >Changes v1 -> v2:
> >- change git title
> >
> >Signed-off-by: Martin Elshuber <martin.elshuber at theobroma-systems.com>
> >---
> >  package/strongswan/Config.in     | 4 ++++
> >  package/strongswan/strongswan.mk | 1 +
> >  2 files changed, 5 insertions(+)
> >
> >diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> >index 8eae568b6a..21f84ebb71 100644
> >--- a/package/strongswan/Config.in
> >+++ b/package/strongswan/Config.in
> >@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
> >  config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
> >  	bool "Enable dynamic TNCCS protocol discovery module"
> >+config BR2_PACKAGE_STRONGSWAN_MD4
> >+	bool "Enable MD4 hash algorithm"
> >+
> >  config BR2_PACKAGE_STRONGSWAN_EAP
> >  	bool "Enable EAP protocols"
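Review bot: BR2_PACKAGE_STRONGSWAN_MD4 is added with only a `bool` prompt and no help text. The option's main value is making the use of a weak hash visible, so a short `help` entry would tell users why they see it enabled. It could say that MD4 is considered broken and is only needed for EAP-MSCHAPv2.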
> >@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
> >  config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
> >  	bool "Enable EAP-MSCHAPv2"
> >  	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> >+	select BR2_PACKAGE_STRONGSWAN_MD4
> 
>  This md4 option makes me realize: do we really want to add options for
> broken security in a security package? OpenSSL has just deprecated MD4 in
> 3.0.0.

Well, there is a nice side effect to adding the md4 option: it is
selected by EAP-MSCHAPv2, so a user that is concerned about the use of
md4 will notice that they should also disable EAP-MSCHAPv2.

If we do not add this option, it is forcibly enabled by strongswan when
EAP-MSCHAPv2 is enabled, so this is hidden from the user...

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> >  config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
> >  	bool "Enable EAP-PEAP"
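Review bot: the `select BR2_PACKAGE_STRONGSWAN_MD4` sits under an option that is `default y if BR2_PACKAGE_STRONGSWAN_EAP`, so MD4 ends up enabled in every configuration that turns on EAP without explicitly disabling EAP-MSCHAPv2. The commit message's "default it to 'no'" therefore only holds for builds without EAP. Please say so in the commit message, and consider mentioning in the EAP-MSCHAPv2 prompt or help that it pulls in MD4.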
> >diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> >index 5fb4e6821a..c308d3a4f3 100644
> >--- a/package/strongswan/strongswan.mk
> >+++ b/package/strongswan/strongswan.mk
> >@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
> >  	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> >  	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> >  	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> >+	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
> >  	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
> >  	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
> >  	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
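Review bot: `--enable-md4` is now passed as an explicit yes/no, so any configuration where BR2_PACKAGE_STRONGSWAN_MD4 is unset hands `--enable-md4=no` to configure. The only `select` in this patch comes from EAP-MSCHAPv2. Please confirm that no other plugin enabled through these options needs md4. If one does, it needs a `select` as well.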
> >

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
