* [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation
@ 2021-09-13 14:26 Martin Elshuber
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
                   ` (3 more replies)
  0 siblings, 4 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-13 14:26 UTC (permalink / raw)
  To: buildroot; +Cc: Jérôme Pouiller, Martin Elshuber

The AKA backend for 3GPP2 requires libgmp (see
https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf). Since
the AKA backend for 3GPP2 is included by BR2_PACKAGE_STRONGSWAN_EAP,
when selecting a crypto backend different from
BR2_PACKAGE_STRONGSWAN_GMP, there is no guarantee the gmp package is
selected as well. When doing so, make fails since the package is in the
dependency chain but not selected:

  $ make
  Makefile:585: *** gmp is in the dependency chain of strongswan that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in.  Stop.
  make: *** [Makefile:23: _all] Error 2

To fix this, select BR2_PACKAGE_GMP when selecting BR2_PACKAGE_STRONGSWAN_EAP.

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
---
 package/strongswan/Config.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 47c7107f59..368cd1ecc0 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -75,6 +75,7 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 
 config BR2_PACKAGE_STRONGSWAN_EAP
 	bool "Enable EAP protocols"
+	select BR2_PACKAGE_GMP
 	help
 	  Enable various EAP protocols:
 	    - mschapv2
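Review bot: The added `select BR2_PACKAGE_GMP` does not say which EAP plugin needs gmp, so a later cleanup could drop it or forget to move it when the plugins are split out. The commit message names the AKA 3GPP2 backend; a trailing comment in the style this file uses elsewhere (`depends on !BR2_STATIC_LIBS # pcsc-lite`) would record that: `select BR2_PACKAGE_GMP # eap-aka-3gpp2`. The help text of this entry continues outside the hunk.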
-- 
2.30.2


* [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins
  2021-09-13 14:26 [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Martin Elshuber
@ 2021-09-13 14:26 ` Martin Elshuber
  2021-09-18 21:06   ` Yann E. MORIN
                     ` (2 more replies)
  2021-09-13 14:26 ` [Buildroot] [PATCH 3/3] strongswan: " Martin Elshuber
                   ` (2 subsequent siblings)
  3 siblings, 3 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-13 14:26 UTC (permalink / raw)
  To: buildroot; +Cc: Jérôme Pouiller, Martin Elshuber

Add options to choose EAP plugins.

Since the only plugin requiring libgmp is
BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
is moved down accordingly.

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
---
 package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
 package/strongswan/strongswan.mk | 36 ++++++-------
 2 files changed, 87 insertions(+), 38 deletions(-)

diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 368cd1ecc0..77d437d7d9 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 
 config BR2_PACKAGE_STRONGSWAN_EAP
 	bool "Enable EAP protocols"
-	select BR2_PACKAGE_GMP
-	help
-	  Enable various EAP protocols:
-	    - mschapv2
-	    - tls
-	    - ttls
-	    - peap
-	    - sim
-	    - sim-file
-	    - aka
-	    - aka-3gpp2
-	    - simaka-sql
-	    - simaka-pseudonym
-	    - simaka-reauth
-	    - identity
-	    - md5
-	    - gtc
-	    - tnc
-	    - dynamic
-	    - radius
 
 if BR2_PACKAGE_STRONGSWAN_EAP
 
+config BR2_PACKAGE_STRONGSWAN_EAP_SIM
+	bool "Enable EAP-SIM"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE
+	bool "Enable EAP-SIM file backend"
+	default y
+
 config BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC
 	bool "Enable EAP-SIM smart card backend"
 	depends on !BR2_STATIC_LIBS # pcsc-lite
 	select BR2_PACKAGE_PCSC_LITE
 
+config BR2_PACKAGE_STRONGSWAN_EAP_AKA
+	bool "Enable EAP-AKA"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2
+	bool "Enable EAP-AKA 3GPP2 algorithms"
+	default y
+	select BR2_PACKAGE_GMP
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL
+	bool "Enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM
+	bool "Enable EAP-SIM/AKA pseudonym storage"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH
+	bool "Enable EAP-SIM/AKA reauthentication data storage"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY
+	bool "Enable EAP-Identity"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_MD5
+	bool "Enable EAP-MD5"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_GTC
+	bool "Enable EAP-GDC"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
+	bool "Enable EAP-MSCHAPv2"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
+	bool "Enable EAP-PEAP"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_RADIUS
+	bool "Enable EAP-RADIUS"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TLS
+	bool "Enable EAP-TLS"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TTLS
+	bool "Enable EAP-TTLS"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
+	bool "Enable EAP-TTLS"
+	default y
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TNC
+	bool "Enable EAP-TNC"
+	default y
+
 endif
 
 config BR2_PACKAGE_STRONGSWAN_UNITY
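Review bot: Two prompt strings in the new entries do not match their symbols: BR2_PACKAGE_STRONGSWAN_EAP_GTC is labelled "Enable EAP-GDC", and BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC repeats "Enable EAP-TTLS", so the menu shows two identical EAP-TTLS lines and a user cannot tell which one controls which plugin. Suggested: `bool "Enable EAP-GTC"` and `bool "Enable EAP-DYNAMIC"`. The GDC label is carried over unchanged into the v2 posting of this hunk. The removed help text is also not replaced, so none of the new options has a `help` section; a one-line help per method would make it easier to deliberately leave weaker methods such as EAP-MD5 out of a build.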
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 322abfbd7b..ebfa1a11f3 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -48,30 +48,30 @@ endif
 
 ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)
 STRONGSWAN_CONF_OPTS += \
-	--enable-eap-sim \
-	--enable-eap-sim-file \
-	--enable-eap-aka \
-	--enable-eap-aka-3gpp2 \
-	--enable-eap-simaka-sql \
-	--enable-eap-simaka-pseudonym \
-	--enable-eap-simaka-reauth \
-	--enable-eap-identity \
-	--enable-eap-md5 \
-	--enable-eap-gtc \
-	--enable-eap-mschapv2 \
-	--enable-eap-tls \
-	--enable-eap-ttls \
-	--enable-eap-peap \
-	--enable-eap-tnc \
-	--enable-eap-dynamic \
-	--enable-eap-radius
-STRONGSWAN_DEPENDENCIES += gmp
+	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
+	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
+	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
+	--enable-eap-aka-3gpp2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),yes,no) \
+	--enable-eap-simaka-sql=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL),yes,no) \
+	--enable-eap-simaka-pseudonym=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM),yes,no) \
+	--enable-eap-simaka-reauth=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH),yes,no) \
+	--enable-eap-identity=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY),yes,no) \
+	--enable-eap-md5=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MD5),yes,no) \
+	--enable-eap-gtc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_GTC),yes,no) \
+	--enable-eap-mschapv2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2),yes,no) \
+	--enable-eap-tls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TLS),yes,no) \
+	--enable-eap-ttls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TTLS),yes,no) \
+	--enable-eap-peap=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_PEAP),yes,no) \
+	--enable-eap-tnc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TNC),yes,no) \
+	--enable-eap-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC),yes,no) \
+	--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)
 endif
 
 STRONGSWAN_DEPENDENCIES += \
 	$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \
+	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
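Review bot: `gmp` is now added to STRONGSWAN_DEPENDENCIES by two separate `$(if ...)` lines, so a configuration with both BR2_PACKAGE_STRONGSWAN_GMP and BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2 set lists it twice. That is probably harmless, but a single line states the rule more directly: `$(if $(BR2_PACKAGE_STRONGSWAN_GMP)$(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \`. The same added line appears in the second strongswan.mk hunk of the v2 posting. The STRONGSWAN_DEPENDENCIES assignment continues past the end of this hunk.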
-- 
2.30.2


* [Buildroot] [PATCH 3/3] strongswan: add md4 hash algorithm option
  2021-09-13 14:26 [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Martin Elshuber
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
@ 2021-09-13 14:26 ` Martin Elshuber
  2021-09-18 21:12 ` [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Yann E. MORIN
  2021-10-04 11:09 ` Peter Korsgaard
  3 siblings, 0 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-13 14:26 UTC (permalink / raw)
  To: buildroot; +Cc: Jérôme Pouiller, Martin Elshuber

Add the option to enable the md4 hash algorithm and default it to 'no'
since this is a new option.

Since md4 is required by EAP-MSCHAPv2 it is selected by
BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
further details.

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
---
 package/strongswan/Config.in     | 4 ++++
 package/strongswan/strongswan.mk | 1 +
 2 files changed, 5 insertions(+)

diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 77d437d7d9..2d972f525a 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
 config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 	bool "Enable dynamic TNCCS protocol discovery module"
 
+config BR2_PACKAGE_STRONGSWAN_MD4
+	bool "Enable MD4 hash algorithm"
+
 config BR2_PACKAGE_STRONGSWAN_EAP
 	bool "Enable EAP protocols"
 
@@ -126,6 +129,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
 
 config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
 	bool "Enable EAP-MSCHAPv2"
+	select BR2_PACKAGE_STRONGSWAN_MD4
 	default y
 
 config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
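Review bot: With this `select`, MD4 is built whenever EAP is enabled and BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2 keeps its `default y`, although the commit message says the new option defaults to 'no'. MD4 is a broken hash, so the coupling should be visible to whoever configures the package: annotate the line as `select BR2_PACKAGE_STRONGSWAN_MD4 # needed by eap-mschapv2`, and give BR2_PACKAGE_STRONGSWAN_MD4 in the first hunk a short `help` saying it is only needed for EAP-MSCHAPv2 and should otherwise stay off. For consistency with BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2 in patch 2/3, `default y` would also go before the `select`.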
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index ebfa1a11f3..b9f3de83bc 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
 	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
+	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
 	--with-ipseclibdir=/usr/lib \
 	--with-plugindir=/usr/lib/ipsec/plugins \
 	--with-imcvdir=/usr/lib/ipsec/imcvs \
-- 
2.30.2


* Re: [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
@ 2021-09-18 21:06   ` Yann E. MORIN
  2021-09-20 15:14     ` Martin Elshuber
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 1/2] " Martin Elshuber
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option Martin Elshuber
  2 siblings, 1 reply; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-18 21:06 UTC (permalink / raw)
  To: Martin Elshuber; +Cc: Jérôme Pouiller, buildroot

Martin, All,

On 2021-09-13 16:26 +0200, Martin Elshuber spake thusly:
> Add options to chose EAP plugins.
> 
> Since the only plugin requiring libgmp is
> BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
> is moved down accordingly.
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> ---
>  package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
>  package/strongswan/strongswan.mk | 36 ++++++-------
>  2 files changed, 87 insertions(+), 38 deletions(-)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 368cd1ecc0..77d437d7d9 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>  
>  config BR2_PACKAGE_STRONGSWAN_EAP
>  	bool "Enable EAP protocols"

If I understand correctly, BR2_PACKAGE_STRONGSWAN_EAP now drives no
option directly, right? As such, it can be moved to legacy, and
then [...]

> -	select BR2_PACKAGE_GMP
> -	help
> -	  Enable various EAP protocols:
> -	    - mschapv2
> -	    - tls
> -	    - ttls
> -	    - peap
> -	    - sim
> -	    - sim-file
> -	    - aka
> -	    - aka-3gpp2
> -	    - simaka-sql
> -	    - simaka-pseudonym
> -	    - simaka-reauth
> -	    - identity
> -	    - md5
> -	    - gtc
> -	    - tnc
> -	    - dynamic
> -	    - radius
>  
>  if BR2_PACKAGE_STRONGSWAN_EAP
>  
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIM
> +	bool "Enable EAP-SIM"
> +	default y

[...] each individual EAP option would have a conditional default:

    default y if BR2_PACKAGE_STRONGSWAN_EAP  # legacy

This would have the added benefit that, when we eventually get rid of
the legacy entry, we can also get rid of the legacy default.

[--SNIP--]
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index 322abfbd7b..ebfa1a11f3 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -48,30 +48,30 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)
>  STRONGSWAN_CONF_OPTS += \
> -	--enable-eap-sim \
> -	--enable-eap-sim-file \
> -	--enable-eap-aka \
> -	--enable-eap-aka-3gpp2 \
> -	--enable-eap-simaka-sql \
> -	--enable-eap-simaka-pseudonym \
> -	--enable-eap-simaka-reauth \
> -	--enable-eap-identity \
> -	--enable-eap-md5 \
> -	--enable-eap-gtc \
> -	--enable-eap-mschapv2 \
> -	--enable-eap-tls \
> -	--enable-eap-ttls \
> -	--enable-eap-peap \
> -	--enable-eap-tnc \
> -	--enable-eap-dynamic \
> -	--enable-eap-radius
> -STRONGSWAN_DEPENDENCIES += gmp
> +	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
> +	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
> +	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> +	--enable-eap-aka-3gpp2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),yes,no) \
> +	--enable-eap-simaka-sql=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL),yes,no) \
> +	--enable-eap-simaka-pseudonym=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM),yes,no) \
> +	--enable-eap-simaka-reauth=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH),yes,no) \
> +	--enable-eap-identity=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY),yes,no) \
> +	--enable-eap-md5=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MD5),yes,no) \
> +	--enable-eap-gtc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_GTC),yes,no) \
> +	--enable-eap-mschapv2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2),yes,no) \
> +	--enable-eap-tls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TLS),yes,no) \
> +	--enable-eap-ttls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TTLS),yes,no) \
> +	--enable-eap-peap=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_PEAP),yes,no) \
> +	--enable-eap-tnc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TNC),yes,no) \
> +	--enable-eap-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC),yes,no) \
> +	--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)
>  endif

And indeed, from the above list, BR2_PACKAGE_STRONGSWAN_EAP by itself no
longer means anything; setting it to 'n' does not even forces all
sub-options to 'no', but leaves them to their default value (as was the
case previously, though, so not a regression).

I think this ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y) can be dropped
altogether, now.

Unless I missed something?

Regards,
Yann E. MORIN.

>  STRONGSWAN_DEPENDENCIES += \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \
> +	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
> -- 
> 2.30.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation
  2021-09-13 14:26 [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Martin Elshuber
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
  2021-09-13 14:26 ` [Buildroot] [PATCH 3/3] strongswan: " Martin Elshuber
@ 2021-09-18 21:12 ` Yann E. MORIN
  2021-10-04 11:09 ` Peter Korsgaard
  3 siblings, 0 replies; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-18 21:12 UTC (permalink / raw)
  To: Martin Elshuber; +Cc: Jérôme Pouiller, buildroot

Martin, All,

On 2021-09-13 16:26 +0200, Martin Elshuber spake thusly:
> The AKA backend for 3GPP2 requires libgmp (see
> https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf). Since
> the AKA backend for 3GPP2 is included by BR2_PACKAGE_STRONGSWAN_EAP,
> when selecting a crypto backend different from
> BR2_PACKAGE_STRONGSWAN_GMP, there is no guarantee the gmp package is
> selected as well. When doing so, make fails since the package is in the
> dependency chain but not selected:
> 
>   $ make
>   Makefile:585: *** gmp is in the dependency chain of strongswan that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in.  Stop.
>   make: *** [Makefile:23: _all] Error 2
> 
> To fix this, select BR2_PACKAGE_GMP when selecting BR2_PACKAGE_STRONGSWAN_EAP.
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>

Applied to master, thanks.

I was a bit confused as to what would happen if both gmp and another
crypto backend were used together, but there are explicit options to
select each of them at ./configure time, so it seems it should be OK, I
guess...

Regards,
Yann E. MORIN.

> ---
>  package/strongswan/Config.in | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 47c7107f59..368cd1ecc0 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -75,6 +75,7 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>  
>  config BR2_PACKAGE_STRONGSWAN_EAP
>  	bool "Enable EAP protocols"
> +	select BR2_PACKAGE_GMP
>  	help
>  	  Enable various EAP protocols:
>  	    - mschapv2
> -- 
> 2.30.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins
  2021-09-18 21:06   ` Yann E. MORIN
@ 2021-09-20 15:14     ` Martin Elshuber
  0 siblings, 0 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-20 15:14 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Jérôme Pouiller, buildroot



Hi Yann, All,

thanks for the feedback.

On 18/09/2021 23:06, Yann E. MORIN wrote:
> Martin, All,
>
> On 2021-09-13 16:26 +0200, Martin Elshuber spake thusly:
>> Add options to chose EAP plugins.
>>
>> Since the only plugin requiring libgmp is
>> BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
>> is moved down accordingly.
>>
>> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
>> ---
>>  package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
>>  package/strongswan/strongswan.mk | 36 ++++++-------
>>  2 files changed, 87 insertions(+), 38 deletions(-)
>>
>> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
>> index 368cd1ecc0..77d437d7d9 100644
>> --- a/package/strongswan/Config.in
>> +++ b/package/strongswan/Config.in
>> @@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>>  
>>  config BR2_PACKAGE_STRONGSWAN_EAP
>>  	bool "Enable EAP protocols"
> If I understand correctly, BR2_PACKAGE_STRONGSWAN_EAP no drives no
> option directly, right? As such, it can be moved to legacy, and
> then [...]

Correct. Will update

>> -	select BR2_PACKAGE_GMP
>> -	help
>> -	  Enable various EAP protocols:
>> -	    - mschapv2
>> -	    - tls
>> -	    - ttls
>> -	    - peap
>> -	    - sim
>> -	    - sim-file
>> -	    - aka
>> -	    - aka-3gpp2
>> -	    - simaka-sql
>> -	    - simaka-pseudonym
>> -	    - simaka-reauth
>> -		    - identity
>> -	    - md5
>> -	    - gtc
>> -	    - tnc
>> -	    - dynamic
>> -	    - radius
>>  
>>  if BR2_PACKAGE_STRONGSWAN_EAP
>>  
>> +config BR2_PACKAGE_STRONGSWAN_EAP_SIM
>> +	bool "Enable EAP-SIM"
>> +	default y
> [...] each individual EAP option would have a conditional default:
>
>     default y if BR2_PACKAGE_STRONGSWAN_EAP  # legacy
>
> This would have the added benefit that, when we eventually get rid of
> the legacy entry, we can also get rid of the legacy default.

Ack. However I am not sure if you want to get rid of the defaults in 
the future, since it might introduce a pitfall for the person configuring
strongswan. But that is a problem for another day :).

>
> [--SNIP--]
>> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
>> index 322abfbd7b..ebfa1a11f3 100644
>> --- a/package/strongswan/strongswan.mk
>> +++ b/package/strongswan/strongswan.mk
>> @@ -48,30 +48,30 @@ endif
>>  
>>  ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)
>>  STRONGSWAN_CONF_OPTS += \
>> -	--enable-eap-sim \
>> -	--enable-eap-sim-file \
>> -	--enable-eap-aka \
>> -	--enable-eap-aka-3gpp2 \
>> -	--enable-eap-simaka-sql \
>> -	--enable-eap-simaka-pseudonym \
>> -	--enable-eap-simaka-reauth \
>> -	--enable-eap-identity \
>> -	--enable-eap-md5 \
>> -	--enable-eap-gtc \
>> -	--enable-eap-mschapv2 \
>> -	--enable-eap-tls \
>> -	--enable-eap-ttls \
>> -	--enable-eap-peap \
>> -	--enable-eap-tnc \
>> -	--enable-eap-dynamic \
>> -	--enable-eap-radius
>> -STRONGSWAN_DEPENDENCIES += gmp
>> +	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
>> +	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
>> +	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
>> +	--enable-eap-aka-3gpp2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),yes,no) \
>> +	--enable-eap-simaka-sql=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL),yes,no) \
>> +	--enable-eap-simaka-pseudonym=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM),yes,no) \
>> +	--enable-eap-simaka-reauth=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH),yes,no) \
>> +	--enable-eap-identity=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY),yes,no) \
>> +	--enable-eap-md5=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MD5),yes,no) \
>> +	--enable-eap-gtc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_GTC),yes,no) \
>> +	--enable-eap-mschapv2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2),yes,no) \
>> +	--enable-eap-tls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TLS),yes,no) \
>> +	--enable-eap-ttls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TTLS),yes,no) \
>> +	--enable-eap-peap=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_PEAP),yes,no) \
>> +	--enable-eap-tnc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TNC),yes,no) \
>> +	--enable-eap-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC),yes,no) \
>> +	--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)
>>  endif
> And indeed, from the above list, BR2_PACKAGE_STRONGSWAN_EAP by itself no
> longer means anything; setting it to 'n' does not even forces all
> sub-options to 'no', but leaves them to their default value (as was the
> case previously, though, so not a regression).
>
> I think this ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y) can be dropped
> altogether, now.

It can. Will move the whole block into the general 
  STRONGSWAN_CONF_OPTS = {...} block

>
> Unless I missed something?

I guess no.

>
> Regards,
> Yann E. MORIN.
>
>>  STRONGSWAN_DEPENDENCIES += \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \
>> +	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
>>  	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
>> -- 
>> 2.30.2
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@lists.buildroot.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.buildroot.org_mailman_listinfo_buildroot&d=DwIBaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=WUaTHm7595mhxO1H3AMKtTdzXTgwvezJrC62UXYMTfsy0k4SqBTM2mfmbqYdqwva&m=4FTeZDHlQL1GQdkl2pRk8-ZlLhvtYhPEPMLF24oTSBs&s=wWkgHAeyK-THzsFI1NUPxoJcZAcdAN1PYD3Y2geLV18&e= 



* [Buildroot] [PATCH v2 1/2] package/strongswan: Add options to select EAP plugins
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
  2021-09-18 21:06   ` Yann E. MORIN
@ 2021-09-20 15:28   ` Martin Elshuber
  2021-09-27 16:56     ` Arnout Vandecappelle
  2021-09-28 20:47     ` Yann E. MORIN
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option Martin Elshuber
  2 siblings, 2 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-20 15:28 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E . MORIN, Jérôme Pouiller, Martin Elshuber

Add options to choose EAP plugins.

Since the only plugin requiring libgmp is
BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
is moved down accordingly.

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>

---
Changes v1 -> v2:
  - use conditional defaults and mark as legacy
  - drop 'ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)'
  - fix title for BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
---
 package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
 package/strongswan/strongswan.mk | 40 +++++++-------
 2 files changed, 87 insertions(+), 42 deletions(-)

diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 368cd1ecc0..8eae568b6a 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 
 config BR2_PACKAGE_STRONGSWAN_EAP
 	bool "Enable EAP protocols"
-	select BR2_PACKAGE_GMP
-	help
-	  Enable various EAP protocols:
-	    - mschapv2
-	    - tls
-	    - ttls
-	    - peap
-	    - sim
-	    - sim-file
-	    - aka
-	    - aka-3gpp2
-	    - simaka-sql
-	    - simaka-pseudonym
-	    - simaka-reauth
-	    - identity
-	    - md5
-	    - gtc
-	    - tnc
-	    - dynamic
-	    - radius
 
 if BR2_PACKAGE_STRONGSWAN_EAP
 
+config BR2_PACKAGE_STRONGSWAN_EAP_SIM
+	bool "Enable EAP-SIM"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE
+	bool "Enable EAP-SIM file backend"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
 config BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC
 	bool "Enable EAP-SIM smart card backend"
 	depends on !BR2_STATIC_LIBS # pcsc-lite
 	select BR2_PACKAGE_PCSC_LITE
 
+config BR2_PACKAGE_STRONGSWAN_EAP_AKA
+	bool "Enable EAP-AKA"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2
+	bool "Enable EAP-AKA 3GPP2 algorithms"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+	select BR2_PACKAGE_GMP
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL
+	bool "Enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM
+	bool "Enable EAP-SIM/AKA pseudonym storage"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH
+	bool "Enable EAP-SIM/AKA reauthentication data storage"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY
+	bool "Enable EAP-Identity"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_MD5
+	bool "Enable EAP-MD5"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_GTC
+	bool "Enable EAP-GDC"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
+	bool "Enable EAP-MSCHAPv2"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
+	bool "Enable EAP-PEAP"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_RADIUS
+	bool "Enable EAP-RADIUS"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TLS
+	bool "Enable EAP-TLS"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TTLS
+	bool "Enable EAP-TTLS"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
+	bool "Enable EAP-DYNAMIC"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
+config BR2_PACKAGE_STRONGSWAN_EAP_TNC
+	bool "Enable EAP-TNC"
+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+
 endif
 
 config BR2_PACKAGE_STRONGSWAN_UNITY
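Review bot: Every `default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy` added here sits inside the `if BR2_PACKAGE_STRONGSWAN_EAP` ... `endif` block, where the condition is always true, so it behaves exactly like the plain `default y` of v1. The changelog says the option is marked as legacy, but this hunk still defines `config BR2_PACKAGE_STRONGSWAN_EAP` as a normal prompt, and no legacy entry is visible in this posting. Either keep the `if` block with an unconditional `default y`, or drop the `if`/`endif` and the prompt here and add the symbol to the legacy options, so that the conditional default can take effect for old configurations.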
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 322abfbd7b..5fb4e6821a 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -37,6 +37,23 @@ STRONGSWAN_CONF_OPTS += \
 	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
+	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
+	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
+	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
+	--enable-eap-aka-3gpp2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),yes,no) \
+	--enable-eap-simaka-sql=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL),yes,no) \
+	--enable-eap-simaka-pseudonym=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM),yes,no) \
+	--enable-eap-simaka-reauth=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH),yes,no) \
+	--enable-eap-identity=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY),yes,no) \
+	--enable-eap-md5=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MD5),yes,no) \
+	--enable-eap-gtc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_GTC),yes,no) \
+	--enable-eap-mschapv2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2),yes,no) \
+	--enable-eap-tls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TLS),yes,no) \
+	--enable-eap-ttls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TTLS),yes,no) \
+	--enable-eap-peap=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_PEAP),yes,no) \
+	--enable-eap-tnc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TNC),yes,no) \
+	--enable-eap-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC),yes,no) \
+	--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)
 	--with-ipseclibdir=/usr/lib \
 	--with-plugindir=/usr/lib/ipsec/plugins \
 	--with-imcvdir=/usr/lib/ipsec/imcvs \
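Review bot: The last added line, `--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)`, has no trailing backslash, so the STRONGSWAN_CONF_OPTS continuation ends there and the following `--with-ipseclibdir=/usr/lib \` lines are no longer part of the assignment. Make will most likely stop with an error on the tab-indented lines that follow, and in any case the `--with-*` options no longer reach configure. Append the continuation: `--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no) \`. The assignment starts before and ends after this hunk.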
@@ -46,32 +63,11 @@ ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
 STRONGSWAN_CONF_ENV += LIBS='-latomic'
 endif
 
-ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)
-STRONGSWAN_CONF_OPTS += \
-	--enable-eap-sim \
-	--enable-eap-sim-file \
-	--enable-eap-aka \
-	--enable-eap-aka-3gpp2 \
-	--enable-eap-simaka-sql \
-	--enable-eap-simaka-pseudonym \
-	--enable-eap-simaka-reauth \
-	--enable-eap-identity \
-	--enable-eap-md5 \
-	--enable-eap-gtc \
-	--enable-eap-mschapv2 \
-	--enable-eap-tls \
-	--enable-eap-ttls \
-	--enable-eap-peap \
-	--enable-eap-tnc \
-	--enable-eap-dynamic \
-	--enable-eap-radius
-STRONGSWAN_DEPENDENCIES += gmp
-endif
-
 STRONGSWAN_DEPENDENCIES += \
 	$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \
+	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
-- 
2.30.2


* [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option
  2021-09-13 14:26 ` [Buildroot] [PATCH 2/3] package/strongswan: Add options to select EAP plugins Martin Elshuber
  2021-09-18 21:06   ` Yann E. MORIN
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 1/2] " Martin Elshuber
@ 2021-09-20 15:28   ` Martin Elshuber
  2021-09-27 17:00     ` Arnout Vandecappelle
  2021-09-28 20:47     ` Yann E. MORIN
  2 siblings, 2 replies; 15+ messages in thread
From: Martin Elshuber @ 2021-09-20 15:28 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E . MORIN, Jérôme Pouiller, Martin Elshuber

Add the option to enable the md4 hash algorithm and default it to 'no'
since this is a new option.

Since md4 is required by EAP-MSCHAPv2 it is selected by
BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
further details.

---
Changes v1 -> v2:
- change git title

Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
---
 package/strongswan/Config.in     | 4 ++++
 package/strongswan/strongswan.mk | 1 +
 2 files changed, 5 insertions(+)

diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index 8eae568b6a..21f84ebb71 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
 config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
 	bool "Enable dynamic TNCCS protocol discovery module"
 
+config BR2_PACKAGE_STRONGSWAN_MD4
+	bool "Enable MD4 hash algorithm"
+
 config BR2_PACKAGE_STRONGSWAN_EAP
 	bool "Enable EAP protocols"
 
@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
 config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
 	bool "Enable EAP-MSCHAPv2"
 	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
+	select BR2_PACKAGE_STRONGSWAN_MD4
 
 config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
 	bool "Enable EAP-PEAP"
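Review bot: The `select BR2_PACKAGE_STRONGSWAN_MD4` added to BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2 sits directly under `default y if BR2_PACKAGE_STRONGSWAN_EAP`, so MD4 ends up built in every configuration that enables EAP and keeps the sub-option defaults, even though the new symbol has no default of its own. Neither symbol has help text explaining that link, and MD4 is a broken hash that an integrator auditing the image will want to find quickly. I would add a `help` block to BR2_PACKAGE_STRONGSWAN_MD4 (declared in the preceding hunk) saying that MD4 is cryptographically weak, is required by EAP-MSCHAPv2, and is selected automatically by that option. I would also annotate the select as `select BR2_PACKAGE_STRONGSWAN_MD4 # required by EAP-MSCHAPv2`.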
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 5fb4e6821a..c308d3a4f3 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
 	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
 	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
+	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
 	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
 	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
 	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
-- 
2.30.2


* Re: [Buildroot] [PATCH v2 1/2] package/strongswan: Add options to select EAP plugins
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 1/2] " Martin Elshuber
@ 2021-09-27 16:56     ` Arnout Vandecappelle
  2021-09-27 17:21       ` Yann E. MORIN
  2021-09-28 20:47     ` Yann E. MORIN
  1 sibling, 1 reply; 15+ messages in thread
From: Arnout Vandecappelle @ 2021-09-27 16:56 UTC (permalink / raw)
  To: Martin Elshuber, buildroot; +Cc: Yann E . MORIN, Jérôme Pouiller



On 20/09/2021 17:28, Martin Elshuber wrote:
> Add options to chose EAP plugins.
> 
> Since the only plugin requiring libgmp is
> BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
> is moved down accordingly.
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> 
> ---
> Changes v1 -> v2:
>    - use conditional defaults and mark as legacy
>    - drop 'ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)'
>    - fix title for BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> ---
>   package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
>   package/strongswan/strongswan.mk | 40 +++++++-------
>   2 files changed, 87 insertions(+), 42 deletions(-)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 368cd1ecc0..8eae568b6a 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>   
>   config BR2_PACKAGE_STRONGSWAN_EAP
>   	bool "Enable EAP protocols"
> -	select BR2_PACKAGE_GMP
> -	help
> -	  Enable various EAP protocols:
> -	    - mschapv2
> -	    - tls
> -	    - ttls
> -	    - peap
> -	    - sim
> -	    - sim-file
> -	    - aka
> -	    - aka-3gpp2
> -	    - simaka-sql
> -	    - simaka-pseudonym
> -	    - simaka-reauth
> -	    - identity
> -	    - md5
> -	    - gtc
> -	    - tnc
> -	    - dynamic
> -	    - radius
>   
>   if BR2_PACKAGE_STRONGSWAN_EAP
>   
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIM
> +	bool "Enable EAP-SIM"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy

  This is already inside if BR2_PACKAGE_STRONGSWAN_EAP, so the condition on the 
default is meaningless. Yann said something about this legacy stuff which I 
don't quite follow, since the BR2_PACKAGE_STRONGSWAN_EAP is not legacy. Yann, 
did you mean that BR2_PACKAGE_STRONGSWAN_EAP should be removed (i.e. moved to 
Config.in.legacy), or was it a mistake?


  Regards,
  Arnout

[snip]

* Re: [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option Martin Elshuber
@ 2021-09-27 17:00     ` Arnout Vandecappelle
  2021-09-28 20:26       ` Yann E. MORIN
  2021-09-28 20:47     ` Yann E. MORIN
  1 sibling, 1 reply; 15+ messages in thread
From: Arnout Vandecappelle @ 2021-09-27 17:00 UTC (permalink / raw)
  To: Martin Elshuber, buildroot; +Cc: Yann E . MORIN, Jérôme Pouiller



On 20/09/2021 17:28, Martin Elshuber wrote:
> Add the option to enable the md4 hash algorithm and default it to 'no'
> since this is a new option.
> 
> Since md4 is required by EAP-MSCHAPv2 it is selected by
> BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
> https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
> further details.
> 
> ---
> Changes v1 -> v2:
> - change git title
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> ---
>   package/strongswan/Config.in     | 4 ++++
>   package/strongswan/strongswan.mk | 1 +
>   2 files changed, 5 insertions(+)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 8eae568b6a..21f84ebb71 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
>   config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>   	bool "Enable dynamic TNCCS protocol discovery module"
>   
> +config BR2_PACKAGE_STRONGSWAN_MD4
> +	bool "Enable MD4 hash algorithm"
> +
>   config BR2_PACKAGE_STRONGSWAN_EAP
>   	bool "Enable EAP protocols"
>   
> @@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
>   config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
>   	bool "Enable EAP-MSCHAPv2"
>   	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +	select BR2_PACKAGE_STRONGSWAN_MD4

  This md4 option makes me realize: do we really want to add options for broken 
security in a security package? OpenSSL has just deprecated MD4 in 3.0.0.

  Regards,
  Arnout

>   
>   config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
>   	bool "Enable EAP-PEAP"
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index 5fb4e6821a..c308d3a4f3 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
>   	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>   	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>   	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> +	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
>   	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
>   	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
>   	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> 

* Re: [Buildroot] [PATCH v2 1/2] package/strongswan: Add options to select EAP plugins
  2021-09-27 16:56     ` Arnout Vandecappelle
@ 2021-09-27 17:21       ` Yann E. MORIN
  0 siblings, 0 replies; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-27 17:21 UTC (permalink / raw)
  To: Arnout Vandecappelle
  Cc: buildroot, Jérôme Pouiller, Martin Elshuber

Arnout, Martin, All,

On 2021-09-27 18:56 +0200, Arnout Vandecappelle spake thusly:
> On 20/09/2021 17:28, Martin Elshuber wrote:
> >Add options to chose EAP plugins.
> >
> >Since the only plugin requiring libgmp is
> >BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
> >is moved down accordingly.
> >
> >Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> >
> >---
> >Changes v1 -> v2:
> >   - use conditional defaults and mark as legacy
> >   - drop 'ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)'
> >   - fix title for BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
> >
> >Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> >---
> >  package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
> >  package/strongswan/strongswan.mk | 40 +++++++-------
> >  2 files changed, 87 insertions(+), 42 deletions(-)
> >
> >diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> >index 368cd1ecc0..8eae568b6a 100644
> >--- a/package/strongswan/Config.in
> >+++ b/package/strongswan/Config.in
> >@@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
> >  config BR2_PACKAGE_STRONGSWAN_EAP
> >  	bool "Enable EAP protocols"
> >-	select BR2_PACKAGE_GMP
> >-	help
> >-	  Enable various EAP protocols:
> >-	    - mschapv2
> >-	    - tls
> >-	    - ttls
> >-	    - peap
> >-	    - sim
> >-	    - sim-file
> >-	    - aka
> >-	    - aka-3gpp2
> >-	    - simaka-sql
> >-	    - simaka-pseudonym
> >-	    - simaka-reauth
> >-	    - identity
> >-	    - md5
> >-	    - gtc
> >-	    - tnc
> >-	    - dynamic
> >-	    - radius
> >  if BR2_PACKAGE_STRONGSWAN_EAP
> >+config BR2_PACKAGE_STRONGSWAN_EAP_SIM
> >+	bool "Enable EAP-SIM"
> >+	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> 
>  This is already inside if BR2_PACKAGE_STRONGSWAN_EAP, so the condition on
> the default is meaningless. Yann said something about this legacy stuff
> which I don't quite follow, since the BR2_PACKAGE_STRONGSWAN_EAP is not
> legacy. Yann, did you mean that BR2_PACKAGE_STRONGSWAN_EAP should be removed
> (i.e. moved to Config.in.legacy), or was it a mistake?

Yes, BR2_PACKAGE_STRONGSWAN_EAP should be moved to legacy, i.e. to
Config.in.legacy. Sorry, I was not so clear in my previous review...

My understanding is that, with this change, BR2_PACKAGE_STRONGSWAN_EAP
by itself will no longer enable/disable anything; only the new
sub-options will.

As such, BR2_PACKAGE_STRONGSWAN_EAP serves no other purpose than to
hide/show a bunch of options; this is superfluous. Hence, my suggestion
to move it to legacy.

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> [snip]

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option
  2021-09-27 17:00     ` Arnout Vandecappelle
@ 2021-09-28 20:26       ` Yann E. MORIN
  0 siblings, 0 replies; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-28 20:26 UTC (permalink / raw)
  To: Arnout Vandecappelle
  Cc: buildroot, Jérôme Pouiller, Martin Elshuber

Arnout, All,

On 2021-09-27 19:00 +0200, Arnout Vandecappelle spake thusly:
> On 20/09/2021 17:28, Martin Elshuber wrote:
> >Add the option to enable the md4 hash algorithm and default it to 'no'
> >since this is a new option.
> >
> >Since md4 is required by EAP-MSCHAPv2 it is selected by
> >BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
> >https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
> >further details.
> >
> >---
> >Changes v1 -> v2:
> >- change git title
> >
> >Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> >---
> >  package/strongswan/Config.in     | 4 ++++
> >  package/strongswan/strongswan.mk | 1 +
> >  2 files changed, 5 insertions(+)
> >
> >diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> >index 8eae568b6a..21f84ebb71 100644
> >--- a/package/strongswan/Config.in
> >+++ b/package/strongswan/Config.in
> >@@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
> >  config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
> >  	bool "Enable dynamic TNCCS protocol discovery module"
> >+config BR2_PACKAGE_STRONGSWAN_MD4
> >+	bool "Enable MD4 hash algorithm"
> >+
> >  config BR2_PACKAGE_STRONGSWAN_EAP
> >  	bool "Enable EAP protocols"
> >@@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
> >  config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
> >  	bool "Enable EAP-MSCHAPv2"
> >  	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> >+	select BR2_PACKAGE_STRONGSWAN_MD4
> 
>  This md4 option makes me realize: do we really want to add options for
> broken security in a security package? OpenSSL has just deprecated MD4 in
> 3.0.0.

Well, there is a nice side effect to adding the md4 option: it is
selected by EAP-MSCHAPv2, so a user that is concerned about the use of
md4 will notice that they should also disable EAP-MSCHAPv2.

If we do not add this option, it is forcibly enabled by strongswan when
EAP-MSCHAPv2 is enabled, so this is hidden to the user...

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> >  config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
> >  	bool "Enable EAP-PEAP"
> >diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> >index 5fb4e6821a..c308d3a4f3 100644
> >--- a/package/strongswan/strongswan.mk
> >+++ b/package/strongswan/strongswan.mk
> >@@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
> >  	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> >  	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
> >  	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> >+	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
> >  	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
> >  	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
> >  	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> >
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH v2 1/2] package/strongswan: Add options to select EAP plugins
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 1/2] " Martin Elshuber
  2021-09-27 16:56     ` Arnout Vandecappelle
@ 2021-09-28 20:47     ` Yann E. MORIN
  1 sibling, 0 replies; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-28 20:47 UTC (permalink / raw)
  To: Martin Elshuber; +Cc: Jérôme Pouiller, buildroot

Martin, All,

On 2021-09-20 17:28 +0200, Martin Elshuber spake thusly:
> Add options to chose EAP plugins.
> 
> Since the only plugin requiring libgmp is
> BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2, the selection of BR2_PACKAGE_GMP
> is moved down accordingly.
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>

Applied to master with the following changes:

  - move BR2_PACKAGE_STRONGSWAN_EAP to legacy
  - extend commit log accordingly
  - fix check-package:
        package/strongswan/strongswan.mk:57: unexpected indent with tabs

Thanks!

Regards,
Yann E. MORIN.

    
> ---
> Changes v1 -> v2:
>   - use conditional defaults and mark as legacy
>   - drop 'ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)'
>   - fix title for BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> ---
>  package/strongswan/Config.in     | 89 +++++++++++++++++++++++++-------
>  package/strongswan/strongswan.mk | 40 +++++++-------
>  2 files changed, 87 insertions(+), 42 deletions(-)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 368cd1ecc0..8eae568b6a 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -75,34 +75,83 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>  
>  config BR2_PACKAGE_STRONGSWAN_EAP
>  	bool "Enable EAP protocols"
> -	select BR2_PACKAGE_GMP
> -	help
> -	  Enable various EAP protocols:
> -	    - mschapv2
> -	    - tls
> -	    - ttls
> -	    - peap
> -	    - sim
> -	    - sim-file
> -	    - aka
> -	    - aka-3gpp2
> -	    - simaka-sql
> -	    - simaka-pseudonym
> -	    - simaka-reauth
> -	    - identity
> -	    - md5
> -	    - gtc
> -	    - tnc
> -	    - dynamic
> -	    - radius
>  
>  if BR2_PACKAGE_STRONGSWAN_EAP
>  
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIM
> +	bool "Enable EAP-SIM"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE
> +	bool "Enable EAP-SIM file backend"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
>  config BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC
>  	bool "Enable EAP-SIM smart card backend"
>  	depends on !BR2_STATIC_LIBS # pcsc-lite
>  	select BR2_PACKAGE_PCSC_LITE
>  
> +config BR2_PACKAGE_STRONGSWAN_EAP_AKA
> +	bool "Enable EAP-AKA"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2
> +	bool "Enable EAP-AKA 3GPP2 algorithms"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +	select BR2_PACKAGE_GMP
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL
> +	bool "Enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM
> +	bool "Enable EAP-SIM/AKA pseudonym storage"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH
> +	bool "Enable EAP-SIM/AKA reauthentication data storage"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY
> +	bool "Enable EAP-Identity"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_MD5
> +	bool "Enable EAP-MD5"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_GTC
> +	bool "Enable EAP-GDC"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
> +	bool "Enable EAP-MSCHAPv2"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
> +	bool "Enable EAP-PEAP"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_RADIUS
> +	bool "Enable EAP-RADIUS"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_TLS
> +	bool "Enable EAP-TLS"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_TTLS
> +	bool "Enable EAP-TTLS"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
> +	bool "Enable EAP-DYNAMIC"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
> +config BR2_PACKAGE_STRONGSWAN_EAP_TNC
> +	bool "Enable EAP-TNC"
> +	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +
>  endif
>  
>  config BR2_PACKAGE_STRONGSWAN_UNITY
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index 322abfbd7b..5fb4e6821a 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -37,6 +37,23 @@ STRONGSWAN_CONF_OPTS += \
>  	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>  	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>  	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> +	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
> +	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
> +	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> +	--enable-eap-aka-3gpp2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),yes,no) \
> +	--enable-eap-simaka-sql=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL),yes,no) \
> +	--enable-eap-simaka-pseudonym=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM),yes,no) \
> +	--enable-eap-simaka-reauth=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH),yes,no) \
> +	--enable-eap-identity=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY),yes,no) \
> +	--enable-eap-md5=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MD5),yes,no) \
> +	--enable-eap-gtc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_GTC),yes,no) \
> +	--enable-eap-mschapv2=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2),yes,no) \
> +	--enable-eap-tls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TLS),yes,no) \
> +	--enable-eap-ttls=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TTLS),yes,no) \
> +	--enable-eap-peap=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_PEAP),yes,no) \
> +	--enable-eap-tnc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_TNC),yes,no) \
> +	--enable-eap-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC),yes,no) \
> +	--enable-eap-radius=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_RADIUS),yes,no)
>  	--with-ipseclibdir=/usr/lib \
>  	--with-plugindir=/usr/lib/ipsec/plugins \
>  	--with-imcvdir=/usr/lib/ipsec/imcvs \
> @@ -46,32 +63,11 @@ ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
>  STRONGSWAN_CONF_ENV += LIBS='-latomic'
>  endif
>  
> -ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y)
> -STRONGSWAN_CONF_OPTS += \
> -	--enable-eap-sim \
> -	--enable-eap-sim-file \
> -	--enable-eap-aka \
> -	--enable-eap-aka-3gpp2 \
> -	--enable-eap-simaka-sql \
> -	--enable-eap-simaka-pseudonym \
> -	--enable-eap-simaka-reauth \
> -	--enable-eap-identity \
> -	--enable-eap-md5 \
> -	--enable-eap-gtc \
> -	--enable-eap-mschapv2 \
> -	--enable-eap-tls \
> -	--enable-eap-ttls \
> -	--enable-eap-peap \
> -	--enable-eap-tnc \
> -	--enable-eap-dynamic \
> -	--enable-eap-radius
> -STRONGSWAN_DEPENDENCIES += gmp
> -endif
> -
>  STRONGSWAN_DEPENDENCIES += \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \
> +	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2),gmp) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
>  	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
> -- 
> 2.30.2
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option
  2021-09-20 15:28   ` [Buildroot] [PATCH v2 2/2] package/strongswan: add md4 hash algorithm option Martin Elshuber
  2021-09-27 17:00     ` Arnout Vandecappelle
@ 2021-09-28 20:47     ` Yann E. MORIN
  1 sibling, 0 replies; 15+ messages in thread
From: Yann E. MORIN @ 2021-09-28 20:47 UTC (permalink / raw)
  To: Martin Elshuber; +Cc: Jérôme Pouiller, buildroot

Martin, All,

On 2021-09-20 17:28 +0200, Martin Elshuber spake thusly:
> Add the option to enable the md4 hash algorithm and default it to 'no'
> since this is a new option.
> 
> Since md4 is required by EAP-MSCHAPv2 it is selected by
> BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2. See
> https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf for
> further details.

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> Changes v1 -> v2:
> - change git title
> 
> Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
> ---
>  package/strongswan/Config.in     | 4 ++++
>  package/strongswan/strongswan.mk | 1 +
>  2 files changed, 5 insertions(+)
> 
> diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
> index 8eae568b6a..21f84ebb71 100644
> --- a/package/strongswan/Config.in
> +++ b/package/strongswan/Config.in
> @@ -73,6 +73,9 @@ config BR2_PACKAGE_STRONGSWAN_TNCCS_20
>  config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
>  	bool "Enable dynamic TNCCS protocol discovery module"
>  
> +config BR2_PACKAGE_STRONGSWAN_MD4
> +	bool "Enable MD4 hash algorithm"
> +
>  config BR2_PACKAGE_STRONGSWAN_EAP
>  	bool "Enable EAP protocols"
>  
> @@ -127,6 +130,7 @@ config BR2_PACKAGE_STRONGSWAN_EAP_GTC
>  config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
>  	bool "Enable EAP-MSCHAPv2"
>  	default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
> +	select BR2_PACKAGE_STRONGSWAN_MD4
>  
>  config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
>  	bool "Enable EAP-PEAP"
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index 5fb4e6821a..c308d3a4f3 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -37,6 +37,7 @@ STRONGSWAN_CONF_OPTS += \
>  	--enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>  	--enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \
>  	--enable-wolfssl=$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),yes,no) \
> +	--enable-md4=$(if $(BR2_PACKAGE_STRONGSWAN_MD4),yes,no) \
>  	--enable-eap-sim=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM),yes,no) \
>  	--enable-eap-sim-file=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE),yes,no) \
>  	--enable-eap-aka=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_AKA),yes,no) \
> -- 
> 2.30.2
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation
  2021-09-13 14:26 [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Martin Elshuber
                   ` (2 preceding siblings ...)
  2021-09-18 21:12 ` [Buildroot] [PATCH 1/3] package/strongswan: fix broken dependency relation Yann E. MORIN
@ 2021-10-04 11:09 ` Peter Korsgaard
  3 siblings, 0 replies; 15+ messages in thread
From: Peter Korsgaard @ 2021-10-04 11:09 UTC (permalink / raw)
  To: Martin Elshuber; +Cc: Jérôme Pouiller, buildroot

>>>>> "Martin" == Martin Elshuber <martin.elshuber@theobroma-systems.com> writes:

 > The AKA backend for 3GPP2 requires libgmp (see
 > https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf). Since
 > the AKA backend for 3GPP2 is included by BR2_PACKAGE_STRONGSWAN_EAP,
 > when selecting a crypto backend different from
 > BR2_PACKAGE_STRONGSWAN_GMP, there is no guarantee the gmp package is
 > selected as well. When doing so, make fails since the package is in the
 > dependency chain but not selected:

 >   $ make
 >   Makefile:585: *** gmp is in the dependency chain of strongswan that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in.  Stop.
 >   make: *** [Makefile:23: _all] Error 2

 > To fix this, select BR2_PACKAGE_GMP when selecting BR2_PACKAGE_STRONGSWAN_EAP.

 > Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>

Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.

-- 
Bye, Peter Korsgaard
