libreswan: reduce crypto deps#29313
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR reduces kernel crypto module dependencies for the libreswan OpenWrt package, removing algorithms/modules deemed obsolete or irrelevant to typical IPSec usage.
Changes:
- Bumped
PKG_RELEASEto reflect dependency changes. - Removed several
kmod-crypto-*dependencies (e.g.,aead,ccm,cts,md4,rng, etc.). - Kept a narrower set of crypto modules commonly used by IPSec (e.g.,
gcm,sha256,chacha20poly1305).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
LGTM |
|
I see some of those dependencies are also used in strongswan. Can we remove it from there, too? |
ARC4, MD4, CTS, CBC, CCM etc. are all deprecated or slated to be. I say having fewer choices limits interoperability, but it also saves the user from making poor (weak) choices or in the case of CBC, no integrity checks. |
|
ping @neheb |
This comment was marked as spam.
This comment was marked as spam.
|
No one seems to object so I'm merging. |
This comment was marked as spam.
This comment was marked as spam.
We have received numerous complaints about your comments and behaviour in the OpenWrt organisation repos. Your behaviour is demotivating contributors and reviewers who donate their free time to keep this project going forward. So, please consider this a formal warning requesting you to change your behaviour and be a positive contributor to this project. In case your behaviour continues being negative towards others trying to contribute in whatever way they can: So, I urge you to contribute in a positive way as I and the rest of the team DO NOT practice blocking people but you will leave no choice. Regards, |
|
Related: openwrt/openwrt#23236 Specifically commit 4. |
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as resolved.
This comment was marked as resolved.
|
For what it's worth, I've not taken umbrage to any of the comments I've seen and I'm happy for any feedback. |
|
@Thermi Even if the use of |
This comment was marked as spam.
This comment was marked as spam.
It was for @Neustradamus, sorry for the confusion, keep up the good work |
|
Then the native md4 module can still be used
On May 25, 2026 9:56:08 PM UTC, Philip Prindeville ***@***.***> wrote:
pprindeville left a comment (openwrt/packages#29313)
@Thermi Even if the use of `MD4` isn't insecure in this case, for instance, my concern is that including it might force "weak" builds of Openssl that don't satisfy FIPS-140.2 or FIPS-140.3 standards because of their presence.
--
Reply to this email directly or view it on GitHub:
#29313 (comment)
You are receiving this because you were mentioned.
Message ID: ***@***.***>
--
Sent from mobile. Please excuse any typos or brevity
|
|
@GeorgeSapkin Do we want to add a |
|
@pprindeville I don't use any of these packages, so I don't have a strong opinion. My rule of the thumb is - build less with better defaults. If these are indeed insecure, why support them? There are enough security issues going around as is. People who want support for older stuff are free to use older firmware. And I'd check what the bigger Linux distros like Fedora are doing. Perhaps those kmods shouldn't be built in the first place? For example, looks like this is the only md4 consumer: |
@GeorgeSapkin @lucize @Neustradamus: @Thermi pointed out that there are implementations out there that require legacy protocols (I guess just Windows at this point), and that ARC/MD4 aren't congenitally insecure... it depends on how they are used. I've not gone down that rabbit-hole so I'll take Noel's word for it. |
|
@lucize: It looks like a |
|
There's something going on with packaging that I think needs to be addressed first: |
|
@GeorgeSapkin I don’t understand those warnings. The |
|
@jow-: Any idea why we're seeing the build breakage? |
|
Breathlessly waiting on the CI/CD pipeline... |
libreswan-iptables depends on firewall. Both firewall and firewall4 provide Both libreswan and libreswan-iptables provide |
Some of these are obsolete. Others like CTS make no sense for IPSec. Others are already selected by kmod-ipsec. Simplify the list. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Some of these are obsolete. Others like CTS make no sense for IPSec.
📦 Package Details
Maintainer: @lucize