Skip to content

libreswan: reduce crypto deps#29313

Open
neheb wants to merge 1 commit into
openwrt:masterfrom
neheb:n
Open

libreswan: reduce crypto deps#29313
neheb wants to merge 1 commit into
openwrt:masterfrom
neheb:n

Conversation

@neheb

@neheb neheb commented May 6, 2026

Copy link
Copy Markdown
Contributor

Some of these are obsolete. Others like CTS make no sense for IPSec.

📦 Package Details

Maintainer: @lucize

@BKPepe BKPepe requested a review from Copilot May 6, 2026 06:02

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR reduces kernel crypto module dependencies for the libreswan OpenWrt package, removing algorithms/modules deemed obsolete or irrelevant to typical IPSec usage.

Changes:

  • Bumped PKG_RELEASE to reflect dependency changes.
  • Removed several kmod-crypto-* dependencies (e.g., aead, ccm, cts, md4, rng, etc.).
  • Kept a narrower set of crypto modules commonly used by IPSec (e.g., gcm, sha256, chacha20poly1305).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread net/libreswan/Makefile Outdated
Comment thread net/libreswan/Makefile Outdated
@lucize

lucize commented May 8, 2026

Copy link
Copy Markdown
Contributor

LGTM

@BKPepe

BKPepe commented May 10, 2026

Copy link
Copy Markdown
Member

I see some of those dependencies are also used in strongswan. Can we remove it from there, too?
cc: @pprindeville , @Thermi

@pprindeville

Copy link
Copy Markdown
Member

I see some of those dependencies are also used in strongswan. Can we remove it from there, too? cc: @pprindeville , @Thermi

ARC4, MD4, CTS, CBC, CCM etc. are all deprecated or slated to be. I say having fewer choices limits interoperability, but it also saves the user from making poor (weak) choices or in the case of CBC, no integrity checks.

@BKPepe

BKPepe commented May 24, 2026

Copy link
Copy Markdown
Member

ping @neheb

@pprindeville pprindeville left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Neustradamus

This comment was marked as spam.

@pprindeville

Copy link
Copy Markdown
Member

No one seems to object so I'm merging.

@Neustradamus

This comment was marked as spam.

@robimarko

Copy link
Copy Markdown
Contributor

@pprindeville: Have you seen my comment here: #29313 (comment)

To follow the talk in other good @pprindeville PR:

And @Thermi comments like this one:

@pprindeville has planned a "CONFIG_STRONGSWAN_INCLUDE_INSECURE" feature, it can be same logic for libreswan.

I have commented:

It is not possible to have separated features to disable/enable a specified protocol?

Users would like to disable or enable only one and not all unsecure protocols...

We have received numerous complaints about your comments and behaviour in the OpenWrt organisation repos.

Your behaviour is demotivating contributors and reviewers who donate their free time to keep this project going forward.

So, please consider this a formal warning requesting you to change your behaviour and be a positive contributor to this project.

In case your behaviour continues being negative towards others trying to contribute in whatever way they can:
WE WILL BE FORCED TO BLOCK YOU from the organisation as a whole.

So, I urge you to contribute in a positive way as I and the rest of the team DO NOT practice blocking people but you will leave no choice.

Regards,
Robert

@neheb

neheb commented May 25, 2026

Copy link
Copy Markdown
Contributor Author

Related: openwrt/openwrt#23236

Specifically commit 4.

@Neustradamus

This comment was marked as spam.

@pprindeville

This comment was marked as resolved.

@pprindeville

Copy link
Copy Markdown
Member

For what it's worth, I've not taken umbrage to any of the comments I've seen and I'm happy for any feedback.

@pprindeville

Copy link
Copy Markdown
Member

@Thermi Even if the use of MD4 isn't insecure in this case, for instance, my concern is that including it might force "weak" builds of Openssl that don't satisfy FIPS-140.2 or FIPS-140.3 standards because of their presence.

@Neustradamus

This comment was marked as spam.

@robimarko

robimarko commented May 25, 2026

Copy link
Copy Markdown
Contributor

We have received numerous complaints about your comments and behaviour in the OpenWrt organisation repos.

@robimarko I'm sorry, who is this addressed to? @Neustradamus? Or me?

It was for @Neustradamus, sorry for the confusion, keep up the good work

@Thermi

Thermi commented May 26, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville

Copy link
Copy Markdown
Member

@GeorgeSapkin Do we want to add a LIBRESWAN_INCLUDE_INSECURE flag?

@GeorgeSapkin

GeorgeSapkin commented May 28, 2026

Copy link
Copy Markdown
Member

@pprindeville I don't use any of these packages, so I don't have a strong opinion. My rule of the thumb is - build less with better defaults. If these are indeed insecure, why support them? There are enough security issues going around as is. People who want support for older stuff are free to use older firmware. And I'd check what the bigger Linux distros like Fedora are doing. Perhaps those kmods shouldn't be built in the first place?

For example, looks like this is the only md4 consumer:

@pprindeville

Copy link
Copy Markdown
Member

@pprindeville I don't use any of these packages, so I don't have a strong opinion. My rule of the thumb is - build less with better defaults. If these are indeed insecure, why support them? There are enough security issues going around as is. People who want support for older stuff are free to use older firmware. And I'd check what the bigger Linux distros like Fedora are doing. Perhaps those kmods shouldn't be built in the first place?

@GeorgeSapkin @lucize @Neustradamus: @Thermi pointed out that there are implementations out there that require legacy protocols (I guess just Windows at this point), and that ARC/MD4 aren't congenitally insecure... it depends on how they are used. I've not gone down that rabbit-hole so I'll take Noel's word for it.

@pprindeville

Copy link
Copy Markdown
Member

@lucize: It looks like a test-version.sh script is needed. Look at what @GeorgeSapkin did for strongswan.

@GeorgeSapkin

Copy link
Copy Markdown
Member

There's something going on with packaging that I think needs to be addressed first:


ERROR: unable to select packages:
  firewall4-2025.03.17~b6e51575-r2:
    conflicts: firewall-2025.10.03~3a65fde5-r2[uci-firewall=2025.03.17~b6e51575-r2]
    satisfies: world[firewall4]
  firewall-2025.10.03~3a65fde5-r2:
    conflicts: firewall4-2025.03.17~b6e51575-r2[uci-firewall=2025.10.03~3a65fde5-r2]
    satisfies: libreswan-iptables-4.12-r5[firewall]
  libreswan-4.12-r5:
    conflicts: libreswan-iptables-4.12-r5[openswan=4.12-r5]
    satisfies: libreswan-iptables-4.12-r5[libreswan]
  libreswan-iptables-4.12-r5:
    conflicts: libreswan-4.12-r5[openswan=4.12-r5]
    satisfies: world[libreswan-iptables><Q1W939N62oKB+mXwycM/mOptOygUs=]

@pprindeville

Copy link
Copy Markdown
Member

@GeorgeSapkin I don’t understand those warnings. The PROVIDES value doesn’t clash with firewall4

@pprindeville

Copy link
Copy Markdown
Member

@jow-: Any idea why we're seeing the build breakage?

@pprindeville

Copy link
Copy Markdown
Member

Breathlessly waiting on the CI/CD pipeline...

@GeorgeSapkin

Copy link
Copy Markdown
Member

I don’t understand those warnings. The PROVIDES value doesn’t clash with firewall4

ERROR: unable to select packages:
  firewall4-2025.03.17~b6e51575-r2:
    conflicts: firewall-2025.10.03~3a65fde5-r2[uci-firewall=2025.03.17~b6e51575-r2]
    satisfies: world[firewall4]
               luci-app-firewall-26.133.20346~e9ebca7[uci-firewall]
  firewall-2025.10.03~3a65fde5-r2:
    conflicts: firewall4-2025.03.17~b6e51575-r2[uci-firewall=2025.10.03~3a65fde5-r2]
    satisfies: libreswan-iptables-4.12-r4[firewall]
               luci-app-firewall-26.133.20346~e9ebca7[uci-firewall]

libreswan-iptables depends on firewall. Both firewall and firewall4 provide uci-firewall, so they can't be installed at the same time. firewall4 is in apk world, so it can't be removed.

  libreswan-4.12-r4:
    conflicts: libreswan-iptables-4.12-r4[openswan=4.12-r4]
    satisfies: libreswan-iptables-4.12-r4[libreswan]
  libreswan-iptables-4.12-r4:
    conflicts: libreswan-4.12-r4[openswan=4.12-r4]
    satisfies: world[libreswan-iptables]

Both libreswan and libreswan-iptables provide openswan via default. libreswan-iptables depends on libreswan. They can't be installed at the same time due to having the same provider. Based on the package description, libreswan-iptables is a plugin, so it shouldn't have that provider.

@neheb

neheb commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

related: https://lore.kernel.org/linux-crypto/20260622234803.6982-1-ebiggers@kernel.org/T/#u

Some of these are obsolete. Others like CTS make no sense for IPSec.

Others are already selected by kmod-ipsec. Simplify the list.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants