Skip to content

strongswan: drop deprecated crypto protocols#29547

Merged
pprindeville merged 2 commits into
openwrt:masterfrom
pprindeville:strongswan-drop-deprecated-crypto
May 29, 2026
Merged

strongswan: drop deprecated crypto protocols#29547
pprindeville merged 2 commits into
openwrt:masterfrom
pprindeville:strongswan-drop-deprecated-crypto

Conversation

@pprindeville

@pprindeville pprindeville commented May 24, 2026

Copy link
Copy Markdown
Member

📦 Package Details

Maintainer: me, @Thermi

Description:
AEAD, CCM, MD4, and MS CHAP v2 are all deprecated due to insecurity.


🧪 Run Testing Details

  • OpenWrt Version: HEAD
  • OpenWrt Target/Subtarget: x86_64/generic
  • OpenWrt Device: pc-engines-apu6

✅ Formalities

  • I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

If your PR contains a patch:

  • It can be applied using git am
  • It has been refreshed to avoid offsets, fuzzes, etc., using
  • It is structured in a way that it is potentially upstreamable

@pprindeville

Copy link
Copy Markdown
Member Author

cc: @lucize

@Thermi

Thermi commented May 24, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville

pprindeville commented May 24, 2026

Copy link
Copy Markdown
Member Author

@Thermi: Uhh... which and what will it break?

@Thermi

Thermi commented May 24, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville

Copy link
Copy Markdown
Member Author

Yeah, but I'm not comfortable shipping cryptographically insecure protocols. It gives a false sense of security. Literally.

@Thermi

Thermi commented May 24, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville pprindeville force-pushed the strongswan-drop-deprecated-crypto branch 3 times, most recently from ee9e935 to 7f55355 Compare May 25, 2026 02:07
@pprindeville

pprindeville commented May 25, 2026

Copy link
Copy Markdown
Member Author

Is Windows still shipping CHAP v2?

https://spaces.at.internet2.edu/spaces/eduroam/pages/256936628/2023-07-07+Update+-+MSCHAPv2+deprecation

My read was that they encourage everyone to use certificate based EAP.

@pprindeville pprindeville force-pushed the strongswan-drop-deprecated-crypto branch from 7f55355 to cec73df Compare May 25, 2026 03:53
@pprindeville

pprindeville commented May 25, 2026

Copy link
Copy Markdown
Member Author

@Thermi: Okay, reworked it. if CONFIG_STRONGSWAN_INCLUDE_INSECURE it set, then ccm, md4, and mschapv4 are exposed.

@BKPepe

BKPepe commented May 25, 2026

Copy link
Copy Markdown
Member

Similar PR related to libreswan #29313

@Thermi

Thermi commented May 25, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville

Copy link
Copy Markdown
Member Author

@Thermi: We could also do:

default !PACKAGE_openssl

per your earlier comment.

@pprindeville pprindeville force-pushed the strongswan-drop-deprecated-crypto branch from cec73df to 8b84e6c Compare May 25, 2026 18:18
@pprindeville

Copy link
Copy Markdown
Member Author

Casting a wider net.

@Thermi

Thermi commented May 25, 2026 via email

Copy link
Copy Markdown
Contributor

@pprindeville pprindeville force-pushed the strongswan-drop-deprecated-crypto branch from 8b84e6c to dc36431 Compare May 25, 2026 18:39
@pprindeville

Copy link
Copy Markdown
Member Author

Amended to default to n if building against Openssl and y otherwise.

@Neustradamus

Neustradamus commented May 25, 2026

Copy link
Copy Markdown

@pprindeville: It is not possible to disable or enable a specified protocol instead all unsecure protocols?

@pprindeville

pprindeville commented May 25, 2026

Copy link
Copy Markdown
Member Author

@pprindeville: It is not possible to disable or enable a specified protocol instead all unsecure protocols?

@Neustradamus: Not sure I understand the question. As my PR is written, if STRONGSWAN_INCLUDE_INSECURE is set, then you can optionally select ccm, eap-mschapv2, or md4. Isn't that what's desired?

And if you don't enable STRONGSWAN_INCLUDE_INSECURE, then those aren't selectable.

@Neustradamus

Copy link
Copy Markdown

@pprindeville: Ok, it is good! :)

It will be nice to have same for libreswan!

@nmeyerhans nmeyerhans left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

AEAD, CCM, MD4, and MS CHAP v2 are all deprecated due to insecurity.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
@GeorgeSapkin

GeorgeSapkin commented May 28, 2026

Copy link
Copy Markdown
Member

I'll add the version check override commit here.

@GeorgeSapkin GeorgeSapkin force-pushed the strongswan-drop-deprecated-crypto branch from dc36431 to b7c6ae4 Compare May 28, 2026 13:34
Add version check override script.

Signed-off-by: George Sapkin <george@sapk.in>
@GeorgeSapkin GeorgeSapkin force-pushed the strongswan-drop-deprecated-crypto branch from b7c6ae4 to 95d4405 Compare May 28, 2026 17:03
@pprindeville pprindeville merged commit a513752 into openwrt:master May 29, 2026
12 checks passed
@pprindeville pprindeville deleted the strongswan-drop-deprecated-crypto branch May 29, 2026 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants