Support for configuring EAP-TLS authentication scheme is added.
Similar to EAP-MSCHAPv2, this one is usually asymmetric
in the way that server auth method (pubkey) is different from
the client auth method (eap-tls).
The code handles this asymmetry automatically.
Signed-off-by: Torbjorn Tyridal <torbjorn@tyridal.no>
Before:
checking for python... /myworkingdir/build/staging_dir/host/bin/python
checking for python version... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for python platform... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for GNU default python prefix... ${prefix}
checking for GNU default python exec_prefix... ${exec_prefix}
checking for python script directory (pythondir)... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for python extension module directory (pyexecdir)... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
After:
checking for python version... 3.11
checking for python platform... darwin
checking for GNU default python prefix... ${prefix}
checking for GNU default python exec_prefix... ${exec_prefix}
checking for python script directory (pythondir)... ${PYTHON_PREFIX}/lib/python3.11/site-packages
checking for python extension module directory (pyexecdir)... ${PYTHON_EXEC_PREFIX}/lib/python3.11/site-packages
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This symbol is an enum defined both in wolfssl and strongswan. This
creates a clash in C's flat namespace. A workaround is to redefine it
when we include wolfssl headers, but really one of the other should
pick a better name.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
UCI plugin in strongswan has been broken for years, and now its causing
strongswan to fail compilation.
So, instead of the whole strongswan package to be failing and missing from
feeds simply make UCI plug depend on @BROKEN.
Signed-off-by: Robert Marko <robimarko@gmail.com>
After reinstalling the packages with the preserved configuration files
after a sysupgrade, the reinstalled package config files overwrite what
is on disk rather than being placed as conf-opkg. Defining these config
files will preserve them appropriately.
Signed-off-by: Joel Low <joel@joelsplace.sg>
Support for EAP-MSCHAPv2 authentication scheme is added.
Different from the previously supported schemes, this one is
usually asymmetric in the way that server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.
A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.
Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>
Without it, using uci to manipulate ipsec config can result in errors,
making it much difficult to use in uci-defaults for example.
Signed-off-by: Glen Huang <me@glenhuang.com>
Fixes#20848
Add interface triggers if interfaces to listen to are specified in
`/etc/config/ipsec`. This fixes the "running with no instances" scenario
after rebooting a router.
Signed-off-by: Joel Low <joel@joelsplace.sg>
This plugin acts as a proxy that dynamically selects an EAP method that is
supported/preferred by the client. If the original EAP method initiated by
the plugin is rejected with an EAP-NAK message, it will select a different
method that is supported/requested by the client.
For example it is possible to configure eap-tls as preferred
authentication method for your connection while still allow eap-mschapv2.
Signed-off-by: Tarvi Pillessaar <tarvip@gmail.com>
Without these charon will warn with messages like:
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Glen Huang <me@glenhuang.com>
Without nonce, charon won't start, so it's not an optional plugin. I
asked one of the strongSwan maintainers (ecdsa), and he confirmed this:
> It definitely has to be enabled unconditionally. The only other
> provider for the NONCE_GEN plugin feature is in charon-tkm, so
> completely irrelevant on OpenWrt
Signed-off-by: Glen Huang <me@glenhuang.com>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The original PR for this change is #16373, where it's cleary stated it
doesn't work. This should have never been merged. It causes the
following recursive dependency:
tmp/.config-package.in:122354:error: recursive dependency detected!
tmp/.config-package.in:122354: symbol PACKAGE_strongswan-default depends on PACKAGE_strongswan-mod-socket-default
tmp/.config-package.in:123534: symbol PACKAGE_strongswan-mod-socket-default is selected by PACKAGE_strongswan-default
This reverts commit 603f70e96b.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Wei-Ting Yang
Philip Prindeville
Yanase Yuki
Torbjorn Tyridal
Josef Schlehofer
Kevin Locke
Robert Marko
Joel Low
Matt Eaton
Martin Pecka
Stephen Baker
Glen Huang
Tiago Gaspar
Tarvi Pillessaar
Stijn Tintel
Petr Štetiar
Noel Kuntze