* [ptxdist] [PATCH 1/2] strongswan: added openssl plugin option
From: Bruno Thomsen @ 2014-12-12 12:21 UTC (permalink / raw)
To: ptxdist; +Cc: bth
OpenSSL adds Elliptic Curve support in IKE Diffie-Hellman key exchange.
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
rules/strongswan.in | 8 ++++++++
rules/strongswan.make | 5 ++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/rules/strongswan.in b/rules/strongswan.in
index 5402ffb..d50ea8d 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -5,6 +5,7 @@ menuconfig STRONGSWAN
prompt "strongswan "
select LIBGMP
select LIBCURL if STRONGSWAN_LIBCURL
+ select OPENSSL if STRONGSWAN_OPENSSL
help
strongSwan is a complete IPsec implementation.
Please keep in mind to configure the kernel accordingly to fulfill
@@ -22,6 +23,13 @@ config STRONGSWAN_LIBCURL
(CRLs) from an HTTP server or as an alternative want to use
the Online Certificate Status Protocol (OCSP) say yes.
+config STRONGSWAN_OPENSSL
+ bool
+ default n
+ prompt "OpenSSL crypto library for IKE"
+ help
+ This will add Elliptic Curve support in IKE Diffie-Hellman key exchange.
+
config STRONGSWAN_AFALG
bool
default y
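Review bot: The help text of the new STRONGSWAN_OPENSSL entry is a single line about Elliptic Curve Diffie-Hellman, while the prompt reads "OpenSSL crypto library for IKE". The help should state what the option does in the build: it selects the OPENSSL package and builds and installs the strongSwan openssl plugin (libstrongswan-openssl.so), so that users can judge the extra dependency before switching it on. As a style point, "default n" is already the implicit default for a bool and can be dropped.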
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 57fc7da..df4f9c8 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -34,6 +34,7 @@ STRONGSWAN_CONF_TOOL := autoconf
STRONGSWAN_CONF_OPT := \
$(CROSS_AUTOCONF_USR) \
--$(call ptx/endis, PTXCONF_STRONGSWAN_LIBCURL)-curl \
+ --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
--disable-unbound \
--disable-soup \
--disable-ldap \
@@ -150,7 +151,6 @@ STRONGSWAN_CONF_OPT := \
--disable-osx-attr \
--enable-resolve \
--disable-padlock \
- --disable-openssl \
--disable-gcrypt \
--disable-agent \
--disable-pkcs11 \
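Review bot: The removed --disable-openssl sat here between --disable-padlock and --disable-gcrypt, but its replacement was added in the earlier hunk at the top of STRONGSWAN_CONF_OPT, next to the curl switch. Replacing the line in place with "--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \" would keep the option list in its existing order and turn the two hunks into a single one-line change that is easier to check against the rest of the list.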
@@ -228,6 +228,9 @@ STRONGSWAN_PLUGINS := \
ifdef PTXCONF_STRONGSWAN_LIBCURL
STRONGSWAN_PLUGINS += libstrongswan-curl.so
endif
+ifdef PTXCONF_STRONGSWAN_OPENSSL
+ STRONGSWAN_PLUGINS += libstrongswan-openssl.so
+endif
ifdef PTXCONF_STRONGSWAN_AFALG
STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
endif
--
1.9.1
--
ptxdist mailing list
ptxdist@pengutronix.de
* [ptxdist] [PATCH 2/2] strongswan: aes-gcm support enabled
From: Bruno Thomsen @ 2014-12-12 12:21 UTC (permalink / raw)
To: ptxdist; +Cc: bth
Enabled support for AES-GCM (Galois/Counter Mode) which is an
Authenticated Encryption with Associated Data (AEAD) cipher.

  "This seems like a good moment to reiterate that everything less than
  TLS 1.2 with an AEAD cipher suite is cryptographically broken."
  -- Adam Langley

Source: https://www.imperialviolet.org/2014/12/08/poodleagain.html
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
rules/strongswan.make | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/strongswan.make b/rules/strongswan.make
index df4f9c8..dad1e10 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -156,7 +156,7 @@ STRONGSWAN_CONF_OPT := \
--disable-pkcs11 \
--disable-ctr \
--disable-ccm \
- --disable-gcm \
+ --enable-gcm \
--disable-addrblock \
--enable-acert \
--disable-unity \
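Review bot: --enable-gcm is hard-coded here, whereas patch 1/2 of this series made the openssl plugin selectable through a STRONGSWAN_OPENSSL menu entry and ptx/endis. If GCM is meant to be always on, the commit message should say so and give the reason in IKE/IPsec terms, since the quoted justification is about TLS cipher suites. Note also that the neighbouring --disable-ctr and --disable-ccm are left untouched, so CCM, the other AEAD mode in this list, stays unavailable.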
@@ -202,6 +202,7 @@ STRONGSWAN_PLUGINS := \
libstrongswan-des.so \
libstrongswan-dnskey.so \
libstrongswan-fips-prf.so \
+ libstrongswan-gcm.so \
libstrongswan-gmp.so \
libstrongswan-hmac.so \
libstrongswan-kernel-netlink.so \
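Review bot: libstrongswan-gcm.so goes into the unconditional STRONGSWAN_PLUGINS list, so this entry is only correct for as long as --enable-gcm stays hard-coded in STRONGSWAN_CONF_OPT. If the switch ever becomes a menu option, the entry has to move into an ifdef block like the one used for libstrongswan-curl.so. A sentence in the commit message tying the configure switch to the installed plugin would keep the two from drifting apart.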
--
1.9.1
* Re: [ptxdist] [PATCH 1/2] strongswan: added openssl plugin option
From: Michael Olbrich @ 2015-01-12 15:34 UTC (permalink / raw)
To: ptxdist
On Fri, Dec 12, 2014 at 01:21:03PM +0100, Bruno Thomsen wrote:
> OpenSSL adds Elliptic Curve support in IKE Diffie-Hellman key exchange.
Thanks, both applied.
Michael
>
> Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
> ---
> rules/strongswan.in | 8 ++++++++
> rules/strongswan.make | 5 ++++-
> 2 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/rules/strongswan.in b/rules/strongswan.in
> index 5402ffb..d50ea8d 100644
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -5,6 +5,7 @@ menuconfig STRONGSWAN
> prompt "strongswan "
> select LIBGMP
> select LIBCURL if STRONGSWAN_LIBCURL
> + select OPENSSL if STRONGSWAN_OPENSSL
> help
> strongSwan is a complete IPsec implementation.
> Please keep in mind to configure the kernel accordingly to fulfill
> @@ -22,6 +23,13 @@ config STRONGSWAN_LIBCURL
> (CRLs) from an HTTP server or as an alternative want to use
> the Online Certificate Status Protocol (OCSP) say yes.
>
> +config STRONGSWAN_OPENSSL
> + bool
> + default n
> + prompt "OpenSSL crypto library for IKE"
> + help
> + This will add Elliptic Curve support in IKE Diffie-Hellman key exchange.
> +
> config STRONGSWAN_AFALG
> bool
> default y
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 57fc7da..df4f9c8 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -34,6 +34,7 @@ STRONGSWAN_CONF_TOOL := autoconf
> STRONGSWAN_CONF_OPT := \
> $(CROSS_AUTOCONF_USR) \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_LIBCURL)-curl \
> + --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> --disable-unbound \
> --disable-soup \
> --disable-ldap \
> @@ -150,7 +151,6 @@ STRONGSWAN_CONF_OPT := \
> --disable-osx-attr \
> --enable-resolve \
> --disable-padlock \
> - --disable-openssl \
> --disable-gcrypt \
> --disable-agent \
> --disable-pkcs11 \
> @@ -228,6 +228,9 @@ STRONGSWAN_PLUGINS := \
> ifdef PTXCONF_STRONGSWAN_LIBCURL
> STRONGSWAN_PLUGINS += libstrongswan-curl.so
> endif
> +ifdef PTXCONF_STRONGSWAN_OPENSSL
> + STRONGSWAN_PLUGINS += libstrongswan-openssl.so
> +endif
> ifdef PTXCONF_STRONGSWAN_AFALG
> STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
> endif
> --
> 1.9.1
>
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |