From 8099c11a121f47bd3a54fab7b6c53fa162c830bc Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Fri, 4 Feb 2022 01:53:47 +0300
Subject: fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4

Comments contain all the relevant info.

Change-Id: I6d4a715889b562dc79148314092f698ceefcac88
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
---
 third_party/overlays/strongswan-workaround.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 third_party/overlays/strongswan-workaround.nix

(limited to 'third_party')

diff --git a/third_party/overlays/strongswan-workaround.nix b/third_party/overlays/strongswan-workaround.nix
new file mode 100644
index 000000000000..a5c3c26ec981
--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+  # Downgrade strongswan to 5.9.4
+  #
+  # See https://github.com/NixOS/nixpkgs/pull/156567
+  strongswan = super.strongswan.overrideAttrs (_: rec {
+    version = "5.9.4";
+
+    src = self.fetchFromGitHub {
+      owner = "strongswan";
+      repo = "strongswan";
+      rev = version;
+      sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+    };
+  });
+}
-- 
cgit 1.4.1