From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-508-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b5kmp05gFz32TZ
	for <archive@lists.ipfire.org>; Mon, 26 May 2025 18:28:58 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b5kmk4BMLz2xnJ
	for <development@lists.ipfire.org>; Mon, 26 May 2025 18:28:54 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4b5kmj4n48zrD
	for <development@lists.ipfire.org>; Mon, 26 May 2025 18:28:53 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1748284134;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+Qk3ngRivOlCALaDHI7CioLNYTccV5bycyWVqSfaIp4=;
	b=fY5dqHa1sLV7pnfby9iUtTLcVtqCMMlINYwyC8kde8EcNioqaFDWvbKkHzbfgLYR5myOZ/
	GkmDmzNjYGyN4CAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1748284134;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+Qk3ngRivOlCALaDHI7CioLNYTccV5bycyWVqSfaIp4=;
	b=mqCdTRDXQi23Ezh6Z4bgB8i8ptSiH7l1JQcfOlqT0QCV96qjXNAA9vYxOJatbByy81db2p
	9ASp3Kp/gu8S8liuHbLs0udhKqE4aYaX/iBnXRtjsMAr7H0rIGT4UrmAEPbxDkT/2RZDQQ
	M6aRRjL9bdVVNYdJBFwn0f8OoAdzS9oGpOa3ZZ1G7gYTEiUXKvAAvSc3mgd031eQUZExrK
	k6Y/6CWYhjD8LroiIyroIYbTsUXZ5PEY8nRxSpBkpPOiC/+cicBlB/yxrhCCUxx5xwmCHE
	ajGzLZrtLFmTQz1BTGiMFRrAW9zL0miI7hexSoz3JFOjaTCBpKKGd/ADmk9LEQ==
Message-ID: <b3f8f54c-df72-4124-ac1b-59924e3e9a78@ipfire.org>
Date: Mon, 26 May 2025 18:28:00 +0000
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Subject: [PATCH v2 2/2] Core Update 196: Adjust existing IPsec connections
 using ML-KEM
From: =?UTF-8?Q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
To: "IPFire: Development" <development@lists.ipfire.org>
References: <3d399f8b-3f71-4ca4-beaa-88c7c4ecbaf7@ipfire.org>
In-Reply-To: <3d399f8b-3f71-4ca4-beaa-88c7c4ecbaf7@ipfire.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.

Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.

This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.

The second version of this patch modifies IPFire's own configuration
file for IPsec connections, rather than applying these changes directly
to /etc/ipsec.conf, where they would have been overwritten by the next
WebUI change.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/196/update.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
index 0138fabcf..b8f92322f 100644
--- a/config/rootfiles/core/196/update.sh
+++ b/config/rootfiles/core/196/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+/etc/rc.d/init.d/ipsec stop
 
 # Remove files
 rm -rfv \
@@ -65,7 +66,17 @@ esac
 # Apply SSH configuration
 #/usr/local/bin/sshctrl
 
+# Change IPsec configuration of existing connections using ML-KEM
+# to always make use of hybrid key exchange in conjunction with Curve 25519.
+sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+
+# Apply changes to ipsec.conf
+/srv/web/ipfire/cgi-bin/vpnmain.cgi
+
 # Start services
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/rc.d/init.d/ipsec start
+fi
 
 # This update needs a reboot...
 #touch /var/run/need_reboot
-- 
2.43.0