This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 4b02b4045b619b207235b34882a000ef088f0df1 (commit)
from 1f15cc0993aebc53870c685836db2eaeafdc767a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4b02b4045b619b207235b34882a000ef088f0df1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jun 2 20:24:04 2015 +0200
ipsec: Allow selection of ESP group type
If a connection is edited, the IKE group types will be used instead.
Fixes #10860
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Tested-by: Wolfgang Apolinarski <wolfgang.apolinarski(a)web.de>
-----------------------------------------------------------------------
Summary of changes:
doc/language_issues.de | 1 +
doc/language_issues.es | 1 +
doc/language_issues.fr | 1 +
doc/language_issues.it | 1 +
doc/language_issues.nl | 1 +
doc/language_issues.pl | 1 +
doc/language_issues.ru | 1 +
doc/language_issues.tr | 1 +
html/cgi-bin/vpnmain.cgi | 73 ++++++++++++++++++++++++++++++++++++++++++------
langs/en/cgi-bin/en.pl | 1 +
10 files changed, 74 insertions(+), 8 deletions(-)
Difference in files:
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 90accb3..0d86987 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -644,6 +644,7 @@ WARNING: untranslated string: fwhost cust geoipgrp
WARNING: untranslated string: fwhost err hostip
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
WARNING: untranslated string: no data
+WARNING: untranslated string: none
WARNING: untranslated string: qos add subclass
WARNING: untranslated string: route config changed
WARNING: untranslated string: routing config added
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 9910db6..2a50200 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -917,6 +917,7 @@ WARNING: untranslated string: most preferred
WARNING: untranslated string: nameserver
WARNING: untranslated string: no data
WARNING: untranslated string: no hardware random number generator
+WARNING: untranslated string: none
WARNING: untranslated string: not a valid dh key
WARNING: untranslated string: notice
WARNING: untranslated string: openvpn default
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index ef01a1e..aa4951d 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -932,6 +932,7 @@ WARNING: untranslated string: most preferred
WARNING: untranslated string: nameserver
WARNING: untranslated string: no data
WARNING: untranslated string: no hardware random number generator
+WARNING: untranslated string: none
WARNING: untranslated string: not a valid dh key
WARNING: untranslated string: notice
WARNING: untranslated string: ntp common settings
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 522fee3..1669e79 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -705,6 +705,7 @@ WARNING: untranslated string: masquerading disabled
WARNING: untranslated string: masquerading enabled
WARNING: untranslated string: messages
WARNING: untranslated string: no data
+WARNING: untranslated string: none
WARNING: untranslated string: outgoing compression in bytes per second
WARNING: untranslated string: outgoing overhead in bytes per second
WARNING: untranslated string: ovpn add conf
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index e7d8e08..11d7657 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -737,6 +737,7 @@ WARNING: untranslated string: modem status
WARNING: untranslated string: monitor interface
WARNING: untranslated string: nameserver
WARNING: untranslated string: no data
+WARNING: untranslated string: none
WARNING: untranslated string: not a valid dh key
WARNING: untranslated string: outgoing compression in bytes per second
WARNING: untranslated string: outgoing overhead in bytes per second
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 9910db6..2a50200 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -917,6 +917,7 @@ WARNING: untranslated string: most preferred
WARNING: untranslated string: nameserver
WARNING: untranslated string: no data
WARNING: untranslated string: no hardware random number generator
+WARNING: untranslated string: none
WARNING: untranslated string: not a valid dh key
WARNING: untranslated string: notice
WARNING: untranslated string: openvpn default
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 95caaa5..d2215b6 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -917,6 +917,7 @@ WARNING: untranslated string: most preferred
WARNING: untranslated string: nameserver
WARNING: untranslated string: no data
WARNING: untranslated string: no hardware random number generator
+WARNING: untranslated string: none
WARNING: untranslated string: not a valid dh key
WARNING: untranslated string: notice
WARNING: untranslated string: openvpn default
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index d57c721..a9d6332 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -684,6 +684,7 @@ WARNING: untranslated string: incoming compression in bytes per second
WARNING: untranslated string: incoming overhead in bytes per second
WARNING: untranslated string: invalid input for valid till days
WARNING: untranslated string: no data
+WARNING: untranslated string: none
WARNING: untranslated string: outgoing compression in bytes per second
WARNING: untranslated string: outgoing overhead in bytes per second
WARNING: untranslated string: ovpn add conf
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 218dafa..8c44b7e 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -329,7 +329,13 @@ sub writeipsecfiles {
if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
my @encs = split('\|', $lconfighash{$key}[21]);
my @ints = split('\|', $lconfighash{$key}[22]);
- my @groups = split('\|', $lconfighash{$key}[20]);
+ my @groups = split('\|', $lconfighash{$key}[23]);
+
+ # Use IKE grouptype if no ESP group type has been selected
+ # (for backwards compatibility)
+ if ($lconfighash{$key}[23] eq "") {
+ @groups = split('\|', $lconfighash{$key}[20]);
+ }
my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
print CONF "\tesp=" . join(",", @algos);
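Review bot: the fallback at `if ($lconfighash{$key}[23] eq "")` also has to cover configuration lines written before this field existed, where element [23] is undef rather than an empty string; `eq ""` is still true for undef, but both that comparison and the preceding `split('\|', $lconfighash{$key}[23])` emit "uninitialized value" warnings when warnings are enabled. Pick the source string first and split once, e.g. `my $grp = $lconfighash{$key}[23]; $grp = $lconfighash{$key}[20] unless defined $grp && $grp ne ""; my @groups = split('\|', $grp);`, which also removes the redundant first split.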
@@ -1270,6 +1276,9 @@ END
$cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
$cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
$cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+ $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+ }
$cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
$cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
$cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
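Review bot: the fallback `$cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}` only works if IKE_GROUPTYPE has already been copied out of `$confighash` at this point; that assignment is not in the visible context, so confirm it precedes this block, otherwise editing an old connection yields an empty ESP group list instead of the IKE groups the commit message promises.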
@@ -1865,7 +1874,7 @@ END
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
+ $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
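Review bot: the new default `'4096|3072|2048|1536|1024'` for ESP_GROUPTYPE includes MODP-1024, which is widely considered too weak for new deployments, and the select added further down already offers ECP groups; consider dropping 1024 (and 1536) from the default proposal set so that a fresh connection does not advertise weak PFS groups unless an administrator explicitly selects them.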
@@ -2175,13 +2184,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
}
- if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
- $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)(bp)?$/ &&
- $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|2048s(256|224|160)|3072|4096|6144|8192)$/) {
+ @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
+ if ($#temp < 0) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
-
+ foreach my $val (@temp) {
+ if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
$errormessage = $Lang::tr{'invalid input for esp keylife'};
goto ADVANCED_ERROR;
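Review bot: the list regex at `$val !~ /^(e521|...|none)$/` accepts 'none' alongside real groups in one selection (e.g. '2048|none'), which presumably is meant to emit proposals both with and without a PFS group; that intent is undocumented, so add a comment here or reject mixed selections if it is not wanted. Minor: `$` permits a trailing newline, `\z` does not, and `@temp` is reused from outer scope rather than declared with `my` (consistent with the existing `@temp = split(...)` usage later in the file, but a lexical would be cleaner).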
@@ -2244,6 +2257,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
$cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
$cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+ $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+ }
$cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
$cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
$cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
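Review bot: these three lines are an exact copy of the fallback added at line 1279 in the earlier hunk; both paths copy the same `$confighash` fields into `$cgiparams`, so doing the ESP-to-IKE fallback once (either in a small helper or where the config hash is read) would keep the two code paths from drifting apart.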
@@ -2333,7 +2349,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
- $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
+ $checked{'ESP_GROUPTYPE'}{'768'} = '';
+ $checked{'ESP_GROUPTYPE'}{'1024'} = '';
+ $checked{'ESP_GROUPTYPE'}{'1536'} = '';
+ $checked{'ESP_GROUPTYPE'}{'2048'} = '';
+ $checked{'ESP_GROUPTYPE'}{'3072'} = '';
+ $checked{'ESP_GROUPTYPE'}{'4096'} = '';
+ $checked{'ESP_GROUPTYPE'}{'6144'} = '';
+ $checked{'ESP_GROUPTYPE'}{'8192'} = '';
+ $checked{'ESP_GROUPTYPE'}{'none'} = '';
+ @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
+ foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
$checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
$checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
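Review bot: the reset block starting at `$checked{'ESP_GROUPTYPE'}{'768'} = ''` clears a key that neither the validation regex nor the new select offers, while the keys the select does use ('e521' through 'e192', 'e512bp' through 'e224bp', and '2048s256'/'2048s224'/'2048s160') are not reset and interpolate as undef in the template. Reset exactly the keys the select uses, ideally by looping over one shared list of option values, so the hash and the form cannot get out of sync.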
@@ -2494,7 +2520,30 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
</select>
</td>
- <td></td>
+ <td class='boldbase'>
+ <select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+ <option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
+ <option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
+ <option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
+ <option value='e384bp' $checked{'ESP_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
+ <option value='e256' $checked{'ESP_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
+ <option value='e256bp' $checked{'ESP_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
+ <option value='e224' $checked{'ESP_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
+ <option value='e224bp' $checked{'ESP_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
+ <option value='e192' $checked{'ESP_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
+ <option value='8192' $checked{'ESP_GROUPTYPE'}{'8192'}>MODP-8192</option>
+ <option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
+ <option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
+ <option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
+ <option value='2048s256' $checked{'ESP_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
+ <option value='2048s224' $checked{'ESP_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
+ <option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
+ <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
+ <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
+ <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option>
+ <option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
+ </select>
+ </td>
</tr>
</tbody>
</table>
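Review bot: the new `<select name='ESP_GROUPTYPE' multiple='multiple' size='6'>` shows six rows for a twenty-entry list, and nothing on the form explains how the `- none -` entry relates to the existing PFS switch that is still passed as the fifth argument to make_algos in writeipsecfiles (`$pfs eq "on"`); a short hint next to the select would help. Note also that a multiple select submits values in document order, so the option ordering here fixes the order of the generated ESP proposals regardless of how the user clicked.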
@@ -3039,6 +3088,14 @@ sub make_algos($$$$$) {
if (!$is_aead) {
push(@algo, $int);
}
+
+ if ($grp eq "none") {
+ # noop
+ } elsif ($grp =~ m/^e(.*)$/) {
+ push(@algo, "ecp$1");
+ } else {
+ push(@algo, "modp$grp");
+ }
}
push(@algos, join("-", @algo));
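Review bot: `$grp =~ m/^e(.*)$/` maps any value starting with 'e' to an `ecp...` name; the CGI input is validated upstream, but make_algos is also fed `@groups` read back from the config file in writeipsecfiles, so a tighter pattern such as `m/^e(\d+(?:bp)?)$/` would reject a corrupted or hand-edited value instead of emitting an invalid proposal. A one-line comment on the `none` branch stating that it means "no PFS group for this proposal" would document the intent better than `# noop`.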
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 7964644..af7fda9 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1645,6 +1645,7 @@
'no modem selected' => 'No modem selected',
'no set selected' => 'No set was selected',
'no time limit' => 'unlimited time',
+'none' => 'none',
'none found' => 'none found',
'nonetworkname' => 'No Network Name entered',
'noservicename' => 'No Service Name entered',
hooks/post-receive
--
IPFire 2.x development tree