This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 2dbfc4020d18e65b525104b13891921411cb6322 (commit)
via 9bc2e596d0805171e5a25e1be33fdcd9c114066d (commit)
via 64056cae466b49993af8fe831731d2eed77f683a (commit)
via 1ef80c435225c6bd35df4d510b728ea6bfad772a (commit)
via 570d54fd84ead452753ac7fd498c7ee760caa3ff (commit)
from 4f6790a7e48c1c5bf52ad53c060ef6f3274bd5a1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2dbfc4020d18e65b525104b13891921411cb6322
Author: Daniel Weismüller <daniel.weismueller(a)ipfire.org>
Date: Wed Apr 5 12:25:16 2017 +0200
netsnmpd: added lmsensors and some other mibs
Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9bc2e596d0805171e5a25e1be33fdcd9c114066d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 5 12:16:52 2017 +0100
IPsec: Include Curve 25519 in default proposal
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 64056cae466b49993af8fe831731d2eed77f683a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 5 12:15:20 2017 +0100
IPsec: Allow selecting Curve 25519 as group type
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 1ef80c435225c6bd35df4d510b728ea6bfad772a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 5 12:08:39 2017 +0100
strongswan: Update to version 5.5.2
Introduces support for Curve25519 for IKE as defined by RFC8031.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 570d54fd84ead452753ac7fd498c7ee760caa3ff
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 5 11:42:55 2017 +0100
IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers
IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak, although
much off-the-shelf hardware still uses them as defaults.
This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.
This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/strongswan | 8 ++++++++
config/rootfiles/packages/netsnmpd | 3 +++
html/cgi-bin/vpnmain.cgi | 18 +++++++++++-------
lfs/netsnmpd | 13 ++++++++++---
lfs/strongswan | 4 ++--
5 files changed, 34 insertions(+), 12 deletions(-)
Difference in files:
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index 354ecd7..fbc5786 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -21,6 +21,7 @@ etc/strongswan.d/charon/cmac.conf
etc/strongswan.d/charon/constraints.conf
etc/strongswan.d/charon/ctr.conf
etc/strongswan.d/charon/curl.conf
+etc/strongswan.d/charon/curve25519.conf
etc/strongswan.d/charon/des.conf
etc/strongswan.d/charon/dhcp.conf
etc/strongswan.d/charon/dnskey.conf
@@ -105,6 +106,11 @@ usr/lib/ipsec/libstrongswan.so.0.0.0
usr/lib/ipsec/libtls.so
usr/lib/ipsec/libtls.so.0
usr/lib/ipsec/libtls.so.0.0.0
+#usr/lib/ipsec/libtpmtss.a
+#usr/lib/ipsec/libtpmtss.la
+usr/lib/ipsec/libtpmtss.so
+usr/lib/ipsec/libtpmtss.so.0
+usr/lib/ipsec/libtpmtss.so.0.0.0
#usr/lib/ipsec/libvici.a
#usr/lib/ipsec/libvici.la
usr/lib/ipsec/libvici.so
@@ -118,6 +124,7 @@ usr/lib/ipsec/plugins/libstrongswan-cmac.so
usr/lib/ipsec/plugins/libstrongswan-constraints.so
usr/lib/ipsec/plugins/libstrongswan-ctr.so
usr/lib/ipsec/plugins/libstrongswan-curl.so
+usr/lib/ipsec/plugins/libstrongswan-curve25519.so
usr/lib/ipsec/plugins/libstrongswan-des.so
usr/lib/ipsec/plugins/libstrongswan-dhcp.so
usr/lib/ipsec/plugins/libstrongswan-dnskey.so
@@ -201,6 +208,7 @@ usr/sbin/swanctl
#usr/share/strongswan/templates/config/plugins/constraints.conf
#usr/share/strongswan/templates/config/plugins/ctr.conf
#usr/share/strongswan/templates/config/plugins/curl.conf
+#usr/share/strongswan/templates/config/plugins/curve25519.conf
#usr/share/strongswan/templates/config/plugins/des.conf
#usr/share/strongswan/templates/config/plugins/dhcp.conf
#usr/share/strongswan/templates/config/plugins/dnskey.conf
diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd
index 6328949..9d80ec2 100644
--- a/config/rootfiles/packages/netsnmpd
+++ b/config/rootfiles/packages/netsnmpd
@@ -542,6 +542,8 @@ usr/share/snmp/mibs/IPV6-MIB.txt
usr/share/snmp/mibs/IPV6-TC.txt
usr/share/snmp/mibs/IPV6-TCP-MIB.txt
usr/share/snmp/mibs/IPV6-UDP-MIB.txt
+usr/share/snmp/mibs/LM-SENSORS-MIB.txt
+usr/share/snmp/mibs/MTA-MIB.txt
usr/share/snmp/mibs/NET-SNMP-AGENT-MIB.txt
usr/share/snmp/mibs/NET-SNMP-EXAMPLES-MIB.txt
usr/share/snmp/mibs/NET-SNMP-EXTEND-MIB.txt
@@ -549,6 +551,7 @@ usr/share/snmp/mibs/NET-SNMP-MIB.txt
usr/share/snmp/mibs/NET-SNMP-PASS-MIB.txt
usr/share/snmp/mibs/NET-SNMP-TC.txt
usr/share/snmp/mibs/NET-SNMP-VACM-MIB.txt
+usr/share/snmp/mibs/NETWORK-SERVICES-MIB.txt
usr/share/snmp/mibs/NOTIFICATION-LOG-MIB.txt
usr/share/snmp/mibs/RFC-1215.txt
usr/share/snmp/mibs/RFC1155-SMI.txt
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index f4eccb1..cc891c9 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1897,15 +1897,15 @@ END
#use default advanced value
$cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
- $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
+ $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
}
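Review bot: The stricter values here are assigned only in the fallback marked `#use default advanced value`, so as far as this hunk shows, connections already saved with `sha`/`sha1` or `1536|1024` would keep their stored proposals. If that is intended, a comment above the block would make it explicit, for example `# Defaults for newly created connections only; saved connections keep their stored proposals`. With `ONLY_PROPOSED` now `on`, a peer limited to SHA1 or MODP-1536 and below will no longer negotiate against these defaults, which is worth stating in the same comment so the interoperability trade-off is visible at the point where it is set. The enclosing block starts outside the hunk.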
@@ -2178,7 +2178,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
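Review bot: The allow-list in this check still accepts `1024` and `1536`, the groups that the commit "Drop SHA1 and MODP<=1536 from proposed ciphers" describes as weak, so they stay selectable and only the defaults changed. If they are kept on purpose for legacy peers, a comment above the test would record that, for example `# 1024/1536 remain selectable for legacy peers but are no longer part of the defaults`. The ESP check in the next hunk repeats the same list with `none` appended. Defining the group names once and building both patterns from that list would keep the two checks from drifting apart the next time a group is added. The loop body continues outside the hunk.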
@@ -2219,7 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+ if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
@@ -2338,6 +2338,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
$checked{'IKE_GROUPTYPE'}{'768'} = '';
$checked{'IKE_GROUPTYPE'}{'1024'} = '';
$checked{'IKE_GROUPTYPE'}{'1536'} = '';
@@ -2378,6 +2379,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
$checked{'ESP_GROUPTYPE'}{'768'} = '';
$checked{'ESP_GROUPTYPE'}{'1024'} = '';
$checked{'ESP_GROUPTYPE'}{'1536'} = '';
@@ -2532,6 +2534,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
<td class='boldbase'>
<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+ <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -2555,6 +2558,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
</td>
<td class='boldbase'>
<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+ <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
diff --git a/lfs/netsnmpd b/lfs/netsnmpd
index 1e59457..12fb342 100644
--- a/lfs/netsnmpd
+++ b/lfs/netsnmpd
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = netsnmpd
-PAK_VER = 4
+PAK_VER = 5
DEPS = ""
###############################################################################
@@ -83,15 +83,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--with-sys-location="localhost" \
--with-logfile="/var/log/snmpd.log" \
--with-persistent-directory="/var/net-snmp" \
+ --with-mib-modules="host agentx smux \
+ ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \
+ ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \
+ ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \
+ ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \
+ ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \
+ sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib"
--libdir=/usr/lib \
--sysconfdir="/etc"
cd $(DIR_APP) && make
cd $(DIR_APP) && make install
- install -v -m644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
+ install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \
/var/ipfire/backup/addons/includes/netsnmpd
- #install initscripts
+ # install initscripts
$(call INSTALL_INITSCRIPT,netsnmpd)
ln -sf ../init.d/netsnmpd /etc/rc.d/rc3.d/S65netsnmpd
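Review bot: The last added line of the `--with-mib-modules` value ends with the closing quote but no continuation backslash, so the configure command stops there and `--libdir=/usr/lib` and `--sysconfdir="/etc"` are no longer passed to it. The line should read `sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" \`. Because make treats a leading `-` on a recipe line as "ignore errors", the orphaned `--libdir=… --sysconfdir=…` line is likely to fail without stopping the build, leaving the package configured with default library and configuration directories. That matters for an SNMP agent because the recipe installs its access configuration to `/etc/snmpd.conf`, which may then not be the path the built agent searches by default. The rule's header and the start of the configure command are outside the hunk.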
diff --git a/lfs/strongswan b/lfs/strongswan
index fffa9af..7f6a95b 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
include Config
-VER = 5.5.1
+VER = 5.5.2
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4eba9474f7dc6c8c8d7037261358e68d
+$(DL_FILE)_MD5 = 546f7e5346b754f5946ff1282702ceb9
install : $(TARGET)
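Review bot: The new strongSwan tarball is pinned only by the MD5 value on the `$(DL_FILE)_MD5` line, and MD5 is not collision-resistant, so it protects against corrupted downloads rather than a deliberately substituted archive. For the VPN daemon in particular it would be worth verifying the download against the upstream release signature or a SHA-2 digest before updating this value, and recording that in the commit message. Whether the build system can pin a stronger digest next to the MD5 is not visible from this hunk.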