This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  2dbfc4020d18e65b525104b13891921411cb6322 (commit)
       via  9bc2e596d0805171e5a25e1be33fdcd9c114066d (commit)
       via  64056cae466b49993af8fe831731d2eed77f683a (commit)
       via  1ef80c435225c6bd35df4d510b728ea6bfad772a (commit)
       via  570d54fd84ead452753ac7fd498c7ee760caa3ff (commit)
      from  4f6790a7e48c1c5bf52ad53c060ef6f3274bd5a1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 2dbfc4020d18e65b525104b13891921411cb6322
Author: Daniel Weismüller daniel.weismueller@ipfire.org
Date: Wed Apr 5 12:25:16 2017 +0200
netsnmpd: added lmsensors and some other mibs
Signed-off-by: Daniel Weismüller daniel.weismueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9bc2e596d0805171e5a25e1be33fdcd9c114066d
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Apr 5 12:16:52 2017 +0100
IPsec: Include Curve 25519 in default proposal
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 64056cae466b49993af8fe831731d2eed77f683a
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Apr 5 12:15:20 2017 +0100
IPsec: Allow selecting Curve 25519 as group type
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1ef80c435225c6bd35df4d510b728ea6bfad772a
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Apr 5 12:08:39 2017 +0100
strongswan: Update to version 5.5.2
Introduces support for Curve25519 for IKE as defined by RFC8031.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 570d54fd84ead452753ac7fd498c7ee760caa3ff
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Apr 5 11:42:55 2017 +0100
IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers
IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024 when initiating a connection. These are considered weak, although much off-the-shelf hardware is still using them as defaults.
This patch disables those algorithms and additionally changes default behaviour to only accept the configured cipher suites.
This might create some interoperability issues, but increases security of IPFire-to-IPFire IPsec connections.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/strongswan | 8 ++++++++
 config/rootfiles/packages/netsnmpd | 3 +++
 html/cgi-bin/vpnmain.cgi | 18 +++++++++++-------
 lfs/netsnmpd | 13 ++++++++++---
 lfs/strongswan | 4 ++--
 5 files changed, 34 insertions(+), 12 deletions(-)
Difference in files: diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 354ecd7..fbc5786 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -21,6 +21,7 @@ etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/constraints.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf +etc/strongswan.d/charon/curve25519.conf etc/strongswan.d/charon/des.conf etc/strongswan.d/charon/dhcp.conf etc/strongswan.d/charon/dnskey.conf @@ -105,6 +106,11 @@ usr/lib/ipsec/libstrongswan.so.0.0.0 usr/lib/ipsec/libtls.so usr/lib/ipsec/libtls.so.0 usr/lib/ipsec/libtls.so.0.0.0 +#usr/lib/ipsec/libtpmtss.a +#usr/lib/ipsec/libtpmtss.la +usr/lib/ipsec/libtpmtss.so +usr/lib/ipsec/libtpmtss.so.0 +usr/lib/ipsec/libtpmtss.so.0.0.0 #usr/lib/ipsec/libvici.a #usr/lib/ipsec/libvici.la usr/lib/ipsec/libvici.so @@ -118,6 +124,7 @@ usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-constraints.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so +usr/lib/ipsec/plugins/libstrongswan-curve25519.so usr/lib/ipsec/plugins/libstrongswan-des.so usr/lib/ipsec/plugins/libstrongswan-dhcp.so usr/lib/ipsec/plugins/libstrongswan-dnskey.so @@ -201,6 +208,7 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/constraints.conf #usr/share/strongswan/templates/config/plugins/ctr.conf #usr/share/strongswan/templates/config/plugins/curl.conf +#usr/share/strongswan/templates/config/plugins/curve25519.conf #usr/share/strongswan/templates/config/plugins/des.conf #usr/share/strongswan/templates/config/plugins/dhcp.conf #usr/share/strongswan/templates/config/plugins/dnskey.conf diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd index 6328949..9d80ec2 100644 --- a/config/rootfiles/packages/netsnmpd +++ b/config/rootfiles/packages/netsnmpd 
@@ -542,6 +542,8 @@ usr/share/snmp/mibs/IPV6-MIB.txt usr/share/snmp/mibs/IPV6-TC.txt usr/share/snmp/mibs/IPV6-TCP-MIB.txt usr/share/snmp/mibs/IPV6-UDP-MIB.txt +usr/share/snmp/mibs/LM-SENSORS-MIB.txt +usr/share/snmp/mibs/MTA-MIB.txt usr/share/snmp/mibs/NET-SNMP-AGENT-MIB.txt usr/share/snmp/mibs/NET-SNMP-EXAMPLES-MIB.txt usr/share/snmp/mibs/NET-SNMP-EXTEND-MIB.txt @@ -549,6 +551,7 @@ usr/share/snmp/mibs/NET-SNMP-MIB.txt usr/share/snmp/mibs/NET-SNMP-PASS-MIB.txt usr/share/snmp/mibs/NET-SNMP-TC.txt usr/share/snmp/mibs/NET-SNMP-VACM-MIB.txt +usr/share/snmp/mibs/NETWORK-SERVICES-MIB.txt usr/share/snmp/mibs/NOTIFICATION-LOG-MIB.txt usr/share/snmp/mibs/RFC-1215.txt usr/share/snmp/mibs/RFC1155-SMI.txt diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index f4eccb1..cc891c9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1897,15 +1897,15 @@ END
#use default advanced value $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; + $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'on'; #[13]; - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; + $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; }
@@ -2178,7 +2178,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2219,7 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2338,6 +2338,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; $checked{'IKE_GROUPTYPE'}{'1024'} = ''; $checked{'IKE_GROUPTYPE'}{'1536'} = ''; @@ -2378,6 +2379,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; $checked{'ESP_GROUPTYPE'}{'1024'} = ''; $checked{'ESP_GROUPTYPE'}{'1536'} = ''; 
@@ -2532,6 +2534,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td> <td class='boldbase'> <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'> + <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option> <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option> <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option> <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option> @@ -2555,6 +2558,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> <td class='boldbase'> <select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'> + <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option> <option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option> <option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option> <option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option> diff --git a/lfs/netsnmpd b/lfs/netsnmpd index 1e59457..12fb342 100644 --- a/lfs/netsnmpd +++ b/lfs/netsnmpd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = netsnmpd -PAK_VER = 4 +PAK_VER = 5 DEPS = ""
############################################################################### @@ -83,15 +83,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --with-sys-location="localhost" \ --with-logfile="/var/log/snmpd.log" \ --with-persistent-directory="/var/net-snmp" \ + --with-mib-modules="host agentx smux \ + ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \ + ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \ + ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \ + ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \ + ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \ + sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" --libdir=/usr/lib \ --sysconfdir="/etc" cd $(DIR_APP) && make cd $(DIR_APP) && make install - install -v -m644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf + install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \ /var/ipfire/backup/addons/includes/netsnmpd
- #install initscripts + # install initscripts $(call INSTALL_INITSCRIPT,netsnmpd)
ln -sf ../init.d/netsnmpd /etc/rc.d/rc3.d/S65netsnmpd diff --git a/lfs/strongswan b/lfs/strongswan index fffa9af..7f6a95b 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.5.1 +VER = 5.5.2
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4eba9474f7dc6c8c8d7037261358e68d +$(DL_FILE)_MD5 = 546f7e5346b754f5946ff1282702ceb9
install : $(TARGET)
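Review bot: In the html/cgi-bin/vpnmain.cgi defaults hunk (@@ -1897,15 +1897,15), the new values sit under "#use default advanced value", and nothing in this diff rewrites settings already stored for a connection, so tunnels configured earlier would keep sha1, MODP-1024/1536 and ONLY_PROPOSED 'off'. If the intent is to retire those algorithms everywhere, add a migration step, or say in the commit message that only connections taking the defaults are affected.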
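Review bot: The group-type checks in html/cgi-bin/vpnmain.cgi at @@ -2178,7 and @@ -2219,7 still accept 1024 and 1536 in the pattern, and the $checked initialisation at @@ -2338,6 and @@ -2379,6 still lists '768', so the groups removed from the defaults remain selectable on the advanced page. If that is deliberate for interoperability, mark them as weak in the option labels; otherwise drop them from the pattern here as well.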
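Review bot: In the lfs/netsnmpd hunk at @@ -83,15 +83,22, the last added line of the --with-mib-modules value ends at the closing quote (`sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib"`) with no trailing backslash, while every other line of the configure call ends in ` \`. As shown, the following `--libdir=/usr/lib \` and `--sysconfdir="/etc"` lines are no longer part of the configure command. Add ` \` after the closing quote.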
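Review bot: In the lfs/strongswan hunk at @@ -48,7 +48,7, the 5.5.2 tarball is pinned only by `$(DL_FILE)_MD5`. MD5 is not collision resistant, so for the package that implements the IKE key exchange a SHA-256 or stronger digest, checked against the upstream release signature, would be a better pin if the lfs framework can carry one.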
hooks/post-receive -- IPFire 2.x development tree