This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 07e1b6c0afaf2cc7ee42c6d7a2a58bfda5d33af0 (commit) via a4d24f90525ff980c36decfda4755777f3974004 (commit) via 78039c1585df96ae932d3b9c50168c052186ec16 (commit) via e8b3bb0edcf5b6768326b01620f318a56aaf4814 (commit) from 0a11f8761ae9464e6321e2259899c3d5ec71a7a4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 07e1b6c0afaf2cc7ee42c6d7a2a58bfda5d33af0 Merge: a4d24f9 0a11f87 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 22 16:08:42 2015 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit a4d24f90525ff980c36decfda4755777f3974004 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 22 14:45:10 2015 +0200
vpnmain.cgi: Order ciphers by strength
strongSwan uses them in the defined order. Hence it makes much more sense to present them to the user as well in that order.
commit 78039c1585df96ae932d3b9c50168c052186ec16 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 22 14:44:16 2015 +0200
vpnmain.cgi: Use integrity functions as PRF for AEAD
commit e8b3bb0edcf5b6768326b01620f318a56aaf4814 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 22 14:08:41 2015 +0200
vpnmain.cgi: Rewrite algorithm generation code
-----------------------------------------------------------------------
Summary of changes: html/cgi-bin/vpnmain.cgi | 191 ++++++++++++++++++++++++++--------------------- 1 file changed, 105 insertions(+), 86 deletions(-)
Difference in files: diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index b25cb6a..0d23d0d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -310,67 +310,33 @@ sub writeipsecfiles {
# Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - print CONF "\tike="; - my @encs = split('|', $lconfighash{$key}[18]); - my @ints = split('|', $lconfighash{$key}[19]); - my @groups = split('|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - - my @l = split("", $k); - if ($l[0] eq "e") { - shift @l; - print CONF "$i-$j-ecp".join("", @l); - } else { - print CONF "$i-$j-modp$k"; - } - } - } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my @encs = split('|', $lconfighash{$key}[18]); + my @ints = split('|', $lconfighash{$key}[19]); + my @groups = split('|', $lconfighash{$key}[20]); + + my @algos = &make_algos("ike", @encs, @ints, @groups, 1); + print CONF "\tike=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - print CONF "\tesp="; - my @encs = split('|', $lconfighash{$key}[21]); - my @ints = split('|', $lconfighash{$key}[22]); - my @groups = split('|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - my $modp = ""; - if ($pfs eq "on") { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - if ($pfs eq "on") { - my @l = split("", $k); - if ($l[0] eq "e") { - $modp = ""; - } else { - $modp = "-modp$k"; - } - } else { - $modp = ""; - } - print CONF "$i-$j$modp"; - } - } else { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; - } + my @encs = split('|', $lconfighash{$key}[21]); + my @ints = split('|', $lconfighash{$key}[22]); + my @groups = split('|', $lconfighash{$key}[20]); + + my @algos = &make_algos("esp", @encs, @ints, @groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } }
# IKE V1 or V2 @@ -1883,11 +1849,11 @@ END $cgiparams{'REMOTE_ID'} = '';
#use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; @@ -2421,42 +2387,42 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td> <td class='boldbase'> <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> - <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option> - <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option> - <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option> <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> - <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option> - <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> - <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option> - <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> - <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option> - <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option> - <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option> + <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option> <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option> + <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option> + <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option> + <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option> + <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option> <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option> + <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option> + <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option> + <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option> + <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option> <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option> + <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option> </select> </td> <td class='boldbase'> <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'> - <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option> - <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option> - <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option> <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option> - <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option> - <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option> <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option> - <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option> - <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option> <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option> - <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option> - <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option> - <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option> + <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option> <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option> + <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option> + <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option> + <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option> + <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option> <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option> + <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option> + <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option> + <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option> + <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option> <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option> + <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option> </select> </td> </tr> @@ -2468,9 +2434,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option> <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option> <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option> + <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option> <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option> - <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> </select> </td> <td class='boldbase'> @@ -2478,9 +2444,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option> <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option> <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option> + <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option> <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option> - <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> </select> </td> </tr> @@ -2498,14 +2464,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <td class='boldbase'> <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'> <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option> - <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option> - <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option> - <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option> - <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option> <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option> + <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option> <option value='e384bp' $checked{'IKE_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option> + <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option> <option value='e256bp' $checked{'IKE_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option> + <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option> <option value='e224bp' $checked{'IKE_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option> + <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option> <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option> <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option> <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option> @@ -3025,3 +2991,56 @@ END &Header::closebox(); &Header::closebigbox(); &Header::closepage(); + +sub array_unique($) { + my $array = shift; + my @unique = (); + + my %seen = (); + foreach my $e (@$array) { + next if $seen{$e}++; + push(@unique, $e); + } + + return @unique; +} + +sub make_algos($$$$$) { + my ($mode, $encs, $ints, $grps, $pfs) = @_; + my @algos = (); + + foreach my $enc (@$encs) { + foreach my $int (@$ints) { + foreach my $grp (@$grps) { + my @algo = ($enc); + + if ($mode eq "ike") { + push(@algo, $int); + + if ($grp =~ m/^e(\d+)/) { + push(@algo, "ecp$1"); + } else { + push(@algo, "modp$grp"); + } + + } elsif ($mode eq "esp" && $pfs) { + my $is_aead = ($enc =~ m/[cg]cm/); + + if (!$is_aead) { + push(@algo, $int); + } + + if ($grp =~ m/^e\d+/) { + push(@algo, $grp); + } else { + push(@algo, "modp$grp"); + } + } + + push(@algos, join("-", @algo)); + } + } + } + + return &array_unique(@algos); +}
hooks/post-receive -- IPFire 2.x development tree