This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  07e1b6c0afaf2cc7ee42c6d7a2a58bfda5d33af0 (commit)
       via  a4d24f90525ff980c36decfda4755777f3974004 (commit)
       via  78039c1585df96ae932d3b9c50168c052186ec16 (commit)
       via  e8b3bb0edcf5b6768326b01620f318a56aaf4814 (commit)
      from  0a11f8761ae9464e6321e2259899c3d5ec71a7a4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 07e1b6c0afaf2cc7ee42c6d7a2a58bfda5d33af0
Merge: a4d24f9 0a11f87
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Apr 22 16:08:42 2015 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit a4d24f90525ff980c36decfda4755777f3974004
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Apr 22 14:45:10 2015 +0200

    vpnmain.cgi: Order ciphers by strength
    
    strongSwan uses them in the defined order. Hence it makes
    much more sense to present them to the user as well in that
    order.

commit 78039c1585df96ae932d3b9c50168c052186ec16
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Apr 22 14:44:16 2015 +0200

    vpnmain.cgi: Use integrity functions as PRF for AEAD

commit e8b3bb0edcf5b6768326b01620f318a56aaf4814
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Apr 22 14:08:41 2015 +0200

    vpnmain.cgi: Rewrite algorithm generation code

-----------------------------------------------------------------------

Summary of changes:
 html/cgi-bin/vpnmain.cgi | 191 ++++++++++++++++++++++++++---------------------
 1 file changed, 105 insertions(+), 86 deletions(-)

Difference in files:
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index b25cb6a..0d23d0d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -310,67 +310,33 @@ sub writeipsecfiles {
 
 	# Algorithms
 	if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
-	    print CONF "\tike=";
-	    my @encs   = split('\|', $lconfighash{$key}[18]);
-	    my @ints   = split('\|', $lconfighash{$key}[19]);
-	    my @groups = split('\|', $lconfighash{$key}[20]);
-	    my $comma = 0;
-	    foreach my $i (@encs) {
-	        foreach my $j (@ints) {
-	    	    foreach my $k (@groups) {
-		        if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-
-		        my @l = split("", $k);
-		        if ($l[0] eq "e") {
-		            shift @l;
-		            print CONF "$i-$j-ecp".join("", @l);
-		        } else {
-		            print CONF "$i-$j-modp$k";
-		        }
-		    }
-	        }
-	    }
-	    if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
-		print CONF "!\n";
-	    } else {
-	        print CONF "\n";
-	    }
+		my @encs   = split('\|', $lconfighash{$key}[18]);
+		my @ints   = split('\|', $lconfighash{$key}[19]);
+		my @groups = split('\|', $lconfighash{$key}[20]);
+
+		my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+		print CONF "\tike=" . join(",", @algos);
+
+		if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
+			print CONF "!\n";
+		} else {
+			print CONF "\n";
+		}
 	}
+
 	if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
-	    print CONF "\tesp=";
-	    my @encs   = split('\|', $lconfighash{$key}[21]);
-	    my @ints   = split('\|', $lconfighash{$key}[22]);
-	    my @groups = split('\|', $lconfighash{$key}[20]);
-	    my $comma = 0;
-	    foreach my $i (@encs) {
-		foreach my $j (@ints) {
-			my $modp = "";
-			if ($pfs eq "on") {
-				foreach my $k (@groups) {
-				    if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-				    if ($pfs eq "on") {
-					my @l = split("", $k);
-					if ($l[0] eq "e") {
-						$modp = "";
-					} else {
-						$modp = "-modp$k";
-					}
-				    } else {
-				        $modp = "";
-				    }
-				    print CONF "$i-$j$modp";
-				}
-			} else {
-				if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-				print CONF "$i-$j";
-			}
+		my @encs   = split('\|', $lconfighash{$key}[21]);
+		my @ints   = split('\|', $lconfighash{$key}[22]);
+		my @groups = split('\|', $lconfighash{$key}[20]);
+
+		my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+		print CONF "\tesp=" . join(",", @algos);
+
+		if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
+			print CONF "!\n";
+		} else {
+			print CONF "\n";
 		}
-	    }
-	    if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
-		print CONF "!\n";
-	    } else {
-		print CONF "\n";
-	    }
 	}
 
 	# IKE V1 or V2
@@ -1883,11 +1849,11 @@ END
 	$cgiparams{'REMOTE_ID'} = '';
 
 	#use default advanced value
-	$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';	#[18];
+	$cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128';	#[18];
 	$cgiparams{'IKE_INTEGRITY'}  = 'sha2_512|sha2_256|sha';	#[19];
 	$cgiparams{'IKE_GROUPTYPE'}  = '4096|3072|2048|1536|1024';		#[20];
 	$cgiparams{'IKE_LIFETIME'}   = '3';		#[16];
-	$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';	#[21];
+	$cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128';	#[21];
 	$cgiparams{'ESP_INTEGRITY'}  = 'sha2_512|sha2_256|sha1';	#[22];
 	$cgiparams{'ESP_GROUPTYPE'}  = '';		#[23];
 	$cgiparams{'ESP_KEYLIFE'}    = '1';		#[17];
@@ -2421,42 +2387,42 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
 			<td class='boldbase'>
 				<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-					<option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
-					<option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
-					<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
 					<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
-					<option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
-					<option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
 					<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
-					<option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
-					<option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
 					<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
-					<option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
-					<option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
-					<option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+					<option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
 					<option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+					<option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+					<option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+					<option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+					<option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
 					<option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+					<option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+					<option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+					<option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+					<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
 					<option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+					<option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
 				</select>
 			</td>
 			<td class='boldbase'>
 				<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-					<option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
-					<option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
-					<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
 					<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
-					<option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
-					<option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
 					<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
-					<option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
-					<option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
 					<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
-					<option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
-					<option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
-					<option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+					<option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
 					<option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+					<option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+					<option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+					<option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+					<option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
 					<option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+					<option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+					<option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+					<option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+					<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
 					<option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
+					<option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
 				</select>
 			</td>
 		</tr>
@@ -2468,9 +2434,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 					<option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
 					<option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
 					<option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+					<option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
 					<option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
 					<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
-					<option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
 				</select>
 			</td>
 			<td class='boldbase'>
@@ -2478,9 +2444,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 					<option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
 					<option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
 					<option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+					<option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
 					<option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
 					<option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
-					<option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
 				</select>
 			</td>
 		</tr>
@@ -2498,14 +2464,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			<td class='boldbase'>
 				<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
 					<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
-					<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
-					<option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
-					<option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
-					<option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
 					<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
+					<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
 					<option value='e384bp' $checked{'IKE_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
+					<option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
 					<option value='e256bp' $checked{'IKE_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
+					<option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
 					<option value='e224bp' $checked{'IKE_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
+					<option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
 					<option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
 					<option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
 					<option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
@@ -3025,3 +2991,56 @@ END
     &Header::closebox();
     &Header::closebigbox();
     &Header::closepage();
+
+sub array_unique($) {
+	my $array = shift;
+	my @unique = ();
+
+	my %seen = ();
+	foreach my $e (@$array) {
+		next if $seen{$e}++;
+		push(@unique, $e);
+	}
+
+	return @unique;
+}
+
+sub make_algos($$$$$) {
+	my ($mode, $encs, $ints, $grps, $pfs) = @_;
+	my @algos = ();
+
+	foreach my $enc (@$encs) {
+		foreach my $int (@$ints) {
+			foreach my $grp (@$grps) {
+				my @algo = ($enc);
+
+				if ($mode eq "ike") {
+					push(@algo, $int);
+
+					if ($grp =~ m/^e(\d+)/) {
+						push(@algo, "ecp$1");
+					} else {
+						push(@algo, "modp$grp");
+					}
+
+				} elsif ($mode eq "esp" && $pfs) {
+					my $is_aead = ($enc =~ m/[cg]cm/);
+
+					if (!$is_aead) {
+						push(@algo, $int);
+					}
+
+					if ($grp =~ m/^e\d+/) {
+						push(@algo, $grp);
+					} else {
+						push(@algo, "modp$grp");
+					}
+				}
+
+				push(@algos, join("-", @algo));
+			}
+		}
+	}
+
+	return &array_unique(\@algos);
+}


hooks/post-receive
--
IPFire 2.x development tree