From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2dbfc4020d18e65b525104b13891921411cb6322 Date: Wed, 05 Apr 2017 12:25:04 +0100 Message-ID: <20170405112505.1F1C010853C3@git01.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0865699034146311886==" List-Id: --===============0865699034146311886== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 2dbfc4020d18e65b525104b13891921411cb6322 (commit) via 9bc2e596d0805171e5a25e1be33fdcd9c114066d (commit) via 64056cae466b49993af8fe831731d2eed77f683a (commit) via 1ef80c435225c6bd35df4d510b728ea6bfad772a (commit) via 570d54fd84ead452753ac7fd498c7ee760caa3ff (commit) from 4f6790a7e48c1c5bf52ad53c060ef6f3274bd5a1 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 2dbfc4020d18e65b525104b13891921411cb6322 Author: Daniel Weism=C3=BCller Date: Wed Apr 5 12:25:16 2017 +0200 netsnmpd: added lmsensors and some other mibs =20 Signed-off-by: Daniel Weism=C3=BCller Signed-off-by: Michael Tremer commit 9bc2e596d0805171e5a25e1be33fdcd9c114066d Author: Michael Tremer Date: Wed Apr 5 12:16:52 2017 +0100 IPsec: Include Curve 25519 in default proposal =20 Signed-off-by: Michael Tremer commit 64056cae466b49993af8fe831731d2eed77f683a Author: Michael Tremer Date: Wed Apr 5 12:15:20 2017 +0100 IPsec: Allow selecting Curve 25519 as group type =20 
Signed-off-by: Michael Tremer commit 1ef80c435225c6bd35df4d510b728ea6bfad772a Author: Michael Tremer Date: Wed Apr 5 12:08:39 2017 +0100 strongswan: Update to version 5.5.2 =20 Introduces support for Curve25519 for IKE as defined by RFC8031. =20 Signed-off-by: Michael Tremer commit 570d54fd84ead452753ac7fd498c7ee760caa3ff Author: Michael Tremer Date: Wed Apr 5 11:42:55 2017 +0100 IPsec: Drop SHA1 and MODP<=3D1536 from proposed ciphers =20 IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024 when initiating a connection. These are considered weak although many off-the-shelf hardware is still using this as defaults. =20 This patch disables those algorithms and additionally changes default behaviour to only accept the configured cipher suites. =20 This might create some interoperability issues, but increases security of IPFire-to-IPFire IPsec connections. =20 Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/strongswan | 8 ++++++++ config/rootfiles/packages/netsnmpd | 3 +++ html/cgi-bin/vpnmain.cgi | 18 +++++++++++------- lfs/netsnmpd | 13 ++++++++++--- lfs/strongswan | 4 ++-- 5 files changed, 34 insertions(+), 12 deletions(-) Difference in files: diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/str= ongswan index 354ecd7..fbc5786 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -21,6 +21,7 @@ etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/constraints.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf +etc/strongswan.d/charon/curve25519.conf etc/strongswan.d/charon/des.conf etc/strongswan.d/charon/dhcp.conf etc/strongswan.d/charon/dnskey.conf 
@@ -105,6 +106,11 @@ usr/lib/ipsec/libstrongswan.so.0.0.0
 usr/lib/ipsec/libtls.so
 usr/lib/ipsec/libtls.so.0
 usr/lib/ipsec/libtls.so.0.0.0
+#usr/lib/ipsec/libtpmtss.a
+#usr/lib/ipsec/libtpmtss.la
+usr/lib/ipsec/libtpmtss.so
+usr/lib/ipsec/libtpmtss.so.0
+usr/lib/ipsec/libtpmtss.so.0.0.0
 #usr/lib/ipsec/libvici.a
 #usr/lib/ipsec/libvici.la
 usr/lib/ipsec/libvici.so
@@ -118,6 +124,7 @@ usr/lib/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/ipsec/plugins/libstrongswan-constraints.so
 usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
+usr/lib/ipsec/plugins/libstrongswan-curve25519.so
 usr/lib/ipsec/plugins/libstrongswan-des.so
 usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/ipsec/plugins/libstrongswan-dnskey.so
@@ -201,6 +208,7 @@ usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/constraints.conf
 #usr/share/strongswan/templates/config/plugins/ctr.conf
 #usr/share/strongswan/templates/config/plugins/curl.conf
+#usr/share/strongswan/templates/config/plugins/curve25519.conf
 #usr/share/strongswan/templates/config/plugins/des.conf
 #usr/share/strongswan/templates/config/plugins/dhcp.conf
 #usr/share/strongswan/templates/config/plugins/dnskey.conf
diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/n= etsnmpd
index 6328949..9d80ec2 100644
--- a/config/rootfiles/packages/netsnmpd
+++ b/config/rootfiles/packages/netsnmpd
@@ -542,6 +542,8 @@ usr/share/snmp/mibs/IPV6-MIB.txt
 usr/share/snmp/mibs/IPV6-TC.txt
 usr/share/snmp/mibs/IPV6-TCP-MIB.txt
 usr/share/snmp/mibs/IPV6-UDP-MIB.txt
+usr/share/snmp/mibs/LM-SENSORS-MIB.txt
+usr/share/snmp/mibs/MTA-MIB.txt
 usr/share/snmp/mibs/NET-SNMP-AGENT-MIB.txt
 usr/share/snmp/mibs/NET-SNMP-EXAMPLES-MIB.txt
 usr/share/snmp/mibs/NET-SNMP-EXTEND-MIB.txt
@@ -549,6 +551,7 @@ usr/share/snmp/mibs/NET-SNMP-MIB.txt
 usr/share/snmp/mibs/NET-SNMP-PASS-MIB.txt
 usr/share/snmp/mibs/NET-SNMP-TC.txt
 usr/share/snmp/mibs/NET-SNMP-VACM-MIB.txt
+usr/share/snmp/mibs/NETWORK-SERVICES-MIB.txt
 usr/share/snmp/mibs/NOTIFICATION-LOG-MIB.txt
 usr/share/snmp/mibs/RFC-1215.txt
 usr/share/snmp/mibs/RFC1155-SMI.txt
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index f4eccb1..cc891c9 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1897,15 +1897,15 @@ END
=20
 #use default advanced value
 $cgiparams{'IKE_ENCRYPTION'} =3D 'aes256gcm128|aes256gcm96|aes256gcm64|aes2= 56|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes12= 8gcm64|aes128'; #[18];
- $cgiparams{'IKE_INTEGRITY'} =3D 'sha2_512|sha2_256|sha'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} =3D '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_INTEGRITY'} =3D 'sha2_512|sha2_256'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} =3D 'curve25519|4096|3072|2048'; #[20];
 $cgiparams{'IKE_LIFETIME'} =3D '3'; #[16];
 $cgiparams{'ESP_ENCRYPTION'} =3D 'aes256gcm128|aes256gcm96|aes256gcm64|aes2= 56|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes12= 8gcm64|aes128'; #[21];
- $cgiparams{'ESP_INTEGRITY'} =3D 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} =3D '4096|3072|2048|1536|1024'; #[23];
+ $cgiparams{'ESP_INTEGRITY'} =3D 'sha2_512|sha2_256'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} =3D 'curve25519|4096|3072|2048'; #[23];
 $cgiparams{'ESP_KEYLIFE'} =3D '1'; #[17];
 $cgiparams{'COMPRESSION'} =3D 'on'; #[13];
- $cgiparams{'ONLY_PROPOSED'} =3D 'off'; #[24];
+ $cgiparams{'ONLY_PROPOSED'} =3D 'on'; #[24];
 $cgiparams{'PFS'} =3D 'on'; #[28];
 }
=20
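Review bot: The hardened values in the vpnmain.cgi hunk at -1897 sit under `#use default advanced value`, so they appear to seed only the defaults for a connection that has no advanced settings yet; nothing visible here rewrites connections already stored with `sha`/`sha1`, `1536|1024` or `ONLY_PROPOSED` set to `off`. If that reading is right, existing tunnels keep proposing and accepting the weak algorithms after the update, and a migration step or a warning in the connection list would be needed to close that gap. The flip of `ONLY_PROPOSED` to `'on'` is the change most likely to break interoperability with third-party peers, so a comment above it such as `# strict: accept only the cipher suites configured above (SHA1 and MODP<=1536 dropped from defaults)` would record why. The enclosing block starts before the hunk.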
@@ -2178,7 +2178,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|= 1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e= 224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { $errormessage =3D $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2219,7 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|= 1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e= 224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { $errormessage =3D $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2338,6 +2338,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} =3D ''; @temp =3D split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} =3D "selected=3D's= elected'"; } + $checked{'IKE_GROUPTYPE'}{'curve25519'} =3D ''; $checked{'IKE_GROUPTYPE'}{'768'} =3D ''; $checked{'IKE_GROUPTYPE'}{'1024'} =3D ''; $checked{'IKE_GROUPTYPE'}{'1536'} =3D ''; @@ -2378,6 +2379,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} =3D ''; @temp =3D split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} =3D "selected=3D's= elected'"; } + $checked{'ESP_GROUPTYPE'}{'curve25519'} =3D ''; $checked{'ESP_GROUPTYPE'}{'768'} =3D ''; $checked{'ESP_GROUPTYPE'}{'1024'} =3D ''; $checked{'ESP_GROUPTYPE'}{'1536'} =3D ''; @@ -2532,6 +2534,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'grouptype'} + 
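Review bot: The group allow-lists in the hunks at -2178 and -2219 are anchored with `$`, which in Perl also matches just before a trailing newline, so a value such as `curve25519` followed by a line feed would still pass the check; whether such a value can reach the generated IPsec configuration is not visible from here. Anchoring with `\z` closes this: end the patterns with `|8192)\z/` in the IKE check and `|8192|none)\z/` in the ESP check. The two patterns are the same list apart from `none`, so keeping the group names in one shared list would stop the next addition from landing in only one of them. Both checks still accept `1024` and `1536`, which the commit log calls weak; that looks intentional for interoperability, and a short comment saying so would help. The enclosing `if` blocks start and end outside the hunks.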
diff --git a/lfs/netsnmpd b/lfs/netsnmpd
index 1e59457..12fb342 100644
--- a/lfs/netsnmpd
+++ b/lfs/netsnmpd
@@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE)
 DIR_APP =3D $(DIR_SRC)/$(THISAPP)
 TARGET =3D $(DIR_INFO)/$(THISAPP)
 PROG =3D netsnmpd
-PAK_VER =3D 4
+PAK_VER =3D 5
 DEPS =3D ""
=20
 ############################################################################= ###
@@ -83,15 +83,22 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 --with-sys-location=3D"localhost" \
 --with-logfile=3D"/var/log/snmpd.log" \
 --with-persistent-directory=3D"/var/net-snmp" \
+ --with-mib-modules=3D"host agentx smux \
+ ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \
+ ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \
+ ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \
+ ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \
+ ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \
+ sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib"
 --libdir=3D/usr/lib \
 --sysconfdir=3D"/etc"
 cd $(DIR_APP) && make=20
 cd $(DIR_APP) && make install
- install -v -m644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
+ install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
 install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \
 /var/ipfire/backup/addons/includes/netsnmpd
=20
- #install initscripts
+ # install initscripts
 $(call INSTALL_INITSCRIPT,netsnmpd)
=20
 ln -sf ../init.d/netsnmpd /etc/rc.d/rc3.d/S65netsnmpd
diff --git a/lfs/strongswan b/lfs/strongswan
index fffa9af..7f6a95b 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER =3D 5.5.1
+VER =3D 5.5.2
=20
 THISAPP =3D strongswan-$(VER)
 DL_FILE =3D $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D 4eba9474f7dc6c8c8d7037261358e68d
+$(DL_FILE)_MD5 =3D 546f7e5346b754f5946ff1282702ceb9
=20
 install : $(TARGET)
=20
hooks/post-receive -- IPFire 2.x development tree --===============0865699034146311886==--
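Review bot: As rendered in this mail, the last added line of the `--with-mib-modules` argument in the lfs/netsnmpd hunk at -83 ends at the closing quote `ucd-snmp/lmsensorsMib"` without a trailing backslash, unlike every other continuation line of the configure call. If the file really reads that way, the configure command ends there, `--libdir=/usr/lib` and `--sysconfdir="/etc"` are no longer passed to it, and the following recipe line is run as a command of its own and fails; the line should end `ucd-snmp/lmsensorsMib" \`. Separately, the module list now compiles in `agentx` and `smux` alongside the sensor MIBs, which widens what the agent can expose, so it is worth confirming that the shipped `snmpd.conf` leaves those sub-agent interfaces disabled or bound to loopback unless they are needed. The recipe starts before the hunk and continues after it.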