To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. b2bd76188198b0d4fd4ee85c55a6ccb5cc38a427
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: 313b34669c2d67635a473b6e3fa2ed5c593fc4c4
X-Git-Newrev: b2bd76188198b0d4fd4ee85c55a6ccb5cc38a427
Message-Id: <4b6s3D3Lrsz2yTg@people01.haj.ipfire.org>
Date: Wed, 28 May 2025 14:15:20 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  b2bd76188198b0d4fd4ee85c55a6ccb5cc38a427 (commit)
       via  5d0b4d3b9df0d93aeb3d2400550c5ee355ba7146 (commit)
       via  6ed4634be943fe125b61f0348063016fcacb89ee (commit)
       via  cb95115f5af2002830cb2bda255133ebb3619f64 (commit)
       via  5ed68a18b06ac84e994b1065398370533f59eea0 (commit)
       via  23026ecc8531dfc41bd4cd7ca909b023f6fdc9a7 (commit)
       via  1a89896a79d0060e08df287f9c4536dba12927d3 (commit)
      from  313b34669c2d67635a473b6e3fa2ed5c593fc4c4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b2bd76188198b0d4fd4ee85c55a6ccb5cc38a427
Author: Michael Tremer
Date:   Wed May 28 14:14:54 2025 +0000

    core196: Ship backup.pl

    Signed-off-by: Michael Tremer

commit 5d0b4d3b9df0d93aeb3d2400550c5ee355ba7146
Author: Michael Tremer
Date:   Wed May 28 14:14:04 2025 +0000

    backup: Also update MLKEM configuration if a backup is being restored

    Signed-off-by: Michael Tremer

commit 6ed4634be943fe125b61f0348063016fcacb89ee
Author: Michael Tremer
Date:   Wed May 28 14:11:07 2025 +0000

    core196: Don't break IPsec tunnels that use MLKEM

    The previous patch was changing the string regardless of it having been
    changed before.

    The CGI script also has to be called as nobody.

    Signed-off-by: Michael Tremer

commit cb95115f5af2002830cb2bda255133ebb3619f64
Author: Peter Müller
Date:   Mon May 26 18:28:00 2025 +0000

    Core Update 196: Adjust existing IPsec connections using ML-KEM

    This causes existing IPsec connections using ML-KEM to always use it in
    conjunction with Curve 25519, in line with the changes
    dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 implements for newly configured
    IPsec connections.

    Again, we can reasonably assume an IPsec peer supporting ML-KEM also
    supports Curve 25519. In case such a peer does not support RFC 9370, and
    the IPsec connection was created using our default ciphers, it will fall
    back to Curve 448, Curve 25519, or any other traditional algorithm.

    This patch will break existing IPsec connections only if they are
    exclusively using ML-KEM (which means the IPFire user reconfigured them
    manually using the "advanced connection settings" section in the WebUI),
    and the IPsec peer is configured in the same manner, and/or is an IPFire
    machine not yet updated to Core Update 196.

    Any other IPFire-to-IPFire IPsec connection will continue working,
    potentially falling back to Curve 448 or 25519 until both peers are
    updated to Core Update 196, after which ML-KEM in conjunction with
    Curve 25519 will be used again.

    The second version of this patch modifies IPFire's own configuration
    file for IPsec connections, rather than applying these changes directly
    to /etc/ipsec.conf, where they would have been overwritten by the next
    WebUI change.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 5ed68a18b06ac84e994b1065398370533f59eea0
Author: Peter Müller
Date:   Mon May 26 18:27:00 2025 +0000

    vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519

    In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum key
    exchange algorithm ML-KEM was introduced, due to its support being added
    in strongSwan 6.0.

    However, using PQC key exchanges is commonly recommended only in
    conjunction with a traditional one, to avoid encrypted traffic becoming
    subject to trivial decryption in case a PQC algorithm proves weak,
    broken, or backdoored. OpenSSH, for instance, combines ML-KEM 768 with
    Curve 25519 (mlkem768x25519-sha256), rather than using ML-KEM alone.

    This patch changes the cipher suites offered for IPsec connections to
    always use ML-KEM as a hybrid with Curve 25519. This is possible due to
    strongSwan 6.0 having added support for IKE intermediary key exchanges
    (RFC 9370); see
    https://docs.strongswan.org/docs/latest/config/proposals.html#_key_exchange_methods
    for additional information.

    We can reasonably assume an IPsec peer supporting ML-KEM will also
    support Curve 25519, as this has been around for much longer, and is
    used quite commonly. Even if this is not the case, or if the IPsec peer
    does not implement RFC 9370, any IPsec connection using our default
    cipher selection will fall back to Curve 448, Curve 25519, or other,
    hence continue working.

    IPsec connections already created will need their ciphers to be changed
    once during the Core Update routine where this patch will be
    incorporated.

    Tested-by: Peter Müller
    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 23026ecc8531dfc41bd4cd7ca909b023f6fdc9a7
Author: Michael Tremer
Date:   Wed May 28 09:27:44 2025 +0000

    core196: Ship header.pl

    Signed-off-by: Michael Tremer

commit 1a89896a79d0060e08df287f9c4536dba12927d3
Author: Stephen Cuka
Date:   Wed May 28 00:42:23 2025 -0600

    header.pl: Fixbug13857 - Disable Blue Access submenu if no BLUE network

    - Fix reference to BlueAccess menu item so that it is disabled when BLUE
      network is not in use.

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                   |  8 +++++++
 config/cfgroot/header.pl                  |  2 +-
 config/rootfiles/core/196/filelists/files |  2 ++
 config/rootfiles/core/196/update.sh       | 13 +++++++++++
 html/cgi-bin/vpnmain.cgi                  | 36 +++++++++++++++----------------
 5 files changed, 42 insertions(+), 19 deletions(-)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl index a830e8c07..0b8272266 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -331,6 +331,14 @@ restore_backup() { sed -i 'd' /var/ipfire/certs/index.txt fi + # Update MLKEM to only be used in combination with x25519 + if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then + sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config + + # Regenerate /etc/ipsec.conf + sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi + fi + # Restart ipsec if enabled # This will ensure that the restored certs and secrets etc are loaded and used if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ] ; then diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 5a4d41308..48ca16996 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl
@@ -457,7 +457,7 @@ sub genmenu { eval `/bin/cat /var/ipfire/menu.d/*.main`; if (! blue_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'60.wireless'}{'enabled'} = 0; + $menu->{'05.firewall'}{'subMenu'}->{'70.wireless'}{'enabled'} = 0; } if ( $Network::ethernet{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $Network::ethernet{'RED_TYPE'} eq 'STATIC' ) { $menu->{'03.network'}{'subMenu'}->{'70.aliases'}{'enabled'} = 1; diff --git a/config/rootfiles/core/196/filelists/files b/config/rootfiles/core/196/filelists/files index 57731bead..0949c2397 100644 --- a/config/rootfiles/core/196/filelists/files +++ b/config/rootfiles/core/196/filelists/files @@ -5,8 +5,10 @@ srv/web/ipfire/cgi-bin/netovpnsrv.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/wireguard.cgi +var/ipfire/backup/bin/backup.pl var/ipfire/fwhosts/customservices var/ipfire/graphs.pl +var/ipfire/header.pl var/ipfire/ipblocklist-functions.pl var/ipfire/langs/list var/ipfire/wireguard-functions.pl diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh index 0138fabcf..bd9e80f42 100644 --- a/config/rootfiles/core/196/update.sh +++ b/config/rootfiles/core/196/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services +/etc/rc.d/init.d/ipsec stop # Remove files rm -rfv \ @@ -65,7 +66,19 @@ esac # Apply SSH configuration #/usr/local/bin/sshctrl +# Change IPsec configuration of existing connections using ML-KEM +# to always make use of hybrid key exchange in conjunction with Curve 25519. +if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then + sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config +fi + +# Apply changes to ipsec.conf +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi + # Start services +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/rc.d/init.d/ipsec start +fi # This update needs a reboot... #touch /var/run/need_reboot 
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 4f81fecdf..154b94033 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2374,11 +2374,11 @@ END #use default advanced value $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = 'mlkem1024|mlkem768|mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = 'x25519-ke1_mlkem1024|x25519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = 'mlkem1024|mlkem768|mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[23]; + $cgiparams{'ESP_GROUPTYPE'} = 'x25519-ke1_mlkem1024|x25519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'off'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; @@ -2759,7 +2759,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } 
@@ -2800,7 +2800,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2940,9 +2940,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'IKE_GROUPTYPE'}{'mlkem1024'} = ''; - $checked{'IKE_GROUPTYPE'}{'mlkem768'} = ''; - $checked{'IKE_GROUPTYPE'}{'mlkem512'} = ''; + $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'} = ''; + $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem768'} = ''; + $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem512'} = ''; $checked{'IKE_GROUPTYPE'}{'curve448'} = ''; $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; @@ -2983,9 +2983,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'mlkem1024'} = ''; - $checked{'ESP_GROUPTYPE'}{'mlkem768'} = ''; - $checked{'ESP_GROUPTYPE'}{'mlkem512'} = ''; + $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem1024'} = ''; + $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem768'} = ''; + $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem512'} = ''; $checked{'ESP_GROUPTYPE'}{'curve448'} = ''; $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; 
@@ -3151,9 +3151,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'grouptype'} - - - + + + @@ -3757,7 +3757,7 @@ sub make_algos($$$$$) { if ($mode eq "ike") { push(@algo, $int); - if ($grp =~ m/^mlkem(\d+)$/) { + if ($grp =~ m/^x25519-ke1_mlkem(\d+)$/) { push(@algo, "$grp"); } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); @@ -3776,7 +3776,7 @@ sub make_algos($$$$$) { if (!$pfs || $grp eq "none") { # noop - } elsif ($grp =~ m/^mlkem(\d+)$/) { + } elsif ($grp =~ m/^x25519-ke1_mlkem(\d+)$/) { push(@algo, "$grp"); } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); hooks/post-receive -- IPFire 2.x development tree
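
Review bot: In config/backup/backup.pl (restore_backup), the grep -q "x25519-ke1_mlkem" guard is all-or-nothing for the whole file: as soon as one connection in the restored /var/ipfire/vpn/config already carries the hybrid string, every remaining bare mlkem entry is left untouched, and the regeneration of /etc/ipsec.conf is skipped along with it. Making the substitution itself idempotent, by matching only mlkem tokens that are not already preceded by x25519-ke1_, would remove the need for the guard and also handle files that contain both forms.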
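
Review bot: In config/cfgroot/header.pl (genmenu), the fix replaces one hard-coded key, '60.wireless', with another, '70.wireless', and nothing checks that the key exists. Perl autovivifies nested hash entries on assignment, so a key that does not match what /var/ipfire/menu.d/*.main defines creates a new entry with enabled = 0 instead of raising an error, and a stale reference goes unnoticed. Consider guarding the assignment with exists on the subMenu entry, or at least adding a comment naming the menu.d file that defines 70.wireless so the two stay in sync.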
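
Review bot: In config/rootfiles/core/196/update.sh (hunk at -65,7), the substitution s@mlkem@x25519-ke1_mlkem@g is unanchored, so it rewrites the substring mlkem anywhere in /var/ipfire/vpn/config, which would include a connection name or remark that happens to contain it, not only the key exchange fields. Restricting the pattern to the tokens the vpnmain.cgi validation accepts (mlkem followed by 1024, 768 or 512, bounded by a field or list delimiter) would confine the change to cipher values. vpnmain.cgi is also invoked unconditionally here but only inside the if in backup.pl; a short comment saying which behaviour is intended would help.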
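
Review bot: In html/cgi-bin/vpnmain.cgi (make_algos, both hunks), a stored group of plain mlkem768 no longer matches m/^x25519-ke1_mlkem(\d+)$/ and falls through to the later elsif branches instead of being rejected or mapped to the hybrid name, so the generated proposal is only correct if the sed migration has already run on the config. An explicit branch for legacy mlkem values, either mapping them to the hybrid form or skipping them with an error, would make that dependency visible. The capture group in the new pattern is unused, and \d+ is looser than the (1024|768|512) list used in the input validation hunks; reusing that list here would keep the two in step.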
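
The commit log above notes that an earlier version of the migration changed the string even when it had already been changed. The following script is an added example, not IPFire's code: it compares a file-wide guard with a token-bounded rewrite on a constructed config. The field layout, file contents and function names are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample: one connection on bare ML-KEM, one already hybrid.
# The comma-separated field layout is an assumption, not IPFire's real format.
make_sample() {
    cat > "$1" <<'EOF'
1,on,mlkem-lab,mlkem1024|mlkem768|curve25519,mlkem768|none
2,on,site-b,x25519-ke1_mlkem768|curve448,x25519-ke1_mlkem768
EOF
}

# File-wide guard plus unanchored substitution, mirroring the update.sh logic.
migrate_guarded() {
    if ! grep -q "x25519-ke1_mlkem" "$1"; then
        sed -e "s@mlkem@x25519-ke1_mlkem@g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Token-bounded rewrite: only whole mlkem512/768/1024 tokens delimited by
# "," or "|" are changed, so names and already-hybrid entries are left alone.
# The :a/ta loop is needed because neighbouring tokens share a delimiter and
# a single /g pass would skip every second one.
migrate_tokens() {
    sed -E -e ':a' \
        -e 's/(^|[,|])mlkem(512|768|1024)([,|]|$)/\1x25519-ke1_mlkem\2\3/' \
        -e 'ta' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of key exchange tokens that are still bare ML-KEM.
count_bare() {
    grep -oE '(^|[,|])mlkem(512|768|1024)' "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample.
f=$(mktemp)
make_sample "$f"
migrate_guarded "$f"
echo "after guarded rewrite: $(count_bare "$f") bare tokens"
migrate_tokens "$f"
echo "after token rewrite:   $(count_bare "$f") bare tokens"
cat "$f"
rm -f "$f"
```

On the mixed sample the guarded variant changes nothing because the second connection already contains the hybrid string, while the token-bounded variant converts the remaining entries and can be run repeatedly without further changes.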