[v2,2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM

Message ID b3f8f54c-df72-4124-ac1b-59924e3e9a78@ipfire.org
State Staged
Commit cb95115f5af2002830cb2bda255133ebb3619f64
Series [v2,1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519

Commit Message

Peter Müller May 26, 2025, 6:28 p.m. UTC
This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.

Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.

This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.

The second version of this patch modifies IPFire's own configuration
file for IPsec connections, rather than applying these changes directly
to /etc/ipsec.conf, where they would have been overwritten by the next
WebUI change.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/196/update.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Michael Tremer May 28, 2025, 2:16 p.m. UTC | #1
Hello Peter,

Thanks for the updated patch.

I applied it, but there were further changes necessary because if an update has been applied more than once, it would have broken the IPsec configuration. The update also needed to happen when a backup is being restored, and vpnmain.cgi needs to be called as nobody only.

Please review these changes:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=6ed4634be943fe125b61f0348063016fcacb89ee
  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=5d0b4d3b9df0d93aeb3d2400550c5ee355ba7146

Best,
-Michael

> On 26 May 2025, at 19:28, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> This causes existing IPsec connections using ML-KEM to always use it in
> conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
> implements for newly configured IPsec connections.
> 
> Again, we can reasonably assume an IPsec peer supporting ML-KEM also
> supports Curve 25519. In case such a peer does not support RFC 9370, and
> the IPsec connection was created using our default ciphers, it will fall
> back to Curve 448, Curve 25519, or any other traditional algorithm.
> 
> This patch will break existing IPsec connections only if they are
> exclusively using ML-KEM (which means the IPFire user reconfigured them
> manually using the "advanced connection settings" section in the WebUI),
> and the IPsec peer is configured in the same manner, and/or is an IPFire
> machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
> IPsec connection will continue working, potentially falling back to
> Curve 448 or 25519 until both peers are updated to Core Update 196,
> after which ML-KEM in conjunction with Curve 25519 will be used again.
> 
> The second version of this patch modifies IPFire's own configuration
> file for IPsec connections, rather than applying these changes directly
> to /etc/ipsec.conf, where they would have been overwritten by the next
> WebUI change.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/rootfiles/core/196/update.sh | 11 +++++++++++
> 1 file changed, 11 insertions(+)
> 
> diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
> index 0138fabcf..b8f92322f 100644
> --- a/config/rootfiles/core/196/update.sh
> +++ b/config/rootfiles/core/196/update.sh
> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
> done
> 
> # Stop services
> +/etc/rc.d/init.d/ipsec stop
> 
> # Remove files
> rm -rfv \
> @@ -65,7 +66,17 @@ esac
> # Apply SSH configuration
> #/usr/local/bin/sshctrl
> 
> +# Change IPsec configuration of existing connections using ML-KEM
> +# to always make use of hybrid key exchange in conjunction with Curve 25519.
> +sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
> +
> +# Apply changes to ipsec.conf
> +/srv/web/ipfire/cgi-bin/vpnmain.cgi
> +
> # Start services
> +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
> + /etc/rc.d/init.d/ipsec start
> +fi
> 
> # This update needs a reboot...
> #touch /var/run/need_reboot
> -- 
> 2.43.0
>
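As an added example (not IPFire's update.sh) of the point Michael raises about applying the update more than once: the filter below performs the same `mlkem` to `x25519-ke1_mlkem` rewrite in a form that is safe to repeat, alongside the single-expression form from the patch for comparison, run over constructed sample lines whose field layout only loosely imitates /var/ipfire/vpn/config.

```shell
#!/bin/sh
# Added example, not IPFire code. Idempotent version of the
# "mlkem -> x25519-ke1_mlkem" rewrite: running it a second time yields
# the same output instead of "x25519-ke1_x25519-ke1_mlkem768".

# The single expression as used in the patch under review (stdin -> stdout).
# Applied twice it double-prefixes tokens that were already migrated.
naive_migrate() {
    sed -e 's@mlkem@x25519-ke1_mlkem@g'
}

# Repeat-safe filter: first strip an existing hybrid prefix back to the
# bare "mlkem" token, then prefix every bare token. Tokens without
# "mlkem" (for example curve25519) pass through unchanged.
migrate_mlkem_hybrid() {
    sed -e 's@x25519-ke1_mlkem@mlkem@g' \
        -e 's@mlkem@x25519-ke1_mlkem@g'
}

# Convenience wrappers that return the rewritten form of a single line.
migrate_line()       { printf '%s\n' "$1" | migrate_mlkem_hybrid; }
naive_migrate_twice(){ printf '%s\n' "$1" | naive_migrate | naive_migrate; }

# Constructed sample (illustrative layout, not the real field order):
# bare ML-KEM, already migrated, and no ML-KEM at all.
SAMPLE_CONFIG='1,on,peer-a,aes256gcm128-sha256-mlkem768,aes256gcm128-mlkem768
2,on,peer-b,aes256gcm128-sha256-x25519-ke1_mlkem768,aes256gcm128-x25519-ke1_mlkem768
3,on,peer-c,aes256gcm128-sha256-curve25519,aes256gcm128-curve25519'

# Returns 0 when one and two applications of the filter give identical output.
check_idempotent() {
    once=$(printf '%s\n' "$SAMPLE_CONFIG" | migrate_mlkem_hybrid)
    twice=$(printf '%s\n' "$once" | migrate_mlkem_hybrid)
    [ "$once" = "$twice" ]
}

printf '%s\n' "$SAMPLE_CONFIG" | migrate_mlkem_hybrid
check_idempotent && echo "migration is idempotent"
```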

Patch

diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
index 0138fabcf..b8f92322f 100644
--- a/config/rootfiles/core/196/update.sh
+++ b/config/rootfiles/core/196/update.sh
@@ -32,6 +32,7 @@  for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+/etc/rc.d/init.d/ipsec stop
 
 # Remove files
 rm -rfv \
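Review bot: the `/etc/rc.d/init.d/ipsec stop` added under "# Stop services" runs unconditionally, while the matching start at the end of this update only happens when /var/ipfire/vpn/settings contains ENABLED=on. Stopping a service that is not running is normally harmless, but it is worth confirming that the init script's stop action returns success on a machine where IPsec is disabled, so that the update proceeds to the configuration rewrite that follows.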
@@ -65,7 +66,17 @@  esac
 # Apply SSH configuration
 #/usr/local/bin/sshctrl
 
+# Change IPsec configuration of existing connections using ML-KEM
+# to always make use of hybrid key exchange in conjunction with Curve 25519.
+sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
+
+# Apply changes to ipsec.conf
+/srv/web/ipfire/cgi-bin/vpnmain.cgi
+
 # Start services
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/rc.d/init.d/ipsec start
+fi
 
 # This update needs a reboot...
 #touch /var/run/need_reboot
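Review bot: the rewrite `sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config` is not idempotent: if the update is applied a second time, entries already migrated to `x25519-ke1_mlkem` become `x25519-ke1_x25519-ke1_mlkem`, which is the breakage Michael reports in his reply. Prepending a normalizing expression, `-e "s@x25519-ke1_mlkem@mlkem@g"`, before the existing one makes the step safe to repeat. Michael's reply also notes that `/srv/web/ipfire/cgi-bin/vpnmain.cgi`, called here directly as root, must run as nobody only, and that the same rewrite has to be applied when a backup is restored, which this hunk does not cover.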