From patchwork Wed Oct 2 10:31:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2458 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 46jsrm1Sw4z3yqJ for ; Wed, 2 Oct 2019 10:32:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 46jsrk26RGz2MX; Wed, 2 Oct 2019 10:32:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 46jsrk15Sgz2yxN; Wed, 2 Oct 2019 10:32:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 46jsrh2QXGz2ytC for ; Wed, 2 Oct 2019 10:32:04 +0000 (UTC) Received: from michael.haj.ipfire.org (fw01.haj.ipfire.org [172.28.1.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 
46jsrh0GnLz2fm; Wed, 2 Oct 2019 10:32:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1570012324; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S33UBHQhKV4gGBgqu4hTjZB+UsMtCJsjMMiieiXXSZw=; b=JUh3NR6klfYpmr7Uc2tUViKmo8Er5fiSsI8GL8nGSevh34gPL2LWeywAeraKy4egwBpno0 5zEU8aqP0hZrIh7VgopmUswRuylUUp8ZAVORasC4TIw9Xg+/Um5NnMj06XlFHXDzdbqaSP smLq1wF39yPSEO3xxJkpovij3ZIPDF1fWsVqpGSE3o5mz1h4+AXLhQzKZiquKzMWeJKSLv xee/J0MdWK5AHyQ3Up8KywgRZb1r0v5gElUqY6CI3NchdbTkbOAL7aIgL8B2H8QthDgFoA RdzLYV8owSGLOaa9f30W127RmGtsCBOkRVccCFUisYsqRQZZ28J990//ZIAQtw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1570012324; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S33UBHQhKV4gGBgqu4hTjZB+UsMtCJsjMMiieiXXSZw=; b=pBF2hGrbIlRWGVQfu8zUURmEnF0p9Ge8n8g4yrW9EaGoGdHrlethOsgiUcDgN+PnNOrCf+ YUw6E+j/eG5n1FCA== 
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/2] IPsec: Add support for Curve448 Date: Wed, 2 Oct 2019 10:31:54 +0000 Message-Id: <20191002103154.3874-2-michael.tremer@ipfire.org> In-Reply-To: <20191002103154.3874-1-michael.tremer@ipfire.org> References: <20191002103154.3874-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This is supported since strongswan 5.7.2 and is a good alternative to Curve25519 because Curve448 is almost equally secure but performs faster. https://en.wikipedia.org/wiki/Curve448 This is enabled by default although we do not expect many other implementations to be able to support this. Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 750b69b1d..1cd7cb84b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -2000,11 +2000,11 @@ END
 #use default advanced value
 $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
 $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20];
+ $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[20];
 $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
 $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
 $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23];
+ $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[23];
 $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
 $cgiparams{'COMPRESSION'} = 'off'; #[13];
 $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
@@ -2368,7 +2368,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
 foreach my $val (@temp) {
- if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
 $errormessage = $Lang::tr{'invalid input'};
 goto ADVANCED_ERROR;
 }
@@ -2409,7 +2409,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
 foreach my $val (@temp) {
- if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
+ if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
 $errormessage = $Lang::tr{'invalid input'};
 goto ADVANCED_ERROR;
 }
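Review bot: The two default strings `$cgiparams{'IKE_GROUPTYPE'}` and `$cgiparams{'ESP_GROUPTYPE'}` in the hunk at line 2000 now carry `curve448`, but nothing in the code records what that depends on. The commit message says the group needs strongSwan 5.7.2, and whether the installed build actually provides it is not visible from this patch. I would add a comment above the defaults, for example `# curve448 requires strongSwan >= 5.7.2; keep this list in sync with the GROUPTYPE validation regexes`. The block holding these defaults starts and ends outside the hunk.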
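Review bot: The allow-list check in the hunk at line 2368 anchors with `^` and `$`, and in Perl `$` also matches before a trailing newline, so a group name followed by a newline passes validation. The check in the hunk at line 2409 (the variant that also accepts `none`) has the same gap. These values appear to be stored and later written into the proposal strings built by `make_algos`, so I would tighten both patterns by replacing the leading `^(` with `\A(?:` and the trailing `)$` with `)\z`. The enclosing `if` block starts and ends outside both hunks.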
@@ -2549,6 +2549,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; + $checked{'IKE_GROUPTYPE'}{'curve448'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; $checked{'IKE_GROUPTYPE'}{'1024'} = ''; $checked{'IKE_GROUPTYPE'}{'1536'} = ''; @@ -2588,6 +2589,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; + $checked{'ESP_GROUPTYPE'}{'curve448'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; $checked{'ESP_GROUPTYPE'}{'1024'} = ''; $checked{'ESP_GROUPTYPE'}{'1536'} = ''; @@ -2752,6 +2754,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + @@ -3325,7 +3329,7 @@ sub make_algos($$$$$) { if ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve25519/) { + } elsif ($grp =~ m/curve(25519|448)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp"); @@ -3342,7 +3346,7 @@ sub make_algos($$$$$) { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve25519/) { + } elsif ($grp =~ m/curve(25519|448)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp");
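Review bot: The `$checked{'IKE_GROUPTYPE'}{...} = ''` run in the hunk at line 2549, and its ESP twin in the hunk at line 2588, is one more hand-maintained copy of the group names that the two validation regexes and the default strings already list. A single array of supported groups would keep the form and the allow-list from drifting apart, used as `$checked{'IKE_GROUPTYPE'}{$_} = '' for @groups;` and also to build the validation pattern. `@groups` is a name proposed here, not one that exists in the file. Both initialisation runs continue outside their hunks.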
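Review bot: The new test `m/curve(25519|448)/` in the hunk at line 3325 is unanchored, so any group string that merely contains `curve25519` or `curve448` takes this branch and is pushed verbatim into `@algo`. The identical line in the hunk at line 3342 has the same problem. The CGI form validates against an anchored allow-list, but `make_algos` appears to read its groups from stored configuration, so it should match exactly: `} elsif ($grp =~ m/\Acurve(?:25519|448)\z/) {`. The existing `else` branch still interpolates `$grp` into `modp$grp` unchecked and would merit a `\A\d+\z` guard, although that is outside this change. `make_algos` starts and ends outside both hunks.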