From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3] OpenVPN: Update to version 2.4.4
Date: Mon, 29 Jan 2018 11:54:03 +0000
Message-ID: <1517226843.2586.40.camel@ipfire.org>
In-Reply-To: <1517136670-6712-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1099463516776298796=="
List-Id: <development.lists.ipfire.org>

--===============1099463516776298796==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

this is a very patch. We need to break it down into many many smaller ones,
because this is hard to review. I have comments on many of them and I think t=
hat
we can already ship some changes (like the weak ciphers), but not others. A h=
uge
patch won't allow us to merge parts into different branches.

So I would propose to take this apart into:

a) The update of the OpenVPN package (i.e. lfs/openvpn) and rootfile
b) The script that updates the CRL
c) The markings of weak ciphers
d) Making the CGI ready for OpenVPN 2.4

Would you be able to split this?

Best,
-Michael

On Sun, 2018-01-28 at 11:51 +0100, Erik Kapfer wrote:
> ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first
> the cipher negotiation.
>     script-security flag 'system' has been dropped cause of security concer=
ns.
>     Directive changes/explanations can be found in here https://community.o=
pen
> vpn.net/openvpn/wiki/Openvpn24ManPage .
>=20
>     Added new AES-GCM cipher with 128, 196 and 256 bit.
>=20
>     DH-parameter with 1024 bit has been marked as 'weak'.
>     All 64 bit block ciphers (DES, BF and CAST5) has also been marked as
> 'weak'.
>=20
> Update script for OpenVPN CRL has been integrated since OpenVPN refactors t=
he
> CRL handling since v.2.4.0 .
>     Script checks the next update field from the CRL and preforms an update
> two days before it expires.
>     Script is placed under fcron.daily for daily checks.
>     OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn=
/co
> mmit/160504a2955c4478cd2c0323452929e07016a336 .
>=20
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/ovpn/ovpn_crl_updater.sh | 53
> +++++++++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/openvpn |  5 +++-
>  html/cgi-bin/ovpnmain.cgi       | 37 ++++++++++++++++++----------
>  lfs/openvpn                     | 11 ++++++---
>  4 files changed, 90 insertions(+), 16 deletions(-)
>  create mode 100644 config/ovpn/ovpn_crl_updater.sh
>=20
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater=
.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash
> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and
> renews it if needed,
> +#     which prevents the expiration of OpenVPNs CRL.
> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
> +#     whereby the verification logic has been removed from
> ssl_verify_<backend>.c .
> +#     See for more infos:
> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345=
292
> 9e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant,=20
> +#     this script provides a cronjob which checks daily if an update of the
> CRL is needed.
> +#     If the expiring date reaches the value (defined in the 'UPDATE'
> variable in days)
> +#     before the CRL expiration, an openssl command will be executed to re=
new
> the CRL.
> +#     The renewing of the CRL will be logged into /var/log/messages.
> +#=20
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +##########################################################################=
###
> ##################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> +	exit 0;
> +fi
> +
> +## Paths
> +OVPN=3D"/var/ipfire/ovpn";
> +CRL=3D"${OVPN}/crls/cacrl.pem";
> +CAKEY=3D"${OVPN}/ca/cakey.pem";
> +CACERT=3D"${OVPN}/ca/cacert.pem";
> +OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf";
> +## Values
> +# CRL check for the the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC=3D"$(( $(date -d "$(openssl crl -in "${CRL}" -text | gre=
p -oP
> 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
> +# Day in seconds to calculate
> +DAYINSEC=3D"86400";
> +# Convert seconds to days
> +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))";
> +# Update of the CRL in days before CRL expiring date
> +UPDATE=3D"2";
> +
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
> "${CRL}" -config "${OPENSSLCONF}";
> +	logger -t openssl "OpenVPN CRL has been renewed";
> +fi
> +
> +exit 0
> +
> +# EOF
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/open=
vpn
> index b58e30c..cbfd03e 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,5 @@
> +etc/fcron.daily/ovpn_crl_updater.sh
> +#usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
>  #usr/lib/openvpn/plugins
> @@ -10,11 +12,12 @@ usr/sbin/openvpn
>  #usr/share/doc/openvpn
>  #usr/share/doc/openvpn/COPYING
>  #usr/share/doc/openvpn/COPYRIGHT.GPL
> +#usr/share/doc/openvpn/Changes.rst
>  #usr/share/doc/openvpn/README
>  #usr/share/doc/openvpn/README.IPv6
>  #usr/share/doc/openvpn/README.auth-pam
>  #usr/share/doc/openvpn/README.down-root
> -#usr/share/doc/openvpn/README.polarssl
> +#usr/share/doc/openvpn/README.mbedtls
>  #usr/share/doc/openvpn/management-notes.txt
>  #usr/share/man/man8/openvpn.8
>  var/ipfire/ovpn/ca
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..8e5d1ae 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -216,7 +216,7 @@ sub writeserverconf {
>      print CONF "dev tun\n";
>      print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
>      print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
> -    print CONF "script-security 3 system\n";
> +    print CONF "script-security 3\n";
>      print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
> 3600\n";
>      print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
>      print CONF "tls-server\n";
> @@ -289,6 +289,7 @@ sub writeserverconf {
>      }=09
>      print CONF "status-version 1\n";
>      print CONF "status /var/run/ovpnserver.log 30\n";
> +    print CONF "ncp-disable\n";
>      print CONF "cipher $sovpnsettings{DCIPHER}\n";
>      if ($sovpnsettings{'DAUTH'} eq '') {
>          print CONF "";
> @@ -2002,7 +2003,7 @@ END
>  	    </select></td>
>  	<tr><td class=3D'base'>$Lang::tr{'ovpn dh'}:</td>
>  		<td class=3D'base'><select name=3D'DHLENGHT'>
> -				<option value=3D'1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> +				<option value=3D'1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
> weak'})</option>
>  				<option value=3D'2048'
> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>  				<option value=3D'3072'
> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>  				<option value=3D'4096'
> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> @@ -4543,6 +4544,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>      }
>      $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D
> 'checked=3D\'checked\'';
> =20
> +    $selected{'DCIPHER'}{'AES-256-GCM'} =3D '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} =3D '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D '';
> @@ -4707,18 +4711,21 @@ if ($cgiparams{'TYPE'} eq 'net') {
> =20
>  	<tr><td class=3D'boldbase'>$Lang::tr{'cipher'}</td>
>  		<td><select name=3D'DCIPHER'>
> +				<option value=3D'AES-256-GCM'		$s
> elected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
> +				<option value=3D'AES-192-GCM' 	 =09
> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
> +				<option value=3D'AES-128-GCM' 	 =09
> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-256-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-192-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-128-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-256-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
> $Lang::tr{'default'})</option>
>  				<option value=3D'AES-192-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-128-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE3-CBC'	 =09
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value=3D'DESX-CBC' 		$sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'SEED-CBC' 		$sel
> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</opti=
on>
> -				<option value=3D'BF-CBC' 		=09
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'CAST5-CBC' 		$se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value=3D'DES-EDE3-CBC'	 =09
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DESX-CBC' 		$sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value=3D'DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'BF-CBC' 		=09
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value=3D'CAST5-CBC' 		$se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'=
vpn
> weak'})</option>
>  			</select>
>  		</td>
> =20
> @@ -5108,6 +5115,9 @@ END
>      $selected{'DPROTOCOL'}{'tcp'} =3D '';
>      $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED';
> =20
> +    $selected{'DCIPHER'}{'AES-256-GCM'} =3D '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} =3D '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D '';
> @@ -5204,18 +5214,21 @@ END
> =20
>  		<td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'cipher'}</td>
>  		<td><select name=3D'DCIPHER'>
> +				<option value=3D'AES-256-GCM'
> $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
> +				<option value=3D'AES-192-GCM'
> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
> +				<option value=3D'AES-128-GCM'
> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-256-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-192-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value=3D'CAMELLIA-128-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-256-CBC'
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-192-CBC'
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-128-CBC'
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value=3D'DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'SEED-CBC'
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
> $Lang::tr{'bit'})</option>
> -				<option value=3D'BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value=3D'DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value=3D'CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
>  			</select>
>  		</td>
>      <tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'comp-lzo'}</td>
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 8307d01..e7f9bc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -1,7 +1,7 @@
>  ##########################################################################=
###
> ##
>  #                                                                         =
  =20
>  #
>  # IPFire.org - A linux based
> firewall                                         #
> -# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                    =
    =20
>  #
> +# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                    =
    =20
>  #
>  #                                                                         =
  =20
>  #
>  # This program is free software: you can redistribute it and/or
> modify        #
>  # it under the terms of the GNU General Public License as published
> by        #
> @@ -24,7 +24,7 @@
> =20
>  include Config
> =20
> -VER        =3D 2.3.18
> +VER        =3D 2.4.4
> =20
>  THISAPP    =3D openvpn-$(VER)
>  DL_FILE    =3D $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
> =20
>  $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
> =20
> -$(DL_FILE)_MD5 =3D 844ec9c64aae62051478784b8562f881
> +$(DL_FILE)_MD5 =3D 7a2002aad1671b24457bc9432a0c5c52
> =20
>  install : $(TARGET)
> =20
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
> +

--===============1099463516776298796==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl
Mnlwa3R4Z0hudy8yK1FDUWNGQWxwdkMxc0FDZ2tRZ0hudy8yK1EKQ1FkRzhRLzlISmdsZ2gvOTJy
YWU2QTFJTGdDY1Q2VXdDcytuYkllS0l0TVFqYk8xR01La2VJaEpicDF3K3Q0YgoydWhzZFc4Ukdk
dGpwdmlSblAvUDNRcUc4VzVkbjk1L01xM2ZTamJOengzR29xbkhuSHNUelJrR3FiK2pVTytaCnVo
QWJmOU9KMWRMTjBhWlJ1eVVVOTYzTFo0L2F4YnhZZWpCVWlPbzdoc0t1SzNGd0hFTDVGRnNmOUxI
aXN4YWsKNUo3c2xvSWVwOXV4SFN0ampGbXNYbTRZUWRFdXVVU3gwM2tRNmJTK0RYd2hNQVM2alk5
QUQ1MmpqWmRmaTAzUQo4TFNZV0xFclBwQWNTOUpjSWJ2cy9YR3ZoWXdDOU5WYWpBd2oveUVvYkZP
SlZUNDFoRVlMSStSZnZFWExSTDBSCjE5WjQxSGRqVHJ6aXg5MjlYd3FkQWx0QUxKaGozY3VNdUN1
YU1Ub3hidWhqSGExQjVjU1V2Qmc4amJMWlAwMXgKU1p4ejRLTTQweTBIeTdKSnlIM2tRbyt2a2JP
Wlhzamt4UVZrSEZyMmlNcWFmUC9zVlg3eEtCNkhxL0daSThJZwo1bW5lWEhUUCt1djhUU0VSVU5x
RzFQRmJLa0dJUFRBREIwWm5GblhTQzRpT2h1bDJwM20zVkFsWlJ5NkVtNWh0CjJEZ0RXRWFRL3d2
UlVQaXpoenNSOTJOZFRqcWZENHlraTAyQ1N0S3VBRmlBNVZDMnNrYWNNaldMNHcrSmdvYmEKN25l
Q3hBd1hqczgyL0VvSGVya1ZjQXBqOVdSRGZXQ3BUZnpSbGNJVnFDMTQwWG9YbXhHaFQrZkNaRi9a
WEFINwoxamNPU3cwMlMvZjd2UGFCUG1JcDZJUkljN0hYcEk1ejJpVUpqK0xDNFVFdkJZSHpKZmM9
Cj0yL3JBCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============1099463516776298796==--