From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] OpenVPN: Introduce new AES-GCM cipher for N2N and RW Date: Wed, 14 Feb 2018 13:45:13 +0100 Message-ID: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3158535266932254225==" List-Id: --===============3158535266932254225== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior sec= tion. Cipher menu description has been changed for N2N and RW since AES-GCM uses ow= n authentication encryption (GMAC). More information can be found in here https://tools.ietf.org/html/rfc5288= . Added java script snipped to disable HMAC selection for N2N if AES-GCM has be= en selected. 'auth *' line in N2N.conf won=C2=B4t be deleted even if AES-GCM is used s= o possible individual '--tls-auth' configurations won=C2=B4t broke. 'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no = '--tls-auth' are configured. Left HMAC selection menu for Roadwarriors as it was since the WUI do provides= '--tls-auth' which uses the configuered HMAC even AES-GCM has been applied. Signed-off-by: Erik Kapfer
---
config/rootfiles/common/openssl-compat | 2 --
html/cgi-bin/ovpnmain.cgi | 32 ++++++++++++++++++++++++++++++--
2 files changed, 30 insertions(+), 4 deletions(-)
delete mode 100644 config/rootfiles/common/openssl-compat
diff --git a/config/rootfiles/common/openssl-compat b/config/rootfiles/common= /openssl-compat
deleted file mode 100644
index 7ef11e6..0000000
--- a/config/rootfiles/common/openssl-compat
+++ /dev/null
@@ -1,2 +0,0 @@
-usr/lib/libcrypto.so.10
-usr/lib/libssl.so.10
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9f5e682..0a18ec7 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D 'checked=3D= \'checked\''; =20 + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') { =20 $Lang::tr{'cipher'} - + + + @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { =20 $Lang::tr{'ovpn ha'}: - @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM is used, disable HMAC menu +print< + var disable_options =3D false; + document.getElementById('n2ncipher').onchange =3D function () { + if((this.value =3D=3D "AES-256-GCM"||this.value =3D=3D "AES-192-GCM"||thi= s.value =3D=3D "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -5108,6 +5130,9 @@ END $selected{'DPROTOCOL'}{'tcp'} =3D ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED'; =20 + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; @@ -5204,6 +5229,9 @@ END =20 $Lang::tr{'cipher'}
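Review bot: In the JavaScript block added by the `@@ -4737,6 +4743,22 @@` hunk, the HMAC menu is toggled only from the `onchange` handler, so a form that loads with an AES-GCM cipher already selected keeps `n2nhmac` enabled until the cipher is changed, and `disable_options` is declared but never used. Moving the test into a named function that reads `n2ncipher.value` and calling it once after it is assigned would cover the initial state: `var n2ncipher = document.getElementById('n2ncipher'); n2ncipher.onchange = syncHmac; syncHmac();`. A disabled select is also left out of the submitted form and the state exists only in the browser, so the CGI's save path (not visible in this patch) should itself tolerate a missing HMAC value and decide what to write when a GCM cipher is posted, rather than relying on the script. The surrounding markup is stripped in this view, so the element ids are taken from the script lines alone.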