From mboxrd@z Thu Jan 1 00:00:00 1970
From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Introduce new AES-GCM cipher for N2N and RW
Date: Wed, 14 Feb 2018 15:28:07 +0100
Message-ID: <1518618487.5544.2.camel@ipfire.org>
In-Reply-To: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>

The openssl-compat deletion has been accidentally included in the patch. Will ship a version 2. Sorry for that...

On Wednesday, 14.02.2018, 13:45 +0100, Erik Kapfer wrote:
> AES-GCM 128, 196 and 256 bit has been added to the Net-to-Net and
> Roadwarrior section.
>
> Cipher menu description has been changed for N2N and RW since AES-GCM
> uses its own authenticated encryption (GMAC).
>     More information can be found here: https://tools.ietf.org/html/rfc5288 .
> Added JavaScript snippet to disable HMAC selection for N2N if AES-GCM
> has been selected.
>     'auth *' line in N2N.conf won't be deleted even if AES-GCM is
> used, so possible individual '--tls-auth' configurations won't break.
>     'auth *' line in N2N.conf will also be ignored if AES-GCM is used
> and no '--tls-auth' is configured.
> Left HMAC selection menu for Roadwarriors as it was, since the WUI does
> provide '--tls-auth', which uses the configured HMAC even if AES-GCM
> has been applied.
>
> Signed-off-by: Erik Kapfer
> ---
>  config/rootfiles/common/openssl-compat |  2 --
>  html/cgi-bin/ovpnmain.cgi              | 32 ++++++++++++++++++++++++++++++--
>  2 files changed, 30 insertions(+), 4 deletions(-)
>  delete mode 100644 config/rootfiles/common/openssl-compat
>
> diff --git a/config/rootfiles/common/openssl-compat b/config/rootfiles/common/openssl-compat
> deleted file mode 100644
> index 7ef11e6..0000000
> --- a/config/rootfiles/common/openssl-compat > +++ /dev/null > @@ -1,2 +0,0 @@ > -usr/lib/libcrypto.so.10 > -usr/lib/libssl.so.10 > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 9f5e682..0a18ec7 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { >      } >      $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = > 'checked=\'checked\''; >   > +    $selected{'DCIPHER'}{'AES-256-GCM'} = ''; > +    $selected{'DCIPHER'}{'AES-192-GCM'} = ''; > +    $selected{'DCIPHER'}{'AES-128-GCM'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; > @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') { >   >   >   $Lang::tr{'cipher'} > - > + > + > + >   >   >   > @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { >   >   >   $Lang::tr{'ovpn ha'}: > - >   >   >   > @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { >  END >  ; >   } > + > +#### JAVA SCRIPT #### > +# Validate N2N cipher. If GCM is used, disable HMAC menu > +print< + > +END > + >  #jumper >   print "$Lang::tr{'remark > title'}"; >   print " value='$cgiparams{'REMARK'}' size='55' maxlength='50' > />"; > @@ -5108,6 +5130,9 @@ END >      $selected{'DPROTOCOL'}{'tcp'} = ''; >      $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; >   > +    $selected{'DCIPHER'}{'AES-256-GCM'} = ''; > +    $selected{'DCIPHER'}{'AES-192-GCM'} = ''; > +    $selected{'DCIPHER'}{'AES-128-GCM'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; >      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; > @@ -5204,6 +5229,9 @@ END >   >   nowrap='nowrap'>$Lang::tr{'cipher'} >
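Review bot: the deletion of config/rootfiles/common/openssl-compat is unrelated to the OpenVPN cipher change and should be split out of this patch, as the reply above already says; as posted, removing the two entries drops usr/lib/libcrypto.so.10 and usr/lib/libssl.so.10 from the rootfile, which is a change with its own risk and deserves its own commit and review. Restore the file in v2 and keep this series to ovpnmain.cgi only.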
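Review bot: the N2N $selected{'DCIPHER'} initialisation in the hunk at -4543 hard-codes the three GCM names a second time (the roadwarrior block at -5130 repeats them, and the cipher select's option values must match them character for character), so one list now lives in at least three places and will drift; put the names in a single array and loop over it for both $selected blocks and the option output. Two smaller points on the same hunk: the key added here is 'AES-192-GCM' while the commit message says '128, 196 and 256 bit', so the message needs fixing in v2; and nothing in the hunk shows $cgiparams{'DCIPHER'} being checked against this list before it is written into the .conf, which a value taken straight from the form should be.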
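Review bot: the three option lines added to the N2N cipher select in the hunk at -4709 are empty in this copy of the patch, so their value attributes cannot be reviewed here; they need to be exactly 'AES-256-GCM', 'AES-192-GCM' and 'AES-128-GCM', the keys initialised in the -4543 hunk, or $selected will never mark the chosen entry, and the select needs an id or name the JavaScript added at -4743 can address. Please resend with the markup intact so this can be checked.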
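Review bot: disabling the HMAC select from JavaScript when a GCM cipher is chosen (hunk at -4743) is a UI hint only, not validation: a disabled form control is not submitted with the form, so with AES-GCM selected the HMAC parameter will be absent from the POST, and a browser with scripts off will submit both values regardless. The server side therefore has to handle an empty or missing HMAC value itself, preferably by keeping the previous or default digest in the 'auth' line so the --tls-auth case the commit message wants to preserve still has a digest, rather than relying on the state of the select. Minor: the comment header reads '#### JAVA SCRIPT ####'; 'JavaScript' is one word.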
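Review bot: the roadwarrior block at -5130 repeats the three GCM keys verbatim from the N2N block at -4543; factor the cipher list out so the two paths stay in sync, since a cipher later added to one list and not the other is the usual way this goes wrong. As the commit message keeps the HMAC select for roadwarriors because the WUI emits --tls-auth, a one-line comment here saying why 'auth' is still written for a GCM cipher would save the next reader a trip to the OpenVPN manual.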
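The interaction the commit message describes (AES-GCM needs no HMAC on the data channel, the 'auth' digest is nevertheless still used by --tls-auth, and a browser-side disabled HMAC menu means that parameter may not arrive at all), as an added Perl example that is not part of this patch or of IPFire's ovpnmain.cgi. The parameter names DCIPHER and DAUTH, the cipher and digest lists, and the fallback digest are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not IPFire code: build the 'cipher' and 'auth' lines for an
# OpenVPN .conf from form parameters, validating both against allowed lists.
use strict;
use warnings;

# Assumed cipher list, one copy meant to serve both the N2N and the RW path.
my @CIPHERS = qw(AES-256-GCM AES-192-GCM AES-128-GCM
                 AES-256-CBC AES-192-CBC AES-128-CBC
                 CAMELLIA-256-CBC CAMELLIA-192-CBC CAMELLIA-128-CBC);
# Assumed digest list and the default used when the form sends none.
my @HMACS        = qw(SHA512 SHA384 SHA256 SHA1);
my $DEFAULT_HMAC = 'SHA512';

# True for the AEAD ciphers, whose own tag replaces the HMAC on the data channel.
sub is_aead_cipher {
    my ($cipher) = @_;
    return ($cipher // '') =~ /-GCM\z/ ? 1 : 0;
}

# Returns the value if it is in the allowed list, undef otherwise.
sub pick_allowed {
    my ($value, @allowed) = @_;
    return undef unless defined $value;
    return (grep { $_ eq $value } @allowed) ? $value : undef;
}

# Builds the two config lines from the submitted parameters (assumed names
# DCIPHER and DAUTH). Dies on a cipher or digest outside the allowed lists.
sub ovpn_crypto_lines {
    my (%p) = @_;

    my $cipher = pick_allowed($p{DCIPHER}, @CIPHERS)
        or die "DCIPHER not in allowed list\n";

    # A <select> disabled by page JavaScript is not submitted, so DAUTH may be
    # missing when a GCM cipher was chosen. Fall back to a default rather than
    # writing an empty 'auth' line, because --tls-auth still uses this digest.
    my $auth = (defined $p{DAUTH} && length $p{DAUTH}) ? $p{DAUTH} : $DEFAULT_HMAC;
    $auth = pick_allowed($auth, @HMACS)
        or die "DAUTH not in allowed list\n";

    # The 'auth' line is always written: for an AEAD cipher OpenVPN ignores it
    # on the data channel but still uses it for --tls-auth.
    my @lines = ("cipher $cipher", "auth $auth");
    return @lines;
}

# Stand-alone demo: GCM with the HMAC parameter absent, then CBC with one given.
if (!caller) {
    print "$_\n" for ovpn_crypto_lines(DCIPHER => 'AES-256-GCM');
    print "---\n";
    print "$_\n" for ovpn_crypto_lines(DCIPHER => 'AES-256-CBC', DAUTH => 'SHA256');
    print "aead: ", is_aead_cipher('AES-128-GCM'), "\n";
}
```

The point of keeping validation on the server is that the JavaScript in the patch only hides the HMAC menu; it cannot stop a client from posting any combination of values, and it silently removes the parameter when it does fire, so the CGI has to cope with both a missing and an unexpected digest.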