Re: [PATCH v2] OpenVPN: Introduce new AES-GCM cipher for N2N and RW

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] OpenVPN: Introduce new AES-GCM cipher for N2N and RW
Date: Wed, 14 Feb 2018 20:20:50 +0000	[thread overview]
Message-ID: <1518639650.15001.10.camel@ipfire.org> (raw)
In-Reply-To: <1518619253-22278-1-git-send-email-erik.kapfer@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 5932 bytes --]

Hi,

this patch is actually quite big and introduces a new feature by adding AES-GCM. 
It would have been better to get the necessary stuff done first.

On Wed, 2018-02-14 at 15:40 +0100, Erik Kapfer wrote:
> AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior
> section.
> 
> Cipher menu description has been changed for N2N and RW since AES-GCM uses own
> authentication encryption (GMAC).
>     More information can be found in here https://tools.ietf.org/html/rfc5288
> .
> Added java script snipped to disable HMAC selection for N2N if AES-GCM has
> been selected.
>     'auth *' line in N2N.conf won´t be deleted even if AES-GCM is used so
> possible individual '--tls-auth' configurations won´t broke.
>     'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no
> '--tls-auth' are configured.
> Left HMAC selection menu for Roadwarriors as it was since the WUI do provides
> '--tls-auth' which uses the configuered HMAC even AES-GCM has been applied.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 32 ++++++++++++++++++++++++++++++--
>  1 file changed, 30 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..0a18ec7 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>      }
>      $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =
> 'checked=\'checked\'';
>  
> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
> @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  	</tr>
>  
>  	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
> -		<td><select name='DCIPHER'>
> +		<td><select name='DCIPHER'  id="n2ncipher" required>
> +				<option value='AES-256-GCM'		$s
> elected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'}) with
> SHA384</option>
> +				<option value='AES-192-GCM'		$s
> elected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'}) with
> SHA256</option>
> +				<option value='AES-128-GCM'		$s
> elected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'}) with
> SHA256</option>

This has nothing to do with SHA* and SHA is not being used at all. The message
authentication is in GCM and only AES is being use as a cipher in counter mode.

So it would only be AES-GCM (X bit).

Also "with" was not translated.

>  				<option value='CAMELLIA-256-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-192-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-128-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>
> @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  		</td>
>  
>  		<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
> -		<td><select name='DAUTH'>
> +		<td><select name='DAUTH' id="n2nhmac">
>  				<option value='whirlpool'		$sel
> ected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
>  				<option value='SHA512'			
> $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
>  				<option value='SHA384'			
> $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
> @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  END
>  ;
>  	}
> +
> +#### JAVA SCRIPT ####
> +# Validate N2N cipher. If GCM is used, disable HMAC menu
> +print<<END;
> +	<script>
> +		var disable_options = false;
> +		document.getElementById('n2ncipher').onchange = function () {
> +			if((this.value == "AES-256-GCM"||this.value == "AES-
> 192-GCM"||this.value == "AES-128-GCM")) {
> +				document.getElementById('n2nhmac').setAttribu
> te('disabled', true);
> +			} else {
> +				document.getElementById('n2nhmac').removeAttr
> ibute('disabled');
> +			}
> +		}
> +	</script>
> +END
> +
>  #jumper
>  	print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
>  	print "<td colspan='3'><input type='text' name='REMARK'
> value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
> @@ -5108,6 +5130,9 @@ END
>      $selected{'DPROTOCOL'}{'tcp'} = '';
>      $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
>  
> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
> @@ -5204,6 +5229,9 @@ END
>  
>  		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
>  		<td><select name='DCIPHER'>
> +				<option value='AES-256-GCM'
> $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'}) with
> SHA384</option>
> +				<option value='AES-192-GCM'
> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'}) with
> SHA256</option>
> +				<option value='AES-128-GCM'
> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'}) with
> SHA256</option>

Same as above.

>  				<option value='CAMELLIA-256-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-192-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-128-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>

-Michael

next prev parent reply	other threads:[~2018-02-14 20:20 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-14 12:45 [PATCH] " Erik Kapfer
2018-02-14 14:28 ` ummeegge
2018-02-14 14:40 ` [PATCH v2] " Erik Kapfer
2018-02-14 19:11   ` ummeegge
2018-02-14 20:23     ` Michael Tremer
2018-02-15  6:09       ` ummeegge
2018-02-15 10:59         ` Michael Tremer
2018-02-15 13:30           ` ummeegge
2018-02-14 20:20   ` Michael Tremer [this message]
2018-02-15  5:02     ` ummeegge
2018-02-15 10:42       ` Michael Tremer
2018-02-15 13:35         ` ummeegge
2018-02-25 13:49 ` [PATCH v3] OpenVPN: New " Erik Kapfer
2018-02-25 17:06   ` Michael Tremer
2018-02-26  6:48     ` ummeegge
2018-02-26 10:24       ` Michael Tremer
2018-02-27  6:23         ` ummeegge

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1518639650.15001.10.camel@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox