From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH v2] OpenVPN: Introduce new AES-GCM cipher for N2N and RW Date: Wed, 14 Feb 2018 20:20:50 +0000 Message-ID: <1518639650.15001.10.camel@ipfire.org> In-Reply-To: <1518619253-22278-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8027893970343686070==" List-Id: --===============8027893970343686070== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, this patch is actually quite big and introduces a new feature by adding AES-G= CM.=20 It would have been better to get the necessary stuff done first. On Wed, 2018-02-14 at 15:40 +0100, Erik Kapfer wrote: > AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior > section. >=20 > Cipher menu description has been changed for N2N and RW since AES-GCM uses = own > authentication encryption (GMAC). > More information can be found in here https://tools.ietf.org/html/rfc52= 88 > . > Added java script snipped to disable HMAC selection for N2N if AES-GCM has > been selected. > 'auth *' line in N2N.conf won=C2=B4t be deleted even if AES-GCM is used= so > possible individual '--tls-auth' configurations won=C2=B4t broke. > 'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no > '--tls-auth' are configured. > Left HMAC selection menu for Roadwarriors as it was since the WUI do provid= es > '--tls-auth' which uses the configuered HMAC even AES-GCM has been applied. >=20 > Signed-off-by: Erik Kapfer > --- > html/cgi-bin/ovpnmain.cgi | 32 ++++++++++++++++++++++++++++++-- > 1 file changed, 30 insertions(+), 2 deletions(-) >=20 > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 9f5e682..0a18ec7 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { > } > $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D > 'checked=3D\'checked\''; > =20 > + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; > + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; > + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; > @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') { > > =20 > $Lang::tr{'cipher'} > - > + > + > + This has nothing to do with SHA* and SHA is not being used at all. The message authentication is in GCM and only AES is being use as a cipher in counter mod= e. So it would only be AES-GCM (X bit). Also "with" was not translated. > > > > @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { > > =20 > $Lang::tr{'ovpn ha'}: > - > > > > @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { > END > ; > } > + > +#### JAVA SCRIPT #### > +# Validate N2N cipher. If GCM is used, disable HMAC menu > +print< + > +END > + > #jumper > print "$Lang::tr{'remark title'}"; > print " value=3D'$cgiparams{'REMARK'}' size=3D'55' maxlength=3D'50' />"; > @@ -5108,6 +5130,9 @@ END > $selected{'DPROTOCOL'}{'tcp'} =3D ''; > $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED'; > =20 > + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; > + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; > + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; > $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; > @@ -5204,6 +5229,9 @@ END > =20 > $Lang::tr{'cipher'} >