From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW
Date: Sun, 25 Feb 2018 14:49:49 +0100 [thread overview]
Message-ID: <1519566589-18901-1-git-send-email-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 8772 bytes --]
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 84 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 69 insertions(+), 15 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c52e8ba..ff3d055 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -970,12 +970,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
print SERVERCONF "# Cipher\n";
print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- if ($cgiparams{'DAUTH'} eq '') {
- print SERVERCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ print SERVERCONF unless "# HMAC algorithm\n";
+ print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
- print SERVERCONF "# HMAC algorithm\n";
- print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
+ print SERVERCONF "# HMAC algorithm\n";
+ print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
}
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print SERVERCONF "# Enable Compression\n";
print SERVERCONF "comp-lzo\n";
@@ -1076,12 +1082,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- if ($cgiparams{'DAUTH'} eq '') {
- print CLIENTCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ print CLIENTCONF unless "# HMAC algorithm\n";
+ print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
+ print CLIENTCONF "# HMAC algorithm\n";
+ print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
}
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\n";
@@ -2198,13 +2210,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
}
- if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ print CLIENTCONF unless "# HMAC algorithm\n";
+ print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
} else {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
+ print CLIENTCONF "# HMAC algorithm\n";
+ print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
}
+
if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\n";
@@ -4544,6 +4561,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
$checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4629,6 +4649,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
} else {
print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
}
+
+ # If GCM ciphers are in usage, HMAC menu is disabled
+ my $hmacdisabled;
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ $hmacdisabled = "disabled='disabled'";
+ };
+
print <<END;
<td width='25%'> </td>
<td width='25%'> </td></tr>
@@ -4707,7 +4736,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
</tr>
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
- <td><select name='DCIPHER'>
+ <td><select name='DCIPHER' id="n2ncipher" required>
+ <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+ <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+ <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
@@ -4724,7 +4756,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
</td>
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
- <td><select name='DAUTH'>
+ <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
<option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
@@ -4738,6 +4770,22 @@ if ($cgiparams{'TYPE'} eq 'net') {
END
;
}
+
+#### JAVA SCRIPT ####
+# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
+print<<END;
+ <script>
+ var disable_options = false;
+ document.getElementById('n2ncipher').onchange = function () {
+ if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+ document.getElementById('n2nhmac').setAttribute('disabled', true);
+ } else {
+ document.getElementById('n2nhmac').removeAttribute('disabled');
+ }
+ }
+ </script>
+END
+
#jumper
print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
@@ -5109,6 +5157,9 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5205,6 +5256,9 @@ END
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
<td><select name='DCIPHER'>
+ <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+ <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+ <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
--
2.7.4
next prev parent reply other threads:[~2018-02-25 13:49 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 12:45 [PATCH] OpenVPN: Introduce new " Erik Kapfer
2018-02-14 14:28 ` ummeegge
2018-02-14 14:40 ` [PATCH v2] " Erik Kapfer
2018-02-14 19:11 ` ummeegge
2018-02-14 20:23 ` Michael Tremer
2018-02-15 6:09 ` ummeegge
2018-02-15 10:59 ` Michael Tremer
2018-02-15 13:30 ` ummeegge
2018-02-14 20:20 ` Michael Tremer
2018-02-15 5:02 ` ummeegge
2018-02-15 10:42 ` Michael Tremer
2018-02-15 13:35 ` ummeegge
2018-02-25 13:49 ` Erik Kapfer [this message]
2018-02-25 17:06 ` [PATCH v3] OpenVPN: New " Michael Tremer
2018-02-26 6:48 ` ummeegge
2018-02-26 10:24 ` Michael Tremer
2018-02-27 6:23 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1519566589-18901-1-git-send-email-erik.kapfer@ipfire.org \
--to=erik.kapfer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox