From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH v2] OpenVPN: x509 and DH-parameter check with Warnings and error messages in WUI Date: Wed, 27 Jun 2018 09:34:21 +0200 Message-ID: <1530084861-21062-1-git-send-email-erik.kapfer@ipfire.org> In-Reply-To: <1529574397-30471-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5076483307586208455==" List-Id: --===============5076483307586208455== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Changes includes: Own crypto warning and error message in WUI (can be extended to configuration= too). Check if DH-parameter is < 2048 bit with an error message and howto fix it. Check if md5 is still in use with an error message and suggestion how to proc= eed further to fix it. Check for soon needed RFC3280 TLS rules compliants and suggestion how to proc= eed further to fix it. Disabled 1024 bit DH-parameter upload. Changed de and en language files for DH-parameter upload (deleted 1024 bit). Added explanations to de and en language files for the above changes. Fixed Typo in en language file. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 61 +++++++++++++++++++++++++++++++++++++++++++++= -- langs/de/cgi-bin/de.pl | 9 +++++-- langs/en/cgi-bin/en.pl | 11 ++++++--- 3 files changed, 74 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..d16c753 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=3D(); my %selected=3D(); my $warnmessage =3D ''; my $errormessage =3D ''; +my $cryptoerror =3D ''; +my $cryptowarning =3D ''; my %settings=3D(); my $routes_push_file =3D ''; my $confighost=3D"${General::swroot}/fwhosts/customhosts"; 
@@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} =3D ''; $cgiparams{'DAUTH'} =3D ''; $cgiparams{'TLSAUTH'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; =20 # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -199,6 +203,45 @@ sub deletebackupcert } } =20 +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter =3D `/usr/bin/openssl dhparam -text -in ${General::swroot}= /ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit =3D ($dhparameter =3D~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror =3D "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature =3D `/usr/bin/openssl x509 -noout -text -in ${General::swroo= t}/ovpn/certs/servercert.pem`; + if ($signature =3D~ /md5WithRSAEncryption/) { + $cryptoerror =3D "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage =3D `/usr/bin/openssl x509 -noout -text -in ${General::= swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning =3D "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings =3D (); =20 my @temp =3D (); =20 @@ -1069,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'= NAME'}"){mkdir "${General close(CLIENTCONF); =20 } - =20 + ### ### Save main settings ### 
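Review bot: The new call `&pkiconfigcheck;` uses the ampersand form without parentheses, which hands the caller's current `@_` to the sub and bypasses any prototype; the plain call `pkiconfigcheck();` is what is intended here. The comment above it also has a typo, `# Perform crypto and configration test` should read `# Perform crypto and configuration test`. Since this runs unconditionally near the top of the script, every request to ovpnmain.cgi now spawns the openssl subprocesses inside pkiconfigcheck; if that is not wanted for POST actions, consider gating the call on the actions that render the settings page (I cannot see the surrounding dispatch from this hunk).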
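Review bot: The DH check in pkiconfigcheck compares `$1` after `my @dhbit = ($dhparameter =~ /(\d+)/);`, but if that match fails (openssl error, empty or unreadable file) `$1` is undef or stale from an earlier match, and `undef < 2048` is true, so a spurious "ovpn error dh" is shown; it also assumes the first integer in the output is the bit length rather than matching `DH Parameters: \((\d+) bit\)` as the upload code already does. `$cgiparams{'DH_NAME'}` is interpolated into a backtick command, which is a shell-injection vector unless that parameter is validated before this call (the `-f` test limits it to names that exist on disk but does not remove the problem); a list-form `open(..., '-|', ...)` avoids the shell entirely. The two `openssl x509 -noout -text` invocations on servercert.pem return the same text and can be run once, which also removes the need for the `goto CRYPTO_ERROR`/`CRYPTO_WARNING` labels, since each check sets a distinct variable. Behaviour is kept: the DH error still takes precedence over the MD5 error, and the RFC 3280 warning is evaluated independently.
```perl
sub pkiconfigcheck
{
	my $dhfile = "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
	if (-f $dhfile) {
		# list-form open: no shell involved, so DH_NAME cannot inject commands
		open(my $dh, '-|', '/usr/bin/openssl', 'dhparam', '-text', '-in', $dhfile);
		my $dhparameter = do { local $/; <$dh> };
		close($dh);
		# only compare when the bit length was actually parsed
		if ($dhparameter =~ /DH Parameters: \((\d+) bit\)/ && $1 < 2048) {
			$cryptoerror = $Lang::tr{'ovpn error dh'};
		}
	}

	my $certfile = "${General::swroot}/ovpn/certs/servercert.pem";
	if (-f $certfile) {
		# one openssl run serves both the MD5 and the extendedKeyUsage check
		open(my $x509, '-|', '/usr/bin/openssl', 'x509', '-noout', '-text', '-in', $certfile);
		my $certtext = do { local $/; <$x509> };
		close($x509);
		# DH error keeps precedence over the MD5 error, as in the goto version
		if (!$cryptoerror && $certtext =~ /md5WithRSAEncryption/) {
			$cryptoerror = $Lang::tr{'ovpn error md5'};
		}
		if ($certtext !~ /TLS Web Server Authentication/) {
			$cryptowarning = $Lang::tr{'ovpn warning rfc3280'};
		}
	}
}
```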
@@ -1336,7 +1379,7 @@ END goto UPLOADCA_ERROR; } my $temp =3D `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { $errormessage =3D $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -5135,6 +5178,20 @@ END &Header::closebox(); } =20 + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "$cryptoerror"; + print " "; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "$cryptowarning"; + print " "; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage
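Review bot: The upload check now hard-codes the accepted sizes as the alternation `(2048|3072|4096)`, so a valid PKCS#3 file with a larger parameter (for example 8192 bit, which `openssl dhparam` can produce) is rejected as "not a valid dh key", while the new pkiconfigcheck in the same patch accepts anything `>= 2048`. Capturing the length and comparing numerically keeps both checks in agreement and future-proof: `if ($temp !~ /DH Parameters: \((\d+) bit\)/ || $1 < 2048) {`. If the minimum is meant to change again later, putting `2048` in one file-level lexical used by both places would avoid the two drifting apart. The enclosing upload handler starts before this hunk.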
"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..1fee282 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' =3D> 'Credits', 'crl' =3D> 'Certificate Revocation List', 'cron server' =3D> 'Cron-Server', +'crypto error' =3D> 'Kryptografiefehler', +'crypto warning' =3D> 'Kryptografiewarnungen', 'current' =3D> 'Aktuell', 'current aliases' =3D> 'Aktuelle Alias-Adresse', 'current class' =3D> 'Aktuelle Klasse', @@ -730,7 +732,7 @@ 'devices on blue' =3D> 'Ger=C3=A4te auf BLAU', 'dh' =3D> 'Diffie-Hellman-Parameter', 'dh key move failed' =3D> 'Verschieben der Diffie-Hellman-Parameter fehlgesc= hlagen.', -'dh key warn' =3D> 'Das Generieren der DH-Parameter mit 1024 oder 2048 Bit d= auert =C3=BCblicherweise mehrere Minuten. Schl=C3=BCssell=C3=A4ngen von 3072 = oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', +'dh key warn' =3D> 'Das Generieren eines DH-Parameter mit 2048 Bit dauert = =C3=BCblicherweise mehrere Minuten. Schl=C3=BCssell=C3=A4ngen von 3072 oder 4= 096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', 'dh key warn1' =3D> 'Bei schwachen Systemen oder Systeme mit wenig Entropie = wird empfohlen lange Diffie-Hellman-Parameter =C3=BCber die Upload-Funktion h= ochzuladen.', 'dh parameter' =3D> 'Diffie-Hellman-Parameter', 'dhcp advopt add' =3D> 'DHCP Option hinzuf=C3=BCgen', 
@@ -1708,7 +1710,7 @@ 'nonetworkname' =3D> 'Kein Netzwerkname wurde eingegeben', 'noservicename' =3D> 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' =3D> 'Kein g=C3=BCltiges CA Zertifikat.', -'not a valid dh key' =3D> 'Kein g=C3=BCltiger Diffie-Hellman-Parameter. Es s= ind nur Parameter mit einer L=C3=A4nge von 1024, 2048, 3072 oder 4096 Bit im = PKCS#3-Format erlaubt.', +'not a valid dh key' =3D> 'Kein g=C3=BCltiger Diffie-Hellman-Parameter. Es s= ind nur Parameter mit einer L=C3=A4nge von 2048, 3072 oder 4096 Bit im PKCS#3= -Format erlaubt.', 'not enough disk space' =3D> 'Nicht gen=C3=BCgend Plattenplatz vorhanden', 'not present' =3D> 'Nicht vorhanden', 'not running' =3D> 'nicht gestartet', @@ -1817,6 +1819,8 @@ 'ovpn engines' =3D> 'Krypto Engine', 'ovpn errmsg green already pushed' =3D> 'Route f=C3=BCr gr=C3=BCnes Netzwerk= wird immer gesetzt', 'ovpn errmsg invalid ip or mask' =3D> 'Ung=C3=BCltige Netzwerk-Adresse oder = Subnetzmaske', +'ovpn error dh' =3D> 'Der Diffie-Hellman Parameter muss mindestens 2048 bit = lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochl= aden, dies kann unten =C3=BCber den Bereich "Diffie-Hellman-Parameter Optione= n" gemacht werden.
', +'ovpn error md5' =3D> 'Das Host Zertifikat nutzt einen MD5 Algorithmus welch= er nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updat= en und generieren sie ein neues Root und Host Zertifikate.

Es m=C3=BC= ssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' =3D> 'Die Erzeugung der Roo= t- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' =3D> 'Hash-Algorithmus', 'ovpn hmac' =3D> 'HMAC-Optionen', @@ -1840,6 +1844,7 @@ 'ovpn server status' =3D> 'OpenVPN-Server-Status', 'ovpn subnet' =3D> 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.', +'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
', 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..3ec5af5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' =3D> 'Credits', 'crl' =3D> 'Certificate Revocation List', 'cron server' =3D> 'CRON Server', +'crypto error' =3D> 'Cryptographic error', +'crypto warning' =3D> 'Cryptographic warning', 'current' =3D> 'Current', 'current aliases' =3D> 'Current aliases', 'current class' =3D> 'Current class', @@ -752,7 +754,7 @@ 'devices on blue' =3D> 'Devices on BLUE', 'dh' =3D> 'Diffie-Hellman parameters', 'dh key move failed' =3D> 'Diffie-Hellman parameters move failed.', -'dh key warn' =3D> 'Creating DH-parameters with lengths of 1024 or 2048 bits= takes up to several minutes. Lengths of 3072 or 4096 bits might needs severa= l hours. Please be patient.', +'dh key warn' =3D> 'Creating DH-parameters with a length of 2048 bits takes = up to several minutes. Lengths of 3072 or 4096 bits might needs several hours= . Please be patient.', 'dh key warn1' =3D> 'For weak systems or systems with little entropy, it is = recommended to upload long Diffie-Hellman parameters by usage of the upload f= unction.', 'dh name is invalid' =3D> 'Name is invalid, please use "dh1024.pem".', 'dh parameter' =3D> 'Diffie-Hellman parameters', 
@@ -1740,7 +1742,7 @@ 'nonetworkname' =3D> 'No Network Name entered', 'noservicename' =3D> 'No Service Name entered', 'not a valid ca certificate' =3D> 'Not a valid CA certificate.', -'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', +'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' =3D> 'Not enough disk space', 'not present' =3D> 'Not present', 'not running' =3D> 'not running', @@ -1850,7 +1852,9 @@ 'ovpn engines' =3D> 'Crypto engine', 'ovpn errmsg green already pushed' =3D> 'Route for green network is always s= et', 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ', -'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certifictae can take a long time.', +'ovpn error dh' =3D> 'The Diffie-Hellman parameter needs to be in minimum 20= 48 bit!
Please generate or upload a new Diffie-Hellman parameter, this ca= n be made below in the section "Diffie-Hellman parameters options".
', +'ovpn error md5' =3D> 'You host certificate uses MD5 for the signature which= is not accepted anymore.
Please update to the latest IPFire version and = generate a new root and host certificate.

All OpenVPN clients needs t= hen to be renewed!
', +'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certificate can take a long time.', 'ovpn ha' =3D> 'Hash algorithm', 'ovpn hmac' =3D> 'HMAC options', 'ovpn log' =3D> 'OVPN-Log', @@ -1874,6 +1878,7 @@ 'ovpn subnet' =3D> 'OpenVPN subnet:', 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_mssfix' =3D> 'MSSFIX Size', 'ovpn_mtudisc' =3D> 'MTU-Discovery', --=20 2.7.4 --===============5076483307586208455==--