From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/3] OpenVPN: Introduce advanced encryption section
Date: Thu, 03 Dec 2020 12:08:05 +0000 [thread overview]
Message-ID: <20201203120807.20694-1-erik.kapfer@ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 31864 bytes --]
- The whole crypto section has been outsorted from the global section to
an extra page.
- Since --cipher is deprecated and will be handled via
--data-cipher-fallback, the VAR name and the index has been kept but
renamed from --cipher to --data-cipher-fallback. Old default AES-256-CBC
has also been kept.
- The new directive --data-ciphers has been introduced for RWs which negotiates
now between the GCM family and the new CHACHA20-POLY1305. All ciphers
can be combined.
- The new directive --data-ciphers substitutes --ncp-disable, there
--ncp-disable has been removed which fixes the deprecation warning in
the updated OpenVPN-2.5.0.
- While client generation the client version can be set which enables, if
client is >=2.5.0 a full cipher negotiation. Existing clients can also
subsequently be enhanced via edit.
- The new ciphers and HMACs as been completely integrated into N2N
environment without further modification.
Code for update process via update.sh needs to be integrated:
/usr/local/bin/openvpnctrl -k > /dev/null
if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then
sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
fi
/usr/local/bin/openvpnctrl -s > /dev/null
Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 330 ++++++++++++++++++++++++++++----------
langs/de/cgi-bin/de.pl | 11 +-
langs/en/cgi-bin/en.pl | 11 +-
3 files changed, 269 insertions(+), 83 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 68a70d147..fc4c6193a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
my $col="";
my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$cgiparams{'ENABLED'} = 'off';
@@ -98,6 +99,7 @@ $cgiparams{'number'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
# Perform crypto and configration test
&pkiconfigcheck;
@@ -325,8 +327,16 @@ sub writeserverconf {
}
print CONF "status-version 1\n";
print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
- print CONF "cipher $sovpnsettings{DCIPHER}\n";
+ print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
+
+ # Data channel encryption
+ # Set seperator for data ciphers
+ @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ # Add also algorithm from --cipher directive
+ if ($sovpnsettings{'DATACIPHERS'} ne '') {
+ print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+ }
+
print CONF "auth $sovpnsettings{'DAUTH'}\n";
# Set TLSv2 as minimum
print CONF "tls-version-min 1.2\n";
@@ -911,6 +921,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
&writeserverconf();#hier ok
}
+###
+### Save Advanced encryption
+###
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+ &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+
+ $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
+ $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+
+ # --data-ciphers needs at least one cipher
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+ goto ADV_ENC_ERROR;
+ }
+
+ &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ &writeserverconf();
+}
+
+### End Save advanced encryption
+
###
# m.a.d net2net
###
@@ -982,10 +1014,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "# Cipher\n";
print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- # If GCM cipher is used, do not use --auth
+ # If AEAD cipher is used, do not use --auth
if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
- ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
print SERVERCONF unless "# HMAC algorithm\n";
print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
@@ -1087,10 +1120,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- # If GCM cipher is used, do not use --auth
+ # If AEAD cipher is used, do not use --auth
if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
- ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
print CLIENTCONF unless "# HMAC algorithm\n";
print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
@@ -1214,7 +1248,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
- $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
@@ -2344,7 +2377,15 @@ else
$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
}
- print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+ # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0
+ if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+ @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+ } else {
+ print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+ }
+
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2859,7 +2900,169 @@ END
&Header::closebigbox();
&Header::closepage();
exit(0);
-
+
+###
+### Advanced encryption settings
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) {
+ %cgiparams = ();
+ %confighash = ();
+ my @temp=();
+ my $disabled;
+ &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
+
+ my $key = $cgiparams{'KEY'};
+ if (! $key) {
+ $key = &General::findhasharraykey (\%confighash);
+ foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+ }
+ $confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+ # Set default for data-cipher-fallback (the old --cipher directive)
+ if ($cgiparams{'DCIPHER'} eq '') {
+ $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40]
+ }
+ $checked{'DCIPHER'}{'AES-256-CBC'} = '';
+ $checked{'DCIPHER'}{'AES-192-CBC'} = '';
+ $checked{'DCIPHER'}{'AES-128-CBC'} = '';
+ $checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+ $checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+ $checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+ $checked{'DCIPHER'}{'SEED-CBC'} = '';
+ $checked{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+ $checked{'DCIPHER'}{'DESX-CBC'} = '';
+ $checked{'DCIPHER'}{'DES-EDE-CBC'} = '';
+ $checked{'DCIPHER'}{'BF-CBC'} = '';
+ $checked{'DCIPHER'}{'CAST5-CBC'} = '';
+ @temp = split('\|', $cgiparams{'DCIPHER'});
+ foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; }
+
+ # Set default data channel ciphers
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+ }
+ $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+ $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+ @temp = split('\|', $cgiparams{'DATACIPHERS'});
+ foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+ # Save settings and display default if not configured
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+ $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+ } else {
+ $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+ $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+ }
+
+ADV_ENC_ERROR:
+
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+ if ($warnmessage) {
+ &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+ print "<class name='base'>$warnmessage";
+ print " </class>";
+ &Header::closebox();
+ }
+ print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+ &Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:");
+ print<<END
+
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+ <table width='100%'>
+ <thead>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn data channel'}</th>
+ <th>$Lang::tr{'ovpn data channel fallback'}</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+ <td class='boldbase'>
+ <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+ <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+ <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+ </select>
+ </td>
+
+ <td class='boldbase'>
+ <select name='DCIPHER' size='6' style='width: 100%'>
+ <option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+ <option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+ <option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+ <option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+ <option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+ <option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+ <option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+ <option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+ </select>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ <hr>
+END
+;
+ if ( -e "/var/run/openvpn.pid") {
+ print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>";
+ print<<END;
+ <table width='100%'>
+ <tr>
+ <td> </td>
+ <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td>
+ <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+ <td> </td>
+ </tr>
+ </table>
+ </form>
+END
+;
+
+ } else {
+ print<<END;
+ <table width='100%'>
+ <tr>
+ <td> </td>
+ <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td>
+ <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+ <td> </td>
+ </tr>
+ </table>
+ </form>
+END
+;
+
+ }
+
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+
+### END advanced encryption
# A.Marx CCD Add,delete or edit CCD net
@@ -3595,6 +3798,8 @@ if ($confighash{$cgiparams{'KEY'}}) {
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
$cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
+ # Index from [39] to [44] has been reserved by advanced encryption
+ $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
@@ -4338,6 +4543,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
$confighash{$key}[41] = "no-pass";
}
+ # Index from [39] to [44] has been reserved by advanced encryption
+ $confighash{$key}[45] = $cgiparams{'CLIENTVERSION'};
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
@@ -4508,28 +4715,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = '';
- $selected{'DCIPHER'}{'AES-192-GCM'} = '';
- $selected{'DCIPHER'}{'AES-128-GCM'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
- $selected{'DCIPHER'}{'AES-256-CBC'} = '';
- $selected{'DCIPHER'}{'AES-192-CBC'} = '';
- $selected{'DCIPHER'}{'AES-128-CBC'} = '';
- $selected{'DCIPHER'}{'DESX-CBC'} = '';
- $selected{'DCIPHER'}{'SEED-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
- $selected{'DCIPHER'}{'CAST5-CBC'} = '';
- $selected{'DCIPHER'}{'BF-CBC'} = '';
- $selected{'DCIPHER'}{'DES-CBC'} = '';
- # If no cipher has been chossen yet, select
- # the old default (AES-256-CBC) for compatiblity reasons.
- if ($cgiparams{'DCIPHER'} eq '') {
- $cgiparams{'DCIPHER'} = 'AES-256-CBC';
- }
- $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
$selected{'DAUTH'}{'whirlpool'} = '';
$selected{'DAUTH'}{'SHA512'} = '';
$selected{'DAUTH'}{'SHA384'} = '';
@@ -4595,11 +4780,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
}
- # If GCM ciphers are in usage, HMAC menu is disabled
+ # If AEAD ciphers are in usage, HMAC menu is disabled
my $hmacdisabled;
if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
- ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
$hmacdisabled = "disabled='disabled'";
};
@@ -4673,9 +4859,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
<td><select name='DCIPHER' id="n2ncipher" required>
- <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
- <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
- <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
+ <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
+ <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+ <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+ <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
@@ -4693,10 +4880,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
- <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+ <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+ <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+ <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+ <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+ <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+ <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
<option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
@@ -4713,7 +4905,7 @@ print<<END;
<script>
var disable_options = false;
document.getElementById('n2ncipher').onchange = function () {
- if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+ if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
document.getElementById('n2nhmac').setAttribute('disabled', true);
} else {
document.getElementById('n2nhmac').removeAttribute('disabled');
@@ -4749,6 +4941,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
print"</td></tr></table><br><br>";
my $name=$cgiparams{'CHECK1'};
$checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
+ $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
if (! -z "${General::swroot}/ovpn/ccd.conf"){
print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
@@ -4884,7 +5077,13 @@ if ($cgiparams{'TYPE'} eq 'host') {
print <<END;
<table border='0' width='100%'>
- <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+
+ <tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+ <tr>
+ <td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td>
+ <td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} />
+ <font color='red'> $Lang::tr{'ovpn client version 25 warning'}</font></td>
+ </tr>
<tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
<tr><td colspan='4'> </td></tr>
<tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5061,9 +5260,6 @@ END
}
#default setzen
- if ($cgiparams{'DCIPHER'} eq '') {
- $cgiparams{'DCIPHER'} = 'AES-256-CBC';
- }
if ($cgiparams{'DDEST_PORT'} eq '') {
$cgiparams{'DDEST_PORT'} = '1194';
}
@@ -5105,24 +5301,6 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = '';
- $selected{'DCIPHER'}{'AES-192-GCM'} = '';
- $selected{'DCIPHER'}{'AES-128-GCM'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
- $selected{'DCIPHER'}{'AES-256-CBC'} = '';
- $selected{'DCIPHER'}{'AES-192-CBC'} = '';
- $selected{'DCIPHER'}{'AES-128-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
- $selected{'DCIPHER'}{'DESX-CBC'} = '';
- $selected{'DCIPHER'}{'SEED-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
- $selected{'DCIPHER'}{'CAST5-CBC'} = '';
- $selected{'DCIPHER'}{'BF-CBC'} = '';
- $selected{'DCIPHER'}{'DES-CBC'} = '';
- $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
$selected{'DAUTH'}{'whirlpool'} = '';
$selected{'DAUTH'}{'SHA512'} = '';
$selected{'DAUTH'}{'SHA384'} = '';
@@ -5138,6 +5316,13 @@ END
$checked{'DCOMPLZO'}{'on'} = '';
$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
+ if ($cgiparams{'CLIENTVERSION'} = '' ) {
+ $cgiparams{'CLIENTVERSION'} = 'off';
+ }
+ $checked{'CLIENTVERSION'}{'off'} = '';
+ $checked{'CLIENTVERSION'}{'on'} = '';
+ $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
+
# m.a.d
$checked{'MSSFIX'}{'off'} = '';
$checked{'MSSFIX'}{'on'} = '';
@@ -5245,26 +5430,6 @@ END
<option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
-
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
- <td><select name='DCIPHER'>
- <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
- <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
- <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
- <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
- <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
- <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
- <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- </select>
- </td>
</tr>
<tr><td colspan='4'><br></td></tr>
@@ -5280,12 +5445,14 @@ END
if ( $srunning eq "yes" ) {
print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
- print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
} else{
print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
-e "${General::swroot}/ovpn/ca/dh1024.pem" &&
-e "${General::swroot}/ovpn/certs/servercert.pem" &&
@@ -5818,3 +5985,4 @@ END
&Header::closepage();
+
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2fb46e741..614f8a16c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1901,10 +1901,17 @@
'override mtu' => 'Überschreibe Standard-MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung',
+'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln',
+'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar',
'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
'ovpn config' => 'OVPN-Konfiguration',
'ovpn connection name' => 'Verbindungs-Name',
'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
+'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
'ovpn device' => 'OpenVPN-Gerät',
'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
@@ -1913,6 +1920,7 @@
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'ovpn engines' => 'Krypto Engine',
'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus',
'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2163,6 +2171,7 @@
'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
'save settings' => 'Einstellungen speichern',
'save-adv-options' => 'Erweiterte Optionen speichern',
+'save-enc-options' => 'Kryptografie Optionen speichern',
'script name' => 'Skriptname:',
'search' => 'Suchen',
'secondary dns' => 'Sekundärer DNS-Server:',
@@ -2853,7 +2862,7 @@
'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.',
'vpn wait' => 'WARTE',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
-'vpn weak' => 'schwach',
+'vpn weak' => 'Unsicher',
'vulnerability' => 'Verwundbarkeit',
'vulnerable' => 'Verwundbar',
'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b5284effa..714d7c81e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1933,10 +1933,17 @@
'override mtu' => 'Override default MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
'ovpn con stat' => 'OpenVPN Connection Statistics',
'ovpn config' => 'OVPN-Config',
'ovpn connection name' => 'Connection Name',
'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
+'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
'ovpn device' => 'OpenVPN device:',
'ovpn dh' => 'Diffie-Hellman parameters length',
'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1945,6 +1952,7 @@
'ovpn dl' => 'OVPN-Config Download',
'ovpn engines' => 'Crypto engine',
'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2196,6 +2204,7 @@
'save error' => 'Unable to save configuration archive file',
'save settings' => 'Save settings',
'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Save encryption options',
'script name' => 'Script name:',
'search' => 'Search',
'secondary dns' => 'Secondary DNS:',
@@ -2897,7 +2906,7 @@
'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.',
'vpn wait' => 'WAITING',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
-'vpn weak' => 'Weak',
+'vpn weak' => 'Insecure',
'vulnerability' => 'Vulnerability',
'vulnerable' => 'Vulnerable',
'waiting to synchronize clock' => 'Waiting to synchronize clock',
--
2.20.1
next reply other threads:[~2020-12-03 12:08 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-03 12:08 ummeegge [this message]
2020-12-03 12:08 ` [PATCH 2/3] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-03 12:08 ` [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection ummeegge
2020-12-08 17:28 ` [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-29 10:29 ` Michael Tremer
2020-12-10 16:59 ` [PATCH v2 1/7] " ummeegge
2020-12-10 16:59 ` [PATCH v2 2/7] OpenVPN: Substitute --cipher with --data-cipher-fallback ummeegge
2020-12-10 16:59 ` [PATCH v2 3/7] OpenVPN: Warning for broken algorithms ummeegge
2020-12-10 16:59 ` [PATCH v2 4/7] OpenVPN: New ciphers and HMACs for N2N ummeegge
2020-12-10 16:59 ` [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-10 16:59 ` [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section ummeegge
2020-12-10 16:59 ` [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section ummeegge
2020-12-14 13:03 ` ummeegge
2020-12-14 13:43 ` Michael Tremer
2020-12-14 15:12 ` ummeegge
2020-12-15 11:58 ` Michael Tremer
2020-12-14 13:44 ` Paul Simmons
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201203120807.20694-1-erik.kapfer@ipfire.org \
--to=erik.kapfer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox