[PATCH 2/3] OpenVPN: Control-Channel encryption settings

[ummeegge <erik.kapfer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 10747 bytes --]

- The --tls-ciphers for the control channel TLSv2 crypto can now be
combined for negotiation.
- The --tls-ciphersuite crypto does the same but with TLSv3 and can also be
combined for negotiation. There are no defaults for both, so this
features are deactivated unless the user decides to use them.
- The --tls-ciphersuite directive will only be printed into client.ovpn
if the client is >=2.5.0 ready.

Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl    |   3 ++
 langs/en/cgi-bin/en.pl    |   3 ++
 3 files changed, 115 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index fc4c6193a..f2b8b79da 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $cgiparams{'DATACIPHERS'} = '';
+$cgiparams{'CHANNELCIPHERS'} = '';
+$cgiparams{'NCHANNELCIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -337,6 +339,20 @@ sub writeserverconf {
 		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
 	}
 
+	# Control channel encryption TLSv2 needs own line cause directive differs
+	if ($sovpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n";
+	}
+
+	# Controll channel encryption >= TLSv3
+	if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv3 channel ciphers
+		@advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -937,6 +953,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		goto ADV_ENC_ERROR;
 	}
 
+	# If no value for --tls-cipher has been set, delete setting
+	if ($cgiparams{'CHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'CHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'};
+	}
+
+	# If no value for --tls-ciphersuites has been set, delete setting
+	if ($cgiparams{'NCHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'NCHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
+	}
+
 	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 	&writeserverconf();
 }
@@ -2380,12 +2410,30 @@ else
 
 	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0
 	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set seperator for --data-ciphers algorithms
 		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
 		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
 	} else {
 		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
 	}
 
+	# Set --tls-cipher TLSv2 if configured
+	if ($vpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n";
+	}
+
+	# Print new tls-ciphersuites TLSv3 only if client is >=2.5.0
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set --tls-ciphersuites TLSv3 if configured
+		if ($vpnsettings{'NCHANNELCIPHERS'} ne '') {
+			# Set seperator for TLSv3 channel ciphers
+			@advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+			print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n";
+		}
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2918,6 +2966,8 @@ END
 	}
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
+	$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
 
 ADV_ENC_ERROR:
 
@@ -2951,13 +3001,37 @@ ADV_ENC_ERROR:
 	@temp = split('\|', $cgiparams{'DATACIPHERS'});
 	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
 
+	# No default settings for --tls-cipher so OpenVPN makes his own choice
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	@temp = split('\|', $cgiparams{'CHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
+	# No default settings for --tls-ciphersuites so OpenVPN makes his own choice
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = '';
+	@temp = split('\|', $cgiparams{'NCHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
+		$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
 	}
 
 ADV_ENC_ERROR:
@@ -3021,8 +3095,43 @@ ADV_ENC_ERROR:
 					</select>
 				</td>
 			</tr>
+
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn control channel v3'}</th>
+				<th>$Lang::tr{'ovpn control channel v2'}</th>
+			</tr>
+
+			<tr>
+				</td>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td>
+				<td class='boldbase'>
+					<select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+			</tr>
 		</tbody>
 	</table>
+
+	<br><br>
+
 	<hr>
 END
 ;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 614f8a16c..cc7755018 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1908,6 +1908,9 @@
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung',
+'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
+'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
 'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
 'ovpn data channel' => 'Daten-Kanal',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 714d7c81e..3dcb8d46e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1940,6 +1940,9 @@
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Control-Channel encryption',
+'ovpn control channel v2' => 'Control-Channel TLSv2',
+'ovpn control channel v3' => 'Control-Channel TLSv3',
 'ovpn data encryption' => 'Data-Channel encryption',
 'ovpn data channel authentication' => 'Data and channel authentication',
 'ovpn data channel' => 'Data-Channel',
-- 
2.20.1