From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection
Date: Thu, 03 Dec 2020 12:08:07 +0000 [thread overview]
Message-ID: <20201203120807.20694-3-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org>
- The --auth directive has been enhanced with the Keccak (SHA3) family,
and BLAKE2 has also been integrated.
- The TLS authentication has been enhanced with --tls-crypt and with
--tls-crypt-v2, newly introduced in OpenVPN version 2.5.0.
- New keys will be shown and can partly be downloaded via the
"Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up of encryption
settings, which follows the IPSec WUI style.
Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 367 +++++++++++++++++++++++++++++---------
langs/de/cgi-bin/de.pl | 10 +-
langs/en/cgi-bin/en.pl | 12 +-
3 files changed, 298 insertions(+), 91 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f2b8b79da..455b0a8a4 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -357,9 +357,19 @@ sub writeserverconf {
# Set TLSv2 as minimum
print CONF "tls-version-min 1.2\n";
- if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
- }
+ # TLS control channel authentication
+ if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+ if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n";
+ }
+ }
+
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
}
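Review bot: the outer `ne 'off'` guard around the three `eq` tests is redundant and, more importantly, an unexpected TLSAUTH value (empty string, or anything other than the four known values) silently produces a server configuration with no control-channel protection at all. An `if`/`elsif`/`else` chain whose `else` branch reports the unknown value would make that failure visible instead of silent; this matters because the value is taken straight from the CGI parameter in the save-enc-options handler below.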
@@ -944,6 +954,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
+ $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
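Review bot: `$cgiparams{'TLSAUTH'}` and `$cgiparams{'DAUTH'}` are written to the settings file without being checked against the allowed values (the four TLSAUTH states and the DAUTH list this patch builds under ADV_ENC_ERROR). Since DAUTH ends up as the `--auth` argument per the commit message, validating both against the known lists before `writehash` and jumping to ADV_ENC_ERROR otherwise would keep a stray form value out of the generated server configuration.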
@@ -967,6 +979,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc.key for tls-crypt if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc-v2-server.key for tls-crypt-v2 server if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();
}
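Review bot: the error text in all three new blocks reads `openssl produced an error` although the command that failed is `openvpn --genkey`; the string was copied from the old ta.key block and should name the right tool so an admin reading the log looks in the right place. The three blocks differ only in the genkey mode and the file name, so a small map of TLSAUTH value => (genkey argument, key path) iterated once would remove the triplication. Note also that `--genkey --secret` is the pre-2.5 spelling while the other two use the 2.5 `--genkey <type> <file>` form; `--genkey secret` for ta.key would be consistent with the 2.5.0 requirement the commit message states.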
@@ -1257,17 +1302,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SETTINGS_ERROR;
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- goto SETTINGS_ERROR;
- }
- }
- }
-
$vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
$vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
@@ -1278,8 +1312,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
- $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
- $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
@@ -1708,14 +1740,36 @@ END
###
### Download tls-auth key
###
-}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
- print "Content-Type: application/octet-stream\r\n";
- print "Content-Disposition: filename=ta.key\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
- exit(0);
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=ta.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+ exit(0);
}
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=tc.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ exit(0);
+ }
+
+###
+### Download tls-crypt-v2 key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ exit(0);
+ }
+
###
### Form for generating a root certificate
###
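Review bot: the new `download tls-crypt-v2 key` action serves `tc-v2-server.key`, but that file is the server secret that wraps every tls-crypt-v2 client key; unlike ta.key and tc.key, which every client holds a copy of anyway, it never needs to leave the firewall, so I would drop this download action (the chart row added later in this patch has no download button for it either). Separately, all three branches read the file with `print \`/bin/cat ...\``; opening the file in Perl avoids the extra process and makes a read failure detectable, and `Content-Disposition: attachment; filename=...` is the form browsers expect.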
@@ -2443,6 +2497,29 @@ else
print CLIENTCONF "tls-auth ta.key\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
+
+ # Add tls-crypt to client ovpn
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt tc.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "Can't add file tc.key\n";
+ }
+
+ # Add client specific tls-crypt-v2 key to client.ovpn
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ # Generate individual tls-crypt-v2 client key
+ my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ # Add individual tls-crypt-v2 client key to client package
+ $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n";
+ }
+
if ($vpnsettings{DCOMPLZO} eq 'on') {
print CLIENTCONF "comp-lzo\r\n";
}
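Review bot: the `system('/usr/sbin/openvpn', '--tls-crypt-v2', ..., 'tls-crypt-v2-client', "$cryptfile")` call has no `$?` check, unlike the server-side genkey calls earlier in this patch, so if key generation fails the user only sees the generic `Can't add file` from `addFile`; check `$?` and set `$errormessage` here too. Worth a comment as well: every download of the client package mints a fresh client key (each wrapped by the server key and all remaining valid), so an old exported profile keeps working after a re-download; if the intent is one key per connection, the key must be persisted rather than regenerated into `$tempdir`. `$confighash{$cgiparams{'KEY'}}[1]` is repeated four times and would read better in a variable.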
@@ -2499,6 +2576,20 @@ else
print CLIENTCONF "</key>\r\n\r\n";
close(FILE);
+ # Create individual tls-crypt-v2 client key and print it to client.conf
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ open(FILE, "<$cryptfile");
+ print CLIENTCONF "<tls-crypt-v2>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-crypt-v2>\r\n\r\n";
+ close(FILE);
+ }
+
# TLS auth
if ($vpnsettings{'TLSAUTH'} eq 'on') {
open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
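Review bot: this block repeats the client key generation from the zip path above (same `system` call, again without a `$?` check), and `open(FILE, "<$cryptfile")` has no `or die`, so a failed genkey leaves an empty `<tls-crypt-v2>` section in the client config. Factor the generation into a helper sub that returns the key path or an error and call it from both the zip and the inline-config code.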
@@ -2680,7 +2771,7 @@ else
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}");
my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
$output = &Header::cleanhtml($output,"y");
print "<pre>$output</pre>\n";
@@ -2691,6 +2782,50 @@ else
exit(0);
}
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+ $errormessage = $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+ my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
+###
+### Display tls-crypt-v2 server key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ $errormessage = $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}");
+ my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
###
### Display Certificate Revoke List
###
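Review bot: the two new display handlers are copies of the tls-auth one with only the file name and title changed; a single `show_key($file, $title)` helper called from the three `elsif` branches would remove the duplication and keep the `cleanhtml` escaping in one place. For the tls-crypt-v2 server key, consider whether it should be displayed at all, since it is the secret that wraps the client keys and the admin never needs to copy it anywhere.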
@@ -2743,9 +2878,6 @@ ADV_ERROR:
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
$checked{'CLIENT2CLIENT'}{'off'} = '';
$checked{'CLIENT2CLIENT'}{'on'} = '';
$checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
@@ -2964,13 +3096,43 @@ END
$key = &General::findhasharraykey (\%confighash);
foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
}
+ $confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$key}[41] = $cgiparams{'TLSAUTH'};
$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
ADV_ENC_ERROR:
+ # Set default for hash message authentication code
+ if ($cgiparams{'DAUTH'} eq '') {
+ $cgiparams{'DAUTH'} = 'SHA512'; #[39];
+ }
+ $checked{'DAUTH'}{'BLAKE2b512'} = '';
+ $checked{'DAUTH'}{'BLAKE2s256'} = '';
+ $checked{'DAUTH'}{'SHA3-512'} = '';
+ $checked{'DAUTH'}{'SHA3-384'} = '';
+ $checked{'DAUTH'}{'SHA3-256'} = '';
+ $checked{'DAUTH'}{'SHA512'} = '';
+ $checked{'DAUTH'}{'SHA384'} = '';
+ $checked{'DAUTH'}{'SHA256'} = '';
+ $checked{'DAUTH'}{'whirlpool'} = '';
+ $checked{'DAUTH'}{'SHA1'} = '';
+ @temp = split('\|', $cgiparams{'DAUTH'});
+ foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+
+ # Set default for TLS control authentication
+ if ($cgiparams{'TLSAUTH'} eq '') {
+ $cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41]
+ }
+ $checked{'TLSAUTH'}{'on'} = '';
+ $checked{'TLSAUTH'}{'off'} = '';
+ $checked{'TLSAUTH'}{'tls-crypt'} = '';
+ $checked{'TLSAUTH'}{'tls-crypt-v2'} = '';
+ @temp = split('\|', $cgiparams{'TLSAUTH'});
+ foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; }
+
# Set default for data-cipher-fallback (the old --cipher directive)
if ($cgiparams{'DCIPHER'} eq '') {
$cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40]
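Review bot: changing the fallback in the `TLSAUTH eq ''` branch from `off` (the value removed in the ADV_ERROR hunk) to `tls-crypt` changes behaviour for existing installations whose settings file has no TLSAUTH entry: on the next save of the encryption options the server gains `tls-crypt`, and every existing client without tc.key stops connecting. Keep `off` as the migration default, or apply `tls-crypt` only on fresh setups, so the upgrade does not silently break clients. Also, DAUTH and TLSAUTH are single-value selects, so the `split('\|', ...)` / `foreach` copied from the multi-select cipher lists is unnecessary; one `$checked{'DAUTH'}{$cgiparams{'DAUTH'}} = ...` assignment is clearer.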
@@ -3023,12 +3185,16 @@ ADV_ENC_ERROR:
# Save settings and display default if not configured
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+ $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'};
$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
} else {
+ $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+ $cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'};
$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
@@ -3132,6 +3298,44 @@ ADV_ENC_ERROR:
<br><br>
+ <h2>$Lang::tr{'ovpn crypt options'}:</h2>
+
+ <table width="100%">
+ <thead>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn ha'}</th>
+ <th>$Lang::tr{'ovpn tls auth'}</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td width="27%">$Lang::tr{'ovpn data channel authentication'}</td>
+ <td class='boldbase'>
+ <select name='DAUTH' size='6' style='width: 100%'>
+ <option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+ <option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+ <option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+ <option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+ <option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
+ <option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option>
+ <option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option>
+ <option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option>
+ <option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+ <option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+ </select>
+
+ <td class='boldbase'>
+ <select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+ <option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option>
+ <option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option>
+ <option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option>
+ <option value='off' $checked{'TLSAUTH'}{'off'}>Off</option>
+ </select>
+ </td>
+ </tr>
+ </tbody>
+ </table>
<hr>
END
;
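Review bot: the SHA3-256 option looks up `$checked{'DAUTH'}{'SHA-256'}`, but the hash is populated under `'SHA3-256'`, so a saved SHA3-256 selection is never shown as selected; fix the key. The `<select name='TLSAUTH' ...>` tag also carries two `size` attributes (`size='6'` and `size="11"`) and two `style` attributes, of which browsers keep only one, and the first `<td class='boldbase'>` holding the DAUTH select is never closed with `</td>` before the next `<td>`.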
@@ -3906,7 +4110,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
- $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
# Index from [39] to [44] has been reserved by advanced encryption
$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
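Review bot: removing the read of `$confighash{...}[41]` for TLSAUTH makes the setting global, but the writes to index [41] in the ADV_ENC_ERROR and save-enc-options hunks remain, and DAUTH at index [39] is still read here while also being stored globally in the settings file. Either drop the per-connection [39]/[41] writes too, or state in the `# Index from [39] to [44]` comment which slots are now unused, so the two sources of truth cannot drift apart.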
@@ -4824,16 +5027,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DAUTH'}{'whirlpool'} = '';
- $selected{'DAUTH'}{'SHA512'} = '';
- $selected{'DAUTH'}{'SHA384'} = '';
- $selected{'DAUTH'}{'SHA256'} = '';
- $selected{'DAUTH'}{'SHA1'} = '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
- $checked{'TLSAUTH'}{'off'} = '';
- $checked{'TLSAUTH'}{'on'} = '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
if (1) {
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
@@ -5378,21 +5571,6 @@ END
if ($cgiparams{'MSSFIX'} eq '') {
$cgiparams{'MSSFIX'} = 'off';
}
- if ($cgiparams{'DAUTH'} eq '') {
- if (-z "${General::swroot}/ovpn/ovpnconfig") {
- $cgiparams{'DAUTH'} = 'SHA512';
- }
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[3] ne 'host') {
- $cgiparams{'DAUTH'} = 'SHA512';
- } else {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- }
- }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
}
@@ -5410,17 +5588,6 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DAUTH'}{'whirlpool'} = '';
- $selected{'DAUTH'}{'SHA512'} = '';
- $selected{'DAUTH'}{'SHA384'} = '';
- $selected{'DAUTH'}{'SHA256'} = '';
- $selected{'DAUTH'}{'SHA1'} = '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
- $checked{'TLSAUTH'}{'off'} = '';
- $checked{'TLSAUTH'}{'on'} = '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
$checked{'DCOMPLZO'}{'off'} = '';
$checked{'DCOMPLZO'}{'on'} = '';
$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
@@ -5523,30 +5690,6 @@ END
<td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
</tr>
- <tr><td colspan='4'><br></td></tr>
- <tr>
- <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
- </tr>
- <tr><td colspan='1'><br></td></tr>
-
- <tr>
- <td class='base'>$Lang::tr{'ovpn ha'}</td>
- <td><select name='DAUTH'>
- <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
- <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
- <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
- <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- </select>
- </td>
- </tr>
-
- <tr><td colspan='4'><br></td></tr>
- <tr>
- <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
- <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
- </tr>
-
<tr><td colspan='4'><br><br></td></tr>
END
;
@@ -5845,6 +5988,10 @@ END
my $col3="bgcolor='$color{'color22'}'";
# ta.key line
my $col4="bgcolor='$color{'color20'}'";
+ # tc-v2.key line
+ my $col5="bgcolor='$color{'color22'}'";
+ # tc.key
+ my $col6="bgcolor='$color{'color20'}'";
if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
@@ -5974,7 +6121,7 @@ END
# Nothing
print <<END;
<tr>
- <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+ <td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td>
<td class='base' $col4>$Lang::tr{'not present'}</td>
<td colspan='3' $col4> </td>
</tr>
@@ -5982,6 +6129,52 @@ END
;
}
+ # Adding tc-v2.key to chart
+ if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ $tcvsubject =~ /-----BEGIN (.*)-----[\n]/;
+ $tcvsubject = $1;
+ print <<END;
+
+ <tr>
+ <td class='base' $col5>$Lang::tr{'tc v2 key'}</td>
+ <td class='base' $col5>$tcvsubject</td>
+ <form method='post' name='frmtcv2key'><td width='3%' align='center' $col5>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col5>
+ <td width='4%' $col5> </td>
+ </tr>
+END
+;
+ }
+
+ # Adding tc.key to chart
+ if (-f "${General::swroot}/ovpn/certs/tc.key") {
+ my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ $tcsubject =~ /# (.*)[\n]/;
+ $tcsubject = $1;
+ print <<END;
+
+ <tr>
+ <td class='base' $col6>$Lang::tr{'tc key'}</td>
+ <td class='base' $col6>$tcsubject</td>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+ <input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' />
+ </form>
+ <td width='4%' $col6> </td>
+ </tr>
+END
+;
+ }
+
+
if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
print "<tr><td colspan='5' align='center'><form method='post'>";
print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
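Review bot: in the tc-v2 row the `title` attribute references `$Lang::tr{'show tls-crypt-v2 key key'}` (doubled `key`), a string not defined in the language files in this patch, so the tooltip renders empty; and the second `<form method='post' name='frmtckey'>` in that row opens a form and a `<td>` with no contents and no `</form>`, while also duplicating the `name='frmtckey'` used twice more in the tc.key row. Drop the empty form (the v2 server key intentionally has no download button) and give each form a unique name. The `# Adding tc-v2.key to chart` comment should name the actual file, `tc-v2-server.key`.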
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cc7755018..9ffbbf432 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -894,6 +894,9 @@
'download new ruleset' => 'Neuen Regelsatz herunterladen',
'download pkcs12 file' => 'PKCS12-Datei herunterladen',
'download root certificate' => 'Root-Zertifikat herunterladen',
+'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen',
+'download tls-crypt key' => 'TLS-Crypt Schlüssel herunterladen',
+'download tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel herunterladen',
'download tls-auth key' => 'tls-auth Key herunterladen',
'dpd action' => 'Aktion für Erkennung toter Gegenstellen (Dead Peer Detection)',
'dpd delay' => 'Verzögerung',
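Review bot: the old `'download tls-auth key' => 'tls-auth Key herunterladen'` line is left in place below the three new entries, so de.pl now defines the key twice and Perl keeps the last assignment, i.e. the new `TLS-Auth Schlüssel herunterladen` translation is never used. Remove the old line, as the en.pl hunk does.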
@@ -1951,7 +1954,7 @@
'ovpn subnet' => 'OpenVPN-Subnetz:',
'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
-'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn tls auth' => 'TLS-Kanalabsicherung',
'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_fragment' => 'Fragmentgrösse',
@@ -2224,6 +2227,9 @@
'show last x lines' => 'die letzten x Zeilen anzeigen',
'show root certificate' => 'Root-Zertifikat anzeigen',
'show share options' => 'Anzeige der Freigabeeinstellungen',
+'show tls-auth key' => 'TLS-Auth Schlüssel anzeigen',
+'show tls-crypt key' => 'TLS-Crypt Schlüssel anzeigen',
+'show tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel anzeigen',
'shuffle' => 'Zufall',
'shutdown' => 'Herunterfahren',
'shutdown ask' => 'Herunterfahren?',
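Review bot: `'show tls-auth key'` is added here as a new entry, whereas in en.pl the same key already exists and is only modified; please check that de.pl does not already define it elsewhere, otherwise the later entry silently wins and one of the two translations is dead.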
@@ -2350,6 +2356,8 @@
'system logs' => 'Systemprotokolldateien',
'system status information' => 'System-Statusinformationen',
'ta key' => 'TLS-Authentifizierungsschlüssel',
+'tc key' => 'TLS-Kryptografie-Schlüssel',
+'tc v2 key' => 'TLS-Kryptografie-Schlüssel-Version2',
'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
'tcp more reliable' => 'TCP (zuverlässiger)',
'telephone not set' => 'Telefonnummer nicht angegeben.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 3dcb8d46e..6707a3a71 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -918,7 +918,9 @@
'download new ruleset' => 'Download new ruleset',
'download pkcs12 file' => 'Download PKCS12 file',
'download root certificate' => 'Download root certificate',
-'download tls-auth key' => 'Download tls-auth key',
+'download tls-auth key' => 'Download TLS-Auth key',
+'download tls-crypt key' => 'Download TLS-Crypt key',
+'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key',
'dpd action' => 'Action',
'dpd delay' => 'Delay',
'dpd timeout' => 'Timeout',
@@ -1983,7 +1985,7 @@
'ovpn subnet' => 'OpenVPN subnet:',
'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
-'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn tls auth' => 'TLS Channel Protection',
'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_mssfix' => 'MSSFIX Size',
@@ -2260,7 +2262,9 @@
'show lines' => 'Show lines',
'show root certificate' => 'Show root certificate',
'show share options' => 'Show shares options',
-'show tls-auth key' => 'Show tls-auth key',
+'show tls-auth key' => 'Show TLS-Auth key',
+'show tls-crypt key' => 'Show TLS-Crypt key',
+'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key',
'shuffle' => 'Shuffle',
'shutdown' => 'Shutdown',
'shutdown ask' => 'Shutdown?',
@@ -2388,6 +2392,8 @@
'system logs' => 'System Logs',
'system status information' => 'System Status Information',
'ta key' => 'TLS-Authentification-Key',
+'tc key' => 'TLS-Cryptografic-Key',
+'tc v2 key' => 'TLS-Cryptografic-Key-version2',
'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
'tcp more reliable' => 'TCP (more reliable)',
'telephone not set' => 'Telephone not set.',
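Review bot: `TLS-Cryptografic-Key` is misspelt; `TLS-Cryptographic-Key` (and `... version 2`) would match the other new strings. For 'tc v2 key' it would also help to say "server key", as the download string in this file already does, since the chart row it labels holds tc-v2-server.key.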
--
2.20.1