From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: [PATCH v2 3/7] OpenVPN: Warning for broken algorithms Date: Thu, 10 Dec 2020 16:59:21 +0000 Message-ID: <20201210165925.25037-3-erik.kapfer@ipfire.org> In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8440955490639743758==" List-Id: --===============8440955490639743758== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1 since those algorithms will "soon be removed". Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ langs/es/cgi-bin/es.pl | 4 ++++ langs/fr/cgi-bin/fr.pl | 2 ++ langs/it/cgi-bin/it.pl | 4 ++++ langs/nl/cgi-bin/nl.pl | 5 +++++ langs/pl/cgi-bin/pl.pl | 4 ++++ langs/ru/cgi-bin/ru.pl | 4 ++++ langs/tr/cgi-bin/tr.pl | 4 ++++ 10 files changed, 48 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dbf8a8d2e..7a2f8a5a3 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -250,6 +250,20 @@ sub pkiconfigcheck } } =20 + # Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers =3D "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring =3D ) { + if ($cipherstring =3D~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CB= C|SHA1/) { + my @tempcipherstring =3D split(" ", $cipherstring); + $cryptowarning =3D "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[1]
$Lang::tr{'ovpn warning 64 bit block= cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + CRYPTO_WARNING: } =20 @@ -5242,6 +5256,9 @@ END =20 my @status =3D `/bin/cat /var/run/ovpnserver.log`; =20 + # Perform crypto and configration test to display warnings or errors + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr =3D ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 08827b08a..ae05d5e55 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1948,6 +1948,8 @@ 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.', 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ', 'ovpn tls auth' =3D> 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' =3D> 'Diser Algorithmus ist unsicher und = wird bald entfernt.
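Review bot: The `goto CRYPTO_WARNING` taken on a match jumps past `close(FH)`, so the bareword handle stays open whenever a warning is raised, and the two-argument `open(FH, $oldciphers)` is never checked for failure. The pattern is also unanchored, so any line of server.conf that merely contains one of these names (a comment, a file path) sets the warning, and `$tempcipherstring[1]` may then not be an algorithm at all; presumably only the `cipher` and `auth` directives are meant. A lexical handle opened with three-argument `open`, a match anchored on those two directives and `last` in place of the `goto` cover all three points, after which the `CRYPTO_WARNING:` label can be dropped. Because the scan stops at the first hit, a configuration with both a weak cipher and SHA1 reports only one of them. The body of pkiconfigcheck starts above the hunk.

```perl
	# Warn if a deprecated 64-bit block cipher or SHA1 is configured
	if (open(my $conf, '<', "${General::swroot}/ovpn/server.conf")) {
		while (my $cipherstring = <$conf>) {
			# Only the directives that select an algorithm are of interest
			next unless $cipherstring =~ /^\s*(?:cipher|auth)\s+(?:BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1)\b/;
			# … unchanged: split into @tempcipherstring and assign $cryptowarning …
			last;
		}
		close($conf);
	}
```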
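Review bot: `&pkiconfigcheck;` without parentheses passes the caller's current `@_` to the sub implicitly; `&pkiconfigcheck();` makes the empty argument list explicit. The comment added above it has a typo, `configration` for `configuration`. The hunk does not show whether pkiconfigcheck is already called on another path of this page, so a duplicate call is worth ruling out.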
Bitte =C3=A4ndern Sie dies so schnell wie m=C3=B6glic= h!
', +'ovpn warning algorithm' =3D> 'Folgender Algorithmus wurde konfiguriert', 'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 880cae5f7..321503d67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1980,6 +1980,8 @@ 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' =3D> 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' =3D> 'This encryption algorithm is broken= and will soon be removed.
Please change this as soon as possible!
', +'ovpn warning algorithm' =3D> 'You configured the algorithm', 'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_mssfix' =3D> 'MSSFIX Size', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index c86580e81..752093552 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -552,6 +552,8 @@ 'credits' =3D> 'Creditos', 'crl' =3D> 'Lista de revocaci=C3=B3n de certificados', 'cron server' =3D> 'Servidor CRON', +'crypto error' =3D> 'Error de criptograf=C3=ADa', +'crypto warning' =3D> 'Advertencias sobre la criptograf=C3=ADa', 'current' =3D> 'Actual', 'current aliases' =3D> 'Alias actuales', 'current class' =3D> 'Clase actual', @@ -1345,6 +1347,8 @@ 'ovpn subnet' =3D> 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0', 'ovpn subnet is invalid' =3D> 'Subred de OpenVPN no es v=C3=A1lida.', 'ovpn subnet overlap' =3D> 'La subred de OpenVPN se traslapa con:', +'ovpn warning 64 bit block cipher' =3D> 'Este algoritmo de cifrado del est= =C3=A1 roto y pronto se eliminar=C3=A1.
=C2=A1Por favor, cambie esto lo a= ntes posible!
', +'ovpn warning algorithm' =3D> 'Se configur=C3=B3 el siguiente algoritmo', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Tama=C3=B1o de Fragmento', 'ovpn_mssfix' =3D> 'Tama=C3=B1o MSSFIX', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 1a1f37cbe..f931bc70e 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1981,6 +1981,8 @@ 'ovpn subnet is invalid' =3D> 'Sous-r=C3=A9seau OpenVPN non valide.', 'ovpn subnet overlap' =3D> 'Le sous-r=C3=A9seau OpenVPN se chevauche avec : = ', 'ovpn tls auth' =3D> 'Protection du canal TLS :', +'ovpn warning 64 bit block cipher' =3D> 'Ce L\'algorithme de chiffage du n\'= est plus s=C3=BBr et sera bient=C3=B4t supprim=C3=A9.
Veuillez changer ce= la d=C3=A8s que possible!
', +'ovpn warning algorithm' =3D> 'L\'algorithme suivant a =C3=A9t=C3=A9 configu= r=C3=A9', 'ovpn warning rfc3280' =3D> 'Votre certificat d\'h=C3=B4te n\'est pas confor= me avec la RFC3280.
Veuillez mettre =C3=A0 jour la derni=C3=A8re version d= \'IPFire et g=C3=A9n=C3=A9rer d=C3=A8s que possible un nouveau certificat rac= ine et h=C3=B4te.

Tous les clients OpenVPN doivent ensuite =C3=AAtre = renouvel=C3=A9s !
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Taille du fragment', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 2c1dc9559..3779de3f6 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -622,6 +622,8 @@ 'credits' =3D> 'Credits', 'crl' =3D> 'Certificate Revocation List', 'cron server' =3D> 'CRON Server', +'crypto error' =3D> 'Errore di crittografia', +'crypto warning' =3D> 'Avvertenze di crittografia', 'current' =3D> 'Current', 'current aliases' =3D> 'Current aliases', 'current class' =3D> 'Current class', @@ -1733,6 +1735,8 @@ 'ovpn subnet' =3D> 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ', +'ovpn warning 64 bit block cipher' =3D> 'L\'algoritmo di crittografia =C3=A8= insicuro e verr=C3=A0 presto disinstallato.
Si prega di cambiare il pi=C3= =B9 presto possibile!
', +'ovpn warning algorithm' =3D> '=C3=88 stato configurato il seguente algoritm= o', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_mssfix' =3D> 'MSSFIX Size', 'ovpn_mtudisc' =3D> 'MTU-Discovery', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 635cbd3b8..dc9ea350f 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -616,6 +616,8 @@ 'credits' =3D> 'Credits', 'crl' =3D> 'Certificaatintrekkingslijst', 'cron server' =3D> 'CRON Server', +'crypto error' =3D> 'Cryptografische fout', +'crypto warning' =3D> 'Cryptografie waarschuwingen', 'current' =3D> 'Huidig', 'current aliases' =3D> 'Huidige aliassen:', 'current class' =3D> 'Huidige klasse', @@ -1686,6 +1688,9 @@ 'ovpn subnet' =3D> 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is ongeldig.', 'ovpn subnet overlap' =3D> 'OpenVPN subnet overlapt met : ', +'ovpn warning 64 bit block cipher' =3D> 'Dit encryptie algoritme is verbroke= n en zal binnenkort worden verwijderd.
Verander dit zo snel mogelijk!', +'ovpn warning algorithm' =3D> 'U hebt het algoritme geconfigureerd', +'ovpn warning rfc3280' =3D> 'Uw gastheercertificaat is niet RFC3280-conform.=
Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelij= k een nieuw root- en host-certificaat.

Alle OpenVPN-clients moeten da= n vernieuwd worden!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentgrootte', 'ovpn_mssfix' =3D> 'MSSFIX-grootte', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 4ceaeef8a..96e9a95ae 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -553,6 +553,8 @@ 'credits' =3D> 'Credits', 'crl' =3D> 'Lista odwo=C5=82a=C5=84 certyfikat=C3=B3w', 'cron server' =3D> 'Serwer CRON', +'crypto error' =3D> 'B=C5=82=C4=85d kryptograficzny', +'crypto warning' =3D> 'Ostrze=C5=BCenia kryptograficzne', 'current' =3D> 'Aktualne', 'current aliases' =3D> 'Aktualne alias:', 'current class' =3D> 'Aktualna klasa', @@ -1357,6 +1359,8 @@ 'ovpn subnet' =3D> 'Podsie=C4=87 OpenVPN (np. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' =3D> 'Podsie=C4=87 OpenVPN jest niepoprawna.', 'ovpn subnet overlap' =3D> 'Podsie=C4=87 OpenVPN zachodzi na : ', +'ovpn warning 64 bit block cipher' =3D> 'Szyfr danych wymaga co najmniej jed= nego szyfru.
Prosz=C4=99 to zmieni=C4=87 jak najszybciej!
', +'ovpn warning algorithm' =3D> 'Skonfigurowa=C5=82e=C5=9B algorytm', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Rozmiar fragmentu', 'ovpn_mssfix' =3D> 'MSSFIX Size', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 1d81eb62c..5ba44ce29 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -551,6 +551,8 @@ 'credits' =3D> '=D0=9E =D0=9F=D1=80=D0=BE=D0=B5=D0=BA=D1=82=D0=B5', 'crl' =3D> '=D0=A1=D0=BF=D0=B8=D1=81=D0=BE=D0=BA =D0=BE=D1=82=D0=BE=D0=B7=D0= =B2=D0=B0=D0=BD=D0=BD=D1=8B=D1=85 =D1=81=D0=B5=D1=80=D1=82=D0=B8=D1=84=D0=B8= =D0=BA=D0=B0=D1=82=D0=BE=D0=B2', 'cron server' =3D> 'CRON =D0=A1=D0=B5=D1=80=D0=B2=D0=B5=D1=80', +'crypto error' =3D> '=D0=9E=D1=88=D0=B8=D0=B1=D0=BA=D0=B0 =D0=BA=D1=80=D0=B8= =D0=BF=D1=82=D0=BE=D0=B3=D1=80=D0=B0=D1=84=D0=B8=D0=B8', +'crypto warning' =3D> '=D0=BA=D1=80=D0=B8=D0=BF=D1=82=D0=BE-=D0=BF=D1=80=D0= =B5=D0=B4=D1=83=D0=BF=D1=80=D0=B5=D0=B6=D0=B4=D0=B5=D0=BD=D0=B8=D0=B5', 'current' =3D> 'Current', 'current aliases' =3D> '=D0=94=D0=B5=D0=B9=D1=81=D1=82=D0=B2=D1=83=D1=8E=D1= =89=D0=B8=D0=B5 =D0=BF=D1=81=D0=B5=D0=B2=D0=B4=D0=BE=D0=BD=D0=B8=D0=BC=D1=8B:= ', 'current class' =3D> '=D0=A2=D0=B5=D0=BA=D1=83=D1=89=D0=B8=D0=B9 =D0=BA=D0= =BB=D0=B0=D1=81=D1=81', 
@@ -1352,6 +1354,8 @@ 'ovpn subnet' =3D> '=D0=9F=D0=BE=D0=B4=D1=81=D0=B5=D1=82=D1=8C OpenVPN (e.g.= 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' =3D> '=D0=9F=D0=BE=D0=B4=D1=81=D0=B5=D1=82=D1=8C Op= enVPN =D0=B7=D0=B0=D0=B4=D0=B0=D0=BD=D0=B0 =D0=BD=D0=B5=D0=B2=D0=B5=D1=80=D0= =BD=D0=BE.', 'ovpn subnet overlap' =3D> '=D0=9F=D0=BE=D0=B4=D1=81=D0=B5=D1=82=D1=8C OpenV= PN =D0=BF=D0=B5=D1=80=D0=B5=D1=81=D0=B5=D0=BA=D0=B0=D0=B5=D1=82=D1=81=D1=8F = =D1=81: ', +'ovpn warning 64 bit block cipher' =3D> '=D0=AD=D1=82=D0=BE=D1=82 =D0=B0=D0= =BB=D0=B3=D0=BE=D1=80=D0=B8=D1=82=D0=BC =D1=88=D0=B8=D1=84=D1=80=D0=BE=D0=B2= =D0=B0=D0=BD=D0=B8=D1=8F =D1=81=D0=BB=D0=BE=D0=BC=D0=B0=D0=BD =D0=B8 =D0=B2= =D1=81=D0=BA=D0=BE=D1=80=D0=B5 =D0=B1=D1=83=D0=B4=D0=B5=D1=82 =D1=83=D0=B4=D0= =B0=D0=BB=D0=B5=D0=BD.
=D0=9F=D0=BE=D0=B6=D0=B0=D0=BB=D1=83=D0=B9=D1=81= =D1=82=D0=B0, =D0=B8=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8=D1=82=D0=B5 =D1=8D=D1=82= =D0=BE =D0=BA=D0=B0=D0=BA =D0=BC=D0=BE=D0=B6=D0=BD=D0=BE =D1=81=D0=BA=D0=BE= =D1=80=D0=B5=D0=B5!
', +'ovpn warning algorithm' =3D> '=D0=92=D1=8B =D0=BD=D0=B0=D1=81=D1=82=D1=80= =D0=BE=D0=B8=D0=BB=D0=B8 =D0=B0=D0=BB=D0=B3=D0=BE=D1=80=D0=B8=D1=82=D0=BC', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentsize', 'ovpn_mssfix' =3D> 'MSSFIX Size', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 5fbd9f3d3..b459401c9 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -682,6 +682,8 @@ 'credits' =3D> 'Yazarlar', 'crl' =3D> 'Sertifika =C4=B0ptal Listesi', 'cron server' =3D> 'CRON Sunucusu', +'crypto error' =3D> 'Kriptografi hatas=C4=B1', +'crypto warning' =3D> 'Kriptografi uyar=C4=B1lar=C4=B1', 'current' =3D> 'Ge=C3=A7erli', 'current aliases' =3D> 'Ge=C3=A7erli takma adlar:', 'current class' =3D> 'Ge=C3=A7erli s=C4=B1n=C4=B1flar', @@ -1878,6 +1880,8 @@ 'ovpn subnet' =3D> 'OpenVPN alt a=C4=9F=C4=B1 (=C3=B6rne=C4=9Fin 10.0.10.0/2= 55.255.255.0)', 'ovpn subnet is invalid' =3D> 'Ge=C3=A7ersiz OpenVPN alt a=C4=9F=C4=B1.', 'ovpn subnet overlap' =3D> 'OpenVPN alt a=C4=9F=C4=B1 ile =C3=B6rt=C3=BC=C5= =9Fenler: ', +'ovpn warning 64 bit block cipher' =3D> 'Bu =C5=9Fifreleme algoritmas=C4=B1 = bozuldu ve yak=C4=B1nda kald=C4=B1r=C4=B1lacak.
L=C3=BCtfen bunu m=C3=BC= mk=C3=BCn olan en k=C4=B1sa s=C3=BCrede de=C4=9Fi=C5=9Ftirin!
', +'ovpn warning algorithm' =3D> 'Algoritmay=C4=B1 sen yap=C4=B1land=C4=B1rd=C4= =B1n', 'ovpn_fastio' =3D> 'H=C4=B1zl=C4=B1-IO', 'ovpn_mssfix' =3D> 'MSSFIX Boyutu', 'ovpn_mtudisc' =3D> 'MTU-Ke=C5=9Ffi', --=20 2.20.1 --===============8440955490639743758==--