From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 4/7] OpenVPN: New ciphers and HMACs for N2N
Date: Thu, 10 Dec 2020 16:59:22 +0000 [thread overview]
Message-ID: <20201210165925.25037-4-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5372 bytes --]
OpenVPN-2.5.0 delivers ChaCha20-Poly1305 for the data channel.
The Checcak (SHA3) and Blake for the hash message authentication code
are newely integrated fully into Net-to-Net .
Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 7a2f8a5a3..71cba6d88 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1028,10 +1028,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "# Cipher\n";
print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- # If GCM cipher is used, do not use --auth
+ # If AEAD cipher is used, do not use --auth
if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
- ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
print SERVERCONF unless "# HMAC algorithm\n";
print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
@@ -1133,10 +1134,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- # If GCM cipher is used, do not use --auth
+ # If AEAD cipher is used, do not use --auth
if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
- ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
print CLIENTCONF unless "# HMAC algorithm\n";
print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
@@ -2264,10 +2266,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
}
- # If GCM cipher is used, do not use --auth
+ # If AEAD cipher is used, do not use --auth
if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
- ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
print CLIENTCONF unless "# HMAC algorithm\n";
print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
} else {
@@ -4875,6 +4878,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
<td><select name='DCIPHER' id="n2ncipher" required>
+ <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
@@ -4895,10 +4899,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
- <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+ <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+ <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+ <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+ <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+ <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+ <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
<option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
@@ -4915,7 +4924,7 @@ print<<END;
<script>
var disable_options = false;
document.getElementById('n2ncipher').onchange = function () {
- if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+ if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
document.getElementById('n2nhmac').setAttribute('disabled', true);
} else {
document.getElementById('n2nhmac').removeAttribute('disabled');
--
2.20.1
next prev parent reply other threads:[~2020-12-10 16:59 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-03 12:08 [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-03 12:08 ` [PATCH 2/3] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-03 12:08 ` [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection ummeegge
2020-12-08 17:28 ` [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-29 10:29 ` Michael Tremer
2020-12-10 16:59 ` [PATCH v2 1/7] " ummeegge
2020-12-10 16:59 ` [PATCH v2 2/7] OpenVPN: Substitute --cipher with --data-cipher-fallback ummeegge
2020-12-10 16:59 ` [PATCH v2 3/7] OpenVPN: Warning for broken algorithms ummeegge
2020-12-10 16:59 ` ummeegge [this message]
2020-12-10 16:59 ` [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-10 16:59 ` [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section ummeegge
2020-12-10 16:59 ` [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section ummeegge
2020-12-14 13:03 ` ummeegge
2020-12-14 13:43 ` Michael Tremer
2020-12-14 15:12 ` ummeegge
2020-12-15 11:58 ` Michael Tremer
2020-12-14 13:44 ` Paul Simmons
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201210165925.25037-4-erik.kapfer@ipfire.org \
--to=erik.kapfer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox