From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section
Date: Thu, 10 Dec 2020 16:59:24 +0000 [thread overview]
Message-ID: <20201210165925.25037-6-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 15553 bytes --]
- The --auth directive has been enhanced with the Keccak (SHA3) family
but also BLAKE2 has been integrated.
- The HMACs have now multi select for better overview.
- Old default SHA512 has been kept.
Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 89 ++++++++++++++++++++++-----------------
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
langs/es/cgi-bin/es.pl | 2 +
langs/fr/cgi-bin/fr.pl | 1 +
langs/it/cgi-bin/it.pl | 3 +-
langs/nl/cgi-bin/nl.pl | 2 +
langs/pl/cgi-bin/pl.pl | 3 ++
langs/ru/cgi-bin/ru.pl | 2 +
langs/tr/cgi-bin/tr.pl | 1 +
10 files changed, 65 insertions(+), 40 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e248b3cbb..a80befdb6 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -958,6 +958,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
@@ -1292,7 +1293,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
- $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
@@ -2979,6 +2979,7 @@ END
$key = &General::findhasharraykey (\%confighash);
foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
}
+ $confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
@@ -2986,6 +2987,23 @@ END
ADV_ENC_ERROR:
+ # Set default for hash message authentication code
+ if ($cgiparams{'DAUTH'} eq '') {
+ $cgiparams{'DAUTH'} = 'SHA512'; #[39];
+ }
+ $checked{'DAUTH'}{'BLAKE2b512'} = '';
+ $checked{'DAUTH'}{'BLAKE2s256'} = '';
+ $checked{'DAUTH'}{'SHA3-512'} = '';
+ $checked{'DAUTH'}{'SHA3-384'} = '';
+ $checked{'DAUTH'}{'SHA3-256'} = '';
+ $checked{'DAUTH'}{'SHA512'} = '';
+ $checked{'DAUTH'}{'SHA384'} = '';
+ $checked{'DAUTH'}{'SHA256'} = '';
+ $checked{'DAUTH'}{'whirlpool'} = '';
+ $checked{'DAUTH'}{'SHA1'} = '';
+ @temp = split('\|', $cgiparams{'DAUTH'});
+ foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+
# Set default for data-cipher-fallback (the old --cipher directive)
if ($cgiparams{'DCIPHER'} eq '') {
$cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40]
@@ -3038,11 +3056,13 @@ ADV_ENC_ERROR:
# Save settings and display default if not configured
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+ $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
} else {
+ $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
@@ -3148,6 +3168,35 @@ ADV_ENC_ERROR:
<br><br>
+ <h2>$Lang::tr{'ovpn crypt options'}:</h2>
+
+ <table width="100%">
+ <thead>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn ha'}</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td width="27%">$Lang::tr{'ovpn data channel authentication'}</td>
+ <td class='boldbase'>
+ <select name='DAUTH' size='6' style='width: 100%'>
+ <option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+ <option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+ <option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+ <option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+ <option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
+ <option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option>
+ <option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option>
+ <option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option>
+ <option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+ <option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+ </select>
+ </td>
+ </tr>
+ </tbody>
+ </table>
<hr>
END
;
@@ -4841,12 +4890,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DAUTH'}{'whirlpool'} = '';
- $selected{'DAUTH'}{'SHA512'} = '';
- $selected{'DAUTH'}{'SHA384'} = '';
- $selected{'DAUTH'}{'SHA256'} = '';
- $selected{'DAUTH'}{'SHA1'} = '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
$checked{'TLSAUTH'}{'off'} = '';
$checked{'TLSAUTH'}{'on'} = '';
$checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
@@ -5396,18 +5439,6 @@ END
if ($cgiparams{'MSSFIX'} eq '') {
$cgiparams{'MSSFIX'} = 'off';
}
- if ($cgiparams{'DAUTH'} eq '') {
- if (-z "${General::swroot}/ovpn/ovpnconfig") {
- $cgiparams{'DAUTH'} = 'SHA512';
- }
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[3] ne 'host') {
- $cgiparams{'DAUTH'} = 'SHA512';
- } else {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- }
- }
if ($cgiparams{'TLSAUTH'} eq '') {
$cgiparams{'TLSAUTH'} = 'off';
}
@@ -5428,13 +5459,6 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DAUTH'}{'whirlpool'} = '';
- $selected{'DAUTH'}{'SHA512'} = '';
- $selected{'DAUTH'}{'SHA384'} = '';
- $selected{'DAUTH'}{'SHA256'} = '';
- $selected{'DAUTH'}{'SHA1'} = '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
$checked{'TLSAUTH'}{'off'} = '';
$checked{'TLSAUTH'}{'on'} = '';
$checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
@@ -5547,19 +5571,6 @@ END
</tr>
<tr><td colspan='1'><br></td></tr>
- <tr>
- <td class='base'>$Lang::tr{'ovpn ha'}</td>
- <td><select name='DAUTH'>
- <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
- <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
- <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
- <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- </select>
- </td>
- </tr>
-
- <tr><td colspan='4'><br></td></tr>
<tr>
<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cadf4b141..a4c166bfe 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1912,6 +1912,7 @@
'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
'ovpn data channel' => 'Daten-Kanal',
'ovpn data channel fallback' => 'Daten-Kanal Fallback',
'ovpn device' => 'OpenVPN-Gerät',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 4b667f881..dc324676a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1944,6 +1944,7 @@
'ovpn control channel v2' => 'Control-Channel TLSv2',
'ovpn control channel v3' => 'Control-Channel TLSv3',
'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
'ovpn data channel' => 'Data-Channel',
'ovpn data channel fallback' => 'Data-Channel fallback',
'ovpn device' => 'OpenVPN device:',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 65505706c..1a0272b8a 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -1337,11 +1337,13 @@
'ovpn control channel v2' => 'Canal-Control TLSv2',
'ovpn control channel v3' => 'Canal-Control TLSv3',
'ovpn data encryption' => 'Encriptación Data-Channel',
+'ovpn data channel authentication' => 'Autenticación de datos y canal',
'ovpn data channel' => 'Canal-Datos',
'ovpn data channel fallback' => 'Retroceso Canal-Datos',
'ovpn device' => 'Dispositivo OpenVPN',
'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado',
'ovpn dl' => 'Configuración de descargas OVPN',
+'ovpn ha' => 'Algoritmo hash',
'ovpn log' => 'Registro de log de OVPN',
'ovpn on blue' => 'OpenVPN en BLUE',
'ovpn on orange' => 'OpenVPN en ORANGE',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index cda133e5d..d5deea1c0 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1945,6 +1945,7 @@
'ovpn control channel v2' => 'Canal de contrôle TLSv2',
'ovpn control channel v3' => 'Canal de contrôle TLSv3',
'ovpn data encryption' => 'Chiffrage du canal de données',
+'ovpn data channel authentication' => 'Authentification du canal et des données',
'ovpn data channel' => 'Canal de données',
'ovpn data channel fallback' => 'Canal de données de repli',
'ovpn device' => 'Périphérique OpenVPN :',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 22ce7cd4d..ad16de583 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -44,6 +44,7 @@
'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta',
'OVPN' => 'OpenVPN',
'ovpn data encryption' => 'Crittografia del canale dati',
+'ovpn data channel authentication' => 'Autenticazione di dati e di canali',
'ovpn data channel' => 'Canale-Dati',
'ovpn data channel fallback' => 'Canale-Dati di riserva',
'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia',
@@ -1715,7 +1716,7 @@
'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
-'ovpn ha' => 'Hash algorithm',
+'ovpn ha' => 'Algoritmo di hash',
'ovpn hmac' => 'HMAC options',
'ovpn log' => 'OVPN-Log',
'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 15482b7c7..b0f037e0c 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -1664,6 +1664,7 @@
'ovpn control channel v2' => 'Controle-Kanaal TLSv2',
'ovpn control channel v3' => 'Controle-Kanaal TLSv3',
'ovpn data encryption' => 'Datakanaalversleuteling',
+'ovpn data channel authentication' => 'Gegevens en kanaal verificatie',
'ovpn data channel' => 'Data-kanaal',
'ovpn data channel fallback' => 'Data-Kanaal terugval',
'ovpn device' => 'OpenVPN apparaat:',
@@ -1671,6 +1672,7 @@
'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet',
'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig',
'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker',
+'ovpn ha' => 'Hash algoritme',
'ovpn log' => 'OVPN-Log',
'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.',
'ovpn mtu-disc' => 'Pad MTU Discovery',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index a5bde2044..5e8ec0864 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -40,6 +40,7 @@
'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania',
'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania',
'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej',
+'ovpn crypt options' => 'Opcje kryptograficzne',
'OpenVPN' => 'OpenVPN',
'Pages' => 'Stron',
'Ping' => 'Ping :',
@@ -1349,11 +1350,13 @@
'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2',
'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3',
'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
+'ovpn data channel authentication' => 'Uwierzytelnianie danych i kanałów',
'ovpn data channel' => 'Kanał-Danych',
'ovpn data channel fallback' => 'Awaria Kanału-Danych',
'ovpn device' => 'Urządzenie OpenVPN:',
'ovpn dl' => 'Pobierz konfig OVPN',
'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru',
+'ovpn ha' => 'Algorytm haszyszowy',
'ovpn log' => 'Log OVPN',
'ovpn on blue' => 'OpenVPN na int. BLUE',
'ovpn on orange' => 'OpenVPN na int. ORANGE',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 17666de80..6e3af2d7e 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -1340,6 +1340,7 @@
'ovpn control channel v2' => 'Канал-управления TLSv2',
'ovpn control channel v3' => 'Канал-управления TLSv3',
'ovpn data encryption' => 'шифрование-каналов данных',
+'ovpn data channel authentication' => 'Аутентификация данных и каналов',
'ovpn data channel' => 'Информационный-канал',
'ovpn data channel fallback' => 'Информационный-канал отступление',
'ovpn device' => 'Устройство OpenVPN:',
@@ -1347,6 +1348,7 @@
'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён',
'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр',
'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти',
+'ovpn ha' => 'хеш-алгоритм',
'ovpn log' => 'Журнал OVPN',
'ovpn on blue' => 'OpenVPN на BLUE',
'ovpn on orange' => 'OpenVPN на ORANGE',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 7df486bc8..e55a73aa3 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1849,6 +1849,7 @@
'ovpn data channel' => 'Veri-Kanalı',
'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü',
'ovpn data encryption' => 'Veri-Kanalı şifreleme',
+'ovpn data channel authentication' => 'Veri ve kanal kimlik doğrulaması',
'ovpn device' => 'OpenVPN aygıtı:',
'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
--
2.20.1
next prev parent reply other threads:[~2020-12-10 16:59 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-03 12:08 [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-03 12:08 ` [PATCH 2/3] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-03 12:08 ` [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection ummeegge
2020-12-08 17:28 ` [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-29 10:29 ` Michael Tremer
2020-12-10 16:59 ` [PATCH v2 1/7] " ummeegge
2020-12-10 16:59 ` [PATCH v2 2/7] OpenVPN: Substitute --cipher with --data-cipher-fallback ummeegge
2020-12-10 16:59 ` [PATCH v2 3/7] OpenVPN: Warning for broken algorithms ummeegge
2020-12-10 16:59 ` [PATCH v2 4/7] OpenVPN: New ciphers and HMACs for N2N ummeegge
2020-12-10 16:59 ` [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-10 16:59 ` ummeegge [this message]
2020-12-10 16:59 ` [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section ummeegge
2020-12-14 13:03 ` ummeegge
2020-12-14 13:43 ` Michael Tremer
2020-12-14 15:12 ` ummeegge
2020-12-15 11:58 ` Michael Tremer
2020-12-14 13:44 ` Paul Simmons
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201210165925.25037-6-erik.kapfer@ipfire.org \
--to=erik.kapfer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox