From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section Date: Thu, 10 Dec 2020 16:59:24 +0000 Message-ID: <20201210165925.25037-6-erik.kapfer@ipfire.org> In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8411822948010474290==" List-Id: --===============8411822948010474290== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - The --auth directive has been enhanced with the Keccak (SHA3) family but also BLAKE2 has been integrated. - The HMACs have now multi select for better overview. - Old default SHA512 has been kept. Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 89 ++++++++++++++++++++++----------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + langs/es/cgi-bin/es.pl | 2 + langs/fr/cgi-bin/fr.pl | 1 + langs/it/cgi-bin/it.pl | 3 +- langs/nl/cgi-bin/nl.pl | 2 + langs/pl/cgi-bin/pl.pl | 3 ++ langs/ru/cgi-bin/ru.pl | 2 + langs/tr/cgi-bin/tr.pl | 1 + 10 files changed, 65 insertions(+), 40 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index e248b3cbb..a80befdb6 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -958,6 +958,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}= ) { if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); =20 + $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'}; $vpnsettings{'DCIPHER'} =3D $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} =3D $cgiparams{'DATACIPHERS'}; =20 
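Review bot: The new `$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};` in the `@@ -958` hunk persists the submitted digest list without checking it against the names the form offers, and the same unchecked value is copied into `$confighash{$key}[39]` in the `@@ -2979` and `@@ -3038` hunks. The data-cipher input already has a rejection path (the `ovpn errmsg invalid data cipher input` message), so an HMAC check of the same shape would keep an empty or crafted value out of the settings file and, presumably, out of the generated `--auth` directive, which this patch does not show. Since `--auth` takes a single algorithm name, it is also worth a comment on how a multi-selection joined with `|` is reduced to one name before it reaches OpenVPN. A whitelist built from the same list the `%checked` block uses would look like the following (the language key is a placeholder, and the `save-enc-options` block continues outside the hunk).
```perl
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);

	# Accept only the digest names the form offers; anything else is
	# rejected before it can reach the settings file.
	my %valid_dauth = map { $_ => 1 } qw(
		BLAKE2b512 BLAKE2s256 SHA3-512 SHA3-384 SHA3-256
		SHA512 SHA384 SHA256 whirlpool SHA1
	);
	my @dauth = grep { length } split /\|/, $cgiparams{'DAUTH'};
	if (!@dauth || grep { !$valid_dauth{$_} } @dauth) {
		$errormessage = $Lang::tr{'PLACEHOLDER-lang-key: invalid hmac input'};
		goto ADV_ENC_ERROR;   # same exit as the data-cipher check (confirm)
	}
	$cgiparams{'DAUTH'} = join('|', @dauth);

	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
	# … unchanged: DCIPHER / DATACIPHERS assignments …
```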
@@ -1292,7 +1293,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgipa= rams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} =3D $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} =3D $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} =3D $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'}; #wrtie enable =20 @@ -2979,6 +2979,7 @@ END $key =3D &General::findhasharraykey (\%confighash); foreach my $i (39.. 45) { $confighash{$key}[$i] =3D ""; } } + $confighash{$key}[39] =3D $cgiparams{'DAUTH'}; $confighash{$key}[40] =3D $cgiparams{'DCIPHER'}; $confighash{$key}[42] =3D $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] =3D $cgiparams{'CHANNELCIPHERS'}; @@ -2986,6 +2987,23 @@ END =20 ADV_ENC_ERROR: =20 + # Set default for hash message authentication code + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} =3D 'SHA512'; #[39]; + } + $checked{'DAUTH'}{'BLAKE2b512'} =3D ''; + $checked{'DAUTH'}{'BLAKE2s256'} =3D ''; + $checked{'DAUTH'}{'SHA3-512'} =3D ''; + $checked{'DAUTH'}{'SHA3-384'} =3D ''; + $checked{'DAUTH'}{'SHA3-256'} =3D ''; + $checked{'DAUTH'}{'SHA512'} =3D ''; + $checked{'DAUTH'}{'SHA384'} =3D ''; + $checked{'DAUTH'}{'SHA256'} =3D ''; + $checked{'DAUTH'}{'whirlpool'} =3D ''; + $checked{'DAUTH'}{'SHA1'} =3D ''; + @temp =3D split('\|', $cgiparams{'DAUTH'}); + foreach my $key (@temp) {$checked{'DAUTH'}{$key} =3D "selected=3D'selected'= "; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} =3D 'AES-256-CBC'; #[40] 
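Review bot: In the `@@ -2986` hunk the selection loop `foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }` reuses the name `$key` that the `@@ -2979` hunk just used as the `%confighash` index, so the two read as the same variable although the loop one is a fresh lexical; a distinct name such as `foreach my $dauth (@dauth_selected) { ... }` avoids the double take. `@temp` is not declared in the hunk and so is presumably a file-scope scratch array shared with other sections; a `my` array local to this block would make the lifetime obvious. `split('\|', $cgiparams{'DAUTH'})` passes a single-quoted string as the pattern, which works but hides that it is a regex; `split /\|/, $cgiparams{'DAUTH'}` says so directly. The `#[39];` trailer on the default line would read better spelled out as `# confighash index 39`, if that is what it refers to.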
@@ -3038,11 +3056,13 @@ ADV_ENC_ERROR: =20 # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[39] =3D $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] =3D $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] =3D $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] =3D $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] =3D $cgiparams{'NCHANNELCIPHERS'}; } else { + $cgiparams{'DAUTH'} =3D $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} =3D $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} =3D $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} =3D $vpnsettings{'CHANNELCIPHERS'}; @@ -3148,6 +3168,35 @@ ADV_ENC_ERROR: =20
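Review bot: In the `@@ -3038` hunk the else branch `$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};` runs after the `@@ -2986` hunk has already defaulted an empty `DAUTH` to `SHA512` and filled `$checked{'DAUTH'}`, so unless the lines between the two hunks recompute that hash, a plain page load would mark `SHA512` rather than the stored selection. The same ordering already exists for `DCIPHER`, so it may be handled in code outside the hunk; if it is not, the stored value should be loaded before the default and `%checked` block, or the selection loop re-run after this assignment. On a settings file that never had `DAUTH` saved, the assignment also replaces the defaulted value with undef; `$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'} // 'SHA512';` keeps the fallback. The else block continues outside the hunk.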

=20 +

$Lang::tr{'ovpn crypt options'}:

+ + + + + + + + + + + + + + +
$Lang::tr{'ovpn ha'}
$Lang::tr{'ovpn data channel authentication'} + +

END ; @@ -4841,12 +4890,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} =3D ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} =3D 'CHECKED'; =20 - $selected{'DAUTH'}{'whirlpool'} =3D ''; - $selected{'DAUTH'}{'SHA512'} =3D ''; - $selected{'DAUTH'}{'SHA384'} =3D ''; - $selected{'DAUTH'}{'SHA256'} =3D ''; - $selected{'DAUTH'}{'SHA1'} =3D ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; $checked{'TLSAUTH'}{'off'} =3D ''; $checked{'TLSAUTH'}{'on'} =3D ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; @@ -5396,18 +5439,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} =3D 'off'; } - if ($cgiparams{'DAUTH'} eq '') { - if (-z "${General::swroot}/ovpn/ovpnconfig") { - $cgiparams{'DAUTH'} =3D 'SHA512'; - } - foreach my $key (keys %confighash) { - if ($confighash{$key}[3] ne 'host') { - $cgiparams{'DAUTH'} =3D 'SHA512'; - } else { - $cgiparams{'DAUTH'} =3D 'SHA1'; - } - } - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} =3D 'off'; } @@ -5428,13 +5459,6 @@ END $selected{'DPROTOCOL'}{'tcp'} =3D ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED'; =20 - $selected{'DAUTH'}{'whirlpool'} =3D ''; - $selected{'DAUTH'}{'SHA512'} =3D ''; - $selected{'DAUTH'}{'SHA384'} =3D ''; - $selected{'DAUTH'}{'SHA256'} =3D ''; - $selected{'DAUTH'}{'SHA1'} =3D ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; - $checked{'TLSAUTH'}{'off'} =3D ''; $checked{'TLSAUTH'}{'on'} =3D ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; @@ -5547,19 +5571,6 @@ END
=20 - - $Lang::tr{'ovpn ha'} - - - - -
$Lang::tr{'ovpn tls auth'} = diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cadf4b141..a4c166bfe 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1912,6 +1912,7 @@ 'ovpn control channel v2' =3D> 'Kontroll-Kanal TLSv2', 'ovpn control channel v3' =3D> 'Kontroll-Kanal TLSv3', 'ovpn data encryption' =3D> 'Daten-Kanal Verschl=C3=BCsselung', +'ovpn data channel authentication' =3D> 'Daten-Kontrol Kanal Authentifikatio= n', 'ovpn data channel' =3D> 'Daten-Kanal', 'ovpn data channel fallback' =3D> 'Daten-Kanal Fallback', 'ovpn device' =3D> 'OpenVPN-Ger=C3=A4t', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4b667f881..dc324676a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1944,6 +1944,7 @@ 'ovpn control channel v2' =3D> 'Control-Channel TLSv2', 'ovpn control channel v3' =3D> 'Control-Channel TLSv3', 'ovpn data encryption' =3D> 'Data-Channel encryption', +'ovpn data channel authentication' =3D> 'Data and channel authentication', 'ovpn data channel' =3D> 'Data-Channel', 'ovpn data channel fallback' =3D> 'Data-Channel fallback', 'ovpn device' =3D> 'OpenVPN device:', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 65505706c..1a0272b8a 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl 
@@ -1337,11 +1337,13 @@ 'ovpn control channel v2' =3D> 'Canal-Control TLSv2', 'ovpn control channel v3' =3D> 'Canal-Control TLSv3', 'ovpn data encryption' =3D> 'Encriptaci=C3=B3n Data-Channel', +'ovpn data channel authentication' =3D> 'Autenticaci=C3=B3n de datos y canal= ', 'ovpn data channel' =3D> 'Canal-Datos', 'ovpn data channel fallback' =3D> 'Retroceso Canal-Datos', 'ovpn device' =3D> 'Dispositivo OpenVPN', 'ovpn errmsg invalid data cipher input' =3D> 'El cifrado de datos necesita a= l menos de un cifrado', 'ovpn dl' =3D> 'Configuraci=C3=B3n de descargas OVPN', +'ovpn ha' =3D> 'Algoritmo hash', 'ovpn log' =3D> 'Registro de log de OVPN', 'ovpn on blue' =3D> 'OpenVPN en BLUE', 'ovpn on orange' =3D> 'OpenVPN en ORANGE', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index cda133e5d..d5deea1c0 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1945,6 +1945,7 @@ 'ovpn control channel v2' =3D> 'Canal de contr=C3=B4le TLSv2', 'ovpn control channel v3' =3D> 'Canal de contr=C3=B4le TLSv3', 'ovpn data encryption' =3D> 'Chiffrage du canal de donn=C3=A9es', +'ovpn data channel authentication' =3D> 'Authentification du canal et des do= nn=C3=A9es', 'ovpn data channel' =3D> 'Canal de donn=C3=A9es', 'ovpn data channel fallback' =3D> 'Canal de donn=C3=A9es de repli', 'ovpn device' =3D> 'P=C3=A9riph=C3=A9rique OpenVPN :', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 22ce7cd4d..ad16de583 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -44,6 +44,7 @@ 'Number of Ports for the pie chart' =3D> 'Numero di porte per il grafico a t= orta', 'OVPN' =3D> 'OpenVPN', 'ovpn data encryption' =3D> 'Crittografia del canale dati', +'ovpn data channel authentication' =3D> 'Autenticazione di dati e di canali', 'ovpn data channel' =3D> 'Canale-Dati', 'ovpn data channel fallback' =3D> 'Canale-Dati di riserva', 'ovpn advanced encryption' =3D> 'Impostazioni avanzate di crittografia', 
@@ -1715,7 +1716,7 @@ 'ovpn errmsg invalid data cipher input' =3D> 'La crittografia dati necessita= almeno un cifrario', 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ', 'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certifictae can take a long time.', -'ovpn ha' =3D> 'Hash algorithm', +'ovpn ha' =3D> 'Algoritmo di hash', 'ovpn hmac' =3D> 'HMAC options', 'ovpn log' =3D> 'OVPN-Log', 'ovpn mgmt in root range' =3D> 'A port number of 1024 or higher is required.= ', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 15482b7c7..b0f037e0c 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1664,6 +1664,7 @@ 'ovpn control channel v2' =3D> 'Controle-Kanaal TLSv2', 'ovpn control channel v3' =3D> 'Controle-Kanaal TLSv3', 'ovpn data encryption' =3D> 'Datakanaalversleuteling', +'ovpn data channel authentication' =3D> 'Gegevens en kanaal verificatie', 'ovpn data channel' =3D> 'Data-kanaal', 'ovpn data channel fallback' =3D> 'Data-Kanaal terugval', 'ovpn device' =3D> 'OpenVPN apparaat:', @@ -1671,6 +1672,7 @@ 'ovpn errmsg green already pushed' =3D> 'Route voor het groene netwerk is al= tijd aangezet', 'ovpn errmsg invalid data cipher input' =3D> 'De gegevens codering heeft ten= minste =C3=A9=C3=A9n codering nodig', 'ovpn errmsg invalid ip or mask' =3D> 'Ongeldig netwerkadres of subnetmasker= ', +'ovpn ha' =3D> 'Hash algoritme', 'ovpn log' =3D> 'OVPN-Log', 'ovpn mgmt in root range' =3D> 'Een poortnummer hoger dan 1024 is vereist.', 'ovpn mtu-disc' =3D> 'Pad MTU Discovery', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index a5bde2044..5e8ec0864 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl 
@@ -40,6 +40,7 @@ 'ovpn advanced encryption' =3D> 'Zaawansowane ustawienia szyfrowania', 'ovpn client version 25 cipher negotiation' =3D> 'Negocjowanie szyfrowania', 'ovpn client version 25 warning' =3D> 'Dost=C4=99pny z klientem w wersji 2.5= .0 i wy=C5=BCszej', +'ovpn crypt options' =3D> 'Opcje kryptograficzne', 'OpenVPN' =3D> 'OpenVPN', 'Pages' =3D> 'Stron', 'Ping' =3D> 'Ping :', @@ -1349,11 +1350,13 @@ 'ovpn control channel v2' =3D> 'Kana=C5=82-Kontrolny TLSv2', 'ovpn control channel v3' =3D> 'Kana=C5=82-Kontrolny TLSv3', 'ovpn data encryption' =3D> 'Szyfrowanie Kana=C5=82u-Danych', +'ovpn data channel authentication' =3D> 'Uwierzytelnianie danych i kana=C5= =82=C3=B3w', 'ovpn data channel' =3D> 'Kana=C5=82-Danych', 'ovpn data channel fallback' =3D> 'Awaria Kana=C5=82u-Danych', 'ovpn device' =3D> 'Urz=C4=85dzenie OpenVPN:', 'ovpn dl' =3D> 'Pobierz konfig OVPN', 'ovpn errmsg invalid data cipher input' =3D> 'Szyfr danych wymaga co najmnie= j jednego szyfru', +'ovpn ha' =3D> 'Algorytm haszyszowy', 'ovpn log' =3D> 'Log OVPN', 'ovpn on blue' =3D> 'OpenVPN na int. BLUE', 'ovpn on orange' =3D> 'OpenVPN na int. ORANGE', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 17666de80..6e3af2d7e 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl 
@@ -1340,6 +1340,7 @@ 'ovpn control channel v2' =3D> '=D0=9A=D0=B0=D0=BD=D0=B0=D0=BB-=D1=83=D0=BF= =D1=80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F TLSv2', 'ovpn control channel v3' =3D> '=D0=9A=D0=B0=D0=BD=D0=B0=D0=BB-=D1=83=D0=BF= =D1=80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F TLSv3', 'ovpn data encryption' =3D> '=D1=88=D0=B8=D1=84=D1=80=D0=BE=D0=B2=D0=B0=D0= =BD=D0=B8=D0=B5-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB=D0=BE=D0=B2 =D0=B4=D0=B0=D0=BD= =D0=BD=D1=8B=D1=85', +'ovpn data channel authentication' =3D> '=D0=90=D1=83=D1=82=D0=B5=D0=BD=D1= =82=D0=B8=D1=84=D0=B8=D0=BA=D0=B0=D1=86=D0=B8=D1=8F =D0=B4=D0=B0=D0=BD=D0=BD= =D1=8B=D1=85 =D0=B8 =D0=BA=D0=B0=D0=BD=D0=B0=D0=BB=D0=BE=D0=B2', 'ovpn data channel' =3D> '=D0=98=D0=BD=D1=84=D0=BE=D1=80=D0=BC=D0=B0=D1=86= =D0=B8=D0=BE=D0=BD=D0=BD=D1=8B=D0=B9-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB', 'ovpn data channel fallback' =3D> '=D0=98=D0=BD=D1=84=D0=BE=D1=80=D0=BC=D0= =B0=D1=86=D0=B8=D0=BE=D0=BD=D0=BD=D1=8B=D0=B9-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB = =D0=BE=D1=82=D1=81=D1=82=D1=83=D0=BF=D0=BB=D0=B5=D0=BD=D0=B8=D0=B5', 'ovpn device' =3D> '=D0=A3=D1=81=D1=82=D1=80=D0=BE=D0=B9=D1=81=D1=82=D0=B2= =D0=BE OpenVPN:', 
@@ -1347,6 +1348,7 @@ 'ovpn errmsg green already pushed' =3D> '=D0=9C=D0=B0=D1=80=D1=88=D1=80=D1= =83=D1=82 =D0=B4=D0=BB=D1=8F =D0=B7=D0=B5=D0=BB=D1=91=D0=BD=D0=BE=D0=B9 =D1= =81=D0=B5=D1=82=D0=B8 =D0=B2=D1=81=D0=B5=D0=B3=D0=B4=D0=B0 =D0=B2=D0=BA=D0=BB= =D1=8E=D1=87=D1=91=D0=BD', 'ovpn errmsg invalid data cipher input' =3D> '=D0=94=D0=BB=D1=8F =D1=88=D0= =B8=D1=84=D1=80=D0=B0 =D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85 =D0=BD=D1=83=D0=B6= =D0=B5=D0=BD =D1=85=D0=BE=D1=82=D1=8F =D0=B1=D1=8B =D0=BE=D0=B4=D0=B8=D0=BD = =D1=88=D0=B8=D1=84=D1=80', 'ovpn errmsg invalid ip or mask' =3D> '=D0=9D=D0=B5=D0=BF=D1=80=D0=B0=D0=B2= =D0=B8=D0=BB=D1=8C=D0=BD=D1=8B=D0=B9 =D0=B0=D0=B4=D1=80=D0=B5=D1=81 =D0=B8=D0= =BB=D0=B8 =D0=BC=D0=B0=D1=81=D0=BA=D0=B0 =D0=BF=D0=BE=D0=B4=D1=81=D1=82=D0=B8= ', +'ovpn ha' =3D> '=D1=85=D0=B5=D1=88-=D0=B0=D0=BB=D0=B3=D0=BE=D1=80=D0=B8=D1= =82=D0=BC', 'ovpn log' =3D> '=D0=96=D1=83=D1=80=D0=BD=D0=B0=D0=BB OVPN', 'ovpn on blue' =3D> 'OpenVPN =D0=BD=D0=B0 BLUE', 'ovpn on orange' =3D> 'OpenVPN =D0=BD=D0=B0 ORANGE', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 7df486bc8..e55a73aa3 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1849,6 +1849,7 @@ 'ovpn data channel' =3D> 'Veri-Kanal=C4=B1', 'ovpn data channel fallback' =3D> 'Veri-Kanal=C4=B1 geri d=C3=B6n=C3=BC=C5= =9F=C3=BC', 'ovpn data encryption' =3D> 'Veri-Kanal=C4=B1 =C5=9Fifreleme', +'ovpn data channel authentication' =3D> 'Veri ve kanal kimlik do=C4=9Frulama= s=C4=B1', 'ovpn device' =3D> 'OpenVPN ayg=C4=B1t=C4=B1:', 'ovpn dh' =3D> 'Diffie-Hellman parametre uzunlu=C4=9Fu', 'ovpn dh new key' =3D> 'Yeni Diffie-Hellman parametrelerini olu=C5=9Fturun', --=20 2.20.1 --===============8411822948010474290==--