[PATCH] openvpn: Warning for broken algorithms .

[Erik Kapfer <erik.kapfer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5362 bytes --]

Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog
for version 2.5.8 gives hints to get rid of BF-CBC for default configuations,
a warning will be displayed in the WUI if the user is running
BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change
as soon as possible to another more secure algorithm.

The call of the pkiconfigcheck function is now located in the status page section.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++--
 langs/de/cgi-bin/de.pl    |  3 +++
 langs/en/cgi-bin/en.pl    |  3 +++
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dc429d90c..5c34a5f4d 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
-# Perform crypto and configration test
-&pkiconfigcheck;
 
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
@@ -240,6 +238,39 @@ sub pkiconfigcheck
 		}
 	}
 
+	# Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage
+	if (-f "${General::swroot}/ovpn/server.conf") {
+		my $oldciphers = "${General::swroot}/ovpn/server.conf";
+		open(FH, $oldciphers);
+		while(my $cipherstring = <FH>) {
+			if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+				my @tempcipherstring = split(" ", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+				goto CRYPTO_WARNING;
+			}
+		}
+		close(FH);
+	}
+
+	# Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage
+	if (-f "${General::swroot}/ovpn/ovpnconfig") {
+		my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
+		open(FH, $oldciphers);
+		while(my $cipherstring = <FH>) {
+			if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) {
+				my @tempcipherstring = split(",", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+				goto CRYPTO_WARNING;
+			}
+			if ($cipherstring =~ /SHA1/) {
+				my @tempcipherstring = split(",", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+				goto CRYPTO_WARNING;
+			}
+		}
+	}
+
+
 	CRYPTO_WARNING:
 }
 
@@ -5056,6 +5087,9 @@ END
     my @status = <FILE>;
     close(FILE);
 
+	# Perform crypto and configration test
+	&pkiconfigcheck;
+
     if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 		if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 		    my $ipaddr = <IPADDR>;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index abfba5d5e..bb675ec34 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1982,6 +1982,9 @@
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
+'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index bf18b22a2..9aaf3e765 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2035,6 +2035,9 @@
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
 'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>',
+'ovpn warning algorithm' => 'The following algorithm was configured',
+'ovpn warning algorithm n2n' => 'For the Net-to-Net connection',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
-- 
2.35.1