From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) . Date: Thu, 21 Mar 2024 13:24:49 +0100 Message-ID: <20240321122511.3287692-2-erik.kapfer@ipfire.org> In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0256296371088999730==" List-Id: --===============0256296371088999730== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best cipher that is also available to them. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All = ciphers can be combined with one another or can also be selected separately. - The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefore '--ncp-disable' has been removed, which fixes the deprecation warning in the OpenVPN-2.5.0 server instance. - A new section in ovpnmain.cgi has been added under the "Advanced server opt= ions" where these changes take effect. Since all cryptographic options should step-b= y-step belong to the "Advanced server options" (like in IPSec) the name of this sect= ion "Cryptographic options" is the same as in the "Global Settings". - The new CHACHA20-POLY1305 cipher is integrated. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 4 ++ langs/en/cgi-bin/en.pl | 4 ++ 3 files changed, 97 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..833ce8247 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -80,6 +80,7 @@ my $col=3D""; my $local_serverconf =3D "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf =3D "${General::swroot}/ovpn/scripts/client.conf.local"; my $dhparameter =3D "/etc/ssl/ffdhe4096.pem"; +my @advcipherchar=3D(); =20 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} =3D 'off'; @@ -101,6 +102,7 @@ $cgiparams{'number'} =3D ''; $cgiparams{'DCIPHER'} =3D ''; $cgiparams{'DAUTH'} =3D ''; $cgiparams{'TLSAUTH'} =3D ''; +$cgiparams{'DATACIPHERS'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -329,7 +331,12 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; + + # Data channel encryption + # Set seperator ':' for data ciphers + @advcipherchar =3D ($sovpnsettings{'DATACIPHERS'} =3D~ s/\|/:/g); + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum @@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'= }) { $vpnsettings{'DHCP_DNS'} =3D $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} =3D $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} =3D $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'DATACIPHERS'} =3D $cgiparams{'DATACIPHERS'}; my @temp=3D(); =20 + # data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage =3D $Lang::tr{'ovpn errmsg invalid data cipher input'= }; + goto ADV_ERROR; + } + if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; } else { 
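Review bot: In writeserverconf, `@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);` assigns the number of substitutions, not the cipher list — the list itself is rewritten in place inside `%sovpnsettings` and `@advcipherchar` is never read afterwards, so the array (and the file-level `my @advcipherchar=();` added in the @@ -80 hunk) only obscures what happens. `$sovpnsettings{'DATACIPHERS'} =~ tr/|/:/;` performs the same conversion and says so; the client-config hunk at @@ -2291 uses the identical pattern. The converted value is then interpolated straight into `data-ciphers …\n`, so this sub depends entirely on the save handler keeping it to known cipher names. writeserverconf starts and ends outside the hunk.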
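Review bot: The save handler only rejects an empty `DATACIPHERS`; any other value the CGI parameter carries is stored in `%vpnsettings` and later written verbatim into server.conf and every generated client profile, so the check should also confine the `|`-separated entries to the four ciphers the form offers (the names are the ones reset in the @@ -2652 hunk). Doing the check before the `$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};` assignment keeps rejected input out of the settings hash even if the error path changes later. The existing error string covers both cases well enough, though a dedicated "unknown cipher" message would be clearer. The handler's body continues outside the hunk.
```perl
	$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
	# data-ciphers needs at least one cipher, and only ciphers the form offers
	my %valid_cipher = map { $_ => 1 } qw(AES-256-GCM AES-192-GCM AES-128-GCM ChaCha20-Poly1305);
	my @data_ciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
	if (!@data_ciphers || grep { !$valid_cipher{$_} } @data_ciphers) {
		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
		goto ADV_ERROR;
	}
	$vpnsettings{'DATACIPHERS'} = join('|', @data_ciphers);
	my @temp=();
	# … unchanged: FRAGMENT handling …
```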
@@ -2291,7 +2305,12 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or d= ie "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}= }[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add= file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Data cipher negotiation + # Set seperator ':' for --data-ciphers algorithms + @advcipherchar =3D ($vpnsettings{'DATACIPHERS'} =3D~ s/\|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; =20 if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2644,6 +2663,7 @@ END %cahash =3D (); %confighash =3D (); my $disabled; + my @temp=3D(); &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); read_routepushfile; =20 @@ -2652,6 +2672,18 @@ END # $cgiparams{'CLIENT2CLIENT'} =3D 'on'; # } ADV_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} =3D 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} =3D ''; + @temp =3D split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} =3D "selected=3D'= selected'"; } + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} =3D '100'; } 
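Review bot: `@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);` rewrites the `%vpnsettings` entry in place while the client profile is being generated, and `%vpnsettings` appears to be the same file-level hash the save handler at @@ -811 fills, so anything that reads or writes it later in the same request sees `:` instead of the stored `|` separator; convert into a local copy instead, `my $data_ciphers = $vpnsettings{'DATACIPHERS'} =~ s/\|/:/gr;` (`/r` needs Perl 5.14 or later) and print that. The profile now carries `data-ciphers` while the `cipher` line is dropped; `data-ciphers` is the OpenVPN 2.5 spelling and, as far as I know, 2.4 clients only understand the older `ncp-ciphers` name (which 2.5 still accepts as an alias), so if pre-2.5 clients must still connect, either emit `ncp-ciphers` or keep the `cipher` fallback — worth confirming against the client versions that are meant to be supported. The enclosing block continues outside the hunk.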
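Review bot: The block added after `ADV_ERROR:` (the `'ChaCha20-Poly1305|AES-256-GCM'` default, the four `$checked{'DATACIPHERS'}{…}` resets and the `split` loop) is added a second time, verbatim, in the @@ -2706 hunk, together with a second copy of the `MAX_CLIENTS` default that follows it; the same state is then computed twice per render and the default list has to be maintained in two places. Keep only this copy, which both the error path and the normal fall-through pass, and drop the one in @@ -2706. `split('\|', …)` works, but `split(/\|/, …)` is the conventional form. The surrounding handler continues outside the hunk.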
@@ -2706,9 +2738,64 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} =3D 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} =3D ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} =3D ''; + @temp =3D split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} =3D "selected=3D'= selected'"; } + + if ($cgiparams{'MAX_CLIENTS'} eq '') { + $cgiparams{'MAX_CLIENTS'} =3D '100'; + } +@@ -2706,9 +2738,45 @@ + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + print "
"; + print< + + + + + +
$Lang::tr{'ovpn advanced encryptio= n'}
+
+ + + + + + + + + + + + + +
$Lang::tr{'ovpn data channel'}
$Lang::tr{'ovpn= data encryption'} + +
+
+END +; + print < +
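Review bot: This hunk adds `+@@ -2706,9 +2738,45 @@`, `+ &Header::closebox();`, `+ }` and `+ &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});` as new lines, which reads like a stray copy of an earlier revision of the hunk's own header and context committed as code; unless this is an artifact of how the message was archived, applying it would put a literal `@@ -2706,9 +2738,45 @@` line and a second closebox/openbox pair into ovpnmain.cgi and the script would almost certainly no longer compile, so the patch should be regenerated from a clean working tree. The cipher-default block at the top of the hunk duplicates the one added after `ADV_ERROR:` in @@ -2652. The markup of the new "Cryptographic options" box is not legible in this copy of the message and could not be reviewed.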
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f13bddf4b..7c8287510 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1952,14 +1952,18 @@ 'override mtu' =3D> '=C3=9Cberschreibe Standard-MTU', 'ovpn' =3D> 'OpenVPN', 'ovpn add conf' =3D> 'Erweiterte Konfiguration', +'ovpn advanced encryption' =3D> 'Kryptografie Optionen', 'ovpn con stat' =3D> 'OpenVPN Verbindungs-Statistik', 'ovpn config' =3D> 'OVPN-Konfiguration', 'ovpn connection name' =3D> 'Verbindungs-Name', 'ovpn crypt options' =3D> 'Kryptografieoptionen', +'ovpn data encryption' =3D> 'Daten-Kanal Verschl=C3=BCsselung', +'ovpn data channel' =3D> 'Daten-Kanal', 'ovpn device' =3D> 'OpenVPN-Ger=C3=A4t', 'ovpn dl' =3D> 'OVPN-Konfiguration downloaden', 'ovpn engines' =3D> 'Krypto Engine', 'ovpn errmsg green already pushed' =3D> 'Route f=C3=BCr gr=C3=BCnes Netzwerk= wird immer gesetzt', +'ovpn errmsg invalid data cipher input' =3D> 'Die Daten-Kanal Verschl=C3=BCs= selung ben=C3=B6tigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' =3D> 'Ung=C3=BCltige Netzwerk-Adresse oder = Subnetzmaske', 'ovpn error md5' =3D> 'Das Host Zertifikat nutzt einen MD5 Algorithmus welch= er nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updat= en und generieren sie ein neues Root und Host Zertifikate.

Es m=C3=BC= ssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' =3D> 'Die Erzeugung der Roo= t- und Host-Zertifikate kann lange Zeit dauern.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0113f8811..cfa826245 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2013,14 +2013,18 @@ 'override mtu' =3D> 'Override default MTU', 'ovpn' =3D> 'OpenVPN', 'ovpn add conf' =3D> 'Additional configuration', +'ovpn advanced encryption' =3D> 'Cryptographic options', 'ovpn con stat' =3D> 'OpenVPN Connection Statistics', 'ovpn config' =3D> 'OVPN-Config', 'ovpn connection name' =3D> 'Connection Name', 'ovpn crypt options' =3D> 'Cryptographic options', +'ovpn data encryption' =3D> 'Data-Channel encryption', +'ovpn data channel' =3D> 'Data-Channel', 'ovpn device' =3D> 'OpenVPN device:', 'ovpn dl' =3D> 'OVPN-Config Download', 'ovpn engines' =3D> 'Crypto engine', 'ovpn errmsg green already pushed' =3D> 'Route for green network is always s= et', +'ovpn errmsg invalid data cipher input' =3D> 'The data-channel encryption ne= eds at least one cipher', 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ', 'ovpn error md5' =3D> 'You host certificate uses MD5 for the signature which= is not accepted anymore.
Please update to the latest IPFire version and = generate a new root and host certificate.

All OpenVPN clients needs t= hen to be renewed!
', 'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certificate can take a long time.', --=20 2.43.0 --===============0256296371088999730==--
$Lang::tr{'dhcp-options'}