From mboxrd@z Thu Jan  1 00:00:00 1970
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude
 the deprecated --cipher directive .
Date: Thu, 21 Mar 2024 13:24:50 +0100
Message-ID: <20240321122511.3287692-3-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5136382853373108198=="
List-Id: <development.lists.ipfire.org>

--===============5136382853373108198==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- Since the '--cipher' directive is with OpenVPN version 2.5.0 deprecated and=
 will be handled now via
'--data-cipher-fallback' to keep the compatibility with already existing clie=
nts until version 2.3.x.
The old 'DCIPHER' variable name has been kept and uses also the old setting f=
ile but
the directive has now be renamed from '--cipher' to '--data-cipher-fallback'.
All new clients needs to be at least at OpenVPN version 2.5.0 since the '--ci=
pher' directive
will no longer be printed into client.ovpn but uses instead only NCP.

- All old CBC ciphers except the GCM familiy and CHACHA20-POLY1305 (AEAD ciph=
ers),
are now included in the '--data-ciphers-fallback' table which is located bene=
ath the
data-channel ciphers in a separate table.

- With this patch all ciphers are now located under the "Advanced server opti=
ons" and no longer under
the "Global settings" therefor, tls-auth needed to be rearranged in the "Glob=
al settings".

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------
 langs/de/cgi-bin/de.pl    |  1 +
 langs/en/cgi-bin/en.pl    |  1 +
 3 files changed, 51 insertions(+), 43 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 833ce8247..49ddae4ce 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -337,7 +337,10 @@ sub writeserverconf {
     @advcipherchar =3D ($sovpnsettings{'DATACIPHERS'} =3D~ s/\|/:/g);
     print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
=20
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
+    # The "--cipher" directive has been renamed to "--data-cipher-fallback"
+    # but uses the old setting files. This should deliver compatibility
+    # for already existing old clients back to OpenVPN version 2.3.x
+    print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}=
) {
     $vpnsettings{'DHCP_WINS'} =3D $cgiparams{'DHCP_WINS'};
     $vpnsettings{'ROUTES_PUSH'} =3D $cgiparams{'ROUTES_PUSH'};
     $vpnsettings{'DATACIPHERS'} =3D $cgiparams{'DATACIPHERS'};
+    $vpnsettings{'DCIPHER'} =3D $cgiparams{'DCIPHER'};
     my @temp=3D();
=20
     # data-ciphers needs at least one cipher
@@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgipa=
rams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} =3D $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} =3D $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} =3D $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} =3D $cgiparams{'DCIPHER'};
     $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'};
 #wrtie enable
@@ -2306,6 +2309,12 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}=
}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add=
 file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
     }
=20
+    # !!! With the update to version 2.6.x all new configured clients
+    # needs to be at least at OpenVPN version >=3D 2.5.0 cause the cipher
+    # directive is deprecated and reach his EOL with 2.7.x so only the
+    # following NCP will be used !!!
+    #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
     # Data cipher negotiation
     # Set seperator ':' for --data-ciphers algorithms
     @advcipherchar =3D ($vpnsettings{'DATACIPHERS'} =3D~ s/\|/:/g);
@@ -2684,6 +2693,26 @@ ADV_ERROR:
     @temp =3D split('\|', $cgiparams{'DATACIPHERS'});
     foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} =3D "selected=3D'=
selected'"; }
=20
+    # Set default for data-cipher-fallback (the old --cipher directive)
+    if ($cgiparams{'DCIPHER'} eq '') {
+         $cgiparams{'DCIPHER'} =3D  'AES-256-CBC';
+    }
+    # All CBC ciphers are now in data-cipher-fallback section
+    $selected{'DCIPHER'}{'AES-256-CBC'} =3D '';
+    $selected{'DCIPHER'}{'AES-192-CBC'} =3D '';
+    $selected{'DCIPHER'}{'AES-128-CBC'} =3D '';
+    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D '';
+    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D '';
+    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D '';
+    $selected{'DCIPHER'}{'SEED-CBC'} =3D '';
+    $selected{'DCIPHER'}{'DES-CBC'} =3D '';
+    $selected{'DCIPHER'}{'DES-EDE3-CBC'} =3D '';
+    $selected{'DCIPHER'}{'DESX-CBC'} =3D '';
+    $selected{'DCIPHER'}{'DES-EDE-CBC'} =3D '';
+    $selected{'DCIPHER'}{'BF-CBC'} =3D '';
+    $selected{'DCIPHER'}{'CAST5-CBC'} =3D '';
+    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} =3D 'SELECTED';
+
     if ($cgiparams{'MAX_CLIENTS'} eq '') {
 		$cgiparams{'MAX_CLIENTS'} =3D  '100';
     }
@@ -2772,6 +2801,7 @@ ADV_ERROR:
                    <tr>
                         <th width=3D"15%"></th>
                         <th>$Lang::tr{'ovpn data channel'}</th>
+                        <th>$Lang::tr{'ovpn data channel fallback'}</th>
                    </tr>
               </thead>
               <tbody>
@@ -2785,6 +2815,23 @@ ADV_ERROR:
                                   <option value=3D'AES-128-GCM' $checked{'DA=
TACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
                              </select>
                         </td>
+
+                        <td class=3D'boldbase'>
+                             <select name=3D'DCIPHER' size=3D'6' style=3D'wi=
dth: 100%'>
+                                  <option value=3D'AES-256-CBC' $selected{'D=
CIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+                                  <option value=3D'AES-192-CBC' $selected{'D=
CIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+                                  <option value=3D'AES-128-CBC' $selected{'D=
CIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+                                  <option value=3D'CAMELLIA-256-CBC' $select=
ed{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+                                  <option value=3D'CAMELLIA-192-CBC' $select=
ed{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+                                  <option value=3D'CAMELLIA-128-CBC' $select=
ed{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+                                  <option value=3D'SEED-CBC' $selected{'DCIP=
HER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+                                  <option value=3D'DES-EDE3-CBC' $selected{'=
DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn =
weak'}</option>
+                                  <option value=3D'DESX-CBC' $selected{'DCIP=
HER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</opti=
on>
+                                  <option value=3D'DES-EDE-CBC' $selected{'D=
CIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn wea=
k'}</option>
+                                  <option value=3D'BF-CBC' $selected{'DCIPHE=
R'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+                                  <option value=3D'CAST5-CBC' $selected{'DCI=
PHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</op=
tion>
+                             </select>
+                        </td>
                    </tr>
               </tbody>
          </table>
@@ -5250,24 +5297,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} =3D '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED';
=20
-    $selected{'DCIPHER'}{'AES-256-GCM'} =3D '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} =3D '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} =3D '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} =3D '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} =3D '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} =3D '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} =3D '';
-    $selected{'DCIPHER'}{'DESX-CBC'} =3D '';
-    $selected{'DCIPHER'}{'SEED-CBC'} =3D '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} =3D '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} =3D '';
-    $selected{'DCIPHER'}{'BF-CBC'} =3D '';
-    $selected{'DCIPHER'}{'DES-CBC'} =3D '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} =3D 'SELECTED';
-
     $selected{'DAUTH'}{'whirlpool'} =3D '';
     $selected{'DAUTH'}{'SHA512'} =3D '';
     $selected{'DAUTH'}{'SHA384'} =3D '';
@@ -5391,29 +5420,6 @@ END
 			</select>
 		</td>
=20
-		<td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name=3D'DCIPHER'>
-				<option value=3D'AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GC=
M (256 $Lang::tr{'bit'})</option>
-				<option value=3D'AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GC=
M (192 $Lang::tr{'bit'})</option>
-				<option value=3D'AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GC=
M (128 $Lang::tr{'bit'})</option>
-				<option value=3D'CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CB=
C'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value=3D'CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CB=
C'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value=3D'CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CB=
C'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value=3D'AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CB=
C (256 $Lang::tr{'bit'})</option>
-				<option value=3D'AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CB=
C (192 $Lang::tr{'bit'})</option>
-				<option value=3D'AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CB=
C (128 $Lang::tr{'bit'})</option>
-				<option value=3D'SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (12=
8 $Lang::tr{'bit'})</option>
-				<option value=3D'DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-=
EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value=3D'DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (19=
2 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value=3D'DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-ED=
E-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value=3D'BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lan=
g::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value=3D'CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC =
(128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-	</tr>
-
-    <tr><td colspan=3D'4'><br></td></tr>
-	<tr>
 		<td class=3D'base'>$Lang::tr{'ovpn tls auth'}</td>
 		<td><input type=3D'checkbox' name=3D'TLSAUTH' $checked{'TLSAUTH'}{'on'} />=
</td>
 	</tr>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 7c8287510..92bacc0ef 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1959,6 +1959,7 @@
 'ovpn crypt options' =3D> 'Kryptografieoptionen',
 'ovpn data encryption' =3D> 'Daten-Kanal Verschl=C3=BCsselung',
 'ovpn data channel' =3D> 'Daten-Kanal',
+'ovpn data channel fallback' =3D> 'Daten-Kanal Fallback',
 'ovpn device' =3D> 'OpenVPN-Ger=C3=A4t',
 'ovpn dl' =3D> 'OVPN-Konfiguration downloaden',
 'ovpn engines' =3D> 'Krypto Engine',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index cfa826245..2f517e79c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2020,6 +2020,7 @@
 'ovpn crypt options' =3D> 'Cryptographic options',
 'ovpn data encryption' =3D> 'Data-Channel encryption',
 'ovpn data channel' =3D> 'Data-Channel',
+'ovpn data channel fallback' =3D> 'Data-Channel fallback',
 'ovpn device' =3D> 'OpenVPN device:',
 'ovpn dl' =3D> 'OVPN-Config Download',
 'ovpn engines' =3D> 'Crypto engine',
--=20
2.43.0


--===============5136382853373108198==--