OpenVPN-2.5.0 delivers ChaCha20-Poly1305 for the data channel. The Checcak (SHA3) and Blake for the hash message authentication code are newely integrated fully into Net-to-Net .
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 7a2f8a5a3..71cba6d88 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1028,10 +1028,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print SERVERCONF unless "# HMAC algorithm\n"; print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1133,10 +1134,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -2264,10 +2266,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; }
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || - ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } else { @@ -4875,6 +4878,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER' id="n2ncipher" required> + <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option> <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> @@ -4895,10 +4899,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td> <td><select name='DAUTH' id="n2nhmac" $hmacdisabled> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> + <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> @@ -4915,7 +4924,7 @@ print<<END; <script> var disable_options = false; document.getElementById('n2ncipher').onchange = function () { - if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) { document.getElementById('n2nhmac').setAttribute('disabled', true); } else { document.getElementById('n2nhmac').removeAttribute('disabled');