From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 52f61e496df86f1a70fa9d468d64e756bdb66f4d Date: Sun, 25 Feb 2018 19:39:33 +0000 Message-ID: <20180225193933.DF942106D063@git01.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2012895344031492988==" List-Id: --===============2012895344031492988== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 52f61e496df86f1a70fa9d468d64e756bdb66f4d (commit) from 87484f5c784e013229bc6d32430cdc8eb7b8a709 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 52f61e496df86f1a70fa9d468d64e756bdb66f4d Author: Erik Kapfer via Development Date: Sun Feb 25 14:49:49 2018 +0100 OpenVPN: New AES-GCM cipher for N2N and RW =20 AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior= section. =20 HMAC selection for N2N will be disabled if AES-GCM is used since GCM prov= ides its own message authentication (GMAC). The 'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is= used since '--tls-auth' is not available for N2N. The HMAC selection menu for Roadwarriors is still available since '--tls-auth= ' is available for RWs and uses the configured HMAC even if AES-GCM has been applied. =20 Signed-off-by: Erik Kapfer 
Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: html/cgi-bin/ovpnmain.cgi | 84 ++++++++++++++++++++++++++++++++++++++-------= -- 1 file changed, 69 insertions(+), 15 deletions(-) Difference in files: diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c52e8bae9..ff3d05509 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -970,12 +970,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'= NAME'}"){mkdir "${General print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n";=20 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - if ($cgiparams{'DAUTH'} eq '') { - print SERVERCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print SERVERCONF unless "# HMAC algorithm\n"; + print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; 
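Review bot: The GCM branch of the new `if` writes nothing, but not for the reason the comment gives: `print SERVERCONF unless "# HMAC algorithm\n";` is a bare `print SERVERCONF` (which would print `$_`) guarded by a string literal that is always true, so both statements are dead code that reads as output; drop that branch and guard the two remaining prints with one condition such as `unless ($cgiparams{'DCIPHER'} =~ m{ \A AES-(?:128|192|256)-GCM \z }xms) {`, commented `# AES-GCM is an AEAD cipher and authenticates its own payload; --auth is only needed for non-GCM ciphers`. The same construct is repeated in the client-config hunk at -1076 and the download hunk at -2198, and the three-way `eq` comparison recurs again in the -4629 hunk, so a small `_is_gcm_cipher($cipher)` helper would keep all four in step. The old `auth SHA1` fallback for an empty `DAUTH` (empty field 39 in the -2198 hunk) is gone, so a CBC cipher with an unset HMAC now emits a bare `auth ` line; if older entries can have that field empty, restore the default, e.g. `my $auth = $cgiparams{'DAUTH'} || 'SHA1';`. The enclosing block starts and ends outside the hunk.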
@@ -1076,12 +1082,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams= {'NAME'}"){mkdir "${General print CLIENTCONF "# Cipher\n";=20 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.= p12\r\n"; - if ($cgiparams{'DAUTH'} eq '') { - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; 
@@ -2198,13 +2210,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgipar= ams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'K= EY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add fil= e $confighash{$cgiparams{'KEY'}}[1].p12\n"; } - if ($confighash{$cgiparams{'KEY'}}[39] eq '') { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -4544,6 +4561,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D 'checked=3D= \'checked\''; =20 + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; 
@@ -4629,6 +4649,15 @@ if ($cgiparams{'TYPE'} eq 'net') { } else { print ""; } + + # If GCM ciphers are in usage, HMAC menu is disabled + my $hmacdisabled; + if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + $hmacdisabled =3D "disabled=3D'disabled'"; + }; + print <   =09 @@ -4707,7 +4736,10 @@ if ($cgiparams{'TYPE'} eq 'net') { =20 $Lang::tr{'cipher'} - + + + @@ -4724,7 +4756,7 @@ if ($cgiparams{'TYPE'} eq 'net') { =20 $Lang::tr{'ovpn ha'}: - @@ -4738,6 +4770,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled oncha= nge +print< + var disable_options =3D false; + document.getElementById('n2ncipher').onchange =3D function () { + if((this.value =3D=3D "AES-256-GCM"||this.value =3D=3D "AES-192-GCM"||thi= s.value =3D=3D "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -5109,6 +5157,9 @@ END $selected{'DPROTOCOL'}{'tcp'} =3D ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED'; =20 + $selected{'DCIPHER'}{'AES-256-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-192-GCM'} =3D ''; + $selected{'DCIPHER'}{'AES-128-GCM'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; @@ -5205,6 +5256,9 @@ END =20 $Lang::tr{'cipher'}
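Review bot: `my $hmacdisabled;` in the -4629 hunk stays undef on the non-GCM path and is then interpolated into the heredoc, which under `use warnings` logs "Use of uninitialized value" for every CBC connection page; initialize it as `my $hmacdisabled = '';` and drop the stray `;` after the closing brace. The JavaScript in the -4738 hunk only greys out the `n2nhmac` select, so the server-side check in the conf writers is the one that enforces the rule; a disabled select is also not submitted by the browser, so `DAUTH` presumably arrives empty for GCM entries and any later code that reads field 39 of such an entry should tolerate an empty value. The hunks at -4707 and -4724 have had their markup stripped in this mail and cannot be reviewed here, and the hunk at -5205 is cut off at the end of the message.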