From patchwork Thu Dec 10 16:59:24 2020
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 3717
From: ummeegge
To: development@lists.ipfire.org
Subject: [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section
Date: Thu, 10 Dec 2020 16:59:24 +0000
Message-Id: <20201210165925.25037-6-erik.kapfer@ipfire.org>
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org> <20201210165925.25037-1-erik.kapfer@ipfire.org>

- The --auth directive has been enhanced with the Keccak (SHA3) family, but also BLAKE2 has been integrated.
- The HMACs now have multi-select for a better overview.
- Old default SHA512 has been kept.

Signed-off-by: ummeegge
---
 html/cgi-bin/ovpnmain.cgi | 89 ++++++++++++++++++++++-----------------
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 langs/es/cgi-bin/es.pl | 2 +
 langs/fr/cgi-bin/fr.pl | 1 +
 langs/it/cgi-bin/it.pl | 3 +-
 langs/nl/cgi-bin/nl.pl | 2 +
 langs/pl/cgi-bin/pl.pl | 3 ++
 langs/ru/cgi-bin/ru.pl | 2 +
 langs/tr/cgi-bin/tr.pl | 1 +
 10 files changed, 65 insertions(+), 40 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index e248b3cbb..a80befdb6 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -958,6 +958,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; 
@@ -1292,7 +1293,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable @@ -2979,6 +2979,7 @@ END $key = &General::findhasharraykey (\%confighash); foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } } + $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; @@ -2986,6 +2987,23 @@ END ADV_ENC_ERROR: + # Set default for hash message authentication code + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA512'; #[39]; + } + $checked{'DAUTH'}{'BLAKE2b512'} = ''; + $checked{'DAUTH'}{'BLAKE2s256'} = ''; + $checked{'DAUTH'}{'SHA3-512'} = ''; + $checked{'DAUTH'}{'SHA3-384'} = ''; + $checked{'DAUTH'}{'SHA3-256'} = ''; + $checked{'DAUTH'}{'SHA512'} = ''; + $checked{'DAUTH'}{'SHA384'} = ''; + $checked{'DAUTH'}{'SHA256'} = ''; + $checked{'DAUTH'}{'whirlpool'} = ''; + $checked{'DAUTH'}{'SHA1'} = ''; + @temp = split('\|', $cgiparams{'DAUTH'}); + foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] 
@@ -3038,11 +3056,13 @@ ADV_ENC_ERROR: # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { + $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; @@ -3148,6 +3168,35 @@ ADV_ENC_ERROR:

+

$Lang::tr{'ovpn crypt options'}:

+ + + + + + + + + + + + + + +
$Lang::tr{'ovpn ha'}
$Lang::tr{'ovpn data channel authentication'} + +

END ; @@ -4841,12 +4890,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -5396,18 +5439,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} = 'off'; } - if ($cgiparams{'DAUTH'} eq '') { - if (-z "${General::swroot}/ovpn/ovpnconfig") { - $cgiparams{'DAUTH'} = 'SHA512'; - } - foreach my $key (keys %confighash) { - if ($confighash{$key}[3] ne 'host') { - $cgiparams{'DAUTH'} = 'SHA512'; - } else { - $cgiparams{'DAUTH'} = 'SHA1'; - } - } - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } @@ -5428,13 +5459,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -5547,19 +5571,6 @@ END
- - $Lang::tr{'ovpn ha'} - - - - -
$Lang::tr{'ovpn tls auth'} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cadf4b141..a4c166bfe 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1912,6 +1912,7 @@ 'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', 'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', 'ovpn data channel' => 'Daten-Kanal', 'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4b667f881..dc324676a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1944,6 +1944,7 @@ 'ovpn control channel v2' => 'Control-Channel TLSv2', 'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel authentication' => 'Data and channel authentication', 'ovpn data channel' => 'Data-Channel', 'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 65505706c..1a0272b8a 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1337,11 +1337,13 @@ 'ovpn control channel v2' => 'Canal-Control TLSv2', 'ovpn control channel v3' => 'Canal-Control TLSv3', 'ovpn data encryption' => 'Encriptación Data-Channel', +'ovpn data channel authentication' => 'Autenticación de datos y canal', 'ovpn data channel' => 'Canal-Datos', 'ovpn data channel fallback' => 'Retroceso Canal-Datos', 'ovpn device' => 'Dispositivo OpenVPN', 'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado', 'ovpn dl' => 'Configuración de descargas OVPN', +'ovpn ha' => 'Algoritmo hash', 'ovpn log' => 'Registro de log de OVPN', 'ovpn on blue' => 'OpenVPN en BLUE', 'ovpn on orange' => 'OpenVPN en ORANGE', 
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index cda133e5d..d5deea1c0 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1945,6 +1945,7 @@ 'ovpn control channel v2' => 'Canal de contrôle TLSv2', 'ovpn control channel v3' => 'Canal de contrôle TLSv3', 'ovpn data encryption' => 'Chiffrage du canal de données', +'ovpn data channel authentication' => 'Authentification du canal et des données', 'ovpn data channel' => 'Canal de données', 'ovpn data channel fallback' => 'Canal de données de repli', 'ovpn device' => 'Périphérique OpenVPN :', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 22ce7cd4d..ad16de583 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -44,6 +44,7 @@ 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta', 'OVPN' => 'OpenVPN', 'ovpn data encryption' => 'Crittografia del canale dati', +'ovpn data channel authentication' => 'Autenticazione di dati e di canali', 'ovpn data channel' => 'Canale-Dati', 'ovpn data channel fallback' => 'Canale-Dati di riserva', 'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia', @@ -1715,7 +1716,7 @@ 'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', -'ovpn ha' => 'Hash algorithm', +'ovpn ha' => 'Algoritmo di hash', 'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 15482b7c7..b0f037e0c 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -1664,6 +1664,7 @@ 'ovpn control channel v2' => 'Controle-Kanaal TLSv2', 'ovpn control channel v3' => 'Controle-Kanaal TLSv3', 'ovpn data encryption' => 'Datakanaalversleuteling', +'ovpn data channel authentication' => 'Gegevens en kanaal verificatie', 'ovpn data channel' => 'Data-kanaal', 'ovpn data channel fallback' => 'Data-Kanaal terugval', 'ovpn device' => 'OpenVPN apparaat:', @@ -1671,6 +1672,7 @@ 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet', 'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig', 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker', +'ovpn ha' => 'Hash algoritme', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.', 'ovpn mtu-disc' => 'Pad MTU Discovery', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index a5bde2044..5e8ec0864 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -40,6 +40,7 @@ 'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania', 'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania', 'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej', +'ovpn crypt options' => 'Opcje kryptograficzne', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Stron', 'Ping' => 'Ping :', 
@@ -1349,11 +1350,13 @@ 'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2', 'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3', 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', +'ovpn data channel authentication' => 'Uwierzytelnianie danych i kanałów', 'ovpn data channel' => 'Kanał-Danych', 'ovpn data channel fallback' => 'Awaria Kanału-Danych', 'ovpn device' => 'Urządzenie OpenVPN:', 'ovpn dl' => 'Pobierz konfig OVPN', 'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru', +'ovpn ha' => 'Algorytm haszyszowy', 'ovpn log' => 'Log OVPN', 'ovpn on blue' => 'OpenVPN na int. BLUE', 'ovpn on orange' => 'OpenVPN na int. ORANGE', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 17666de80..6e3af2d7e 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -1340,6 +1340,7 @@ 'ovpn control channel v2' => 'Канал-управления TLSv2', 'ovpn control channel v3' => 'Канал-управления TLSv3', 'ovpn data encryption' => 'шифрование-каналов данных', +'ovpn data channel authentication' => 'Аутентификация данных и каналов', 'ovpn data channel' => 'Информационный-канал', 'ovpn data channel fallback' => 'Информационный-канал отступление', 'ovpn device' => 'Устройство OpenVPN:', @@ -1347,6 +1348,7 @@ 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён', 'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр', 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти', +'ovpn ha' => 'хеш-алгоритм', 'ovpn log' => 'Журнал OVPN', 'ovpn on blue' => 'OpenVPN на BLUE', 'ovpn on orange' => 'OpenVPN на ORANGE', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 7df486bc8..e55a73aa3 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl 
@@ -1849,6 +1849,7 @@ 'ovpn data channel' => 'Veri-Kanalı', 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü', 'ovpn data encryption' => 'Veri-Kanalı şifreleme', +'ovpn data channel authentication' => 'Veri ve kanal kimlik doğrulaması', 'ovpn device' => 'OpenVPN aygıtı:', 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
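Review bot: in the ovpnmain.cgi hunk @@ -958,6 +958,7 @@, the submitted value is copied straight from `$cgiparams{'DAUTH'}` into `$vpnsettings{'DAUTH'}` with no visible check, and the same unvalidated value is stored into `$confighash{$key}[39]` in the @@ -2979 and @@ -3038 hunks. Wherever this setting is later written out as the --auth argument of the generated OpenVPN configuration, it should first be validated against the fixed list of digest names the @@ -2986 hunk initialises in `$checked{'DAUTH'}` (BLAKE2b512 through SHA1), rejecting anything else with an error in the way the existing 'ovpn errmsg invalid data cipher input' message does for the data-cipher field.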
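Review bot: in the ovpnmain.cgi hunk @@ -2986,6 +2987,23 @@, `@temp = split('\|', $cgiparams{'DAUTH'});` together with the commit message's "multi select" means DAUTH may now carry several pipe-separated digest names, but OpenVPN's --auth directive accepts exactly one algorithm. Either limit the select to a single value, or state which of the selected entries is written to the `auth` line and what is done with the others; as written, a multi-value DAUTH can produce a configuration line OpenVPN will not accept.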
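Review bot: the ovpnmain.cgi hunk @@ -5396,18 +5439,6 @@ removes the logic that defaulted an empty DAUTH to 'SHA1' for entries of type 'host', while the new default in the @@ -2986 hunk (`$cgiparams{'DAUTH'} = 'SHA512';`) applies unconditionally. Existing connections that were created with the old SHA1 default and whose client-side files still say `auth SHA1` would no longer match the server's setting after this change; the commit message should mention this behaviour change, or the patch should carry the stored per-connection value forward instead of re-defaulting it.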
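Review bot: in the langs/en/cgi-bin/en.pl hunk, the value 'Data and channel authentication' for the key 'ovpn data channel authentication' reads as if two separate things were authenticated; the key itself and the neighbouring entries ('Data-Channel encryption', 'Data-Channel fallback') suggest 'Data-Channel authentication'. The es, fr, it, nl, pl, ru and tr strings added in the following hunks all translate the 'data and channel' wording and should be corrected together with the English source.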
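Review bot: in the langs/de/cgi-bin/de.pl hunk, 'Daten-Kontrol Kanal Authentifikation' misspells 'Kontroll' and names the control channel although the key is 'ovpn data channel authentication'; 'Daten-Kanal Authentifizierung' would match the existing 'Daten-Kanal Verschlüsselung' entry directly above it.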
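Review bot: in the second langs/pl/cgi-bin/pl.pl hunk (@@ -1349,11 +1350,13 @@), 'Algorytm haszyszowy' is a mistranslation: 'haszysz' means hashish, not hash. 'Algorytm haszujący' or 'Algorytm skrótu' is the Polish term for a hash algorithm.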