From patchwork Wed Feb 14 23:45:13 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1661
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Introduce new AES-GCM cipher for N2N and RW
Date: Wed, 14 Feb 2018 13:45:13 +0100
Message-Id: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>

AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior sections.
The cipher menu description has been changed for N2N and RW since AES-GCM uses its own authenticated encryption (GMAC). More information can be found here: https://tools.ietf.org/html/rfc5288

Added a JavaScript snippet to disable the HMAC selection for N2N if AES-GCM has been selected.
The 'auth *' line in N2N.conf won't be deleted even if AES-GCM is used, so possible individual '--tls-auth' configurations won't break. The 'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no '--tls-auth' is configured.

Left the HMAC selection menu for Roadwarriors as it was, since the WUI does provide '--tls-auth', which uses the configured HMAC even if AES-GCM has been applied.

Signed-off-by: Erik Kapfer
---
 config/rootfiles/common/openssl-compat |  2 --
 html/cgi-bin/ovpnmain.cgi              | 32 ++++++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 4 deletions(-)
 delete mode 100644 config/rootfiles/common/openssl-compat
diff --git a/config/rootfiles/common/openssl-compat b/config/rootfiles/common/openssl-compat deleted file mode 100644 index 7ef11e6..0000000 --- a/config/rootfiles/common/openssl-compat +++ /dev/null @@ -1,2 +0,0 @@ -usr/lib/libcrypto.so.10 -usr/lib/libssl.so.10 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9f5e682..0a18ec7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'cipher'} - + + + @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'ovpn ha'}: - @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM is used, disable HMAC menu +print< + var disable_options = false; + document.getElementById('n2ncipher').onchange = function () { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -5108,6 +5130,9 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; 
@@ -5204,6 +5229,9 @@ END $Lang::tr{'cipher'}
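Review bot: the deletion of config/rootfiles/common/openssl-compat (dropping usr/lib/libcrypto.so.10 and usr/lib/libssl.so.10 from the rootfile) is unrelated to the OpenVPN cipher change in the subject and is not mentioned in the commit message; it alters what ships in the image and should go in a separate patch with its own rationale, or at least be explained in the message.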
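Review bot: in the @@ -4543 and @@ -5108 hunks the new keys are 'AES-256-GCM', 'AES-192-GCM' and 'AES-128-GCM', while the commit message says "128, 196 and 256 bit"; please align the message with the code (192).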
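Review bot: in the @@ -4737 hunk the HMAC menu is only toggled from the 'n2ncipher' onchange handler, so when the page is loaded with a GCM cipher already selected the 'n2nhmac' select stays enabled until the user changes the cipher; run the same check once after assigning the handler (e.g. by calling it on load). Also note that a disabled select is not submitted with the form, so the server side must tolerate an empty HMAC value when a GCM cipher is posted, and because this is client-side only it is a usability hint, not validation: the CGI should still check the posted cipher/HMAC pair itself. The variable 'disable_options' is declared but never used and can be dropped.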