From patchwork Mon Feb 26 00:49:49 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller_via_Development?=
 <development@lists.ipfire.org>
X-Patchwork-Id: 1674
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.i.ipfire.org (Postfix) with ESMTP id D3EAC60AF8
	for <patchwork@web02.i.ipfire.org>;
	Sun, 25 Feb 2018 14:50:01 +0100 (CET)
X-Virus-Scanned: ClamAV at mail01.ipfire.org
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 53783111C4EE;
	Sun, 25 Feb 2018 13:50:17 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.ipfire.org;
	s=201801; t=1519566617; x=1522158617;
	bh=dxg+HzuhIAL/p4IG8h2fEDTzfkLYw/XsKOqgnQEo1NM=;
	h=To:Subject:Date:Message-Id:In-Reply-To:From:Reply-To:Sender:From:
	To:Cc:Date:Content-Type:Message-ID:In-Reply-To:Subject:Reply-To:
	Sender;
	b=glN7lZTh0vPsaPB+xG5ZWsLEE9lByMxgVrDHa+cAY4YVuQM9JfIdjIZF2PVUxWjxG
	4o/Gik7eb9OkwvO7UgSepFBU6D31LHLhqBOBS2AbONQuVtVZkN7LBKVX4/TNb9uEzf
	bVg5DLa7QCVNQ+OG+Q67xqkz++Zp9xaa3WS/UXOPEDTGGdfhxGjOrECyJK9xE4WfHx
	CSoV/PfTDudq22EXy4vb94MVX/ThyhHBJb8+HxaHl7x+Q9TNENzWAzW3YdxZvWdITG
	nnuFPZJUyfAi4FrTBCkHtUKHsWnMINFxIwIShJW1NbCYrC1v6/OOsE5gmiiVT/XaQW
	Afn901sEEz4MQ==
X-Virus-Scanned: ClamAV at mail01.ipfire.org
Received: from localhost.localdomain (i59F52A67.versanet.de [89.245.42.103])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id CD28C111C4E3;
	Sun, 25 Feb 2018 13:50:11 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ipfire.org; s=201801;
	t=1519566612; x=1522158612;
	bh=dxg+HzuhIAL/p4IG8h2fEDTzfkLYw/XsKOqgnQEo1NM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:From:To:Cc:Date:
	Content-Type:Message-ID:In-Reply-To:Subject:Reply-To:Sender;
	b=hpjTTzxwAvyoMHLWjoEcxoPNBzRUDbripQCnC5jgDCRWGn+thAvYRJIwKoQI07K9h
	sz5GyFMz7s82ofWyeE+OlVUE5NLVyxaxV6S5kwCLTmpspV5RHpZKukX+zwDsc6dfZR
	xaU41GhL2MeodvxfypIjaA84cpgmnuDVfv5Z6ODApfZrb/UtGm3RXASGTQcbWDEgSF
	FX9TXhJRVkrApJehCMX6g8B4/ACbc49/lrYLo2xnH+Ed9AkNJCHQ5pw9+zcQBVi/eg
	qciCke2xcMVmUpTuWV627WSfVuDrB8kU3b6kuOnIxUJ6/hNGRcxSkhEF+uxyRu6Gw1
	g1dudB7M9KmVA==
To: development@lists.ipfire.org
Subject: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW
Date: Sun, 25 Feb 2018 14:49:49 +0100
Message-Id: <1519566589-18901-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>
References: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
X-Patchwork-Original-From: Erik Kapfer via Development
 <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller_via_Development?=
 <development@lists.ipfire.org>
Reply-To: Erik Kapfer <erik.kapfer@ipfire.org>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.

HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
    'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
    which uses the configuered HMAC even AES-GCM has been applied.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 84 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 69 insertions(+), 15 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c52e8ba..ff3d055 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -970,12 +970,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
   print SERVERCONF "# Cipher\n"; 
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
-  if ($cgiparams{'DAUTH'} eq '') {
-	print SERVERCONF "auth SHA1\n";
+
+  # If GCM cipher is used, do not use --auth
+  if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+    print SERVERCONF unless "# HMAC algorithm\n";
+    print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
-	print SERVERCONF "# HMAC algorithm\n";
-	print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
+    print SERVERCONF "# HMAC algorithm\n";
+    print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
   }
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print SERVERCONF "# Enable Compression\n";
    print SERVERCONF "comp-lzo\n";
@@ -1076,12 +1082,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "# Cipher\n"; 
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
-  if ($cgiparams{'DAUTH'} eq '') {
-	print CLIENTCONF "auth SHA1\n";
+
+  # If GCM cipher is used, do not use --auth
+  if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+    print CLIENTCONF unless "# HMAC algorithm\n";
+    print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
-	print CLIENTCONF "# HMAC algorithm\n";
-	print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
+    print CLIENTCONF "# HMAC algorithm\n";
+    print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
   }
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print CLIENTCONF "# Enable Compression\n";
    print CLIENTCONF "comp-lzo\n";
@@ -2198,13 +2210,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
 	 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
    }
-   if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
-	print CLIENTCONF "# HMAC algorithm\n";
-	print CLIENTCONF "auth SHA1\n";
+
+   # If GCM cipher is used, do not use --auth
+   if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+        print CLIENTCONF unless "# HMAC algorithm\n";
+        print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    } else {
-   print CLIENTCONF "# HMAC algorithm\n";
-   print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
+        print CLIENTCONF "# HMAC algorithm\n";
+        print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    }
+
    if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
    print CLIENTCONF "# Enable Compression\n";
    print CLIENTCONF "comp-lzo\n";
@@ -4544,6 +4561,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
     }
     $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4629,6 +4649,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	    } else {
 		print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
 	    }
+
+		# If GCM ciphers are in usage, HMAC menu is disabled
+		my $hmacdisabled;
+		if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+				$hmacdisabled = "disabled='disabled'";
+		};
+
 	    print <<END;
 		    <td width='25%'>&nbsp;</td>
 		    <td width='25%'>&nbsp;</td></tr>	
@@ -4707,7 +4736,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	</tr>
 
 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
+		<td><select name='DCIPHER'  id="n2ncipher" required>
+				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
@@ -4724,7 +4756,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		</td>
 
 		<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
-		<td><select name='DAUTH'>
+		<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
 				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
 				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
 				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
@@ -4738,6 +4770,22 @@ if ($cgiparams{'TYPE'} eq 'net') {
 END
 ;
 	}
+
+#### JAVA SCRIPT ####
+# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
+print<<END;
+	<script>
+		var disable_options = false;
+		document.getElementById('n2ncipher').onchange = function () {
+			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+				document.getElementById('n2nhmac').setAttribute('disabled', true);
+			} else {
+				document.getElementById('n2nhmac').removeAttribute('disabled');
+			}
+		}
+	</script>
+END
+
 #jumper
 	print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
 	print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
@@ -5109,6 +5157,9 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5205,6 +5256,9 @@ END
 
 		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'>
+				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>