From patchwork Thu Dec 10 16:59:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 3712 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CsKs117scz3wg0 for ; Thu, 10 Dec 2020 16:59:33 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4CsKs01KNbz12M; Thu, 10 Dec 2020 16:59:32 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CsKs00Yt2z2xny; Thu, 10 Dec 2020 16:59:32 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CsKrz4Dxtz2xZk for ; Thu, 10 Dec 2020 16:59:31 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4CsKry5kFFz8V; Thu, 10 Dec 2020 16:59:30 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1607619570; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+yZSxeYK4eIUW9hxoDos1ECDWbsPTv6Q6+Bme+MV5nw=; b=580ME5QaKswj/EhE7QKdDI6Zh9Zrfzlal+mo/cBUAOzYDorgGfsrE5d160QBHFd4CEyV7o bW2Tw5AewpW7TcBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1607619570; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+yZSxeYK4eIUW9hxoDos1ECDWbsPTv6Q6+Bme+MV5nw=; b=h28IELDMsXreDvIlNWm74fO/luTTBgCY53GwNQiJsG1ROKxd8cfuw8ddpWC3FLLdfNYHkA qgZM2wXBB+JJhTDqakh02cZq5VWLB/3d5LleoWCBDCKFx2fYeTuTjddWihr6BaPwEivyQb FsgTmBcx7VET5U6xbu86sdK6Lrs09KCcuOZdk1Wr8x6EcmKTrM4vxl6aPySAayz4Z2nSbg w2TUp1dNxqGD9nro6halNt659cywiTKOV1lGueEkq4rs0Gfw40paPBfcxbmqsEOMQUOXnO 5jvDEOJ3zi2yyjdtFuWOy0zvPE49oOLGUqAn0jh6VaD1OxaqgMzku+cqmqNWdw== From: ummeegge To: development@lists.ipfire.org Subject: [PATCH v2 1/7] OpenVPN: Introduce advanced encryption section Date: Thu, 10 Dec 2020 16:59:19 +0000 Message-Id: <20201210165925.25037-1-erik.kapfer@ipfire.org> In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org> References: <20201203120807.20694-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - The whole crypto section will be sorted out from the global section to an extra page while this patchset and a set of defaults should handle the encryption also for not experienced users. The WUI style has been adopted from the IPSec WUI. - The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best but also available cipher. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305. All ciphers can be combined with another. - The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor '--ncp-disable' has been removed which fixes the deprecation warning in the new OpenVPN-2.5.0 server instance. - While client generation the client version can be set via a checkbox which enables, if client is >=2.5.0 a full cipher negotiation by printing also the '--data-cipher algs' directive into the client.ovpn, if the client version <=2.5.0 (checkbox off), the old deprecated '--cipher alg' will be written. Existing clients can also subsequently be enhanced via editing the connection. Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 192 +++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 7 ++ langs/en/cgi-bin/en.pl | 7 ++ langs/es/cgi-bin/es.pl | 7 ++ langs/fr/cgi-bin/fr.pl | 7 ++ langs/it/cgi-bin/it.pl | 7 ++ langs/nl/cgi-bin/nl.pl | 7 ++ langs/pl/cgi-bin/pl.pl | 7 ++ langs/ru/cgi-bin/ru.pl | 7 ++ langs/tr/cgi-bin/tr.pl | 7 ++ 10 files changed, 251 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 68a70d147..40ae58673 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -75,6 +75,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my @advcipherchar=(); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -98,6 +99,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -325,8 +327,16 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + + # Data channel encryption + # Set seperator for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + # Add also algorithm from --cipher directive + if ($sovpnsettings{'DATACIPHERS'} ne '') { + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -911,6 +921,27 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { &writeserverconf();#hier ok } +### +### Save Advanced encryption +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + + # --data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ENC_ERROR; + } + + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); + &writeserverconf(); +} + +### End Save advanced encryption + ### # m.a.d net2net ### @@ -2344,7 +2375,16 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 in client.ovpn + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set seperator for --data-ciphers algorithms + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + } else { + print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2859,7 +2899,132 @@ END &Header::closebigbox(); &Header::closepage(); exit(0); - + +### +### Advanced encryption settings +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) { + %cgiparams = (); + %confighash = (); + my @temp=(); + my $disabled; + &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); + + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } + } + $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + +ADV_ENC_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42]; + } + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + @temp = split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + # Save settings and display default if not configured + if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + } else { + $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + } + +ADV_ENC_ERROR: + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage"; + print " "; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "$warnmessage"; + print " "; + &Header::closebox(); + } + + print "
"; + &Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:"); + print< + + + + + + + + + + + + + + + +
$Lang::tr{'ovpn data channel'}
$Lang::tr{'ovpn data encryption'} + +
+
+END +; + + if ( -e "/var/run/openvpn.pid") { + print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}


"; + print< + +   + + +   + + + +END +; + + } else { + print< + +   + + +   + + + +END +; + + } + + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + +### END advanced encryption # A.Marx CCD Add,delete or edit CCD net @@ -3595,6 +3760,8 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + # Index from [39] to [44] has been reserved by advanced encryption + $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -4338,6 +4505,8 @@ if ($cgiparams{'TYPE'} eq 'net') { if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { $confighash{$key}[41] = "no-pass"; } + # Index from [39] to [44] has been reserved by advanced encryption + $confighash{$key}[45] = $cgiparams{'CLIENTVERSION'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -4749,6 +4918,7 @@ if ($cgiparams{'TYPE'} eq 'host') { print"

"; my $name=$cgiparams{'CHECK1'}; $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED'; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; if (! -z "${General::swroot}/ovpn/ccd.conf"){ print""; @@ -4884,7 +5054,12 @@ if ($cgiparams{'TYPE'} eq 'host') { print < - + + + + +
$Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd clientip'}
Redirect Gateway:
Redirect Gateway:
$Lang::tr{'ovpn client version 25 cipher negotiation'}: +  $Lang::tr{'ovpn client version 25 warning'}

$Lang::tr{'ccd routes'}
 
$Lang::tr{'ccd iroute'}