[v2,2/7] OpenVPN: Substitute --cipher with --data-cipher-fallback

Message ID 20201210165925.25037-2-erik.kapfer@ipfire.org
State Dropped
Series [v2,1/7] OpenVPN: Introduce advanced encryption section | expand

Commit Message

ummeegge Dec. 10, 2020, 4:59 p.m. UTC
- Since --cipher is deprecated as of OpenVPN 2.5.0 and its role is taken over by
--data-ciphers-fallback, the variable name and the config index have been kept,
but the emitted directive is renamed from --cipher to --data-ciphers-fallback.
The old default AES-256-CBC has also been kept.
- All old ciphers except the GCM family are included.

Code is needed to change in server.conf the directive from 'cipher'
to 'data-cipher-fallback' for the update process in update.sh.

Code start block:

/usr/local/bin/openvpnctrl -k > /dev/null
if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then
sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
fi
/usr/local/bin/openvpnctrl -s > /dev/null

Code block end

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 109 +++++++++++++++-----------------------
 langs/de/cgi-bin/de.pl    |   1 +
 langs/en/cgi-bin/en.pl    |   1 +
 langs/es/cgi-bin/es.pl    |   1 +
 langs/fr/cgi-bin/fr.pl    |   1 +
 langs/it/cgi-bin/it.pl    |   1 +
 langs/nl/cgi-bin/nl.pl    |   1 +
 langs/pl/cgi-bin/pl.pl    |   1 +
 langs/ru/cgi-bin/ru.pl    |   1 +
 langs/tr/cgi-bin/tr.pl    |   1 +
 10 files changed, 53 insertions(+), 65 deletions(-)

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 40ae58673..dbf8a8d2e 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -327,7 +327,7 @@  sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
+    print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
 
 	# Data channel encryption
 	# Set seperator for data ciphers
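Review bot: The directive written on the new line is `data-ciphers-fallback`, while the commit message names it `--data-cipher-fallback` and the update.sh snippet uses an unanchored `sed -i 's/cipher/data-ciphers-fallback/'`, which would also rewrite the first `cipher` in any other server.conf line containing that word (presumably the `data-ciphers` line emitted just below this hunk). The migration should match only the directive at line start, `sed -i 's/^cipher /data-ciphers-fallback /' /var/ipfire/ovpn/server.conf`, so an already-migrated or unrelated line is not corrupted. `$sovpnsettings{DCIPHER}` is interpolated here verbatim; whether the save path restricts it to the option list is not visible in this hunk. writeserverconf begins outside the hunk.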
@@ -928,6 +928,7 @@  if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 
+	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 
 	# --data-ciphers needs at least one cipher
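Review bot: The added line stores `$cgiparams{'DCIPHER'}` into the settings without any validation, whereas the comment directly below shows DATACIPHERS at least gets an emptiness check; because writeserverconf interpolates this value straight into server.conf, a list box with nothing selected (or an empty POST) would write a bare `data-ciphers-fallback ` line, and a crafted POST could inject arbitrary text into the OpenVPN configuration since nothing server-side enforces the form's single-select option list. Unless a check exists further down this handler (the rest of the block is outside the hunk), validate before storing: `my %fallback_ok = map { $_ => 1 } qw(AES-256-CBC AES-192-CBC AES-128-CBC CAMELLIA-256-CBC CAMELLIA-192-CBC CAMELLIA-128-CBC SEED-CBC DES-EDE3-CBC DESX-CBC DES-EDE-CBC BF-CBC CAST5-CBC);` and then `goto ADV_ENC_ERROR unless $fallback_ok{$cgiparams{'DCIPHER'}};` after setting whatever error message variable this handler uses. The default of AES-256-CBC is only applied later in the display code, so it does not protect this save path.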
@@ -1245,7 +1246,6 @@  if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
     $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
@@ -2915,10 +2915,30 @@  END
 		$key = &General::findhasharraykey (\%confighash);
 		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
 	}
+	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
 
 ADV_ENC_ERROR:
 
+	# Set default for data-cipher-fallback (the old --cipher directive)
+	if ($cgiparams{'DCIPHER'} eq '') {
+		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
+	}
+	$checked{'DCIPHER'}{'AES-256-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-192-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-128-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+	$checked{'DCIPHER'}{'SEED-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+	$checked{'DCIPHER'}{'DESX-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE-CBC'} = '';
+	$checked{'DCIPHER'}{'BF-CBC'} = '';
+	$checked{'DCIPHER'}{'CAST5-CBC'} = '';
+	@temp = split('\|', $cgiparams{'DCIPHER'});
+	foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; }
+
 	# Set default data channel ciphers
 	if ($cgiparams{'DATACIPHERS'} eq '') {
 		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
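Review bot: The split of `$cgiparams{'DCIPHER'}` on `|` and the loop marking every piece selected are copied from the DATACIPHERS handling, but `data-ciphers-fallback` takes exactly one cipher and the new `<select name='DCIPHER'>` has no `multiple` attribute, so a pipe-joined value can never come from the form and would yield an invalid server.conf line if it arrived anyway. Replace the split/loop with a single guarded assignment, `$checked{'DCIPHER'}{$cgiparams{'DCIPHER'}} = "selected='selected'" if exists $checked{'DCIPHER'}{$cgiparams{'DCIPHER'}};`, which also avoids autovivifying a key for an unknown value. The loop variable `my $key` shadows the `$key` obtained from findhasharraykey a few lines above; lexically harmless, but confusing in a block that writes `$confighash{$key}[40]`. Note that `[40]` is stored on the first added line before the AES-256-CBC default is applied after ADV_ENC_ERROR, so an empty submission stores '' while the page shows the default selected. The enclosing block continues past the hunk.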
@@ -2932,8 +2952,10 @@  ADV_ENC_ERROR:
 
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
 	} else {
+		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
 	}
 
@@ -2968,6 +2990,7 @@  ADV_ENC_ERROR:
 			<tr>
 				<th width="15%"></th>
 				<th>$Lang::tr{'ovpn data channel'}</th>
+				<th>$Lang::tr{'ovpn data channel fallback'}</th>
 			</tr>
 		</thead>
 		<tbody>
@@ -2981,7 +3004,25 @@  ADV_ENC_ERROR:
 						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
 					</select>
 				</td>
+
+				<td class='boldbase'>
+					<select name='DCIPHER' size='6' style='width: 100%'>
+						<option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+						<option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+						<option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+						<option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+				</td>
 			</tr>
+
 		</tbody>
 	</table>
 	<hr>
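Review bot: The `AES-128-CBC` option hard-codes the word `bit` instead of `$Lang::tr{'bit'}` like every sibling, the Camellia labels mix `Camellia-CBC` and `CAMELLIA-CBC`, and the CAST5 label uses `, ` where the other weak entries use ` - `; make them uniform, e.g. `128 $Lang::tr{'bit'} AES-CBC`. As a practitioner caveat, DES-EDE3, DESX, DES-EDE, BF and CAST5 are all 64-bit-block ciphers, and the fallback is exactly what clients that cannot negotiate ciphers end up using, so a comment above the select such as `# Fallback applies only to clients without cipher negotiation; the 64-bit-block ciphers below are exposed to SWEET32-style attacks on long-lived tunnels` would help the next maintainer decide whether to keep them. No server-side check that the submitted value is one of these options is visible in this patch.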
@@ -4677,28 +4718,6 @@  if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    # If no cipher has been chossen yet, select
-    # the old default (AES-256-CBC) for compatiblity reasons.
-    if ($cgiparams{'DCIPHER'} eq '') {
-	$cgiparams{'DCIPHER'} = 'AES-256-CBC';
-    }
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -5236,9 +5255,6 @@  END
     }
     
 #default setzen
-    if ($cgiparams{'DCIPHER'} eq '') {
-		$cgiparams{'DCIPHER'} =  'AES-256-CBC';
-    }
     if ($cgiparams{'DDEST_PORT'} eq '') {
 		$cgiparams{'DDEST_PORT'} =  '1194';
     }
@@ -5280,24 +5296,6 @@  END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -5427,26 +5425,6 @@  END
 				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
-
-		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
-				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
 	</tr>
 
     <tr><td colspan='4'><br></td></tr>
@@ -6002,3 +5980,4 @@  END
 
 &Header::closepage();
 
+
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 0d0705845..08827b08a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1910,6 +1910,7 @@ 
 'ovpn crypt options' => 'Kryptografieoptionen',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
 'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index affa43cd3..880cae5f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1942,6 +1942,7 @@ 
 'ovpn crypt options' => 'Cryptographic options',
 'ovpn data encryption' => 'Data-Channel encryption',
 'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 3d6efc21a..c86580e81 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -1333,6 +1333,7 @@ 
 'ovpn config' => 'Configruación de OVPN',
 'ovpn data encryption' => 'Encriptación Data-Channel',
 'ovpn data channel' => 'Canal-Datos',
+'ovpn data channel fallback' => 'Retroceso Canal-Datos',
 'ovpn device' => 'Dispositivo OpenVPN',
 'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado',
 'ovpn dl' => 'Configuración de descargas OVPN',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index df19ef316..1a1f37cbe 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1943,6 +1943,7 @@ 
 'ovpn crypt options' => 'Options cryptographiques',
 'ovpn data encryption' => 'Chiffrage du canal de données',
 'ovpn data channel' => 'Canal de données',
+'ovpn data channel fallback' => 'Canal de données de repli',
 'ovpn device' => 'Périphérique OpenVPN :',
 'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ',
 'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 1c190eff2..2c1dc9559 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -45,6 +45,7 @@ 
 'OVPN' => 'OpenVPN',
 'ovpn data encryption' => 'Crittografia del canale dati',
 'ovpn data channel' => 'Canale-Dati',
+'ovpn data channel fallback' => 'Canale-Dati di riserva',
 'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia',
 'ovpn client version 25 cipher negotiation' => 'Negozazione cirttografia',
 'ovpn client version 25 warning' => 'Disponibile con client 2.5.0 o più recente',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 8207399e2..635cbd3b8 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -1660,6 +1660,7 @@ 
 'ovpn config' => 'OVPN-Configuratie',
 'ovpn data encryption' => 'Datakanaalversleuteling',
 'ovpn data channel' => 'Data-kanaal',
+'ovpn data channel fallback' => 'Data-Kanaal terugval',
 'ovpn device' => 'OpenVPN apparaat:',
 'ovpn dl' => 'OVPN-Configuratie download',
 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index f9fbe57df..4ceaeef8a 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -1345,6 +1345,7 @@ 
 'ovpn config' => 'OVPN-Konfig',
 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
 'ovpn data channel' => 'Kanał-Danych',
+'ovpn data channel fallback' => 'Awaria Kanału-Danych',
 'ovpn device' => 'Urządzenie OpenVPN:',
 'ovpn dl' => 'Pobierz konfig OVPN',
 'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 700a8d838..1d81eb62c 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -1336,6 +1336,7 @@ 
 'ovpn config' => 'Настройки OVPN',
 'ovpn data encryption' => 'шифрование-каналов данных',
 'ovpn data channel' => 'Информационный-канал',
+'ovpn data channel fallback' => 'Информационный-канал отступление',
 'ovpn device' => 'Устройство OpenVPN:',
 'ovpn dl' => 'Загрузка настроек OVPN',
 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 0c64063c7..5fbd9f3d3 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1842,6 +1842,7 @@ 
 'ovpn config' => 'OVPN-Yapılandırması',
 'ovpn crypt options' => 'Şifreleme seçenekleri',
 'ovpn data channel' => 'Veri-Kanalı',
+'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü',
 'ovpn data encryption' => 'Veri-Kanalı şifreleme',
 'ovpn device' => 'OpenVPN aygıtı:',
 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',