From patchwork Thu Dec 10 16:59:22 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Erik Kapfer <erik.kapfer@ipfire.org>
X-Patchwork-Id: 3715
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CsKs62196z3wx8
	for <patchwork@web04.haj.ipfire.org>; Thu, 10 Dec 2020 16:59:38 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4CsKs44mZTz2pC;
	Thu, 10 Dec 2020 16:59:36 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CsKs43JQ0z2yC8;
	Thu, 10 Dec 2020 16:59:36 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CsKs338gRz2xZk
 for <development@lists.ipfire.org>; Thu, 10 Dec 2020 16:59:35 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4CsKs31pbyz1V4;
 Thu, 10 Dec 2020 16:59:35 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1607619575;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=nAKh2W5b4kG24ZWhIvp8KLqMYJA39sdK6EVwzreBPDc=;
 b=h2CIlot1y7M2u0EVmrlH9+zyqixIQ8mb/2dz4940/mL07u0utsox2fJRDCg+m9Os51neh2
 GtB+m7PnBGhrRbBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1607619575;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=nAKh2W5b4kG24ZWhIvp8KLqMYJA39sdK6EVwzreBPDc=;
 b=IkvI1NaHJNe5dxzo0IfIBxlXiA590JFnVNepmUeHRs++dHvNTT42+xrjXE57dVKTcIjfiZ
 wDBM6zaSNhxFkQUgWTsq8FQdY5s+NCWgnp3hLxOwFqJdstOBz8W4glAwd4RFrUQaCpI9NN
 9sp08j9DPafZ38NUipcTTVymA5srLUAmw6NWFuh6VKE4rUTAwy++OioLe7cuY9ziXxErEZ
 2x+39pzR5HDOXIpYvFPy1+/mNngmxkaQRoE35vIuz2DMkOzs1Lz2AC2i6VO+t3GkWNej/U
 P3A3nE2nTkyCkrz3Iv78qeumiDs9MFG0XqMizvXO4YdskpIwGveSt9Az3NSJHA==
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 4/7] OpenVPN: New ciphers and HMACs for N2N
Date: Thu, 10 Dec 2020 16:59:22 +0000
Message-Id: <20201210165925.25037-4-erik.kapfer@ipfire.org>
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org>
 <20201210165925.25037-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

OpenVPN-2.5.0 delivers ChaCha20-Poly1305 for the data channel.
The Checcak (SHA3) and Blake for the hash message authentication code
are newely integrated fully into Net-to-Net .

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 7a2f8a5a3..71cba6d88 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1028,10 +1028,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "# Cipher\n"; 
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print SERVERCONF unless "# HMAC algorithm\n";
     print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1133,10 +1134,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print CLIENTCONF unless "# HMAC algorithm\n";
     print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -2264,10 +2266,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
    }
 
-   # If GCM cipher is used, do not use --auth
+   # If AEAD cipher is used, do not use --auth
    if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
        ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
-       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
         print CLIENTCONF unless "# HMAC algorithm\n";
         print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    } else {
@@ -4875,6 +4878,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'  id="n2ncipher" required>
+				<option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
 				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
 				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
 				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
@@ -4895,10 +4899,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 		<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
 		<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+				<option value='BLAKE2b512'    $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+				<option value='BLAKE2s256'    $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+				<option value='SHA3-512'    $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+				<option value='SHA3-384'    $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+				<option value='SHA3-256'    $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> 
 				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
 				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
 				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
 				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
@@ -4915,7 +4924,7 @@ print<<END;
 	<script>
 		var disable_options = false;
 		document.getElementById('n2ncipher').onchange = function () {
-			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
 				document.getElementById('n2nhmac').setAttribute('disabled', true);
 			} else {
 				document.getElementById('n2nhmac').removeAttribute('disabled');