[v2,6/7] OpenVPN: Moved HMAC to advanced crypto section

Message ID 20201210165925.25037-6-erik.kapfer@ipfire.org

Commit Message

ummeegge Dec. 10, 2020, 4:59 p.m. UTC
- The --auth directive has been extended with the Keccak (SHA3) family,
and BLAKE2 has been integrated as well.
- The HMACs are now presented as a multi select for a better overview.
- Old default SHA512 has been kept.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 89 ++++++++++++++++++++++-----------------
 langs/de/cgi-bin/de.pl    |  1 +
 langs/en/cgi-bin/en.pl    |  1 +
 langs/es/cgi-bin/es.pl    |  2 +
 langs/fr/cgi-bin/fr.pl    |  1 +
 langs/it/cgi-bin/it.pl    |  3 +-
 langs/nl/cgi-bin/nl.pl    |  2 +
 langs/pl/cgi-bin/pl.pl    |  3 ++
 langs/ru/cgi-bin/ru.pl    |  2 +
 langs/tr/cgi-bin/tr.pl    |  1 +
 10 files changed, 65 insertions(+), 40 deletions(-)

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e248b3cbb..a80befdb6 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -958,6 +958,7 @@  if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 
+	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 
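Review bot: `$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};` stores the submitted digest name without checking it against the set the form offers, and the same applies to the `$confighash{$key}[39]` assignment in the hunk at 2979 and the `[39]` assignment in the hunk at 3038. The value is presumably written later into the generated OpenVPN configuration as the `auth` directive (that writer is outside this patch), so an unexpected POST value would land in that file and, at best, make OpenVPN reject it on the next start. A short whitelist before the assignment avoids this, e.g. `my %valid_auth = map { $_ => 1 } qw(BLAKE2b512 BLAKE2s256 SHA3-512 SHA3-384 SHA3-256 SHA512 SHA384 SHA256 whirlpool SHA1);` followed by `$cgiparams{'DAUTH'} = 'SHA512' unless $valid_auth{$cgiparams{'DAUTH'}};`. The enclosing `if` block continues beyond the hunk.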
@@ -1292,7 +1293,6 @@  if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
 
@@ -2979,6 +2979,7 @@  END
 		$key = &General::findhasharraykey (\%confighash);
 		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
 	}
+	$confighash{$key}[39] = $cgiparams{'DAUTH'};
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
 	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
@@ -2986,6 +2987,23 @@  END
 
 ADV_ENC_ERROR:
 
+	# Set default for hash message authentication code
+	if ($cgiparams{'DAUTH'} eq '') {
+		$cgiparams{'DAUTH'} =  'SHA512'; #[39];
+	}
+	$checked{'DAUTH'}{'BLAKE2b512'} = '';
+	$checked{'DAUTH'}{'BLAKE2s256'} = '';
+	$checked{'DAUTH'}{'SHA3-512'} = '';
+	$checked{'DAUTH'}{'SHA3-384'} = '';
+	$checked{'DAUTH'}{'SHA3-256'} = '';
+	$checked{'DAUTH'}{'SHA512'} = '';
+	$checked{'DAUTH'}{'SHA384'} = '';
+	$checked{'DAUTH'}{'SHA256'} = '';
+	$checked{'DAUTH'}{'whirlpool'} = '';
+	$checked{'DAUTH'}{'SHA1'} = '';
+	@temp = split('\|', $cgiparams{'DAUTH'});
+	foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+
 	# Set default for data-cipher-fallback (the old --cipher directive)
 	if ($cgiparams{'DCIPHER'} eq '') {
 		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
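Review bot: The `foreach my $key (@temp)` loop on the last added line reuses the name `$key`, which the code in the hunk at 2979 uses for the `%confighash` entry being edited; the loop variable is lexically scoped so nothing is clobbered, but a distinct name such as `foreach my $auth (@temp)` reads more safely next to `$confighash{$key}[39]`. `@temp` is assigned without `my`; assuming the file runs under `use strict` it must already be declared file-wide, and a lexical `my @temp = split(...)` here would still be clearer. The `split('\|', ...)` sets one `selected` flag per `|`-separated value, while the `<select>` added in the hunk at 3148 has no `multiple` attribute, so in practice a single value is expected — a one-line comment saying so would help the next reader. The removed block at 5396 defaulted to SHA1 for existing host connections; the unconditional SHA512 default here is reasonable, but the commit message should mention that existing client configurations issued with SHA1 may need to be regenerated. The code after `ADV_ENC_ERROR:` continues beyond the hunk.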
@@ -3038,11 +3056,13 @@  ADV_ENC_ERROR:
 
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
+		$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
 		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
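Review bot: `$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};` in the `else` branch runs after the `%checked{'DAUTH'}` flags were built from `$cgiparams{'DAUTH'}` in the hunk at 2987, so on a plain page load the stored digest would not be the one marked `selected` unless the flags are rebuilt later. The same ordering already applies to `DCIPHER` on the next line, so presumably the page handles this elsewhere; it is worth confirming that the stored HMAC is preselected when the encryption page is opened without saving. The enclosing `if`/`else` continues beyond the hunk.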
@@ -3148,6 +3168,35 @@  ADV_ENC_ERROR:
 
 	<br><br>
 
+	<h2>$Lang::tr{'ovpn crypt options'}:</h2>
+
+	<table width="100%">
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn ha'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td width="27%">$Lang::tr{'ovpn data channel authentication'}</td>
+				<td class='boldbase'>
+					<select name='DAUTH' size='6' style='width: 100%'>
+						<option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+						<option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+						<option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+						<option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+						<option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
+						<option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option>
+						<option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option>
+						<option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option>
+						<option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+						<option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
 	<hr>
 END
 ;
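Review bot: The SHA3-256 option reads `$checked{'DAUTH'}{'SHA-256'}`, but the flag set up in the hunk at 2987 is keyed `'SHA3-256'`, so a stored SHA3-256 choice is never rendered as selected; it should be `$checked{'DAUTH'}{'SHA3-256'}`. With no option selected, a subsequent save of this page would presumably submit an empty `DAUTH` and the default handling in that hunk would silently switch the stored digest to SHA512. The `<select name='DAUTH' size='6'>` has no `multiple` attribute, which is the right choice since `--auth` takes a single digest, but the commit message calls it a multi select — the wording should say "list box" to avoid suggesting several digests can be combined. The heredoc is closed by the `END` line inside the hunk; the statement that opens it starts before the hunk.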
@@ -4841,12 +4890,6 @@  if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
     $checked{'TLSAUTH'}{'off'} = '';
     $checked{'TLSAUTH'}{'on'} = '';
     $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
@@ -5396,18 +5439,6 @@  END
     if ($cgiparams{'MSSFIX'} eq '') {
 		$cgiparams{'MSSFIX'} = 'off';
     }
-	if ($cgiparams{'DAUTH'} eq '') {
-		if (-z "${General::swroot}/ovpn/ovpnconfig") {
-			$cgiparams{'DAUTH'} = 'SHA512';
-		}
-		foreach my $key (keys %confighash) {
-			if ($confighash{$key}[3] ne 'host') {
-				$cgiparams{'DAUTH'} = 'SHA512';
-			} else {
-				$cgiparams{'DAUTH'} = 'SHA1';
-			}
-		}
-	}
 	if ($cgiparams{'TLSAUTH'} eq '') {
 		$cgiparams{'TLSAUTH'} = 'off';
 	}
@@ -5428,13 +5459,6 @@  END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
     $checked{'TLSAUTH'}{'off'} = '';
     $checked{'TLSAUTH'}{'on'} = '';
     $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
@@ -5547,19 +5571,6 @@  END
 	</tr>
 	<tr><td colspan='1'><br></td></tr>
 
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn ha'}</td>
-		<td><select name='DAUTH'>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
-				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
-				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
-				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-	</tr>
-
-    <tr><td colspan='4'><br></td></tr>
 	<tr>
 		<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
 		<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cadf4b141..a4c166bfe 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1912,6 +1912,7 @@ 
 'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
 'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
 'ovpn data channel' => 'Daten-Kanal',
 'ovpn data channel fallback' => 'Daten-Kanal Fallback',
 'ovpn device' => 'OpenVPN-Gerät',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 4b667f881..dc324676a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1944,6 +1944,7 @@ 
 'ovpn control channel v2' => 'Control-Channel TLSv2',
 'ovpn control channel v3' => 'Control-Channel TLSv3',
 'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
 'ovpn data channel' => 'Data-Channel',
 'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 65505706c..1a0272b8a 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -1337,11 +1337,13 @@ 
 'ovpn control channel v2' => 'Canal-Control TLSv2',
 'ovpn control channel v3' => 'Canal-Control TLSv3',
 'ovpn data encryption' => 'Encriptación Data-Channel',
+'ovpn data channel authentication' => 'Autenticación de datos y canal',
 'ovpn data channel' => 'Canal-Datos',
 'ovpn data channel fallback' => 'Retroceso Canal-Datos',
 'ovpn device' => 'Dispositivo OpenVPN',
 'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado',
 'ovpn dl' => 'Configuración de descargas OVPN',
+'ovpn ha' => 'Algoritmo hash',
 'ovpn log' => 'Registro de log de OVPN',
 'ovpn on blue' => 'OpenVPN en BLUE',
 'ovpn on orange' => 'OpenVPN en ORANGE',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index cda133e5d..d5deea1c0 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1945,6 +1945,7 @@ 
 'ovpn control channel v2' => 'Canal de contrôle TLSv2',
 'ovpn control channel v3' => 'Canal de contrôle TLSv3',
 'ovpn data encryption' => 'Chiffrage du canal de données',
+'ovpn data channel authentication' => 'Authentification du canal et des données',
 'ovpn data channel' => 'Canal de données',
 'ovpn data channel fallback' => 'Canal de données de repli',
 'ovpn device' => 'Périphérique OpenVPN :',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 22ce7cd4d..ad16de583 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -44,6 +44,7 @@ 
 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta',
 'OVPN' => 'OpenVPN',
 'ovpn data encryption' => 'Crittografia del canale dati',
+'ovpn data channel authentication' => 'Autenticazione di dati e di canali',
 'ovpn data channel' => 'Canale-Dati',
 'ovpn data channel fallback' => 'Canale-Dati di riserva',
 'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia',
@@ -1715,7 +1716,7 @@ 
 'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
-'ovpn ha' => 'Hash algorithm',
+'ovpn ha' => 'Algoritmo di hash',
 'ovpn hmac' => 'HMAC options',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 15482b7c7..b0f037e0c 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -1664,6 +1664,7 @@ 
 'ovpn control channel v2' => 'Controle-Kanaal TLSv2',
 'ovpn control channel v3' => 'Controle-Kanaal TLSv3',
 'ovpn data encryption' => 'Datakanaalversleuteling',
+'ovpn data channel authentication' => 'Gegevens en kanaal verificatie',
 'ovpn data channel' => 'Data-kanaal',
 'ovpn data channel fallback' => 'Data-Kanaal terugval',
 'ovpn device' => 'OpenVPN apparaat:',
@@ -1671,6 +1672,7 @@ 
 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet',
 'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig',
 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker',
+'ovpn ha' => 'Hash algoritme',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.',
 'ovpn mtu-disc' => 'Pad MTU Discovery',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index a5bde2044..5e8ec0864 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -40,6 +40,7 @@ 
 'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania',
 'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania',
 'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej',
+'ovpn crypt options' => 'Opcje kryptograficzne',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Stron',
 'Ping' => 'Ping :',
@@ -1349,11 +1350,13 @@ 
 'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2',
 'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3',
 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
+'ovpn data channel authentication' => 'Uwierzytelnianie danych i kanałów',
 'ovpn data channel' => 'Kanał-Danych',
 'ovpn data channel fallback' => 'Awaria Kanału-Danych',
 'ovpn device' => 'Urządzenie OpenVPN:',
 'ovpn dl' => 'Pobierz konfig OVPN',
 'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru',
+'ovpn ha' => 'Algorytm haszyszowy',
 'ovpn log' => 'Log OVPN',
 'ovpn on blue' => 'OpenVPN na int. BLUE',
 'ovpn on orange' => 'OpenVPN na int. ORANGE',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 17666de80..6e3af2d7e 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -1340,6 +1340,7 @@ 
 'ovpn control channel v2' => 'Канал-управления TLSv2',
 'ovpn control channel v3' => 'Канал-управления TLSv3',
 'ovpn data encryption' => 'шифрование-каналов данных',
+'ovpn data channel authentication' => 'Аутентификация данных и каналов',
 'ovpn data channel' => 'Информационный-канал',
 'ovpn data channel fallback' => 'Информационный-канал отступление',
 'ovpn device' => 'Устройство OpenVPN:',
@@ -1347,6 +1348,7 @@ 
 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён',
 'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр',
 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти',
+'ovpn ha' => 'хеш-алгоритм',
 'ovpn log' => 'Журнал OVPN',
 'ovpn on blue' => 'OpenVPN на BLUE',
 'ovpn on orange' => 'OpenVPN на ORANGE',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 7df486bc8..e55a73aa3 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1849,6 +1849,7 @@ 
 'ovpn data channel' => 'Veri-Kanalı',
 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü',
 'ovpn data encryption' => 'Veri-Kanalı şifreleme',
+'ovpn data channel authentication' => 'Veri ve kanal kimlik doğrulaması',
 'ovpn device' => 'OpenVPN aygıtı:',
 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',