From patchwork Thu Mar 21 12:24:50 2024
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 7652
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitute the deprecated --cipher directive.
Date: Thu, 21 Mar 2024 13:24:50 +0100
Message-ID: <20240321122511.3287692-3-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
References: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

- Since the '--cipher' directive is deprecated as of OpenVPN version 2.5.0, it is now handled via '--data-cipher-fallback' to keep compatibility with already existing clients until version 2.3.x. The old 'DCIPHER' variable name has been kept and also uses the old settings file, but the directive has now been renamed from '--cipher' to '--data-cipher-fallback'. All new clients need to be at least at OpenVPN version 2.5.0, since the '--cipher' directive will no longer be printed into client.ovpn; instead only NCP is used.

- All old CBC ciphers, except the GCM family and CHACHA20-POLY1305 (AEAD ciphers), are now included in the '--data-ciphers-fallback' table, which is located beneath the data-channel ciphers in a separate table.

- With this patch all ciphers are now located under the "Advanced server options" and no longer under the "Global settings"; therefore, tls-auth needed to be rearranged in the "Global settings".
Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 51 insertions(+), 43 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 833ce8247..49ddae4ce 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -337,7 +337,10 @@ sub writeserverconf { @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g); print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + # The "--cipher" directive has been renamed to "--data-cipher-fallback" + # but uses the old setting files. This should deliver compatibility + # for already existing old clients back to OpenVPN version 2.3.x + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; my @temp=(); # data-ciphers needs at least one cipher @@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable 
@@ -2306,6 +2309,12 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } + # !!! With the update to version 2.6.x all new configured clients + # needs to be at least at OpenVPN version >= 2.5.0 cause the cipher + # directive is deprecated and reach his EOL with 2.7.x so only the + # following NCP will be used !!! + #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + # Data cipher negotiation # Set seperator ':' for --data-ciphers algorithms @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); @@ -2684,6 +2693,26 @@ ADV_ERROR: @temp = split('\|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + # All CBC ciphers are now in data-cipher-fallback section + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2772,6 +2801,7 @@ ADV_ERROR: $Lang::tr{'ovpn data channel'} + $Lang::tr{'ovpn data channel fallback'} @@ -2785,6 +2815,23 @@ ADV_ERROR: + + + + 
@@ -5250,24 +5297,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5391,29 +5420,6 @@ END - $Lang::tr{'cipher'} - - - - -
- $Lang::tr{'ovpn tls auth'} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7c8287510..92bacc0ef 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1959,6 +1959,7 @@ 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index cfa826245..2f517e79c 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2020,6 +2020,7 @@ 'ovpn crypt options' => 'Cryptographic options', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine',
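Review bot: in the writeserverconf hunk (@@ -337), the new comment names the directive `--data-cipher-fallback` (singular), while the line it documents, `print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";`, and the actual OpenVPN option are `data-ciphers-fallback`; the commit subject and first bullet use the singular form as well. Suggest correcting the comment and the commit message to `--data-ciphers-fallback` so that what is documented matches what ends up in the server configuration.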
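Review bot: in the save-adv-options hunk (@@ -819), `$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};` stores the submitted value without checking that it is one of the ciphers offered in the new select list, and that value is later written verbatim into the server configuration by the `data-ciphers-fallback` line in writeserverconf. The neighbouring DATACIPHERS handling already validates its input (`# data-ciphers needs at least one cipher`); suggest the same pattern here, rejecting the save with an ADV_ERROR when `$cgiparams{'DCIPHER'}` is not one of the keys initialised on `$selected{'DCIPHER'}`, so that an unexpected or empty value cannot yield a server configuration OpenVPN refuses to start with.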
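Review bot: in the client-config hunk (@@ -2306), `#print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";` is commented-out dead code; if the line is intentionally gone, delete it and keep a one-line comment stating the requirement. The comment text itself needs tidying (`reach his EOL` should read `reaches its EOL`, and the `!!!` markers add nothing). Since the generated client.ovpn now relies solely on NCP, consider surfacing the "OpenVPN >= 2.5.0 required" condition where the administrator downloads the client package, not only in a source comment, so it is clear that the server-side `data-ciphers-fallback` only helps clients that already hold an older configuration.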
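Review bot: in the ADV_ERROR defaults hunk (@@ -2684), the fallback select list offers 64-bit block ciphers (`DES-CBC`, `DES-EDE-CBC`, `DES-EDE3-CBC`, `DESX-CBC`, `BF-CBC`, `CAST5-CBC`) alongside `SEED-CBC`; given the stated purpose of the setting (compatibility with existing 2.3.x clients, which already support AES-CBC), listing them only widens what a legacy client can be negotiated down to. Suggest restricting the list to the AES-CBC entries (plus CAMELLIA-CBC if an installation needs it), or at least placing the weak entries last with a visible hint. Separately, the default `AES-256-CBC` is applied only when `$cgiparams{'DCIPHER'}` is empty, so a stored value that is not in this list ends up in `$selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';` on a key that is never rendered, leaving the select with no option marked while the server configuration keeps writing that value.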
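Review bot: in the global-settings hunk (@@ -5250), the removed list included `AES-256-GCM`, `AES-192-GCM` and `AES-128-GCM`, which are absent from the new fallback list, and nothing in the patch migrates an existing settings file whose DCIPHER still holds one of those values. Suggest a one-time mapping when the settings are read (for example, a GCM value or any value not in the new list falls back to the `AES-256-CBC` default), or a note in the commit message that administrators must re-save the advanced options after upgrading.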
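Review bot: for the de.pl and en.pl hunks, the new label `'ovpn data channel fallback' => 'Data-Channel fallback'` does not tell the administrator what the fallback is for; since the commit message ties it to clients older than OpenVPN 2.5.0, suggest a label (or an adjacent help text) that says so, e.g. "Data-Channel fallback (clients older than 2.5.0)", so that the setting is not mistaken for a second primary cipher choice.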