From patchwork Thu Feb 15 01:40:53 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1662
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH v2] OpenVPN: Introduce new AES-GCM cipher for N2N and RW
Date: Wed, 14 Feb 2018 15:40:53 +0100
Message-Id: <1518619253-22278-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>
References: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior sections. The cipher menu description has been changed for N2N and RW since AES-GCM uses its own authenticated encryption (GMAC). More information can be found at https://tools.ietf.org/html/rfc5288.

Added a JavaScript snippet to disable the HMAC selection for N2N if AES-GCM has been selected. The 'auth *' line in N2N.conf won't be deleted even if AES-GCM is used, so possible individual '--tls-auth' configurations won't break. The 'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no '--tls-auth' is configured.

Left the HMAC selection menu for Roadwarriors as it was, since the WUI does provide '--tls-auth', which uses the configured HMAC even if AES-GCM has been applied.
Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9f5e682..0a18ec7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'cipher'} - + + + @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'ovpn ha'}: - @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM is used, disable HMAC menu +print< + var disable_options = false; + document.getElementById('n2ncipher').onchange = function () { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -5108,6 +5130,9 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -5204,6 +5229,9 @@ END $Lang::tr{'cipher'}
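Review bot: the commit message says "AES-GCM 128, 196 and 256 bit", but the hunk at @@ -4543,6 +4543,9 @@ (and its Roadwarrior twin at 5130) registers `$selected{'DCIPHER'}{'AES-192-GCM'} = '';`; please correct the message to 192 so the description matches the option actually added.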
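Review bot: in the JavaScript hunk at @@ -4737,6 +4743,22 @@ the `onchange` handler only fires when the user changes the cipher, so an existing N2N connection that already has a GCM cipher is opened for editing with the HMAC menu still enabled until the select is touched; move the body into a named function and call it once after the assignment (e.g. `document.getElementById('n2ncipher').onchange();`) so the page loads in a consistent state. `var disable_options = false;` is never used and can be dropped, and `setAttribute('disabled', true)` is more idiomatically written as `.disabled = true` / `.disabled = false`. Also note that a disabled `<select>` is not submitted with the form, so the Perl code that writes the `auth` line has to cope with the HMAC parameter being absent when GCM is chosen; this hunk contains no server-side change for that, and the client-side disabling is only a UX aid, so the CGI should validate the cipher/HMAC combination it actually receives.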
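Review bot: the three `$selected{'DCIPHER'}{'AES-*-GCM'} = '';` lines in the hunk at @@ -5108,6 +5130,9 @@ duplicate the N2N hunk at 4543 exactly, as do the CAMELLIA lines below them; initializing both sections from one shared list of cipher names would keep N2N and Roadwarrior from drifting apart the next time a cipher is added.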
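The commit message relies on one rule: an AEAD cipher such as AES-GCM authenticates the data channel itself, so `auth` is ignored there, while `auth` still selects the HMAC used by `tls-auth` on the control channel. The following lint, added here as an example and not code from the IPFire patch or project, reads an OpenVPN config and reports which digest is actually in effect on each channel, flagging the two cases the message describes (an `auth` line that has no effect, and a `tls-auth` whose HMAC silently falls back to the default). The AEAD cipher list and the SHA1 default for `auth` follow OpenVPN's documented behaviour; the sample configs and the `/path/to/ta.key` path are constructed for the example.

```javascript
// Added example, not code from the IPFire patch or project: a small lint over
// an OpenVPN config that reports which digest protects each channel.

// Data-channel ciphers whose built-in tag makes 'auth' irrelevant for that channel.
const AEAD_CIPHERS = new Set(["AES-256-GCM", "AES-192-GCM", "AES-128-GCM"]);

// OpenVPN's default digest when no 'auth' line is present.
const DEFAULT_AUTH = "SHA1";

// Parse "option value..." lines into an object. '#' and ';' start comments.
// Inline <ca>/<cert> blocks are not handled; this is enough for the options below.
function parseOvpnConfig(text) {
  const opts = {};
  for (const raw of text.split("\n")) {
    const line = raw.replace(/[#;].*$/, "").trim();
    if (!line) continue;
    const [key, ...rest] = line.split(/\s+/);
    opts[key.toLowerCase()] = rest.join(" ");
  }
  return opts;
}

// Work out the effective digest per channel and collect findings a reviewer
// would want flagged.
function checkCipherAuth(text) {
  const opts = parseOvpnConfig(text);
  const cipher = (opts.cipher || "").toUpperCase();
  const aead = AEAD_CIPHERS.has(cipher);
  const hasAuth = "auth" in opts;
  const hasTlsAuth = "tls-auth" in opts;
  const authDigest = hasAuth ? opts.auth.toUpperCase() : DEFAULT_AUTH;
  const findings = [];

  if (aead && hasAuth && !hasTlsAuth) {
    findings.push("auth line has no effect: AEAD cipher and no tls-auth");
  }
  if (aead && hasTlsAuth && !hasAuth) {
    findings.push(`tls-auth HMAC falls back to ${DEFAULT_AUTH}: add an explicit auth line`);
  }
  if (!aead && !hasAuth) {
    findings.push(`data-channel HMAC falls back to ${DEFAULT_AUTH}`);
  }

  return {
    cipher,
    aead,
    dataChannelAuth: aead ? `AEAD tag (${cipher})` : authDigest,
    controlChannelAuth: hasTlsAuth ? authDigest : "TLS only (no tls-auth)",
    findings,
  };
}

// Constructed sample configs (paths and settings are made up for the example).
const SAMPLE_GCM_TLS_AUTH = `
dev tun
cipher AES-256-GCM
auth SHA512           # ignored on the data channel, still used by tls-auth
tls-auth /path/to/ta.key 0
`;

const SAMPLE_GCM_NO_TLS_AUTH = `
dev tun
cipher AES-128-GCM
auth SHA256
`;

const SAMPLE_CBC_NO_AUTH = `
dev tun
cipher AES-256-CBC
`;

const samples = { SAMPLE_GCM_TLS_AUTH, SAMPLE_GCM_NO_TLS_AUTH, SAMPLE_CBC_NO_AUTH };
for (const [name, cfg] of Object.entries(samples)) {
  const r = checkCipherAuth(cfg);
  console.log(name, "| data:", r.dataChannelAuth, "| control:", r.controlChannelAuth, "| findings:", r.findings);
}
```

Running the block prints one line per sample; the first config is clean, the second reports the dead `auth` line, and the third reports the implicit SHA1 data-channel HMAC. The same check can be pointed at a generated N2N.conf to confirm that keeping the `auth` line alongside a GCM cipher, as the patch does, leaves `tls-auth` on the intended digest.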