From patchwork Mon Feb 26 00:49:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller_via_Development?= X-Patchwork-Id: 1674 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.i.ipfire.org (Postfix) with ESMTP id D3EAC60AF8 for ; Sun, 25 Feb 2018 14:50:01 +0100 (CET) X-Virus-Scanned: ClamAV at mail01.ipfire.org Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 53783111C4EE; Sun, 25 Feb 2018 13:50:17 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.ipfire.org; s=201801; t=1519566617; x=1522158617; bh=dxg+HzuhIAL/p4IG8h2fEDTzfkLYw/XsKOqgnQEo1NM=; h=To:Subject:Date:Message-Id:In-Reply-To:From:Reply-To:Sender:From: To:Cc:Date:Content-Type:Message-ID:In-Reply-To:Subject:Reply-To: Sender; b=glN7lZTh0vPsaPB+xG5ZWsLEE9lByMxgVrDHa+cAY4YVuQM9JfIdjIZF2PVUxWjxG 4o/Gik7eb9OkwvO7UgSepFBU6D31LHLhqBOBS2AbONQuVtVZkN7LBKVX4/TNb9uEzf bVg5DLa7QCVNQ+OG+Q67xqkz++Zp9xaa3WS/UXOPEDTGGdfhxGjOrECyJK9xE4WfHx CSoV/PfTDudq22EXy4vb94MVX/ThyhHBJb8+HxaHl7x+Q9TNENzWAzW3YdxZvWdITG nnuFPZJUyfAi4FrTBCkHtUKHsWnMINFxIwIShJW1NbCYrC1v6/OOsE5gmiiVT/XaQW Afn901sEEz4MQ== X-Virus-Scanned: ClamAV at mail01.ipfire.org Received: from localhost.localdomain (i59F52A67.versanet.de [89.245.42.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id CD28C111C4E3; Sun, 25 Feb 2018 13:50:11 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ipfire.org; s=201801; t=1519566612; x=1522158612; bh=dxg+HzuhIAL/p4IG8h2fEDTzfkLYw/XsKOqgnQEo1NM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:From:To:Cc:Date: Content-Type:Message-ID:In-Reply-To:Subject:Reply-To:Sender; b=hpjTTzxwAvyoMHLWjoEcxoPNBzRUDbripQCnC5jgDCRWGn+thAvYRJIwKoQI07K9h sz5GyFMz7s82ofWyeE+OlVUE5NLVyxaxV6S5kwCLTmpspV5RHpZKukX+zwDsc6dfZR xaU41GhL2MeodvxfypIjaA84cpgmnuDVfv5Z6ODApfZrb/UtGm3RXASGTQcbWDEgSF FX9TXhJRVkrApJehCMX6g8B4/ACbc49/lrYLo2xnH+Ed9AkNJCHQ5pw9+zcQBVi/eg qciCke2xcMVmUpTuWV627WSfVuDrB8kU3b6kuOnIxUJ6/hNGRcxSkhEF+uxyRu6Gw1 g1dudB7M9KmVA== To: development@lists.ipfire.org Subject: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW Date: Sun, 25 Feb 2018 14:49:49 +0100 Message-Id: <1519566589-18901-1-git-send-email-erik.kapfer@ipfire.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org> References: <1518612313-30683-1-git-send-email-erik.kapfer@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Erik Kapfer via Development From: =?utf-8?q?Peter_M=C3=BCller_via_Development?= Reply-To: Erik Kapfer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section. HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC). 'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N. HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs which uses the configuered HMAC even AES-GCM has been applied. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 84 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 69 insertions(+), 15 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c52e8ba..ff3d055 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -970,12 +970,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - if ($cgiparams{'DAUTH'} eq '') { - print SERVERCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print SERVERCONF unless "# HMAC algorithm\n"; + print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1076,12 +1082,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - if ($cgiparams{'DAUTH'} eq '') { - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -2198,13 +2210,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } - if ($confighash{$cgiparams{'KEY'}}[39] eq '') { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -4544,6 +4561,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -4629,6 +4649,15 @@ if ($cgiparams{'TYPE'} eq 'net') { } else { print ""; } + + # If GCM ciphers are in usage, HMAC menu is disabled + my $hmacdisabled; + if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + $hmacdisabled = "disabled='disabled'"; + }; + print <    @@ -4707,7 +4736,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'cipher'} - + + + @@ -4724,7 +4756,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'ovpn ha'}: - @@ -4738,6 +4770,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange +print< + var disable_options = false; + document.getElementById('n2ncipher').onchange = function () { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -5109,6 +5157,9 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -5205,6 +5256,9 @@ END $Lang::tr{'cipher'}