From patchwork Sun Apr 28 00:05:49 2019
X-Patchwork-Submitter: ummeegge
X-Patchwork-Id: 2218
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 1/3] ovpn_reorganize_encryption: Integrate HMAC selection to global section
Date: Sat, 27 Apr 2019 16:05:49 +0200
Message-Id: <20190427140551.10647-1-ummeegge@ipfire.org>

Fixes: #12009 and #11824

- Since HMACs will be used in any configuration, it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for a better overview.
- Deleted old headline in advanced section because it is not needed anymore.
- Added check if settings do not include 'DAUTH'; if possible, SHA512 will be used and written to the settings file. Old configurations with SHA1 will be untouched.

Signed-off-by: Erik Kapfer
---
 html/cgi-bin/ovpnmain.cgi | 88 ++++++++++++++++++++++-------------------
 langs/de/cgi-bin/de.pl | 1 -
 langs/en/cgi-bin/en.pl | 1 -
 3 files changed, 42 insertions(+), 48 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 812680328..80190dc34 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -332,11 +332,8 @@ sub writeserverconf { print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } @@ -793,7 +790,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); @@ -1204,6 +1200,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -2341,11 +2338,8 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { - print CLIENTCONF ""; - } else { print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + if ($vpnsettings{'TLSAUTH'} eq 'on') { if ($cgiparams{'MODE'} eq 'insecure') { print CLIENTCONF ";"; @@ -2651,9 +2645,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } 
@@ -2682,12 +2673,6 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -2820,25 +2805,6 @@ print <
- - - - - - - - - - - -
$Lang::tr{'ovpn crypt options'}
$Lang::tr{'ovpn ha'} - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'})
@@ -4566,11 +4532,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; if (1) { @@ -5107,8 +5068,17 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } + if (-z "${General::swroot}/ovpn/ovpnconfig") { + $cgiparams{'DAUTH'} = 'SHA512'; + } + foreach my $key (keys %confighash) { + if ($confighash{$key}[3] ne 'host') { + $cgiparams{'DAUTH'} = 'SHA512'; + } else { + $cgiparams{'DAUTH'} = 'SHA1'; + } + } + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5225,8 +5195,16 @@ END if (&haveOrangeNet()) { print ""; print ""; - } - print < + + + + + @@ -5236,6 +5214,24 @@ END + + + + + + + + + + + - +
$Lang::tr{'ovpn on orange'}
$Lang::tr{'net config'}:

$Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}
$Lang::tr{'MTU'} 

$Lang::tr{'ovpn crypt options'}:

$Lang::tr{'ovpn ha'} + $Lang::tr{'cipher'} - - - - - - - - -
HMAC tls-auth

END if ( -e "/var/run/openvpn.pid"){ @@ -3492,7 +3478,7 @@ foreach my $dkey (keys %confighash) {
Fragment:$confighash{$key}[24]
$Lang::tr{'MTU'}$confighash{$key}[31]
Management Port $confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:$confighash{$key}[39]
$Lang::tr{'ovpn tls auth'}:$confighash{$key}[39]
$Lang::tr{'cipher'}$confighash{$key}[40]
  
@@ -4533,6 +4519,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; if (1) { &Header::showhttpheaders(); @@ -5079,6 +5068,9 @@ END } } } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5121,6 +5113,10 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5255,6 +5251,13 @@ END $Lang::tr{'comp-lzo'} + +
+ + $Lang::tr{'ovpn tls auth'} + + +

END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index bea89fde3..eac4ed667 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1877,6 +1877,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn tls auth' => 'TLS-Kanal Absicherung:', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 449370a89..e853477dc 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1916,6 +1916,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn tls auth' => 'TLS-Channel Protection:', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size',
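Review bot: in hunk `@@ -332,11 +332,8 @@ sub writeserverconf`, dropping the `eq ''` guard means a settings file that has no DAUTH yet produces the line `auth ` with no argument, which OpenVPN rejects as a missing parameter, so the server would not start. The SHA512/SHA1 default introduced further down in `@@ -5107,8 +5068,17 @@` only fills `$cgiparams{'DAUTH'}` when the page is rendered and reaches the settings file on the next save of the global section, so an upgraded installation can hit this before anyone saves. Keep a fallback here, e.g. `print CONF "auth $sovpnsettings{'DAUTH'}\n" if ($sovpnsettings{'DAUTH'} ne '');`, or apply the same default when the settings file is read.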
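Review bot: in hunk `@@ -1204,6 +1200,7 @@`, `$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};` stores the submitted value without checking it against the values the select offers (whirlpool, SHA512, SHA384, SHA256, SHA1, per the `$selected{'DAUTH'}` lines removed in `@@ -2682,12 +2673,6 @@`). Unless a whitelist exists elsewhere in the save path, whatever the browser sends is written verbatim as `auth ...` into the server config and every exported client config. Reject anything outside that list before the save, the same way the other global fields are validated.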
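Review bot: hunk `@@ -2341,11 +2338,8 @@` has the same problem as the `writeserverconf` hunk: with the guard gone, a client package exported while DAUTH is still empty in the settings file contains `auth ` with no value, and the client then fails to parse its config. Either keep the `ne ''` check here or make sure DAUTH can never be empty once it is read from `$vpnsettings`.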
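Review bot: in hunk `@@ -4566,11 +4532,6 @@ if ($cgiparams{'TYPE'} eq 'net')`, removing the SHA1 fallback leaves `$selected{'DAUTH'}{$cgiparams{'DAUTH'}}` keyed on the empty string for net-to-net entries saved before DAUTH existed, so the form renders with no HMAC preselected for them. Confirm what the net-to-net save path stores when the select is left untouched; if it can be empty, that value ends up in the `auth` line of the generated configs.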
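Review bot: in hunk `@@ -5107,8 +5068,17 @@`, the `foreach my $key (keys %confighash)` loop overwrites `$cgiparams{'DAUTH'}` on every iteration, so with a mix of `host` and net-to-net entries the result is whichever key `keys %confighash` happens to return last, and Perl does not guarantee that order; the same box can render SHA1 on one request and SHA512 on the next. The `-z` test also only fires when `ovpnconfig` exists and is empty; if the file is absent, neither branch runs and DAUTH stays empty. Suggest setting the default first and stopping at the first roadwarrior entry, which matches the commit message's intent of keeping SHA1 for existing configurations:
`$cgiparams{'DAUTH'} = 'SHA512';`
`foreach my $key (keys %confighash) {`
`    if ($confighash{$key}[3] eq 'host') { $cgiparams{'DAUTH'} = 'SHA1'; last; }`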
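Review bot: in hunk `@@ -3492,7 +3478,7 @@ foreach my $dkey (keys %confighash)`, the label changes from `$Lang::tr{'ovpn hmac'}` to `$Lang::tr{'ovpn tls auth'}` but the value printed is still `$confighash{$key}[39]`, which the removed line presents as the HMAC field. Either the index should change to the field that holds the tls-auth setting, or the HMAC line should stay; as written the connection overview shows the hash algorithm under a "TLS-Channel Protection" heading.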
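Review bot: the `langs/de/cgi-bin/de.pl` and `langs/en/cgi-bin/en.pl` hunks add `'ovpn tls auth'`, yet this patch's diffstat lists `langs/de/cgi-bin/de.pl | 1 -` and `langs/en/cgi-bin/en.pl | 1 -`, one deletion each and no insertion. Together with the hunks from `@@ -3492,7 +3478,7 @@` onward, which deal with TLSAUTH rather than the HMAC selection this patch is about, it looks like patch 2/3 of the series has been run together with 1/3 on this page. Review and apply the series in order; the TLSAUTH defaults added in `@@ -5079,6 +5068,9 @@` and the `$checked{'TLSAUTH'}` lines duplicated in `@@ -4533,6 +4519,9 @@` and `@@ -5121,6 +5113,10 @@` belong with that second patch.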
From patchwork Sun Apr 28 00:05:51 2019
X-Patchwork-Submitter: ummeegge
X-Patchwork-Id: 2220
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 3/3] ovpn_reorganize_encryption: Integrate LZO from global to advanced section
Date: Sat, 27 Apr 2019 16:05:51 +0200
Message-Id: <20190427140551.10647-3-ummeegge@ipfire.org>
In-Reply-To: <20190427140551.10647-1-ummeegge@ipfire.org>
References: <20190427140551.10647-1-ummeegge@ipfire.org>

Fixes: #11819

- Since the Voracle vulnerability, LZO is better placed under the advanced section because under specific circumstances it is exploitable.
- A warning/hint has been added in the option defaults description.

Signed-off-by: Erik Kapfer
---
 html/cgi-bin/ovpnmain.cgi | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index d7895e600..c5eac26a9 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -785,6 +785,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'COMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; 
@@ -2654,6 +2655,9 @@ ADV_ERROR: $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; + $checked{'DCOMPLZO'}{'on'} = ''; + $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; $checked{'ADDITIONAL_CONFIGS'}{'off'} = ''; $checked{'ADDITIONAL_CONFIGS'}{'on'} = ''; $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED'; @@ -2732,7 +2736,7 @@ print < - + @@ -2745,6 +2749,11 @@ print < + $Lang::tr{'comp-lzo'} + + $Lang::tr{'openvpn default'}: off ($Lang::tr{'attention'} exploitable via Voracle) + + $Lang::tr{'ovpn add conf'} @@ -5248,8 +5257,6 @@ END - $Lang::tr{'comp-lzo'} -
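Review bot: in hunk `@@ -785,6 +785,7 @@`, the key is wrong: `$vpnsettings{'COMPLZO'} = $cgiparams{'DCOMPLZO'};` writes to COMPLZO, while every other use in the file is DCOMPLZO (the `$checked{'DCOMPLZO'}` lines added in this same patch, and `$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};` in the global save handler). Saving the advanced section therefore never changes the value the config generation reads, and the compression setting the admin just chose is silently ignored. It should read `$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};`.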
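Review bot: hunk `@@ -2654,6 +2655,9 @@ ADV_ERROR:` adds the `$checked{'DCOMPLZO'}` lines but no empty-value default, unlike the other options in this block (TLSAUTH is set to `'off'` when empty). With DCOMPLZO unset, neither radio button is checked even though the description promises `$Lang::tr{'openvpn default'}: off`. Add `if ($cgiparams{'DCOMPLZO'} eq '') { $cgiparams{'DCOMPLZO'} = 'off'; }` next to the other defaults so the form and the stated default agree.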
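Review bot: in hunk `@@ -2745,6 +2749,11 @@`, the hint `exploitable via Voracle` is hard-coded English inside a string that is otherwise built from `$Lang::tr{...}` entries. Move it into the language files, as the `'ovpn tls auth'` strings in the de.pl/en.pl hunks of 1/3 are, so the warning is shown in the user's language.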
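Review bot: hunk `@@ -5248,8 +5257,6 @@` removes the comp-lzo field from the global form, but the global save handler still executes `$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};` (visible as unchanged context in the `@@ -1204,6 +1200,7 @@` hunk of patch 1/3). After this patch, every save of the global section therefore submits no DCOMPLZO and overwrites the stored value with an empty string, discarding whatever was set in the advanced section. Remove that assignment from the global save handler in the same patch, so the setting is owned by one form only.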