/[smecontribs]/rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335-sme10bis.patch

Annotation of /rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335-sme10bis.patch



Revision 1.1 - (hide annotations) (download)
Thu Apr 1 01:43:12 2021 UTC (3 years, 7 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-openvpn-bridge-2_1-18_el7_sme, smeserver-openvpn-bridge-2_1-16_el7_sme, smeserver-openvpn-bridge-2_1-14_el7_sme, smeserver-openvpn-bridge-2_1-19_el7_sme, smeserver-openvpn-bridge-2_1-17_el7_sme, smeserver-openvpn-bridge-2_1-15_el7_sme, smeserver-openvpn-bridge-2_1-13_el7_sme, smeserver-openvpn-bridge-2_1-23_el7_sme, smeserver-openvpn-bridge-2_1-21_el7_sme, smeserver-openvpn-bridge-2_1-22_el7_sme, smeserver-openvpn-bridge-2_1-20_el7_sme, HEAD
* Wed Mar 31 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.1-13.sme
- default AES-128-CBC and SHA256 fix [SME: 11335]
- better first screen with information on link and HMAC and cipher
- better client default configuration with embedded shared key and CAcert
- migrate cipher to Cipher like routed and s2s usage
- HMAC and Cipher are accessible to change using the manager.
- fix typos in translations [SME: 6647]

1 jpp 1.1 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher
2     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 1969-12-31 19:00:00.000000000 -0500
3     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 2021-03-31 21:29:02.179000000 -0400
4     @@ -0,0 +1 @@
5     +AES-128-CBC
6     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher
7     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-31 16:16:30.757000000 -0400
8     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500
9     @@ -1 +0,0 @@
10     -AES-256-CBC
11     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC
12     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 1969-12-31 19:00:00.000000000 -0500
13     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 2021-03-31 16:20:58.668000000 -0400
14     @@ -0,0 +1 @@
15     +SHA256
16     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher
17     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 1969-12-31 19:00:00.000000000 -0500
18     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 2021-03-31 21:31:42.029000000 -0400
19     @@ -0,0 +1,16 @@
20     +{
21     + #migrate cipher to Cipher that is used in all other openvpn contribs
22     + my $opv = $DB->get('openvpn-bridge') || $DB->new_record('openvpn-bridge', {type => 'service'});
23     +
24     + my %old2new = (
25     + 'cipher' => "Cipher",
26     + );
27     +
28     + for my $keyt ( keys %old2new )
29     + {
30     + next unless ( $opv->prop($keyt) );
31     + my $value = $DB->get_prop_and_delete('openvpn-bridge', $keyt);
32     + next if ( $opv->prop($old2new{$keyt}) );
33     + $DB->set_prop('openvpn-bridge', $old2new{$keyt}, $value);
34     + }
35     +}
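Review bot: The loop removes the old `cipher` prop before it checks whether `Cipher` is already set, so on a host that has both keys the old value is discarded without trace; if the newer key is meant to win, the comment should say so, e.g. `# old 'cipher' is always removed; an existing 'Cipher' takes precedence over the migrated value`. Whether `$opv->prop(...)` on the record fetched at the top reflects a deletion made through `$DB->get_prop_and_delete` is not visible here; if it reads a cached copy, the second `next` tests stale data. Using `$DB->get_prop('openvpn-bridge', $old2new{$keyt})` in that test would not depend on it.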
36     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge
37     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 16:16:30.731000000 -0400
38     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:37:50.773000000 -0400
39     @@ -230,7 +230,7 @@
40    
41     <entry>
42     <base>DESC_STATUS</base>
43     - <trans>Do you want to enable the service ?</trans>
44     + <trans>Do you want to enable the service?</trans>
45     </entry>
46    
47     <entry>
48     @@ -363,7 +363,7 @@
49    
50     <entry>
51     <base>DESC_CLIENT_DISCONECT_PAGE</base>
52     - <trans>Your are going to diconnect this user. Are you sure you want to continue ?</trans>
53     + <trans>You are going to diconnect this user. Are you sure you want to continue?</trans>
54     </entry>
55    
56     <entry>
57     @@ -420,4 +420,49 @@
58     <base>LABEL_TA_PEM</base>
59     <trans>Static key</trans>
60     </entry>
61     + <entry>
62     + <base>DESC_HMAC</base>
63     + <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans>
64     + </entry>
65     + <entry>
66     + <base>LABEL_HMAC</base>
67     + <trans>HMAC algorithm</trans>
68     + </entry>
69     + <entry>
70     + <base>DESC_CIPHER</base>
71     + <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans>
72     + </entry>
73     + <entry>
74     + <base>LABEL_CIPHER</base>
75     + <trans>Cipher encryption algorithm</trans>
76     + </entry>
77     + <entry>
78     + <base>LINK</base>
79     + <trans>Link status</trans>
80     + </entry>
81     + <entry>
82     + <base>UP</base>
83     + <trans>Up</trans>
84     + </entry>
85     + <entry>
86     + <base>SYSTEMD_RETURNED</base>
87     + <trans>Systemd returned service as</trans>
88     + </entry>
89     + <entry>
90     + <base>CHANGEME_INSECURE</base>
91     + <trans>Please change this insecure parameter</trans>
92     + </entry>
93     + <entry>
94     + <base>SUGGESTED</base>
95     + <trans>Sugested value</trans>
96     + </entry>
97     + <entry>
98     + <base>DEFAULT</base>
99     + <trans>Default</trans>
100     + </entry>
101     + <entry>
102     + <base>ERROR</base>
103     + <trans>Error</trans>
104     + </entry>
105     +
106     </lexicon>
107     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption
108     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
109     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 2021-03-31 21:31:42.515000000 -0400
110     @@ -0,0 +1,33 @@
111     +{
112     + #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
113     + # need to be changed on both side
114     + my $HMAC = ( ${'openvpn-bridge'}{'HMAC'} ) ? ${'openvpn-bridge'}{'HMAC'} : undef;
115     + # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
116     + # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
117     + my $cipher = ( ${'openvpn-bridge'}{'Cipher'} && ${'openvpn-bridge'}{'Cipher'} ne 'auto')? ${'openvpn-bridge'}{'Cipher'} : undef;
118     +
119     + ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
120     + my $tlsVmin = ( ${'openvpn-bridge'}{'tlsVmin'} && ( ${'openvpn-bridge'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-bridge'}{'tlsVmin'} : "1.2";
121     + # TLS 1.3 encryption settings
122     + my $tlsCipherSuites13 = ( ${'openvpn-bridge'}{'tlsCipherSuites13'} ) ? ${'openvpn-bridge'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
123     + # # TLS 1.2 encryption settings
124     + my $tlsCipher12 = ( ${'openvpn-bridge'}{'tlsCipher12'} ) ? ${'openvpn-bridge'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
125     +
126     +
127     +
128     + $OUT .= "#securing control channel\n";
129     + $OUT .= "tls-version-min $tlsVmin\n";
130     + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
131     + $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
132     + #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
133     + #$OUT .= "ecdh-curve secp384r1\n";
134     +
135     + # data channel
136     + $OUT .= "#securing data channel\n";
137     + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
138     + #auth SHA512
139     + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
140     +
141     +
142     +
143     +}
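Review bot: The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards on the two `$OUT .=` lines are dead, because both variables are always assigned a default string a few lines above; either drop the guards or let an explicit db value such as `none` suppress the line, which is what the guards suggest was intended. The `tlsVmin` validation `/^1\.[0-9]{1}$/` accepts `1.0` and `1.1`, so the comment above it ("we do not want any tls 1.1 or lower") describes the default rather than a floor; I would reword it to `# default floor is TLS 1.2; an admin may lower tlsVmin in the db for very old clients`. The doubled `# #` prefixes on the cipher and TLS 1.2 comments look like leftovers.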
144     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options
145     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2013-11-11 12:27:02.000000000 -0500
146     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2021-03-31 21:31:42.246000000 -0400
147     @@ -4,7 +4,6 @@
148     my $mtuTest = ${'openvpn-bridge'}{mtuTest} || 'enabled';
149     my $tunMtu = ${'openvpn-bridge'}{tunMtu};
150     my $fragment = ${'openvpn-bridge'}{fragment};
151     -my $cipher = ${'openvpn-bridge'}{cipher} || 'auto';
152     my $redirectGW = ${'openvpn-bridge'}{redirectGW} || 'PerClient';
153     my $proto = ${'openvpn-bridge'}{protocol} || 'udp';
154     my $duplicate = ${'openvpn-bridge'}{duplicateCN} || 'disabled';
155     @@ -35,10 +34,6 @@
156     }
157     }
158    
159     -if ($cipher ne 'auto'){
160     - $OUT .= "cipher $cipher\n";
161     -}
162     -
163     if ($duplicate eq 'enabled'){
164     $OUT .= "duplicate-cn\n";
165     }
166     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge
167     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge 2013-11-11 12:27:02.000000000 -0500
168     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:31:41.307000000 -0400
169     @@ -57,6 +57,14 @@
170     value="get_status()">
171     <label>LABEL_STATUS</label>
172     </field>
173     +
174     + <field
175     + type="literal"
176     + id="current_link_status"
177     + display=""
178     + value="print_link_status()">
179     + <label>LINK</label>
180     + </field>
181    
182     <field
183     type="literal"
184     @@ -81,6 +89,21 @@
185     value="print_crt_not_ready_warning()">
186     <label>LABEL_CRT_STATUS</label>
187     </field>
188     +
189     + <field
190     + type="literal"
191     + id="current_hmac_status"
192     + display=""
193     + value="get_hmac_status()">
194     + <label>LABEL_HMAC</label>
195     + </field>
196     + <field
197     + type="literal"
198     + id="current_cipher_status"
199     + display=""
200     + value="get_cipher_status()">
201     + <label>LABEL_CIPHER</label>
202     + </field>
203    
204     <subroutine src="print_section_bar()" />
205     <subroutine src="print_custom_button('DESC_RULE_BUTTON','RULES_PAGE')"/>
206     @@ -135,6 +158,17 @@
207     <description>DESC_END_POOL</description>
208     </field>
209    
210     + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
211     + <description>DESC_HMAC</description>
212     + <label>LABEL_HMAC</label>
213     + </field>
214     +
215     + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
216     + <description>DESC_CIPHER</description>
217     + <label>LABEL_CIPHER</label>
218     + </field>
219     +
220     +
221     <subroutine src="print_button('SAVE')" />
222     </page>
223    
224     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm
225     --- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 16:16:30.758000000 -0400
226     +++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 21:31:41.548000000 -0400
227     @@ -16,6 +16,7 @@
228     our @EXPORT = qw(
229     get_prop
230     get_status
231     + print_link_status
232     get_auth_type
233     get_ip_pool
234     print_crt_not_ready
235     @@ -27,6 +28,12 @@
236     write_pem
237     read_pem
238     disconnect_client
239     + get_cipher_status
240     + get_hmac_status
241     + get_current_hmac
242     + get_current_cipher
243     + get_digests_options
244     + get_ciphers_options
245     );
246    
247     our $config_db = esmith::ConfigDB->open || die "Couldn't open ConfigDB\n";
248     @@ -95,6 +102,20 @@
249     $config_db->set_prop('openvpn-bridge', 'userAuth', $q->param("auth_type"));
250     $config_db->set_prop('openvpn-bridge', 'startPool', $q->param("start_pool"));
251     $config_db->set_prop('openvpn-bridge', 'endPool', $q->param("end_pool"));
252     + if ($q->param("hmac") eq 'SHA1') {
253     + my $tmpk = $config_db->get('openvpn-bridge');
254     + $tmpk->delete_prop('HMAC');
255     + }
256     + else {
257     + $config_db->set_prop('openvpn-bridge', 'HMAC', $q->param("hmac"));
258     + }
259     + if ($q->param("cipher") eq 'BF-CBC') {
260     + my $tmpk = $config_db->get('openvpn-bridge');
261     + $tmpk->delete_prop('Cipher');
262     + }
263     + else {
264     + $config_db->set_prop('openvpn-bridge', 'Cipher', $q->param("cipher"));
265     + }
266    
267     unless ( system ("/sbin/e-smith/signal-event", "openvpn-bridge-update") == 0 ){
268     return $fm->error('ERROR_OCCURED', 'FIRST');;
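Review bot: The submitted `hmac` and `cipher` values are written to the db as-is, with only the `SHA1`/`BF-CBC` special cases examined, although the form offers a fixed list; since these strings are later interpolated verbatim into the openvpn server config and the generated client config, the save path should reject anything outside `get_digests_options()`/`get_ciphers_options()`. Something like `my $hmac = $q->param("hmac") // '';` followed by `return $fm->error('ERROR_OCCURED', 'FIRST') unless exists get_digests_options($fm)->{$hmac};` before the `if`, and the same pair for `cipher` with `get_ciphers_options`. This also avoids the uninitialized-value warning from `eq 'SHA1'` when the param is absent. The enclosing save handler begins before this hunk.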
269     @@ -103,6 +124,51 @@
270     return $fm->success('SUCCESS','FIRST');
271     }
272    
273     +#status global du lien
274     +sub print_link_status{
275     + my $fm = shift;
276     + my $q = $fm->{cgi};
277     + my $common_name = $fm->localise('COMMON_NAME');
278     + my $real_ip = $fm->localise('REAL_IP');
279     + my $virtual_ip = $fm->localise('VIRTUAL_IP');
280     + my $sent = $fm->localise('SENT');
281     + my $received = $fm->localise('RECEIVED');
282     + my $connected_since = $fm->localise('CONNECTED_SINCE');
283     + my $disconnect = $fm->localise('DISCONNECT');
284     +
285     + # test status db
286     + return get_status($fm) if get_status($fm) eq $fm->localise('DISABLED');
287     + # test systemd
288     + my $act = `/usr/bin/systemctl is-active openvpn-bridge.service`;
289     + chomp $act;
290     + return "<span style='color:red'>" . $fm->localise('SYSTEMD_RETURNED') . " $act </span>" unless $act eq "active";
291     +
292     + # On récupère les paramètre et on les parse
293     + my $param = get_prop('',"management");
294     + my @param = split(/:/,$param);
295     + my $host = $param[0];
296     + my $port = $param[1];
297     + my $pass = $param[2];
298     +
299     + # On cré l'objet vpn
300     + my $vpn = Net::OpenVPN::Manage->new({
301     + host => $host,
302     + port => $port,
303     + password => $pass,
304     + timeout => 3
305     + });
306     +
307     + # On se connecte ou on retourne le message d'erreur
308     + unless($vpn->connect()){
309     + print "<span style='color:red'>" . $fm->localise('ERROR_CONNECT_TO_MANAGER'). "</span>";
310     + return "";
311     + }
312     + my $r = $vpn->status_ref();
313     + return "<span style='color:green'>" . $fm->localise('UP') ."</span>" if $r->{TITLE};
314     + return "<span style='color:red'>" . $fm->localise('ERROR') ."</span>";
315     +}
316     +
317     +
318     # Affiche les connexions en cours
319     sub print_clients_table{
320     my $fm = shift;
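Review bot: `print_link_status` reports a manager-connection failure by `print`ing the red span and returning `""`, while every other outcome is returned as a string; if the field is rendered from the return value, as `value="print_link_status()"` in the form suggests, the printed span lands wherever stdout is at that moment rather than in the field. Returning it keeps the paths alike: `return "<span style='color:red'>" . $fm->localise('ERROR_CONNECT_TO_MANAGER') . "</span>" unless $vpn->connect();`. The locals `$q`, `$common_name`, `$real_ip`, `$virtual_ip`, `$sent`, `$received`, `$connected_since` and `$disconnect` are never used and look copied from `print_clients_table`; `get_status($fm)` is also evaluated twice on one line where a single `my $status = get_status($fm);` would do.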
321     @@ -500,7 +566,8 @@
322     my $mtutest = get_prop('','mtuTest','enabled');
323     my $fragment = get_prop('','fragment','');
324     my $tunmtu = get_prop('','tunMtu','');
325     - my $cipher = get_prop('','cipher','');
326     + my $cipher = get_prop('','Cipher','');
327     + my $hmac = get_prop('','HMAC','');
328     if ($proto eq 'tcp'){
329     $mtutest = 'disabled';
330     $fragment = '';
331     @@ -518,11 +585,11 @@
332     $fic .= "tls-auth takey.pem 1\n"
333     if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem"));
334     $fic .= "ns-cert-type server\n\n";
335     + $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto'));
336     + $fic .= "auth $hmac\n" if (($hmac ne '') && ($hmac ne 'auto'));
337     + $fic .= "\n";
338     $fic .= (get_prop('','userAuth','CrtWithPass') eq 'CrtWithPass' ? "auth-user-pass\n\n" : "\n");
339     - $fic .= "# Replace user.p12 with the certificate\n# bundle in PKCS12 format\n";
340     - $fic .= "pkcs12 user.p12\n\n";
341     - $fic .= "# You can replace the pkcs12\n# directive with the old ones\n";
342     - $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n";
343     + $fic .= "\n";
344     if ($mtutest eq 'enabled'){
345     $fic .= "mtu-test\n";
346     }
347     @@ -534,9 +601,33 @@
348     $fic .= "fragment $fragment\nmssfix\n";
349     }
350     }
351     - $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto'));
352     $fic .= "comp-lzo\n";
353     $fic .= "pull\n";
354     + $fic .= "\n";
355     + $fic .= "# Uncomment and replace user.p12 \n# with the certificate bundle in PKCS12 format\n";
356     + $fic .= "#pkcs12 user.p12\n\n";
357     + $fic .= "# You can replace the pkcs12\n# directive with the old ones\n";
358     + $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n";
359     + $fic .= "# Alternatively you can paste your cert and private key here:\n";
360     + #infile file support
361     + $fic .= "# client certificate - uncomment and paste between delimiters \n";
362     + $fic .= "#<cert>\n";
363     + $fic .= "#</cert>\n";
364     + $fic .= "# client private key - uncomment and paste between delimiters\n";
365     + $fic .= "#<key>\n";
366     + $fic .= "#</key>\n";
367     + $fic .= "\n";
368     + $fic .= "# CA certificate\n";
369     + $fic .= "<ca>\n";
370     + $fic .= read_pem($fm,'cacert.pem')."\n";
371     + $fic .= "</ca>\n";
372     + if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem")) {
373     + $fic .= "\n# Shared TLS key\n";
374     + $fic .= "<tls-auth>\n";
375     + $fic .= read_pem($fm,'takey.pem')."\n";
376     + $fic .= "</tls-auth>\n";
377     + }
378     +
379    
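Review bot: The inline `<tls-auth>` block carries no direction, while the file form `tls-auth takey.pem 1` (emitted earlier in this sub, outside this hunk) does; with an inline key OpenVPN takes the direction from a separate `key-direction` directive, so the generated text should add `$fic .= "key-direction 1\n";` beside the `<tls-auth>` block, otherwise a client that removes the file line runs the key in the wrong direction and control-channel packets are rejected. The CA certificate and the shared static key are now both embedded in a textarea shown to anyone who can open the panel; the key was already exposed through the static-key field, but a comment such as `# takey.pem is a shared secret; treat the generated config like a key file` would make that explicit. The surrounding sub starts and ends outside the hunk.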
380     print(esmith::cgi::genTextRow($q,
381     $q->textarea (
382     @@ -544,7 +635,7 @@
383     -override => 1,
384     -default => $fic,
385     -rows => 30,
386     - -columns => 60)
387     + -columns => 100)
388     )
389     );
390     return "";
391     @@ -773,5 +864,127 @@
392     return "OK";
393     }
394    
395     +###### those could almost be copy paste for bridge and s2s
396     +##
397     +=head2 get_hmac_status
398     +
399     +=cut
400     +sub get_hmac_status{
401     + my ($fm) = @_;
402     + my $hmac = get_current_hmac();
403     + $hmac= "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
404     + return $hmac;
405     +}
406     +
407     +=head2 get_cipher_status
408     +list obtained using
409     +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
410     +=cut
411     +sub get_cipher_status{
412     + my ($fm) = @_;
413     + my $cipher = get_current_cipher();
414     + $cipher = "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
415     + return $cipher;
416     +}
417     +
418     +=head2 get_current_hmac
419     +
420     +=cut
421     +sub get_current_hmac{
422     + my ($self) = @_;
423     + my $cvpn= $config_db->get('openvpn-bridge') or return "SHA256" ;
424     + return "SHA1" unless defined $cvpn->prop('HMAC');
425     + return $cvpn->prop('HMAC') ;
426     +}
427     +
428     +=head2 get_current_cipher
429     +list obtained using
430     +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
431     +=cut
432     +sub get_current_cipher{
433     + my ($self) = @_;
434     + my $cvpn= $config_db->get('openvpn-bridge') or return "AES-128-CBC";
435     + return "BF-CBC" unless defined $cvpn->prop('Cipher');
436     + return $cvpn->prop('Cipher') ;
437     +}
438     +
439     +
440     +=head2 get_digests_options
441     +
442     +=cut
443     +sub get_digests_options{
444     + my ($self) = @_;
445     + my $translate = $self->localise('DEFAULT');
446     + my $suggested = $self->localise('SUGGESTED');
447     + my %options= (
448     + 'whirlpool' => 'whirlpool (512)',
449     + 'SHA512' => 'SHA512',
450     + 'SHA384' => 'SHA384',
451     + 'SHA256' => 'SHA256' . ": $suggested",
452     + 'SHA224' => 'SHA224',
453     + 'SHA1' => 'SHA1 (160)' . ": $translate",
454     + 'SHA' => 'SHA (160)',
455     + 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)',
456     + 'RIPEMD160' => 'RIPEMD160',
457     + 'MD5' => 'MD5 (128)',
458     + 'MD4' => 'MD4 (128)',
459     + );
460     + return \%options;
461     +}
462     +
463     +
464     +=head2 get_ciphers_options
465     +list obtained using
466     +openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
467     +then reduced to remove most of insecure ciphers
468     +Using a CBC or GCM mode is recommended.
469     +In static key mode only CBC mode is allowed.
470     +
471     +=cut
472     +sub get_ciphers_options{
473     + my ($self) = @_;
474     + my $translate = $self->localise('DEFAULT');
475     + my $suggested = $self->localise('SUGGESTED');
476     + my %options= (
477     + 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested",
478     + 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)',
479     + 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)',
480     + 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)',
481     + 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)',
482     + 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)',
483     + 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)',
484     + 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)',
485     + 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)',
486     + 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)',
487     + 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)',
488     + 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)',
489     + 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)',
490     + 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)',
491     + 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)',
492     + 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)',
493     + 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)',
494     + 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)',
495     + 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)',
496     + 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)',
497     + 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)',
498     + 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)',
499     + 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)',
500     + 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)',
501     + 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)',
502     + 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)',
503     + 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)',
504     + 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)',
505     + 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)',
506     + 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)',
507     + 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)',
508     + 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)',
509     + 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)',
510     + 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)',
511     + 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)',
512     + 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)',
513     + 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ",
514     + );
515     + return \%options;
516     +}
517    
518     1;
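Review bot: The POD for `get_cipher_status` and `get_current_cipher` was copied from the digest helpers and still says the list was obtained with `openvpn --show-digests`, which is wrong for ciphers (the `get_ciphers_options` POD below has the correct `--show-ciphers` pipeline); replace those two `list obtained using …` paragraphs with a line such as `Returns the configured data-channel cipher, flagged red unless it is an AES, CAMELLIA or SEED variant.` `get_current_hmac` and `get_current_cipher` take an unused `$self`, and their fallbacks disagree: a missing `openvpn-bridge` record yields `SHA256`/`AES-128-CBC` while a record without the prop yields `SHA1`/`BF-CBC`, so the status shown depends on which of the two db states applies; either a comment explaining why a missing record counts as secure, or making the first fallback match the second, would settle it. The values returned here are interpolated into HTML in `get_hmac_status`/`get_cipher_status` without escaping, which is only safe while the save path restricts them to the option lists.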
