1 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher |
2 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 1969-12-31 19:00:00.000000000 -0500 |
3 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 2021-03-31 21:29:02.179000000 -0400 |
4 |
@@ -0,0 +1 @@ |
5 |
+AES-128-CBC |
6 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher |
7 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-31 16:16:30.757000000 -0400 |
8 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500 |
9 |
@@ -1 +0,0 @@ |
10 |
-AES-256-CBC |
11 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC |
12 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 1969-12-31 19:00:00.000000000 -0500 |
13 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 2021-03-31 16:20:58.668000000 -0400 |
14 |
@@ -0,0 +1 @@ |
15 |
+SHA256 |
16 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher |
17 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 1969-12-31 19:00:00.000000000 -0500 |
18 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 2021-03-31 21:31:42.029000000 -0400 |
19 |
@@ -0,0 +1,16 @@ |
20 |
+{ |
21 |
+ #migrate cipher to Cipher that is used in all other openvpn contribs |
22 |
+ my $opv = $DB->get('openvpn-bridge') || $DB->new_record('openvpn-bridge', {type => 'service'}); |
23 |
+ |
24 |
+ my %old2new = ( |
25 |
+ 'cipher' => "Cipher", |
26 |
+ ); |
27 |
+ |
28 |
+ for my $keyt ( keys %old2new ) |
29 |
+ { |
30 |
+ next unless ( $opv->prop($keyt) ); |
31 |
+ my $value = $DB->get_prop_and_delete('openvpn-bridge', $keyt); |
32 |
+ next if ( $opv->prop($old2new{$keyt}) ); |
33 |
+ $DB->set_prop('openvpn-bridge', $old2new{$keyt}, $value); |
34 |
+ } |
35 |
+} |
36 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge |
37 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 16:16:30.731000000 -0400 |
38 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:37:50.773000000 -0400 |
39 |
@@ -230,7 +230,7 @@ |
40 |
|
41 |
<entry> |
42 |
<base>DESC_STATUS</base> |
43 |
- <trans>Do you want to enable the service ?</trans> |
44 |
+ <trans>Do you want to enable the service?</trans> |
45 |
</entry> |
46 |
|
47 |
<entry> |
48 |
@@ -363,7 +363,7 @@ |
49 |
|
50 |
<entry> |
51 |
<base>DESC_CLIENT_DISCONECT_PAGE</base> |
52 |
- <trans>Your are going to diconnect this user. Are you sure you want to continue ?</trans> |
53 |
+ <trans>You are going to diconnect this user. Are you sure you want to continue?</trans> |
54 |
</entry> |
55 |
|
56 |
<entry> |
57 |
@@ -420,4 +420,49 @@ |
58 |
<base>LABEL_TA_PEM</base> |
59 |
<trans>Static key</trans> |
60 |
</entry> |
61 |
+ <entry> |
62 |
+ <base>DESC_HMAC</base> |
63 |
+ <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans> |
64 |
+ </entry> |
65 |
+ <entry> |
66 |
+ <base>LABEL_HMAC</base> |
67 |
+ <trans>HMAC algorithm</trans> |
68 |
+ </entry> |
69 |
+ <entry> |
70 |
+ <base>DESC_CIPHER</base> |
71 |
+ <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans> |
72 |
+ </entry> |
73 |
+ <entry> |
74 |
+ <base>LABEL_CIPHER</base> |
75 |
+ <trans>Cipher encryption algorithm</trans> |
76 |
+ </entry> |
77 |
+ <entry> |
78 |
+ <base>LINK</base> |
79 |
+ <trans>Link status</trans> |
80 |
+ </entry> |
81 |
+ <entry> |
82 |
+ <base>UP</base> |
83 |
+ <trans>Up</trans> |
84 |
+ </entry> |
85 |
+ <entry> |
86 |
+ <base>SYSTEMD_RETURNED</base> |
87 |
+ <trans>Systemd returned service as</trans> |
88 |
+ </entry> |
89 |
+ <entry> |
90 |
+ <base>CHANGEME_INSECURE</base> |
91 |
+ <trans>Please change this insecure parameter</trans> |
92 |
+ </entry> |
93 |
+ <entry> |
94 |
+ <base>SUGGESTED</base> |
95 |
+ <trans>Sugested value</trans> |
96 |
+ </entry> |
97 |
+ <entry> |
98 |
+ <base>DEFAULT</base> |
99 |
+ <trans>Default</trans> |
100 |
+ </entry> |
101 |
+ <entry> |
102 |
+ <base>ERROR</base> |
103 |
+ <trans>Error</trans> |
104 |
+ </entry> |
105 |
+ |
106 |
</lexicon> |
107 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption |
108 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500 |
109 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 2021-03-31 21:31:42.515000000 -0400 |
110 |
@@ -0,0 +1,33 @@ |
111 |
+{ |
112 |
+ #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one... |
113 |
+ # need to be changed on both side |
114 |
+ my $HMAC = ( ${'openvpn-bridge'}{'HMAC'} ) ? ${'openvpn-bridge'}{'HMAC'} : undef; |
115 |
+ # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one... |
116 |
+ # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel |
117 |
+ my $cipher = ( ${'openvpn-bridge'}{'Cipher'} && ${'openvpn-bridge'}{'Cipher'} ne 'auto')? ${'openvpn-bridge'}{'Cipher'} : undef; |
118 |
+ |
119 |
+ ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower |
120 |
+ my $tlsVmin = ( ${'openvpn-bridge'}{'tlsVmin'} && ( ${'openvpn-bridge'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-bridge'}{'tlsVmin'} : "1.2"; |
121 |
+ # TLS 1.3 encryption settings |
122 |
+ my $tlsCipherSuites13 = ( ${'openvpn-bridge'}{'tlsCipherSuites13'} ) ? ${'openvpn-bridge'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; |
123 |
+ # # TLS 1.2 encryption settings |
124 |
+ my $tlsCipher12 = ( ${'openvpn-bridge'}{'tlsCipher12'} ) ? ${'openvpn-bridge'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; |
125 |
+ |
126 |
+ |
127 |
+ |
128 |
+ $OUT .= "#securing control channel\n"; |
129 |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
130 |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
131 |
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13; |
132 |
+ #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n"; |
133 |
+ #$OUT .= "ecdh-curve secp384r1\n"; |
134 |
+ |
135 |
+ # data channel |
136 |
+ $OUT .= "#securing data channel\n"; |
137 |
+ $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n"; |
138 |
+ #auth SHA512 |
139 |
+ $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n"; |
140 |
+ |
141 |
+ |
142 |
+ |
143 |
+} |
144 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options |
145 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2013-11-11 12:27:02.000000000 -0500 |
146 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2021-03-31 21:31:42.246000000 -0400 |
147 |
@@ -4,7 +4,6 @@ |
148 |
my $mtuTest = ${'openvpn-bridge'}{mtuTest} || 'enabled'; |
149 |
my $tunMtu = ${'openvpn-bridge'}{tunMtu}; |
150 |
my $fragment = ${'openvpn-bridge'}{fragment}; |
151 |
-my $cipher = ${'openvpn-bridge'}{cipher} || 'auto'; |
152 |
my $redirectGW = ${'openvpn-bridge'}{redirectGW} || 'PerClient'; |
153 |
my $proto = ${'openvpn-bridge'}{protocol} || 'udp'; |
154 |
my $duplicate = ${'openvpn-bridge'}{duplicateCN} || 'disabled'; |
155 |
@@ -35,10 +34,6 @@ |
156 |
} |
157 |
} |
158 |
|
159 |
-if ($cipher ne 'auto'){ |
160 |
- $OUT .= "cipher $cipher\n"; |
161 |
-} |
162 |
- |
163 |
if ($duplicate eq 'enabled'){ |
164 |
$OUT .= "duplicate-cn\n"; |
165 |
} |
166 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge |
167 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge 2013-11-11 12:27:02.000000000 -0500 |
168 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:31:41.307000000 -0400 |
169 |
@@ -57,6 +57,14 @@ |
170 |
value="get_status()"> |
171 |
<label>LABEL_STATUS</label> |
172 |
</field> |
173 |
+ |
174 |
+ <field |
175 |
+ type="literal" |
176 |
+ id="current_link_status" |
177 |
+ display="" |
178 |
+ value="print_link_status()"> |
179 |
+ <label>LINK</label> |
180 |
+ </field> |
181 |
|
182 |
<field |
183 |
type="literal" |
184 |
@@ -81,6 +89,21 @@ |
185 |
value="print_crt_not_ready_warning()"> |
186 |
<label>LABEL_CRT_STATUS</label> |
187 |
</field> |
188 |
+ |
189 |
+ <field |
190 |
+ type="literal" |
191 |
+ id="current_hmac_status" |
192 |
+ display="" |
193 |
+ value="get_hmac_status()"> |
194 |
+ <label>LABEL_HMAC</label> |
195 |
+ </field> |
196 |
+ <field |
197 |
+ type="literal" |
198 |
+ id="current_cipher_status" |
199 |
+ display="" |
200 |
+ value="get_cipher_status()"> |
201 |
+ <label>LABEL_CIPHER</label> |
202 |
+ </field> |
203 |
|
204 |
<subroutine src="print_section_bar()" /> |
205 |
<subroutine src="print_custom_button('DESC_RULE_BUTTON','RULES_PAGE')"/> |
206 |
@@ -135,6 +158,17 @@ |
207 |
<description>DESC_END_POOL</description> |
208 |
</field> |
209 |
|
210 |
+ <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()"> |
211 |
+ <description>DESC_HMAC</description> |
212 |
+ <label>LABEL_HMAC</label> |
213 |
+ </field> |
214 |
+ |
215 |
+ <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()"> |
216 |
+ <description>DESC_CIPHER</description> |
217 |
+ <label>LABEL_CIPHER</label> |
218 |
+ </field> |
219 |
+ |
220 |
+ |
221 |
<subroutine src="print_button('SAVE')" /> |
222 |
</page> |
223 |
|
224 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm |
225 |
--- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 16:16:30.758000000 -0400 |
226 |
+++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 21:31:41.548000000 -0400 |
227 |
@@ -16,6 +16,7 @@ |
228 |
our @EXPORT = qw( |
229 |
get_prop |
230 |
get_status |
231 |
+ print_link_status |
232 |
get_auth_type |
233 |
get_ip_pool |
234 |
print_crt_not_ready |
235 |
@@ -27,6 +28,12 @@ |
236 |
write_pem |
237 |
read_pem |
238 |
disconnect_client |
239 |
+ get_cipher_status |
240 |
+ get_hmac_status |
241 |
+ get_current_hmac |
242 |
+ get_current_cipher |
243 |
+ get_digests_options |
244 |
+ get_ciphers_options |
245 |
); |
246 |
|
247 |
our $config_db = esmith::ConfigDB->open || die "Couldn't open ConfigDB\n"; |
248 |
@@ -95,6 +102,20 @@ |
249 |
$config_db->set_prop('openvpn-bridge', 'userAuth', $q->param("auth_type")); |
250 |
$config_db->set_prop('openvpn-bridge', 'startPool', $q->param("start_pool")); |
251 |
$config_db->set_prop('openvpn-bridge', 'endPool', $q->param("end_pool")); |
252 |
+ if ($q->param("hmac") eq 'SHA1') { |
253 |
+ my $tmpk = $config_db->get('openvpn-bridge'); |
254 |
+ $tmpk->delete_prop('HMAC'); |
255 |
+ } |
256 |
+ else { |
257 |
+ $config_db->set_prop('openvpn-bridge', 'HMAC', $q->param("hmac")); |
258 |
+ } |
259 |
+ if ($q->param("cipher") eq 'BF-CBC') { |
260 |
+ my $tmpk = $config_db->get('openvpn-bridge'); |
261 |
+ $tmpk->delete_prop('Cipher'); |
262 |
+ } |
263 |
+ else { |
264 |
+ $config_db->set_prop('openvpn-bridge', 'Cipher', $q->param("cipher")); |
265 |
+ } |
266 |
|
267 |
unless ( system ("/sbin/e-smith/signal-event", "openvpn-bridge-update") == 0 ){ |
268 |
return $fm->error('ERROR_OCCURED', 'FIRST');; |
269 |
@@ -103,6 +124,51 @@ |
270 |
return $fm->success('SUCCESS','FIRST'); |
271 |
} |
272 |
|
273 |
+#status global du lien |
274 |
+sub print_link_status{ |
275 |
+ my $fm = shift; |
276 |
+ my $q = $fm->{cgi}; |
277 |
+ my $common_name = $fm->localise('COMMON_NAME'); |
278 |
+ my $real_ip = $fm->localise('REAL_IP'); |
279 |
+ my $virtual_ip = $fm->localise('VIRTUAL_IP'); |
280 |
+ my $sent = $fm->localise('SENT'); |
281 |
+ my $received = $fm->localise('RECEIVED'); |
282 |
+ my $connected_since = $fm->localise('CONNECTED_SINCE'); |
283 |
+ my $disconnect = $fm->localise('DISCONNECT'); |
284 |
+ |
285 |
+ # test status db |
286 |
+ return get_status($fm) if get_status($fm) eq $fm->localise('DISABLED'); |
287 |
+ # test systemd |
288 |
+ my $act = `/usr/bin/systemctl is-active openvpn-bridge.service`; |
289 |
+ chomp $act; |
290 |
+ return "<span style='color:red'>" . $fm->localise('SYSTEMD_RETURNED') . " $act </span>" unless $act eq "active"; |
291 |
+ |
292 |
+ # On récupère les paramètre et on les parse |
293 |
+ my $param = get_prop('',"management"); |
294 |
+ my @param = split(/:/,$param); |
295 |
+ my $host = $param[0]; |
296 |
+ my $port = $param[1]; |
297 |
+ my $pass = $param[2]; |
298 |
+ |
299 |
+ # On cré l'objet vpn |
300 |
+ my $vpn = Net::OpenVPN::Manage->new({ |
301 |
+ host => $host, |
302 |
+ port => $port, |
303 |
+ password => $pass, |
304 |
+ timeout => 3 |
305 |
+ }); |
306 |
+ |
307 |
+ # On se connecte ou on retourne le message d'erreur |
308 |
+ unless($vpn->connect()){ |
309 |
+ print "<span style='color:red'>" . $fm->localise('ERROR_CONNECT_TO_MANAGER'). "</span>"; |
310 |
+ return ""; |
311 |
+ } |
312 |
+ my $r = $vpn->status_ref(); |
313 |
+ return "<span style='color:green'>" . $fm->localise('UP') ."</span>" if $r->{TITLE}; |
314 |
+ return "<span style='color:red'>" . $fm->localise('ERROR') ."</span>"; |
315 |
+} |
316 |
+ |
317 |
+ |
318 |
# Affiche les connexions en cours |
319 |
sub print_clients_table{ |
320 |
my $fm = shift; |
321 |
@@ -500,7 +566,8 @@ |
322 |
my $mtutest = get_prop('','mtuTest','enabled'); |
323 |
my $fragment = get_prop('','fragment',''); |
324 |
my $tunmtu = get_prop('','tunMtu',''); |
325 |
- my $cipher = get_prop('','cipher',''); |
326 |
+ my $cipher = get_prop('','Cipher',''); |
327 |
+ my $hmac = get_prop('','HMAC',''); |
328 |
if ($proto eq 'tcp'){ |
329 |
$mtutest = 'disabled'; |
330 |
$fragment = ''; |
331 |
@@ -518,11 +585,11 @@ |
332 |
$fic .= "tls-auth takey.pem 1\n" |
333 |
if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem")); |
334 |
$fic .= "ns-cert-type server\n\n"; |
335 |
+ $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto')); |
336 |
+ $fic .= "auth $hmac\n" if (($hmac ne '') && ($hmac ne 'auto')); |
337 |
+ $fic .= "\n"; |
338 |
$fic .= (get_prop('','userAuth','CrtWithPass') eq 'CrtWithPass' ? "auth-user-pass\n\n" : "\n"); |
339 |
- $fic .= "# Replace user.p12 with the certificate\n# bundle in PKCS12 format\n"; |
340 |
- $fic .= "pkcs12 user.p12\n\n"; |
341 |
- $fic .= "# You can replace the pkcs12\n# directive with the old ones\n"; |
342 |
- $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n"; |
343 |
+ $fic .= "\n"; |
344 |
if ($mtutest eq 'enabled'){ |
345 |
$fic .= "mtu-test\n"; |
346 |
} |
347 |
@@ -534,9 +601,33 @@ |
348 |
$fic .= "fragment $fragment\nmssfix\n"; |
349 |
} |
350 |
} |
351 |
- $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto')); |
352 |
$fic .= "comp-lzo\n"; |
353 |
$fic .= "pull\n"; |
354 |
+ $fic .= "\n"; |
355 |
+ $fic .= "# Uncomment and replace user.p12 \n# with the certificate bundle in PKCS12 format\n"; |
356 |
+ $fic .= "#pkcs12 user.p12\n\n"; |
357 |
+ $fic .= "# You can replace the pkcs12\n# directive with the old ones\n"; |
358 |
+ $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n"; |
359 |
+ $fic .= "# Alternatively you can paste your cert and private key here:\n"; |
360 |
+ #infile file support |
361 |
+ $fic .= "# client certificate - uncomment and paste between delimiters \n"; |
362 |
+ $fic .= "#<cert>\n"; |
363 |
+ $fic .= "#</cert>\n"; |
364 |
+ $fic .= "# client private key - uncomment and paste between delimiters\n"; |
365 |
+ $fic .= "#<key>\n"; |
366 |
+ $fic .= "#</key>\n"; |
367 |
+ $fic .= "\n"; |
368 |
+ $fic .= "# CA certificate\n"; |
369 |
+ $fic .= "<ca>\n"; |
370 |
+ $fic .= read_pem($fm,'cacert.pem')."\n"; |
371 |
+ $fic .= "</ca>\n"; |
372 |
+ if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem")) { |
373 |
+ $fic .= "\n# Shared TLS key\n"; |
374 |
+ $fic .= "<tls-auth>\n"; |
375 |
+ $fic .= read_pem($fm,'takey.pem')."\n"; |
376 |
+ $fic .= "</tls-auth>\n"; |
377 |
+ } |
378 |
+ |
379 |
|
380 |
print(esmith::cgi::genTextRow($q, |
381 |
$q->textarea ( |
382 |
@@ -544,7 +635,7 @@ |
383 |
-override => 1, |
384 |
-default => $fic, |
385 |
-rows => 30, |
386 |
- -columns => 60) |
387 |
+ -columns => 100) |
388 |
) |
389 |
); |
390 |
return ""; |
391 |
@@ -773,5 +864,127 @@ |
392 |
return "OK"; |
393 |
} |
394 |
|
395 |
+###### those could almost be copy paste for bridge and s2s |
396 |
+## |
397 |
+=head2 get_hmac_status |
398 |
+ |
399 |
+=cut |
400 |
+sub get_hmac_status{ |
401 |
+ my ($fm) = @_; |
402 |
+ my $hmac = get_current_hmac(); |
403 |
+ $hmac= "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/); |
404 |
+ return $hmac; |
405 |
+} |
406 |
+ |
407 |
+=head2 get_cipher_status |
408 |
+list obtained using |
409 |
+openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '} |
410 |
+=cut |
411 |
+sub get_cipher_status{ |
412 |
+ my ($fm) = @_; |
413 |
+ my $cipher = get_current_cipher(); |
414 |
+ $cipher = "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ ); |
415 |
+ return $cipher; |
416 |
+} |
417 |
+ |
418 |
+=head2 get_current_hmac |
419 |
+ |
420 |
+=cut |
421 |
+sub get_current_hmac{ |
422 |
+ my ($self) = @_; |
423 |
+ my $cvpn= $config_db->get('openvpn-bridge') or return "SHA256" ; |
424 |
+ return "SHA1" unless defined $cvpn->prop('HMAC'); |
425 |
+ return $cvpn->prop('HMAC') ; |
426 |
+} |
427 |
+ |
428 |
+=head2 get_current_cipher |
429 |
+list obtained using |
430 |
+openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '} |
431 |
+=cut |
432 |
+sub get_current_cipher{ |
433 |
+ my ($self) = @_; |
434 |
+ my $cvpn= $config_db->get('openvpn-bridge') or return "AES-128-CBC"; |
435 |
+ return "BF-CBC" unless defined $cvpn->prop('Cipher'); |
436 |
+ return $cvpn->prop('Cipher') ; |
437 |
+} |
438 |
+ |
439 |
+ |
440 |
+=head2 get_digests_options |
441 |
+ |
442 |
+=cut |
443 |
+sub get_digests_options{ |
444 |
+ my ($self) = @_; |
445 |
+ my $translate = $self->localise('DEFAULT'); |
446 |
+ my $suggested = $self->localise('SUGGESTED'); |
447 |
+ my %options= ( |
448 |
+ 'whirlpool' => 'whirlpool (512)', |
449 |
+ 'SHA512' => 'SHA512', |
450 |
+ 'SHA384' => 'SHA384', |
451 |
+ 'SHA256' => 'SHA256' . ": $suggested", |
452 |
+ 'SHA224' => 'SHA224', |
453 |
+ 'SHA1' => 'SHA1 (160)' . ": $translate", |
454 |
+ 'SHA' => 'SHA (160)', |
455 |
+ 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)', |
456 |
+ 'RIPEMD160' => 'RIPEMD160', |
457 |
+ 'MD5' => 'MD5 (128)', |
458 |
+ 'MD4' => 'MD4 (128)', |
459 |
+ ); |
460 |
+ return \%options; |
461 |
+} |
462 |
+ |
463 |
+ |
464 |
+=head2 get_ciphers_options |
465 |
+list obtained using |
466 |
+openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '} |
467 |
+then reduced to remove most of insecure ciphers |
468 |
+Using a CBC or GCM mode is recommended. |
469 |
+In static key mode only CBC mode is allowed. |
470 |
+ |
471 |
+=cut |
472 |
+sub get_ciphers_options{ |
473 |
+ my ($self) = @_; |
474 |
+ my $translate = $self->localise('DEFAULT'); |
475 |
+ my $suggested = $self->localise('SUGGESTED'); |
476 |
+ my %options= ( |
477 |
+ 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested", |
478 |
+ 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)', |
479 |
+ 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)', |
480 |
+ 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)', |
481 |
+ 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)', |
482 |
+ 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)', |
483 |
+ 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)', |
484 |
+ 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)', |
485 |
+ 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)', |
486 |
+ 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)', |
487 |
+ 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)', |
488 |
+ 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)', |
489 |
+ 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)', |
490 |
+ 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)', |
491 |
+ 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)', |
492 |
+ 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)', |
493 |
+ 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)', |
494 |
+ 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)', |
495 |
+ 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)', |
496 |
+ 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)', |
497 |
+ 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)', |
498 |
+ 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)', |
499 |
+ 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)', |
500 |
+ 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)', |
501 |
+ 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)', |
502 |
+ 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)', |
503 |
+ 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)', |
504 |
+ 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)', |
505 |
+ 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)', |
506 |
+ 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)', |
507 |
+ 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)', |
508 |
+ 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)', |
509 |
+ 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)', |
510 |
+ 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)', |
511 |
+ 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)', |
512 |
+ 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)', |
513 |
+ 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ", |
514 |
+ ); |
515 |
+ return \%options; |
516 |
+} |
517 |
|
518 |
1; |