
Contents of /rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335-sme10bis.patch



Revision 1.1 - (show annotations) (download)
Thu Apr 1 01:43:12 2021 UTC (3 years, 7 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-openvpn-bridge-2_1-18_el7_sme, smeserver-openvpn-bridge-2_1-16_el7_sme, smeserver-openvpn-bridge-2_1-14_el7_sme, smeserver-openvpn-bridge-2_1-19_el7_sme, smeserver-openvpn-bridge-2_1-17_el7_sme, smeserver-openvpn-bridge-2_1-15_el7_sme, smeserver-openvpn-bridge-2_1-13_el7_sme, smeserver-openvpn-bridge-2_1-23_el7_sme, smeserver-openvpn-bridge-2_1-21_el7_sme, smeserver-openvpn-bridge-2_1-22_el7_sme, smeserver-openvpn-bridge-2_1-20_el7_sme, HEAD
* Wed Mar 31 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.1-13.sme
- default AES-128-CBC and SHA256 fix [SME: 11335]
- better first screen with information on link and hmac and cipher
- better client default configuration with embedded shared key and CAcert
- migrate cipher to Cipher like routed and s2s usage
- HMAC and Cipher are accessible to change using the manager.
- fix typos in translations [SME: 6647]

1 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher
2 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 1969-12-31 19:00:00.000000000 -0500
3 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/Cipher 2021-03-31 21:29:02.179000000 -0400
4 @@ -0,0 +1 @@
5 +AES-128-CBC
6 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher
7 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-31 16:16:30.757000000 -0400
8 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500
9 @@ -1 +0,0 @@
10 -AES-256-CBC
11 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC
12 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 1969-12-31 19:00:00.000000000 -0500
13 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/HMAC 2021-03-31 16:20:58.668000000 -0400
14 @@ -0,0 +1 @@
15 +SHA256
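Review bot: Shipping `SHA256` as a configuration default means an upgraded server that never had an `HMAC` property will start requiring SHA256 on the data channel, while its already-distributed client configs carry no `auth` line and stay on OpenVPN's SHA1 default, so those clients stop authenticating until they are regenerated. The `35encryption` template added later in this patch says it wants to `keep empty for default on existing one`, which this default contradicts, assuming e-smith applies missing defaults on upgrade as I believe it does. If the intent is new installs only, keep the value out of `defaults/` and set it from an install-time fragment, or let the `50openvpn-cipher` migrate fragment set `HMAC` only when it creates the record. The `Cipher` default in the first hunk is less exposed because the old `cipher` value is migrated, so existing installs keep their setting.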
16 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher
17 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 1969-12-31 19:00:00.000000000 -0500
18 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/migrate/50openvpn-cipher 2021-03-31 21:31:42.029000000 -0400
19 @@ -0,0 +1,16 @@
20 +{
21 + #migrate cipher to Cipher that is used in all other openvpn contribs
22 + my $opv = $DB->get('openvpn-bridge') || $DB->new_record('openvpn-bridge', {type => 'service'});
23 +
24 + my %old2new = (
25 + 'cipher' => "Cipher",
26 + );
27 +
28 + for my $keyt ( keys %old2new )
29 + {
30 + next unless ( $opv->prop($keyt) );
31 + my $value = $DB->get_prop_and_delete('openvpn-bridge', $keyt);
32 + next if ( $opv->prop($old2new{$keyt}) );
33 + $DB->set_prop('openvpn-bridge', $old2new{$keyt}, $value);
34 + }
35 +}
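Review bot: `next unless ( $opv->prop($keyt) )` tests truthiness, so a legacy `cipher` property holding the empty string is neither migrated nor removed and lingers as a stale key; `next unless defined $opv->prop($keyt);` lets the following `get_prop_and_delete` clean it up as intended. Silently discarding the old value when `Cipher` already exists looks deliberate, but a short comment such as `# an existing Cipher wins; the legacy cipher value is dropped` would save the next reader a question. A value of `auto` is carried over verbatim, which is consistent because both the `35encryption` template and the client-config generator still special-case it.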
36 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge
37 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 16:16:30.731000000 -0400
38 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:37:50.773000000 -0400
39 @@ -230,7 +230,7 @@
40
41 <entry>
42 <base>DESC_STATUS</base>
43 - <trans>Do you want to enable the service ?</trans>
44 + <trans>Do you want to enable the service?</trans>
45 </entry>
46
47 <entry>
48 @@ -363,7 +363,7 @@
49
50 <entry>
51 <base>DESC_CLIENT_DISCONECT_PAGE</base>
52 - <trans>Your are going to diconnect this user. Are you sure you want to continue ?</trans>
53 + <trans>You are going to diconnect this user. Are you sure you want to continue?</trans>
54 </entry>
55
56 <entry>
57 @@ -420,4 +420,49 @@
58 <base>LABEL_TA_PEM</base>
59 <trans>Static key</trans>
60 </entry>
61 + <entry>
62 + <base>DESC_HMAC</base>
63 + <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans>
64 + </entry>
65 + <entry>
66 + <base>LABEL_HMAC</base>
67 + <trans>HMAC algorithm</trans>
68 + </entry>
69 + <entry>
70 + <base>DESC_CIPHER</base>
71 + <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans>
72 + </entry>
73 + <entry>
74 + <base>LABEL_CIPHER</base>
75 + <trans>Cipher encryption algorithm</trans>
76 + </entry>
77 + <entry>
78 + <base>LINK</base>
79 + <trans>Link status</trans>
80 + </entry>
81 + <entry>
82 + <base>UP</base>
83 + <trans>Up</trans>
84 + </entry>
85 + <entry>
86 + <base>SYSTEMD_RETURNED</base>
87 + <trans>Systemd returned service as</trans>
88 + </entry>
89 + <entry>
90 + <base>CHANGEME_INSECURE</base>
91 + <trans>Please change this insecure parameter</trans>
92 + </entry>
93 + <entry>
94 + <base>SUGGESTED</base>
95 + <trans>Sugested value</trans>
96 + </entry>
97 + <entry>
98 + <base>DEFAULT</base>
99 + <trans>Default</trans>
100 + </entry>
101 + <entry>
102 + <base>ERROR</base>
103 + <trans>Error</trans>
104 + </entry>
105 +
106 </lexicon>
107 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption
108 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
109 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/35encryption 2021-03-31 21:31:42.515000000 -0400
110 @@ -0,0 +1,33 @@
111 +{
112 + #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
113 + # need to be changed on both side
114 + my $HMAC = ( ${'openvpn-bridge'}{'HMAC'} ) ? ${'openvpn-bridge'}{'HMAC'} : undef;
115 + # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
116 + # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
117 + my $cipher = ( ${'openvpn-bridge'}{'Cipher'} && ${'openvpn-bridge'}{'Cipher'} ne 'auto')? ${'openvpn-bridge'}{'Cipher'} : undef;
118 +
119 + ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
120 + my $tlsVmin = ( ${'openvpn-bridge'}{'tlsVmin'} && ( ${'openvpn-bridge'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-bridge'}{'tlsVmin'} : "1.2";
121 + # TLS 1.3 encryption settings
122 + my $tlsCipherSuites13 = ( ${'openvpn-bridge'}{'tlsCipherSuites13'} ) ? ${'openvpn-bridge'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
123 + # # TLS 1.2 encryption settings
124 + my $tlsCipher12 = ( ${'openvpn-bridge'}{'tlsCipher12'} ) ? ${'openvpn-bridge'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
125 +
126 +
127 +
128 + $OUT .= "#securing control channel\n";
129 + $OUT .= "tls-version-min $tlsVmin\n";
130 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
131 + $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
132 + #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
133 + #$OUT .= "ecdh-curve secp384r1\n";
134 +
135 + # data channel
136 + $OUT .= "#securing data channel\n";
137 + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
138 + #auth SHA512
139 + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
140 +
141 +
142 +
143 +}
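Review bot: The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards can never be false, because both variables receive non-empty fallback strings a few lines above, so the two directives are unconditional and the guards only mislead. Either drop them or give the admin a way to suppress a directive, for example by mapping a DB value of `disabled` to undef before the interpolation. The `tlsVmin` pattern `/^1\.[0-9]{1}$/` accepts `1.0` and `1.1` although the comment above says those versions are unwanted; if that is an intentional admin override, say so in the comment, otherwise restrict it to `/^1\.[2-3]$/`. `$HMAC` and `$cipher` are interpolated into openvpn.conf without validation here; they originate from the panel's save handler, which is where the allow-list check against the offered options belongs.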
144 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options
145 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2013-11-11 12:27:02.000000000 -0500
146 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/60options 2021-03-31 21:31:42.246000000 -0400
147 @@ -4,7 +4,6 @@
148 my $mtuTest = ${'openvpn-bridge'}{mtuTest} || 'enabled';
149 my $tunMtu = ${'openvpn-bridge'}{tunMtu};
150 my $fragment = ${'openvpn-bridge'}{fragment};
151 -my $cipher = ${'openvpn-bridge'}{cipher} || 'auto';
152 my $redirectGW = ${'openvpn-bridge'}{redirectGW} || 'PerClient';
153 my $proto = ${'openvpn-bridge'}{protocol} || 'udp';
154 my $duplicate = ${'openvpn-bridge'}{duplicateCN} || 'disabled';
155 @@ -35,10 +34,6 @@
156 }
157 }
158
159 -if ($cipher ne 'auto'){
160 - $OUT .= "cipher $cipher\n";
161 -}
162 -
163 if ($duplicate eq 'enabled'){
164 $OUT .= "duplicate-cn\n";
165 }
166 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge
167 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/web/functions/openvpnbridge 2013-11-11 12:27:02.000000000 -0500
168 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/web/functions/openvpnbridge 2021-03-31 21:31:41.307000000 -0400
169 @@ -57,6 +57,14 @@
170 value="get_status()">
171 <label>LABEL_STATUS</label>
172 </field>
173 +
174 + <field
175 + type="literal"
176 + id="current_link_status"
177 + display=""
178 + value="print_link_status()">
179 + <label>LINK</label>
180 + </field>
181
182 <field
183 type="literal"
184 @@ -81,6 +89,21 @@
185 value="print_crt_not_ready_warning()">
186 <label>LABEL_CRT_STATUS</label>
187 </field>
188 +
189 + <field
190 + type="literal"
191 + id="current_hmac_status"
192 + display=""
193 + value="get_hmac_status()">
194 + <label>LABEL_HMAC</label>
195 + </field>
196 + <field
197 + type="literal"
198 + id="current_cipher_status"
199 + display=""
200 + value="get_cipher_status()">
201 + <label>LABEL_CIPHER</label>
202 + </field>
203
204 <subroutine src="print_section_bar()" />
205 <subroutine src="print_custom_button('DESC_RULE_BUTTON','RULES_PAGE')"/>
206 @@ -135,6 +158,17 @@
207 <description>DESC_END_POOL</description>
208 </field>
209
210 + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
211 + <description>DESC_HMAC</description>
212 + <label>LABEL_HMAC</label>
213 + </field>
214 +
215 + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
216 + <description>DESC_CIPHER</description>
217 + <label>LABEL_CIPHER</label>
218 + </field>
219 +
220 +
221 <subroutine src="print_button('SAVE')" />
222 </page>
223
224 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm
225 --- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 16:16:30.758000000 -0400
226 +++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-31 21:31:41.548000000 -0400
227 @@ -16,6 +16,7 @@
228 our @EXPORT = qw(
229 get_prop
230 get_status
231 + print_link_status
232 get_auth_type
233 get_ip_pool
234 print_crt_not_ready
235 @@ -27,6 +28,12 @@
236 write_pem
237 read_pem
238 disconnect_client
239 + get_cipher_status
240 + get_hmac_status
241 + get_current_hmac
242 + get_current_cipher
243 + get_digests_options
244 + get_ciphers_options
245 );
246
247 our $config_db = esmith::ConfigDB->open || die "Couldn't open ConfigDB\n";
248 @@ -95,6 +102,20 @@
249 $config_db->set_prop('openvpn-bridge', 'userAuth', $q->param("auth_type"));
250 $config_db->set_prop('openvpn-bridge', 'startPool', $q->param("start_pool"));
251 $config_db->set_prop('openvpn-bridge', 'endPool', $q->param("end_pool"));
252 + if ($q->param("hmac") eq 'SHA1') {
253 + my $tmpk = $config_db->get('openvpn-bridge');
254 + $tmpk->delete_prop('HMAC');
255 + }
256 + else {
257 + $config_db->set_prop('openvpn-bridge', 'HMAC', $q->param("hmac"));
258 + }
259 + if ($q->param("cipher") eq 'BF-CBC') {
260 + my $tmpk = $config_db->get('openvpn-bridge');
261 + $tmpk->delete_prop('Cipher');
262 + }
263 + else {
264 + $config_db->set_prop('openvpn-bridge', 'Cipher', $q->param("cipher"));
265 + }
266
267 unless ( system ("/sbin/e-smith/signal-event", "openvpn-bridge-update") == 0 ){
268 return $fm->error('ERROR_OCCURED', 'FIRST');;
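Review bot: `$q->param("hmac")` and `$q->param("cipher")` are stored in the configuration DB without being checked against the values the panel offers, and the `35encryption` template and the client-config generator then interpolate them verbatim into `openvpn.conf` and the downloadable client config, so a stray or malformed value silently produces a broken or unexpected service configuration. Restricting both to the keys of `get_digests_options()` / `get_ciphers_options()` closes that gap and also removes the `eq` on a possibly undefined parameter, which warns. `$config_db->get('openvpn-bridge')` can return undef, in which case `$tmpk->delete_prop(...)` dies; guard the delete on the record existing. The rewrite below reports a rejected value the same way the signal-event failure is reported a few lines later; the enclosing save sub starts before this hunk.
```perl
$config_db->set_prop('openvpn-bridge', 'endPool', $q->param("end_pool"));
my $rec = $config_db->get('openvpn-bridge');
# Accept only values the panel itself offers; the stored value is
# interpolated verbatim into openvpn.conf and the client config.
my $hmac = $q->param("hmac") // '';
return $fm->error('ERROR_OCCURED', 'FIRST')
    unless exists get_digests_options($fm)->{$hmac};
if ($hmac eq 'SHA1') {
    $rec->delete_prop('HMAC') if $rec;
}
else {
    $config_db->set_prop('openvpn-bridge', 'HMAC', $hmac);
}
my $cipher = $q->param("cipher") // '';
return $fm->error('ERROR_OCCURED', 'FIRST')
    unless exists get_ciphers_options($fm)->{$cipher};
if ($cipher eq 'BF-CBC') {
    $rec->delete_prop('Cipher') if $rec;
}
else {
    $config_db->set_prop('openvpn-bridge', 'Cipher', $cipher);
}
# … unchanged: signal-event call and return …
```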
269 @@ -103,6 +124,51 @@
270 return $fm->success('SUCCESS','FIRST');
271 }
272
273 +#status global du lien
274 +sub print_link_status{
275 + my $fm = shift;
276 + my $q = $fm->{cgi};
277 + my $common_name = $fm->localise('COMMON_NAME');
278 + my $real_ip = $fm->localise('REAL_IP');
279 + my $virtual_ip = $fm->localise('VIRTUAL_IP');
280 + my $sent = $fm->localise('SENT');
281 + my $received = $fm->localise('RECEIVED');
282 + my $connected_since = $fm->localise('CONNECTED_SINCE');
283 + my $disconnect = $fm->localise('DISCONNECT');
284 +
285 + # test status db
286 + return get_status($fm) if get_status($fm) eq $fm->localise('DISABLED');
287 + # test systemd
288 + my $act = `/usr/bin/systemctl is-active openvpn-bridge.service`;
289 + chomp $act;
290 + return "<span style='color:red'>" . $fm->localise('SYSTEMD_RETURNED') . " $act </span>" unless $act eq "active";
291 +
292 + # On récupère les paramètre et on les parse
293 + my $param = get_prop('',"management");
294 + my @param = split(/:/,$param);
295 + my $host = $param[0];
296 + my $port = $param[1];
297 + my $pass = $param[2];
298 +
299 + # On cré l'objet vpn
300 + my $vpn = Net::OpenVPN::Manage->new({
301 + host => $host,
302 + port => $port,
303 + password => $pass,
304 + timeout => 3
305 + });
306 +
307 + # On se connecte ou on retourne le message d'erreur
308 + unless($vpn->connect()){
309 + print "<span style='color:red'>" . $fm->localise('ERROR_CONNECT_TO_MANAGER'). "</span>";
310 + return "";
311 + }
312 + my $r = $vpn->status_ref();
313 + return "<span style='color:green'>" . $fm->localise('UP') ."</span>" if $r->{TITLE};
314 + return "<span style='color:red'>" . $fm->localise('ERROR') ."</span>";
315 +}
316 +
317 +
318 # Affiche les connexions en cours
319 sub print_clients_table{
320 my $fm = shift;
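Review bot: `print_link_status` copies eight locals from `print_clients_table` (`$q`, `$common_name`, `$real_ip`, `$virtual_ip`, `$sent`, `$received`, `$connected_since`, `$disconnect`) that it never reads; drop them. It also calls `get_status($fm)` twice for a single comparison, and on a failed management connect it `print`s the error span but `return`s an empty string, unlike every other branch which returns its markup; `return "<span style='color:red'>" . $fm->localise('ERROR_CONNECT_TO_MANAGER') . "</span>" unless $vpn->connect();` keeps the output path uniform. The management password obtained from `get_prop('',"management")` is only handed to the library and never emitted, which is right. Using `$r->{TITLE}` as the up indicator depends on the status hash layout of Net::OpenVPN::Manage; a one-line comment naming that assumption would help.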
321 @@ -500,7 +566,8 @@
322 my $mtutest = get_prop('','mtuTest','enabled');
323 my $fragment = get_prop('','fragment','');
324 my $tunmtu = get_prop('','tunMtu','');
325 - my $cipher = get_prop('','cipher','');
326 + my $cipher = get_prop('','Cipher','');
327 + my $hmac = get_prop('','HMAC','');
328 if ($proto eq 'tcp'){
329 $mtutest = 'disabled';
330 $fragment = '';
331 @@ -518,11 +585,11 @@
332 $fic .= "tls-auth takey.pem 1\n"
333 if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem"));
334 $fic .= "ns-cert-type server\n\n";
335 + $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto'));
336 + $fic .= "auth $hmac\n" if (($hmac ne '') && ($hmac ne 'auto'));
337 + $fic .= "\n";
338 $fic .= (get_prop('','userAuth','CrtWithPass') eq 'CrtWithPass' ? "auth-user-pass\n\n" : "\n");
339 - $fic .= "# Replace user.p12 with the certificate\n# bundle in PKCS12 format\n";
340 - $fic .= "pkcs12 user.p12\n\n";
341 - $fic .= "# You can replace the pkcs12\n# directive with the old ones\n";
342 - $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n";
343 + $fic .= "\n";
344 if ($mtutest eq 'enabled'){
345 $fic .= "mtu-test\n";
346 }
347 @@ -534,9 +601,33 @@
348 $fic .= "fragment $fragment\nmssfix\n";
349 }
350 }
351 - $fic .= "cipher $cipher\n" if (($cipher ne '') && ($cipher ne 'auto'));
352 $fic .= "comp-lzo\n";
353 $fic .= "pull\n";
354 + $fic .= "\n";
355 + $fic .= "# Uncomment and replace user.p12 \n# with the certificate bundle in PKCS12 format\n";
356 + $fic .= "#pkcs12 user.p12\n\n";
357 + $fic .= "# You can replace the pkcs12\n# directive with the old ones\n";
358 + $fic .= "#ca cacert.pem\n#cert user.pem\n#key user-key.pem\n\n";
359 + $fic .= "# Alternatively you can paste your cert and private key here:\n";
360 + #infile file support
361 + $fic .= "# client certificate - uncomment and paste between delimiters \n";
362 + $fic .= "#<cert>\n";
363 + $fic .= "#</cert>\n";
364 + $fic .= "# client private key - uncomment and paste between delimiters\n";
365 + $fic .= "#<key>\n";
366 + $fic .= "#</key>\n";
367 + $fic .= "\n";
368 + $fic .= "# CA certificate\n";
369 + $fic .= "<ca>\n";
370 + $fic .= read_pem($fm,'cacert.pem')."\n";
371 + $fic .= "</ca>\n";
372 + if (( -e "$privdir/takey.pem")&&( !-z "$privdir/takey.pem")) {
373 + $fic .= "\n# Shared TLS key\n";
374 + $fic .= "<tls-auth>\n";
375 + $fic .= read_pem($fm,'takey.pem')."\n";
376 + $fic .= "</tls-auth>\n";
377 + }
378 +
379
380 print(esmith::cgi::genTextRow($q,
381 $q->textarea (
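Review bot: The generated client config now carries an inline `<tls-auth>` block while the `tls-auth takey.pem 1` line kept as context in the previous hunk is still emitted, so the client receives both a file-based and an inline static key. As far as I recall OpenVPN honours the last `tls-auth` it parses and the inline form carries no direction argument, so this pair only works because the earlier line already set the key direction; the robust form is `key-direction 1` beside the `<tls-auth>` block with the file directive removed. Embedding `takey.pem` and `cacert.pem` via `read_pem` turns this textarea into the distribution channel for the shared TLS key, which is acceptable for the admin panel, but a comment above the block should state that the generated text contains secret material so it is never later wired to an unauthenticated download. The enclosing sub starts before this hunk.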
382 @@ -544,7 +635,7 @@
383 -override => 1,
384 -default => $fic,
385 -rows => 30,
386 - -columns => 60)
387 + -columns => 100)
388 )
389 );
390 return "";
391 @@ -773,5 +864,127 @@
392 return "OK";
393 }
394
395 +###### those could almost be copy paste for bridge and s2s
396 +##
397 +=head2 get_hmac_status
398 +
399 +=cut
400 +sub get_hmac_status{
401 + my ($fm) = @_;
402 + my $hmac = get_current_hmac();
403 + $hmac= "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
404 + return $hmac;
405 +}
406 +
407 +=head2 get_cipher_status
408 +list obtained using
409 +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
410 +=cut
411 +sub get_cipher_status{
412 + my ($fm) = @_;
413 + my $cipher = get_current_cipher();
414 + $cipher = "<span style='color:red'>". $fm->localise('CHANGEME_INSECURE'). ": $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
415 + return $cipher;
416 +}
417 +
418 +=head2 get_current_hmac
419 +
420 +=cut
421 +sub get_current_hmac{
422 + my ($self) = @_;
423 + my $cvpn= $config_db->get('openvpn-bridge') or return "SHA256" ;
424 + return "SHA1" unless defined $cvpn->prop('HMAC');
425 + return $cvpn->prop('HMAC') ;
426 +}
427 +
428 +=head2 get_current_cipher
429 +list obtained using
430 +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
431 +=cut
432 +sub get_current_cipher{
433 + my ($self) = @_;
434 + my $cvpn= $config_db->get('openvpn-bridge') or return "AES-128-CBC";
435 + return "BF-CBC" unless defined $cvpn->prop('Cipher');
436 + return $cvpn->prop('Cipher') ;
437 +}
438 +
439 +
440 +=head2 get_digests_options
441 +
442 +=cut
443 +sub get_digests_options{
444 + my ($self) = @_;
445 + my $translate = $self->localise('DEFAULT');
446 + my $suggested = $self->localise('SUGGESTED');
447 + my %options= (
448 + 'whirlpool' => 'whirlpool (512)',
449 + 'SHA512' => 'SHA512',
450 + 'SHA384' => 'SHA384',
451 + 'SHA256' => 'SHA256' . ": $suggested",
452 + 'SHA224' => 'SHA224',
453 + 'SHA1' => 'SHA1 (160)' . ": $translate",
454 + 'SHA' => 'SHA (160)',
455 + 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)',
456 + 'RIPEMD160' => 'RIPEMD160',
457 + 'MD5' => 'MD5 (128)',
458 + 'MD4' => 'MD4 (128)',
459 + );
460 + return \%options;
461 +}
462 +
463 +
464 +=head2 get_ciphers_options
465 +list obtained using
466 +openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
467 +then reduced to remove most of insecure ciphers
468 +Using a CBC or GCM mode is recommended.
469 +In static key mode only CBC mode is allowed.
470 +
471 +=cut
472 +sub get_ciphers_options{
473 + my ($self) = @_;
474 + my $translate = $self->localise('DEFAULT');
475 + my $suggested = $self->localise('SUGGESTED');
476 + my %options= (
477 + 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested",
478 + 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)',
479 + 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)',
480 + 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)',
481 + 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)',
482 + 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)',
483 + 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)',
484 + 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)',
485 + 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)',
486 + 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)',
487 + 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)',
488 + 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)',
489 + 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)',
490 + 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)',
491 + 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)',
492 + 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)',
493 + 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)',
494 + 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)',
495 + 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)',
496 + 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)',
497 + 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)',
498 + 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)',
499 + 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)',
500 + 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)',
501 + 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)',
502 + 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)',
503 + 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)',
504 + 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)',
505 + 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)',
506 + 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)',
507 + 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)',
508 + 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)',
509 + 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)',
510 + 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)',
511 + 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)',
512 + 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)',
513 + 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ",
514 + );
515 + return \%options;
516 +}
517
518 1;
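Review bot: The POD for `get_cipher_status` and `get_current_cipher` repeats the `openvpn --show-digests` pipeline that only describes how `get_digests_options` was built; neither sub produces a list, so replace both blocks with a one-line description such as `Return the configured cipher, or the red CHANGEME_INSECURE span when its name does not indicate a 128-bit-or-larger key`. `get_digests_options` still offers `MD4`, `MD5`, `SHA` and `ecdsa-with-SHA1`, which `get_hmac_status` then flags as insecure; the cipher list was pruned of weak entries according to its POD, and the digest list deserves the same treatment so the select cannot offer what the status line will complain about. The `/(512|256|384|224)$/` and `/(128|192|256|512|SEED)/` checks are name heuristics, so a comment saying they classify by the size in the name rather than by a vetted algorithm list would stop them being read as an allow-list. `get_current_hmac` returns `SHA256` when the record is missing but `SHA1` when only the property is missing (likewise `AES-128-CBC` versus `BF-CBC` in `get_current_cipher`); a comment explaining that the first mirrors the shipped default and the second OpenVPN's implicit default would make the asymmetry intentional rather than surprising.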
