From: Adolf Belka Date: Wed, 15 Feb 2023 17:27:31 +0000 (+0100) Subject: 7-7: OpenVPN-Moved-TLS-auth-to-advanced-encryption-section X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fovpnmain.cgi;p=people%2Fbonnietwin%2Fipfire-2.x.git 7-7: OpenVPN-Moved-TLS-auth-to-advanced-encryption-section Signed-off-by: Adolf Belka --- diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b417ba1cd6..be3d288ad1 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -363,9 +363,19 @@ sub writeserverconf { # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; - if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; - } + # TLS control channel authentication + if ($sovpnsettings{'TLSAUTH'} ne 'off') { + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') { + print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n"; + } + } + if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -958,6 +968,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; @@ -981,6 +992,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc.key for tls-crypt if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') { + if ( ! -e "${General::swroot}/ovpn/certs/tc.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc-v2-server.key for tls-crypt-v2 server if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') { + if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf(); } @@ -1271,18 +1315,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - # This system call is safe, because all arguements are passed as an array. - system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto SETTINGS_ERROR; - } - } - } - $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1293,7 +1325,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { @@ -1658,18 +1689,54 @@ END ### Download tls-auth key ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { - if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: filename=ta.key\r\n\r\n"; + if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; - open(FILE, "${General::swroot}/ovpn/certs/ta.key"); - my @tmp = ; - close(FILE); + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tmp = ; + close(FILE); - print @tmp; + print @tmp; - exit(0); - } + exit(0); + } + +### +### Download tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc.key\r\n\r\n"; + + open(FILE, "${General::swroot}/ovpn/certs/tc.key"); + my @tmp = ; + close(FILE); + + print @tmp; + + + exit(0); + } + +### +### Download tls-crypt-v2 key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n"; + + open(FILE, "${General::swroot}/ovpn/certs/tc-v2-server.key"); + my @tmp = ; + close(FILE); + + print @tmp; + + + exit(0); + } ### ### Form for generating a root certificate @@ -2363,13 +2430,37 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - if ($vpnsettings{'TLSAUTH'} eq 'on') { - if ($cgiparams{'MODE'} eq 'insecure') { - print CLIENTCONF ";"; - } - print CLIENTCONF "tls-auth ta.key\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; + # Comment TLS-Auth directive if 'insecure' mode has been choosen + if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } + + # Comment TLS-Crypt directive if 'insecure' mode has been choosen + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt tc.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "Can't add file tc.key\n"; + } + + # Comment TLS-Crypt-v2 directive if 'insecure' mode has been choosen and generate individual key + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n"; + # Generate individual tls-crypt-v2 client key + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + # Add individual tls-crypt-v2 client key to client package + $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n"; + } + if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2436,7 +2527,33 @@ else print CLIENTCONF "\r\n\r\n"; close(FILE); - # TLS auth + # Create individual tls-crypt-v2 client key and print it to client.conf if 'insecure' has been selected + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + open(FILE, "<$cryptfile"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + } + + # Print TLS-Crypt key to client.ovpn if 'insecure' has been selected + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') { + open(FILE, "<${General::swroot}/ovpn/certs/tc.key"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + } + + # Print TLS-Auth key to client.ovpn if 'insecure' has been selected if ($vpnsettings{'TLSAUTH'} eq 'on') { open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); print CLIENTCONF "\r\n"; @@ -2675,6 +2792,50 @@ END &Header::closepage(); exit(0); } + +### +### Display tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + +### +### Display tls-crypt-v2 server key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } ### ### Display Certificate Revoke List @@ -2728,9 +2889,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; @@ -2951,6 +3109,7 @@ END } $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[41] = $cgiparams{'TLSAUTH'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'}; @@ -2974,6 +3133,17 @@ ADV_ENC_ERROR: @temp = split('\|', $cgiparams{'DAUTH'}); foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; } + # Set default for TLS control authentication + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41] + } + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'tls-crypt'} = ''; + $checked{'TLSAUTH'}{'tls-crypt-v2'} = ''; + @temp = split('\|', $cgiparams{'TLSAUTH'}); + foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] @@ -3028,12 +3198,14 @@ ADV_ENC_ERROR: if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; + $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; + $cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; @@ -3145,6 +3317,7 @@ ADV_ENC_ERROR: $Lang::tr{'ovpn ha'} + $Lang::tr{'ovpn tls auth'} @@ -3163,6 +3336,14 @@ ADV_ENC_ERROR: + + + @@ -3944,7 +4125,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; - $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; $cgiparams{'OTP_STATE'} = $confighash{$cgiparams{'KEY'}}[43]; # Index from [39] to [44] has been reserved by advanced encryption $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; @@ -4894,10 +5074,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - if (1) { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); @@ -5447,9 +5623,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} = 'off'; } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5467,10 +5640,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5573,17 +5742,6 @@ END -
- - $Lang::tr{'ovpn crypt options'}: - -
- - - $Lang::tr{'ovpn tls auth'} - - -

END ; @@ -5905,6 +6063,10 @@ END my $col3="bgcolor='$color{'color22'}'"; # ta.key line my $col4="bgcolor='$color{'color20'}'"; + # tc-v2.key line + my $col5="bgcolor='$color{'color22'}'"; + # tc.key + my $col6="bgcolor='$color{'color20'}'"; if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); @@ -6065,7 +6227,7 @@ END # Nothing print < - $Lang::tr{'ta key'}: + $Lang::tr{'ta key'} $Lang::tr{'not present'}   @@ -6073,6 +6235,51 @@ END ; } + # Adding tc-v2.key to chart + if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") { + my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $tcvsubject =~ /-----BEGIN (.*)-----[\n]/; + $tcvsubject = $1; + print < + $Lang::tr{'tc v2 key'} + $tcvsubject +
+ + +
+
+   + +END +; + } + + # Adding tc.key to chart + if (-f "${General::swroot}/ovpn/certs/tc.key") { + my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $tcsubject =~ /# (.*)[\n]/; + $tcsubject = $1; + print < + $Lang::tr{'tc key'} + $tcsubject + + + + +
+ + +
+   + +END +; + } + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { print "
"; print ""; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 438e70d273..9a6916bd56 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -942,7 +942,9 @@ 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', 'download root certificate' => 'Download root certificate', -'download tls-auth key' => 'Download tls-auth key', +'download tls-auth key' => 'Download TLS-Auth key', +'download tls-crypt key' => 'Download TLS-Crypt key', +'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key', 'dpd action' => 'Action', 'dpd delay' => 'Delay', 'dpd timeout' => 'Timeout', @@ -2045,7 +2047,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', -'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn tls auth' => 'TLS Channel Protection', 'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed.
Please change this as soon as possible!
', 'ovpn warning algorithm' => 'You configured the algorithm', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', @@ -2333,7 +2335,9 @@ 'show otp qrcode' => 'Show OTP QRCode', 'show root certificate' => 'Show root certificate', 'show share options' => 'Show shares options', -'show tls-auth key' => 'Show tls-auth key', +'show tls-auth key' => 'Show TLS-Auth key', +'show tls-crypt key' => 'Show TLS-Crypt key', +'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key', 'shuffle' => 'Shuffle', 'shutdown' => 'Shutdown', 'shutdown ask' => 'Shutdown?', @@ -2461,6 +2465,8 @@ 'system logs' => 'System Logs', 'system status information' => 'System Status Information', 'ta key' => 'TLS-Authentification-Key', +'tc key' => 'TLS-Cryptografic-Key', +'tc v2 key' => 'TLS-Cryptografic-Key-version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (more reliable)', 'telephone not set' => 'Telephone not set.',