-rw-r--r-- | etc/inc/openvpn.inc | 17 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_client.php | 23 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_server.php | 23 |
3 files changed, 63 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index d01e547..cadc32b 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -202,6 +202,20 @@ function openvpn_get_cipherlist() { return $ciphers; } +function openvpn_get_digestlist() { + + $digests = array(); + $digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\''); + $digest_lines = explode("\n", trim($digest_out)); + sort($digest_lines); + foreach ($digest_lines as $line) { + $words = explode(' ', $line); + $digests[$words[0]] = "{$words[0]} {$words[1]}"; + } + $digests["none"] = gettext("None (No Authentication)"); + return $digests; +} + function openvpn_get_engines() { $openssl_engines = array('none' => 'No Hardware Crypto Acceleration'); exec("/usr/local/bin/openssl engine -t -c", $openssl_engine_output); @@ -414,6 +428,8 @@ function openvpn_reconfigure($mode, $settings) { $proto = "{$proto}-{$mode}"; $dev_mode = $settings['dev_mode']; $cipher = $settings['crypto']; + // OpenVPN defaults to SHA1, so use it when unset to maintain compatibility. + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; $interface = get_failover_interface($settings['interface']); $ipaddr = $settings['ipaddr']; @@ -456,6 +472,7 @@ function openvpn_reconfigure($mode, $settings) { $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; + $conf .= "auth {$digest}\n"; $conf .= "up /usr/local/sbin/ovpn-linkup\n"; $conf .= "down /usr/local/sbin/ovpn-linkdown\n"; if (file_exists("/usr/local/sbin/openvpn.attributes.sh")) { diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php index 4f0b6db..c122b79 100644 --- a/usr/local/www/vpn_openvpn_client.php +++ b/usr/local/www/vpn_openvpn_client.php 
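Review bot: The foreach in openvpn_get_digestlist() reads `$words[1]` without checking that the line actually has two fields, so if the openvpn/grep/awk pipeline yields nothing (binary missing, output format change) `explode("\n", trim(''))` gives a single empty line and the function returns an entry with an empty key and a value of one space, which the client and server pages would then render as a selectable option. Add `if (count($words) < 2) continue;` before the assignment. Separately, the "none" entry is offered with the label `None (No Authentication)`; `auth none` removes the HMAC from data-channel packets, so the label should make the consequence explicit, e.g. `gettext("None (No Authentication - insecure, not recommended)")`, rather than looking like just another algorithm.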
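Review bot: `$digest` is interpolated verbatim into `$conf .= "auth {$digest}\n";` in the hunk at line 456 with no check that it is one of the names openvpn_get_digestlist() produces; because the value is read from the saved settings rather than the form, any stored value containing whitespace or a newline would land in the generated configuration as additional directives. A whitelist at the point the fallback is chosen keeps the file well-formed regardless of how the value got into the settings: `if (!array_key_exists($digest, openvpn_get_digestlist())) { $digest = "SHA1"; }`, ideally paired with a logged warning if a logging helper is available here, since a silently substituted digest would only surface later as an HMAC mismatch with the peer. openvpn_reconfigure() starts and ends outside the hunk.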
@@ -92,6 +92,8 @@ if($_GET['act']=="new"){ $pconfig['autotls_enable'] = "yes"; $pconfig['interface'] = "wan"; $pconfig['server_port'] = 1194; + // OpenVPN Defaults to SHA1 + $pconfig['digest'] = "SHA1"; } if($_GET['act']=="edit"){ @@ -129,6 +131,8 @@ if($_GET['act']=="edit"){ } else $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); $pconfig['crypto'] = $a_client[$id]['crypto']; + // OpenVPN Defaults to SHA1 if unset + $pconfig['digest'] = !empty($a_client[$id]['digest']) ? $a_client[$id]['digest'] : "SHA1"; $pconfig['engine'] = $a_client[$id]['engine']; $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; @@ -283,6 +287,7 @@ if ($_POST) { $client['shared_key'] = base64_encode($pconfig['shared_key']); } $client['crypto'] = $pconfig['crypto']; + $client['digest'] = $pconfig['digest']; $client['engine'] = $pconfig['engine']; $client['tunnel_network'] = $pconfig['tunnel_network']; @@ -762,6 +767,24 @@ if ($savemsg) </select> </td> </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Auth Digest Algorithm"); ?></td> + <td width="78%" class="vtable"> + <select name="digest" class="formselect"> + <?php + $digestlist = openvpn_get_digestlist(); + foreach ($digestlist as $name => $desc): + $selected = ''; + if ($name == $pconfig['digest']) + $selected = ' selected'; + ?> + <option value="<?=$name;?>"<?=$selected?>> + <?=htmlspecialchars($desc);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> <tr id="engine"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Hardware Crypto"); ?></td> <td width="78%" class="vtable"> diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index c8b70c3..e59e424 100644 --- a/usr/local/www/vpn_openvpn_server.php +++ b/usr/local/www/vpn_openvpn_server.php 
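Review bot: In the `if ($_POST)` hunk at line 283, `$client['digest'] = $pconfig['digest'];` stores the submitted value without checking it against the names openvpn_get_digestlist() returns, even though the form only offers those; the stored value then goes straight into the `auth` line of the generated OpenVPN configuration, so a modified request could put an arbitrary string there. Reject it alongside the page's other field checks, e.g. `if (!array_key_exists($pconfig['digest'], openvpn_get_digestlist())) $input_errors[] = gettext("The selected Auth Digest Algorithm is not valid.");` — this assumes the page collects validation failures in `$input_errors` as the existing cipher handling presumably does, which is outside this diff. In the form hunk, `<option value="<?=$name;?>">` echoes the key unescaped while `$desc` goes through htmlspecialchars(); the names come from the openvpn binary rather than the request, but `htmlspecialchars($name)` keeps the two consistent. The `if ($_POST)` block starts and ends outside the hunk.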
@@ -97,6 +97,8 @@ if($_GET['act']=="new"){ $pconfig['local_port'] = openvpn_port_next('UDP'); $pconfig['pool_enable'] = "yes"; $pconfig['cert_depth'] = 1; + // OpenVPN Defaults to SHA1 + $pconfig['digest'] = "SHA1"; } if($_GET['act']=="edit"){ @@ -133,6 +135,8 @@ if($_GET['act']=="edit"){ } else $pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']); $pconfig['crypto'] = $a_server[$id]['crypto']; + // OpenVPN Defaults to SHA1 if unset + $pconfig['digest'] = !empty($a_server[$id]['digest']) ? $a_server[$id]['digest'] : "SHA1"; $pconfig['engine'] = $a_server[$id]['engine']; $pconfig['tunnel_network'] = $a_server[$id]['tunnel_network']; @@ -381,6 +385,7 @@ if ($_POST) { $server['shared_key'] = base64_encode($pconfig['shared_key']); } $server['crypto'] = $pconfig['crypto']; + $server['digest'] = $pconfig['digest']; $server['engine'] = $pconfig['engine']; $server['tunnel_network'] = $pconfig['tunnel_network']; @@ -1060,6 +1065,24 @@ if ($savemsg) </select> </td> </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Auth Digest Algorithm"); ?></td> + <td width="78%" class="vtable"> + <select name="digest" class="formselect"> + <?php + $digestlist = openvpn_get_digestlist(); + foreach ($digestlist as $name => $desc): + $selected = ''; + if ($name == $pconfig['digest']) + $selected = ' selected'; + ?> + <option value="<?=$name;?>"<?=$selected?>> + <?=htmlspecialchars($desc);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> <tr id="engine"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Hardware Crypto"); ?></td> <td width="78%" class="vtable"> |
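Review bot: As on the client page, `$server['digest'] = $pconfig['digest'];` in the `if ($_POST)` hunk at line 381 saves the posted value without validating it against openvpn_get_digestlist(), and openvpn_reconfigure() writes it verbatim into the server's `auth` line; add a check such as `if (!array_key_exists($pconfig['digest'], openvpn_get_digestlist())) $input_errors[] = gettext("The selected Auth Digest Algorithm is not valid.");` next to the page's other field validation (presumably `$input_errors`, not visible here). A comment near the new field would also help operators: OpenVPN requires `auth` to match on both peers, so changing it on a server breaks every existing client still using the SHA1 default until their configurations are updated, and whatever exports client configurations (not part of this diff) will need to emit the matching `auth` directive. The `if ($_POST)` block starts and ends outside the hunk.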