author | Christian Poessinger <christian@poessinger.com> | 2019-09-30 20:30:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-30 20:30:00 +0200 |
commit | 9a4eab94d76c2a5609cc84a5fb6f73561cc4678b (patch) | |
tree | 8281a110b487367bda223373077e9e7c6e34686d | |
parent | 41aa7bc4c804c0eba36ba6ec10b49b303e8c1df4 (diff) | |
parent | 9a4f89ad6752d9ad859ae124c97e3e4657f81aad (diff) | |
Merge pull request #143 from vindenesen/current-T1688
[OpenVPN]: T1688: Add support for using encryption aes128gcm, aes192gcm and aes256gcm
-rw-r--r-- | interface-definitions/interfaces-openvpn.xml | 22 | ||||
-rwxr-xr-x | src/conf_mode/interface-openvpn.py | 9 |
2 files changed, 26 insertions, 5 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index fb2564cbd..365d80558 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -106,7 +106,7 @@
 <properties>
 <help>Data Encryption Algorithm</help>
 <completionHelp>
- <list>des 3des bf128 bf256 aes128 aes192 aes256</list>
+ <list>des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
 </completionHelp>
 <valueHelp>
 <format>des</format>
@@ -126,18 +126,30 @@
 </valueHelp>
 <valueHelp>
 <format>aes128</format>
- <description>AES algorithm with 128-bit key</description>
+ <description>AES algorithm with 128-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm</format>
+ <description>AES algorithm with 128-bit key GCM</description>
 </valueHelp>
 <valueHelp>
 <format>aes192</format>
- <description>AES algorithm with 192-bit key</description>
+ <description>AES algorithm with 192-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm</format>
+ <description>AES algorithm with 192-bit key GCM</description>
 </valueHelp>
 <valueHelp>
 <format>aes256</format>
- <description>AES algorithm with 256-bit key</description>
+ <description>AES algorithm with 256-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm</format>
+ <description>AES algorithm with 256-bit key GCM</description>
 </valueHelp>
 <constraint>
- <regex>(des|3des|bf128|bf256|aes128|aes192|aes256)</regex>
+ <regex>(des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
 </constraint>
 </properties>
 </leafNode>
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index a988e1ab1..5345bf7a2 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
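Review bot: In interfaces-openvpn.xml the new valueHelp descriptions tack the mode on as a bare trailing word (`AES algorithm with 128-bit key CBC`), which reads as part of the key description; `AES with 128-bit key in CBC mode` and `AES with 128-bit key in GCM mode (AEAD)` would say what the operator is actually choosing. The help text also gives no hint that the GCM values authenticate the data themselves while the CBC values rely on a separate HMAC, nor that des, 3des and the bf entries are 64-bit block ciphers kept for legacy peers; a few words in those descriptions would steer new tunnels towards the GCM values. The `<regex>` alternation now lists `aes128` ahead of `aes128gcm`, which is only safe if the validator matches the whole value; the anchoring is not visible in this hunk, so it is worth confirming.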
@@ -207,10 +207,16 @@ keysize 128
 {%- elif 'bf256' in encryption %}
 cipher bf-cbc
 keysize 25
+{%- elif 'aes128gcm' in encryption %}
+cipher aes-128-gcm
 {%- elif 'aes128' in encryption %}
 cipher aes-128-cbc
+{%- elif 'aes192gcm' in encryption %}
+cipher aes-192-gcm
 {%- elif 'aes192' in encryption %}
 cipher aes-192-cbc
+{%- elif 'aes256gcm' in encryption %}
+cipher aes-256-gcm
 {%- elif 'aes256' in encryption %}
 cipher aes-256-cbc
 {% endif %}
@@ -729,6 +735,9 @@ def verify(openvpn):
 # TLS/encryption
 #
 if openvpn['shared_secret_file']:
+ if openvpn['encryption'] in ['aes128gcm', 'aes192gcm', 'aes256gcm']:
+ raise ConfigError('GCM encryption with shared-secret-key-file is not supported')
+
 if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['shared_secret_file']):
 raise ConfigError('Specified shared-secret-key-file "{}" is not valid'.format(openvpn['shared_secret_file'])) |
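Review bot: The cipher selection in the template hunk (@@ -207) is correct only because of branch order: verify() compares `openvpn['encryption']` against plain strings, so `'aes128' in encryption` is presumably a substring test that `aes128gcm` also satisfies, and the new GCM branches work only while they sit above their CBC twins. Comparing exactly, e.g. `{%- elif encryption == 'aes128gcm' %}` and likewise for the other branches, removes that trap for whoever adds the next cipher. At minimum add a template comment such as `{# GCM branches must come before the CBC ones: 'aes128' is a substring of 'aes128gcm' #}`. Separately, the unchanged context line `keysize 25` under `bf256` looks like a truncated `256` and is worth checking on its own. The template string starts and ends outside this hunk.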
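Review bot: The new guard in verify() (@@ -729) spells out the three GCM names a second time, so a cipher added later to the XML and the template can pass this check unnoticed and only fail when OpenVPN starts. A module-level constant, e.g. `GCM_CIPHERS = ('aes128gcm', 'aes192gcm', 'aes256gcm')`, referenced here keeps the rule in one place. The check also lacks a comment giving the reason, presumably that OpenVPN's static-key mode cannot run AEAD ciphers. The message would help the operator more if it named the way out, e.g. `raise ConfigError('GCM encryption is not supported with shared-secret-key-file, use TLS mode instead')`. verify() begins before and continues after this hunk, so how `encryption` is defaulted when unset cannot be judged from here.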