From b7598dab47d3648bf1bb28eae8c8ed8006097f5a Mon Sep 17 00:00:00 2001
From: Bodo Petermann
Date: Wed, 18 Oct 2023 13:50:58 +0200
Subject: [PATCH] vpnaas: add support for more ciphers (auth, encryption, pfs modes)

Encryption algorithms: add AES CCM mode and AES GCM mode variants for 128/192/256 bit keys and 8/12/16 octet ICVs.
Auth algorithms: add aes-xcbc and aes-cmac.
PFS: add Diffie Hellman groups 15 to 31.

Related-Bug: #1938284
Change-Id: Iba86fe9a1bbf88223b57a45fb89349c6b1858015
---
 api-ref/source/v2/parameters.yaml | 10 ++-
 neutron_lib/api/definitions/__init__.py | 2 +
 neutron_lib/api/definitions/vpn.py | 68 ++++++++++++++++++-
 .../api/definitions/vpn_aes_ccm_gcm.py | 27 ++++++++
 .../api/definitions/test_vpn_aes_ccm_gcm.py | 18 +++++
 .../add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml | 8 +++
 6 files changed, 127 insertions(+), 6 deletions(-)
 create mode 100644 neutron_lib/api/definitions/vpn_aes_ccm_gcm.py
 create mode 100644 neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py
 create mode 100644 releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml
diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml
index b2d5bfca5..21f6ad4d6 100644
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@@ -2007,7 +2007,8 @@ audited:
 auth_algorithm:
 description: |
 The authentication hash algorithm. Valid values
- are ``sha1``, ``sha256``, ``sha384``, ``sha512``.
+ are ``sha1``, ``sha256``, ``sha384``, ``sha512``, ``aes-xcbc``,
+ ``aes-cmac``.
 The default is ``sha1``.
 in: body
 required: false
@@ -3029,7 +3030,10 @@ encapsulation_mode:
 encryption_algorithm:
 description: |
 The encryption algorithm. A valid value is
- ``3des``, ``aes-128``, ``aes-192``, ``aes-256``, and so on.
+ ``3des``, ``aes-128``, ``aes-192``, ``aes-256``. Additional values for AES
+ CCM and GCM modes are defined (e.g. ``aes-256-ccm-16``, ``aes-256-gcm-16``)
+ for all combinations of key length 128, 192, 256 bits and ICV length
+ 8, 12, 16 octets.
 Default is ``aes-128``.
 in: body
 required: false
@@ -5197,7 +5201,7 @@ peer_id:
 pfs:
 description: |
 Perfect forward secrecy (PFS). A valid value is
- ``Group2``, ``Group5``, ``Group14``, and so on. Default is
+ ``Group2``, ``Group5``, ``Group14`` to ``Group31``. Default is
 ``Group5``.
 in: body
 required: false
diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py
index 33dcdfe2e..6a59eaeb6 100644
--- a/neutron_lib/api/definitions/__init__.py
+++ b/neutron_lib/api/definitions/__init__.py
@@ -159,6 +159,7 @@ from neutron_lib.api.definitions import uplink_status_propagation
 from neutron_lib.api.definitions import vlan_filter
 from neutron_lib.api.definitions import vlantransparent
 from neutron_lib.api.definitions import vpn
+from neutron_lib.api.definitions import vpn_aes_ccm_gcm
 from neutron_lib.api.definitions import vpn_endpoint_groups
 from neutron_lib.api.definitions import vpn_flavors
@@ -312,6 +313,7 @@ _ALL_API_DEFINITIONS = {
 vlan_filter,
 vlantransparent,
 vpn,
+ vpn_aes_ccm_gcm,
 vpn_endpoint_groups,
 vpn_flavors,
 }
diff --git a/neutron_lib/api/definitions/vpn.py b/neutron_lib/api/definitions/vpn.py
index 08d18cb8c..39bb3f33c 100644
--- a/neutron_lib/api/definitions/vpn.py
+++ b/neutron_lib/api/definitions/vpn.py
@@ -41,10 +41,48 @@ VPN_ENCRYPTION_ALGORITHM_3DES = '3des'
 VPN_ENCRYPTION_ALGORITHM_AES_128 = 'aes-128'
 VPN_ENCRYPTION_ALGORITHM_AES_192 = 'aes-192'
 VPN_ENCRYPTION_ALGORITHM_AES_256 = 'aes-256'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8 = 'aes-128-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8 = 'aes-192-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8 = 'aes-256-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12 = 'aes-128-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12 = 'aes-192-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12 = 'aes-256-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16 = 'aes-128-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16 = 'aes-192-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16 = 'aes-256-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8 = 'aes-128-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8 = 'aes-192-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8 = 'aes-256-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12 = 'aes-128-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12 = 'aes-192-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12 = 'aes-256-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16 = 'aes-128-gcm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16 = 'aes-192-gcm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16 = 'aes-256-gcm-16'
 VPN_SUPPORTED_ENCRYPTION_ALGORITHMS = [
- VPN_ENCRYPTION_ALGORITHM_3DES, VPN_ENCRYPTION_ALGORITHM_AES_128,
- VPN_ENCRYPTION_ALGORITHM_AES_192, VPN_ENCRYPTION_ALGORITHM_AES_256,
+ VPN_ENCRYPTION_ALGORITHM_3DES,
+ VPN_ENCRYPTION_ALGORITHM_AES_128,
+ VPN_ENCRYPTION_ALGORITHM_AES_192,
+ VPN_ENCRYPTION_ALGORITHM_AES_256,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12,
+ VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16,
+ VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16,
+ VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16,
 ]
 # VPN DPD action constants
@@ -88,9 +126,30 @@ VPN_SUPPORTED_LIFETIME_UNITS = [
 VPN_PFS_GROUP2 = 'group2'
 VPN_PFS_GROUP5 = 'group5'
 VPN_PFS_GROUP14 = 'group14'
+VPN_PFS_GROUP15 = 'group15'
+VPN_PFS_GROUP16 = 'group16'
+VPN_PFS_GROUP17 = 'group17'
+VPN_PFS_GROUP18 = 'group18'
+VPN_PFS_GROUP19 = 'group19'
+VPN_PFS_GROUP20 = 'group20'
+VPN_PFS_GROUP21 = 'group21'
+VPN_PFS_GROUP22 = 'group22'
+VPN_PFS_GROUP23 = 'group23'
+VPN_PFS_GROUP24 = 'group24'
+VPN_PFS_GROUP25 = 'group25'
+VPN_PFS_GROUP26 = 'group26'
+VPN_PFS_GROUP27 = 'group27'
+VPN_PFS_GROUP28 = 'group28'
+VPN_PFS_GROUP29 = 'group29'
+VPN_PFS_GROUP30 = 'group30'
+VPN_PFS_GROUP31 = 'group31'
 VPN_SUPPORTED_PFSES = [
- VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14,
+ VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14, VPN_PFS_GROUP15,
+ VPN_PFS_GROUP16, VPN_PFS_GROUP17, VPN_PFS_GROUP18, VPN_PFS_GROUP19,
+ VPN_PFS_GROUP20, VPN_PFS_GROUP21, VPN_PFS_GROUP22, VPN_PFS_GROUP23,
+ VPN_PFS_GROUP24, VPN_PFS_GROUP25, VPN_PFS_GROUP26, VPN_PFS_GROUP27,
+ VPN_PFS_GROUP28, VPN_PFS_GROUP29, VPN_PFS_GROUP30, VPN_PFS_GROUP31,
 ]
 # VPN IKE version constants
@@ -113,10 +172,13 @@ VPN_AUTH_ALGORITHM_SHA1 = 'sha1'
 VPN_AUTH_ALGORITHM_SHA256 = 'sha256'
 VPN_AUTH_ALGORITHM_SHA384 = 'sha384'
 VPN_AUTH_ALGORITHM_SHA512 = 'sha512'
+VPN_AUTH_ALGORITHM_AES_XCBC = 'aes-xcbc'
+VPN_AUTH_ALGORITHM_AES_CMAC = 'aes-cmac'
 VPN_SUPPORTED_AUTH_ALGORITHMS = [
 VPN_AUTH_ALGORITHM_SHA1, VPN_AUTH_ALGORITHM_SHA256,
 VPN_AUTH_ALGORITHM_SHA384, VPN_AUTH_ALGORITHM_SHA512,
+ VPN_AUTH_ALGORITHM_AES_XCBC, VPN_AUTH_ALGORITHM_AES_CMAC,
 ]
 # VPN phase1 negotiation mode constants
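Review bot: The eighteen CCM/GCM values added to VPN_SUPPORTED_ENCRYPTION_ALGORITHMS are AEAD (combined-mode) ciphers that carry their own integrity tag, but the hunk records neither that fact nor what the trailing 8/12/16 means, so a reader of vpn.py cannot tell how these relate to the separately selected auth_algorithm (with ESP combined-mode ciphers no additional integrity algorithm is applied). A comment above the first `+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8` line would fix that, e.g. `# AES CCM/GCM are AEAD modes; the trailing number is the ICV (integrity tag) length in octets. An auth_algorithm chosen alongside them is not applied to the ESP SA.` Whether the service layer validates, ignores or rejects an auth_algorithm combined with these values is not visible in this diff, and it is the place where a contradictory policy would otherwise surface only at negotiation time. If this same list also validates the IKE policy's encryption_algorithm (outside the hunk), note that the CCM/GCM transforms exist for IKEv2 but not for IKEv1, so an ikepolicy with ike_version v1 and a GCM value could not be negotiated.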
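Review bot: VPN_SUPPORTED_PFSES now accepts every Diffie-Hellman group id from 15 to 31 without distinction, which sweeps in the RFC 5114 MODP groups with prime-order subgroups (`group22`, `group23`, `group24`) that RFC 8247 marks SHOULD NOT for IKEv2, next to the groups operators are normally steered towards (14-18, 19-21, 31). Because this list is the API's accepted set rather than a recommendation, a comment on the `+VPN_PFS_GROUP15 = 'group15'` block naming the families would help reviewers and operators choose, e.g. `# IANA IKE DH group ids: 15-18 MODP, 19-21 NIST ECP, 22-24 MODP with subgroup (RFC 5114; RFC 8247 SHOULD NOT), 25-26 small ECP, 27-30 Brainpool ECP, 31 Curve25519`. Whether each backend driver rejects a group it cannot negotiate is not visible here; an API that admits such a value fails only when the connection is brought up.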
diff --git a/neutron_lib/api/definitions/vpn_aes_ccm_gcm.py b/neutron_lib/api/definitions/vpn_aes_ccm_gcm.py
new file mode 100644
index 000000000..ba9014cf8
--- /dev/null
+++ b/neutron_lib/api/definitions/vpn_aes_ccm_gcm.py
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import vpn
+
+
+ALIAS = 'vpn-aes-ccm-gcm'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'VPN support for AES CCM, GCM modes'
+DESCRIPTION = 'Add choices for encryption, auth and pfs'
+UPDATED_TIMESTAMP = '2023-10-24T11:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = [vpn.ALIAS]
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py b/neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py
new file mode 100644
index 000000000..92a592a1f
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py
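Review bot: The shim extension's ALIAS (`'vpn-aes-ccm-gcm'`) and NAME (`'VPN support for AES CCM, GCM modes'`) advertise only the AES CCM/GCM encryption modes, while its DESCRIPTION (`'Add choices for encryption, auth and pfs'`) and the commit also cover the aes-xcbc/aes-cmac auth algorithms and DH groups 15-31; a client that checks this alias to learn whether `group31` or `aes-cmac` is accepted is relying on a coupling the module never states. Either widen NAME to match DESCRIPTION or add a module comment spelling out the scope, e.g. `# Shim extension advertising the extended VPN cipher choices defined in vpn.py: AES CCM/GCM encryption modes, aes-xcbc/aes-cmac auth algorithms and DH groups 15-31.` Since RESOURCE_ATTRIBUTE_MAP is empty, acceptance of the new values comes from the lists in vpn.py whether or not this alias is loaded; if anything is meant to gate on the alias, that is not visible in this diff.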
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import vpn_aes_ccm_gcm
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class VpnAesCcmGcmDefinitionTestCase(base.DefinitionBaseTestCase):
+ extension_module = vpn_aes_ccm_gcm
diff --git a/releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml b/releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml
new file mode 100644
index 000000000..9494d6871
--- /dev/null
+++ b/releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Added support for more ciphers to the neutron-vpnaas API.
+ Added encryption algorithms (AES CCM and AES GCM modes for 128/192/256
+ bit keys and 8/12/16 octet ICVs, e.g. aes-256-ccm-16),
+ authentication algorithms (AES-XCBC, AES-CMAC) and PFS choices
+ (Diffie Hellman groups 15 to 31).