vpnaas: add support for more ciphers (auth, encryption, pfs modes)

Extend the lists of choices for encryption algorithms, auth algorithms, and PFS groups to include the additions made in neutron-vpnaas. Encryption algorithms: add AES CCM mode and AES GCM mode variants for 128/192/256 bit keys and 8/12/16 octet ICVs, add AES CTR modes for 128/192/256 bit keys Auth algorithms: add aes-xcbc and aes-cmac. PFS: add Diffie Hellman groups 15 to 31. Related-Bug: #1938284 Change-Id: I3fd17b93820da9d86b2fc4bc89058475d7629d5d
2025-02-26 15:57:35 +01:00
parent 1d7a13ab11
commit dc026cd3d6
2 changed files with 126 additions and 6 deletions
--- a/neutronclient/osc/v2/vpnaas/ikepolicy.py
+++ b/neutronclient/osc/v2/vpnaas/ikepolicy.py
@@ -56,6 +56,66 @@ _attr_map_dict = {
    'project_id': 'Project',
 }

+_auth_algorithms = [
+    'sha1',
+    'sha256',
+    'sha384',
+    'sha512',
+    'aes-xcbc',
+    'aes-cmac',
+]
+
+_encryption_algorithms = [
+    '3des',
+    'aes-128',
+    'aes-192',
+    'aes-256',
+    'aes-128-ccm-8',
+    'aes-192-ccm-8',
+    'aes-256-ccm-8',
+    'aes-128-ccm-12',
+    'aes-192-ccm-12',
+    'aes-256-ccm-12',
+    'aes-128-ccm-16',
+    'aes-192-ccm-16',
+    'aes-256-ccm-16',
+    'aes-128-gcm-8',
+    'aes-192-gcm-8',
+    'aes-256-gcm-8',
+    'aes-128-gcm-12',
+    'aes-192-gcm-12',
+    'aes-256-gcm-12',
+    'aes-128-gcm-16',
+    'aes-192-gcm-16',
+    'aes-256-gcm-16',
+    'aes-128-ctr',
+    'aes-192-ctr',
+    'aes-256-ctr',
+]
+
+_pfs_groups = [
+    'group2',
+    'group5',
+    'group14',
+    'group15',
+    'group16',
+    'group17',
+    'group18',
+    'group19',
+    'group20',
+    'group21',
+    'group22',
+    'group23',
+    'group24',
+    'group25',
+    'group26',
+    'group27',
+    'group28',
+    'group29',
+    'group30',
+    'group31',
+]
+

 def _convert_to_lowercase(string):
    return string.lower()
@@ -68,12 +128,12 @@ def _get_common_parser(parser):
        help=_('Description of the IKE policy'))
    parser.add_argument(
        '--auth-algorithm',
-        choices=['sha1', 'sha256', 'sha384', 'sha512'],
+        choices=_auth_algorithms,
        type=_convert_to_lowercase,
        help=_('Authentication algorithm'))
    parser.add_argument(
        '--encryption-algorithm',
-        choices=['aes-128', '3des', 'aes-192', 'aes-256'],
+        choices=_encryption_algorithms,
        type=_convert_to_lowercase,
        help=_('Encryption algorithm'))
    parser.add_argument(
@@ -88,7 +148,7 @@ def _get_common_parser(parser):
        help=_('IKE version for the policy'))
    parser.add_argument(
        '--pfs',
-        choices=['group5', 'group2', 'group14'],
+        choices=_pfs_groups,
        type=_convert_to_lowercase,
        help=_('Perfect Forward Secrecy'))
    parser.add_argument(
--- a/neutronclient/osc/v2/vpnaas/ipsecpolicy.py
+++ b/neutronclient/osc/v2/vpnaas/ipsecpolicy.py
@@ -54,6 +54,66 @@ _attr_map_dict = {
    'project_id': 'Project',
 }

+_auth_algorithms = [
+    'sha1',
+    'sha256',
+    'sha384',
+    'sha512',
+    'aes-xcbc',
+    'aes-cmac',
+]
+
+_encryption_algorithms = [
+    '3des',
+    'aes-128',
+    'aes-192',
+    'aes-256',
+    'aes-128-ccm-8',
+    'aes-192-ccm-8',
+    'aes-256-ccm-8',
+    'aes-128-ccm-12',
+    'aes-192-ccm-12',
+    'aes-256-ccm-12',
+    'aes-128-ccm-16',
+    'aes-192-ccm-16',
+    'aes-256-ccm-16',
+    'aes-128-gcm-8',
+    'aes-192-gcm-8',
+    'aes-256-gcm-8',
+    'aes-128-gcm-12',
+    'aes-192-gcm-12',
+    'aes-256-gcm-12',
+    'aes-128-gcm-16',
+    'aes-192-gcm-16',
+    'aes-256-gcm-16',
+    'aes-128-ctr',
+    'aes-192-ctr',
+    'aes-256-ctr',
+]
+
+_pfs_groups = [
+    'group2',
+    'group5',
+    'group14',
+    'group15',
+    'group16',
+    'group17',
+    'group18',
+    'group19',
+    'group20',
+    'group21',
+    'group22',
+    'group23',
+    'group24',
+    'group25',
+    'group26',
+    'group27',
+    'group28',
+    'group29',
+    'group30',
+    'group31',
+]
+

 def _convert_to_lowercase(string):
    return string.lower()
@@ -66,7 +126,7 @@ def _get_common_parser(parser):
        help=_('Description of the IPsec policy'))
    parser.add_argument(
        '--auth-algorithm',
-        choices=['sha1', 'sha256', 'sha384', 'sha512'],
+        choices=_auth_algorithms,
        type=_convert_to_lowercase,
        help=_('Authentication algorithm for IPsec policy'))
    parser.add_argument(
@@ -76,7 +136,7 @@ def _get_common_parser(parser):
        help=_('Encapsulation mode for IPsec policy'))
    parser.add_argument(
        '--encryption-algorithm',
-        choices=['3des', 'aes-128', 'aes-192', 'aes-256'],
+        choices=_encryption_algorithms,
        type=_convert_to_lowercase,
        help=_('Encryption algorithm for IPsec policy'))
    parser.add_argument(
@@ -86,7 +146,7 @@ def _get_common_parser(parser):
        help=vpn_utils.lifetime_help("IPsec"))
    parser.add_argument(
        '--pfs',
-        choices=['group2', 'group5', 'group14'],
+        choices=_pfs_groups,
        type=_convert_to_lowercase,
        help=_('Perfect Forward Secrecy for IPsec policy'))
    parser.add_argument(