From dc026cd3d6a280768b2d477410058b16ef86e124 Mon Sep 17 00:00:00 2001 From: Bodo Petermann Date: Wed, 26 Feb 2025 15:57:35 +0100 Subject: [PATCH] vpnaas: add support for more ciphers (auth, encryption, pfs modes) Extend the lists of choices for encryption algorithms, auth algorithms, and PFS groups to include the additions made in neutron-vpnaas. Encryption algorithms: add AES CCM mode and AES GCM mode variants for 128/192/256 bit keys and 8/12/16 octet ICVs, add AES CTR modes for 128/192/256 bit keys Auth algorithms: add aes-xcbc and aes-cmac. PFS: add Diffie Hellman groups 15 to 31. Related-Bug: #1938284 Change-Id: I3fd17b93820da9d86b2fc4bc89058475d7629d5d --- neutronclient/osc/v2/vpnaas/ikepolicy.py | 66 +++++++++++++++++++++- neutronclient/osc/v2/vpnaas/ipsecpolicy.py | 66 +++++++++++++++++++++- 2 files changed, 126 insertions(+), 6 deletions(-) diff --git a/neutronclient/osc/v2/vpnaas/ikepolicy.py b/neutronclient/osc/v2/vpnaas/ikepolicy.py index 766a550f1..0a8aecb08 100644 --- a/neutronclient/osc/v2/vpnaas/ikepolicy.py +++ b/neutronclient/osc/v2/vpnaas/ikepolicy.py 
@@ -56,6 +56,66 @@ _attr_map_dict = { 'project_id': 'Project', } +_auth_algorithms = [ + 'sha1', + 'sha256', + 'sha384', + 'sha512', + 'aes-xcbc', + 'aes-cmac', +] + +_encryption_algorithms = [ + '3des', + 'aes-128', + 'aes-192', + 'aes-256', + 'aes-128-ccm-8', + 'aes-192-ccm-8', + 'aes-256-ccm-8', + 'aes-128-ccm-12', + 'aes-192-ccm-12', + 'aes-256-ccm-12', + 'aes-128-ccm-16', + 'aes-192-ccm-16', + 'aes-256-ccm-16', + 'aes-128-gcm-8', + 'aes-192-gcm-8', + 'aes-256-gcm-8', + 'aes-128-gcm-12', + 'aes-192-gcm-12', + 'aes-256-gcm-12', + 'aes-128-gcm-16', + 'aes-192-gcm-16', + 'aes-256-gcm-16', + 'aes-128-ctr', + 'aes-192-ctr', + 'aes-256-ctr', +] + +_pfs_groups = [ + 'group2', + 'group5', + 'group14', + 'group15', + 'group16', + 'group17', + 'group18', + 'group19', + 'group20', + 'group21', + 'group22', + 'group23', + 'group24', + 'group25', + 'group26', + 'group27', + 'group28', + 'group29', + 'group30', + 'group31', +] + def _convert_to_lowercase(string): return string.lower() @@ -68,12 +128,12 @@ def _get_common_parser(parser): help=_('Description of the IKE policy')) parser.add_argument( '--auth-algorithm', - choices=['sha1', 'sha256', 'sha384', 'sha512'], + choices=_auth_algorithms, type=_convert_to_lowercase, help=_('Authentication algorithm')) parser.add_argument( '--encryption-algorithm', - choices=['aes-128', '3des', 'aes-192', 'aes-256'], + choices=_encryption_algorithms, type=_convert_to_lowercase, help=_('Encryption algorithm')) parser.add_argument( @@ -88,7 +148,7 @@ def _get_common_parser(parser): help=_('IKE version for the policy')) parser.add_argument( '--pfs', - choices=['group5', 'group2', 'group14'], + choices=_pfs_groups, type=_convert_to_lowercase, help=_('Perfect Forward Secrecy')) parser.add_argument( diff --git a/neutronclient/osc/v2/vpnaas/ipsecpolicy.py b/neutronclient/osc/v2/vpnaas/ipsecpolicy.py index 877602ffc..c6e42bd06 100644 --- a/neutronclient/osc/v2/vpnaas/ipsecpolicy.py +++ b/neutronclient/osc/v2/vpnaas/ipsecpolicy.py 
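Review bot: In ikepolicy.py the new module-level lists place legacy values beside the additions with nothing to tell them apart: `'3des'`, `'sha1'`, the 1024- and 1536-bit MODP groups `'group2'` and `'group5'`, and `'group22'` to `'group24'`, the RFC 5114 groups that RFC 8247 tells IKEv2 implementers to avoid. These lists are now the one place the accepted values are declared, so a short comment above them would keep the weak entries from being read as recommendations, for example `# 3des, sha1, group2, group5 and group22-24 are kept only for interoperability with old peers`. The identical lists added to ipsecpolicy.py need the same comment.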
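Review bot: In ikepolicy.py `--encryption-algorithm` now accepts combined-mode values (`-ccm-*`, `-gcm-*`) and `aes-*-ctr`, but the help strings in this hunk are unchanged and say nothing about how the option interacts with `--auth-algorithm`. CCM and GCM carry their own integrity check, whereas CTR provides none and is only safe when paired with an authentication algorithm; whether the server rejects an unsuitable pairing is not visible in this patch. Suggest stating it in the help, e.g. `help=_('Encryption algorithm (ccm/gcm are combined-mode, suffix is the ICV length in octets; ctr requires an auth algorithm)')`. The same two options are changed in ipsecpolicy.py, and `_get_common_parser` starts and ends outside the hunk.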
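Review bot: In ikepolicy.py the `--pfs` help is still just `'Perfect Forward Secrecy'`, which does not tell the user that the 20 accepted values are Diffie-Hellman groups or that they differ in kind (MODP and elliptic-curve groups). With `choices=_pfs_groups` argparse also prints the whole list inline in the usage line, so the option listing becomes hard to scan. Consider `metavar='<group>'` together with a help string that names the range, e.g. `help=_('Perfect Forward Secrecy Diffie-Hellman group (group2, group5, group14 to group31)')`. The same applies to the `--pfs` hunk in ipsecpolicy.py.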
@@ -54,6 +54,66 @@ _attr_map_dict = { 'project_id': 'Project', } +_auth_algorithms = [ + 'sha1', + 'sha256', + 'sha384', + 'sha512', + 'aes-xcbc', + 'aes-cmac', +] + +_encryption_algorithms = [ + '3des', + 'aes-128', + 'aes-192', + 'aes-256', + 'aes-128-ccm-8', + 'aes-192-ccm-8', + 'aes-256-ccm-8', + 'aes-128-ccm-12', + 'aes-192-ccm-12', + 'aes-256-ccm-12', + 'aes-128-ccm-16', + 'aes-192-ccm-16', + 'aes-256-ccm-16', + 'aes-128-gcm-8', + 'aes-192-gcm-8', + 'aes-256-gcm-8', + 'aes-128-gcm-12', + 'aes-192-gcm-12', + 'aes-256-gcm-12', + 'aes-128-gcm-16', + 'aes-192-gcm-16', + 'aes-256-gcm-16', + 'aes-128-ctr', + 'aes-192-ctr', + 'aes-256-ctr', +] + +_pfs_groups = [ + 'group2', + 'group5', + 'group14', + 'group15', + 'group16', + 'group17', + 'group18', + 'group19', + 'group20', + 'group21', + 'group22', + 'group23', + 'group24', + 'group25', + 'group26', + 'group27', + 'group28', + 'group29', + 'group30', + 'group31', +] + def _convert_to_lowercase(string): return string.lower() @@ -66,7 +126,7 @@ def _get_common_parser(parser): help=_('Description of the IPsec policy')) parser.add_argument( '--auth-algorithm', - choices=['sha1', 'sha256', 'sha384', 'sha512'], + choices=_auth_algorithms, type=_convert_to_lowercase, help=_('Authentication algorithm for IPsec policy')) parser.add_argument( @@ -76,7 +136,7 @@ def _get_common_parser(parser): help=_('Encapsulation mode for IPsec policy')) parser.add_argument( '--encryption-algorithm', - choices=['3des', 'aes-128', 'aes-192', 'aes-256'], + choices=_encryption_algorithms, type=_convert_to_lowercase, help=_('Encryption algorithm for IPsec policy')) parser.add_argument( @@ -86,7 +146,7 @@ def _get_common_parser(parser): help=vpn_utils.lifetime_help("IPsec")) parser.add_argument( '--pfs', - choices=['group2', 'group5', 'group14'], + choices=_pfs_groups, type=_convert_to_lowercase, help=_('Perfect Forward Secrecy for IPsec policy')) parser.add_argument(
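Review bot: `_auth_algorithms`, `_encryption_algorithms` and `_pfs_groups` in ipsecpolicy.py are verbatim copies of the lists added to ikepolicy.py, so every later addition or removal of a cipher has to be made twice and the two commands can drift apart unnoticed. This module already uses `vpn_utils` (`vpn_utils.lifetime_help` appears further down the patch), so the lists could be defined once there and referenced from both parsers, for example `choices=vpn_utils.ENCRYPTION_ALGORITHMS` (name is a suggestion). If the IKE and IPsec sets are expected to differ later, a comment on each copy saying so would make the duplication intentional.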
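Review bot: Nothing in this patch exercises the new `--encryption-algorithm`, `--auth-algorithm` or `--pfs` values in ipsecpolicy.py or ikepolicy.py; the diffstat lists only the two vpnaas modules. A parser test that passes one new value in upper case, such as `AES-256-GCM-16`, would confirm that `type=_convert_to_lowercase` still runs before the `choices` check now that `choices` is a module-level list. A second case asserting that an unknown value is rejected would pin the client-side validation this change relies on. `_get_common_parser` starts and ends outside the hunk.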