From b76a690afa47c92e990fefa9f75f4583d91ea95d Mon Sep 17 00:00:00 2001 From: Bodo Petermann Date: Wed, 26 Feb 2025 13:55:45 +0100 Subject: [PATCH] vpnaas: add support for more ciphers (auth, encryption, pfs modes) For VPNaaS IKE policies and IPSEC policies several choices for encryption algorithms, auth algorithms and PFS modes have been added. Encryption algorithms: add AES CCM mode and AES GCM mode variants for 128/192/256 bit keys and 8/12/16 octet ICVs. Add AES CTR modes for 128/192/256 bit keys. Auth algorithms: add aes-xcbc and aes-cmac. PFS: add Diffie Hellman groups 15 to 31. Closes: #3314
---
 .../extensions/vpnaas/ikepolicies/requests.go | 72 ++++++++++++++---- .../vpnaas/ipsecpolicies/requests.go | 76 ++++++++++++++----- 2 files changed, 114 insertions(+), 34 deletions(-)
diff --git a/openstack/networking/v2/extensions/vpnaas/ikepolicies/requests.go b/openstack/networking/v2/extensions/vpnaas/ikepolicies/requests.go
index 7d5c81e13b..f0845d6a60 100644
--- a/openstack/networking/v2/extensions/vpnaas/ikepolicies/requests.go
+++ b/openstack/networking/v2/extensions/vpnaas/ikepolicies/requests.go
@@ -15,22 +15,62 @@ type IKEVersion string
 type Phase1NegotiationMode string
 
 const (
- AuthAlgorithmSHA1 AuthAlgorithm = "sha1"
- AuthAlgorithmSHA256 AuthAlgorithm = "sha256"
- AuthAlgorithmSHA384 AuthAlgorithm = "sha384"
- AuthAlgorithmSHA512 AuthAlgorithm = "sha512"
- EncryptionAlgorithm3DES EncryptionAlgorithm = "3des"
- EncryptionAlgorithmAES128 EncryptionAlgorithm = "aes-128"
- EncryptionAlgorithmAES256 EncryptionAlgorithm = "aes-256"
- EncryptionAlgorithmAES192 EncryptionAlgorithm = "aes-192"
- UnitSeconds Unit = "seconds"
- UnitKilobytes Unit = "kilobytes"
- PFSGroup2 PFS = "group2"
- PFSGroup5 PFS = "group5"
- PFSGroup14 PFS = "group14"
- IKEVersionv1 IKEVersion = "v1"
- IKEVersionv2 IKEVersion = "v2"
- Phase1NegotiationModeMain Phase1NegotiationMode = "main"
+ AuthAlgorithmSHA1 AuthAlgorithm = "sha1"
+ AuthAlgorithmSHA256 AuthAlgorithm = "sha256"
+ AuthAlgorithmSHA384 AuthAlgorithm = "sha384"
+ AuthAlgorithmSHA512 AuthAlgorithm = "sha512"
+ AuthAlgorithmAESXCBC AuthAlgorithm = "aes-xcbc"
+ AuthAlgorithmAESCMAC AuthAlgorithm = "aes-cmac"
+ EncryptionAlgorithm3DES EncryptionAlgorithm = "3des"
+ EncryptionAlgorithmAES128 EncryptionAlgorithm = "aes-128"
+ EncryptionAlgorithmAES192 EncryptionAlgorithm = "aes-192"
+ EncryptionAlgorithmAES256 EncryptionAlgorithm = "aes-256"
+ EncryptionAlgorithmAES128CTR EncryptionAlgorithm = "aes-128-ctr"
+ EncryptionAlgorithmAES192CTR EncryptionAlgorithm = "aes-192-ctr"
+ EncryptionAlgorithmAES256CTR EncryptionAlgorithm = "aes-256-ctr"
+ EncryptionAlgorithmAES128CCM8 EncryptionAlgorithm = "aes-128-ccm-8"
+ EncryptionAlgorithmAES128CCM12 EncryptionAlgorithm = "aes-128-ccm-12"
+ EncryptionAlgorithmAES128CCM16 EncryptionAlgorithm = "aes-128-ccm-16"
+ EncryptionAlgorithmAES192CCM8 EncryptionAlgorithm = "aes-192-ccm-8"
+ EncryptionAlgorithmAES192CCM12 EncryptionAlgorithm = "aes-192-ccm-12"
+ EncryptionAlgorithmAES192CCM16 EncryptionAlgorithm = "aes-192-ccm-16"
+ EncryptionAlgorithmAES256CCM8 EncryptionAlgorithm = "aes-256-ccm-8"
+ EncryptionAlgorithmAES256CCM12 EncryptionAlgorithm = "aes-256-ccm-12"
+ EncryptionAlgorithmAES256CCM16 EncryptionAlgorithm = "aes-256-ccm-16"
+ EncryptionAlgorithmAES128GCM8 EncryptionAlgorithm = "aes-128-gcm-8"
+ EncryptionAlgorithmAES128GCM12 EncryptionAlgorithm = "aes-128-gcm-12"
+ EncryptionAlgorithmAES128GCM16 EncryptionAlgorithm = "aes-128-gcm-16"
+ EncryptionAlgorithmAES192GCM8 EncryptionAlgorithm = "aes-192-gcm-8"
+ EncryptionAlgorithmAES192GCM12 EncryptionAlgorithm = "aes-192-gcm-12"
+ EncryptionAlgorithmAES192GCM16 EncryptionAlgorithm = "aes-192-gcm-16"
+ EncryptionAlgorithmAES256GCM8 EncryptionAlgorithm = "aes-256-gcm-8"
+ EncryptionAlgorithmAES256GCM12 EncryptionAlgorithm = "aes-256-gcm-12"
+ EncryptionAlgorithmAES256GCM16 EncryptionAlgorithm = "aes-256-gcm-16"
+ UnitSeconds Unit = "seconds"
+ UnitKilobytes Unit = "kilobytes"
+ PFSGroup2 PFS = "group2"
+ PFSGroup5 PFS = "group5"
+ PFSGroup14 PFS = "group14"
+ PFSGroup15 PFS = "group15"
+ PFSGroup16 PFS = "group16"
+ PFSGroup17 PFS = "group17"
+ PFSGroup18 PFS = "group18"
+ PFSGroup19 PFS = "group19"
+ PFSGroup20 PFS = "group20"
+ PFSGroup21 PFS = "group21"
+ PFSGroup22 PFS = "group22"
+ PFSGroup23 PFS = "group23"
+ PFSGroup24 PFS = "group24"
+ PFSGroup25 PFS = "group25"
+ PFSGroup26 PFS = "group26"
+ PFSGroup27 PFS = "group27"
+ PFSGroup28 PFS = "group28"
+ PFSGroup29 PFS = "group29"
+ PFSGroup30 PFS = "group30"
+ PFSGroup31 PFS = "group31"
+ IKEVersionv1 IKEVersion = "v1"
+ IKEVersionv2 IKEVersion = "v2"
+ Phase1NegotiationModeMain Phase1NegotiationMode = "main"
 )
 
 // CreateOptsBuilder allows extensions to add additional parameters to the
diff --git a/openstack/networking/v2/extensions/vpnaas/ipsecpolicies/requests.go b/openstack/networking/v2/extensions/vpnaas/ipsecpolicies/requests.go
index 4397c0587b..9f34895c15 100644
--- a/openstack/networking/v2/extensions/vpnaas/ipsecpolicies/requests.go
+++ b/openstack/networking/v2/extensions/vpnaas/ipsecpolicies/requests.go
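Review bot: The new PFS constants in this const block carry no doc comments, so nothing tells a caller that `PFSGroup22`, `PFSGroup23` and `PFSGroup24` (the RFC 5114 MODP groups with prime-order subgroups) are discouraged by RFC 8247, as are the already-present `PFSGroup2` and `PFSGroup5`. Because these names are what users will pick from when building an IKE policy, I would add a comment above the PFS entries such as `// Groups 2, 5 and 22-24 are kept for interoperability only; RFC 8247 discourages them. Prefer group14 or higher, excluding 22-24.` The same list is added in the ipsecpolicies hunk and needs the same comment. Whether the VPNaaS backend accepts every value listed is not visible here and presumably depends on the driver, which the comment could also state.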
@@ -15,24 +15,64 @@ type PFS string
 type Unit string
 
 const (
- TransformProtocolESP TransformProtocol = "esp"
- TransformProtocolAH TransformProtocol = "ah"
- TransformProtocolAHESP TransformProtocol = "ah-esp"
- AuthAlgorithmSHA1 AuthAlgorithm = "sha1"
- AuthAlgorithmSHA256 AuthAlgorithm = "sha256"
- AuthAlgorithmSHA384 AuthAlgorithm = "sha384"
- AuthAlgorithmSHA512 AuthAlgorithm = "sha512"
- EncryptionAlgorithm3DES EncryptionAlgorithm = "3des"
- EncryptionAlgorithmAES128 EncryptionAlgorithm = "aes-128"
- EncryptionAlgorithmAES256 EncryptionAlgorithm = "aes-256"
- EncryptionAlgorithmAES192 EncryptionAlgorithm = "aes-192"
- EncapsulationModeTunnel EncapsulationMode = "tunnel"
- EncapsulationModeTransport EncapsulationMode = "transport"
- UnitSeconds Unit = "seconds"
- UnitKilobytes Unit = "kilobytes"
- PFSGroup2 PFS = "group2"
- PFSGroup5 PFS = "group5"
- PFSGroup14 PFS = "group14"
+ TransformProtocolESP TransformProtocol = "esp"
+ TransformProtocolAH TransformProtocol = "ah"
+ TransformProtocolAHESP TransformProtocol = "ah-esp"
+ AuthAlgorithmSHA1 AuthAlgorithm = "sha1"
+ AuthAlgorithmSHA256 AuthAlgorithm = "sha256"
+ AuthAlgorithmSHA384 AuthAlgorithm = "sha384"
+ AuthAlgorithmSHA512 AuthAlgorithm = "sha512"
+ AuthAlgorithmAESXCBC AuthAlgorithm = "aes-xcbc"
+ AuthAlgorithmAESCMAC AuthAlgorithm = "aes-cmac"
+ EncryptionAlgorithm3DES EncryptionAlgorithm = "3des"
+ EncryptionAlgorithmAES128 EncryptionAlgorithm = "aes-128"
+ EncryptionAlgorithmAES192 EncryptionAlgorithm = "aes-192"
+ EncryptionAlgorithmAES256 EncryptionAlgorithm = "aes-256"
+ EncryptionAlgorithmAES128CTR EncryptionAlgorithm = "aes-128-ctr"
+ EncryptionAlgorithmAES192CTR EncryptionAlgorithm = "aes-192-ctr"
+ EncryptionAlgorithmAES256CTR EncryptionAlgorithm = "aes-256-ctr"
+ EncryptionAlgorithmAES128CCM8 EncryptionAlgorithm = "aes-128-ccm-8"
+ EncryptionAlgorithmAES128CCM12 EncryptionAlgorithm = "aes-128-ccm-12"
+ EncryptionAlgorithmAES128CCM16 EncryptionAlgorithm = "aes-128-ccm-16"
+ EncryptionAlgorithmAES192CCM8 EncryptionAlgorithm = "aes-192-ccm-8"
+ EncryptionAlgorithmAES192CCM12 EncryptionAlgorithm = "aes-192-ccm-12"
+ EncryptionAlgorithmAES192CCM16 EncryptionAlgorithm = "aes-192-ccm-16"
+ EncryptionAlgorithmAES256CCM8 EncryptionAlgorithm = "aes-256-ccm-8"
+ EncryptionAlgorithmAES256CCM12 EncryptionAlgorithm = "aes-256-ccm-12"
+ EncryptionAlgorithmAES256CCM16 EncryptionAlgorithm = "aes-256-ccm-16"
+ EncryptionAlgorithmAES128GCM8 EncryptionAlgorithm = "aes-128-gcm-8"
+ EncryptionAlgorithmAES128GCM12 EncryptionAlgorithm = "aes-128-gcm-12"
+ EncryptionAlgorithmAES128GCM16 EncryptionAlgorithm = "aes-128-gcm-16"
+ EncryptionAlgorithmAES192GCM8 EncryptionAlgorithm = "aes-192-gcm-8"
+ EncryptionAlgorithmAES192GCM12 EncryptionAlgorithm = "aes-192-gcm-12"
+ EncryptionAlgorithmAES192GCM16 EncryptionAlgorithm = "aes-192-gcm-16"
+ EncryptionAlgorithmAES256GCM8 EncryptionAlgorithm = "aes-256-gcm-8"
+ EncryptionAlgorithmAES256GCM12 EncryptionAlgorithm = "aes-256-gcm-12"
+ EncryptionAlgorithmAES256GCM16 EncryptionAlgorithm = "aes-256-gcm-16"
+ EncapsulationModeTunnel EncapsulationMode = "tunnel"
+ EncapsulationModeTransport EncapsulationMode = "transport"
+ UnitSeconds Unit = "seconds"
+ UnitKilobytes Unit = "kilobytes"
+ PFSGroup2 PFS = "group2"
+ PFSGroup5 PFS = "group5"
+ PFSGroup14 PFS = "group14"
+ PFSGroup15 PFS = "group15"
+ PFSGroup16 PFS = "group16"
+ PFSGroup17 PFS = "group17"
+ PFSGroup18 PFS = "group18"
+ PFSGroup19 PFS = "group19"
+ PFSGroup20 PFS = "group20"
+ PFSGroup21 PFS = "group21"
+ PFSGroup22 PFS = "group22"
+ PFSGroup23 PFS = "group23"
+ PFSGroup24 PFS = "group24"
+ PFSGroup25 PFS = "group25"
+ PFSGroup26 PFS = "group26"
+ PFSGroup27 PFS = "group27"
+ PFSGroup28 PFS = "group28"
+ PFSGroup29 PFS = "group29"
+ PFSGroup30 PFS = "group30"
+ PFSGroup31 PFS = "group31"
 )
 
 // CreateOptsBuilder allows extensions to add additional parameters to the
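Review bot: The added `EncryptionAlgorithmAES*CTR` entries are confidentiality-only, while the `CCM`/`GCM` entries are combined modes whose `8`/`12`/`16` suffix is the ICV length in octets (per the commit message), and none of that is visible at the point of use because the const block has no comments. For an IPsec policy this matters: a CTR cipher has to be paired with a strong `AuthAlgorithm`, and the 8-octet ICV variants give a weaker integrity check than the 16-octet ones. I would add group comments such as `// AES-CTR provides no integrity; always pair it with an AuthAlgorithm.` and `// AES-CCM/GCM: the suffix is the ICV length in octets; prefer the -16 variants.` The identical entries in the ikepolicies hunk deserve the same comments. How `CreateOpts` treats `AuthAlgorithm` when a combined-mode cipher is chosen is outside this hunk and worth checking.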