security-policies: Add function to generate ESP proposal for strongswan
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 21 Jul 2017 17:51:25 +0000 (19:51 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 21 Jul 2017 17:51:55 +0000 (19:51 +0200)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/functions/functions.util
src/functions/functions.vpn-security-policies

index 664e90917d3ca374ee68a2aca6680f1aa70b6714..28396f07e62d08b5ac7783c6601d5fe3d975015b 100644 (file)
@@ -638,6 +638,13 @@ contains_spaces() {
        return ${EXIT_FALSE}
 }
 
+string_match() {
+       local match=${1}
+       local string=${2}
+
+       [[ ${string} =~ ${match} ]] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
+}
+
 string_split() {
        local string="$@"
 
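Review bot: `string_match` treats its first argument as an unanchored extended regular expression, which neither the name nor any comment conveys; a caller passing a literal containing `.`, `+` or brackets gets a pattern match instead of a substring match, and nothing is anchored unless the caller anchors it. A header comment would prevent that misuse: `# Returns true if ${string} matches the extended regex ${match} anywhere (anchor with ^ and $ for a full match)`. The pattern must stay unquoted on the right of `=~` for bash to treat it as a regex rather than a literal, which is worth stating in that comment too. Stylistically, the `&& … || …` chain reads more plainly as `if [[ ${string} =~ ${match} ]]; then return ${EXIT_TRUE}; fi` followed by `return ${EXIT_FALSE}`.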
index 643fed9cc416073330f8081863d4635ab90b4f46..eb4b915678c02b075b49d0a59d2a7cc3e31570ee 100644 (file)
@@ -791,6 +791,13 @@ vpn_security_policies_destroy() {
        done
 }
 
+vpn_security_policies_cipher_is_aead() {
+       local cipher=${1}
+
+       # All CCM and GCM ciphers are AEAD
+       string_match "[CG]CM" "${cipher}"
+}
+
 vpn_security_policies_make_ah_proposal() {
        local name=${1}
 
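Review bot: The AEAD test in `vpn_security_policies_cipher_is_aead` is a substring search for `CCM`/`GCM` in the cipher's configuration name, so the classification rests on the naming convention of the `CIPHER_TO_STRONGSWAN` keys rather than on the cipher's properties: a future AEAD cipher whose key lacks that substring (ChaCha20-Poly1305 style names) would silently be given a separate integrity algorithm in the ESP proposal, and a non-AEAD name that happens to contain it would be emitted without one. The case of the keys is not visible here, so it is also unclear whether the match needs to be case-insensitive. A comment recording the assumption would at least make it explicit: `# Relies on every AEAD cipher key containing CCM or GCM; extend this check when adding other AEAD modes`. The only call site, in `vpn_security_policies_make_esp_proposal`, passes `${cipher}` unquoted while this function quotes it; `"${cipher}"` there would be consistent.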
@@ -839,3 +846,67 @@ vpn_security_policies_make_ah_proposal() {
        # Returns as a comma-separated list
        list_join proposals ,
 }
+
+vpn_security_policies_make_esp_proposal() {
+       local name=${1}
+
+       # Read the config settings
+       local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
+       if ! vpn_security_policies_read_config "${name}"; then
+               return ${EXIT_ERROR}
+       fi
+
+       local proposals
+
+       local cipher
+       for cipher in ${CIPHER}; do
+               # Translate cipher
+               local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]}
+
+               if ! isset _cipher; then
+                       log WARN "Unsupported cipher: ${cipher}"
+                       continue
+               fi
+
+               if vpn_security_policies_cipher_is_aead ${cipher}; then
+                       local group_type
+                       for group_type in ${GROUP_TYPE}; do
+                               local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+                               if ! isset _group_type; then
+                                       log WARN "Unsupported group-type: ${group_type}"
+                                       continue
+                               fi
+
+                               # Put everything together
+                               list_append proposals "${_cipher}-${_group_type}"
+                       done
+               else
+                       local integrity
+                       for integrity in ${INTEGRITY}; do
+                               local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+
+                               if ! isset _integrity; then
+                                       log WARN "Unsupported integrity: ${integrity}"
+                                       continue
+                               fi
+
+                               local group_type
+                               for group_type in ${GROUP_TYPE}; do
+                                       local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+                                       if ! isset _group_type; then
+                                               log WARN "Unsupported group-type: ${group_type}"
+                                               continue
+                                       fi
+
+                                       # Put everything together
+                                       list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+                               done
+                       done
+               fi
+       done
+
+       # Returns as a comma-separated list
+       list_join proposals ,
+}
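Review bot: When every cipher, integrity or group-type is rejected by the `isset` checks, `proposals` is never appended to and the function still ends in `list_join proposals ,`, printing nothing and returning whatever status `list_join` gives, so a caller cannot distinguish a policy with no usable algorithms from a valid one and may write an empty ESP proposal into the strongswan configuration. A guard before the join, `if ! isset proposals; then log WARN "No supported ESP proposal for ${name}"; return ${EXIT_ERROR}; fi`, would surface it, assuming `isset` applies to the list variable as it does to the translated values above; the same gap appears to exist in `vpn_security_policies_make_ah_proposal`, whose ending is the context at the top of this hunk. The group-type translation loop is duplicated verbatim between the AEAD and non-AEAD branches, so hoisting it into a small helper that takes the proposal prefix would keep the warning text and translation in one place. The call `vpn_security_policies_cipher_is_aead ${cipher}` also leaves its argument unquoted, unlike every other expansion in the function.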