From: Michael Tremer
Date: Fri, 21 Jul 2017 17:51:25 +0000 (+0200)
Subject: security-policies: Add function to generate ESP proposal for strongswan
X-Git-Tag: 009~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d64549787ceca0e5f687e51c64817e3e12b77c9;p=network.git
security-policies: Add function to generate ESP proposal for strongswan
Signed-off-by: Michael Tremer
---
diff --git a/src/functions/functions.util b/src/functions/functions.util
index 664e9091..28396f07 100644
--- a/src/functions/functions.util
+++ b/src/functions/functions.util
@@ -638,6 +638,13 @@ contains_spaces() {
 return ${EXIT_FALSE}
 }
+string_match() {
+ local match=${1}
+ local string=${2}
+
+ [[ ${string} =~ ${match} ]] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
+}
+
 string_split() {
 local string="$@"
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index 643fed9c..eb4b9156 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
@@ -791,6 +791,13 @@ vpn_security_policies_destroy() {
 done
 }
+vpn_security_policies_cipher_is_aead() { local cipher=${1}
+
+ # All CCM and GCM ciphers are AEAD
+ string_match "[CG]CM" "${cipher}"
+}
+
 vpn_security_policies_make_ah_proposal() {
 local name=${1}
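Review bot: `string_match` in the functions.util hunk is a regular-expression test, not a literal comparison, and the pattern is unanchored, so `string_match foo foobar` succeeds; callers that mean an exact or literal match have to anchor the pattern or escape metacharacters themselves, and the pattern should never come from untrusted input since `[[ =~ ]]` interprets it as an ERE. The unquoted `${match}` on the right-hand side is load-bearing — quoting it would make bash compare it literally — and nothing in the hunk says so, which a later "quote every expansion" cleanup would silently break. A short header comment covers both points: `# Returns true if ${string} matches the extended regular expression ${match} (unanchored; use ^...$ for an exact match). ${match} must stay unquoted: a quoted pattern is matched literally by bash.`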
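Review bot: `vpn_security_policies_cipher_is_aead` decides AEAD-ness by an unanchored, case-sensitive substring test for `[CG]CM`, so it classifies a cipher by what its identifier happens to contain rather than by what it is: it only works if the configured identifiers are upper-case (the CIPHER value set is not visible here), and any AEAD cipher whose name lacks that substring — ChaCha20-Poly1305, should it ever be added to CIPHER_TO_STRONGSWAN — would be treated as non-AEAD and emitted with a superfluous integrity algorithm. A misclassification in the other direction would drop the integrity algorithm from a non-AEAD proposal, which is the more dangerous failure, so an explicit set of AEAD identifiers kept next to CIPHER_TO_STRONGSWAN and tested by membership is safer than a name pattern. At minimum the comment should state the assumption: `# Detects AEAD by name only: CCM and GCM ciphers. Any other AEAD cipher added to CIPHER_TO_STRONGSWAN must be added here as well.`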
@@ -839,3 +846,67 @@ vpn_security_policies_make_ah_proposal() { # Returns as a comma-separated list list_join proposals , } + +vpn_security_policies_make_esp_proposal() { + local name=${1} + + # Read the config settings + local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} + if ! vpn_security_policies_read_config "${name}"; then + return ${EXIT_ERROR} + fi + + local proposals + + local cipher + for cipher in ${CIPHER}; do + # Translate cipher + local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]} + + if ! isset _cipher; then + log WARN "Unsupported cipher: ${cipher}" + continue + fi + + if vpn_security_policies_cipher_is_aead ${cipher}; then + local group_type + for group_type in ${GROUP_TYPE}; do + local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} + + if ! isset _group_type; then + log WARN "Unsupported group-type: ${group_type}" + continue + fi + + # Put everything together + list_append proposals "${_cipher}-${_group_type}" + done + else + local integrity + for integrity in ${INTEGRITY}; do + local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]} + + if ! isset _integrity; then + log WARN "Unsupported integrity: ${integrity}" + continue + fi + + local group_type + for group_type in ${GROUP_TYPE}; do + local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]} + + if ! isset _group_type; then + log WARN "Unsupported group-type: ${group_type}" + continue + fi + + # Put everything together + list_append proposals "${_cipher}-${_integrity}-${_group_type}" + done + done + fi + done + + # Returns as a comma-separated list + list_join proposals , +}
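Review bot: When every configured cipher, integrity or group-type entry is unsupported — each branch only logs WARN and continues — `proposals` stays empty and `vpn_security_policies_make_esp_proposal` still returns success with an empty string, so the caller would most likely install an empty ESP proposal list and strongswan would fall back to its built-in defaults instead of the administrator's policy; the same happens when GROUP_TYPE is empty, since every proposal is appended inside the group-type loop. Fail explicitly before the final `list_join`: `isset proposals || { log ERROR "No usable ESP proposal in security policy ${name}"; return ${EXIT_ERROR}; }` (assuming `isset` accepts a list variable the way it accepts the scalars above). The group-type translation loop is duplicated verbatim in the AEAD and non-AEAD branches; translating GROUP_TYPE into a list once before the cipher loop would remove the duplication and stop the same "Unsupported group-type" warning being logged once per cipher/integrity pair. `${cipher}` on the `vpn_security_policies_cipher_is_aead` call is the only unquoted argument in the function.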