vpnaas: add support for more ciphers (auth, encryption, pfs modes)

Encryption algorithms: add AES CCM mode and AES GCM mode variants for 128/192/256 bit keys and 8/12/16 octet ICVs. Auth algorithms: add aes-xcbc and aes-cmac. PFS: add Diffie Hellman groups 15 to 31. Related-Bug: #1938284 Change-Id: Iba86fe9a1bbf88223b57a45fb89349c6b1858015
2023-10-18 13:50:58 +02:00 · 2023-10-18 13:50:58 +02:00 · b7598dab47
parent bdebe1de3c
commit b7598dab47
6 changed files with 127 additions and 6 deletions
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@ -2007,7 +2007,8 @@ audited:
 auth_algorithm:
  description: |
    The authentication hash algorithm. Valid values
-    are ``sha1``, ``sha256``, ``sha384``, ``sha512``.
+    are ``sha1``, ``sha256``, ``sha384``, ``sha512``, ``aes-xcbc``,
+    ``aes-cmac``.
    The default is ``sha1``.
  in: body
  required: false
@ -3029,7 +3030,10 @@ encapsulation_mode:
 encryption_algorithm:
  description: |
    The encryption algorithm. A valid value is
-    ``3des``, ``aes-128``, ``aes-192``, ``aes-256``, and so on.
+    ``3des``, ``aes-128``, ``aes-192``, ``aes-256``. Additional values for AES
+    CCM and GCM modes are defined (e.g. ``aes-256-ccm-16``, ``aes-256-gcm-16``)
+    for all combinations of key length 128, 192, 256 bits and ICV length
+    8, 12, 16 octets.
    Default is ``aes-128``.
  in: body
  required: false
@ -5197,7 +5201,7 @@ peer_id:
 pfs:
  description: |
    Perfect forward secrecy (PFS). A valid value is
-    ``Group2``, ``Group5``, ``Group14``, and so on. Default is
+    ``Group2``, ``Group5``, ``Group14`` to ``Group31``. Default is
    ``Group5``.
  in: body
  required: false
--- a/neutron_lib/api/definitions/init.py
+++ b/neutron_lib/api/definitions/init.py
@ -159,6 +159,7 @@ from neutron_lib.api.definitions import uplink_status_propagation
 from neutron_lib.api.definitions import vlan_filter
 from neutron_lib.api.definitions import vlantransparent
 from neutron_lib.api.definitions import vpn
+from neutron_lib.api.definitions import vpn_aes_ccm_gcm
 from neutron_lib.api.definitions import vpn_endpoint_groups
 from neutron_lib.api.definitions import vpn_flavors

@ -312,6 +313,7 @@ _ALL_API_DEFINITIONS = {
    vlan_filter,
    vlantransparent,
    vpn,
+    vpn_aes_ccm_gcm,
    vpn_endpoint_groups,
    vpn_flavors,
 }
--- a/neutron_lib/api/definitions/vpn.py
+++ b/neutron_lib/api/definitions/vpn.py
@ -41,10 +41,48 @@ VPN_ENCRYPTION_ALGORITHM_3DES = '3des'
 VPN_ENCRYPTION_ALGORITHM_AES_128 = 'aes-128'
 VPN_ENCRYPTION_ALGORITHM_AES_192 = 'aes-192'
 VPN_ENCRYPTION_ALGORITHM_AES_256 = 'aes-256'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8 = 'aes-128-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8 = 'aes-192-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8 = 'aes-256-ccm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12 = 'aes-128-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12 = 'aes-192-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12 = 'aes-256-ccm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16 = 'aes-128-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16 = 'aes-192-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16 = 'aes-256-ccm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8 = 'aes-128-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8 = 'aes-192-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8 = 'aes-256-gcm-8'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12 = 'aes-128-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12 = 'aes-192-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12 = 'aes-256-gcm-12'
+VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16 = 'aes-128-gcm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16 = 'aes-192-gcm-16'
+VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16 = 'aes-256-gcm-16'

 VPN_SUPPORTED_ENCRYPTION_ALGORITHMS = [
-    VPN_ENCRYPTION_ALGORITHM_3DES, VPN_ENCRYPTION_ALGORITHM_AES_128,
-    VPN_ENCRYPTION_ALGORITHM_AES_192, VPN_ENCRYPTION_ALGORITHM_AES_256,
+    VPN_ENCRYPTION_ALGORITHM_3DES,
+    VPN_ENCRYPTION_ALGORITHM_AES_128,
+    VPN_ENCRYPTION_ALGORITHM_AES_192,
+    VPN_ENCRYPTION_ALGORITHM_AES_256,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12,
+    VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16,
+    VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16,
+    VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16,
 ]

 # VPN DPD action constants
@ -88,9 +126,30 @@ VPN_SUPPORTED_LIFETIME_UNITS = [
 VPN_PFS_GROUP2 = 'group2'
 VPN_PFS_GROUP5 = 'group5'
 VPN_PFS_GROUP14 = 'group14'
+VPN_PFS_GROUP15 = 'group15'
+VPN_PFS_GROUP16 = 'group16'
+VPN_PFS_GROUP17 = 'group17'
+VPN_PFS_GROUP18 = 'group18'
+VPN_PFS_GROUP19 = 'group19'
+VPN_PFS_GROUP20 = 'group20'
+VPN_PFS_GROUP21 = 'group21'
+VPN_PFS_GROUP22 = 'group22'
+VPN_PFS_GROUP23 = 'group23'
+VPN_PFS_GROUP24 = 'group24'
+VPN_PFS_GROUP25 = 'group25'
+VPN_PFS_GROUP26 = 'group26'
+VPN_PFS_GROUP27 = 'group27'
+VPN_PFS_GROUP28 = 'group28'
+VPN_PFS_GROUP29 = 'group29'
+VPN_PFS_GROUP30 = 'group30'
+VPN_PFS_GROUP31 = 'group31'

 VPN_SUPPORTED_PFSES = [
-    VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14,
+    VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14, VPN_PFS_GROUP15,
+    VPN_PFS_GROUP16, VPN_PFS_GROUP17, VPN_PFS_GROUP18, VPN_PFS_GROUP19,
+    VPN_PFS_GROUP20, VPN_PFS_GROUP21, VPN_PFS_GROUP22, VPN_PFS_GROUP23,
+    VPN_PFS_GROUP24, VPN_PFS_GROUP25, VPN_PFS_GROUP26, VPN_PFS_GROUP27,
+    VPN_PFS_GROUP28, VPN_PFS_GROUP29, VPN_PFS_GROUP30, VPN_PFS_GROUP31,
 ]

 # VPN IKE version constants
@ -113,10 +172,13 @@ VPN_AUTH_ALGORITHM_SHA1 = 'sha1'
 VPN_AUTH_ALGORITHM_SHA256 = 'sha256'
 VPN_AUTH_ALGORITHM_SHA384 = 'sha384'
 VPN_AUTH_ALGORITHM_SHA512 = 'sha512'
+VPN_AUTH_ALGORITHM_AES_XCBC = 'aes-xcbc'
+VPN_AUTH_ALGORITHM_AES_CMAC = 'aes-cmac'

 VPN_SUPPORTED_AUTH_ALGORITHMS = [
    VPN_AUTH_ALGORITHM_SHA1, VPN_AUTH_ALGORITHM_SHA256,
    VPN_AUTH_ALGORITHM_SHA384, VPN_AUTH_ALGORITHM_SHA512,
+    VPN_AUTH_ALGORITHM_AES_XCBC, VPN_AUTH_ALGORITHM_AES_CMAC,
 ]

 # VPN phase1 negotiation mode constants
--- a/neutron_lib/api/definitions/vpn_aes_ccm_gcm.py
+++ b/neutron_lib/api/definitions/vpn_aes_ccm_gcm.py
@ -0,0 +1,27 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import vpn
+
+
+ALIAS = 'vpn-aes-ccm-gcm'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'VPN support for AES CCM, GCM modes'
+DESCRIPTION = 'Add choices for encryption, auth and pfs'
+UPDATED_TIMESTAMP = '2023-10-24T11:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = [vpn.ALIAS]
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
--- a/neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py
+++ b/neutron_lib/tests/unit/api/definitions/test_vpn_aes_ccm_gcm.py
@ -0,0 +1,18 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import vpn_aes_ccm_gcm
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class VpnAesCcmGcmDefinitionTestCase(base.DefinitionBaseTestCase):
+    extension_module = vpn_aes_ccm_gcm
--- a/releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml
+++ b/releasenotes/notes/add-vpnaas-ciphers-6c1dffbc2cdc3225.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Added support for more ciphers to the neutron-vpnaas API.
+    Added encryption algorithms (AES CCM and AES GCM modes for 128/192/256
+    bit keys and 8/12/16 octet ICVs, e.g. aes-256-ccm-16),
+    authentication algorithms (AES-XCBC, AES-CMAC) and PFS choices
+    (Diffie Hellman groups 15 to 31).