VPN: IPsec: Connections - re-add hashing options to GCM ciphers, but …

…at the bottom of the list. In theory these are only valid for IKE (https://users.strongswan.narkive.com/0YfEZ2CS/question-about-ike-aes256gcm16-aesxcbc-modp2048-in-ipsec-conf), but as there seems to be some confusion and having them doesn't really hurt, we are going to re-add them anyway for ESP and IKE. We might want to reassess this at some point, but there's not rush. ref: https://forum.opnsense.org/index.php?topic=36638.0
opnsense · Oct 26, 2023 · cde83b0 · cde83b0
1 parent 8439eeb
commit cde83b0
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php
@@ -106,15 +106,21 @@ protected function actionPostLoadingEvent()
                 'x25519' => 'DH31, Modern EC',
                 'x448' => 'DH32, Modern EC'
             ];
-
+            $gcm_prf_options = [];
             foreach (['aes128', 'aes192', 'aes256', 'aes128gcm16', 'aes192gcm16', 'aes256gcm16'] as $encalg) {
                 foreach (['sha256', 'sha384', 'sha512', 'aesxcbc'] as $intalg) {
                     foreach ($dhgroups as $dhgroup => $descr) {
+                        $cipher = "{$encalg}-{$intalg}-{$dhgroup}";
                         if (strpos($encalg, 'gcm') !== false) {
-                            /** GCM includes hashing */
+                            /**
+                             * GCM includes hashing, for IKE we might optionally add PRF options, which we will sort at
+                             * the end of the list.
+                             */
+                            $gcm_prf_options[$cipher] = [
+                                'value' => $cipher . " [{$descr}]",
+                                'optgroup' => gettext('Miscellaneous')
+                            ];
                             $cipher = "{$encalg}-{$dhgroup}";
-                        } else {
-                            $cipher = "{$encalg}-{$intalg}-{$dhgroup}";
                         }
                         if (empty(self::$internalCacheOptionList[$cipher])) {
                             self::$internalCacheOptionList[$cipher] = [
@@ -127,6 +133,7 @@ protected function actionPostLoadingEvent()
                     }
                 }
             }
+            self::$internalCacheOptionList = self::$internalCacheOptionList + $gcm_prf_options;
         }
 
         $this->internalOptionList = self::$internalCacheOptionList;