From cde83b0a0c3a5ef320954b8ba568902738ff4a5f Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 26 Oct 2023 15:09:32 +0200
Subject: [PATCH] VPN: IPsec: Connections - re-add hashing options to GCM ciphers, but at the bottom of the list. In theory these are only valid for IKE (https://users.strongswan.narkive.com/0YfEZ2CS/question-about-ike-aes256gcm16-aesxcbc-modp2048-in-ipsec-conf), but as there seems to be some confusion and having them doesn't really hurt, we are going to re-add them anyway for ESP and IKE. We might want to reassess this at some point, but there's not rush. ref: https://forum.opnsense.org/index.php?topic=36638.0
---
 .../IPsec/FieldTypes/IPsecProposalField.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php
index 1d8fa748bd7..80c5d778655 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php
+++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/FieldTypes/IPsecProposalField.php
@@ -106,15 +106,21 @@ protected function actionPostLoadingEvent()
 'x25519' => 'DH31, Modern EC',
 'x448' => 'DH32, Modern EC'
 ];
-
+ $gcm_prf_options = [];
 foreach (['aes128', 'aes192', 'aes256', 'aes128gcm16', 'aes192gcm16', 'aes256gcm16'] as $encalg) {
 foreach (['sha256', 'sha384', 'sha512', 'aesxcbc'] as $intalg) {
 foreach ($dhgroups as $dhgroup => $descr) {
+ $cipher = "{$encalg}-{$intalg}-{$dhgroup}";
 if (strpos($encalg, 'gcm') !== false) {
- /** GCM includes hashing */
+ /**
+ * GCM includes hashing, for IKE we might optionally add PRF options, which we will sort at
+ * the end of the list.
+ */
+ $gcm_prf_options[$cipher] = [
+ 'value' => $cipher . " [{$descr}]",
+ 'optgroup' => gettext('Miscellaneous')
+ ];
 $cipher = "{$encalg}-{$dhgroup}";
- } else {
- $cipher = "{$encalg}-{$intalg}-{$dhgroup}";
 }
 if (empty(self::$internalCacheOptionList[$cipher])) {
 self::$internalCacheOptionList[$cipher] = [
@@ -127,6 +133,7 @@ protected function actionPostLoadingEvent()
 }
 }
 }
+ self::$internalCacheOptionList = self::$internalCacheOptionList + $gcm_prf_options;
 }
 $this->internalOptionList = self::$internalCacheOptionList;
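Review bot: The new comment above `$gcm_prf_options[$cipher] = [` describes the hash as a PRF option "for IKE", but nothing in this loop separates IKE from ESP, so every `encalg-intalg-dhgroup` entry for a GCM cipher ends up in the shared static `self::$internalCacheOptionList` and is offered for ESP too, which the commit message itself says is only valid in theory for IKE. An operator who selects something like `aes256gcm16-sha512-x25519` for a child SA could reasonably assume SHA-512 integrity is in effect, when presumably only GCM's own authentication tag protects the traffic. I would record that in the comment, for example `GCM is an AEAD; the hash in these entries is only a PRF for IKE and has no integrity meaning for ESP, where they are kept for compatibility`, and consider marking the label as well, e.g. `'value' => $cipher . " [{$descr}, PRF only]"`. `actionPostLoadingEvent()` starts and ends outside these hunks, so whether a caller can filter the list per protocol is not visible here.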