From 7a663a75dc8b2f9842b72a05e17240edb4008849 Mon Sep 17 00:00:00 2001
From: aapostoliuk
Date: Wed, 18 Jan 2023 19:15:44 +0200
Subject: ipsec: T4925: Added PRF into IKE group
Added the possibility to configure Pseudo-Random Functions (PRF) in IKE group set vpn ipsec ike-group proposal prf
---
 interface-definitions/vpn-ipsec.xml.in | 39 +++++++++++++++++++++++++++++++++
 python/vyos/template.py | 2 ++
 smoketest/scripts/cli/test_vpn_ipsec.py | 3 ++-
 3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in
index fd74a51d7..fa12d999c 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn-ipsec.xml.in
@@ -465,6 +465,45 @@ 2 + + + Pseudo-Random Functions + + prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512 + + + prfmd5 + MD5 PRF + + + prfsha1 + SHA1 PRF + + + prfaesxcbc + AES XCBC PRF + + + prfaescmac + AES CMAC PRF + + + prfsha256 + SHA2_256 PRF + + + prfsha384 + SHA2_384 PRF + + + prfsha512 + SHA2_512 PRF + + + (prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512) + + + #include #include
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 2a4135f9e..ce9983958 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -476,6 +476,8 @@ def get_esp_ike_cipher(group_config, ike_group=None):
 continue
 tmp = '{encryption}-{hash}'.format(**proposal)
+ if 'prf' in proposal:
+ tmp += '-' + proposal['prf']
 if 'dh_group' in proposal:
 tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
 elif 'pfs' in group_config and group_config['pfs'] != 'disable':
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 46db0bbf5..03780c465 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
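Review bot: The new `prf` value list in vpn-ipsec.xml.in presents `prfmd5` and `prfsha1` on equal footing with the SHA-2 PRFs, and the descriptions `MD5 PRF` and `SHA1 PRF` give the operator no hint that these are legacy choices (RFC 8247 classes the HMAC-MD5 PRF as SHOULD NOT). Suggest marking them in the description text, e.g. `MD5 PRF (legacy, not recommended)` and `SHA1 PRF (legacy)`, so the completion help steers new configurations toward `prfsha256`/`prfsha384`/`prfsha512`. The completion list and the value constraint regex repeat the same seven names; a short comment above the node noting that both must be kept in sync with the `prf` handling in python/vyos/template.py would help the next person who adds an algorithm. The XML markup of this hunk is not visible here, so the exact element names are inferred from the visible text.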
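Review bot: The two added lines in get_esp_ike_cipher splice the CLI value straight into the swanctl proposal string, and nothing in this function checks it; the only validation is the constraint regex in vpn-ipsec.xml.in, which is fine but should be stated so that a later relaxation of the constraint is recognised as a change to what reaches swanctl.conf. Suggest a comment above the guard, e.g. `# 'prf' is only set on ike-group proposals and is pre-validated by the CLI constraint (prfmd5|prfsha1|…); it is emitted verbatim into the swanctl proposal string`. The function name suggests it also renders ESP proposals (its definition and the loop over proposals start outside the hunk), so the `if 'prf' in proposal` guard is what keeps a PRF token out of ESP strings — worth saying, since an ESP proposal with a stray `prf` key would otherwise produce an invalid string. Whether the hunk's position before the `dh_group` handling matters depends on how strongSwan parses the token order; it appears not to, but confirm against the proposal parser.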
@@ -337,6 +337,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2'])
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256'])
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'prf', 'prfsha1'])
 # Profile
 self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret'])
@@ -349,7 +350,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 swanctl_conf = read_file(swanctl_file)
 swanctl_lines = [
- f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024',
+ f'proposals = aes128-sha1-modp1024,aes256-sha1-prfsha1-modp1024',
 f'version = 1',
 f'rekey_time = {ike_lifetime}s',
 f'rekey_time = {esp_lifetime}s',
-- cgit v1.2.3
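Review bot: The replacement expectation line keeps the `f` prefix on a string with no placeholders, inherited from the removed line; since it is being rewritten anyway, make it a plain literal, `'proposals = aes128-sha1-modp1024,aes256-sha1-prfsha1-modp1024',`. The only PRF exercised is `prfsha1`, attached to an ike-group whose expected output includes `version = 1`; strongSwan derives the IKEv1 PRF from the hash algorithm, so this assertion shows the token is rendered but may not show it takes effect — confirm, and consider a second case on an IKEv2 group with `prfsha256` so the recommended path is covered. The enclosing test method starts and ends outside both hunks.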