[feature] Added data-ciphers #322

Closes #322

Author: nemesifier

netjsonconfig/backends/openvpn/converters.py

@@ -53,9 +53,23 @@ def __intermediate_vpn(self, config, remove=None):
         # do not display status-version if status directive not present
         if 'status' not in config and 'status_version' in config:
             del config['status_version']
+        config = self.__output_data_ciphers(config)
         config = self.__add_tls_auth_key(config)
         return self.sorted_dict(config)
 
+    def __output_data_ciphers(self, config):
+        data_ciphers = config.get('data_ciphers', None)
+        if not data_ciphers:
+            return config
+        output = ''
+        for cipher in data_ciphers:
+            cipher_text = cipher['cipher']
+            if cipher['optional']:
+                cipher_text = f'?{cipher_text}'
+            output = f'{output}:{cipher_text}'
+        config['data_ciphers'] = output[1:]
+        return config
+
     def __add_tls_auth_key(self, config):
         tls_auth = config.get('tls_auth', None)
         if not tls_auth:
@@ -109,4 +123,18 @@ def __netjson_vpn(self, vpn):
                 else:
                     remote.append(dict(host=items[0], port=int(items[1])))
             vpn['remote'] = remote
+        vpn = self.__netjson_data_ciphers(vpn)
+        return vpn
+
+    def __netjson_data_ciphers(self, vpn):
+        data_ciphers_text = vpn.get('data_ciphers')
+        if not data_ciphers_text:
+            return vpn
+        data_ciphers = []
+        ciphers = data_ciphers_text.split(':')
+        for cipher in ciphers:
+            optional = cipher.startswith('?')
+            cipher_text = cipher if not optional else cipher[1:]
+            data_ciphers.append({'cipher': cipher_text, 'optional': optional})
+        vpn['data_ciphers'] = data_ciphers
         return vpn

netjsonconfig/backends/openvpn/schema.py

@@ -5,6 +5,91 @@
 
 from ...schema import schema as default_schema
 
+data_ciphers = [
+    "AES-128-CBC",
+    "AES-128-CFB",
+    "AES-128-CFB1",
+    "AES-128-CFB8",
+    "AES-128-GCM",
+    "AES-128-OFB",
+    "AES-192-CBC",
+    "AES-192-CFB",
+    "AES-192-CFB1",
+    "AES-192-CFB8",
+    "AES-192-GCM",
+    "AES-192-OFB",
+    "AES-256-CBC",
+    "AES-256-CFB",
+    "AES-256-CFB1",
+    "AES-256-CFB8",
+    "AES-256-GCM",
+    "AES-256-OFB",
+    "ARIA-128-CBC",
+    "ARIA-128-CFB",
+    "ARIA-128-CFB1",
+    "ARIA-128-CFB8",
+    "ARIA-128-OFB",
+    "ARIA-192-CBC",
+    "ARIA-192-CFB",
+    "ARIA-192-CFB1",
+    "ARIA-192-CFB8",
+    "ARIA-192-OFB",
+    "ARIA-256-CBC",
+    "ARIA-256-CFB",
+    "ARIA-256-CFB1",
+    "ARIA-256-CFB8",
+    "ARIA-256-OFB",
+    "CAMELLIA-128-CBC",
+    "CAMELLIA-128-CFB",
+    "CAMELLIA-128-CFB1",
+    "CAMELLIA-128-CFB8",
+    "CAMELLIA-128-OFB",
+    "CAMELLIA-192-CBC",
+    "CAMELLIA-192-CFB",
+    "CAMELLIA-192-CFB1",
+    "CAMELLIA-192-CFB8",
+    "CAMELLIA-192-OFB",
+    "CAMELLIA-256-CBC",
+    "CAMELLIA-256-CFB",
+    "CAMELLIA-256-CFB1",
+    "CAMELLIA-256-CFB8",
+    "CAMELLIA-256-OFB",
+    "CHACHA20-POLY1305",
+    "SEED-CBC",
+    "SEED-CFB",
+    "SEED-OFB",
+    "SM4-CBC",
+    "SM4-CFB",
+    "SM4-OFB",
+    "BF-CBC",
+    "BF-CFB",
+    "BF-OFB",
+    "CAST5-CBC",
+    "CAST5-CFB",
+    "CAST5-OFB",
+    "DES-CBC",
+    "DES-CFB",
+    "DES-CFB1",
+    "DES-CFB8",
+    "DES-EDE-CBC",
+    "DES-EDE-CFB",
+    "DES-EDE-OFB",
+    "DES-EDE3-CBC",
+    "DES-EDE3-CFB",
+    "DES-EDE3-CFB1",
+    "DES-EDE3-CFB8",
+    "DES-EDE3-OFB",
+    "DES-OFB",
+    "DESX-CBC",
+    "RC2-40-CBC",
+    "RC2-64-CBC",
+    "RC2-CBC",
+    "RC2-CFB",
+    "RC2-OFB",
+    "none",
+]
+default_cipher = "AES-256-GCM"
+
 base_openvpn_schema = {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "type": "object",
@@ -102,46 +187,61 @@
                     "default": "SHA1",
                     "propertyOrder": 11,
                 },
+                "data_ciphers": {
+                    "title": "data ciphers",
+                    "description": (
+                        "Restrict the allowed ciphers to be negotiated "
+                        "to the ciphers in this list."
+                    ),
+                    "type": "array",
+                    "additionalItems": True,
+                    "propertyOrder": 12.0,
+                    "minItems": 1,
+                    "default": [
+                        {"cipher": "AES-256-GCM", "optional": False},
+                        {"cipher": "AES-128-GCM", "optional": False},
+                    ],
+                    "items": {
+                        "type": "object",
+                        "required": ["cipher", "optional"],
+                        "properties": {
+                            "cipher": {
+                                "type": "string",
+                                "enum": [""] + data_ciphers,
+                                "default": "",
+                                "propertyOrder": 1,
+                            },
+                            "optional": {
+                                "type": "boolean",
+                                "default": False,
+                                "format": "checkbox",
+                                "propertyOrder": 2,
+                            },
+                        },
+                    },
+                },
+                "data_ciphers_fallback": {
+                    "title": "data ciphers fallback",
+                    "type": "string",
+                    "description": (
+                        "Configure a cipher that is used to fall back to if we "
+                        "could not determine which cipher the peer is willing to use."
+                    ),
+                    "enum": data_ciphers,
+                    "default": default_cipher,
+                    "propertyOrder": 12.1,
+                },
                 "cipher": {
                     "title": "cipher",
                     "type": "string",
-                    "description": "Encrypt data channel packets with cipher algorithm",
-                    "enum": [
-                        "AES-128-CBC",
-                        "AES-128-CFB",
-                        "AES-128-CFB1",
-                        "AES-128-CFB8",
-                        "AES-128-GCM",
-                        "AES-128-OFB",
-                        "AES-192-CBC",
-                        "AES-192-CFB",
-                        "AES-192-CFB1",
-                        "AES-192-CFB8",
-                        "AES-192-GCM",
-                        "AES-192-OFB",
-                        "AES-256-CBC",
-                        "AES-256-CFB",
-                        "AES-256-CFB1",
-                        "AES-256-CFB8",
-                        "AES-256-GCM",
-                        "AES-256-OFB",
-                        "BF-CBC",
-                        "BF-CFB",
-                        "BF-OFB",
-                        "CAMELLIA-128-CBC",
-                        "CAMELLIA-128-CFB1",
-                        "CAMELLIA-128-CFB8",
-                        "CAMELLIA-128-OFB",
-                        "CAMELLIA-192-CBC",
-                        "CAMELLIA-192-CFB",
-                        "CAMELLIA-192-CFB1",
-                        "CAMELLIA-192-CFB8",
-                        "CAMELLIA-192-OFB",
-                        "CAMELLIA-256-CBC",
-                        "none",
-                    ],
-                    "default": "BF-CBC",
-                    "propertyOrder": 12,
+                    "description": (
+                        "Encrypt data channel packets with cipher algorithm. "
+                        "This option is deprecated in favour of data-ciphers "
+                        "and data-ciphers-fallback."
+                    ),
+                    "enum": data_ciphers,
+                    "default": default_cipher,
+                    "propertyOrder": 12.2,
                 },
                 "engine": {
                     "title": "engine",