[PATCH 08/16] IPsec: Apple: Add desired cipher suites to profiles

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3601 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 110 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 816136c92..7011454fa 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -126,6 +126,35 @@ $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
+my %APPLE_CIPHERS = (
+	"aes256gcm128" => "AES-256-GCM",
+	"aes128gcm128" => "AES-128-GCM",
+	"aes256"       => "AES-256",
+	"aes128"       => "AES-128",
+	"3des"         => "3DES",
+);
+
+my %APPLE_INTEGRITIES = (
+	"sha2_512" => "SHA2-512",
+	"sha2_384" => "SHA2-384",
+	"sha2_256" => "SHA2-256",
+	"sha1"     => "SHA1-160",
+);
+
+my %APPLE_DH_GROUPS = (
+	"768" => 1,
+	"1024" => 2,
+	"1536" => 5,
+	"2048" => 14,
+	"3072" => 15,
+	"4096" => 16,
+	"6144" => 17,
+	"8192" => 18,
+	"e256" => 19,
+	"e384" => 20,
+	"e521" => 21,
+);
+
 ###
 ### Useful functions
 ###
@@ -1264,6 +1293,87 @@ END
 		print "					<true/>\n";
 	}
 
+	# IKE Cipher Suite
+	print "					<key>IKESecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[18])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[19])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[20])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[16] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+	# ESP Cipher Suite
+	print "					<key>ChildSecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[21])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[22])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[23])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[17] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+
 	# Left ID
 	if ($confighash{$key}[9]) {
 		print "					<key>LocalIdentifier</key>\n";
-- 
2.20.1