From 062a016b5817dadebfc860cb0fbce98be0c7c176 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Aug 2018 19:27:55 +0200
Subject: [PATCH] ipsec: add brainpool ec groups

PR: https://forum.opnsense.org/index.php?topic=9308.0
---
 src/etc/inc/plugins.inc.d/ipsec.inc |  9 +++++++
 src/www/vpn_ipsec.php               | 40 ++++++++++++++++-------------
 src/www/vpn_ipsec_mobile.php        | 35 +++++++++++++------------
 src/www/vpn_ipsec_phase1.php        | 35 +++++++++++++------------
 src/www/vpn_ipsec_phase2.php        | 36 ++++++++++++++------------
 5 files changed, 88 insertions(+), 67 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 2f5c65f0c..37a23cef6 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -653,6 +653,15 @@ function ipsec_convert_to_modp($index)
         case '24':
             $convertion = "modp2048s256";
             break;
+        case '28':
+            $convertion = "ecp256bp";
+            break;
+        case '29':
+            $convertion = "ecp384bp";
+            break;
+        case '30':
+            $convertion = "ecp512bp";
+            break;
     }
 
     return $convertion;
diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php
index 2ad07db3d..e37e3717f 100644
--- a/src/www/vpn_ipsec.php
+++ b/src/www/vpn_ipsec.php
@@ -186,25 +186,29 @@ legacy_html_escape_form_data($a_phase2);
 $service_hook = 'ipsec';
 
 include("head.inc");
-$dhgroups = array(
-  0  => gettext('off'),
-  1  => '1 (768&nbsp;bits)',
-  2  => '2 (1024&nbsp;bits)',
-  5  => '5 (1536&nbsp;bits)',
-  14 => '14 (2048&nbsp;bits)',
-  15 => '15 (3072&nbsp;bits)',
-  16 => '16 (4096&nbsp;bits)',
-  17 => '17 (6144&nbsp;bits)',
-  18 => '18 (8192&nbsp;bits)',
-  19 => '19 (256&nbsp;bit&nbsp;elliptic&nbsp;curve)',
-  20 => '20 (384&nbsp;bit&nbsp;elliptic&nbsp;curve)',
-  21 => '21 (521&nbsp;bit&nbsp;elliptic&nbsp;curve)',
-  22 => '22 (1024(sub 160)&nbsp;bits)',
-  23 => '23 (2048(sub 224)&nbsp;bits)',
-  24 => '24 (2048(sub 256)&nbsp;bits)'
-);
-?>
 
+$dhgroups = array(
+    0 => gettext('off'),
+    1 => '1 (768 bits)',
+    2 => '2 (1024 bits)',
+    5 => '5 (1536 bits)',
+    14 => '14 (2048 bits)',
+    15 => '15 (3072 bits)',
+    16 => '16 (4096 bits)',
+    17 => '17 (6144 bits)',
+    18 => '18 (8192 bits)',
+    19 => '19 (NIST EC 256 bits)',
+    20 => '20 (NIST EC 384 bits)',
+    21 => '21 (NIST EC 521 bits)',
+    22 => '22 (1024(sub 160) bits)',
+    23 => '23 (2048(sub 224) bits)',
+    24 => '24 (2048(sub 256) bits)',
+    28 => '28 (Brainpool EC 256 bits)',
+    29 => '29 (Brainpool EC 384 bits)',
+    30 => '30 (Brainpool EC 512 bits)',
+);
+
+?>
 <body>
 <script>
 $( document ).ready(function() {
diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php
index c6cfd4902..6db8b1613 100644
--- a/src/www/vpn_ipsec_mobile.php
+++ b/src/www/vpn_ipsec_mobile.php
@@ -506,23 +506,26 @@ endfor; ?>
                         <select name="pfs_group" class="selectpicker" id="pfs_group">
 <?php
                         $p2_dhgroups = array(
-                          0  => gettext('off'),
-                          1  => '1 (768 bit)',
-                          2  => '2 (1024 bit)',
-                          5  => '5 (1536 bit)',
-                          14 => '14 (2048 bit)',
-                          15 => '15 (3072 bit)',
-                          16 => '16 (4096 bit)',
-                          17 => '17 (6144 bit)',
-                          18 => '18 (8192 bit)',
-                          19 => '19 (256 bit elliptic curve)',
-                          20 => '20 (384 bit elliptic curve)',
-                          21 => '21 (521 bit elliptic curve)',
-                          22 => '22 (1024(sub 160) bit)',
-                          23 => '23 (2048(sub 224) bit)',
-                          24 => '24 (2048(sub 256) bit)'
+                            0 => gettext('off'),
+                            1 => '1 (768 bits)',
+                            2 => '2 (1024 bits)',
+                            5 => '5 (1536 bits)',
+                            14 => '14 (2048 bits)',
+                            15 => '15 (3072 bits)',
+                            16 => '16 (4096 bits)',
+                            17 => '17 (6144 bits)',
+                            18 => '18 (8192 bits)',
+                            19 => '19 (NIST EC 256 bits)',
+                            20 => '20 (NIST EC 384 bits)',
+                            21 => '21 (NIST EC 521 bits)',
+                            22 => '22 (1024(sub 160) bits)',
+                            23 => '23 (2048(sub 224) bits)',
+                            24 => '24 (2048(sub 256) bits)',
+                            28 => '28 (Brainpool EC 256 bits)',
+                            29 => '29 (Brainpool EC 384 bits)',
+                            30 => '30 (Brainpool EC 512 bits)',
                         );
-                        foreach ($p2_dhgroups as $keygroup => $keygroupname) :?>
+                        foreach ($p2_dhgroups as $keygroup => $keygroupname): ?>
                           <option value="<?=$keygroup;
 ?>" <?= $pconfig['pfs_group'] == $keygroup ? "selected=\"selected\"" : "" ; ?>>
                             <?=$keygroupname;?>
diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index 74b96156a..2621df956 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
@@ -932,23 +932,26 @@ endforeach; ?>
                       <select name="dhgroup">
 <?php
                       $p1_dhgroups = array(
-                        0  => gettext('off'),
-                        1  => '1 (768 bit)',
-                        2  => '2 (1024 bit)',
-                        5  => '5 (1536 bit)',
-                        14 => '14 (2048 bit)',
-                        15 => '15 (3072 bit)',
-                        16 => '16 (4096 bit)',
-                        17 => '17 (6144 bit)',
-                        18 => '18 (8192 bit)',
-                        19 => '19 (256 bit elliptic curve)',
-                        20 => '20 (384 bit elliptic curve)',
-                        21 => '21 (521 bit elliptic curve)',
-                        22 => '22 (1024(sub 160) bit)',
-                        23 => '23 (2048(sub 224) bit)',
-                        24 => '24 (2048(sub 256) bit)'
+                           0 => gettext('off'),
+                           1 => '1 (768 bits)',
+                           2 => '2 (1024 bits)',
+                           5 => '5 (1536 bits)',
+                           14 => '14 (2048 bits)',
+                           15 => '15 (3072 bits)',
+                           16 => '16 (4096 bits)',
+                           17 => '17 (6144 bits)',
+                           18 => '18 (8192 bits)',
+                           19 => '19 (NIST EC 256 bits)',
+                           20 => '20 (NIST EC 384 bits)',
+                           21 => '21 (NIST EC 521 bits)',
+                           22 => '22 (1024(sub 160) bits)',
+                           23 => '23 (2048(sub 224) bits)',
+                           24 => '24 (2048(sub 256) bits)',
+                           28 => '28 (Brainpool EC 256 bits)',
+                           29 => '29 (Brainpool EC 384 bits)',
+                           30 => '30 (Brainpool EC 512 bits)',
                       );
-                      foreach ($p1_dhgroups as $keygroup => $keygroupname) :
+                      foreach ($p1_dhgroups as $keygroup => $keygroupname):
 ?>
                         <option value="<?=$keygroup;?>" <?= $keygroup == $pconfig['dhgroup'] ? "selected=\"selected\"" : "";?>>
                           <?=$keygroupname;?>
diff --git a/src/www/vpn_ipsec_phase2.php b/src/www/vpn_ipsec_phase2.php
index a14927e6e..cd8b41da2 100644
--- a/src/www/vpn_ipsec_phase2.php
+++ b/src/www/vpn_ipsec_phase2.php
@@ -674,24 +674,26 @@ endif; ?>
                     <select name="pfsgroup">
 <?php
                     $p2_dhgroups = array(
-                      0  => gettext('off'),
-                      1  => '1 (768 bit)',
-                      2  => '2 (1024 bit)',
-                      5  => '5 (1536 bit)',
-                      14 => '14 (2048 bit)',
-                      15 => '15 (3072 bit)',
-                      16 => '16 (4096 bit)',
-                      17 => '17 (6144 bit)',
-                      18 => '18 (8192 bit)',
-                      19 => '19 (256 bit elliptic curve)',
-                      20 => '20 (384 bit elliptic curve)',
-                      21 => '21 (521 bit elliptic curve)',
-                      22 => '22 (1024(sub 160) bit)',
-                      23 => '23 (2048(sub 224) bit)',
-                      24 => '24 (2048(sub 256) bit)'
+                        0 => gettext('off'),
+                        1 => '1 (768 bits)',
+                        2 => '2 (1024 bits)',
+                        5 => '5 (1536 bits)',
+                        14 => '14 (2048 bits)',
+                        15 => '15 (3072 bits)',
+                        16 => '16 (4096 bits)',
+                        17 => '17 (6144 bits)',
+                        18 => '18 (8192 bits)',
+                        19 => '19 (NIST EC 256 bits)',
+                        20 => '20 (NIST EC 384 bits)',
+                        21 => '21 (NIST EC 521 bits)',
+                        22 => '22 (1024(sub 160) bits)',
+                        23 => '23 (2048(sub 224) bits)',
+                        24 => '24 (2048(sub 256) bits)',
+                        28 => '28 (Brainpool EC 256 bits)',
+                        29 => '29 (Brainpool EC 384 bits)',
+                        30 => '30 (Brainpool EC 512 bits)',
                     );
-
-                    foreach ($p2_dhgroups as $keygroup => $keygroupname) :?>
+                    foreach ($p2_dhgroups as $keygroup => $keygroupname): ?>
                       <option value="<?=$keygroup;?>" <?= $keygroup == $pconfig['pfsgroup'] ? "selected=\"selected\"" : "";?>>
                         <?=$keygroupname;?>
                       </option>