summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-10-04 13:43:40 +0200
committerGitHub <noreply@github.com>2024-10-04 13:43:40 +0200
commit43e9082419e88f59a804eae16e3fc4e848f40fbd (patch)
treeefab992f298e26dc2a731c3742a383b7fd138a37
parenta60cd03068db703d71988788d5486ac22b028d0a (diff)
parent34bbc3be98d20b7ce704cc498f070e70bf8f0213 (diff)
downloadvyos-1x-43e9082419e88f59a804eae16e3fc4e848f40fbd.tar.gz
vyos-1x-43e9082419e88f59a804eae16e3fc4e848f40fbd.zip
Merge pull request #4121 from natali-rs1985/T6101-current
ipsec: T6101: Add validation for proposal option used in IKE group
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py8
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py13
2 files changed, 20 insertions, 1 deletions
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 3b8687b93..de18d0427 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -947,7 +947,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '14'])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes256'])
- self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512'])
+ # a hash algorithm that cannot be mapped to an equivalent PRF
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'aes192gmac'])
# ESP
self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
@@ -968,6 +969,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', name_server])
self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
+ # verify() - IKE group use not mapped hash algorithm
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512'])
self.cli_commit()
self.assertTrue(os.path.exists(dhcp_interfaces_file))
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ca0c3657f..e22b7550c 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -214,6 +214,19 @@ def verify(ipsec):
else:
verify_interface_exists(ipsec, interface)
+ # need to use a pseudo-random function (PRF) with an authenticated encryption algorithm.
+ # If a hash algorithm is defined then it will be mapped to an equivalent PRF
+ if 'ike_group' in ipsec:
+ for _, ike_config in ipsec['ike_group'].items():
+ for proposal, proposal_config in ike_config.get('proposal', {}).items():
+ if 'encryption' in proposal_config and 'prf' not in proposal_config:
+ # list of hash algorithms that cannot be mapped to an equivalent PRF
+ algs = ['aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96']
+ if 'hash' in proposal_config and proposal_config['hash'] in algs:
+ raise ConfigError(
+ f"A PRF algorithm is mandatory in IKE proposal {proposal}"
+ )
+
if 'l2tp' in ipsec:
if 'esp_group' in ipsec['l2tp']:
if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']: