authorChristian Poessinger <christian@poessinger.com>2020-10-30 21:13:35 +0100
committerChristian Poessinger <christian@poessinger.com>2020-10-30 21:13:35 +0100
commit700d03d241b7335d9c647afb114100929dfbd909 (patch)
tree870cd187db57915d40e8e4d7a2b14f238ba3ddfc
parent5ffe914cb35f77dad3a095ca7167e46d9f087b33 (diff)
downloadvyos-1x-700d03d241b7335d9c647afb114100929dfbd909.tar.gz
vyos-1x-700d03d241b7335d9c647afb114100929dfbd909.zip
openvpn: T2994: verify DH key length
-rw-r--r--python/vyos/configverify.py24
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py5
-rw-r--r--src/tests/test_configverify.py38
3 files changed, 66 insertions, 1 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index d3ca56d11..babb0feb7 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -259,3 +259,27 @@ def verify_accel_ppp_base_service(config):
if 'delegation_prefix' not in ipv6_pool['delegate'][delegate]:
raise ConfigError('delegation-prefix length required!')
+def verify_diffie_hellman_length(file, min_keysize):
+ """ Verify Diffie-Hellamn keypair length given via file. It must be greater
+ then or equal to min_keysize """
+
+ try:
+ keysize = str(min_keysize)
+ except:
+ return False
+
+ import os
+ import re
+ from vyos.util import cmd
+
+ if os.path.exists(file):
+
+ out = cmd(f'openssl dhparam -inform PEM -in {file} -text')
+ prog = re.compile('\d+\s+bit')
+ if prog.search(out):
+ bits = prog.search(out)[0].split()[0]
+ if int(min_keysize) >= int(bits):
+ return True
+
+ return False
+
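Review bot: The comparison in `verify_diffie_hellman_length` is inverted — `if int(min_keysize) >= int(bits)` returns True when the file's parameter size is at or *below* the minimum, so a 1024-bit file passes a 2048-bit floor while a 4096-bit file is rejected; it should read `if int(bits) >= int(min_keysize):`. The `try: keysize = str(min_keysize) except: return False` block never fails and the result is unused, while the `int(min_keysize)` that can actually raise ValueError on a non-numeric string sits outside any handler. Since `file` comes from the configuration and is interpolated into a command string, quoting it (`from shlex import quote` … `cmd(f'openssl dhparam -inform PEM -in {quote(file)} -text')`) is cheap insurance against spaces or shell metacharacters in the path, and the pattern should be a raw string, `re.compile(r'\d+\s+bit')`, to avoid the invalid-escape warning. Whether `cmd()` raises on a non-zero openssl exit (e.g. an unparsable file) is not visible here; if it does, that exception propagates uncaught to the caller rather than yielding False.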
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6b5a3363e..b75b6dc1b 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -38,6 +38,7 @@ from vyos.validate import is_addr_assigned
from vyos.validate import is_ipv6
from vyos.configverify import verify_vrf
from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_diffie_hellman_length
from vyos import ConfigError
from vyos import airbag
@@ -229,7 +230,6 @@ def verify(openvpn):
if 'remote_host' in openvpn:
raise ConfigError('Cannot specify "remote-host" in server mode')
- tmp = dict_search('tls.dh_file', openvpn)
if 'tls' in openvpn:
if 'dh_file' not in openvpn['tls']:
if 'key_file' in openvpn['tls'] and not checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls']['key_file']):
@@ -415,6 +415,9 @@ def verify(openvpn):
if file and not checkCertHeader('-----BEGIN DH PARAMETERS-----', file):
raise ConfigError(f'Specified dh-file "{file}" is not valid')
+ if file and not verify_diffie_hellman_length(file, 2048):
+ raise ConfigError(f'Minimum DH key-size is 2048 bits')
+
tmp = dict_search('tls.role', openvpn)
if tmp:
if openvpn['mode'] in ['client', 'server']:
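Review bot: The new ConfigError on the line after the `verify_diffie_hellman_length` call is an f-string with no placeholders and does not say which file failed; `raise ConfigError(f'Specified dh-file "{file}" is below the minimum DH key-size of 2048 bits')` matches the preceding `checkCertHeader` message and tells the operator what to fix. As written in this commit the helper's size comparison is reversed, so this check will reject DH parameters larger than 2048 bits and accept smaller ones — the fix belongs in the helper, but the 2048 literal used twice here (call and message) would be less fragile as one module-level constant. The enclosing `verify()` starts and ends outside this hunk.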
diff --git a/src/tests/test_configverify.py b/src/tests/test_configverify.py
new file mode 100644
index 000000000..ad7e053db
--- /dev/null
+++ b/src/tests/test_configverify.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from unittest import TestCase
+from vyos.configverify import verify_diffie_hellman_length
+from vyos.util import cmd
+
+dh_file = '/tmp/dh.pem'
+
+class TestDictSearch(TestCase):
+ def setUp(self):
+ pass
+
+ def test_dh_key_none(self):
+ self.assertFalse(verify_diffie_hellman_length('/tmp/non_existing_file', '1024'))
+
+ def test_dh_key_256(self):
+ key_len = '256'
+ cmd(f'openssl dhparam -out {dh_file} {key_len}')
+ self.assertTrue(verify_diffie_hellman_length(dh_file, key_len))
+
+ def test_dh_key_512(self):
+ key_len = '512'
+ cmd(f'openssl dhparam -out {dh_file} {key_len}')
+ self.assertTrue(verify_diffie_hellman_length(dh_file, key_len))
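Review bot: Both positive tests generate a file whose size equals the minimum they pass, so they cannot distinguish `>=` from `<=` in the helper — which is exactly the defect the helper has in this commit; add a case where the file is smaller than the floor, `cmd(f'openssl dhparam -out {dh_file} 256')` followed by `self.assertFalse(verify_diffie_hellman_length(dh_file, '512'))`, and one where it is larger with `assertTrue`. The class name `TestDictSearch` looks copied from another test module and should be `TestConfigVerify`. Writing to the fixed path `/tmp/dh.pem` is shared across runs and users; `tempfile.NamedTemporaryFile` (or `tempfile.mkstemp`) in `setUp` with removal in `tearDown` avoids collisions and symlink games in a world-writable directory.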