author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2024-04-15 08:40:26 +0000 |
---|---|---|
committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2024-04-15 08:54:20 +0000 |
commit | 95cd743c24c6f7720af87450312fc111649db849 (patch) | |
tree | e1156083214a68cdb95d609b80c5000e666dbbac | |
parent | a6ccf358c7148781be438c4a2f89468ebfe5d48f (diff) | |
download | vyos-1x-95cd743c24c6f7720af87450312fc111649db849.tar.gz vyos-1x-95cd743c24c6f7720af87450312fc111649db849.zip |
T5734: OpenVPN check PKI DH name exists if DH configured
Check whether a DH name is configured for OpenVPN but does not exist in the
PKI section
```
set pki dh dh-correct parameters 'xxxx'
set interfaces openvpn vtun10 tls dh-params 'dh-fake'
File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki
pki_dh = pki['dh'][tls['dh_params']]
~~~~~~~~~^^^^^^^^^^^^^^^^^^
KeyError: 'dh-fake'
```
-rwxr-xr-x | src/conf_mode/interfaces_openvpn.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 505ec55c6..0ecffd3be 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -198,6 +198,12 @@ def verify_pki(openvpn):
             raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
 
         if 'dh_params' in tls:
+            if 'dh' not in pki:
+                raise ConfigError(f'pki dh is not configured')
+            proposed_dh = tls['dh_params']
+            if proposed_dh not in pki['dh'].keys():
+                raise ConfigError(f"pki dh '{proposed_dh}' is not configured")
+
             pki_dh = pki['dh'][tls['dh_params']]
             dh_params = load_dh_parameters(pki_dh['parameters'])
             dh_numbers = dh_params.parameter_numbers()
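Review bot: The new existence check still leaves the `pki_dh['parameters']` lookup on the context line below the added block unguarded, so a `pki dh <name>` node that is present but has no `parameters` set would presumably fail with the same kind of KeyError this commit fixes for the name; add `if 'parameters' not in pki_dh: raise ConfigError(f"pki dh '{proposed_dh}' has no parameters configured")` directly after the `pki_dh = ...` line (whether the schema allows that state should be confirmed). Two style points in the added lines: `f'pki dh is not configured'` has no placeholders and should be a plain string, and `proposed_dh not in pki['dh'].keys()` is better written `if proposed_dh not in pki['dh']:`. The existing `pki_dh = pki['dh'][tls['dh_params']]` could also reuse `proposed_dh` now that it is bound. verify_pki begins before this hunk and its body continues past it.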