summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2024-04-15 08:40:26 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2024-04-15 08:54:20 +0000
commit95cd743c24c6f7720af87450312fc111649db849 (patch)
treee1156083214a68cdb95d609b80c5000e666dbbac
parenta6ccf358c7148781be438c4a2f89468ebfe5d48f (diff)
downloadvyos-1x-95cd743c24c6f7720af87450312fc111649db849.tar.gz
vyos-1x-95cd743c24c6f7720af87450312fc111649db849.zip
T5734: OpenVPN check PKI DH name exists if DH configured
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ```
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 505ec55c6..0ecffd3be 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -198,6 +198,12 @@ def verify_pki(openvpn):
raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
if 'dh_params' in tls:
+ if 'dh' not in pki:
+ raise ConfigError(f'pki dh is not configured')
+ proposed_dh = tls['dh_params']
+ if proposed_dh not in pki['dh'].keys():
+ raise ConfigError(f"pki dh '{proposed_dh}' is not configured")
+
pki_dh = pki['dh'][tls['dh_params']]
dh_params = load_dh_parameters(pki_dh['parameters'])
dh_numbers = dh_params.parameter_numbers()