authorViacheslav Hletenko <v.gletenko@vyos.io>2024-04-15 08:40:26 +0000
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-04-15 14:43:24 +0000
commit9cd746491a4d866f208855830a7b8b3ffbb6757e (patch)
treec471e64c5a7d50a9de93b9c210677f3720da86eb
parent8034e76f6b8d0813ad1a447935809efcd203be47 (diff)
downloadvyos-1x-9cd746491a4d866f208855830a7b8b3ffbb6757e.tar.gz
vyos-1x-9cd746491a4d866f208855830a7b8b3ffbb6757e.zip
T5734: OpenVPN check PKI DH name exists if DH configured
Check if DH is configured for OpenVPN but does not exist in the PKI section ``` set pki dh dh-correct parameters 'xxxx' set interfaces openvpn vtun10 tls dh-params 'dh-fake' File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki pki_dh = pki['dh'][tls['dh_params']] ~~~~~~~~~^^^^^^^^^^^^^^^^^^ KeyError: 'dh-fake' ``` (cherry picked from commit 95cd743c24c6f7720af87450312fc111649db849)
-rwxr-xr-xsrc/conf_mode/interfaces_openvpn.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 505ec55c6..0ecffd3be 100755
--- a/src/conf_mode/interfaces_openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -198,6 +198,12 @@ def verify_pki(openvpn):
raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
if 'dh_params' in tls:
+ if 'dh' not in pki:
+ raise ConfigError(f'pki dh is not configured')
+ proposed_dh = tls['dh_params']
+ if proposed_dh not in pki['dh'].keys():
+ raise ConfigError(f"pki dh '{proposed_dh}' is not configured")
+
pki_dh = pki['dh'][tls['dh_params']]
dh_params = load_dh_parameters(pki_dh['parameters'])
dh_numbers = dh_params.parameter_numbers()
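Review bot: The added checks (`if 'dh' not in pki` and `proposed_dh not in pki['dh'].keys()`) only prove that the named `pki dh` node exists; the very next context line, `pki_dh['parameters']`, still raises a bare KeyError if that node was created without its `parameters` leaf, which looks possible since `parameters` is a separate child — the same class of unhandled failure this commit fixes, worth confirming against the schema. A one-line extension after the existence check closes it: `if 'parameters' not in pki['dh'][proposed_dh]: raise ConfigError(f"pki dh '{proposed_dh}' has no parameters configured")`. Minor style: `f'pki dh is not configured'` has no placeholders and should be a plain string, and `proposed_dh not in pki['dh'].keys()` reads better as `proposed_dh not in pki['dh']`. verify_pki starts before the hunk, and the DH size validation that consumes `dh_numbers` continues after it.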