summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJohn Estabrook <jestabro@vyos.io>2023-10-11 19:43:52 -0500
committerGitHub <noreply@github.com>2023-10-11 19:43:52 -0500
commit526f19eaf7953ff96e6b92c798aa7b3df42a7472 (patch)
treeac4a4b043de6bf81662d706705f6c30eb30c22aa /src
parentf51c3b07daf21c261306cf41d7d1f3dfd473b0fb (diff)
parent941c5adfaca2c7e3318b2ba0e7f36c37acaa53c1 (diff)
downloadvyos-1x-526f19eaf7953ff96e6b92c798aa7b3df42a7472.tar.gz
vyos-1x-526f19eaf7953ff96e6b92c798aa7b3df42a7472.zip
Merge pull request #2353 from dmbaturin/T5634-no-more-blowfish
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
Diffstat (limited to 'src')
-rw-r--r--src/migration-scripts/openvpn/0-to-149
1 files changed, 49 insertions, 0 deletions
diff --git a/src/migration-scripts/openvpn/0-to-1 b/src/migration-scripts/openvpn/0-to-1
new file mode 100644
index 000000000..24bb38d3c
--- /dev/null
+++ b/src/migration-scripts/openvpn/0-to-1
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+# Removes outdated ciphers (DES and Blowfish) from OpenVPN configs
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+if not config.exists(['interfaces', 'openvpn']):
+ # Nothing to do
+ sys.exit(0)
+else:
+ ovpn_intfs = config.list_nodes(['interfaces', 'openvpn'])
+ for i in ovpn_intfs:
+ # Remove DES and Blowfish from 'encryption cipher'
+ cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'cipher']
+ if config.exists(cipher_path):
+ cipher = config.return_value(cipher_path)
+ if cipher in ['des', 'bf128', 'bf256']:
+ config.delete(cipher_path)
+
+ ncp_cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers']
+ if config.exists(ncp_cipher_path):
+ ncp_ciphers = config.return_values(['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers'])
+ if 'des' in ncp_ciphers:
+ config.delete_value(['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers'], 'des')
+
+ # Clean up the encryption subtree if the migration procedure left it empty
+ if config.exists(['interfaces', 'openvpn', i, 'encryption']) and \
+ (config.list_nodes(['interfaces', 'openvpn', i, 'encryption']) == []):
+ config.delete(['interfaces', 'openvpn', i, 'encryption'])
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)