diff options
author | John Estabrook <jestabro@vyos.io> | 2023-10-11 19:43:52 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-11 19:43:52 -0500 |
commit | 526f19eaf7953ff96e6b92c798aa7b3df42a7472 (patch) | |
tree | ac4a4b043de6bf81662d706705f6c30eb30c22aa /src | |
parent | f51c3b07daf21c261306cf41d7d1f3dfd473b0fb (diff) | |
parent | 941c5adfaca2c7e3318b2ba0e7f36c37acaa53c1 (diff) | |
download | vyos-1x-526f19eaf7953ff96e6b92c798aa7b3df42a7472.tar.gz vyos-1x-526f19eaf7953ff96e6b92c798aa7b3df42a7472.zip |
Merge pull request #2353 from dmbaturin/T5634-no-more-blowfish
openvpn: T5634: Remove support for insecure DES and Blowfish ciphers
Diffstat (limited to 'src')
-rw-r--r-- | src/migration-scripts/openvpn/0-to-1 | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/src/migration-scripts/openvpn/0-to-1 b/src/migration-scripts/openvpn/0-to-1 new file mode 100644 index 000000000..24bb38d3c --- /dev/null +++ b/src/migration-scripts/openvpn/0-to-1 @@ -0,0 +1,49 @@ +#!/usr/bin/env python3 + +# Removes outdated ciphers (DES and Blowfish) from OpenVPN configs + +import sys + +from vyos.configtree import ConfigTree + +if len(sys.argv) < 2: + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +if not config.exists(['interfaces', 'openvpn']): + # Nothing to do + sys.exit(0) +else: + ovpn_intfs = config.list_nodes(['interfaces', 'openvpn']) + for i in ovpn_intfs: + # Remove DES and Blowfish from 'encryption cipher' + cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'cipher'] + if config.exists(cipher_path): + cipher = config.return_value(cipher_path) + if cipher in ['des', 'bf128', 'bf256']: + config.delete(cipher_path) + + ncp_cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers'] + if config.exists(ncp_cipher_path): + ncp_ciphers = config.return_values(['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers']) + if 'des' in ncp_ciphers: + config.delete_value(['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers'], 'des') + + # Clean up the encryption subtree if the migration procedure left it empty + if config.exists(['interfaces', 'openvpn', i, 'encryption']) and \ + (config.list_nodes(['interfaces', 'openvpn', i, 'encryption']) == []): + config.delete(['interfaces', 'openvpn', i, 'encryption']) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) |