From 700d03d241b7335d9c647afb114100929dfbd909 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 30 Oct 2020 21:13:35 +0100
Subject: openvpn: T2994: verify DH key length

---
 python/vyos/configverify.py | 24 +++++++++++++++++++++++
 src/conf_mode/interfaces-openvpn.py | 5 ++++-
 src/tests/test_configverify.py | 38 +++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 src/tests/test_configverify.py

diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index d3ca56d11..babb0feb7 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -259,3 +259,27 @@ def verify_accel_ppp_base_service(config):
 if 'delegation_prefix' not in ipv6_pool['delegate'][delegate]:
 raise ConfigError('delegation-prefix length required!')
 
+def verify_diffie_hellman_length(file, min_keysize):
+ """ Verify Diffie-Hellamn keypair length given via file. It must be greater
+ then or equal to min_keysize """
+
+ try:
+ keysize = str(min_keysize)
+ except:
+ return False
+
+ import os
+ import re
+ from vyos.util import cmd
+
+ if os.path.exists(file):
+
+ out = cmd(f'openssl dhparam -inform PEM -in {file} -text')
+ prog = re.compile('\d+\s+bit')
+ if prog.search(out):
+ bits = prog.search(out)[0].split()[0]
+ if int(min_keysize) >= int(bits):
+ return True
+
+ return False
+
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6b5a3363e..b75b6dc1b 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -38,6 +38,7 @@ from vyos.validate import is_addr_assigned
 from vyos.validate import is_ipv6
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_diffie_hellman_length
 from vyos import ConfigError
 from vyos import airbag
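Review bot: The size comparison in verify_diffie_hellman_length is inverted: `if int(min_keysize) >= int(bits):` returns True when the parameters are at or below the minimum and False when they are larger, so with the caller's 2048 a 1024-bit dh-file is accepted while a 4096-bit one is rejected. It should read `if int(bits) >= int(min_keysize):`; the tests added in this commit do not catch this because they always pass the generated size as the minimum, where both directions agree. The `try: keysize = str(min_keysize) except: return False` block binds an unused name behind a bare except and cannot fail for the int and str arguments used here, so it can be dropped and the later `int(min_keysize)` guarded with `except ValueError` instead; the pattern should also be a raw string, `re.compile(r'\d+\s+bit')`. Since `file` is interpolated into a shell command through `cmd`, quoting it with `shlex.quote(file)` (or passing an argument list) keeps a path containing spaces or shell metacharacters from breaking the openssl invocation.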
@@ -229,7 +230,6 @@ def verify(openvpn):
 if 'remote_host' in openvpn:
 raise ConfigError('Cannot specify "remote-host" in server mode')
 
- tmp = dict_search('tls.dh_file', openvpn)
 if 'tls' in openvpn:
 if 'dh_file' not in openvpn['tls']:
 if 'key_file' in openvpn['tls'] and not checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls']['key_file']):
@@ -415,6 +415,9 @@ def verify(openvpn):
 if file and not checkCertHeader('-----BEGIN DH PARAMETERS-----', file):
 raise ConfigError(f'Specified dh-file "{file}" is not valid')
 
+ if file and not verify_diffie_hellman_length(file, 2048):
+ raise ConfigError(f'Minimum DH key-size is 2048 bits')
+
 tmp = dict_search('tls.role', openvpn)
 if tmp:
 if openvpn['mode'] in ['client', 'server']:
diff --git a/src/tests/test_configverify.py b/src/tests/test_configverify.py
new file mode 100644
index 000000000..ad7e053db
--- /dev/null
+++ b/src/tests/test_configverify.py
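Review bot: The error raised on the new `verify_diffie_hellman_length(file, 2048)` check names only one of the reasons the helper returns False: as written in this commit it also returns False when the file does not exist or when the `openssl dhparam -text` output contains nothing matching `\d+ bit`, so an unreadable or malformed dh-file would be reported as "Minimum DH key-size is 2048 bits". Consider a message that covers both, e.g. `raise ConfigError(f'Specified dh-file "{file}" could not be parsed or is below the minimum DH key-size of 2048 bits')`, and drop the `f` prefix if the string ends up with no placeholder. The value 2048 is repeated in the call and in the message; a module-level constant such as `MIN_DH_KEYSIZE = 2048` used in both keeps them from drifting. The enclosing `verify(openvpn)` function, including the assignment of `file`, starts and ends outside this hunk.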
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from unittest import TestCase
+from vyos.configverify import verify_diffie_hellman_length
+from vyos.util import cmd
+
+dh_file = '/tmp/dh.pem'
+
+class TestDictSearch(TestCase):
+ def setUp(self):
+ pass
+
+ def test_dh_key_none(self):
+ self.assertFalse(verify_diffie_hellman_length('/tmp/non_existing_file', '1024'))
+
+ def test_dh_key_256(self):
+ key_len = '256'
+ cmd(f'openssl dhparam -out {dh_file} {key_len}')
+ self.assertTrue(verify_diffie_hellman_length(dh_file, key_len))
+
+ def test_dh_key_512(self):
+ key_len = '512'
+ cmd(f'openssl dhparam -out {dh_file} {key_len}')
+ self.assertTrue(verify_diffie_hellman_length(dh_file, key_len))
-- cgit v1.2.3
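Review bot: Each test passes the size it just generated as the minimum, so `verify_diffie_hellman_length(dh_file, key_len)` exercises only the equality case and passes whichever way the helper's comparison is written, while the unequal case is the whole point of the check. After generating the 512-bit file, add `self.assertFalse(verify_diffie_hellman_length(dh_file, '1024'))` and `self.assertTrue(verify_diffie_hellman_length(dh_file, '256'))` so that a too-small file is rejected and a larger-than-minimum file is accepted. The class name `TestDictSearch` looks copied from another test module and should be `TestConfigVerify`; the empty `setUp` can go. Writing to the fixed path `/tmp/dh.pem` is shared and predictable; `tempfile.mkstemp()` in `setUp` with removal in `tearDown` avoids collisions between runs on the same host.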