Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ipsec: T6101: Add validation for proposal option used in IKE group #4121

Merged
merged 1 commit into from
Oct 4, 2024
Merged

ipsec: T6101: Add validation for proposal option used in IKE group #4121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion smoketest/scripts/cli/test_vpn_ipsec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -947,7 +947,8 @@ def test_remote_access_dhcp_fail_handling(self):
self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '14'])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes256'])
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512'])
# a hash algorithm that cannot be mapped to an equivalent PRF
self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'aes192gmac'])

# ESP
self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
Expand All @@ -968,6 +969,11 @@ def test_remote_access_dhcp_fail_handling(self):
self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', name_server])
self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])

# verify() - IKE group use not mapped hash algorithm
with self.assertRaises(ConfigSessionError):
self.cli_commit()

self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512'])
self.cli_commit()

self.assertTrue(os.path.exists(dhcp_interfaces_file))
Expand Down
13 changes: 13 additions & 0 deletions src/conf_mode/vpn_ipsec.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,19 @@ def verify(ipsec):
else:
verify_interface_exists(ipsec, interface)

# need to use a pseudo-random function (PRF) with an authenticated encryption algorithm.
# If a hash algorithm is defined then it will be mapped to an equivalent PRF
if 'ike_group' in ipsec:
for _, ike_config in ipsec['ike_group'].items():
for proposal, proposal_config in ike_config.get('proposal', {}).items():
if 'encryption' in proposal_config and 'prf' not in proposal_config:
# list of hash algorithms that cannot be mapped to an equivalent PRF
algs = ['aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96']
if 'hash' in proposal_config and proposal_config['hash'] in algs:
raise ConfigError(
f"A PRF algorithm is mandatory in IKE proposal {proposal}"
)

if 'l2tp' in ipsec:
if 'esp_group' in ipsec['l2tp']:
if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']:
Expand Down
Loading