Merge pull request #4121 from natali-rs1985/T6101-current

ipsec: T6101: Add validation for proposal option used in IKE group
vyos · Oct 4, 2024 · 43e9082 · 43e9082
2 parents a60cd03 + 34bbc3b
commit 43e9082
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -947,7 +947,8 @@ def test_remote_access_dhcp_fail_handling(self):
         self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'dh-group', '14'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'encryption', 'aes256'])
-        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'hash', 'sha512'])
+        # a hash algorithm that cannot be mapped to an equivalent PRF
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'hash', 'aes192gmac'])
 
         # ESP
         self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
@@ -968,6 +969,11 @@ def test_remote_access_dhcp_fail_handling(self):
         self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', name_server])
         self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
 
+        # verify() - IKE group use not mapped hash algorithm
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha512'])
         self.cli_commit()
 
         self.assertTrue(os.path.exists(dhcp_interfaces_file))

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
@@ -214,6 +214,19 @@ def verify(ipsec):
             else:
                 verify_interface_exists(ipsec, interface)
 
+    # need to use a pseudo-random function (PRF) with an authenticated encryption algorithm.
+    # If a hash algorithm is defined then it will be mapped to an equivalent PRF
+    if 'ike_group' in ipsec:
+        for _, ike_config in ipsec['ike_group'].items():
+            for proposal, proposal_config in ike_config.get('proposal', {}).items():
+                if 'encryption' in proposal_config and 'prf' not in proposal_config:
+                    # list of hash algorithms that cannot be mapped to an equivalent PRF
+                    algs = ['aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96']
+                    if 'hash' in proposal_config and proposal_config['hash'] in algs:
+                        raise ConfigError(
+                            f"A PRF algorithm is mandatory in IKE proposal {proposal}"
+                        )
+
     if 'l2tp' in ipsec:
         if 'esp_group' in ipsec['l2tp']:
             if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']: