
vpn-config-pfs.patch

Authored By
DaRK
May 12 2018, 7:41 AM
Size
7 KB

vpn-config-pfs.patch

767,797c767,770
< if ($dh_group eq '2') {
< $genout .= '-modp1024';
< } elsif ($dh_group eq '5') {
< $genout .= '-modp1536';
< } elsif ($dh_group eq '14') {
< $genout .= '-modp2048';
< } elsif ($dh_group eq '15') {
< $genout .= '-modp3072';
< } elsif ($dh_group eq '16') {
< $genout .= '-modp4096';
< } elsif ($dh_group eq '17') {
< $genout .= '-modp6144';
< } elsif ($dh_group eq '18') {
< $genout .= '-modp8192';
< } elsif ($dh_group eq '19') {
< $genout .= '-ecp256';
< } elsif ($dh_group eq '20') {
< $genout .= '-ecp384';
< } elsif ($dh_group eq '21') {
< $genout .= '-ecp521';
< } elsif ($dh_group eq '22') {
< $genout .= '-modp1024s160';
< } elsif ($dh_group eq '23') {
< $genout .= '-modp2048s224';
< } elsif ($dh_group eq '24') {
< $genout .= '-modp2048s256';
< } elsif ($dh_group eq '25') {
< $genout .= '-ecp192';
< } elsif ($dh_group eq '26') {
< $genout .= '-ecp224';
< } elsif ($dh_group ne '') {
---
> my $cipher_out = get_dh_cipher_result($dh_group);
> if ($dh_group ne 'unknown') {
> $genout .= "-$cipher_out";
> } else {
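Review bot: The new guard tests the wrong variable: `if ($dh_group ne 'unknown')` compares the configured group value, while the 'unknown' sentinel comes back in `$cipher_out`. As written, an unrecognised or empty `$dh_group` appends `-unknown` to the proposal, and the `else` branch that the old `elsif ($dh_group ne '')` reached for unsupported values only runs if the group is literally the string `unknown`. Test the lookup result and keep the empty case silent as before, e.g. `if ($cipher_out ne 'unknown') {` followed by `} elsif ($dh_group ne '') {`. The body of that else branch lies outside the hunk, so what it reports is not visible here.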
895c868
< # Get encryption, hash
---
> # Get encryption, hash
898a872,873
> my $key_exchange = $vcVPN->returnValue("ipsec ike-group $ike_group key-exchange");
> my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
908a884,895
> if (defined($pfs)) {
> if ($pfs eq 'enable') {
> # Get the first IKE group's dh-group and use that as our PFS setting
> my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
> $pfs = get_dh_cipher_result($default_pfs);
> } elsif ($pfs eq 'disable') {
> undef $pfs;
> } else {
> $pfs = get_dh_cipher_result($pfs);
> }
> }
>
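Review bot: Nothing checks the 'unknown' sentinel after these `get_dh_cipher_result()` calls, so `enable` with no `dh-group` on proposal 1, or an unrecognised pfs value, leaves `$pfs` holding the string `unknown`. The 913a901 hunk then appends `-unknown` to the ESP proposal, and the 964 and 987 hunks have the same gap, where `pfsgroup=$pfsgroup` is written for every value other than `disable`. Since the operator asked for PFS, failing config generation with an error is safer than emitting an invalid group or silently dropping it; at minimum test `$pfs eq 'unknown'` before the value is used. `$default_pfs` may also be undef here, which would make the `eq` comparisons in the helper warn if warnings are enabled. The comment would be more accurate as `# Use the dh-group of this IKE group's proposal 1 as the PFS group`.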
913a901,903
> if (defined($pfs) && defined($key_exchange) && $key_exchange eq 'ikev2') {
> $genout .= "-$pfs";
> }
964,985c954,955
< } elsif ($pfs eq 'dh-group2') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp1024\n";
< } elsif ($pfs eq 'dh-group5') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp1536\n";
< } elsif ($pfs eq 'dh-group14') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp2048\n";
< } elsif ($pfs eq 'dh-group15') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp3072\n";
< } elsif ($pfs eq 'dh-group16') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp4096\n";
< } elsif ($pfs eq 'dh-group17') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp6144\n";
< } elsif ($pfs eq 'dh-group18') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp8192\n";
< } elsif ($pfs eq 'dh-group19') {
---
> } elsif ($pfs ne 'disable') {
> my $pfsgroup = get_dh_cipher_result($pfs);
987,1008c957
< $genout .= "\tpfsgroup=ecp256\n";
< } elsif ($pfs eq 'dh-group20') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=ecp384\n";
< } elsif ($pfs eq 'dh-group21') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=ecp521\n";
< } elsif ($pfs eq 'dh-group22') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp1024s160\n";
< } elsif ($pfs eq 'dh-group23') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp2048s224\n";
< } elsif ($pfs eq 'dh-group24') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=modp2048s256\n";
< } elsif ($pfs eq 'dh-group25') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=ecp192\n";
< } elsif ($pfs eq 'dh-group26') {
< $genout .= "\tpfs=yes\n";
< $genout .= "\tpfsgroup=ecp224\n";
---
> $genout .= "\tpfsgroup=$pfsgroup\n";
1554a1504,1542
> }
>
> sub get_dh_cipher_result {
> my ($cipher) = @_;
> my $ciph_out;
> if ($cipher eq '2' || $cipher eq 'dh-group2') {
> $ciph_out = 'modp1024';
> } elsif ($cipher eq '5' || $cipher eq 'dh-group5') {
> $ciph_out = 'modp1536';
> } elsif ($cipher eq '14' || $cipher eq 'dh-group14') {
> $ciph_out = 'modp2048';
> } elsif ($cipher eq '15' || $cipher eq 'dh-group15') {
> $ciph_out = 'modp3072';
> } elsif ($cipher eq '16' || $cipher eq 'dh-group16') {
> $ciph_out = 'modp4096';
> } elsif ($cipher eq '17' || $cipher eq 'dh-group17') {
> $ciph_out = 'modp6144';
> } elsif ($cipher eq '18' || $cipher eq 'dh-group18') {
> $ciph_out = 'modp8192';
> } elsif ($cipher eq '19' || $cipher eq 'dh-group19') {
> $ciph_out = 'ecp256';
> } elsif ($cipher eq '20' || $cipher eq 'dh-group20') {
> $ciph_out = 'ecp384';
> } elsif ($cipher eq '21' || $cipher eq 'dh-group21') {
> $ciph_out = 'ecp521';
> } elsif ($cipher eq '22' || $cipher eq 'dh-group22') {
> $ciph_out = 'modp1024s160';
> } elsif ($cipher eq '23' || $cipher eq 'dh-group23') {
> $ciph_out = 'modp2048s224';
> } elsif ($cipher eq '24' || $cipher eq 'dh-group24') {
> $ciph_out = 'modp2048s256';
> } elsif ($cipher eq '25' || $cipher eq 'dh-group25') {
> $ciph_out = 'ecp192';
> } elsif ($cipher eq '26' || $cipher eq 'dh-group26') {
> $ciph_out = 'ecp224';
> } else {
> $ciph_out = 'unknown';
> }
> return $ciph_out;
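Review bot: The sixteen-branch `elsif` chain is a lookup table written as control flow; a hash keyed on the group number, with the optional `dh-group` prefix stripped first, is shorter and keeps the mapping in one place. An undefined `$cipher` currently reaches the `eq` tests and warns if warnings are enabled, so the rewrite below returns 'unknown' for it up front. A comment noting that groups 2, 5 and 22-24 are kept for interoperability only would also help, as RFC 8247 marks them SHOULD NOT or MUST NOT for IKEv2. The sub's closing brace is outside the hunk.

```perl
sub get_dh_cipher_result {
    my ($cipher) = @_;

    # DH group number => proposal keyword written into the generated config.
    my %keyword_for = (
        2  => 'modp1024',     5  => 'modp1536',     14 => 'modp2048',
        15 => 'modp3072',     16 => 'modp4096',     17 => 'modp6144',
        18 => 'modp8192',     19 => 'ecp256',       20 => 'ecp384',
        21 => 'ecp521',       22 => 'modp1024s160', 23 => 'modp2048s224',
        24 => 'modp2048s256', 25 => 'ecp192',       26 => 'ecp224',
    );

    return 'unknown' if !defined $cipher;

    # Accept both the bare number ('14') and the CLI form ('dh-group14').
    (my $group = $cipher) =~ s/\Adh-group//;
    return exists $keyword_for{$group} ? $keyword_for{$group} : 'unknown';
```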
