
Python KeyError exceptions raised with 'show vpn ipsec sa' command under use of certain IPSEC cipher suites.
Closed, Resolved | Public | BUG

Description

When using the show vpn ipsec sa command, the Python script behind it will error with KeyError exceptions when the following conditions are true.

  • Suites containing GCM or CHACHA20_POLY1305 are used.

Circumstances here mean that a lookup for the integ-alg key fails, as it is not present in the object's dictionary keys.

  • Suites containing CHACHA20_POLY1305 are used.

Circumstances here mean that a lookup for the encr-keysize key fails, as it is not present in the object's dictionary keys.

This issue can be mitigated by performing simple checks similar to the dh-group checks and formatting the output string appropriately on the response.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2-rolling
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
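
The failure mode and the kind of presence check the description proposes, as an added example (not the code from the pull request or from VyOS). The function names, the "encr-alg" key, the bytes-valued fields and the sample SA dictionaries are assumptions constructed for illustration; only integ-alg, encr-keysize and dh-group come from the report.

```python
# Added example, not VyOS code. Key names follow the report; "encr-alg" and
# the bytes-valued fields are assumptions about a vici-style response.

def naive_proposal(child_sa):
    """Direct indexing: raises KeyError when a suite omits a field."""
    return "{}_{}/{}".format(
        child_sa["encr-alg"].decode(),
        child_sa["encr-keysize"].decode(),
        child_sa["integ-alg"].decode(),
    )


def field(child_sa, key):
    """Return the decoded value for key, or None when the key is absent."""
    value = child_sa.get(key)
    if value is None:
        return None
    return value.decode() if isinstance(value, bytes) else str(value)


def format_proposal(child_sa):
    """Build ENCR[_KEYSIZE][/INTEG][/DHGROUP], skipping absent fields."""
    proposal = field(child_sa, "encr-alg") or "unknown"
    key_size = field(child_sa, "encr-keysize")
    if key_size:
        proposal += "_" + key_size
    for key in ("integ-alg", "dh-group"):
        part = field(child_sa, key)
        if part:
            proposal += "/" + part
    return proposal


# Constructed sample child SAs, one per case in the report.
SAMPLE_SAS = {
    "cbc-hmac": {"encr-alg": b"AES_CBC", "encr-keysize": b"256",
                 "integ-alg": b"HMAC_SHA2_256_128", "dh-group": b"MODP_2048"},
    "gcm": {"encr-alg": b"AES_GCM_16", "encr-keysize": b"256"},
    "chacha": {"encr-alg": b"CHACHA20_POLY1305", "dh-group": b"CURVE_25519"},
}

if __name__ == "__main__":
    for name, sa in SAMPLE_SAS.items():
        try:
            naive = naive_proposal(sa)
        except KeyError as exc:
            naive = "KeyError: {}".format(exc)
        print("{:9} naive={!s:40} checked={}".format(name, naive, format_proposal(sa)))
```
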

Event Timeline

jdmac87 created this task. Oct 21 2019, 5:15 PM

Pull request raised for review with effective fix proposed.
https://github.com/vyos/vyos-1x/pull/147

pasik added a subscriber: pasik. Oct 27 2019, 5:41 PM
syncer changed the task status from Open to Backport candidate. Nov 16 2019, 10:57 PM
syncer assigned this task to jestabro.
syncer triaged this task as Normal priority.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

This is dependent on T1260, which will need to be backported.

jestabro closed this task as Resolved. Wed, Jan 29, 8:54 PM