CS-15511: Not allow pfs parameter for customer VPN gateway

2012-07-19 15:08:56 -07:00 · 2012-07-19 15:08:56 -07:00 · 8331483306
parent ce536daffa
commit 8331483306
2 changed files with 16 additions and 9 deletions
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@ -1097,25 +1097,32 @@ public class NetUtils {
            if (policy.isEmpty()) {
                return false;
            }
-            String cipherHash = policy.split(";")[0];
+            //String cipherHash = policy.split(";")[0];
+            String cipherHash = policy;
            if (cipherHash.isEmpty()) {
                return false;
            }
-            String pfsGroup = null;
-            if (!policy.equals(cipherHash)) {
-                pfsGroup = policy.split(";")[1];
+            String[] list = cipherHash.split("-");
+            if (list.length != 2) {
+                return false;
            }
-            String cipher = cipherHash.split("-")[0];
-            String hash = cipherHash.split("-")[1];
+            String cipher = list[0];
+            String hash = list[1];
            if (!cipher.matches("des|3des|aes|aes128|aes256")) {
                return false;
            }
            if (!hash.matches("md5|sha1")) {
                return false;
            }
+            /*  Disable pfsGroup support, see CS-15511
+            String pfsGroup = null;
+            if (!policy.equals(cipherHash)) {
+                pfsGroup = policy.split(";")[1];
+            }
            if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
                return false;
            }
+            */
        }
        return true;
    }
--- a/utils/test/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/test/com/cloud/utils/net/NetUtilsTest.java
@ -51,9 +51,9 @@ public class NetUtilsTest extends TestCase {
    
    public void testVpnPolicy() {
        assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1"));
-        assertTrue(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
-        assertTrue(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
-        assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
+        assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
+        assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
+        assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
        assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1"));
        assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
        assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));