From 8331483306052d340a25cd9dec1db302b90372b3 Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Thu, 19 Jul 2012 15:08:56 -0700
Subject: [PATCH] CS-15511: Not allow pfs parameter for customer VPN gateway
---
 utils/src/com/cloud/utils/net/NetUtils.java | 19 +++++++++++++------
 .../com/cloud/utils/net/NetUtilsTest.java | 6 +++---
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/utils/src/com/cloud/utils/net/NetUtils.java b/utils/src/com/cloud/utils/net/NetUtils.java
index a19dc85355c..97f6cd29258 100755
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@@ -1097,25 +1097,32 @@ public class NetUtils {
 if (policy.isEmpty()) {
 return false;
 }
- String cipherHash = policy.split(";")[0];
+ //String cipherHash = policy.split(";")[0];
+ String cipherHash = policy;
 if (cipherHash.isEmpty()) {
 return false;
 }
- String pfsGroup = null;
- if (!policy.equals(cipherHash)) {
- pfsGroup = policy.split(";")[1];
+ String[] list = cipherHash.split("-");
+ if (list.length != 2) {
+ return false;
 }
- String cipher = cipherHash.split("-")[0];
- String hash = cipherHash.split("-")[1];
+ String cipher = list[0];
+ String hash = list[1];
 if (!cipher.matches("des|3des|aes|aes128|aes256")) {
 return false;
 }
 if (!hash.matches("md5|sha1")) {
 return false;
 }
+ /* Disable pfsGroup support, see CS-15511
+ String pfsGroup = null;
+ if (!policy.equals(cipherHash)) {
+ pfsGroup = policy.split(";")[1];
+ }
 if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
 return false;
 }
+ */
 }
 return true;
 }
diff --git a/utils/test/com/cloud/utils/net/NetUtilsTest.java b/utils/test/com/cloud/utils/net/NetUtilsTest.java
index e73e08f4ef6..f25215a4d42 100644
--- a/utils/test/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/test/com/cloud/utils/net/NetUtilsTest.java
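Review bot: The new `list.length != 2` guard relies on `String.split("-")` discarding trailing empty tokens, so a policy such as `aes-sha1-` still splits into two elements and passes the allow-list; `String[] list = cipherHash.split("-", -1);` keeps the empty token and rejects it. The `;modp…` PFS suffix is now rejected only as a side effect of `hash.matches("md5|sha1")` failing on a token like `sha1;modp1024`, which is worth stating where a reader will look for it, e.g. `// PFS group suffix (";modp…") is not accepted, see CS-15511` above the split, since this allow-list is what stands between the caller-supplied string and wherever the gateway consumes it (not visible in this hunk). With `cipherHash` now aliasing `policy`, the `cipherHash.isEmpty()` check duplicates the `policy.isEmpty()` check three lines above and can be dropped. The commented-out `//String cipherHash = policy.split(";")[0];` line and the `/* Disable pfsGroup support … */` block are dead code that version history already preserves; the one-line comment referencing CS-15511 carries the same information. The enclosing method begins before this hunk (the test hunk calls it as `isValidS2SVpnPolicy`), so the loop that yields `policy` cannot be checked here.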
@@ -51,9 +51,9 @@ public class NetUtilsTest extends TestCase {
 public void testVpnPolicy() {
 assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));