From c2250fecf71de30cb53ed1be8270dda8078677b3 Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Thu, 2 Aug 2012 18:24:59 -0700
Subject: [PATCH] S2S VPN: CS-15511: Add PFS support for VPN connection
---
 .../debian/config/opt/cloud/bin/ipsectunnel.sh | 8 +++++++-
 utils/src/com/cloud/utils/net/NetUtils.java | 7 ++-----
 utils/test/com/cloud/utils/net/NetUtilsTest.java | 10 +++++-----
 3 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 74d31191804..1bc20025d8c 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -141,7 +141,7 @@ ipsec_tunnel_add() {
 sudo echo " ikelifetime=${ikelifetime}s" >> $vpnconffile &&
 sudo echo " esp=$esppolicy" >> $vpnconffile &&
 sudo echo " salifetime=${esplifetime}s" >> $vpnconffile &&
- sudo echo " pfs=no" >> $vpnconffile &&
+ sudo echo " pfs=$pfs" >> $vpnconffile &&
 sudo echo " keyingtries=3" >> $vpnconffile &&
 sudo echo " auto=add" >> $vpnconffile &&
 sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
@@ -258,6 +258,12 @@ do
 done < /tmp/iflist
 rightnets=${rightnets//,/ }
+pfs="no"
+echo "$esppolicy" | grep "modp" > /dev/null
+if [ $? -eq 0 ]
+then
+ pfs="yes"
+fi
 ret=0
 #Firewall ports for one-to-one/static NAT
diff --git a/utils/src/com/cloud/utils/net/NetUtils.java b/utils/src/com/cloud/utils/net/NetUtils.java
index 65ec6aebb2f..bbc4f54ff67 100755
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@@ -1109,8 +1109,7 @@ public class NetUtils {
 if (policy.isEmpty()) {
 return false;
 }
- //String cipherHash = policy.split(";")[0];
- String cipherHash = policy;
+ String cipherHash = policy.split(";")[0];
 if (cipherHash.isEmpty()) {
 return false;
 }
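Review bot: In the second ipsectunnel.sh hunk `pfs` is switched on by a bare substring test, `echo "$esppolicy" | grep "modp"`, so any `modp` anywhere in `$esppolicy` enables PFS, not only a DH group in the `;`-separated field that the NetUtils validator checks; the shell side and the Java side can therefore disagree about the same policy string. The `$?` test can be collapsed to `if echo "$esppolicy" | grep -q modp; then pfs="yes"; fi`. Because `ipsec_tunnel_add` in the first hunk reads `$pfs`, this assignment must run before that function is called, which is worth stating: `# pfs=yes when any ESP proposal names a DH group (modp*); must be set before ipsec_tunnel_add runs`. The first hunk sits inside `ipsec_tunnel_add`, whose body begins and ends outside the hunk.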
@@ -1126,15 +1125,13 @@ public class NetUtils {
 if (!hash.matches("md5|sha1")) {
 return false;
 }
- /* Disable pfsGroup support, see CS-15511
 String pfsGroup = null;
 if (!policy.equals(cipherHash)) {
 pfsGroup = policy.split(";")[1];
 }
- if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
+ if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536|")) {
 return false;
 }
- */
 }
 return true;
 }
diff --git a/utils/test/com/cloud/utils/net/NetUtilsTest.java b/utils/test/com/cloud/utils/net/NetUtilsTest.java
index 06fc1769675..227f0112ae3 100644
--- a/utils/test/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/test/com/cloud/utils/net/NetUtilsTest.java
@@ -50,12 +50,12 @@ public class NetUtilsTest extends TestCase {
 }
 public void testVpnPolicy() {
- assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("aes128-sha1"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes256-sha1"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("3des-md5;modp1024"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes128-sha1;modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes128-sha1;modp1536"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("des-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));
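Review bot: The trailing `|` added to the regex on the changed `matches` line makes it accept an empty PFS group, so a policy such as `3des-sha1;;modp1024` (whose second `;`-separated element is the empty string) appears to pass validation, while a policy that merely ends in `;` (e.g. `3des-sha1;`) never reaches that line: Java's `split(";")` drops trailing empty strings, `policy.equals(cipherHash)` is false, and `policy.split(";")[1]` throws ArrayIndexOutOfBoundsException instead of returning false. Keep the allow-list strict and guard the index instead: `String[] parts = policy.split(";");`, `String pfsGroup = parts.length > 1 ? parts[1] : null;`, `if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {`. Any element after the second (`3des-sha1;modp1024;extra`) is silently ignored by this code; rejecting `parts.length > 2` would make the validator's accepted grammar explicit. The enclosing method begins before this hunk, and the same `split(";")` is already computed for `cipherHash` in the previous hunk, so the split array could be shared rather than recomputed.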
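Review bot: None of the new test cases exercises a rejected PFS group: the only `assertFalse` that carries `modp` groups (`des-md5;modp1024,aes128-sha1;modp1536`) is rejected on `des`, so the `modp1024|modp1536` allow-list, an empty group, and a trailing `;` all go untested in `testVpnPolicy`. Add `assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1;modp2048"));`, `assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1;;modp1024"));` and `assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1;"));`. As the validator stands in the NetUtils hunk, the second of these looks likely to pass validation and the third to throw from `split(";")[1]`, so these assertions pin the intended contract rather than current behavior. A `null` input is also unexercised; whether it should return false or throw is worth deciding and asserting.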