
Python KeyError exceptions raised with 'show vpn ipsec sa' command under use of certain IPSEC cipher suites
Closed, Resolved · Public · BUG

Description

When using the show vpn ipsec sa command, the Python script behind it will error with KeyError exceptions when the following conditions are true.

  • Suites containing GCM or CHACHA20_POLY1305 are used.

Circumstances here mean that a lookup for the integ-alg key fails, as it is not present in the object's dictionary keys.

  • Suites containing CHACHA20_POLY1305 are used.

Circumstances here mean that a lookup for the encr-keysize key fails, as it is not present in the object's dictionary keys.

This issue can be mitigated by performing simple checks similar to the dh-group checks and formatting the output string appropriately on the response.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2-rolling
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
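
The check proposed in the description, sketched as an added example; it is not the VyOS script and not the code from the pull request. The function names, the output layout and the sample SA dictionaries are assumptions constructed for illustration, with values given as bytes the way the vici Python bindings return them.

```python
# Added example, not VyOS code. Sample SA dictionaries are constructed.

def to_text(value):
    """vici values arrive as bytes; accept str as well."""
    return value.decode() if isinstance(value, bytes) else str(value)


def naive_proposal(sa):
    """Direct indexing: the pattern that raises KeyError on AEAD suites."""
    keys = ("encr-alg", "encr-keysize", "integ-alg")
    return "/".join(to_text(sa[k]) for k in keys)


def format_proposal(sa):
    """Build the display string, treating every optional key as optional.

    AEAD suites (GCM, CHACHA20_POLY1305) have no separate integrity
    algorithm, so 'integ-alg' is absent; CHACHA20_POLY1305 also reports no
    'encr-keysize'. 'dh-group' is optional too, as the existing check shows.
    """
    encr = to_text(sa.get("encr-alg", b"n/a"))
    if "encr-keysize" in sa:
        encr += "_" + to_text(sa["encr-keysize"])
    parts = [encr]
    for key in ("integ-alg", "dh-group"):
        if key in sa:
            parts.append(to_text(sa[key]))
    return "/".join(parts)


# Constructed samples: one classic suite and the two failing cases.
SAMPLE_SAS = {
    "cbc": {"encr-alg": b"AES_CBC", "encr-keysize": b"256",
            "integ-alg": b"HMAC_SHA2_256_128", "dh-group": b"MODP_2048"},
    "gcm": {"encr-alg": b"AES_GCM_16", "encr-keysize": b"256"},
    "chacha": {"encr-alg": b"CHACHA20_POLY1305"},
}

if __name__ == "__main__":
    for name, sa in SAMPLE_SAS.items():
        try:
            naive = naive_proposal(sa)
        except KeyError as exc:
            naive = f"KeyError: {exc}"
        print(f"{name:7} naive={naive!s:45} safe={format_proposal(sa)}")
```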

Event Timeline

Pull request raised for review with effective fix proposed.
https://github.com/vyos/vyos-1x/pull/147

syncer changed the task status from Open to Backport candidate. Nov 16 2019, 10:57 PM
syncer assigned this task to jestabro.
syncer triaged this task as Normal priority.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

This is dependent on T1260, which will need to be backported.

erkin renamed this task from Python KeyError exceptions raised with 'show vpn ipsec sa' command under use of certain IPSEC cipher suites. to Python KeyError exceptions raised with 'show vpn ipsec sa' command under use of certain IPSEC cipher suites. Aug 31 2021, 6:29 PM
erkin set Issue type to Bug (incorrect behavior).