Commit

Fixes #14499: Relax requirements for encryption/auth algorithms on IKE & IPSec proposals
jeremystretch committed Dec 19, 2023
1 parent 96878cf commit b794bd6
Showing 4 changed files with 24 additions and 7 deletions.
2 changes: 1 addition & 1 deletion docs/models/vpn/ikeproposal.md
@@ -28,7 +28,7 @@ The protocol employed for data encryption. Options include DES, 3DES, and variou

### Authentication Algorithm

The mechanism employed to ensure data integrity. Options include MD5 and SHA HMAC implementations.
The mechanism employed to ensure data integrity. Options include MD5 and SHA HMAC implementations. Specifying an authentication algorithm is optional, as some encryption algorithms (e.g. AES-GCM) provide authentication natively.

### Group
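
Review bot: the sentence added under Authentication Algorithm says the field is optional but not when leaving it empty is appropriate. The Encryption Algorithm text just above lists DES and 3DES, which do not authenticate on their own, so a reader could take "optional" to apply to any cipher. Suggest tightening it to something like "May be left empty only when the selected encryption algorithm provides authentication natively (e.g. AES-GCM)."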

6 changes: 6 additions & 0 deletions docs/models/vpn/ipsecproposal.md
@@ -12,10 +12,16 @@ The unique user-assigned name for the proposal.

The protocol employed for data encryption. Options include DES, 3DES, and various flavors of AES.

!!! note
If an encryption algorithm is not specified, an authentication algorithm must be specified.

### Authentication Algorithm

The mechanism employed to ensure data integrity. Options include MD5 and SHA HMAC implementations.

!!! note
If an authentication algorithm is not specified, an encryption algorithm must be specified.

### SA Lifetime (Seconds)

The maximum amount of time for which the security association (SA) may be active, in seconds.
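
Review bot: the two `!!! note` blocks added under Encryption Algorithm and Authentication Algorithm state the either/or rule but, unlike the sentence added to ikeproposal.md in this commit, give no reason for leaving one field empty. A line in each saying what the omission means (no authentication algorithm when the cipher authenticates natively, e.g. AES-GCM; no encryption algorithm means the traffic is integrity-protected but not confidential) would keep a reader from treating both fields as freely optional.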
6 changes: 3 additions & 3 deletions netbox/vpn/migrations/0001_initial.py
@@ -29,7 +29,7 @@ class Migration(migrations.Migration):
('name', models.CharField(max_length=100, unique=True)),
('authentication_method', models.CharField()),
('encryption_algorithm', models.CharField()),
('authentication_algorithm', models.CharField()),
('authentication_algorithm', models.CharField(blank=True)),
('group', models.PositiveSmallIntegerField()),
('sa_lifetime', models.PositiveIntegerField(blank=True, null=True)),
('tags', taggit.managers.TaggableManager(through='extras.TaggedItem', to='extras.Tag')),
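
Review bot: `authentication_algorithm` gets `blank=True` by editing `0001_initial.py` in place rather than through a new migration. That works because `blank` is validation-only and leaves the column unchanged, but nothing in the commit says so. A sentence in the commit message or a comment stating that the in-place edit is deliberate and has no schema effect would help anyone who has already applied 0001.
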
@@ -82,8 +82,8 @@ class Migration(migrations.Migration):
('description', models.CharField(blank=True, max_length=200)),
('comments', models.TextField(blank=True)),
('name', models.CharField(max_length=100, unique=True)),
('encryption_algorithm', models.CharField()),
('authentication_algorithm', models.CharField()),
('encryption_algorithm', models.CharField(blank=True)),
('authentication_algorithm', models.CharField(blank=True)),
('sa_lifetime_seconds', models.PositiveIntegerField(blank=True, null=True)),
('sa_lifetime_data', models.PositiveIntegerField(blank=True, null=True)),
('tags', taggit.managers.TaggableManager(through='extras.TaggedItem', to='extras.Tag')),
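
Review bot: with both `encryption_algorithm` and `authentication_algorithm` now `blank=True` on this model, the database accepts a row where both are empty. The only guard is the `clean()` added in crypto.py, and Django does not call `clean()` from `save()`, `bulk_create()` or `update()`. If the either/or rule is meant to be an invariant, consider backing it with a `CheckConstraint` in a follow-up migration.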
17 changes: 14 additions & 3 deletions netbox/vpn/models/crypto.py
@@ -1,3 +1,4 @@
from django.core.exceptions import ValidationError
from django.db import models
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
@@ -34,7 +35,8 @@ class IKEProposal(PrimaryModel):
)
authentication_algorithm = models.CharField(
verbose_name=_('authentication algorithm'),
choices=AuthenticationAlgorithmChoices
choices=AuthenticationAlgorithmChoices,
blank=True
)
group = models.PositiveSmallIntegerField(
verbose_name=_('group'),
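
Review bot: `blank=True` on `IKEProposal.authentication_algorithm` is not paired with any validation, while `IPSecProposal` gets a `clean()` in the same file. As written, an IKE proposal with an empty authentication algorithm is accepted for every encryption choice, although the docs change justifies the relaxation only for ciphers that authenticate natively (e.g. AES-GCM). Consider a `clean()` on `IKEProposal` that allows the empty value only for those choices, or a comment explaining why that decision is left to the user.
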
@@ -120,11 +122,13 @@ class IPSecProposal(PrimaryModel):
)
encryption_algorithm = models.CharField(
verbose_name=_('encryption'),
choices=EncryptionAlgorithmChoices
choices=EncryptionAlgorithmChoices,
blank=True
)
authentication_algorithm = models.CharField(
verbose_name=_('authentication'),
choices=AuthenticationAlgorithmChoices
choices=AuthenticationAlgorithmChoices,
blank=True
)
sa_lifetime_seconds = models.PositiveIntegerField(
verbose_name=_('SA lifetime (seconds)'),
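
Review bot: style point on the two field definitions: `blank=True` is added as the last keyword argument without a trailing comma, which is why this change also had to touch each `choices=` line just to append one. Ending with `blank=True,` keeps the next added argument to a one-line diff.
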
@@ -154,6 +158,13 @@ def __str__(self):
def get_absolute_url(self):
return reverse('vpn:ipsecproposal', args=[self.pk])

def clean(self):
super().clean()

# Encryption and/or authentication algorithm must be defined
if not self.encryption_algorithm and not self.authentication_algorithm:
raise ValidationError(_("Encryption and/or authentication algorithm must be defined"))


class IPSecPolicy(PrimaryModel):
name = models.CharField(
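
Review bot: the `clean()` added to `IPSecProposal` comes without a test; the four files in this commit are two docs pages, the migration and crypto.py. A test that `full_clean()` raises `ValidationError` when both algorithms are empty, and passes when either one is set, would pin the rule down. Minor: the comment above the `if` repeats the error string word for word and can be dropped.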