python: T8859: validate min_keysize once in verify_diffie_hellman_length

[andamasov]

Tracked in Phorge T8859.

Defect

verify_diffie_hellman_length(file, min_keysize) in python/vyos/configverify.py wraps str(min_keysize) in try/except, but:

1. The later int(min_keysize) call on the comparison line can still raise ValueError for non-numeric inputs (e.g. 'abc'), surfacing as an unhandled exception instead of returning False as the function intends.
2. The local keysize variable was computed but never used — the function only consumes min_keysize afterward.

Fix

Convert min_keysize once inside try/except (TypeError, ValueError), store as min_keysize_int, and reuse for the bits comparison. Unused keysize variable dropped.

Behavior change

None for valid integer / integer-string inputs (the common case from callers in src/conf_mode/vpn_ipsec.py and similar). The only observable change is that a non-numeric min_keysize now correctly returns False instead of propagating ValueError.

Provenance

Found by Copilot during review of vyos/vyos-1x#5074 — the configverify changes were dropped from that PR per dmbaturin's scope narrowing. This defect is independent of the broader configverify redesign concerns (MTU helpers taking defaults as args) and can be fixed in isolation.

Test plan

• CLI smoketests pass (vpn_ipsec, vpn_openconnect and any others calling verify_diffie_hellman_length).
• Manual: pass a non-numeric min_keysize and verify the function returns False instead of raising.
• Manual: pass a valid integer min_keysize against a known-good DH file and verify return is True when bits ≥ keysize.

🤖 Generated by robots

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 93d61983-b3f3-4bcd-b8d6-f3877282a63b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/T8859-dh-keysize-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

✅ No typos found in changed files.

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests 👍 passed
• CLI Smoketests (interfaces only) ❌ failed
• Config tests 👍 passed
• RAID1 tests 👍 passed
• CLI Smoketests VPP ❌ failed
• Config tests VPP 👍 passed
• TPM tests 👍 passed

[dmbaturin]

I agree validation could be better here but I don't think this solution is the best one.

One note: this function is not actually used in any real scripts. Its only callers are unit tests for this very function (https://github.com/vyos/vyos-1x/blob/current/src/tests/test_configverify.py#L25-L31). Which means we can change it freely however we want, since we only need to update two tests for that.

If we are to change it, I believe it should be like this:

• Its signature should be def verify_diffie_hellman_length(file: str, min_keysize: int):—calling it with an argument that makes no sense is a logic problem in a script.
• It should throw a TypeError if min_keysize is not an integer at all.
• It should also throw a ValueError if min_keysize is not a positive integer (because key size of -512 makes no more sense than fgsfds).