[server] GPG_ALLOW_NO_PW + no KEY bug fix

Bug fix to allow GPG_ALLOW_NO_PW to result in not also having to specify a Rijndael key.
2012-10-02 23:20:47 -04:00 · 2012-10-02 23:20:47 -04:00 · 1828f51b90
commit 1828f51b90
parent 2aff47c7a2
4 changed files with 11 additions and 2 deletions
--- a/2
+++ b/2
@ -11,6 +11,8 @@ fwknop-2.0.4 (09/20/2012):
      also added to the test suite.
    - (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
      been checked in under extras/openbsd/.
+    - [server] Bug fix to allow GPG_ALLOW_NO_PW to result in not also having
+      to specify a Rijndael key.

 fwknop-2.0.3 (09/03/2012):
    - [server] Fernando Arnaboldi from IOActive found several DoS/code
--- a/server/access.c
+++ b/server/access.c
@ -806,7 +806,8 @@ static int
 acc_data_is_valid(const acc_stanza_t *acc)
 {
    if(((acc->key == NULL || !strlen(acc->key))
-      && (acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw)))
+      && ((acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw))
+          && acc->gpg_allow_no_pw == 0))
      || (acc->use_rijndael == 0 && acc->use_gpg == 0 && acc->gpg_allow_no_pw == 0))
    {
        fprintf(stderr,
--- a/test/conf/gpg_no_pw_access.conf
+++ b/test/conf/gpg_no_pw_access.conf
@ -1,5 +1,4 @@
 SOURCE: ANY;
-KEY: fwknoptest;
 FW_ACCESS_TIMEOUT:  3;
 GPG_HOME_DIR: conf/server-gpg-no-pw;
 GPG_DECRYPT_ID: 361BBAD4;
--- a/todo.org
+++ b/todo.org
@ -34,6 +34,10 @@
 *** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
    :CLOSED: <2012-08-12 Sun>
    Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
+*** [server] access.c parsing: allow no KEY variable if GPG keys are used.
+    :CLOSED: <2012-10-02 Tue>
+    The access.c parsing code currently throws an error if there is not KEY
+    variable in an access stanza even if GPG_ALLOW_NO_PW is set.
 ** Add 'enable' to ipfw active set at init time
   Currently fwknopd does not do a check to ensure that the active set is
   enabled at init time ('ipfw set enable 1').
@ -76,3 +80,6 @@
 ** [test suite] client/server only tests
   When only the client or server is being installed on a system, the test
   suite should be able to run only the relevant tests.
+** [server] Add access variable to require particular IP's even when REQUIRE_SOURCE is used
+   The SOURCE variable only applies to the IP header.  Add analogous filtering
+   for the allow IP that is encrypted within an SPA payload.