Added a no-digest-cache configure option and capability (though it is not recommended).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@313 510a4753-2344-4c79-9c09-4d669213fbeb
2011-03-27 02:38:41 +00:00 · 2011-03-27 02:38:41 +00:00 · 39e7412bb8
commit 39e7412bb8
parent 03361fea74
2 changed files with 66 additions and 24 deletions
--- a/configure.ac
+++ b/configure.ac
@ -59,6 +59,16 @@ AC_ARG_ENABLE([server],
  [])
 AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes])

+dnl Decide whether or not to enable the digest-cache
+dnl
+want_digest_cache=yes
+AC_ARG_ENABLE([digest-cache],
+  [AS_HELP_STRING([--disable-digest-cache],
+    [Do not enable the fwknopd digest-cache @<:@default is to build@:>@])],
+  [want_digest_cache=$enableval],
+  [])
+dnl AM_CONDITIONAL([WANT_DIGEST_CACHE], [test "$want_digest_cache" = yes])
+
 AC_GNU_SOURCE

 AC_PROG_CC
@ -174,32 +184,44 @@ AS_IF([test "x$GPG_EXE" != x],
 dnl Check for libpcap, gdbm (or ndbm) if we are building the server component
 dnl
 AS_IF([test "$want_server" = yes], [
-  use_ndbm=no
-  # Looking for libpcap
-  #
-  AC_CHECK_LIB([pcap],[pcap_open_live],
-    [ AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]) ],
-    [ AC_MSG_ERROR([fwknopd needs libpcap])]
-  )
+    # Looking for libpcap
+    #
+    AC_CHECK_LIB([pcap],[pcap_open_live],
+      [ AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]) ],
+      [ AC_MSG_ERROR([fwknopd needs libpcap])]
+    )

-  # Looking for gdbm or fallback to ndbm or bail
-  #
-  AC_CHECK_LIB([gdbm],[gdbm_open],
-    [ AC_DEFINE([HAVE_LIBGDBM], [1], [Define if you have libgdbm]) ],
-    [ AC_CHECK_LIB([ndbm],[dbm_open],
+  AS_IF([test "$want_digest_cache" = yes], [
+    use_ndbm=no
+    have_digest_cache=yes
+
+    # Looking for gdbm or fallback to ndbm or bail
+    #
+    AC_CHECK_LIB([gdbm],[gdbm_open],
        [
-            AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])
-            use_ndbm=yes
+            AC_DEFINE([HAVE_LIBGDBM], [1], [Define if you have libgdbm])
        ],
-        [ AC_CHECK_HEADER([ndbm.h],
-            [ AC_CHECK_FUNC([dbm_open],
-                [
-                    AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])
-                ],
-                [ AC_MSG_ERROR([fwknopd needs either gdbm or ndbm])]
+        [ AC_CHECK_LIB([ndbm],[dbm_open],
+            [
+                AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])
+                use_ndbm=yes
+            ],
+            [ AC_CHECK_HEADER([ndbm.h],
+                [ AC_CHECK_FUNC([dbm_open],
+                    [ AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])],
+                    [
+                        AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection.])
+                        AC_MSG_WARN([No DBM implementation found. Replay detection will be disabled.])
+                        have_digest_cache=no
+                    ]
+                )]
            )]
        )]
-    )]
+    )],
+    [
+        AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection.])
+        have_digest_cache=no
+    ]
  )

  AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes])
@ -302,7 +324,7 @@ AC_CONFIG_FILES([Makefile

 AC_OUTPUT

-if [test $have_gpgme = "yes" ]; then
+if [test "$have_gpgme" = "yes" ]; then
    have_gpgme="$have_gpgme
                  Gpgme engine:     $GPG_EXE"
 fi
@ -316,10 +338,16 @@ echo "

        Installation prefix:        $prefix
 "
-if [test $want_server = "yes" ]; then
+if [test "$want_server" = "yes" ]; then
  echo "    Server support:
        firewall type:              $FIREWALL_TYPE
        firewall program path:      $FIREWALL_EXE
 "
-fi

+    if [test "$want_digest_cache" = "no" ]; then
+        echo "    *WARNING*
+        The digest-cache functionality is not enabled.  This
+        could leave the fwknopd server open to replay attacks!
+"
+    fi
+fi
--- a/server/replay_dbm.c
+++ b/server/replay_dbm.c
@ -76,6 +76,9 @@
 static void
 rotate_digest_cache_file(fko_srv_options_t *opts)
 {
+#ifdef NO_DIGEST_CACHE
+    log_msg(LOG_WARNING, "Digest cache not supported. Nothing to rotate.");
+#else
    int         res;
    char       *new_file = NULL;

@ -100,6 +103,7 @@ rotate_digest_cache_file(fko_srv_options_t *opts)
        log_msg(LOG_ERR, "Unable to rename digest file: %s to %s: %s",
            opts->config[CONF_DIGEST_FILE], new_file, strerror(errno)
        );
+#endif /* NO_DIGEST_CACHE */
 }

 /* Check for the existence of the replay dbm file, and create it if it does
@ -108,6 +112,10 @@ rotate_digest_cache_file(fko_srv_options_t *opts)
 int
 replay_db_init(fko_srv_options_t *opts)
 {
+#ifdef NO_DIGEST_CACHE
+    return 0;
+#else
+
 #ifdef HAVE_LIBGDBM
    GDBM_FILE   rpdb;
 #elif HAVE_LIBNDBM
@ -161,6 +169,7 @@ replay_db_init(fko_srv_options_t *opts)
    MY_DBM_CLOSE(rpdb);

    return(db_count);
+#endif /* NO_DIGEST_CACHE */
 }

 /* Take an fko context, pull the digest and use it as the key to check the
@ -170,6 +179,10 @@ replay_db_init(fko_srv_options_t *opts)
 int
 replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
 {
+#ifdef NO_DIGEST_CACHE
+    return 0;
+#else
+
 #ifdef HAVE_LIBGDBM
    GDBM_FILE   rpdb;
 #elif HAVE_LIBNDBM
@ -305,6 +318,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
    MY_DBM_CLOSE(rpdb);

    return(res);
+#endif /* NO_DIGEST_CACHE */
 }

 /***EOF***/