Added a no-digest-cache configure option and capability (though it is not recommended).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@313 510a4753-2344-4c79-9c09-4d669213fbeb
Damien Stuart 2011-03-27 02:38:41 +00:00
parent 03361fea74
commit 39e7412bb8
2 changed files with 66 additions and 24 deletions


@ -59,6 +59,16 @@ AC_ARG_ENABLE([server],
[]) [])
AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes]) AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes])
dnl Decide whether or not to enable the digest-cache
dnl
want_digest_cache=yes
AC_ARG_ENABLE([digest-cache],
[AS_HELP_STRING([--disable-digest-cache],
[Do not enable the fwknopd digest-cache @<:@default is to build@:>@])],
[want_digest_cache=$enableval],
[])
dnl AM_CONDITIONAL([WANT_DIGEST_CACHE], [test "$want_digest_cache" = yes])
AC_GNU_SOURCE AC_GNU_SOURCE
AC_PROG_CC AC_PROG_CC
@ -174,32 +184,44 @@ AS_IF([test "x$GPG_EXE" != x],
dnl Check for libpcap, gdbm (or ndbm) if we are building the server component dnl Check for libpcap, gdbm (or ndbm) if we are building the server component
dnl dnl
AS_IF([test "$want_server" = yes], [ AS_IF([test "$want_server" = yes], [
use_ndbm=no # Looking for libpcap
# Looking for libpcap #
# AC_CHECK_LIB([pcap],[pcap_open_live],
AC_CHECK_LIB([pcap],[pcap_open_live], [ AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]) ],
[ AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]) ], [ AC_MSG_ERROR([fwknopd needs libpcap])]
[ AC_MSG_ERROR([fwknopd needs libpcap])] )
)
# Looking for gdbm or fallback to ndbm or bail AS_IF([test "$want_digest_cache" = yes], [
# use_ndbm=no
AC_CHECK_LIB([gdbm],[gdbm_open], have_digest_cache=yes
[ AC_DEFINE([HAVE_LIBGDBM], [1], [Define if you have libgdbm]) ],
[ AC_CHECK_LIB([ndbm],[dbm_open], # Looking for gdbm or fallback to ndbm or bail
#
AC_CHECK_LIB([gdbm],[gdbm_open],
[ [
AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm]) AC_DEFINE([HAVE_LIBGDBM], [1], [Define if you have libgdbm])
use_ndbm=yes
], ],
[ AC_CHECK_HEADER([ndbm.h], [ AC_CHECK_LIB([ndbm],[dbm_open],
[ AC_CHECK_FUNC([dbm_open], [
[ AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])
AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm]) use_ndbm=yes
], ],
[ AC_MSG_ERROR([fwknopd needs either gdbm or ndbm])] [ AC_CHECK_HEADER([ndbm.h],
[ AC_CHECK_FUNC([dbm_open],
[ AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])],
[
AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection.])
AC_MSG_WARN([No DBM implementation found. Replay detection will be disabled.])
have_digest_cache=no
]
)]
)] )]
)] )]
)] )],
[
AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection.])
have_digest_cache=no
]
) )
AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes]) AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes])
@ -302,7 +324,7 @@ AC_CONFIG_FILES([Makefile
AC_OUTPUT AC_OUTPUT
if [test $have_gpgme = "yes" ]; then if [test "$have_gpgme" = "yes" ]; then
have_gpgme="$have_gpgme have_gpgme="$have_gpgme
Gpgme engine: $GPG_EXE" Gpgme engine: $GPG_EXE"
fi fi
@ -316,10 +338,16 @@ echo "
Installation prefix: $prefix Installation prefix: $prefix
" "
if [test $want_server = "yes" ]; then if [test "$want_server" = "yes" ]; then
echo " Server support: echo " Server support:
firewall type: $FIREWALL_TYPE firewall type: $FIREWALL_TYPE
firewall program path: $FIREWALL_EXE firewall program path: $FIREWALL_EXE
" "
fi
if [test "$want_digest_cache" = "no" ]; then
echo " *WARNING*
The digest-cache functionality is not enabled. This
could leave the fwknopd server open to replay attacks!
"
fi
fi
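Review bot: The end-of-configure warning block tests `$want_digest_cache`, but the path where neither gdbm nor ndbm is found also defines `NO_DIGEST_CACHE` and only sets `have_digest_cache=no`, so a build that silently lost replay detection because a -dev package was missing never prints the final *WARNING* and the user sees only a mid-run AC_MSG_WARN that scrolls past; the summary should gate on `if [test "$have_digest_cache" = "no" ]; then` and `have_digest_cache` should be initialised (e.g. `have_digest_cache=no` next to `want_digest_cache=yes`) so the test is defined on every path. More fundamentally, the previous behaviour on a missing DBM was a hard `AC_MSG_ERROR`, and downgrading that to a warning means a packager can ship an fwknopd with no replay protection without ever having asked for it; it would be safer to keep the error unless the user opted out explicitly, i.e. replace the innermost define/warn branch with `AC_MSG_ERROR([fwknopd needs either gdbm or ndbm; pass --disable-digest-cache to build without replay detection])` and reserve `NO_DIGEST_CACHE` for the explicit `--disable-digest-cache` branch. Doing so also keeps `NO_DIGEST_CACHE` tied to a single, deliberate decision rather than to whatever headers happened to be installed on the build host.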


@ -76,6 +76,9 @@
static void static void
rotate_digest_cache_file(fko_srv_options_t *opts) rotate_digest_cache_file(fko_srv_options_t *opts)
{ {
#ifdef NO_DIGEST_CACHE
log_msg(LOG_WARNING, "Digest cache not supported. Nothing to rotate.");
#else
int res; int res;
char *new_file = NULL; char *new_file = NULL;
@ -100,6 +103,7 @@ rotate_digest_cache_file(fko_srv_options_t *opts)
log_msg(LOG_ERR, "Unable to rename digest file: %s to %s: %s", log_msg(LOG_ERR, "Unable to rename digest file: %s to %s: %s",
opts->config[CONF_DIGEST_FILE], new_file, strerror(errno) opts->config[CONF_DIGEST_FILE], new_file, strerror(errno)
); );
#endif /* NO_DIGEST_CACHE */
} }
/* Check for the existence of the replay dbm file, and create it if it does /* Check for the existence of the replay dbm file, and create it if it does
@ -108,6 +112,10 @@ rotate_digest_cache_file(fko_srv_options_t *opts)
int int
replay_db_init(fko_srv_options_t *opts) replay_db_init(fko_srv_options_t *opts)
{ {
#ifdef NO_DIGEST_CACHE
return 0;
#else
#ifdef HAVE_LIBGDBM #ifdef HAVE_LIBGDBM
GDBM_FILE rpdb; GDBM_FILE rpdb;
#elif HAVE_LIBNDBM #elif HAVE_LIBNDBM
@ -161,6 +169,7 @@ replay_db_init(fko_srv_options_t *opts)
MY_DBM_CLOSE(rpdb); MY_DBM_CLOSE(rpdb);
return(db_count); return(db_count);
#endif /* NO_DIGEST_CACHE */
} }
/* Take an fko context, pull the digest and use it as the key to check the /* Take an fko context, pull the digest and use it as the key to check the
@ -170,6 +179,10 @@ replay_db_init(fko_srv_options_t *opts)
int int
replay_check(fko_srv_options_t *opts, fko_ctx_t ctx) replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
{ {
#ifdef NO_DIGEST_CACHE
return 0;
#else
#ifdef HAVE_LIBGDBM #ifdef HAVE_LIBGDBM
GDBM_FILE rpdb; GDBM_FILE rpdb;
#elif HAVE_LIBNDBM #elif HAVE_LIBNDBM
@ -305,6 +318,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
MY_DBM_CLOSE(rpdb); MY_DBM_CLOSE(rpdb);
return(res); return(res);
#endif /* NO_DIGEST_CACHE */
} }
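Review bot: Under `NO_DIGEST_CACHE` both `replay_db_init` and `replay_check` become silent stubs returning 0, so at runtime the only hint that replay detection is off is the log line in `rotate_digest_cache_file`, which is presumably reached only when a rotation is requested; the init stub should say so every time the daemon starts, e.g. `log_msg(LOG_WARNING, "Digest cache disabled at build time; replay detection is off.");` before its `return 0;`. I am inferring from the real path's `return(res)` that 0 from `replay_check` means "not a replay" and therefore that every SPA packet is accepted under this build; if that is right, a comment on the stub stating that contract (`/* no cache: every packet is treated as fresh */`) would keep the next reader from assuming the check still does something. The stubs also leave `opts` and `ctx` unused in that configuration, which will trip `-Wunused-parameter` if the project builds with it; a `(void)opts;` / `(void)ctx;` in each stub avoids that without changing behaviour.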
/***EOF***/ /***EOF***/