Merge remote-tracking branch 'upstream/master'

Franck Joncourt 2013-06-30 22:22:34 +02:00
commit 9d7feb52f6
17 changed files with 213 additions and 94 deletions


@ -115,6 +115,9 @@ George Herlin
test suite operate equivalently regardless of whether valgrind is used or
whether fwknop is being tested on an embedded system with very limited
resources.
- Suggested that 'make install' run ldconfig since on some systems it
appears that ldconfig is not automatically run via the autoconf generated
Makefile configs.
Ruhsam Bernhard
- Reported an issue where the message size test would result in long


@ -1,4 +1,20 @@
fwknop-2.5 (//2013):
- ***** IMPORTANT *****: If you are upgrading from an older version of
fwknop, you will want to read the "Backwards Compatibility" section of
the fwknop tutorial available here:
http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#backwards-compatibility
In summary, it is possible to have a mixed environment of fwknop-2.5
clients and/or servers with older client and/or servers, but this
requires some configuration in order to work properly. On the server
side, the directive "ENCRYPTION_MODE legacy" will need to be added to
every access.conf stanza that uses Rijndael and that needs to support
SPA packets from pre-2.5 clients. On the client side when generating
Rijndael-encrypted SPA packets from a pre-2.5 server, the command line
argument "-M legacy" will need to be given. GnuPG operations are not
affected however and don't require the above steps whenever the new HMAC
authenticated encryption feature (offered in fwknop-2.5) is not used.
- Major release of new functionality - HMAC authenticated encryption
support in the encrypt-then-authenticate model for SPA communications.
Supported HMAC digests include MD5, SHA1, SHA256, SHA384, and SHA512.
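Review bot: the release header `fwknop-2.5 (//2013):` still has an empty date field; fill in the release date before tagging (the README text in this same commit says the 2.5 release was made in July, 2013). Also, the supported-digest list leads with MD5 and SHA1 while the libfko example elsewhere in this commit sets `FKO_HMAC_SHA256` as the default; consider saying that SHA256 is the default here so readers of the ChangeLog are not steered toward the weaker digests.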
@ -49,7 +65,8 @@ fwknop-2.5 (//2013):
of sizeof(), potential double-free conditions, and more. Full details on
these fixes are available in the git history. Any open source project
that is written in a language supported by Coverity would benefit highly
from participating.
from participating. As of the 2.5 release, fwknop has a Coverity defect
score of zero.
- [test suite] Changed how the test suite interacts with the fwknop client
and server by looking for indications that SPA packets are actually
received. This is done by first waiting for 'main event loop' in fwknopd


@ -345,3 +345,14 @@ install-exec-hook:
if test -f $(DESTDIR)$(sysconfdir)/fwknop/access.conf; then \
chmod 600 $(DESTDIR)$(sysconfdir)/fwknop/access.conf; \
fi
if test -f $(DESTDIR)$(bindir)/fwknop; then \
if ! $(DESTDIR)$(bindir)/fwknop -h > /dev/null 2>&1; then \
ldconfig; \
fi \
else \
if test -f $(DESTDIR)$(sbindir)/fwknopd; then \
if ! $(DESTDIR)$(sbindir)/fwknopd -h > /dev/null 2>&1; then \
ldconfig -v; \
fi \
fi \
fi
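Review bot: the new `install-exec-hook` block runs `ldconfig` on the build host even when `DESTDIR` points at a packaging staging directory, and if `ldconfig` is missing or fails (it does not exist on Mac OS X, one of the platforms the README lists) the whole `make install` aborts, because the recipe's exit status is that of the last command run. Suggest guarding with `test -z "$(DESTDIR)"` and `command -v ldconfig >/dev/null`, or prefixing the recipe line with `-`. Two smaller points: the two branches are inconsistent (`ldconfig;` versus `ldconfig -v;`), and because the `fwknopd` probe sits in the `else` branch, a system with both `fwknop` and `fwknopd` installed never probes `fwknopd` at all.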

README

@ -1,29 +1,89 @@
This is the top-level directory for the C version of fwknop.
Additional information and details can be found on the fwknop-c site at
http://devmetrix.org/trac/fwknop-c.
This is the top-level directory for the fwknop project.
INTRODUCTION
============
This distribution will be a C-based implementation of Michael Rash's
Perl-based "fwknop" programs. For more information on fwknop and what
it is all about, go to http://www.cipherdyne.org/fwknop.
fwknop implements an authorization scheme known as Single Packet Authorization
(SPA) for strong service concealment. SPA requires only a single packet which
is encrypted, non-replayable, and authenticated via an HMAC in order to
communicate desired access to a service that is hidden behind a firewall in a
default-drop filtering stance. The main application of SPA is to use a firewall
to drop all attempts to connect to services such as SSH in order to make the
exploitation of vulnerabilities (both 0-day and unpatched code) more difficult.
Any service that is concealed by SPA naturally cannot be scanned for with Nmap.
The fwknop project supports three different firewalls: iptables on Linux
systems, pf on OpenBSD, and ipfw on FreeBSD and Mac OS X.
SPA is essentially next generation Port Knocking (PK), but solves many of the
limitations exhibited by PK while retaining its core benefits. PK limitations
include a general difficulty in protecting against replay attacks, asymmetric
ciphers and HMAC schemes are not usually possible to reliably support, and it
is trivially easy to mount a DoS attack against a PK server just by spoofing an
additional packet into a PK sequence as it traverses the network (thereby
convincing the PK server that the client doesnt know the proper sequence). All
of these limitation are solved by SPA. At the same time, SPA hides services
behind a default-drop firewall policy, acquires SPA data passively (usually via
libpcap or other means), and implements standard cryptographic operations for
SPA packet authentication and encryption/decryption.
SPA packets generated by fwknop leverage HMAC for authenticated encryption in
the encrypt-then-authenticate model. Although the usage of an HMAC is currently
optional (enabled via the --use-hmac command line switch), it is highly
recommended for three reasons: 1) without an HMAC, cryptographically strong
authentication is not possible with fwknop unless GnuPG is used, but even then
an HMAC should still be applied, 2) an HMAC applied after encryption protects
against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay
attack and related trickery (like the more recent "Lucky 13" attack against
SSL), and 3) the code required by the fwknopd daemon to verify an HMAC is much
more simplistic than the code required to decrypt an SPA packet, so an SPA
packet without a proper HMAC isnt even sent through the decryption routines.
Reason 3) is why an HMAC should still be used even when SPA packets are
encrypted with GnuPG due to the fact that SPA data is not sent through libgpgme
functions unless the HMAC checks out first. GnuPG and libgpgme are relatively
complex bodies of code, and therefore limiting the ability of a potential
attacker to interact with this code through an HMAC operation helps to maintain
a stronger security stance. Generating an HMAC for SPA communications requires
a dedicated key in addition to the normal encryption key, and both can be
generated with the --key-gen option.
fwknop encrypts SPA packets either with the Rijndael block cipher or via GnuPG
and associated asymmetric cipher. If the symmetric encryption method is chosen,
then as usual the encryption key is shared between the client and server (see
the /etc/fwknop/access.conf file for details). The actual encryption key used
for Rijndael encryption is generated via the standard PBKDF1 key derivation
algorithm, and CBC mode is set. If the GnuPG method is chosen, then the
encryption keys are derived from GnuPG key rings.
A comprehensive tutorial on fwknop can be found here:
http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html
LICENSE
=======
The fwknop project is released as open source software under the terms of the
GNU Public License (GPL v2). The latest release can be found at
http://www.cipherdyne.org/fwknop/
CURRENT STATE
=============
At present, we have an implementation of the Firewall Knock Operator
library; `libfko', as well as the fwknop client and server applications.
The library provides the API and back-end functionality for managing the
Single Packet Authorization (SPA) data that the other fwknop components
employ. It also can be used by other programs that need SPA functonality
(see the `perl' directory for the FKO perl module as an example).
This README file describes the present state of the fwknop project as of the
2.5 release made in July, 2013. At present, we have an implementation of the
Firewall Knock Operator library; `libfko', as well as the fwknop client and
server applications. The library provides the API and back-end functionality
for managing the Single Packet Authorization (SPA) data that the other fwknop
components employ. It also can be used by other programs that need SPA
functonality (see the `perl' directory for the FKO perl module as an example,
and there are python bindings as well in the 'python' directory).
This first version of the C implementation is planned to be compatible
with legacy Perl-based fwknop version 1.9.x. However, it was decided to
start the version number at 2.0 to differentiate it from the current
Perl implementation.
UPGRADING
=========
If you are upgrading from an older version of fwknop (and this includes the
original perl implementation as well), then you will want to read the
following link to ensure a smooth transition to fwknop-2.5:
http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#backwards-compatibility
BUILDING fwknop
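Review bot: a few typos in the rewritten text: `doesnt` and `isnt` need apostrophes, `All of these limitation are solved` should be `limitations`, `functonality` should be `functionality`, and `via GnuPG and associated asymmetric cipher` reads better as `via GnuPG and an associated asymmetric cipher`. In the LICENSE section, the license is the GNU General Public License, not `GNU Public License`. On substance, the HMAC paragraph is a good addition; since it says the HMAC is optional via `--use-hmac`, it may be worth pointing readers at the matching server-side `access.conf` requirement so they do not enable it on only one side.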
@ -49,13 +109,16 @@ There are some "configure" options that are specific to fwknop. They are
--with-ipfw=/path/to/ipfw
Specify path to the ipfw executable [default=check
path]
--with-sh=/path/to/sh Specify path to the sh executable [default=check
--with-pf=/path/to/pfctl
Specify path to the pf executable [default=check
path]
--with-ipf=/path/to/ipf Specify path to the ipf executable [default=check
path]
NOTE to those who may be migrating from the Perl version of fwknop
==================================================================
For those of you who are currently using the Perl version and plan to
For those of you who are currently using the Perl version and plan to
migrate to this version, there are some things to be aware of:
- Not all of the features and functionality of the Perl-based
@ -84,4 +147,3 @@ The fwknop and fwknopd man page nroff sources are included in their
respective directorys (client and server). These nroff files are derived
from the asciidoc sources in the 'docs' directory. See the README in docs
for details.


@ -1 +1 @@
fwknop-2.5-pre2
fwknop-2.5


@ -2,12 +2,12 @@
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/20/2013
.\" Date: 06/30/2013
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
.TH "FWKNOP" "8" "06/20/2013" "Fwknop Client" "Fwknop Client"
.TH "FWKNOP" "8" "06/30/2013" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -34,7 +34,7 @@ fwknop \- Firewall Knock Operator
\fBfwknop\fR \fB\-A\fR <\*(Aqproto/ports\*(Aq> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\*(Aqhost\*(Aq> [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service protection\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is protected by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project supports three different firewalls: \fIiptables\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project supports three different firewalls: \fIiptables\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
.sp
SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitation are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&.
.sp
@ -156,7 +156,7 @@ rc file is a more powerful mechanism for specifying not only the HMAC key but ot
.RS 4
Have
\fBfwknop\fR
generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/random and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/urandom and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
\fB\-\-get\-key\fR)\&. Such keys are generally more secure than passphrases that are typed in from the command line\&.
.RE
.PP
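Review bot: the `--key-gen` description now says keys are derived from `/dev/urandom` instead of `/dev/random`; please confirm this matches what the client code actually opens, and that the asciidoc source the nroff is generated from carries the same wording, since the README in this commit says the man page nroff is derived from the asciidoc sources in `docs` and none of the asciidoc hunks here show this change.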
@ -916,7 +916,7 @@ So, assuming that the IP \fI2\&.2\&.2\&.2\fR is the system where \fBfwknopd\fR i
.RE
.\}
.sp
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \&.fwknoprc file:
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \fI~/\&.fwknoprc\fR file:
.sp
.if n \{\
.RS 4
@ -950,7 +950,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
Random Value: 8950423288486978
Username: mbr
Timestamp: 1370194770
FKO Version: 2\&.5\&.0
FKO Version: 2\&.5
Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL>
@ -970,7 +970,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
.\}
.SS "Access mode examples"
.sp
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the \&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the ~/\&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
.sp
.if n \{\
.RS 4
@ -999,7 +999,7 @@ If the \fB\-\-verbose\fR flag is added to the command line, then some SPA packet
Random Value: 1916307060193417
Username: mbr
Timestamp: 1368498909
FKO Version: 2\&.5\&.0
FKO Version: 2\&.5
Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL>
@ -1129,6 +1129,8 @@ More information on Single Packet Authorization can be found in the paper \(lqSi
.if n \{\
.RE
.\}
.sp
Additional commentary on Single Packet Authorization can be found via Michael Rash\(cqs Twitter feed: http://twitter\&.com/michaelrash, @michaelrash
.SH "AUTHORS"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>


@ -11,7 +11,7 @@ AC_PREREQ(2.62)
dnl Define our name, version and email.
m4_define(my_package, [fwknop])
m4_define(my_version, [2.5.0b])
m4_define(my_version, [2.5])
m4_define(my_bug_email, [dstuart@dstuart.org])
AC_INIT(my_package, my_version, my_bug_email)


@ -16,13 +16,13 @@ SYNOPSIS
DESCRIPTION
-----------
*fwknop* implements an authorization scheme known as Single Packet
Authorization (SPA) for strong service protection. SPA requires only a single
Authorization (SPA) for strong service concealment. SPA requires only a single
packet which is encrypted, non-replayable, and authenticated via an HMAC in order
to communicate desired access to a service that is hidden behind a firewall in a
default-drop filtering stance. The main application of SPA is to use a
firewall to drop all attempts to connect to services such as 'SSH' in order
to make the exploitation of vulnerabilities (both 0-day and unpatched code)
more difficult. Any service that is protected by SPA naturally cannot be
more difficult. Any service that is concealed by SPA naturally cannot be
scanned for with 'Nmap'. The fwknop project supports three different
firewalls: 'iptables' on Linux systems, 'pf' on OpenBSD, and 'ipfw' on FreeBSD
and Mac OS X.
@ -760,7 +760,7 @@ With the access request arguments and encryption and HMAC keys generated and sav
in ``$HOME/.fwknoprc'', the keys themselves need to be transferred to the '2.2.2.2'
system where fwknopd is running. As always, this should be done via some secure
means such as SSH before SPA is enabled and SSHD is blocked by the firewall. Here
is what the new '2.2.2.2' stanza looks like in the .fwknoprc file:
is what the new '2.2.2.2' stanza looks like in the '~/.fwknoprc' file:
..........................
$ tail -n 8 /home/user/.fwknoprc
@ -791,7 +791,7 @@ file (some *--verbose* output is included for illustration):
Random Value: 8950423288486978
Username: mbr
Timestamp: 1370194770
FKO Version: 2.5.0
FKO Version: 2.5
Message Type: 1 (Access msg)
Message String: 1.1.1.1,tcp/22
Nat Access: <NULL>
@ -818,7 +818,7 @@ and HMAC keys, and configuration specifics can be found in the 'fwknopd(8)'
manual page). Also, note the examples below prompt the user to supply the
encryption and HMAC keys via stdin instead of writing them to disk as in the
case of using the ``$HOME/.fwknoprc'' file in the example above. However, all
of the following examples can be converted to using the .fwknoprc file just by
of the following examples can be converted to using the ~/.fwknoprc file just by
adding the *--save-rc-stanza* argument:
..........................
@ -840,7 +840,7 @@ specifics are printed to stdout (not all output is shown for brevity):
Random Value: 1916307060193417
Username: mbr
Timestamp: 1368498909
FKO Version: 2.5.0
FKO Version: 2.5
Message Type: 1 (Access msg)
Message String: 1.1.1.1,tcp/22
Nat Access: <NULL>
@ -1002,6 +1002,9 @@ along with 'Github' for tracking of issues and milestones:
$ git clone https://github.com/mrash/fwknop.git fwknop.git
..........................
Additional commentary on Single Packet Authorization can be found via Michael
Rash's Twitter feed: http://twitter.com/michaelrash, @michaelrash
AUTHORS
-------


@ -23,10 +23,10 @@ or ACL policy to allow the desired access after authenticating and
decrypting a valid SPA packet (in that order), and removing access after a
configurable timeout.
The main application of this program is to protect services such as 'SSH'
The main application of this program is to conceal services such as 'SSH'
with an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult. In
addition, services that are protected in this fashion naturally cannot be
addition, services that are concealed in this fashion naturally cannot be
scanned for with 'Nmap'.
The main configuration for *fwknopd* is maintained within two files:
@ -136,7 +136,8 @@ COMMAND-LINE OPTIONS
*-S, --status*::
Display the status of any *fwknopd* processes that may or not be
running.
running. If there is an existing fwknopd process then 0 is returned for the
exit status and 1 is returned otherwise.
*-v, --verbose*::
Run *fwknopd* in verbose mode. This can option can be specified
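Review bot: documenting the exit status of `--status` (0 when an fwknopd process exists, 1 otherwise) is useful for monitoring scripts; while touching this section, the trailing context line `This can option can be specified` has a doubled word and should read `This option can be specified`.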
@ -155,7 +156,7 @@ FWKNOPD CONFIG AND ACCESS VARIABLES
*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf'' file for configuration variables
that define its operational parameters (what network interface and port
to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file
does not define any access control directives.
does not define any access control directives.
The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' file.
Access control directives define encryption keys and level of access that
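Review bot: the hunk only strips trailing whitespace, but the context line above it has a stray extra quote in `'@sysconfdir@/fwknop/fwknopd.conf''`; it should close with a single `'` like the other file references in this file.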
@ -557,6 +558,9 @@ along with 'Github' for tracking of issues and milestones:
$ git clone https://github.com/mrash/fwknop.git fwknop.git
..........................
Additional commentary on Single Packet Authorization can be found via Michael
Rash's Twitter feed: http://twitter.com/michaelrash, @michaelrash
AUTHORS
-------


@ -578,6 +578,7 @@ For a context that will be used for receiving and parsing an existing
@acronym{SPA} message, you will use the @code{fko_new_with_data} function:
@deftypefun int fko_new_with_data (@w{fko_ctx_t @var{*ctx}, const char @var{*data}, const char @var{*key}, const char @var{key_len}, int @var{encryption_mode}, const char @var{hmac_key}, const int @var{hmac_type}})
The function @code{fko_new_with_data} sets up and initializes a new
@code{fko_ctx_t} context, but instead of initializing default values, it
stores the encrypted message data and makes it ready for parsing. This
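Review bot: the `@deftypefun` prototype for `fko_new_with_data` does not match the call shown later in this commit. The prototype lists seven parameters, but the example passes eight (`&ctx, spa_data, key, key_len, enc_mode, hmac_key, hmac_key_len, hmac_type`), so `hmac_key_len` is missing from the documented signature. The types also look wrong: `const char @var{key_len}` is a length and should be an `int`, and `const char @var{hmac_key}` is a key buffer and should be `const char @var{*hmac_key}`. Suggest rewriting the line to agree with the example call, e.g. `(@w{fko_ctx_t @var{*ctx}, const char @var{*data}, const char @var{*key}, const int @var{key_len}, int @var{encryption_mode}, const char @var{*hmac_key}, const int @var{hmac_key_len}, int @var{hmac_type}})`, after checking it against the declaration in `fko.h`.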
@ -617,7 +618,8 @@ int rc;
/* Assume we called code that retrieves the data and key
*/
rc = fko_new_with_data(&ctx, spa_data, key, key_len, enc_mode, hmac_key, hmac_key_len, hmac_type);
rc = fko_new_with_data(&ctx, spa_data, key, key_len, \\
enc_mode, hmac_key, hmac_key_len, hmac_type);
if(rc != FKO_SUCCESS)
@{
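Review bot: the wrapped call uses `\\` at the end of the first line. Inside a Texinfo `@example` a backslash is literal, so this renders as two backslashes, and it is not valid C either: an argument list can simply be split across lines with no continuation character. Drop the `\\` and keep the indentation.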
@ -763,15 +765,15 @@ a contrived bit of code demonstrating this:
int
main(int argc, char **argv)
@{
fko_ctx_t ctx; /* FKO Context */
char *key; /* Encryption passphrase */
char *hmac_key; /* HMAC key */
char *final_spa; /* Final encrypted SPA data */
int key_len; /* Length of encryption key */
int hmac_key_len; /* Length of HMAC key */
int rc; /* Result code */
int hmac_type = FKO_HMAC_SHA256; /* Default HMAC digest */
int enc_mode = FKO_ENC_MODE_ASYMMETRIC; /* Use GPG */
fko_ctx_t ctx; /* FKO Context */
char *key; /* Encryption passphrase */
char *hmac_key; /* HMAC key */
char *final_spa; /* Final encrypted SPA data */
int key_len; /* Length of encryption key */
int hmac_key_len; /* Length of HMAC key */
int rc; /* Result code */
int hmac_type = FKO_HMAC_SHA256; /* Default HMAC digest */
int enc_mode = FKO_ENC_MODE_ASYMMETRIC; /* Use GPG */
/* Assume we processed the command line
* and retrieved the password and the HMAC key and
@ -813,7 +815,8 @@ main(int argc, char **argv)
hmac_key, hmac_key_len, hmac_type);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error encoding SPA data: %s\n", fko_errstr(rc));
fprintf(stderr, "Error encoding SPA data: %s\n",
fko_errstr(rc));
exit(1);
@}


@ -13,7 +13,7 @@
%define _mandir /usr/share/man
Name: fwknop
Version: 2.5.0b
Version: 2.5
Epoch: 1
Release: 1%{?dist}
Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization.
@ -30,13 +30,13 @@ Requires: libfko, iptables
%package -n libfko
Version: 1.0.0
Version: 2.0
Summary: The fwknop library
Group: Development/Libraries
Requires: gpg, gpgme
%package -n libfko-devel
Version: 1.0.0
Version: 2.0
Summary: The fwknop library header and API docs
Group: Development/Libraries
Requires: libfko


@ -53,7 +53,7 @@ extern "C" {
/* General params
*/
#define FKO_PROTOCOL_VERSION "2.5.0" /* The fwknop protocol version */
#define FKO_PROTOCOL_VERSION "2.0" /* The fwknop protocol version */
/* Supported FKO Message types...
*/
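Review bot: `FKO_PROTOCOL_VERSION` changes from `"2.5.0"` to `"2.0"`, yet the fwknop man page and asciidoc examples updated in this same commit show `FKO Version: 2.5` in the decoded SPA output. Either the protocol version string or the documented sample output is out of date; please confirm which value the client actually emits and make the other match, since the version field is part of what the server parses from every SPA packet.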


@ -80,7 +80,7 @@ ipfw_set_exists(const fko_srv_options_t *opts,
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
log_msg(LOG_INFO, "ipfw_set_exists() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "ipfw_set_exists() CMD: '%s' (res: %d)",
cmd_buf, res);
if(!EXTCMD_IS_SUCCESS(res))
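Review bot: demoting the `CMD: '%s' (res: %d)` lines from `LOG_INFO` to `LOG_DEBUG` is sensible, since every firewall command no longer lands in the default log; but please make sure the `if(!EXTCMD_IS_SUCCESS(res))` branch that follows (and its counterparts in the other hunks of this file) still logs the failing command and result at `LOG_ERR` or `LOG_WARNING`, otherwise an operator running without debug logging loses the only record of which ipfw invocation failed.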
@ -115,7 +115,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_dump_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -142,7 +142,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
printf("\nActive Rules:\n");
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_dump_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -162,7 +162,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
printf("\nExpired Rules:\n");
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_dump_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -282,7 +282,7 @@ fw_initialize(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
@ -312,7 +312,7 @@ fw_initialize(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
@ -334,7 +334,7 @@ fw_initialize(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_initialize() CMD: '%s' (res: %d)",
cmd_buf, res);
if(!EXTCMD_IS_SUCCESS(res))
@ -413,7 +413,7 @@ fw_cleanup(const fko_srv_options_t * const opts)
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_cleanup() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_cleanup() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -526,7 +526,7 @@ process_spa_request(const fko_srv_options_t * const opts,
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
@ -620,7 +620,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "check_firewall_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
if(!EXTCMD_IS_SUCCESS(res))
@ -726,7 +726,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
@ -794,7 +794,7 @@ ipfw_purge_expired_rules(const fko_srv_options_t *opts)
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
log_msg(LOG_INFO, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
if(!EXTCMD_IS_SUCCESS(res))
@ -901,7 +901,7 @@ ipfw_purge_expired_rules(const fko_srv_options_t *opts)
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
log_msg(LOG_INFO, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
if(!EXTCMD_IS_SUCCESS(res))


@ -87,7 +87,7 @@ comment_match_exists(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "comment_match_exists() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "comment_match_exists() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
zero_cmd_buffers();
@ -145,7 +145,7 @@ add_jump_rule(const fko_srv_options_t * const opts, const int chain_num)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
log_msg(LOG_INFO, "add_jump_rule() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "add_jump_rule() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
@ -174,11 +174,11 @@ chain_exists(const fko_srv_options_t * const opts, const int chain_num)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "chain_exists() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "chain_exists() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
log_msg(LOG_INFO, "'%s' table '%s' chain exists",
log_msg(LOG_DEBUG, "'%s' table '%s' chain exists",
fwc.chain[chain_num].table,
fwc.chain[chain_num].to_chain);
else
@ -202,11 +202,11 @@ jump_rule_exists(const fko_srv_options_t * const opts, const int chain_num)
if(rule_exists(opts, fwc.chain[chain_num].from_chain, rule_buf) == 1)
{
log_msg(LOG_INFO, "jump_rule_exists() jump rule found");
log_msg(LOG_DEBUG, "jump_rule_exists() jump rule found");
exists = 1;
}
else
log_msg(LOG_INFO, "jump_rule_exists() jump rule not found");
log_msg(LOG_DEBUG, "jump_rule_exists() jump rule not found");
return exists;
}
@ -244,7 +244,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_dump_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -280,7 +280,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
fflush(stdout);
res = system(cmd_buf);
log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
log_msg(LOG_DEBUG, "fw_dump_rules() CMD: '%s' (res: %d)",
cmd_buf, res);
/* Expect full success on this */
@ -325,7 +325,7 @@ delete_all_chains(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
/* Expect full success on this */
@ -352,7 +352,7 @@ delete_all_chains(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
/* Expect full success on this */
@ -379,7 +379,7 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "create_chain() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "create_chain() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
/* Expect full success on this */
@ -617,18 +617,18 @@ rule_exists(const fko_srv_options_t * const opts,
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "rule_exists() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "rule_exists() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res) && strlen(err_buf))
{
log_msg(LOG_INFO, "rule_exists() Rule : '%s' in %s does not exist.",
log_msg(LOG_DEBUG, "rule_exists() Rule : '%s' in %s does not exist.",
fw_rule, fw_chain);
}
else
{
rule_exists = 1;
log_msg(LOG_INFO, "rule_exists() Rule : '%s' in %s already exists.",
log_msg(LOG_DEBUG, "rule_exists() Rule : '%s' in %s already exists.",
fw_rule, fw_chain);
}
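Review bot: the `else` branch in this hunk is reached both when the rule is present and when the iptables invocation itself failed (EXTCMD_IS_SUCCESS(res) false), so `rule_exists = 1` is set on a command failure and the caller will skip creating the rule. Suggest testing `!EXTCMD_IS_SUCCESS(res)` first and logging that case at LOG_ERR with err_buf, rather than folding it into the "already exists" debug message.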
@ -648,12 +648,12 @@ create_rule(const fko_srv_options_t * const opts,
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "create_rule() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "create_rule() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "create_rule() Rule: '%s' added to %s", fw_rule, fw_chain);
log_msg(LOG_DEBUG, "create_rule() Rule: '%s' added to %s", fw_rule, fw_chain);
res = 1;
}
else
@ -1071,7 +1071,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
chop_newline(cmd_out);
log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, cmd_out: %s)",
log_msg(LOG_DEBUG, "check_firewall_rules() CMD: '%s' (res: %d, cmd_out: %s)",
cmd_buf, res, cmd_out);
if(!EXTCMD_IS_SUCCESS(res))
@ -1179,7 +1179,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
chop_newline(err_buf);
log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
log_msg(LOG_DEBUG, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
cmd_buf, res, err_buf);
if(EXTCMD_IS_SUCCESS(res))

View File

@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/01/2013
.\" Date: 06/30/2013
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "06/01/2013" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "06/30/2013" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -36,7 +36,7 @@ fwknopd \- Firewall Knock Operator Daemon
.sp
\fBfwknopd\fR is the server component for the FireWall Knock Operator, and is responsible for monitoring and processing Single Packet Authorization (SPA) packets that are generated by \fBfwknop\fR clients, modifying a firewall or ACL policy to allow the desired access after authenticating and decrypting a valid SPA packet (in that order), and removing access after a configurable timeout\&.
.sp
The main application of this program is to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are protected in this fashion naturally cannot be scanned for with \fINmap\fR\&.
The main application of this program is to conceal services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are concealed in this fashion naturally cannot be scanned for with \fINmap\fR\&.
.sp
The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)\&. The configuration variables within these files are described below\&.
.SH "COMMAND-LINE OPTIONS"
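Review bot: "conceal" is the more accurate word for what fwknopd does, but the sentence still asserts that concealed services "naturally cannot be scanned for with Nmap", which only holds when the firewall's default policy drops unsolicited packets to the protected port; consider stating that precondition here or cross-referencing the firewall policy requirements so readers do not assume concealment follows from running the daemon alone.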
@ -202,7 +202,7 @@ Rotate the digest cache file by renaming it to \(lq<name>\-old\(rq, and starting
.RS 4
Display the status of any
\fBfwknopd\fR
processes that may or not be running\&.
processes that may or not be running\&. If there is an existing fwknopd process then 0 is returned for the exit status and 1 is returned otherwise\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
@ -642,6 +642,8 @@ More information on Single Packet Authorization can be found in the paper \(lqSi
.if n \{\
.RE
.\}
.sp
Additional commentary on Single Packet Authorization can be found via Michael Rash\(cqs Twitter feed: http://twitter\&.com/michaelrash, @michaelrash
.SH "AUTHORS"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>

View File

@ -101,11 +101,15 @@ main(int argc, char **argv)
old_pid = write_pid_file(&opts);
if(old_pid > 0)
{
fprintf(stdout, "Detected fwknopd is running (pid=%i).\n", old_pid);
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS);
}
else
{
fprintf(stdout, "No running fwknopd detected.\n");
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS);
clean_exit(&opts, NO_FW_CLEANUP, EXIT_FAILURE);
}
}
/* Restart the currently running fwknopd?
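Review bot: this is a user-visible behaviour change: the "No running fwknopd detected." case now exits with EXIT_FAILURE where it previously exited EXIT_SUCCESS, and scripts that treated any zero exit from --status as "command ran" will now see a non-zero status. The man page hunk in this commit documents the new 0/1 contract; make sure the release ChangeLog calls it out as well.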

View File

@ -1408,6 +1408,14 @@ sub rotate_digest_file() {
my $test_hr = shift;
my $rv = 1;
unless (-e $default_digest_file) {
open F, "> $default_digest_file"
or die "[*] Could not open $default_digest_file: $!";
print F "# <digest> <proto> <src_ip> "
. "<src_port> <dst_ip> <dst_port> <time>\n";
close F;
}
$rv = &spa_cycle($test_hr);
if (-e "${default_digest_file}-old") {
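Review bot: the new block uses a two-argument open on the global bareword filehandle F (`open F, "> $default_digest_file"`); a three-argument open with a lexical handle, `open(my $fh, '>', $default_digest_file) or die ...`, keeps the mode separate from the filename and avoids reusing a global handle elsewhere in the test suite, and the `close` return value should be checked too, since the test proceeds on the assumption that the header line was written.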