Added a check of the SPA packet age against MAX_SPA_PACKET_AGE when ENABLE_SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check run only if ENABLE_DIGEST_PERSISTENCE is "Y".

git-svn-id: file:///home/mbr/svn/fwknop/trunk@176 510a4753-2344-4c79-9c09-4d669213fbeb
Damien Stuart 2009-12-29 20:16:52 +00:00
parent 142d07142b
commit d8dc9be941
5 changed files with 88 additions and 27 deletions


@ -15,7 +15,7 @@ SUBDIRS = \
doc doc
EXTRA_DIST = \ EXTRA_DIST = \
m4 \ m4 \
perl/legacy \ perl/legacy \
perl/FKO/README \ perl/FKO/README \
perl/FKO/inc/Devel/CheckLib.pm \ perl/FKO/inc/Devel/CheckLib.pm \


@ -288,17 +288,25 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
*/ */
optind = 0; optind = 0;
/* First, scan the command-line args for an alternate configuration /* First, scan the command-line args for -h/--help or an alternate
* file. If we find it, use it, otherwise use the default. * configuration file. If we find an alternate config file, use it,
* We also grab any override config files as well. * otherwise use the default. We also grab any override config files
* as well.
*/ */
while ((cmd_arg = getopt_long(argc, argv, while ((cmd_arg = getopt_long(argc, argv,
GETOPTS_OPTION_STRING, cmd_opts, &index)) != -1) { GETOPTS_OPTION_STRING, cmd_opts, &index)) != -1) {
/* If help is wanted, give it and exit.
*/
switch(cmd_arg) {
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
/* Look for configuration file arg. /* Look for configuration file arg.
*/ */
if(cmd_arg == 'c') case 'c':
{
set_config_entry(opts, CONF_CONFIG_FILE, optarg); set_config_entry(opts, CONF_CONFIG_FILE, optarg);
got_conf_file++; got_conf_file++;
@ -306,14 +314,12 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
*/ */
if(got_override_config > 0) if(got_override_config > 0)
break; break;
}
/* Look for override configuration file arg. /* Look for override configuration file arg.
*/ */
if(cmd_arg == 'O') case 'O':
{
set_config_entry(opts, CONF_OVERRIDE_CONFIG, optarg); set_config_entry(opts, CONF_OVERRIDE_CONFIG, optarg);
got_conf_file++; got_override_config++;
/* If we already have the conf_file option, we are done. /* If we already have the conf_file option, we are done.
*/ */
@ -406,10 +412,6 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case GPG_KEY: case GPG_KEY:
set_config_entry(opts, CONF_GPG_KEY, optarg); set_config_entry(opts, CONF_GPG_KEY, optarg);
break; break;
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
case 'i': case 'i':
set_config_entry(opts, CONF_PCAP_INTF, optarg); set_config_entry(opts, CONF_PCAP_INTF, optarg);
break; break;


@ -79,6 +79,20 @@ enum {
SPA_CAP_MODE_TCP SPA_CAP_MODE_TCP
}; };
/* SPA message handling status code
*/
enum {
SPA_MSG_SUCCESS = 0,
SPA_MSG_BAD_DATA,
SPA_MSG_FKO_CTX_ERROR,
SPA_MSG_DIGEST_ERROR,
SPA_MSG_DIGEST_CACHE_ERROR,
SPA_MSG_REPLAY,
SPA_MSG_TOO_OLD,
SPA_MSG_ACCESS_DENIED,
SPA_MSG_ERROR
};
/* Configuration file parameter tags. /* Configuration file parameter tags.
* This will correspond to entries in the configuration parameters * This will correspond to entries in the configuration parameters
* array. * array.
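Review bot: The new SPA_MSG_* enum does not state the contract callers depend on: SPA_MSG_SUCCESS (0) is the only accept value and every other code is a rejection, which is why incoming_spa() now tests `res != SPA_MSG_SUCCESS` where the old -1/0/1 convention tested for negative. Suggest adding above the enum: `/* SPA_MSG_SUCCESS is the only "accept" result; every other value rejects the packet. Test with != SPA_MSG_SUCCESS, never with < 0. */`.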


@ -5,7 +5,7 @@
* *
* Author: Damien S. Stuart * Author: Damien S. Stuart
* *
* Purpose: The pcap capture routines for fwknopd. * Purpose: Process an incoming SPA data packet for fwknopd.
* *
* Copyright (C) 2009 Damien Stuart (dstuart@dstuart.org) * Copyright (C) 2009 Damien Stuart (dstuart@dstuart.org)
* *
@ -27,22 +27,26 @@
#include "incoming_spa.h" #include "incoming_spa.h"
#include "log_msg.h" #include "log_msg.h"
/* The pcap capture routine. /* Process the SPA packet data
*/ */
int int
incoming_spa(fko_srv_options_t *opts) incoming_spa(fko_srv_options_t *opts)
{ {
fko_ctx_t ctx; fko_ctx_t ctx;
int res; int res;
time_t spa_ts, now_ts;
int ts_diff;
spa_pkt_info_t *spa_pkt = &(opts->spa_pkt); spa_pkt_info_t *spa_pkt = &(opts->spa_pkt);
/* Sanity check /* Sanity check
*/ */
if(spa_pkt->packet_data_len <= 0) if(spa_pkt->packet_data_len <= 0)
return; return(SPA_MSG_BAD_DATA);
/* --DSS temp */
fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data); fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
/* --DSS temp */
/* Get the decryption key /* Get the decryption key
*/ */
@ -61,19 +65,60 @@ fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
if(res != FKO_SUCCESS) if(res != FKO_SUCCESS)
{ {
fprintf(stderr, "Error creating fko context: %s\n", fko_errstr(res)); log_msg(LOG_WARNING|LOG_STDERR, "Error creating fko context: %s",
return(-1); fko_errstr(res));
return(SPA_MSG_FKO_CTX_ERROR);
} }
/* --DSS temp */
fprintf(stderr, "Decode res = %i\n", res); fprintf(stderr, "Decode res = %i\n", res);
display_ctx(ctx);
/* --DSS temp */
if(strncasecmp(opts->config[CONF_ENABLE_DIGEST_PERSISTENCE], "Y", 1) == 0)
{
res = replay_check(opts, ctx);
if(res != SPA_MSG_SUCCESS)
goto clean_and_bail;
}
/* Check packet age if so configured.
*/
if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
{
if(fko_get_timestamp(ctx, &spa_ts) != FKO_SUCCESS)
{
log_msg(LOG_WARNING|LOG_STDERR, "Error getting SPA timestamp: %s",
fko_errstr(res));
res = SPA_MSG_ERROR;
goto clean_and_bail;
}
time(&now_ts);
ts_diff = now_ts - spa_ts;
if(ts_diff > atoi(opts->config[CONF_MAX_SPA_PACKET_AGE]))
{
log_msg(LOG_WARNING|LOG_STDERR, "SPA data is too old (%i seconds).",
ts_diff);
res = SPA_MSG_TOO_OLD;
goto clean_and_bail;
}
}
/* Additional access checks
*/
// TODO: Finish me
display_ctx(ctx); /* Send to the firewall rule processor.
*/
// TODO: Finish me
res = replay_check(opts, ctx);
clean_and_bail:
fko_destroy(ctx); fko_destroy(ctx);
return(res); return(res);
} }
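Review bot: The age check at `ts_diff = now_ts - spa_ts; if(ts_diff > atoi(...))` is one-sided: a packet whose embedded timestamp lies in the future gives a negative ts_diff and is accepted no matter how far off it is, so clock skew in that direction is never caught and, when ENABLE_DIGEST_PERSISTENCE is "N", such a packet remains valid until its timestamp is reached; comparing the absolute difference against MAX_SPA_PACKET_AGE makes the window symmetric. In the failure branch of `fko_get_timestamp()` the log prints `fko_errstr(res)`, but `res` still holds the earlier fko_new_with_data() or replay_check() result (an SPA_MSG code, not an FKO one), so the message is wrong; capture the return value first. The stderr dumps of the raw packet and of `display_ctx(ctx)` marked `--DSS temp` print every decoded SPA field for each packet and should be removed or gated behind a debug level before this ships. atoi() also silently yields 0 for a malformed MAX_SPA_PACKET_AGE, which would reject every packet; strtol with a range check at config load would turn that into a startup error.
```c
    if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
    {
        res = fko_get_timestamp(ctx, &spa_ts);
        if(res != FKO_SUCCESS)
        {
            /* … unchanged: log_msg(), res = SPA_MSG_ERROR, goto clean_and_bail … */
        }

        time(&now_ts);
        ts_diff = (int)(now_ts - spa_ts);

        /* Skew in either direction counts against the window, so a
         * future-dated packet cannot stay valid until its timestamp arrives.
         */
        if(ts_diff < 0)
            ts_diff = -ts_diff;

        if(ts_diff > atoi(opts->config[CONF_MAX_SPA_PACKET_AGE]))
        {
            /* … unchanged: log_msg(), res = SPA_MSG_TOO_OLD, goto clean_and_bail … */
        }
    }
```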


@ -146,7 +146,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
log_msg(LOG_WARNING|LOG_STDERR, "Error getting digest from SPA data: %s", log_msg(LOG_WARNING|LOG_STDERR, "Error getting digest from SPA data: %s",
fko_errstr(res)); fko_errstr(res));
return(-1); return(SPA_MSG_DIGEST_ERROR);
} }
digest_len = strlen(digest); digest_len = strlen(digest);
@ -171,7 +171,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
MY_DBM_STRERROR(errno) MY_DBM_STRERROR(errno)
); );
return(-1); return(SPA_MSG_DIGEST_CACHE_ERROR);
} }
db_ent = MY_DBM_FETCH(rpdb, db_key); db_ent = MY_DBM_FETCH(rpdb, db_key);
@ -232,7 +232,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
free(db_ent.dptr); free(db_ent.dptr);
#endif #endif
res = 1; res = SPA_MSG_REPLAY;
} else { } else {
/* This is a new SPA packet that needs to be added to the cache. /* This is a new SPA packet that needs to be added to the cache.
*/ */
@ -249,10 +249,10 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
MY_DBM_STRERROR(errno) MY_DBM_STRERROR(errno)
); );
res = -1; res = SPA_MSG_DIGEST_CACHE_ERROR;
} }
res = 0; res = SPA_MSG_SUCCESS;
} }
MY_DBM_CLOSE(rpdb); MY_DBM_CLOSE(rpdb);
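Review bot: In the new-packet branch the store-failure result is immediately overwritten: `res = SPA_MSG_DIGEST_CACHE_ERROR;` inside the error `if` is followed by an unconditional `res = SPA_MSG_SUCCESS;`, so a packet whose digest could not be written to the cache is still accepted, and a later replay of that same packet will pass the check as well (the old -1/0 code had the same shape; the commit renames the values without fixing it). Set `res = SPA_MSG_SUCCESS;` before the store call and delete the assignment after the error block, or make it `else res = SPA_MSG_SUCCESS;`. The `if` around the store begins before the hunk, so confirm its exact shape in the source; replay_check() itself starts well before this section.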