DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only of ENABLE_DIGEST_PERSISTENCE is "Y".

Browse Source 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@176 510a4753-2344-4c79-9c09-4d669213fbeb
This commit is contained in:
Damien Stuart 2009-12-29 20:16:52 +00:00
parent 142d07142b
commit d8dc9be941
5 changed files with 88 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile.am
View File

@ -15,7 +15,7 @@ SUBDIRS = \
doc
EXTRA_DIST = \
m4 \
m4 \
perl/legacy \
perl/FKO/README \
perl/FKO/inc/Devel/CheckLib.pm \

28
server/config_init.c
View File

@ -288,17 +288,25 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
*/
optind = 0;
/* First, scan the command-line args for an alternate configuration
* file. If we find it, use it, otherwise use the default.
* We also grab any override config files as well.
/* First, scan the command-line args for -h/--help or an alternate
* configuration file. If we find an alternate config file, use it,
* otherwise use the default. We also grab any override config files
* as well.
*/
while ((cmd_arg = getopt_long(argc, argv,
GETOPTS_OPTION_STRING, cmd_opts, &index)) != -1) {
/* If help is wanted, give it and exit.
*/
switch(cmd_arg) {
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
/* Look for configuration file arg.
*/
if(cmd_arg == 'c')
{
case 'c':
set_config_entry(opts, CONF_CONFIG_FILE, optarg);
got_conf_file++;
@ -306,14 +314,12 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
*/
if(got_override_config > 0)
break;
}
/* Look for override configuration file arg.
*/
if(cmd_arg == 'O')
{
case 'O':
set_config_entry(opts, CONF_OVERRIDE_CONFIG, optarg);
got_conf_file++;
got_override_config++;
/* If we already have the conf_file option, we are done.
*/
@ -406,10 +412,6 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case GPG_KEY:
set_config_entry(opts, CONF_GPG_KEY, optarg);
break;
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
case 'i':
set_config_entry(opts, CONF_PCAP_INTF, optarg);
break;

14
server/fwknopd_common.h
View File

@ -79,6 +79,20 @@ enum {
SPA_CAP_MODE_TCP
};
/* SPA message handling status code
*/
enum {
SPA_MSG_SUCCESS = 0,
SPA_MSG_BAD_DATA,
SPA_MSG_FKO_CTX_ERROR,
SPA_MSG_DIGEST_ERROR,
SPA_MSG_DIGEST_CACHE_ERROR,
SPA_MSG_REPLAY,
SPA_MSG_TOO_OLD,
SPA_MSG_ACCESS_DENIED,
SPA_MSG_ERROR
};
/* Configuration file parameter tags.
* This will correspond to entries in the configuration parameters
* array.

61
server/incoming_spa.c
View File

@ -5,7 +5,7 @@
*
* Author: Damien S. Stuart
*
* Purpose: The pcap capture routines for fwknopd.
* Purpose: Process an incoming SPA data packet for fwknopd.
*
* Copyright (C) 2009 Damien Stuart (dstuart@dstuart.org)
*
@ -27,22 +27,26 @@
#include "incoming_spa.h"
#include "log_msg.h"
/* The pcap capture routine.
/* Process the SPA packet data
*/
int
incoming_spa(fko_srv_options_t *opts)
{
fko_ctx_t ctx;
int res;
time_t spa_ts, now_ts;
int ts_diff;
spa_pkt_info_t *spa_pkt = &(opts->spa_pkt);
/* Sanity check
*/
if(spa_pkt->packet_data_len <= 0)
return;
return(SPA_MSG_BAD_DATA);
/* --DSS temp */
fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
/* --DSS temp */
/* Get the decryption key
*/
@ -61,19 +65,60 @@ fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
if(res != FKO_SUCCESS)
{
fprintf(stderr, "Error creating fko context: %s\n", fko_errstr(res));
return(-1);
log_msg(LOG_WARNING|LOG_STDERR, "Error creating fko context: %s",
fko_errstr(res));
return(SPA_MSG_FKO_CTX_ERROR);
}
/* --DSS temp */
fprintf(stderr, "Decode res = %i\n", res);
display_ctx(ctx);
/* --DSS temp */
if(strncasecmp(opts->config[CONF_ENABLE_DIGEST_PERSISTENCE], "Y", 1) == 0)
{
res = replay_check(opts, ctx);
if(res != SPA_MSG_SUCCESS)
goto clean_and_bail;
}
/* Check packet age if so configured.
*/
if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
{
if(fko_get_timestamp(ctx, &spa_ts) != FKO_SUCCESS)
{
log_msg(LOG_WARNING|LOG_STDERR, "Error getting SPA timestamp: %s",
fko_errstr(res));
res = SPA_MSG_ERROR;
goto clean_and_bail;
}
time(&now_ts);
ts_diff = now_ts - spa_ts;
if(ts_diff > atoi(opts->config[CONF_MAX_SPA_PACKET_AGE]))
{
log_msg(LOG_WARNING|LOG_STDERR, "SPA data is too old (%i seconds).",
ts_diff);
res = SPA_MSG_TOO_OLD;
goto clean_and_bail;
}
}
/* Additional access checks
*/
// TODO: Finish me
display_ctx(ctx);
/* Send to the firewall rule processor.
*/
// TODO: Finish me
res = replay_check(opts, ctx);
clean_and_bail:
fko_destroy(ctx);
return(res);
}

10
server/replay_dbm.c
View File

@ -146,7 +146,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
log_msg(LOG_WARNING|LOG_STDERR, "Error getting digest from SPA data: %s",
fko_errstr(res));
return(-1);
return(SPA_MSG_DIGEST_ERROR);
}
digest_len = strlen(digest);
@ -171,7 +171,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
MY_DBM_STRERROR(errno)
);
return(-1);
return(SPA_MSG_DIGEST_CACHE_ERROR);
}
db_ent = MY_DBM_FETCH(rpdb, db_key);
@ -232,7 +232,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
free(db_ent.dptr);
#endif
res = 1;
res = SPA_MSG_REPLAY;
} else {
/* This is a new SPA packet that needs to be added to the cache.
*/
@ -249,10 +249,10 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
MY_DBM_STRERROR(errno)
);
res = -1;
res = SPA_MSG_DIGEST_CACHE_ERROR;
}
res = 0;
res = SPA_MSG_SUCCESS;
}
MY_DBM_CLOSE(rpdb);