[client] set HMAC mode whenever any HMAC option is given, add --key-hmac arg

Michael Rash 2013-04-20 11:12:04 -04:00
parent 387b6e40d3
commit f0036f7f22
3 changed files with 44 additions and 2 deletions


@ -55,6 +55,7 @@ enum {
KEY_RIJNDAEL,
KEY_RIJNDAEL_BASE64,
KEY_HMAC_BASE64,
KEY_HMAC,
/* Put GPG-related items below the following line */
GPG_ENCRYPTION = 0x200,
GPG_RECIP_KEY,
@ -98,6 +99,7 @@ static struct option cmd_opts[] =
{"key-rijndael", 1, NULL, KEY_RIJNDAEL },
{"key-rijndael-base64", 1, NULL, KEY_RIJNDAEL_BASE64 },
{"key-hmac-base64", 1, NULL, KEY_HMAC_BASE64 },
{"key-hmac", 1, NULL, KEY_HMAC },
{"key-len", 1, NULL, KEY_LEN},
{"hmac-key-len", 1, NULL, HMAC_KEY_LEN},
{"hmac-digest-type", 1, NULL, HMAC_DIGEST_TYPE},


@ -76,6 +76,8 @@ enum
FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64,
FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE,
FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
FWKNOP_CLI_ARG_KEY_HMAC,
FWKNOP_CLI_ARG_USE_HMAC,
FWKNOP_CLI_ARG_KEY_FILE,
FWKNOP_CLI_ARG_NAT_ACCESS,
FWKNOP_CLI_ARG_HTTP_USER_AGENT,
@ -110,6 +112,8 @@ const char* fwknop_cli_key_tab[FWKNOP_CLI_ARG_NB] =
"KEY_BASE64",
"HMAC_DIGEST_TYPE",
"HMAC_KEY_BASE64",
"HMAC_KEY",
"USE_HMAC",
"KEY_FILE",
"NAT_ACCESS",
"HTTP_USER_AGENT",
@ -693,7 +697,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
options->hmac_type = tmpint;
}
}
/* HMAC key */
/* HMAC key (base64 encoded) */
else if(CONF_VAR_IS(var, "HMAC_KEY_BASE64"))
{
if (! is_base64((unsigned char *) val, strlen(val)))
@ -707,6 +711,13 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
options->have_hmac_base64_key = 1;
}
/* HMAC key */
else if(CONF_VAR_IS(var, "HMAC_KEY"))
{
strlcpy(options->hmac_key, val, MAX_KEY_LEN);
options->have_hmac_key = 1;
}
/* Key file */
else if(CONF_VAR_IS(var, "KEY_FILE"))
{
@ -859,9 +870,15 @@ add_rc_param(FILE* fhandle, uint16_t arg_ndx, fko_cli_options_t *options)
case FWKNOP_CLI_ARG_KEY_HMAC_BASE64:
strlcpy(val, options->hmac_key_base64, sizeof(val));
break;
case FWKNOP_CLI_ARG_KEY_HMAC:
strlcpy(val, options->hmac_key, sizeof(val));
break;
case FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE :
hmac_digest_inttostr(options->hmac_type, val, sizeof(val));
break;
case FWKNOP_CLI_ARG_USE_HMAC :
bool_to_yesno(options->use_hmac, val, sizeof(val));
break;
case FWKNOP_CLI_ARG_NAT_ACCESS :
strlcpy(val, options->nat_access_str, sizeof(val));
break;
@ -1375,7 +1392,15 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
}
strlcpy(options->hmac_key_base64, optarg, MAX_KEY_LEN);
options->have_hmac_base64_key = 1;
options->use_hmac = 1;
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC_BASE64);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
case KEY_HMAC:
strlcpy(options->hmac_key, optarg, MAX_KEY_LEN);
options->have_hmac_key = 1;
options->use_hmac = 1;
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
case KEY_LEN:
options->key_len = strtol_wrapper(optarg, 1,
MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err);
@ -1395,6 +1420,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
exit(EXIT_FAILURE);
}
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1;
break;
case HMAC_KEY_LEN:
options->hmac_key_len = strtol_wrapper(optarg, 1,
@ -1405,6 +1432,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
optarg, 1, MAX_KEY_LEN);
exit(EXIT_FAILURE);
}
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1;
break;
case SPA_ICMP_TYPE:
options->spa_icmp_type = strtol_wrapper(optarg, 0,
@ -1580,6 +1609,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_TIME_OFFSET);
break;
case USE_HMAC:
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1;
break;
default:
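Review bot: The new `case KEY_HMAC:` block in the config_init hunk (-1375,+1392) ends without a `break;`, and the visible lines show none after the preceding `KEY_HMAC_BASE64` block either, so `--key-hmac-base64` falls into the raw-key branch (overwriting `options->hmac_key` with the base64 text and setting `have_hmac_key`) and both cases then fall into `case KEY_LEN:`, where `strtol_wrapper(optarg, ...)` is applied to the key string. Unless a `break` was lost in rendering, add `break;` after `cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);` in both the KEY_HMAC_BASE64 and KEY_HMAC cases. Separately, `strlcpy(options->hmac_key, optarg, MAX_KEY_LEN);` here and the matching call in parse_rc_param silently truncate a raw key longer than the buffer, leaving the operator with a shorter key than configured; checking `strlen(optarg)` against the limit and failing, as the digest-type path does on bad input, would be safer. The config_init switch continues outside the hunk.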


@ -125,7 +125,7 @@ GENERAL OPTIONS
Load an encryption key/password from the specified file. The key file
contains a line for each destination hostname or IP address, a colon
(":"), optional space and the password, followed by a newline. Note
that the last line has to have a terminating newline character.
that the last line has to have a terminating newline character.
Also note: though this is a convenience, have a file on your system with
cleartext passwords is not a good idea and is not recommended.
@ -144,6 +144,11 @@ GENERAL OPTIONS
utilities (like 'ps' under Unix) this form should only be used where
security is not important.
*--key-hmac*='<key>'::
Specify the raw HMAC key (not base64 encoded). Since the password is
visible to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
*-l, --last-cmd*::
Execute *fwknop* with the command-line arguments from the previous
invocation (if any). The previous arguments are parsed out of the
@ -246,6 +251,11 @@ SPA OPTIONS
Set the HMAC digest algorithm (default is sha256). Options are md5, sha1,
sha256, sha384, or sha512.
*--use-hmac*::
Set HMAC mode for authenticated encryption of SPA communications. As of
*fwknop* 2.5, this is an optional feature, but this will become the
default in a future release.
*-N, --nat-access*='<internalIP:forwardPort>'::
The *fwknopd* server offers the ability to provide SPA access through
an iptables firewall to an internal service by interfacing with the