diff --git a/client/cmd_opts.h b/client/cmd_opts.h
index 53912ec8..ff714134 100644
--- a/client/cmd_opts.h
+++ b/client/cmd_opts.h
@@ -55,6 +55,7 @@ enum {
 KEY_RIJNDAEL,
 KEY_RIJNDAEL_BASE64,
 KEY_HMAC_BASE64,
+ KEY_HMAC,
 /* Put GPG-related items below the following line */
 GPG_ENCRYPTION = 0x200,
 GPG_RECIP_KEY,
@@ -98,6 +99,7 @@ static struct option cmd_opts[] =
 {"key-rijndael", 1, NULL, KEY_RIJNDAEL },
 {"key-rijndael-base64", 1, NULL, KEY_RIJNDAEL_BASE64 },
 {"key-hmac-base64", 1, NULL, KEY_HMAC_BASE64 },
+ {"key-hmac", 1, NULL, KEY_HMAC },
 {"key-len", 1, NULL, KEY_LEN},
 {"hmac-key-len", 1, NULL, HMAC_KEY_LEN},
 {"hmac-digest-type", 1, NULL, HMAC_DIGEST_TYPE},
diff --git a/client/config_init.c b/client/config_init.c
index 462af1ee..e64e9bb1 100644
--- a/client/config_init.c
+++ b/client/config_init.c
@@ -76,6 +76,8 @@ enum
 FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64,
 FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE,
 FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
+ FWKNOP_CLI_ARG_KEY_HMAC,
+ FWKNOP_CLI_ARG_USE_HMAC,
 FWKNOP_CLI_ARG_KEY_FILE,
 FWKNOP_CLI_ARG_NAT_ACCESS,
 FWKNOP_CLI_ARG_HTTP_USER_AGENT,
@@ -110,6 +112,8 @@ const char* fwknop_cli_key_tab[FWKNOP_CLI_ARG_NB] =
 "KEY_BASE64",
 "HMAC_DIGEST_TYPE",
 "HMAC_KEY_BASE64",
+ "HMAC_KEY",
+ "USE_HMAC",
 "KEY_FILE",
 "NAT_ACCESS",
 "HTTP_USER_AGENT",
@@ -693,7 +697,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
 options->hmac_type = tmpint;
 }
 }
- /* HMAC key */
+ /* HMAC key (base64 encoded) */
 else if(CONF_VAR_IS(var, "HMAC_KEY_BASE64"))
 {
 if (! is_base64((unsigned char *) val, strlen(val)))
@@ -707,6 +711,13 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
 options->have_hmac_base64_key = 1;
 }
 
+ /* HMAC key */
+ else if(CONF_VAR_IS(var, "HMAC_KEY"))
+ {
+ strlcpy(options->hmac_key, val, MAX_KEY_LEN);
+ options->have_hmac_key = 1;
+ }
+
 /* Key file */
 else if(CONF_VAR_IS(var, "KEY_FILE"))
 {
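Review bot: The new `HMAC_KEY` branch in parse_rc_param accepts `val` unconditionally and copies it with `strlcpy(options->hmac_key, val, MAX_KEY_LEN)`, whereas the `HMAC_KEY_BASE64` branch just above it rejects input that fails `is_base64()`; an rc-file key of MAX_KEY_LEN bytes or longer is silently truncated, so the client would compute HMACs with a key other than the one the operator configured. Add a length check before the copy, `if (strlen(val) >= MAX_KEY_LEN) { /* report the over-long key and fail, as the base64 branch does for bad input */ }`, using whatever error path the base64 branch takes (that path falls outside this hunk). Unlike the `--key-hmac` CLI path, this branch also does not set `options->use_hmac`; if the new `USE_HMAC` rc variable is not handled elsewhere in parse_rc_param (not visible here), an rc file carrying only `HMAC_KEY` would not enable HMAC. parse_rc_param starts and ends outside the hunk.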
@@ -859,9 +870,15 @@ add_rc_param(FILE* fhandle, uint16_t arg_ndx, fko_cli_options_t *options)
 case FWKNOP_CLI_ARG_KEY_HMAC_BASE64:
 strlcpy(val, options->hmac_key_base64, sizeof(val));
 break;
+ case FWKNOP_CLI_ARG_KEY_HMAC:
+ strlcpy(val, options->hmac_key, sizeof(val));
+ break;
 case FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE :
 hmac_digest_inttostr(options->hmac_type, val, sizeof(val));
 break;
+ case FWKNOP_CLI_ARG_USE_HMAC :
+ bool_to_yesno(options->use_hmac, val, sizeof(val));
+ break;
 case FWKNOP_CLI_ARG_NAT_ACCESS :
 strlcpy(val, options->nat_access_str, sizeof(val));
 break;
@@ -1375,7 +1392,15 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
 }
 strlcpy(options->hmac_key_base64, optarg, MAX_KEY_LEN);
 options->have_hmac_base64_key = 1;
+ options->use_hmac = 1;
 cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC_BASE64);
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
+ case KEY_HMAC:
+ strlcpy(options->hmac_key, optarg, MAX_KEY_LEN);
+ options->have_hmac_key = 1;
+ options->use_hmac = 1;
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC);
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
 case KEY_LEN:
 options->key_len = strtol_wrapper(optarg, 1,
 MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err);
@@ -1395,6 +1420,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
 exit(EXIT_FAILURE);
 }
 cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE);
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
+ options->use_hmac = 1;
 break;
 case HMAC_KEY_LEN:
 options->hmac_key_len = strtol_wrapper(optarg, 1,
@@ -1405,6 +1432,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
 optarg, 1, MAX_KEY_LEN);
 exit(EXIT_FAILURE);
 }
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
+ options->use_hmac = 1;
 break;
 case SPA_ICMP_TYPE:
 options->spa_icmp_type = strtol_wrapper(optarg, 0,
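Review bot: No `break;` terminates the new `case KEY_HMAC:` in the `@@ -1375` hunk, nor the `KEY_HMAC_BASE64` case it was spliced into, so `--key-hmac-base64` falls into `KEY_HMAC` (overwriting `options->hmac_key` with the base64 text and setting `have_hmac_key`), and both options then fall into `case KEY_LEN:`, which feeds the key string to `strtol_wrapper(optarg, 1, MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err)` and stores the result in `options->key_len`. Add `break;` after the `FWKNOP_CLI_ARG_USE_HMAC` bitmask line of each of the two cases, matching the `HMAC_DIGEST_TYPE` and `HMAC_KEY_LEN` cases in the following hunks. The `strlcpy(options->hmac_key, optarg, MAX_KEY_LEN)` also truncates an over-long key silently, so a `--key-hmac` value of MAX_KEY_LEN bytes or more would sign SPA packets with a different key than the one supplied; a length check that reports an error, as the `HMAC_KEY_LEN` case does for out-of-range values, would prevent that. config_init begins and ends outside this hunk.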
@@ -1580,6 +1609,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
 cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_TIME_OFFSET);
 break;
 case USE_HMAC:
+ cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
 options->use_hmac = 1;
 break;
 default:
diff --git a/doc/fwknop.man.asciidoc b/doc/fwknop.man.asciidoc
index 10e39baa..21ddad93 100644
--- a/doc/fwknop.man.asciidoc
+++ b/doc/fwknop.man.asciidoc
@@ -125,7 +125,7 @@ GENERAL OPTIONS
 Load an encryption key/password from the specified file. The key file contains a line for each destination hostname or IP address, a colon (":"), optional space and the password, followed by a newline. Note
- that the last line has to have a terminating newline character.
+ that the last line has to have a terminating newline character. Also note: though this is a convenience, have a file on your system with cleartext passwords is not a good idea and is not recommended.
@@ -144,6 +144,11 @@ GENERAL OPTIONS
 utilities (like 'ps' under Unix) this form should only be used where security is not important.
 
+*--key-hmac*=''::
+ Specify the raw HMAC key (not base64 encoded). Since the password is
+ visible to utilities (like 'ps' under Unix) this form should only be used
+ where security is not important.
+
 *-l, --last-cmd*::
 Execute *fwknop* with the command-line arguments from the previous invocation (if any). The previous arguments are parsed out of the
@@ -246,6 +251,11 @@ SPA OPTIONS
 Set the HMAC digest algorithm (default is sha256). Options are md5, sha1, sha256, sha384, or sha512.
 
+*--use-hmac*::
+ Set HMAC mode for authenticated encryption of SPA communications. As of
+ *fwknop* 2.5, this is an optional feature, but this will become the
+ default in a future release.
+
 *-N, --nat-access*=''::
 The *fwknopd* server offers the ability to provide SPA access through an iptables firewall to an internal service by interfacing with the