[client] set HMAC mode whenever any HMAC option is given, add --key-hmac arg

Michael Rash 2013-04-20 11:12:04 -04:00
parent 387b6e40d3
commit f0036f7f22
3 changed files with 44 additions and 2 deletions

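--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -55,6 +55,7 @@ enum {
 KEY_RIJNDAEL,
 KEY_RIJNDAEL_BASE64,
 KEY_HMAC_BASE64,
+KEY_HMAC,
 /* Put GPG-related items below the following line */
 GPG_ENCRYPTION = 0x200,
 GPG_RECIP_KEY,
@@ -98,6 +99,7 @@ static struct option cmd_opts[] =
 {"key-rijndael", 1, NULL, KEY_RIJNDAEL },
 {"key-rijndael-base64", 1, NULL, KEY_RIJNDAEL_BASE64 },
 {"key-hmac-base64", 1, NULL, KEY_HMAC_BASE64 },
+{"key-hmac", 1, NULL, KEY_HMAC },
 {"key-len", 1, NULL, KEY_LEN},
 {"hmac-key-len", 1, NULL, HMAC_KEY_LEN},
 {"hmac-digest-type", 1, NULL, HMAC_DIGEST_TYPE},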


@ -76,6 +76,8 @@ enum
FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64, FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64,
FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE, FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE,
FWKNOP_CLI_ARG_KEY_HMAC_BASE64, FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
FWKNOP_CLI_ARG_KEY_HMAC,
FWKNOP_CLI_ARG_USE_HMAC,
FWKNOP_CLI_ARG_KEY_FILE, FWKNOP_CLI_ARG_KEY_FILE,
FWKNOP_CLI_ARG_NAT_ACCESS, FWKNOP_CLI_ARG_NAT_ACCESS,
FWKNOP_CLI_ARG_HTTP_USER_AGENT, FWKNOP_CLI_ARG_HTTP_USER_AGENT,
@ -110,6 +112,8 @@ const char* fwknop_cli_key_tab[FWKNOP_CLI_ARG_NB] =
"KEY_BASE64", "KEY_BASE64",
"HMAC_DIGEST_TYPE", "HMAC_DIGEST_TYPE",
"HMAC_KEY_BASE64", "HMAC_KEY_BASE64",
"HMAC_KEY",
"USE_HMAC",
"KEY_FILE", "KEY_FILE",
"NAT_ACCESS", "NAT_ACCESS",
"HTTP_USER_AGENT", "HTTP_USER_AGENT",
@ -693,7 +697,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
options->hmac_type = tmpint; options->hmac_type = tmpint;
} }
} }
/* HMAC key */ /* HMAC key (base64 encoded) */
else if(CONF_VAR_IS(var, "HMAC_KEY_BASE64")) else if(CONF_VAR_IS(var, "HMAC_KEY_BASE64"))
{ {
if (! is_base64((unsigned char *) val, strlen(val))) if (! is_base64((unsigned char *) val, strlen(val)))
@ -707,6 +711,13 @@ parse_rc_param(fko_cli_options_t *options, const char *var, char * val)
options->have_hmac_base64_key = 1; options->have_hmac_base64_key = 1;
} }
/* HMAC key */
else if(CONF_VAR_IS(var, "HMAC_KEY"))
{
strlcpy(options->hmac_key, val, MAX_KEY_LEN);
options->have_hmac_key = 1;
}
/* Key file */ /* Key file */
else if(CONF_VAR_IS(var, "KEY_FILE")) else if(CONF_VAR_IS(var, "KEY_FILE"))
{ {
@ -859,9 +870,15 @@ add_rc_param(FILE* fhandle, uint16_t arg_ndx, fko_cli_options_t *options)
case FWKNOP_CLI_ARG_KEY_HMAC_BASE64: case FWKNOP_CLI_ARG_KEY_HMAC_BASE64:
strlcpy(val, options->hmac_key_base64, sizeof(val)); strlcpy(val, options->hmac_key_base64, sizeof(val));
break; break;
case FWKNOP_CLI_ARG_KEY_HMAC:
strlcpy(val, options->hmac_key, sizeof(val));
break;
case FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE : case FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE :
hmac_digest_inttostr(options->hmac_type, val, sizeof(val)); hmac_digest_inttostr(options->hmac_type, val, sizeof(val));
break; break;
case FWKNOP_CLI_ARG_USE_HMAC :
bool_to_yesno(options->use_hmac, val, sizeof(val));
break;
case FWKNOP_CLI_ARG_NAT_ACCESS : case FWKNOP_CLI_ARG_NAT_ACCESS :
strlcpy(val, options->nat_access_str, sizeof(val)); strlcpy(val, options->nat_access_str, sizeof(val));
break; break;
@ -1375,7 +1392,15 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
} }
strlcpy(options->hmac_key_base64, optarg, MAX_KEY_LEN); strlcpy(options->hmac_key_base64, optarg, MAX_KEY_LEN);
options->have_hmac_base64_key = 1; options->have_hmac_base64_key = 1;
options->use_hmac = 1;
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC_BASE64); cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC_BASE64);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
case KEY_HMAC:
strlcpy(options->hmac_key, optarg, MAX_KEY_LEN);
options->have_hmac_key = 1;
options->use_hmac = 1;
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_HMAC);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
case KEY_LEN: case KEY_LEN:
options->key_len = strtol_wrapper(optarg, 1, options->key_len = strtol_wrapper(optarg, 1,
MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err); MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err);
@ -1395,6 +1420,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE); cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE);
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1;
break; break;
case HMAC_KEY_LEN: case HMAC_KEY_LEN:
options->hmac_key_len = strtol_wrapper(optarg, 1, options->hmac_key_len = strtol_wrapper(optarg, 1,
@ -1405,6 +1432,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
optarg, 1, MAX_KEY_LEN); optarg, 1, MAX_KEY_LEN);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1;
break; break;
case SPA_ICMP_TYPE: case SPA_ICMP_TYPE:
options->spa_icmp_type = strtol_wrapper(optarg, 0, options->spa_icmp_type = strtol_wrapper(optarg, 0,
@ -1580,6 +1609,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_TIME_OFFSET); cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_TIME_OFFSET);
break; break;
case USE_HMAC: case USE_HMAC:
cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);
options->use_hmac = 1; options->use_hmac = 1;
break; break;
default: default:
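Review bot: The new `case KEY_HMAC:` block in the `@ -1375,7 +1392,15 @@ config_init` hunk ends without a `break;`, so control falls into `case KEY_LEN:` and the raw HMAC key string is handed to `strtol_wrapper(optarg, 1, MAX_KEY_LEN, NO_EXIT_UPON_ERR, &is_err)` as if it were a key length; the `KEY_HMAC_BASE64` case directly above it has the same pre-existing gap, which this commit leaves in place. A non-numeric key would presumably be rejected by the error check that follows (outside the hunk), while a key that happens to parse as a number would silently overwrite `options->key_len`. Add `break;` after the `cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_USE_HMAC);` line in both cases. Separately, the rc-file `HMAC_KEY` branch added in the `parse_rc_param` hunk copies the key and sets `have_hmac_key` but, unlike the CLI path, does not set `options->use_hmac = 1`, so unless a `USE_HMAC` rc entry is parsed elsewhere a key-only rc file would not enable HMAC mode despite the commit title. The `config_init` switch begins and ends outside the hunk.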


@ -144,6 +144,11 @@ GENERAL OPTIONS
utilities (like 'ps' under Unix) this form should only be used where utilities (like 'ps' under Unix) this form should only be used where
security is not important. security is not important.
*--key-hmac*='<key>'::
Specify the raw HMAC key (not base64 encoded). Since the password is
visible to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
*-l, --last-cmd*:: *-l, --last-cmd*::
Execute *fwknop* with the command-line arguments from the previous Execute *fwknop* with the command-line arguments from the previous
invocation (if any). The previous arguments are parsed out of the invocation (if any). The previous arguments are parsed out of the
@ -246,6 +251,11 @@ SPA OPTIONS
Set the HMAC digest algorithm (default is sha256). Options are md5, sha1, Set the HMAC digest algorithm (default is sha256). Options are md5, sha1,
sha256, sha384, or sha512. sha256, sha384, or sha512.
*--use-hmac*::
Set HMAC mode for authenticated encryption of SPA communications. As of
*fwknop* 2.5, this is an optional feature, but this will become the
default in a future release.
*-N, --nat-access*='<internalIP:forwardPort>':: *-N, --nat-access*='<internalIP:forwardPort>'::
The *fwknopd* server offers the ability to provide SPA access through The *fwknopd* server offers the ability to provide SPA access through
an iptables firewall to an internal service by interfacing with the an iptables firewall to an internal service by interfacing with the