* Added the --show-last and --no-save command line options to show the

command line used for the previous fwknop invocation, and to have the
  fwknop client not save its command line arguments.
* Bug fix to force libfko to recalculate the random data embedded in the
  the SPA packet after a random port is acquired via --rand-port or
  --nat-rand-port.  This is a precaution so that an attacker cannot guess
  some of the internal SPA data based on the destination port number.


git-svn-id: file:///home/mbr/svn/fwknop/trunk@116 510a4753-2344-4c79-9c09-4d669213fbeb

ChangeLog

@@ -1,3 +1,12 @@
+2009-07-23  Michael Rash  <mbr@cipherdyne.org>
+    * Added the --show-last and --no-save command line options to show the
+      command line used for the previous fwknop invocation, and to have the
+      fwknop client not save its command line arguments.
+    * Bug fix to force libfko to recalculate the random data embedded in the
+      the SPA packet after a random port is acquired via --rand-port or
+      --nat-rand-port.  This is a precaution so that an attacker cannot guess
+      some of the internal SPA data based on the destination port number.
+
 2009-07-21  Michael Rash  <mbr@cipherdyne.org>
     * Got forward and local NAT modes working with the --nat-access,
       --nat-local, --nat-port, and --nat-randport options.  All NAT modes

src/config_init.c

@@ -204,7 +204,7 @@ validate_options(fko_cli_options_t *options)
     /* Gotta have a Destination unless we are just testing or getting the
      * the version.
     */
-    if (!options->test && !options->version
+    if (!options->test && !options->version && !options->show_last_command
         && options->spa_server_str[0] == 0x0)
     {
         fprintf(stderr,
@@ -340,6 +340,9 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
             case 'r':
                 options->rand_port = 1;
                 break;
+            case SHOW_LAST_ARGS:
+                options->show_last_command = 1;
+                break;
             case 'S':
                 options->spa_src_port = atoi(optarg);
                 if (options->spa_src_port < 0 || options->spa_src_port > 65535) {
@@ -394,6 +397,9 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
             case TIME_OFFSET_MINUS:
                 options->time_offset_minus = parse_time_offset(optarg);
                 break;
+            case NO_SAVE_ARGS:
+                options->no_save_args = 1;
+                break;
             default:
                 usage();
                 exit(EXIT_FAILURE);
@@ -459,10 +465,13 @@ usage(void)
       "     --gpg-signer-key    - Specify the signer's GPG key name or ID.\n"
       "     --gpg-home-dir      - Specify the GPG home directory.\n"
       "     --gpg-agent         - Use GPG agent if available.\n"
-      "     --nat-local         - Use GPG agent if available.\n"
-      "     --nat-port         - Use GPG agent if available.\n"
-      "     --nat-rand-port    - Use GPG agent if available.\n"
-      "     --nat-local         - Use GPG agent if available.\n"
+      "     --nat-local         - Access a local service via a forwarded port\n"
+      "                           on the fwknopd server system.\n"
+      "     --nat-port          - Specify the port to forward to access a\n"
+      "                           service via NAT.\n"
+      "     --nat-rand-port     - Have the fwknop client assign a random port\n"
+      "                           for NAT access.\n"
+      "     --show-last         - Show the last fwknop command line arguments.\n"
       "     --time-offset-plus  - Add time to outgoing SPA packet timestamp.\n"
       "     --time-offset-minus - Subtract time from outgoing SPA packet\n"
       "                           timestamp.\n"

src/config_init.h

@@ -38,6 +38,8 @@ enum {
     NAT_RAND_PORT,
     TIME_OFFSET_MINUS,
     TIME_OFFSET_PLUS,
+    NO_SAVE_ARGS,
+    SHOW_LAST_ARGS,
     /* Put GPG-related items below the following line */
     GPG_ENCRYPTION      = 0x200,
     GPG_RECIP_KEY,
@@ -55,6 +57,7 @@ static struct option cmd_opts[] =
     {"access",              1, NULL, 'A'},
     {"save-packet-append",  0, NULL, 'b'},
     {"save-packet",         1, NULL, 'B'},
+    {"no-save",             0, NULL, NO_SAVE_ARGS},
     {"server-command",      1, NULL, 'C'},
     {"digest-type",         1, NULL, FKO_DIGEST_NAME},
     {"destination",         1, NULL, 'D'},
@@ -76,6 +79,7 @@ static struct option cmd_opts[] =
     {"quiet",               0, NULL, 'q'},
     {"rand-port",           0, NULL, 'r'},
     {"spoof-src",           1, NULL, 'Q'},
+    {"show-last",           0, NULL, SHOW_LAST_ARGS},
     {"source-port",         1, NULL, 'S'},
     {"test",                0, NULL, 'T'},
     {"time-offset-plus",    1, NULL, TIME_OFFSET_PLUS},

src/fwknop.c

@@ -34,6 +34,8 @@
 char* get_user_pw(fko_cli_options_t *options, int crypt_op);
 static void display_ctx(fko_ctx_t ctx);
 void errmsg(char *msg, int err);
+static void show_last_command(void);
+static void save_args(int argc, char **argv);
 static int set_message_type(fko_ctx_t ctx, fko_cli_options_t *options);
 static int set_nat_access(fko_ctx_t ctx, fko_cli_options_t *options);
 static int get_rand_port(fko_ctx_t ctx);
@@ -53,6 +55,13 @@ main(int argc, char **argv)
     */
     config_init(&options, argc, argv);
 
+    /* Handle options that don't require a libfko context
+    */
+    if(options.show_last_command)
+        show_last_command();
+    else if (!options.no_save_args)
+        save_args(argc, argv);
+
     /* Intialize the context
     */
     res = fko_new(&ctx);
@@ -370,8 +379,8 @@ print_proto(int proto)
     return;
 }
 
-static
-int get_rand_port(fko_ctx_t ctx)
+static int
+get_rand_port(fko_ctx_t ctx)
 {
     char *rand_val = NULL;
     int   port     = 0;
@@ -384,9 +393,22 @@ int get_rand_port(fko_ctx_t ctx)
         exit(EXIT_FAILURE);
     }
 
-    /* convert to a random value between 1024 and 65535
+    /* Convert to a random value between 1024 and 65535
     */
-    return (MIN_HIGH_PORT + (atoi(rand_val) % (MAX_PORT - MIN_HIGH_PORT)));
+    port = (MIN_HIGH_PORT + (abs(atoi(rand_val)) % (MAX_PORT - MIN_HIGH_PORT)));
+
+    /* Force libfko to calculate a new random value since we don't want to
+     * given anyone a hint (via the port value) about the contents of the
+     * encrypted SPA data.
+    */
+    res = fko_set_rand_value(ctx, NULL);
+    if(res != FKO_SUCCESS)
+    {
+        errmsg("get_rand_port(), fko_get_rand_value", res);
+        exit(EXIT_FAILURE);
+    }
+
+    return port;
 }
 
 static void
@@ -401,7 +423,8 @@ dump_transmit_options(fko_cli_options_t *options)
 /* See if the string is of the format "<ipv4 addr>:<port>",
  * e.g. "123.1.2.3,12345" - this needs work.
 */
-static int ipv4_str_has_port(char *str)
+static int
+ipv4_str_has_port(char *str)
 {
     int rv = 0, i;
 
@@ -458,6 +481,95 @@ set_nat_access(fko_ctx_t ctx, fko_cli_options_t *options)
     return fko_set_spa_nat_access(ctx, nat_access_buf);
 }
 
+static int
+get_save_file(char *args_save_file)
+{
+    char *homedir = NULL;
+    int rv = 0;
+
+    homedir = getenv("HOME");
+
+    if (homedir != NULL) {
+        snprintf(args_save_file, MAX_PATH_LEN, "%s%s%s",
+            homedir, "/", ".fwknop.run");
+        rv = 1;
+    }
+    return rv;
+}
+
+/* Show the last command that was executed
+*/
+static void
+show_last_command(void)
+{
+    char args_save_file[MAX_PATH_LEN];
+    char args_str[MAX_LINE_LEN] = "";
+    FILE *args_file_ptr = NULL;
+
+#ifdef WIN32
+    /* Not sure what the right thing is here on Win32, just exit
+     * for now.
+    */
+    printf("[*] --show-last not implemented on Win32 yet.");
+    exit(EXIT_FAILURE);
+#endif
+
+    if (get_save_file(args_save_file)) {
+        if ((args_file_ptr = fopen(args_save_file, "r")) == NULL) {
+            printf("[*] Could not open args file: %s\n",
+                args_save_file);
+            exit(EXIT_FAILURE);
+        }
+        if ((fgets(args_str, MAX_LINE_LEN, args_file_ptr)) != NULL) {
+            printf("[+] Last fwknop client command line: %s", args_str);
+        } else {
+            printf("[-] Could not read line from file: %s\n", args_save_file);
+        }
+        fclose(args_file_ptr);
+    }
+
+    exit(EXIT_SUCCESS);
+}
+
+/* Save our command line arguments
+*/
+static void
+save_args(int argc, char **argv)
+{
+    char args_save_file[MAX_PATH_LEN];
+    char args_str[MAX_LINE_LEN] = "";
+    FILE *args_file_ptr = NULL;
+    int i = 0, args_str_len;
+
+#ifdef WIN32
+    /* Not sure what the right thing is here on Win32, just return
+     * for now.
+    */
+    return;
+#endif
+
+
+    if (get_save_file(args_save_file)) {
+        if ((args_file_ptr = fopen(args_save_file, "w")) == NULL) {
+            printf("[*] Could not open args file: %s\n",
+                args_save_file);
+            exit(EXIT_FAILURE);
+        }
+        for (i=0; i < argc; i++) {
+            args_str_len += strlen(argv[i]);
+            if (args_str_len >= MAX_PATH_LEN) {
+                printf("[*] argument string too long, exiting.\n");
+                exit(EXIT_FAILURE);
+            }
+            strlcat(args_str, argv[i], MAX_PATH_LEN);
+            strlcat(args_str, " ", MAX_PATH_LEN);
+        }
+        fprintf(args_file_ptr, "%s\n", args_str);
+        fclose(args_file_ptr);
+    }
+    return;
+}
+
 /* Set the SPA packet message type
 */
 static int
@@ -505,7 +617,6 @@ set_message_type(fko_ctx_t ctx, fko_cli_options_t *options)
             message_type = FKO_ACCESS_MSG;
         }
     }
-printf("....setting message type to: %d\n", message_type);
     return fko_set_spa_message_type(ctx, message_type);
 }
 

src/fwknop_common.h

@@ -124,6 +124,8 @@ typedef struct fko_cli_options
     char get_key_file[MAX_LINE_LEN];
     char save_packet_file[MAX_LINE_LEN];
     int  save_packet_file_append;
+    int  show_last_command;
+    int  no_save_args;
     char spa_server_str[MAX_SERVER_STR_LEN];  /* may be a hostname */
     char allow_ip_str[MAX_IP_STR_LEN];
     char spoof_ip_src_str[MAX_IP_STR_LEN];