DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity
fwknop/doc/libfko.texi
Damien Stuart 078661e355 Fixed typo (actually a cut-and-paste remnant) in the doc. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@126 510a4753-2344-4c79-9c09-4d669213fbeb
2009-08-02 21:27:46 +00:00

1305 lines
49 KiB
Plaintext
Raw Blame History

\input texinfo @c -*-texinfo-*-
@c %**start of header
@setfilename libfko.info
@include version.texi
@settitle Firewall Knock Operator Library - libfko
@c @setchapternewpage odd
@ifnothtml
@setcontentsaftertitlepage
@end ifnothtml
@finalout
@c Unify some of the indices.
@syncodeindex tp fn
@syncodeindex pg fn
@syncodeindex vr fn
@c %**end of header
@copying
This manual is for the Firewall Knock Operator library, libfko.
(version @value{VERSION}, last updated @value{UPDATED}).
Copyright @copyright{} 2009 Damien Stuart.
@quotation
The libfko manual is free; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
The libfko manual is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this manual; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
@end quotation
@end copying
@dircategory Network Security
@direntry
* libfko: (libfko). The FireWall KNock OPerator (fwknop) Library - libfko
@end direntry
@titlepage
@title libfko
@subtitle The Firewall Knock Operator Library
@subtitle Edition @value{EDITION}, @value{UPDATED}
@author Damien S. Stuart
@page
@vskip 0pt plus 1filll
@insertcopying
@end titlepage
@contents
@ifnottex
@node Top
@top Main Menu
@insertcopying
@end ifnottex
@menu
* Introduction:: How to use this manual
* Preparation:: What you should do before using the library
* Using libfko:: How to use libfko in your program
Appendices
* Library Copying:: The GNU General Public License says
how you can copy and share
Indices
* Concept Index:: Index of concepts and programs
* Function and Data Index:: Index of functions, variables and data types
@detailmenu
--- The Detailed Node Listing ---
Introduction
* Getting Started:: Purpose of the manual, and how to use it
* Features:: Reasons to install and use libfko
* Overview:: Basic overview of @acronym{SPA} and
architecture of the libfko library
Overview
* SPA Data Format:: Description of the @acronym{SPA} data
format.
Preparation
* libfko Header:: What header file you need to include
* Compiling with libfko:: What you need to compile and link your
program with libfko
* SPA Parameter Types:: The available digests, message types and
modes of encryption for @acronym{SPA} data
Using libfko
* Creating Contexts:: Creating a new fko context
* Destroying Contexts:: Releasing an fko context
* Creating a SPA Message:: What it takes to create a @acronym{SPA}
message
* Setting SPA Data:: Setting @acronym{SPA} data
* Retrieving SPA Data:: Retrieving @acronym{SPA} data
* Utility Functions:: Other utility, miscellaneous, and seldom
used functions
* Error Handling:: Possible errors and their meaning
SPA Parameter Types
* Digests:: The message digest hashes supported by libfko
* SPA Messages:: The fko @acronym{SPA} message types
supported by libfko (and fwknop)
* Encryption Algorithms:: Encryption schemes supported by libfko
@end detailmenu
@end menu
@node Introduction
@chapter Introduction
@cindex fwknop
@cindex Firewall Knock Operator, intro
@cindex SPA, intro
@cindex Single Packet Authorization, intro
The ``Firewall Knock Operator Library'' (libfko) is a C language library that
implements the functions needed to create and/or parse
@dfn{Single Packet Authorization} (@acronym{SPA}) data. It is designed to
abstract the details of encoding, encryption, decoding, parsing, and verifying
@acronym{SPA} messages such as those used by Michael Rash's @dfn{Firewall
Knock Operator} (fwknop).
@dfn{fwknop} implements @acronym{SPA}; an authorization scheme that requires
only a single encrypted packet to communicate various pieces of information
including desired access through an iptables policy and/or specific commands
to execute on the target system. The main application for a program of this
type is to protect services such as SSH with an additional layer of security
in order to make the exploitation of vulnerabilities much more difficult.
libfko is not an implementation of an fwknop client or server. It simply
provides the functions for managing the @acronym{SPA} data used by those
programs.
@sp 1
@noindent
For more information on fwknop and @acronym{SPA}, go to
@uref{http://www.cipherdyne.org/fwknop}.
@menu
* Getting Started:: Purpose of the manual, and how to use it
* Features:: Reasons to install and use libfko
* Overview:: Basic architecture of the libfko library
@end menu
@node Getting Started
@section Getting Started
This manual documents the ``Firewall Knock Operator'' library programming
interface. All functions and data types provided by the library are
explained.
This manual can be used in a couple of ways. If read from the beginning
to the end, it should give a good introduction into the library and how it
can be used in an application. Later on, the manual can be used as a
reference manual to get just the information needed about any particular
interface of the library.
@node Features
@section Features
The primary advantage of using libfko is it provides a single API for either
creating, or parsing of existing @acronym{SPA} data that is fully compatible
with the current fwknop implemetation (currently written in Perl). Other
advantages include:
@table @asis
@item It's free software
Anybody can use, modify, and redistribute it under the terms of the GNU
General Public License (@pxref{Library Copying}).
@item It's lightweight
The current Perl-based implementation requires several additional Perl
modules and has a relatively large footprint in memory. This C-based
library eliminates those dependencies and has a much smaller footprint.
@item It's easy
libfko hides many of the gory details of fwkop's @acronym{SPA} message data
format, encoding, encrypting, decrypting, decoding, and parsing. In most
cases, only a few function calls will be needed create or parse a @acronym{SPA}
message.
@end table
@node Overview
@section Overview
@menu
* SPA Data Format:: Description of the @acronym{SPA} data
format.
@end menu
libfko functionality can be divided into two roles. One is the creation of
an encrypted @acronym{SPA} message. The other is the taking an encrypted
@acronym{SPA} message to decode, parse, and extract the original data.
The actual @acronym{SPA} data handling and operations are set within a
context. The context represents a single @acronym{SPA} message and provides
configuration parameters and data settings for defining that message. All
operations on the data occur within that context.
Some operations on the context must occur before others. Details of these
dependencies are covered in @ref{Creating a SPA Message}.
@noindent
With libfko, working with @acronym{SPA} message data basically consists of the
following steps in order:
@itemize @bullet
@item
Create a new context
@item
Work with (get/set) the @acronym{SPA} data fields
@item
Destroy the context
@end itemize
@node SPA Data Format
@subsection SPA Data Format
@cindex SPA, data format
The format of the @acronym{SPA} message data used by fwknop (before encryption)
is a colon-delimited string containing the individual @acronym{SPA} data
fields. Some of these fields are base64-encoded in the final encoding process
as dictated by the current fwknop implementation.
@deftypevar data spa_message_fields
Using the libfko names for the data fields, the list of these fields (in
order) follows:
@table @code
@item @strong{rand_value} - @emph{Default: Random (created upon context creation)}
A 16-byte random numeric string.
@item @strong{username} - @emph{Default: Current login user or Value of @env{SPOOF_USER} env var}
The base64-encoded username associated with this @acronym{SPA} data.
@item @strong{timestamp} - @emph{Default: The Unix time at creation}
The Unix timestamp value.
@item @strong{version} - @emph{Default: the current fwknop version}
The current fwknop version that supports this format. This field is not
user settable.
@item @strong{spa_message_type} - @emph{Default: SPA access message (@code{FKO_ACCESS_MSG})}
The @acronym{SPA} message type value for this message.
@item @strong{spa_message}
The base64-encoded @acronym{SPA} message itself (an access request or command
string).
@item @strong{spa_nat_access}
An optional base64-encoded request for NAT access.
@item @strong{spa_server_auth}
An optional base64-encoded string that can be used as an additional
authentication mechanism at the fwknop server.
@item @strong{spa_client_timeout}
An optional client timeout value that can be supplied to the fwknop server.
@item @strong{spa_digest} - @emph{Computed value}
The digest of the previous fields (including the delimiters).
@end table
@end deftypevar
With all fields defined, a complete (unencoded) @acronym{SPA} message would
look something like the following example (Note: The line is broken for
readability and the username, message, nat_access, and server_auth fields
are not base64-encoded):
@sp 1
@example
8307540982176539:juser:1230665172:1.1.10:1:0.0.0.0,tcp/22:192.168.1.2,22:
crypt,mypw:120:xswj8V0zMR7/7MV9pQRarSKWG1l9Zfjv+kbXaKrJ+RA
@end example
@sp 1
For most of the fields, you need not be too concerned about the format as
libfko handles that. The exceptions are the @code{spa_message},
@code{spa_nat_access}, and @code{spa_server_auth}. The formats for these
are not handled by libfko during creation. However, they are checked for
format validity during the endcoding and decoding (when parsing incoming)
@acronym{SPA} data. More information on the specifics of the formats for
these fields can be found in @ref{SPA Messages}.
@node Preparation
@chapter Preparation
This chapter provides information needed to prepare for using libfko
in your programs.
@menu
* libfko Header:: What header file you need to include
* Compiling with libfko:: What you need to compile and link your
program with libfko
* SPA Parameter Types:: The available digests, message types and
modes of encryption for @acronym{SPA} data
@end menu
@node libfko Header
@section libfko Header
@cindex header file
@cindex include file
@cindex fko.h
All interfaces (data types and functions) of the library are defined
in the header file `fko.h'. You must include this in all programs
using the library, either directly or through some other header file,
like this:
@example
#include <fko.h>
@end example
The name space of @acronym{FKO} is @code{fko_*} for function names and
data types and @code{FKO_*} for other symbols. Other symbols internal to
@acronym{FKO} may take the form @code{_fko_*} and @code{_FKO_*}.
@node Compiling with libfko
@section Compiling with libfko
@cindex compiling, with libfko
@cindex linking, with libfko
If you want to compile a source file including the `fko.h' header
file, you must make sure that the compiler can find it in the
directory hierarchy. This is accomplished by adding the path to the
directory in which the header file is located to the compilers include
file search path (via the @option{-I} option).
For example, if you installed libfko in @file{/opt/fko}, you may want to
add @command{-I/opt/fko/include} to @env{CFLAGS}, or directly on the
command-line:
@example
gcc -c foo.c -I/opt/fko/include ...
@end example
A similar problem occurs when linking the program with the library.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search
path (via the @option{-L} option).
Continuing with the example above you may want to add @command{-L/opt/fko/lib}
to @env{LDFLAGS}, or directly on the command-line:
@example
gcc -o foo foo.c -I/opt/fko/include -L/opt/fko/lib -lfko
@end example
@node SPA Parameter Types
@section SPA Parameter Types
@menu
* Digests:: The message digest hashes supported by libfko
* SPA Messages:: The fko @acronym{SPA} message types
supported by libfko (and fwknop)
* Encryption Algorithms:: Encryption schemes supported by libfko
@end menu
@node Digests
@subsection Digests
@cindex digest types
@cindex message digest types
@cindex default message digest
The fwknop system employs a message digest hash of the @acronym{SPA}
data as one of the data fields to act a signature which can be used
at the receiving end to verify the data is valid. This provides a means
to ensure the data was not modified in-transit. The resulting digest
is base64-encoded before it is added to the @acronym{SPA} data.
Currently, libfko support the same three message digests as fwknop. These
are (in order of strength):
@deftypevar int fko_digest_type_t
@table @code
@item FKO_DIGEST_MD5
@item FKO_DIGEST_SHA1
@item FKO_DIGEST_SHA256 (libfko default)
@item FKO_DIGEST_SHA384
@item FKO_DIGEST_SHA512
@end table
@end deftypevar
As indicated in the list above, SHA256 is the default. This means the
digest type does not need to be explicitly set unless you wish to use
one of the other values. This applies to all libfko @acronym{SPA} data
fields that have a default value.
@node SPA Messages
@subsection SPA Messages
@cindex spa, message types
@cindex message types
The fwknop system (and subsequently libfko), support a specific set of
message types. The message type value is used by fwkop to help determine
the correct message format and content. These message types are:
@deftypevar int fko_message_type_t
@table @code
@item FKO_COMMAND_MSG
A request to have the fwknop server execute the given command. The format
for this type is: @samp{<ip of requestor>:<command text>}
@example
"192.168.1.2:uname -a"
@end example
@item FKO_ACCESS_MSG
A basic access request. This is the most common type in use. The format
for this type is: @samp{<ip of requestor>:<protocol>/<port>}.
@example
"192.168.1.2:tcp/22"
@end example
@item FKO_NAT_ACCESS_MSG
An access request that also provide information for the fwknop server
to create a Network Address Translation (@acronym{NAT} to an internal
address. The format for this string is: @samp{<internal ip>,<ext nat port>}.
@example
"10.10.1.2,9922"
@end example
@item FKO_CLIENT_TIMEOUT_ACCESS_MSG
This is an FKO_ACCESS_REQUEST with a timeout parameter for the fwknop server.
The timeout value is provided via the @code{client_timeout} data field.
@item FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
This is an FKO_NAT_ACCESS_REQUEST with a timeout parameter for the fwknop
server. The timeout value is provided via the @code{client_timeout} data
field.
@item FKO_LOCAL_NAT_ACCESS_MSG
This is similar to the FKO_NAT_ACCESS request exept the @acronym{NAT} is
to the local to the server (i.e. a service listening on 127.0.0.1).
@item FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG
This is an FKO_LOCAL_NAT_ACCESS_REQUEST with a timeout parameter for the
fwknop server. The timeout value is provided via the @code{client_timeout}
data field.
@end table
@end deftypevar
@node Encryption Algorithms
@subsection Encryption Algorithms
@cindex encryption types
@cindex default encryption
One of the final steps in creating an fwknop @acronym{SPA} message is
encrypting the entire message. Currently, fwknop supports two methods
of encryption:
@deftypevar int fko_encryption_type_t
@table @code
@item FKO_ENCRYPTION_RIJNDAEL (default)
@item FKO_ENCRYPTION_GPG
@end table
@end deftypevar
As indicated, libfko only uses Rijndael encryption by default. Rijndael
encryption is sufficient for most users and produces a much smaller data
packet than @acronym{GPG} (around 146 bytes or so compared to around 1K for
@acronym{GPG}).
However, some may prefer the higher level of security provided by @acronym{GPG}.
When selected, additional parameters such as @emph{recipient} and @emph{signer}
will need to be set as well. See @ref{Setting SPA Data} for detail on
setting these and other @acronym{SPA} data fields.
@node Using libfko
@chapter Using libfko
This chapter provides the ``howto'' for using libfko, including required
functions and parameter choices. In some places, code samples are provided
to further illustrate usage.
@menu
* Creating Contexts:: Creating a new fko context
* Destroying Contexts:: Releasing an fko context
* Creating a SPA Message:: What it takes to create a @acronym{SPA}
message
* Setting SPA Data:: Setting @acronym{SPA} data
* Retrieving SPA Data:: Retrieving @acronym{SPA} data
* Utility Functions:: Other utility, miscellaneous, and seldom
used functions
* Error Handling:: Possible errors and their meaning
@end menu
@node Creating Contexts
@section Creating Contexts
@cindex context, creation
Before doing anything with libfko, you need to create a context. As stated
earlier, A context can created for one of two reasons. One is for the
purpose of building a new fko @acronym{SPA} message from scratch (typically
to be packaged and sent to an fwknop server somewhere). The other would be
a context for taking an existing @acronym{SPA} message for decoding,
parsing, and data extraction.
@noindent
For building a new fko @acronym{SPA} message, you will use the @code{fko_new}
function:
@deftypefun int fko_new (@w{fko_ctx_t @var{*ctx}})
The function @code{fko_new} sets up and initializes a new @code{fko_ctx_t}
object, pre-populates default values and returns a handle for it in @var{ctx}.
The function returns the error code @code{FKO_SUCCESS} if the context was
successfully created. Otherwise an another error code will be returned
(@pxref{Error Handling} for details on the various error codes and their
meanings).
@end deftypefun
@example
fko_ctx_t ctx;
int rc;
rc = fko_new(&ctx);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error %i from fko_new: %s\n", fko_errstr(rc));
exit(1);
@}
@end example
@noindent
For a context that will be used for receiving and parsing an existing
@acronym{SPA} message, you will use the @code{fko_new_with_data} function:
@deftypefun int fko_new_with_data (@w{fko_ctx_t @var{*ctx}, char @var{*data}, char @var{*key}})
The function @code{fko_new_with_data} sets up and initializes a new
@code{fko_ctx_t} context, but instead of initializing default values, it
stores the encrypted message data and makes it ready for parsing. This
can be done in one of two ways. One is to pass @code{NULL} for the third
argument. The context will be created and the data will be stored, but no
decryption or decoding takes place. In this case, you will need to call
@code{fko_decrypt_spa_data} at a later time. The other way to do it is
to supply the @var{key} value; which would be the password or decryption
key. In this case, the context is created, the @acronym{SPA} data is
decrypted, decoded, parsed, and stored in the context ready for retrieval.
The @code{fko_new_with_data} function returns the error code
@code{FKO_SUCCESS} if the context was successfully created. If any of the
intermediate steps in parsing the data, validating the @acronym{SPA} message
digest, or any other internal action fails, then the appropriate error code
is returned.
@end deftypefun
@noindent
The most common (simple) case...
@example
fko_ctx_t ctx;
char *spa_data;
char *key;
int rc;
/* Assume we called code that retrieves the data and key
*/
rc = fko_new_with_data(&ctx, spa_data, key);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error %i from fko_new_with_data\n");
exit(1);
@}
@end example
@noindent
Or, perhaps you need to defer decryption and parsing to a later point
in the program. We could use fko_new_with_data(), passing NULL for the
decryption key, or we could use fko_new() to create an empty context,
then use fko_set_spa_data() to add the encypted data (see comments in the code
samples).
@example
fko_ctx_t ctx;
char *spa_data;
char *key;
int rc;
/* Assume we called code that retrieves the data and key
*/
rc = fko_new_with_data(&ctx, spa_data, NULL);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error %i from fko_new_with_data\n");
exit(1);
@}
/* We could also just create and empty context and add the
* encrypted data as follows:
*
* rc = fko_new(&ctx);
* ... check rc ...
* rc = fko_set_spa_data(ctx, spa_data);
* ...
*/
/* Assume we called other code and functions... */
/* Decrypt and decode...
*/
rc = fko_decrypt_spa_data(ctx, key);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error %i from fko_decrypt_spa_data\n");
exit(1);
@}
@end example
@node Destroying Contexts
@section Destroying Contexts
@cindex context, destruction
When you are done with the context, you must destroy it in order to free up
the memory and resources it was using. This is especially important in
programs that process @acronym{SPA} data repeatedly (i.e. in a loop).
Failure to destroy the context can cause memory leaks in your program.
@deftypefun void fko_destroy (@w{fko_ctx_t @var{ctx}})
The function @code{fko_destroy} destroys the context with the handle
@var{ctx} and releases all associated resources.
@end deftypefun
@node Creating a SPA Message
@section Creating a SPA Message
@cindex spa, message data creation
@cindex spa, data creation code sample
This section describes the process for creating a new fko
@acronym{SPA} message. After creating a context, there are still some
requisite @acronym{SPA} data fields and @acronym{SPA} parameters that need
to be set before the final encrypted message is ready.
The following list contains the minimum required fields for a complete fko
@acronym{SPA} message. You should also take note of the order of these
parameters as well. Setting the ``type'' parameters first is recommended
(if you want a type other than the default).
@itemize @bullet
@item digest_type -- @emph{(default may suffice)}
@item message_type -- @emph{(default may suffice)}
@item encryption_type -- @emph{(default may suffice)}
@item rand_val -- @emph{(default should suffice)}
@item time_stamp -- @emph{(default should suffice)}
@item username -- @emph{(default may suffice)}
@item spa_message -- @emph{(must be explicitly set)}
@end itemize
@noindent
@emph{If using gpg encryption:}
@itemize @bullet
@item gpg_recipient -- @emph{(must be explicitly set)}
@item gpg_signer -- @emph{(optional, but recommended - must be explicitly set)}
@item gpg_home_dir -- @emph{(default may suffice)}
@end itemize
When a context is initialized, some of the @acronym{SPA} data fields are
pre-set with default values (@pxref{SPA Data Format}). For fields such
as @code{rand_val}, @code{username}, @code{timestamp}, @code{message_type},
and @code{digest_type}, these defaults may be sufficient.
The functions used to set the various @acronym{SPA} data fields and
parameters are described in detail in @ref{Setting SPA Data}.
@noindent
@strong{Note}: Attempts to call any ``@code{fko_}'' function on a context that
has not been initialized can have undefined consequences. Libfko will attempt
to recover, and if succussful, will return a status of
@code{FKO_ERROR_CTX_NOT_INITIALIZED}.
A common @acronym{SPA} message is a simple access request. This request asks
the fwknop server to create a temporary firewall rule to allow a particular
IP address access to a particular port. Assuming the defaults are fine
for this, all we need to do is create the context, set the message data
field, call the @code{fko_spa_data_final} function to encode and encrypt,
process the message, then destroy the context. Below, we havea contrived bit
of code demonstrating this:
@example
int
main(int argc, char **argv)
@{
fko_ctx_t ctx; /* FKO Context */
char *password; /* Encryption password */
char *final_spa; /* Final encrypted SPA data */
int rc; /* Result code */
/* Assume we processed the command line
* and retrieved the password.
*/
/* Create the context */
rc = fko_new(&ctx);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error creating context: %s\n", fko_errstr());
exit(1);
@}
/* Set the SPA message field */
rc = fko_set_spa_message(ctx, "0.0.0.0,tcp/22");
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Set SPA message failed: %s\n", fko_errstr());
exit(1);
@}
/* Let us assume we are using GPG encryption. So we need to
* set the encryption type and set the required GPG parameters
* (we can skip checking return values for brevity).
*/
rc = fko_set_spa_encryption_type(ctx, FKO_ENCRYPTION_GPG);
/* Key for the recipient */
rc = fko_set_gpg_recipient(ctx, "recip@@some.where");
/* Key for the signer (if you want to sign it) */
rc = fko_set_gpg_signer(ctx, "me@@right.here");
/* Finalize the SPA data */
rc = fko_spa_data_final(ctx);
if(rc != FKO_SUCCESS)
@{
fprintf(stderr, "Error encoding SPA data: %s\n", fko_errstr());
exit(1);
@}
/* Take the final message and do something with it */
rc = fko_get_spa_data(ctx, &final_spa);
/* Assume this function packs the spa data into a UDP
* packet and sends it to the server.
*/
send_spa_message(final_spa);
/* Done with the context */
fko_destroy(ctx);
exit(0);
@}
@end example
@node Setting SPA Data
@section Setting SPA Data
@cindex spa data, setting values
This section describes the functions used for setting the various
@acronym{SPA} data fields and parameters. All of these functions
return an integer representing the return status of the function. When
succesfull, they will return @code{FKO_SUCCESS}. Otherwise, an error
code value is returned.
@deftypefun int fko_set_spa_digest_type (@w{fko_ctx_t @var{ctx}, short @var{digest_type}});
Set the message digest type. Valid values can be found in @ref{Digests}
of this manual. If a value other than the those that are supported is given,
the function will return @code{FKO_ERROR_INVALID_DATA}.
For example:
@example
rc = fko_set_digest_type(ctx, FKO_DIGEST_SHA1);
@end example
@end deftypefun
@deftypefun int fko_set_spa_encryption_type (@w{fko_ctx_t @var{ctx}, short @var{encrypt_type}});
Set the encrytion algorithm to use when ecrypting the final @acronym{SPA}
data. Valid values can be found in @ref{Encryption Algorithms} of this
manual.
For example:
@example
rc = fko_set_encryption_type(ctx, FKO_ENCRYPTION_RIJNDAEL);
@end example
@end deftypefun
@deftypefun int fko_set_rand_value (@w{fko_ctx_t @var{ctx}, const char @var{*val}});
Set the random value portion of the spa data to the given value. The
given value must be a pointer to a 16-character decimal numeric string
or NULL. If the value is NULL, the function generate a new random value.
If a string value is provided, it must not a 16-character decimal string,
the function will return @code{FKO_ERROR_INVALID_DATA}.
@end deftypefun
@deftypefun int fko_set_username (@w{fko_ctx_t @var{ctx}, const char @var{*spoof_user}});
Set the username field of the @acronym{SPA} data. If a NULL pointer is
given, libfko will first look for the environment variable @env{SPOOF_USER}
and use its value if found. Otherwise, it will try to determine the username
itself using various methods starting with @code{cuser} or @code{getlogin},
then fallback to the environment variables @env{LOGNAME} or @env{USER}. If
none of those work, the function will return @code{FKO_ERROR_USERNAME_UNKNOWN}.
@end deftypefun
@deftypefun int fko_set_timestamp (@w{fko_ctx_t @var{ctx}, int @var{offset}});
Sets the timestamp value of the SPA data to the current time plus the offset
value.
@end deftypefun
@deftypefun int fko_set_spa_message_type (@w{fko_ctx_t @var{ctx}, short @var{msg_type}});
Sets the message type for the SPA data. The choices for the
@code{spa_message_type} are listed in @ref{SPA Messages}.
For example:
@example
rc = fko_set_spa_message_type(ctx, FKO_ACCESS_MSG);
@end example
@end deftypefun
@deftypefun int fko_set_spa_message (@w{fko_ctx_t @var{ctx}, const char @var{*msg_string}});
Set the SPA message string to the given value. If this string does not
conform to the required @code{spa_nat_access} format, the function will
return @code{FKO_ERROR_INVALID_DATA}.
@end deftypefun
@deftypefun int fko_set_spa_nat_access (@w{fko_ctx_t @var{ctx}, const char @var{*nat_access}});
Set the optional SPA nat access string to the given value. If this string
does not conform to the required @code{spa_nat_access} format, the function
will return
@code{FKO_ERROR_INVALID_DATA}.
@end deftypefun
@deftypefun int fko_set_spa_server_auth (@w{fko_ctx_t @var{ctx}, const char @var{*server_auth}});
Set the optional (very seldom used) SPA server auth feature to the given
value. This parameter may become deprecated.
@end deftypefun
@deftypefun int fko_set_spa_client_timeout (@w{fko_ctx_t @var{ctx}, int @var{timeout}});
Sets the SPA client timeout value. If the timeout is set to a value greater
than 0, it is assumed the @code{spa_message_type} setting should be one of
the ``TIMEOUT'' variants. This function will change the @code{message_type}
to the appropriate setting if necessary. However, it is recommended you set
the correct @code{message_type} ahead of time.
@end deftypefun
@deftypefun int fko_set_spa_digest (@w{fko_ctx_t @var{ctx}});
Initiates a calculation (or recalculation) if the message digest hash for the
current @acronym{SPA} data. If the required data fields are not set this
function will return @code{FKO_ERROR_MISSING_ENCODED_DATA}.
@strong{Note}: It should not be necessary to call this function directly
as it will be called automatically by other functions during normal
processing (most notably @code{fko_spa_data_final}).
@end deftypefun
@deftypefun int fko_set_spa_data (@w{fko_ctx_t @var{ctx}, char @var{*enc_data}});
This function is used to place encrypted @acronym{SPA} data into a newly
created empty context (i.e. with @code{fko_new}). In most cases, you would
use @code{fko_new_with_data} so you wouldn't have to take the extra step to
use this function. However, some may find a reason to do it in this way.
@end deftypefun
@cindex gpg-specific functions
@noindent
@emph{GPG-specific functions:}
@deftypefun int fko_set_gpg_recipient (@w{fko_ctx_t @var{ctx}, const char @var{recipient}});
Sets the @acronym{GPG} key for the recipient. This would be the recipient's
public key used to encyrpt the @acronym{SPA} data. You can use the user name
("recip@@the.dest.com") or the key ID ("5EXXXXCC"). At present, multiple
recipients are not supported.
@end deftypefun
@deftypefun int fko_set_gpg_signer (@w{fko_ctx_t @var{ctx}, const char @var{signer}});
Sets the @acronym{GPG} key for signing the data. This would be the sender's
key used to sign the @acronym{SPA} data. You can use the user name or key ID.
@end deftypefun
@deftypefun int fko_set_gpg_home_dir (@w{fko_ctx_t @var{ctx}, const char @var{home_dir}});
Sets the @acronym{GPG} home directory for the current gpgme context. This
allows for using alternate keyrings, gpg configurations, etc.
@end deftypefun
@deftypefun int fko_set_gpg_signature_verify (@w{fko_ctx_t @var{ctx}, unsigned char @var{verify}});
Sets the verify @acronym{GPG} signature flag. When set to a true value, the
@acronym{GPG} signature is extracted and checked for validity during the
decryption/decoding phase. When set to false, no attempt is made to access
or check the signature. This flag is set to true by default.
@end deftypefun
@deftypefun int fko_set_gpg_ignore_verify_error (@w{fko_ctx_t @var{ctx}, unsigned char @var{ignore}});
Sets the ignore signature verify error flag. When set to a true value. Any
signature verification errors are ignored (but still captured) and the
decoding process will continue. The default value of this flag is false.
@end deftypefun
@noindent
@strong{Note}: On a libfko build without @acronym{GPG} support, the
GPG-related functions above will simply return the FKO_ERROR_UNSUPPORTED_FEATURE
error code.
@node Retrieving SPA Data
@section Retrieving SPA Data
@cindex spa data, retrieving values
This section describes the functions used for retrieving the various
@acronym{SPA} data fields and parameters settings. They all return
an FKO error code. The value of the respective field or parmeter that is
being retrieved will placed into the variables whose addresses are passed
to the function.
@deftypefun int fko_get_spa_data (@w{fko_ctx_t @var{ctx}, char @var{**spa_data}});
Assigns the pointer to the string holding the final encrypted
@acronym{SPA} data to the address @var{spa_data} is pointing to. This is the
data that would be packaged into a packet and sent to an fwknop server.
The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_rand_value (@w{fko_ctx_t @var{ctx}, char @var{**rand_val}});
Assigns the pointer to the string holding the random 16-character decimal
number (@code{rand_val}) associated with the current context to the address
@var{rand_val} is pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_username (@w{fko_ctx_t @var{ctx}, char @var{**username}});
Assigns the pointer to the string holding the username associated with the
current context to the address @var{rand_val} is pointing to. The return value
is an FKO error status.
@end deftypefun
@deftypefun int fko_get_timestamp (@w{fko_ctx_t @var{ctx}, unsigned int @var{*timestamp}});
Sets the value of the @var{timestamp} variable to the timestamp value
associated with the current context. The return value is an FKO error
status.
@end deftypefun
@deftypefun int fko_get_spa_message_type (@w{fko_ctx_t @var{ctx}, short @var{*msg_type}});
Sets the value of the @var{msg_type} variable to the @acronym{SPA} message
type value associated with the current context. This value can be checked
against the list of valid message_types listed in @ref{SPA Messages} of this
manual. For example:
@example
short msg_type;
rc = fko_get_spa_message_type(ctx, &msg_type);
switch(msg_type)
@{
case FKO_ACCESS_MSG:
process_access_msg(...);
break;
case FKO_NAT_ACCESS_MSG:
process_nat_access_msg(...);
break;
/*...and so on...*/
@}
@end example
The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_message (@w{fko_ctx_t @var{ctx}, char @var{**spa_msg}});
Assigns the pointer to the string holding the the fko @acronym{SPA} request
message associated with the current context to the address @var{spa_msg} is
pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_nat_access (@w{fko_ctx_t @var{ctx}, char @var{**nat_access}});
Assigns the pointer to the string holding the the fko @acronym{SPA} nat access
message associated with the current context to the address @var{nat_access} is
pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_server_auth (@w{fko_ctx_t @var{ctx}, char @var{**server_auth}});
Assigns the pointer to the string holding the the fko @acronym{SPA} server
auth message associated with the current context to the address
@var{server_auth} is pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_client_timeout (@w{fko_ctx_t @var{ctx}, int @var{*client_timeout}});
Sets the value of the @var{client_timeout} variable to the client_timeout
value associated with the current context. The return value is an FKO error
status.
@end deftypefun
@deftypefun int fko_get_spa_digest_type (@w{fko_ctx_t @var{ctx}, short @var{*digest_type}});
Sets the value of the @var{digest_type} variable to the digest type value
associated with the current context. This value can be checked against the
list of valid digest_types listed in @ref{Digests} of this manual. The
return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_digest (@w{fko_ctx_t @var{ctx}, char @var{**spa_digest}});
Assigns the pointer to the string holding the the fko @acronym{SPA} digest
value associated with the current context to the address @var{spa_digest}
is pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_spa_encryption_type (@w{fko_ctx_t @var{ctx}, short @var{*enc_type}});
Sets the value of the @var{enc_type} variable to the encryption type value
associated with the current context. This value can be checked against the
list of valid digest_types listed in @ref{Encryption Algorithms} of this
manual. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_encoded_data (@w{fko_ctx_t @var{ctx}, char @var{**enc_msg}});
Assigns the pointer to the string holding the the encoded @acronym{SPA} data
(before encryption) associated with the current context to the address
@var{enc_msg} is pointing to. This is intermediate data that would not
normally be of use unless debugging the library. The return value is an
FKO error status.
@end deftypefun
@deftypefun int fko_get_version (@w{fko_ctx_t @var{ctx}, char @var{**fko_version}});
Assigns the pointer to the string holding the the @acronym{SPA} version
value associated with the current context to the address @var{fko_version}
is pointing to. This is a static value for @acronym{SPA} data that is being
created in a new context. For data parsed from an external source, the
version string will be whatever version the sending client used. The return
value is an FKO error status.
@end deftypefun
@cindex gpg-specific functions
@noindent
@emph{GPG-specific functions:}
@deftypefun int fko_get_gpg_recipient (@w{fko_ctx_t @var{ctx}, char @var{**recipient}});
Assigns the pointer to the string holding the the @acronym{GPG} recipient ID
associated with the current context to the address @var{recipient} is pointing
to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_gpg_signer (@w{fko_ctx_t @var{ctx}, char @var{**signer}});
Assigns the pointer to the string holding the the @acronym{GPG} signer ID
associated with the current context to the address @var{signer} is pointing
to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_gpg_home_dir (@w{fko_ctx_t @var{ctx}, char @var{**gpg_dir}});
Assigns the pointer to the string holding the the @acronym{GPG} home directory
associated with the current context to the address @var{recipient} is pointing
to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_gpg_signature_verify (@w{fko_ctx_t @var{ctx}, unsigned char @var{*val}});
Sets the value of the @var{val} variable to the current gpg_signature_verify
flag value associated with the current context. The return value is an FKO error
status.
@end deftypefun
@deftypefun int fko_get_gpg_ignore_verify_error (@w{fko_ctx_t @var{ctx}, unsigned char @var{*val}});
Sets the value of the @var{val} variable to the current ignore_verify_error
flag value associated with the current context. The return value is an FKO error
status.
@end deftypefun
@deftypefun int fko_get_gpg_signature_id (@w{fko_ctx_t @var{ctx}, char @var{**sig_id}});
Assigns the pointer to the string holding the the @acronym{GPG} signature ID
associated with the current context to the address @var{sig_id} is pointing
to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_gpg_signature_fpr (@w{fko_ctx_t @var{ctx}, char @var{**sig_fpr}});
Assigns the pointer to the string holding the the @acronym{GPG} signature
fingerprint associated with the current context to the address @var{sig_id}
is pointing to. The return value is an FKO error status.
@end deftypefun
@deftypefun int fko_get_gpg_signature_summary (@w{fko_ctx_t @var{ctx}, unsigned char @var{*sig_sum}});
Sets the value of the @var{sig_sum} variable to the @acronym{GPG} signature
summary value associated with the current context. The return value is an FKO error
status.
@end deftypefun
@deftypefun int fko_get_gpg_signature_status (@w{fko_ctx_t @var{ctx}, unsigned char @var{*sig_stat}});
Sets the value of the @var{sig_stat} variable to the @acronym{GPG} signature
error status value associated with the current context. The return value is an FKO error
status.
@end deftypefun
@noindent
@strong{Note}: The char* values retrieved by the GPG-related functions above
will be NULL if the context value was not previously set.
@node Utility Functions
@section Utility Functions
@cindex utility functions
@cindex spa data, utility functions
This section describes the functions not covered elsewhere in this
manual. These are utility functions that operate on the data in the fko
context. All but @code{fko_spa_data_final} are called by other functions
and are not normally explictly called by the user. However, they can
be, so they are listed here.
All of these functions return an integer representing the return status of
the function. When succesfull, they will return @code{FKO_SUCCESS}.
Otherwise, an error code value is returned.
@deftypefun int fko_spa_data_final (@w{fko_ctx_t @var{ctx}, char @var{*enc_key}});
This function is the final step in creating a complete encrypted
@acronym{SPA} data string suitable for transmission to an fwknop server.
It does require all of the requisite @acronym{SPA} data fields be set,
otherwise it will fail with an appropriate error code.
@end deftypefun
@deftypefun int fko_decrypt_spa_data (@w{fko_ctx_t @var{ctx}, char @var{*dec_key}});
When given the correct @var{key} (passsword), this function decrypts, decodes,
and parses the encrypted @acronym{SPA} data that was supplied to the context
via the @code{fko_new_with_data} function that was also called without the
@var{key} value. Once the data is decrypted, this function will also call
@code{fko_decode_spa_data} to decode, parse, validate, and store the data
fields in the context for later retrieval.
@end deftypefun
@deftypefun int fko_encrypt_spa_data (@w{fko_ctx_t @var{ctx}, char @var{*enc_key}});
Encrypts the intermediate encoded @acronym{SPA} data stored in the context.
This function will call @code{fko_encode} if necessary. It is normally not
called directly as it is called from @code{fko_spa_data_final}.
@end deftypefun
@deftypefun int fko_decode_spa_data (@w{fko_ctx_t @var{ctx}});
This function performs the decoding, parsing, validation of the @acronym{SPA}
data that was just decrypted. It is normally not called directly as it is
called from @code{fko_decrypt_spa_data} (which is in turn called from
@code{fko_new_with_data} if a password is supplied to it).
@end deftypefun
@deftypefun int fko_encode_spa_data (@w{fko_ctx_t @var{ctx}});
Performs the base64 encoding of those @acronym{SPA} data fields that
need to be encoded, performs some data validation, and calls
@code{fkp_set_spa_digest} to recompute the @acronym{SPA} message
digest. It is normally not called directly as it is
called from @code{fko_encrypt_spa_data} (which is in turn called from
@code{fko_spa_data_final}).
@end deftypefun
@cindex gpg-specific functions
@noindent
@emph{GPG-specific utility functions:}
@deftypefun int fko_gpg_signature_id_match (@w{fko_ctx_t @var{ctx}, const char @var{*id}, unsigned char @var{*id_match}});
Sets the value of the @var{id_match} variable to true (1) if the value of
@var{id} matches the ID of the @acronym{GPG} signature associated with the
current context. Otherwise, @var{id_match} is set to false (0). The return
value is an FKO error status.
@end deftypefun
@deftypefun int fko_gpg_signature_fpr_match (@w{fko_ctx_t @var{ctx}, const char @var{*fpr}, unsigned char @var{*fpr_match}});
Sets the value of the @var{fpr_match} variable to true (1) if the value of
@var{fpr} matches the fingerprint of the @acronym{GPG} signature associated
with the current context. Otherwise, @var{fpr_match} is set to false (0).
The return value is an FKO error status.
@end deftypefun
@node Error Handling
@section Error Handling
@cindex error handling
@cindex error codes
@cindex error strings
Most fko functions return an integer value that corresponds to either
success (0), or one of the non-zero values thar corresponds to a number
of possible errors. libfko provides a function to get a descriptive string
for the given error code.
@deftypefun {const char *} fko_errstr (@w{int @var{err_code}})
The function @code{fko_errstr} returns a pointer to a statically
allocated string containing the descripton of the error.
@end deftypefun
@noindent
The list of the possible error codes and their corresponding descriptions as
returned by @code{fko_errstr} follows:
@deftypevar int error_code
@table @code
@item FKO_SUCCESS
Success
@item FKO_ERROR_CTX_NOT_INITIALIZED
FKO Context is not initialized
@item FKO_ERROR_MEMORY_ALLOCATION
Unable to allocate memory
@item FKO_ERROR_INVALID_DATA
Args contain invalid data
@item FKO_ERROR_DATA_TOO_LARGE
Value or Size of the data exceeded the max allowed
@item FKO_ERROR_USERNAME_UNKNOWN
Unable to determine username
@item FKO_ERROR_INCOMPLETE_SPA_DATA
Missing or incomplete SPA data
@item FKO_ERROR_MISSING_ENCODED_DATA
There is no encoded data to process
@item FKO_ERROR_INVALID_DIGEST_TYPE
Invalid digest type
@item FKO_ERROR_INVALID_ALLOW_IP
Invalid allow IP address in the SPA mesage data
@item FKO_ERROR_INVALID_SPA_COMMAND_MSG
Invalid SPA command mesage format
@item FKO_ERROR_INVALID_SPA_ACCESS_MSG
Invalid SPA access mesage format
@item FKO_ERROR_INVALID_SPA_NAT_ACCESS_MSG
Invalid SPA nat_access mesage format
@item FKO_ERROR_INVALID_ENCRYPTION_TYPE
Invalid encryption type
@item FKO_ERROR_WRONG_ENCRYPTION_TYPE
Wrong or inappropriate encryption type for this operation
@item FKO_ERROR_DECRYPTION_SIZE
Unexpected or invalid size for decrypted data
@item FKO_ERROR_DECRYPTION_FAILURE
Decryption failed or decrypted data is invalid
@item FKO_ERROR_DIGEST_VERIFICATION_FAILED
The computed digest did not match the digest in the spa data
@item FKO_ERROR_UNSUPPORTED_FEATURE
Unsupported or unimplemented feature or function
@item FKO_ERROR_UNKNOWN
Unknown/Unclassified error
@end table
@end deftypevar
If GPG support is available, there are additional possible error conditions
and error codes. The @acronym{GPG} support is implemented via @acronym{GPGME}.
The libfko error handling code wraps many of the @acronym{GPGME} error codes
that may be encountered while using libfko's @acronym{GPG} related functions.
These are:
@cindex error codes, gpgme related
@deftypevar int error_code (gpgme support only)
@table @code
@item FKO_ERROR_MISSING_GPG_KEY_DATA
Missing GPG key data (signer or recipient not set)
@item FKO_ERROR_GPGME_NO_OPENPGP
This GPGME implementation does not support OpenPGP
@item FKO_ERROR_GPGME_CONTEXT
Unable to create GPGME context
@item FKO_ERROR_GPGME_PLAINTEXT_DATA_OBJ
Error creating the plaintext data object
@item FKO_ERROR_GPGME_SET_PROTOCOL
Unable to set GPGME to use OpenPGP protocol
@item FKO_ERROR_GPGME_CIPHER_DATA_OBJ
Error creating the encrypted data data object
@item FKO_ERROR_GPGME_BAD_PASSPHRASE
The GPG passphrase was not valid
@item FKO_ERROR_GPGME_ENCRYPT_SIGN
Error during the encrypt and sign operation
@item FKO_ERROR_GPGME_CONTEXT_SIGNER_KEY
Unable to create GPGME context for the signer key
@item FKO_ERROR_GPGME_SIGNER_KEYLIST_START
Error from signer keylist start operation
@item FKO_ERROR_GPGME_SIGNER_KEY_NOT_FOUND
The key for the given signer was not found
@item FKO_ERROR_GPGME_SIGNER_KEY_AMBIGUOUS
Ambiguous name/id for the signer key (mulitple matches)
@item FKO_ERROR_GPGME_ADD_SIGNER
Error adding the signer key to the gpgme context
@item FKO_ERROR_GPGME_CONTEXT_RECIPIENT_KEY
Unable to create GPGME context for the recipient key
@item FKO_ERROR_GPGME_RECIPIENT_KEYLIST_START
Error from signer keylist start operation
@item FKO_ERROR_GPGME_RECIPIENT_KEY_NOT_FOUND
The key for the given recipient was not found
@item FKO_ERROR_GPGME_RECIPIENT_KEY_AMBIGUOUS
Ambiguous name/id for the recipient key (mulitple matches)
@item FKO_ERROR_GPGME_DECRYPT_FAILED
Decryption operation failed
@item FKO_ERROR_GPGME_BAD_HOME_DIR
Unable to stat the given GPG home directory
@item FKO_ERROR_GPGME_SET_HOME_DIR
Unable to set the given GPG home directory
@item FKO_ERROR_GPGME_NO_SIGNATURE
Missing GPG signature
@item FKO_ERROR_GPGME_BAD_SIGNATURE
Bad GPG signature
@item FKO_ERROR_GPGME_SIGNATURE_VERIFY_DISABLED
Trying to check signature with verification disabled
@end table
@end deftypevar
You can use the @code{IS_GPGME_ERROR(err_code)} macro to determine whether
or not an error id @acronym{GPGME} related. If the macro evaluates to a
true value, you may be able to get additional information about the error
using the following function:
@cindex gpg-specific functions
@deftypefun {const char *} fko_gpg_errstr (@w{int @var{err_code}})
The function @code{fko_errstr} returns a pointer to a statically
allocated string containing the descripton of the @acronym{GPGME} error.
@end deftypefun
@noindent
@strong{Note}: For some errors, this function may return an empty string.
@c --End of main chapters.
@include gpl-2.0.texi
@node Concept Index
@unnumbered Concept Index
@printindex cp
@node Function and Data Index
@unnumbered Function and Data Index
@printindex fn
@bye
@c ***EOF***
View Git Blame Copy Permalink