Changeset 1000

Timestamp:

02/02/08 18:21:40 (10 months ago)

Author:

mbr

Message:

- Applied modified version of the client-defined access timeout patches
submitted by the PICT SPA Group. There are two new message types to
facilitate client timeouts; one for normal access mode, and the other
for the FORWARD access mode. In the access.conf file, there is also a
new variable "PERMIT_CLIENT_TIMEOUT" to allow each SOURCE stanza to
allow client-defined timeouts or not.

Files:

• fwknop/trunk/ChangeLog (modified) (1 diff)
• fwknop/trunk/TODO (modified) (1 diff)
• fwknop/trunk/fwknop (modified) (7 diffs)
• fwknop/trunk/fwknopd (modified) (18 diffs)
• fwknop/trunk/test/conf/client_timeout_access.conf (added)
• fwknop/trunk/test/fwknop_test.pl (modified) (16 diffs)

fwknop/trunk/ChangeLog

@@ -3 +3 @@
-    - (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for
-      packet capture (e.g. rp-pppoe interfaces).
+    - Applied modified version of the client-defined access timeout patches
+      submitted by the PICT SPA Group.  There are two new message types to
+      facilitate client timeouts; one for normal access mode, and the other
+      for the FORWARD access mode.  In the access.conf file, there is also a
+      new variable "PERMIT_CLIENT_TIMEOUT" to allow each SOURCE stanza to
+      allow client-defined timeouts or not.
-    - Added full packet hex dumps (including packet headers) to fwknopd in
-      --debug --verbose mode.  This is to help diagnose packet sniffing issues

fwknop/trunk/TODO

@@ -73 +73 @@
-
-
-Client derived access timeouts:
-
-    The current fwknopd implementation maintains access timeouts via the
-    FW_ACCESS_TIMEOUT variable in the /etc/fwknop/access.conf file.  This
-    strategy works well enough, but it would be useful to allow the SPA client
-    to set the timeout (subject to a setting in the access.conf file to permit
-    this for an applicable SOURCE stanza).  To support this, a new command
-    line argument would need to be added to the fwknop client.
-
-
-Destination IP address restrictions in /etc/fwknop/access.conf:
-

fwknop/trunk/fwknop

@@ -102 +102 @@
-$ext_resolve_user_agent =~ s|-pre\d+||;
-
-
+
+
+
+
+
+
+
+
-my $SPA_COMMAND_MODE = 0;
-
+
+
+
+
-my $SPA_FORWARD_ACCESS_MODE = 2;
-
+### ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (3) : access_request : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_ACCESS_MODE = 3;
+
+### FORWARD ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (4) : access_request : NAT_info : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE = 4;
+
-### default time values
-  
-fw_access_timeout = 30
+
+cmdl_fw_timeout = 
-
-### default to root (client must run as root in this mode)
@@ -215 +235 @@
-die "[*] Must specify a destination server with -D <IP|Host>"
-    unless $knock_dst;
+
+if ($cmdl_fw_timeout ne '0') {
+    die "[*] Must specify a firewall timeout > 0"
+        unless $cmdl_fw_timeout > 0;
+}
-
-my $print_mode = '';
@@ -395 +420 @@
-    $msg .= &SPA_message();
-
+    ### append FORWARD access requirement (optional)
+    $msg .= &SPA_forward_access();
+
-    ### append server authentication method (optional)
-    $msg .= &SPA_server_auth();
-
-FORWARD access requiremen
-forward_access
+any client defined fw timeou
+client_timeout
-
-    ### append MD5 sum
@@ -461 +489 @@
-        return ':' . $SPA_COMMAND_MODE;
-    } elsif ($forward_access_str) {
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-}
-
@@ -487 +529 @@
-        unless $quiet;
-    return ':' . encode_base64("$enc_allow_ip,$access_str");
+}
+
+sub SPA_client_timeout() {
+    return unless $cmdl_fw_timeout;
+    return ':' . $cmdl_fw_timeout;
-}
-
@@ -1279 +1326 @@
-        'TCP-sock'       => \$spa_established_tcp,
-        'Access=s'       => \$access_str,
+        'fw-timeout=i'   => \$cmdl_fw_timeout,
-        'allow-IP=s'     => \$enc_allow_ip,
-        'source-IP'      => \$enc_source_ip,
@@ -1466 +1514 @@
-                                 (must use the -R option). The default user
-                                 agent is: $ext_resolve_user_agent
+    -f, --fw-timeout <seconds> - Specify the time the port will remain open
+                                 on the server (requires
+                                 PERMIT_CLIENT_TIMEOUT in access.conf on the
+                                 fwknopd server side).
-    --Save-dst                 - Save the command line args for this
-                                 invocation against the destination to the

fwknop/trunk/fwknopd

@@ -114 +114 @@
-
-### SPA message types from fwknop clients
+
+### ACCESS message:
+###     random data :user : client_timestamp : client_version : \
+###     type (1) : access_request : MD5
+my $SPA_ACCESS_MODE  = 1;  ### default
+
+### COMMAND message:
+###     random data :user : client_timestamp : client_version : \
+###     type (0) : command : MD5
-my $SPA_COMMAND_MODE = 0;
-
+
+
+
+
-my $SPA_FORWARD_ACCESS_MODE = 2;
+
+### ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (3) : access_request : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_ACCESS_MODE = 3;
+
+### FORWARD ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (4) : access_request : NAT_info : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE = 4;
-
-### minimum nummber of fields within a decrypted SPA packet
@@ -122 +144 @@
-
-### default time values
-   
-fw
+
+default
-
-my $enc_port_offset   = 61000;  ### default offset
@@ -192 +214 @@
-    'KNOCK_LIMIT'    => '',
-    'PERMIT_CLIENT_PORTS' => '',
+    'PERMIT_CLIENT_TIMEOUT' => '',
-    'ENABLE_FORWARD_ACCESS' => 0,
-    'ENABLE_CMD_EXEC'     => '',
@@ -492 +515 @@
-                $access_hr, $src_ip, $msg_hr);
-
-) {
-if (&SPA_access($msg_hr, $src_ip, $decrypt_algo,
-    $gpg_sign_id, $md5sum, $access_hr)) {
-last SOURCE;
-} else {
-next SOURCE;
-}
-
+
+    or $msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE
+or $msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE
+or $msg_hr->{'action_type'}
+        == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
+or $msg_hr->{'action_type'}
+        == $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE) {
+
-                if (&SPA_access($msg_hr, $src_ip, $decrypt_algo,
-                        $gpg_sign_id, $md5sum, $access_hr)) {
@@ -602 +625 @@
-
-    print STDERR localtime() . " [+] Packet fields:\n";
-4s %s\n    %-14s %s\n    %-14
-4s %s\n    %-14
+6s %s\n    %-16s %s\n    %-16
+6s %s\n    %-16
-            'Random data:', $msg_hr->{'random_number'},
-            'Username:',    $msg_hr->{'username'},
@@ -616 +639 @@
-    } elsif ($msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE) {
-        print STDERR " (SPA_FORWARD_ACCESS_MODE)\n";
-
-
+
+
+
+
+
+
-            'Action:', $msg_hr->{'action'};
+
+    if ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
+            or $msg_hr->{'action_type'}
+                == $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE) {
+        printf STDERR "    %-16s %s\n",
+                'Client timeout:', $msg_hr->{'client_timeout'};
+    }
-
-    if ($msg_hr->{'server_auth'}) {
@@ -625 +659 @@
-            my $server_auth_crypt_pw = $2;
-            if ($debug) {
-4
+6
-                for (my $i=0; $i<length($server_auth_crypt_pw); $i++) {
-                    print STDERR '*';
@@ -634 +668 @@
-    }
-    if ($msg_hr->{'forward_info'}) {
-
-
-
+
+
+
+
-    return;
-}
@@ -714 +749 @@
-    }
-
+    if ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
+            or $msg_hr->{'action_type'}
+                == $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE) {
+
+        if ($access_hr->{'PERMIT_CLIENT_TIMEOUT'}) {
+            $access_hr->{'FW_ACCESS_TIMEOUT'} = $msg_hr->{'client_timeout'};
+        } else {
+            &logr('[-]', "received fw access request from $src_ip, " .
+                "with client-defined timeout, but PERMIT_CLIENT_TIMEOUT is not " .
+                "set (SOURCE line num: $access_hr->{'src_line_num'})", $NO_MAIL);
+            return 0;
+        }
+    }
+
-    $allow_src = $1 if $msg_hr->{'action'} =~ /($ip_re)/;
-
@@ -1063 +1112 @@
-        'server_auth'     => '',  ### optional
-        'forward_info'    => '',  ### optional
+        'client_timeout'  => -1,  ### optional
-        'md5sum'          => '',
-    );
@@ -1124 +1174 @@
-    if (&is_digit($fields[4])) {
-        return 0, {} unless $fields[4] == $SPA_COMMAND_MODE
-
-
+
+
+
+
-        $msg_hsh{'action_type'} = $fields[4];
-    } else {
@@ -1141 +1193 @@
-        ### iptables FORWARD/DNAT access was introduced in 1.9.0
-        if ($msg_hsh{'numeric_version'} >= 190) {
+            my $found = 0;
-            if ($msg_hsh{'action_type'} == $SPA_FORWARD_ACCESS_MODE) {
-                if ($#fields == $SPA_MIN_PACKET_FIELDS+1) {
-                    $msg_hsh{'forward_info'} = decode_base64($fields[6]);
+                    $found = 1;
-                }
-
+
+
+
+
+
+
+
+
+
+
+
+
-                if ($#fields > $SPA_MIN_PACKET_FIELDS) {
-                    $msg_hsh{'server_auth'} = decode_base64($fields[6]);
@@ -1172 +1237 @@
-            "$msg_hsh{'username'}:$msg_hsh{'remote_time'}:",
-            "$msg_hsh{'remote_version'}:$msg_hsh{'action_type'}:",
-
+
+
+
+
+
+
+
+
+
-
-        ### careful not to display password information
@@ -1182 +1255 @@
-                print STDERR "*";
-            }
-
-
-
-
+
+
+
-    }
-    return 1, \%msg_hsh;
@@ -3048 +3120 @@
-                        $access_hsh{'PERMIT_CLIENT_PORTS'} = 0;
-                    }
+                } elsif ($line =~ /^\s*PERMIT_CLIENT_TIMEOUT\s*;/) {
+                    $access_hsh{'PERMIT_CLIENT_TIMEOUT'} = 1;
+                } elsif ($line =~ /^\s*PERMIT_CLIENT_TIMEOUT:\s*(\S+);/) {
+                    my $val = $1;
+                    if ($val =~ /y/i) {
+                        $access_hsh{'PERMIT_CLIENT_TIMEOUT'} = 1;
+                    } else {
+                        $access_hsh{'PERMIT_CLIENT_TIMEOUT'} = 0;
+                    }
-                } elsif ($line =~ /^\s*ENABLE_CMD_EXEC\s*;/) {
-                    $access_hsh{'ENABLE_CMD_EXEC'} = 1;
@@ -3077 +3158 @@
-                } elsif ($line =~ /^\s*FW_ACCESS_TIMEOUT:\s*(\d+)\s*;/) {
-                    $access_hsh{'FW_ACCESS_TIMEOUT'} = $1;
+                } elsif ($line =~ /^\s*MAX_ACCESS_TIMEOUT:\s*(\d+)\s*;/) {
+                    $access_hsh{'FW_ACCESS_TIMEOUT'} = $1;
-                } elsif ($line =~ /^\s*REQUIRE_OS:\s*(.*)\s*;/) {
-                    $access_hsh{'REQUIRE_OS'} = $1;
@@ -3095 +3178 @@
-        unless (defined $access_hsh{'PERMIT_CLIENT_PORTS'}) {
-            $access_hsh{'PERMIT_CLIENT_PORTS'} = 0;
+        }
+        unless (defined $access_hsh{'PERMIT_CLIENT_TIMEOUT'}) {
+            $access_hsh{'PERMIT_CLIENT_TIMEOUT'} = 0;
-        }
-        if (&validate_src_access_hsh(\%access_hsh)) {
@@ -3299 +3385 @@
-        }
-    } else {
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-    }
-    if (defined $src_href->{'KNOCK_LIMIT'}) {

fwknop/trunk/test/fwknop_test.pl

@@ -59 +59 @@
-my $multi_source_access_conf = "$conf_dir/multi_source_access.conf";
-my $no_loopback_ip_match_access_conf = "$conf_dir/no_loopback_ip_match_access.conf";
+my $client_timeout_access_conf = "$conf_dir/client_timeout_access.conf";
-
-my $local_key_file = 'local_spa.key';
@@ -99 +100 @@
-my $ip_re   = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|;
-
-
+
+
+
+
+
+
+
+
-my $SPA_COMMAND_MODE = 0;
-
+
+
+
+
-my $SPA_FORWARD_ACCESS_MODE = 2;
+
+### ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (3) : access_request : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_ACCESS_MODE = 3;
+
+### FORWARD ACCESS message with client-defined firewall timeout:
+###     random data :user : client_timestamp : client_version : \
+###     type (4) : access_request : NAT_info : timeout : MD5
+my $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE = 4;
-
-### make Getopts case sensitive
@@ -191 +212 @@
-&stop_fwknopd_quiet();
-
+### client timeout with --fw-timeout on fwknop command line
+&test_driver('(Client timeout) Generating SPA access packet',
+    \&SPA_client_timeout_access_packet);
+&test_driver('(Client timeout) Sniffing SPA access packet',
+    \&client_timeout_sniff_decrypt);
+&test_driver('(Client timeout) Verifying SPA access packet format',
+    \&spa_client_timeout_access_format);
+&test_driver('(Client timeout) Firewall access rules exist',
+    \&fw_rules_exist);
+&fw_sleep_10();  ### give knoptm a chance to remove the rules
+&test_driver('(Client timeout) Firewall access rules removed',
+    \&fw_rules_removed);
+&test_driver('(Client timeout) Stopping all running fwknopd processes',
+    \&stop_fwknopd);
+
-### It is ok to append data in the current code since the Rijndael decrypt
-### only returns the actual SPA payload (may need to revist this)
@@ -571 +607 @@
-
-sub non_matching_source_generation() {
-
+0
-}
-
@@ -690 +726 @@
-        "rule timeout)\n    ");
-    for (my $i=$fw_access_timeout+3; $i > 0; $i--) {
+        &logr("$i ");
+        sleep 1;
+    }
+    &logr("0\n");
+    return;
+}
+
+sub fw_sleep_10() {
+    &logr("    (Sleeping for 10 seconds for firewall " .
+        "rule timeout)\n    ");
+    for (my $i=10; $i > 0; $i--) {
-        &logr("$i ");
-        sleep 1;
@@ -881 +928 @@
-}
-
+sub spa_client_timeout_access_format() {
+    ### Random data:    1946117908964953
+    ### Username:       root
+    ### Remote time:    1197922462
+    ### Remote ver:     1.9.0
+    ### Action type:    1 (SPA_ACCESS_MODE)
+    ### Action:         127.0.0.2,none,0
+    ### Client timeout: 5
+    ### MD5 sum:        DLnVQDc5XTkazUbeJX14Og
+    my $valid_lines = 0;
+    open F, "< $fwknopd_output_file" or die "[*] Could not open ",
+        "$fwknopd_output_file: $!";
+    while (<F>) {
+        if (/^\s+Random\s+data:\s+\d+/i) {
+            $valid_lines++;
+        } elsif (/^\s+Username:\s+\w+$/i) {
+            $valid_lines++;
+        } elsif (/^\s+Remote\s+time:\s+\d+$/i) {
+            $valid_lines++;
+        } elsif (/^\s+Remote\s+ver:\s+(\S+)$/i) {
+            $valid_lines++;
+        } elsif (/^\s+Action\s+type:\s+$SPA_CLIENT_TIMEOUT_ACCESS_MODE\s+/i) {
+            $valid_lines++;
+        } elsif (/^\s+Action:\s+$ip_re/i) {
+            $valid_lines++;
+        } elsif (/^\s+Client\s+timeout:\s+\d+/i) {
+            $valid_lines++;
+        } elsif (/^\s+MD5\s+sum:\s+\S+$/i) {
+            $valid_lines++;
+        }
+    }
+    close F;
+    unless ($valid_lines == 8) {
+        return &print_errors("fail ($test_num)\n[*] Dubious " .
+            "sniffed packet format");
+    }
+    return 1;
+}
+
-sub spa_access_format() {
-    ### Random data:   1946117908964953
@@ -1239 +1325 @@
-}
-
+sub SPA_client_timeout_access_packet() {
+    return &get_access_packet(5);
+}
+
-sub SPA_access_packet() {
-
+0
-}
-
@@ -1271 +1361 @@
-    }
-    die "[*] Could not assign valid unauthorized port" unless $unauth_port;
-
+0
-    $open_ports = $port_copy;
-    return $rv;
@@ -1305 +1395 @@
-    my $require_user_copy = $require_user;
-    $require_user = 'mbr' . $require_user;
-
+0
-    $require_user = $require_user_copy;
-    return $rv;
@@ -1338 +1428 @@
-
-sub truncated_SPA_packet() {
-
+0
-    ### chop off the last 10 chars
-    $cache_encrypted_Rijndael_spa_packet =~ s|.{10}$||;
@@ -1345 +1435 @@
-
-sub append_SPA_packet() {
-
+0
-    ### append 10 garbage chars
-    $cache_encrypted_Rijndael_spa_packet .= '1234567890';
@@ -1390 +1480 @@
-}
-
+sub client_timeout_sniff_decrypt() {
+
+    $fwknopd_output_file = "${cmd_stderr}.$test_num";
+
+    if (&run_fwknopd($cache_encrypted_Rijndael_spa_packet,
+            $default_fwknop_conf, $client_timeout_access_conf)) {
+
+        ### now that fwknopd has exited, see if the SPA packet was valid
+        open SE, "< $fwknopd_output_file"
+            or die "[*] Could not open $fwknopd_output_file: $!";
+        while (<SE>) {
+            if (/\[\-\]\s+Key\s+mis\-?match/i) {
+                ### [-] Key mis-match or broken message checksum for SOURCE \
+                ### ANY (# 1 in access.conf)
+                return &print_errors("fail ($test_num)\n[*] " .
+                    "Key mis-match");
+            } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) {
+                ### [-] Decrypted message does not conform to a valid SPA packet
+                return &print_errors("fail ($test_num)\n[*] " .
+                        "Invalid SPA packet");
+            }
+        }
+        close SE;
+        return 1;
+    }
+    return &print_errors("fail ($test_num)\n[*] Sniff alarm " .
+            "($sniff_alarm seconds) expired");
+}
+
-sub append_SPA_sniff_decrypt() {
-
@@ -1461 +1580 @@
-    my $spa_src_copy = $spa_src;
-    $spa_src = '0.0.0.0';
-
+0
-    $spa_src = $spa_src_copy;
-    return $rv;
@@ -1502 +1621 @@
-    for (my $i=0; $i < $NUM_RAND; $i++) {
-
-
+0
-
-        if (defined $packet_cache{$cache_encrypted_Rijndael_spa_packet}) {
@@ -1626 +1745 @@
-
-sub get_access_packet() {
+    my $client_timeout = shift;
-
-    ### --Test so that SPA packet is not sent
@@ -1637 +1757 @@
-    close K;
-
-unless (&run_cmd(
+my $cmd = 
-            "$local_key_file -D $spa_dst -a $spa_src --Test -v " .
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-    }
-    open F, "< ${cmd_stdout}.$test_num"