Changeset 1026

Timestamp:
03/02/08 02:40:01 (9 months ago)
Author:
mbr
Message:

- Crypt::CBC adds the string "Salted" to the beginning of the encrypted
text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop
client was updated to delete the encoded version of this string
"U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire.
The fwknopd server will add this string back in before decrypting. This
makes it harder to write an IDS signature that looks for fwknop traffic;
e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201,
which would work for fwknop clients < 1.9.2 (as long as the port number
is not changed with --Server-port).
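As an added illustration (not code from the fwknop project), the Python below reproduces the prefix strip on the client and the restore on the server that the message describes, and shows for detection engineers why the stripped packet still begins with one of only four base64 characters. The salt and ciphertext bytes are constructed; Crypt::CBC itself is not involved.

```python
import base64

SALTED_HEADER = b"Salted__"      # header Crypt::CBC (and OpenSSL) put before the 8-byte salt
ENCODED_PREFIX = "U2FsdGVkX1"   # the 10 base64 characters fully determined by that header


def encoded_salted_message(salt: bytes, ciphertext: bytes) -> str:
    """Mimic what the client base64-encodes: header + 8-byte salt + ciphertext (constructed)."""
    assert len(salt) == 8, "Crypt::CBC salt is 8 bytes"
    return base64.b64encode(SALTED_HEADER + salt + ciphertext).decode("ascii")


def strip_prefix(encoded: str) -> str:
    """Client side (fwknop >= 1.9.2): drop the encoded Salted__ prefix before sending."""
    if encoded.startswith(ENCODED_PREFIX):
        return encoded[len(ENCODED_PREFIX):]
    return encoded


def restore_prefix(wire: str) -> str:
    """Server side (fwknopd): re-add the prefix unless an older client already sent it."""
    if wire.startswith(ENCODED_PREFIX):
        return wire
    return ENCODED_PREFIX + wire


def residual_first_chars() -> set:
    """Base64 packs 6 bits per character. The 8 header bytes are 64 bits, so characters
    0-9 cover 60 of them and character 10 mixes the low 4 bits of the final '_' (0x5F,
    i.e. 0xF) with the top 2 bits of the first salt byte. Whatever the salt, a stripped
    packet therefore starts with one of just four characters: '8', '9', '+' or '/'."""
    seen = set()
    for first_salt_byte in range(256):
        salt = bytes([first_salt_byte]) + b"\x00" * 7
        seen.add(strip_prefix(encoded_salted_message(salt, b""))[0])
    return seen


if __name__ == "__main__":
    enc = encoded_salted_message(bytes(range(8)), b"\x10" * 16)
    wire = strip_prefix(enc)
    print("on the wire:", wire)
    print("restored ok:", restore_prefix(wire) == enc)
    print("possible first characters after stripping:", sorted(residual_first_chars()))
```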

Files:

  • fwknop/trunk/ChangeLog

    r1025 r1026  
    11fwknop-1.9.2 (02//2008): 
     2    - Crypt::CBC adds the string "Salted__" to the beginning of the encrypted 
     3      text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop 
     4      client was updated to delete the encoded version of this string 
     5      "U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire. 
     6      The fwknopd server will add this string back in before decrypting.  This 
     7      makes it harder to write an IDS signature that looks for fwknop traffic; 
     8      e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201, 
     9      which would work for fwknop clients < 1.9.2 (as long as the port number 
     10      is not changed with --Server-port). 
    211    - (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr. 
    312    - (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for 
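Review bot: the new release header on line 1, "fwknop-1.9.2 (02//2008)", has an empty day field; fill in the release day or leave an obvious placeholder before tagging. The entry also spells the header "Salted__" (two underscores) while the commit message says "Salted"; the ChangeLog form matches the code comment and the actual Crypt::CBC header, so keep that one.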
  • fwknop/trunk/fwknop

    r1025 r1026  
    8181my $gpg_recipient = ''; 
    8282my $use_gpg_agent = 0; 
    83 my $gpg_agent_info = ''; 
    8483my $max_msg_len   = 1500; 
    8584my $gpg_verbose   = 0; 
     85my $gpg_agent_info = ''; 
     86my $include_salted = 0; 
    8687my $gpg_default_key = 0; 
    8788my $err_wait_timer  = 30;  ### seconds 
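Review bot: `my $gpg_agent_info = '';` is deleted at line 83 and re-added unchanged at line 85, which is pure churn in the diff; leave it where it was and add only `my $include_salted = 0;`. Since the default of 0 means the prefix is stripped unless the user asks otherwise, a short comment next to the declaration saying so would help the next reader.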
     
    699700    ); 
    700701    my $encoded_msg = encode_base64($cipher->encrypt($msg), ''); 
     702 
     703    ### Crypt::CBC adds the string "Salted__" to the beginning of the 
     704    ### encrypted text (at least for how we create the cipher object 
     705    ### above), so delete the encoded version of this string ("U2FsdGVkX1") 
     706    ### before sending on the wire.  The fwknopd server will add this 
     707    ### string back in before decrypting.  This makes it harder to write 
     708    ### an IDS signature that looks for fwknop traffic (e.g. look for the 
     709    ### string "U2FsdGVkX1" over UDP port 62201). 
     710    unless ($include_salted) { 
     711        print "[+] Stripping encoded Salted__ prefix (U2FsdGVkX1) from ", 
     712            "outgoing encoded SPA packet.\n" if $debug; 
     713        $encoded_msg =~ s/^U2FsdGVkX1//;  ### encoded "Salted__" string 
     714    } 
    701715 
    702716    print "[+] Encrypted message: $encoded_msg\n" if $debug; 
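Review bot: `$encoded_msg =~ s/^U2FsdGVkX1//;` silently does nothing if the cipher object is ever created without Crypt::CBC's salted header, and the comment already hedges with "at least for how we create the cipher object above"; check the substitution's return value and warn (or die) when the prefix was not found, so a change to the cipher setup does not quietly send full-prefix packets. A comment explaining why the pattern stops at "X1" would also help: only the first 10 base64 characters are fixed by the 8-byte "Salted__" header, the 11th shares bits with the salt.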
     
    13741388        'get-key=s'      => \$get_key_file, 
    13751389        'Home-dir=s'     => \$cmdl_homedir, 
     1390        'Include-salted' => \$include_salted, 
    13761391        'Test-mode'      => \$test_mode, 
    13771392        'debug'          => \$debug, 
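Review bot: `'Include-salted' => \$include_salted` defines no short alias, yet the usage text added elsewhere in this changeset advertises `--I, --Include-salted`; either change the spec to `'Include-salted|I'` or drop the short form from the help so the two agree.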
     
    15461561                                 behind a NAT device). Note that the -w 
    15471562                                 option should really be used instead. 
     1563    -F, --Forward-access <NAT> - Access an internal server (say, SSH) by 
     1564                                 instructing the remote fwknopd instance to 
     1565                                 build inbound DNAT rules. The format of the 
     1566                                 argument is <InternalIP>,<Port> where 
     1567                                 InternalIP is the internal system and Port 
     1568                                 is the port number that will be forwarded. 
    15481569    -R, --Resolve-external-IP  - Resolve client IP via the 
    15491570                                 http://www.whatismyip.org/ website. This is 
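Review bot: the `-F, --Forward-access` usage text is new in this changeset but neither the ChangeLog entry nor the commit message mentions it; both describe only the Salted__ prefix change. Add a ChangeLog line for it or split it into its own commit so the history stays accurate.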
     
    15611582                                 PERMIT_CLIENT_TIMEOUT in access.conf on the 
    15621583                                 fwknopd server side). 
     1584    --I, --Include-salted      - Include the encoded "Salted__" prefix; this 
     1585                                 is only necessary for older versions of the 
     1586                                 fwknopd server (< 1.9.2). 
    15631587    --Save-dst                 - Save the command line args for this 
    15641588                                 invocation against the destination to the 
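Review bot: `--I, --Include-salted` uses a double dash on the single-letter form, unlike `-F`, `-R` and the other entries in this usage block; it should read `-I, --Include-salted`. The help text also says the option is "only necessary for older versions of the fwknopd server (< 1.9.2)", which is the clearest statement of the default behaviour in the whole changeset, so consider repeating that in the ChangeLog entry.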
  • fwknop/trunk/fwknopd

    r1019 r1026  
    19981998    my $gpg_sign_id   = ''; 
    19991999 
    2000     $msg .= '==' if $msg !~ /==$/; 
    2001  
    20022000    print STDERR localtime() . " [+] Attempting GnuPG decrypt...\n" if $debug; 
    20032001    if ($debug and $verbose) { 
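Review bot: dropping `$msg .= '==' if $msg !~ /==$/;` from the GnuPG path is not mentioned in the commit message or ChangeLog, which only cover the Salted__ prefix; if the padding fix moved to shared code earlier in the decode path, say so in the message, otherwise GnuPG packets missing their trailing "==" may no longer base64-decode.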
     
    21132111    my $decrypt_rv    = 0; 
    21142112 
     2113    unless ($msg =~ /^U2FsdGVkX1/) { 
     2114        if ($debug) { 
     2115            print STDERR localtime() . " [+] Adding encoded Salted__ prefix ", 
     2116                "(U2FsdGVkX1) to incoming encoded SPA packet.\n" 
     2117        } 
     2118        $msg = 'U2FsdGVkX1' . $msg; 
     2119    } 
     2120 
    21152121    print STDERR localtime() . " [+] Attempting Rijndael decrypt...\n" if $debug; 
    2116  
    2117     ### make sure the trailing "==" is there for the base64 decode 
    2118     $msg .= '==' if $msg !~ /==$/; 
    21192122 
    21202123    if ($debug and $verbose) {
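Review bot: the guard `unless ($msg =~ /^U2FsdGVkX1/)` around `$msg = 'U2FsdGVkX1' . $msg;` correctly keeps compatibility with clients that still send the prefix, but a one-line comment saying that pre-1.9.2 clients (and `--Include-salted`) are the reason for the guard would make the intent clear. In the same hunk the block under `### make sure the trailing "==" is there for the base64 decode` is deleted with no replacement shown; unless that restoration moved to shared code, put it back after the prefix is re-added, since the prefix fix-up and the padding fix-up serve the same decode.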