Changeset 1098

Timestamp:

05/31/08 11:58:00 (6 months ago)

Author:

mbr

Message:

Added --time-offset-plus and --time-offset-minus options

Files:

• fwknop/trunk/ChangeLog (modified) (2 diffs)
• fwknop/trunk/fwknop (modified) (6 diffs)

fwknop/trunk/ChangeLog

@@ -28 +28 @@
-      Now the fwknop client will select a random port to NAT the incoming
-      connection.  So say it selects port 31001 (as indicated by the output of
-
-
+
+
+
+
+
+
-
-      $ ssh -p 31001 <user>@11.1.1.1
@@ -52 +56 @@
-      This allows fwknopd to ignore packets that are not at least this many
-      bytes (including packet headers) before any decryption attempt is made.
+    - Added --time-offset-plus and --time-offset-minus args to the fwknop
+      client command line.  This allows the time stamp within an SPA packet to
+      be influenced without setting the system clock (which normal users
+      cannot usually do).  This is useful for when the client and server
+      systems have clocks that are out of sync.
-    - Updated to version 5.47 of the Digest::SHA module.
-    - Updated to version 0.7 of the IPTables::ChainMgr module (includes

fwknop/trunk/fwknop

@@ -75 +75 @@
-my $show_last_host_cmd = '';
-my $show_last_cmd = 0;
+my $time_offset_plus = '';
+my $time_offset_minus = '';
-my $use_md5       = 0;
-my $use_sha1      = 0;
@@ -531 +533 @@
-sub SPA_timestamp() {
-    my $timestamp = time();
+
+
+    if ($time_offset_plus) {
+        my $offset = &time_offset($time_offset_plus);
+        $timestamp += $offset;
+    }
+
+    if ($time_offset_minus) {
+        my $offset = &time_offset($time_offset_minus);
+        $timestamp -= $offset;
+    }
+
-    print "        Timestamp:      $timestamp\n" unless $quiet;
-    return ':' . $timestamp;
@@ -1443 +1457 @@
-        'knock-dst=s'    => \$knock_dst,
-        'Destination=s'  => \$knock_dst,
+        'time-offset-plus=s'  => \$time_offset_plus,
+        'time-offset-minus=s' => \$time_offset_minus,
-        'gpg-signing-key=s' => \$gpg_signing_key,
-        'gpg-recipient=s'   => \$gpg_recipient,
@@ -1620 +1636 @@
-    }
-    return;
+}
+
+sub time_offset() {
+    my $str = shift;
+    my $offset = 0;
+
+    if ($str =~ /(\d+)/) {
+        $offset = $1;
+    } else {
+        die "[*] Must specify a value like 60min";
+    }
+    if ($str =~ /min/i) {
+        $offset *= 60;
+    } elsif ($str =~ /hour/i) {
+        $offset *= 60 * 60;
+    } elsif ($str =~ /day/i) {
+        $offset *= 60 * 60 * 24;
+    } elsif ($str =~ /sec/i) {
+        ### no action
+    } else {
+        ### default to minutes
+        $offset *= 60;
+    }
+    return $offset;
-}
-
@@ -1775 +1815 @@
-    --get-key <file>           - Get encryption key from <file> instead of
-                                 from STDIN.
+    --Test-mode                - Build SPA packet data but do not send it
+                                 over the network.
+    --time-offset-plus <str>   - Add a time offset to the advertised time
+                                 stamp in the SPA packet (e.g. "60sec" or
+                                 "1day").
+    --time-offset-minus <str>  - Subtract a time offset from the advertised
+                                 time stamp in the SPA packet (e.g. "60sec"
+                                 or "1day").
-    --TCP-sock                 - Send SPA packets over an established TCP
-                                 socket with the fwknopd server.  This
@@ -1790 +1838 @@
-    -H, --Home-dir <directory> - Specify the home directory of the current
-                                 user that is running fwknop.
-
-
-
-
+
+
+
+
+
-    -k, --knock-dst <IP>       - Connection destination IP address for port
-                                 knock sequence (synonym for -D).
-    --Test-mode                - Build SPA packet data but do not send it
-                                 over the network.
-    -d, --debug                - Run fwknop in debugging mode.
-    -v, --verbose              - Verbose mode.