Changeset 1210
- Timestamp:
- 08/16/08 11:54:51 (4 months ago)
- Files:
-
- fwknop/trunk/CREDITS (modified) (1 diff)
- fwknop/trunk/ChangeLog (modified) (1 diff)
- fwknop/trunk/fwknop (modified) (8 diffs)
- fwknop/trunk/fwknopd (modified) (7 diffs)
fwknop/trunk/CREDITS
r1204 r1210 225 225 Updated fwknopd to use the Net::Pcap API valid in Net::Pcap 0.14 for 226 226 the datalink() function (used to detect the datalink layer type). 227 228 Mike Holzmann 229 - Diagnosed a bug where SPA packets encrypted with 2048-bit keys would 230 exceed 1500 bytes if the 'encrypt-to' option was set in the default 231 ~/.gnupg/options file. The result was the addition of the 232 --gpg-no-options command line argument on the fwknop command line, and 233 the GPG_NO_OPTIONS variable in the access.conf file for the fwknopd 234 daemon. fwknop/trunk/ChangeLog
r1206 r1210 27 27 and fwknopd in --debug mode. This is mostly useful for the test suite 28 28 to see which versions of the modules are being used. 29 - Added the ability to ignore any local GnuPG 'options' file with a new 30 command line argument --gpg-no-options (for the fwknop client) and a new 31 access.conf config variable GPG_NO_OPTIONS (for the fwknopd daemon). 32 This fixes a problem reported by Mike Holzmann where the 'encrypt-to' 33 option in the default options file was causing SPA packets to exceed 34 1500 bytes when encrypted with a 2048-bit GnuPG key. 29 35 30 36 fwknop-1.9.6 (07/18/2008): fwknop/trunk/fwknop
r1206 r1210 5 5 # File: fwknop 6 6 # 7 # URL: http://www.cipherdyne.org/fwknop 7 # URL: http://www.cipherdyne.org/fwknop/ 8 8 # 9 9 # Purpose: fwknop implements an authorization scheme known as Single Packet … … 91 91 my $max_msg_len = 1500; 92 92 my $gpg_verbose = 0; 93 my $gpg_no_options = 0; 93 94 my $gpg_agent_info = ''; 94 95 my $include_salted = 0; … … 251 252 if (($gpg_default_key or $gpg_signing_key) and not $gpg_recipient); 252 253 254 die "[*] Cannot assume a default key when --gpg-no-options is used." 255 if ($gpg_default_key and $gpg_no_options); 256 253 257 die "[*] Cannot spoof source address for a real TCP socket." 254 258 if ($spoof_src and $spa_established_tcp); … … 699 703 Digest::SHA->import(qw(sha1_base64)); 700 704 if ($debug) { 701 print "[+] Digest::SHA 1::VERSION $Digest::SHA1::VERSION\n";705 print "[+] Digest::SHA::VERSION $Digest::SHA::VERSION\n"; 702 706 } 703 707 $digest = sha1_base64($msg); … … 710 714 Digest::SHA->import(qw(sha256_base64)); 711 715 if ($debug) { 712 print "[+] Digest::SHA 256::VERSION $Digest::SHA256::VERSION\n";716 print "[+] Digest::SHA::VERSION $Digest::SHA::VERSION\n"; 713 717 } 714 718 $digest = sha256_base64($msg); … … 730 734 $gpg_home_dir = "$homedir/.gnupg" unless $gpg_home_dir; 731 735 732 if ($gpg_verbose) { 733 $gnupg->options->hash_init( 734 'homedir' => $gpg_home_dir); 735 } else { 736 $gnupg->options->hash_init( 737 'batch' => 1, 738 'homedir' => $gpg_home_dir); 739 } 736 my %gnupg_options = ( 737 'batch' => 1, 738 'homedir' => $gpg_home_dir 739 ); 740 741 delete $gnupg_options{'batch'} if $gpg_verbose; 742 743 $gnupg->options->hash_init(%gnupg_options); 744 745 $gnupg->options->no_options() if $gpg_no_options; 740 746 741 747 ### if --gpg-default-key is given, then we trust that the user has 742 748 ### set the default key with the default-key variable in ~/.gnupg/options 749 ### and --no-gpg-options is not used on the fwknop command line. 
743 750 $gnupg->options->default_key($gpg_signing_key) unless $gpg_default_key; 744 751 … … 1626 1633 'gpg-agent' => \$use_gpg_agent, 1627 1634 'gpg-agent-info=s' => \$gpg_agent_info, 1635 'gpg-no-options' => \$gpg_no_options, 1628 1636 'quiet' => \$quiet, 1629 1637 'Forward-access=s' => \$NAT_access_str, … … 1911 1919 running gpg-agent. 1912 1920 --gpg-agent-info <info> - Specify the value for the GPG_AGENT_INFO 1913 environment variable as returned by1914 'gpg-agent --daemon'.1921 environment variable as returned by 1922 'gpg-agent --daemon'. 1915 1923 --gpg-verbose - Display all output from GnuPG process. 1924 --gpg-no-options - In GnuPG mode, instruct GnuPG to not use 1925 the local ~/.gnupg/options file for config 1926 parameters. 1916 1927 -a, --allow-IP <IP> - IP to instruct the remote fwknop server to 1917 1928 allow through the firewall ruleset. fwknop/trunk/fwknopd
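Review bot: The new comment line 749 above the default_key call refers to `--no-gpg-options`, but the option registered in the Getopt table (new line 1635) and documented in the usage text (new line 1924) is `--gpg-no-options`; the comment should read `### and --gpg-no-options is not used on the fwknop command line.` The `$gnupg->options->no_options()` call at new line 745 passes no argument; if that accessor is a plain getter/setter rather than a set-on-call boolean, the call only reads the flag and the local options file is still honoured, so `$gnupg->options->no_options(1) if $gpg_no_options;` makes the intent unambiguous and is worth confirming against the installed GnuPG::Interface version. The same question applies to the fwknopd hunk at its new lines 2274-2275. The subroutine enclosing the hash_init change starts and ends outside the hunk.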
r1207 r1210 5 5 # File: fwknopd (/usr/sbin/fwknopd) 6 6 # 7 # URL: http://www.cipherdyne.org/fwknop 7 # URL: http://www.cipherdyne.org/fwknop/ 8 8 # 9 9 # Purpose: fwknopd implements the server portion of an authorization scheme … … 104 104 my $err_wait_timer = 30; ### seconds 105 105 my $gpg_agent_info = ''; 106 my $gpg_no_options = 0; 106 107 my $build_ipt_config = 0; 107 108 my $skipped_first_loop = 0; … … 226 227 'GPG_DECRYPT_PW' => '', 227 228 'GPG_HOME_DIR' => '', 229 'GPG_NO_OPTIONS' => 0, 228 230 'ULOG_PCAP' => '', 229 231 'FILE_PCAP' => '', … … 2261 2263 my $gnupg = GnuPG::Interface->new(); 2262 2264 2263 if ($debug and $verbose and not $test_mode) { 2264 $gnupg->options->hash_init( 2265 'homedir' => $access_hr->{'GPG_HOME_DIR'}); 2266 } else { 2267 $gnupg->options->hash_init( 2268 'batch' => 1, 2269 'homedir' => $access_hr->{'GPG_HOME_DIR'}); 2270 } 2265 my %gnupg_options = ( 2266 'batch' => 1, 2267 'homedir' => $access_hr->{'GPG_HOME_DIR'} 2268 ); 2269 2270 delete $gnupg_options{'batch'} if ($debug and $verbose and not $test_mode); 2271 2272 $gnupg->options->hash_init(%gnupg_options); 2273 2274 $gnupg->options->no_options() 2275 if $gpg_no_options or $access_hr->{'GPG_NO_OPTIONS'}; 2271 2276 2272 2277 my $input = IO::Handle->new() or die $!; … … 3410 3415 $imported_gpg = 1; 3411 3416 $access_hsh{'GPG_HOME_DIR'} = $1; 3417 } elsif ($line =~ /^\s*GPG_NO_OPTIONS:\s*(\S+);/) { 3418 my $val = $1; 3419 if ($val =~ /y/i) { 3420 $access_hsh{'GPG_NO_OPTIONS'} = 1; 3421 } else { 3422 $access_hsh{'GPG_NO_OPTIONS'} = 0; 3423 } 3412 3424 } elsif ($line =~ /^\s*FILE_PCAP\s*;/) { 3413 3425 ### used in file pcap mode … … 3878 3890 'fw-type=s' => \$fw_type, 3879 3891 'gpg-agent-info=s' => \$gpg_agent_info, 3892 'gpg-no-options' => \$gpg_no_options, 3880 3893 'debug' => \$debug, 3881 3894 'Kill' => \$kill, … … 5177 5190 -S, --Status - Displays the status of any 5178 5191 currently running fwknopd processes. 
5192 --gpg-agent-info <info> - Specify the value for the GPG_AGENT_INFO 5193 environment variable as returned by 5194 'gpg-agent --daemon'. 5195 --gpg-no-options - In GnuPG mode, instruct GnuPG to not use 5196 the local ~/.gnupg/options file for config 5197 parameters. 5179 5198 -T, --Test-mode - Run in testing mode for compatibility 5180 5199 with the fwknop test suite (sets the
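Review bot: The GPG_NO_OPTIONS parser at new lines 3417-3423 treats any value containing the letter y anywhere as enabling the flag (`$val =~ /y/i`), so a mistyped `GPG_NO_OPTIONS: yse;` silently disables the options file while `GPG_NO_OPTIONS: 1;` silently does not. An anchored match, `if ($val =~ /\A(?:y|yes)\z/i) {`, with a warning for any unrecognised value would make a bad access.conf setting fail loudly; if the other Y/N variables in this file use the same `/y/i` idiom, keep them consistent rather than fixing only this one. The access.conf parsing subroutine starts and ends outside the hunk.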
