Changeset 1251
- Timestamp:
- 09/28/08 16:28:42 (2 months ago)
- Files:
-
- fwknop/trunk/ChangeLog (modified) (2 diffs)
- fwknop/trunk/fwknop (modified) (7 diffs)
- fwknop/trunk/fwknop.conf (modified) (1 diff)
- fwknop/trunk/fwknopd (modified) (15 diffs)
- fwknop/trunk/test/conf/blacklist_dashA_IP_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/blacklist_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/default_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/filter_62203_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/forward_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/gpg_access_no_prefix.conf (added)
- fwknop/trunk/test/conf/md5_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/no_local_nat_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/no_promisc_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/output_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/pcap_file_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/pk_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/rand_port_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha1_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha256_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/spa_aging_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/fwknop_test.pl (modified) (15 diffs)
fwknop/trunk/ChangeLog
r1248 r1251 1 1 fwknop-1.9.8 (09//2008): 2 - Added GPG_NO_REQUIRE_PREFIX to access.conf to control whether the GnuPG 3 'hQ' prefix is added before base64 decoding and decrypting. Normally 4 this is not needed, but if there appear to be communications issues 5 between the fwknop client and the fwknopd server then this option can be 6 useful to ensure that encrypted SPA data is sent through the GnuPG 7 decryption routine. The 'hQ' prefix is a heuristic derived from the 8 file 'magic' database for describing data encrypted with GnuPG, and the 9 fwknop client normally strips this data from outgoing SPA packets 10 (unless the --Include-gpg-prefix option is used). 11 - Added '--gpg-prefix <bytes>' to the fwknop client so that the 12 predictable prefix for GnuPG encrypted data can be changed. Normally 13 this prefix is 'hQ' (base64 encoded), or the raw bytes 0x8502. 14 - Added the ability to control the path used for the gpg binary on the 15 client side with a new argument '--gpg-path <path>', and on the server 16 side with gpgCmd in the fwknop.conf file. The GnuPG::Interface module 17 normally just takes the first instance of gpg that is the current path, 18 but this new feature allows the path to the binary to be explicitly set. 2 19 - Added --Save-packet-append to allow SPA packets to be appended to the 3 20 --Save-packet-file in --Save-packet mode. This allows multiple SPA … … 14 31 - Bugfix to remove the Net::IPv4Addr dependency in the fwknop client and 15 32 knoptm daemon (Franck Joncourt). 16 - Added the base64_byte_frequency.pl script to the test/ directory. This 17 script parses files that contain base64 encoded data (one record per 18 line), and produces data files that can be graphed with Gnuplot in order 19 to visualize SPA packets. 
The new --Save-packet-append argument makes 20 it easy to generate large collections of SPA packets with the fwknop 21 client, and this data can then be parsed by base64_byte_frequency.pl to 22 look for features that are common across SPA packets (this should be 23 minimized because every fwknop SPA packet contains 16 bytes of random 24 data). 33 - (Test suite) Added the base64_byte_frequency.pl script to the test/ 34 directory. This script parses files that contain base64 encoded data 35 (one record per line), and produces data files that can be graphed with 36 Gnuplot in order to visualize SPA packets. The new --Save-packet-append 37 argument makes it easy to generate large collections of SPA packets with 38 the fwknop client, and this data can then be parsed by 39 base64_byte_frequency.pl to look for features that are common across SPA 40 packets (this should be minimized because every fwknop SPA packet contains 41 16 bytes of random data). Some analysis of randomness in SPA packets 42 generated by fwknop is presented in this blog post: 43 44 http://www.cipherdyne.org/blog/2008/09/visualizing-spa-packet-randomness.html 45 - (Test suite) Added tests for GPG_NO_REQUIRE_PREFIX functionality and for 46 the expected GnuPG prefix. 25 47 26 48 fwknop-1.9.7 (08/24/2008): fwknop/trunk/fwknop
r1244 r1251 122 122 my $locale = 'C'; ### default LC_ALL env variable 123 123 my $no_locale = 0; 124 my $gpg_prefix = 'hQ'; ### base64 encoded version of 0x8502 125 my $gpg_path = ''; 124 126 125 127 ### User agent for contacting http://www.whatismyip.org/, (can … … 525 527 526 528 if ($debug) { 527 print "\n[+] Clear text message ( fields base64 encoded): $msg\n",529 print "\n[+] Clear text message (some fields base64 encoded): $msg\n", 528 530 " Digest: $total_digest\n"; 529 531 } … … 756 758 $gnupg->options->push_recipients($gpg_recipient); 757 759 760 if ($gpg_path) { 761 ### normally gpg is in the local path, but if not --gpg-path can 762 ### provide a custom path 763 $gnupg->call($gpg_path); 764 } 765 758 766 my ($input, $output, $error, $pw, $status) = 759 767 (IO::Handle->new(), … … 824 832 } 825 833 826 unless ($include_base64_gnupg_prefix) { 827 print "[+] Stripping encoded '0x8502' prefix (hQ) from ", 828 "outgoing encoded SPA packet.\n" if $debug; 829 $encoded_msg =~ s/^hQ//; 830 ### perl -MMIME::Base64 -e 'print encode_base64("\x85\x02\n")' 831 ### The 'magic' database (via the 'file') command identifies GnuPG 832 ### encrypted files as starting with 0x8502 834 if ($encoded_msg =~ /^$gpg_prefix/) { 835 unless ($include_base64_gnupg_prefix) { 836 print qq|[+] Stripping encoded "$gpg_prefix" prefix from |, 837 "outgoing encoded SPA packet.\n" if $debug; 838 ### perl -MMIME::Base64 -e 'print encode_base64("\x85\x02\n")' 839 ### The 'magic' database (via the 'file') command identifies GnuPG 840 ### encrypted files as starting with 0x8502 841 $encoded_msg =~ s/^$gpg_prefix//; 842 } 843 } else { 844 print 845 "[-] Warning: GnuPG encrypted SPA packet does not begin with: $gpg_prefix\n", 846 " It is recommend to set GPG_NO_PREFIX_ADD in access.conf on the fwknopd\n", 847 " server side.\n"; 833 848 } 834 849 … … 1413 1428 Term::ReadKey->import(qw/ReadMode ReadLine/); 1414 1429 1415 if ($debug) { 1416 print "[+] Term::ReadKey::VERSION $Term::ReadKey::VERSION\n", 
1417 " Net::IPv4Addr::VERSION $Net::IPv4Addr::VERSION\n"; 1418 } 1430 print "[+] Term::ReadKey::VERSION $Term::ReadKey::VERSION\n", 1431 if $debug; 1419 1432 1420 1433 return; … … 1644 1657 'gpg-agent-info=s' => \$gpg_agent_info, 1645 1658 'gpg-no-options' => \$gpg_no_options, 1659 'gpg-prefix=s' => \$gpg_prefix, 1660 'gpg-path=s' => \$gpg_path, 1646 1661 'quiet' => \$quiet, 1647 1662 'Forward-access=s' => \$NAT_access_str, … … 1935 1950 the local ~/.gnupg/options file for config 1936 1951 parameters. 1952 --gpg-prefix <bytes> - Change the bytes for the expected GnuPG 1953 prefix from 'hQ' to the specified string. 1954 --gpg-path <path> - Specify the path to the gpg command (not 1955 usually necessary if gpg is in your path). 1937 1956 -a, --allow-IP <IP> - IP to instruct the remote fwknop server to 1938 1957 allow through the firewall ruleset. fwknop/trunk/fwknop.conf
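Review bot: The warning added at lines 844-847 of the client tells the user to set `GPG_NO_PREFIX_ADD` in access.conf, but the server-side option this changeset introduces (and the ChangeLog documents) is `GPG_NO_REQUIRE_PREFIX`, so a user following the message would add a key fwknopd never parses; the line should read `" It is recommended to set GPG_NO_REQUIRE_PREFIX in access.conf on the fwknopd\n",`. Separately, `$gpg_prefix` comes straight from `--gpg-prefix=s` and is interpolated as a pattern in `/^$gpg_prefix/` and `s/^$gpg_prefix//` (lines 834 and 841), so a prefix containing regex metacharacters is matched as a pattern rather than as literal bytes; `\Q$gpg_prefix\E` in both places makes the comparison literal. The enclosing function starts and ends outside this hunk.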
r1231 r1251 311 311 312 312 ### system binaries 313 gpgCmd /usr/bin/gpg; 313 314 mailCmd /bin/mail; 314 315 shCmd /bin/sh; fwknop/trunk/fwknopd
r1244 r1251 105 105 my $gpg_agent_info = ''; 106 106 my $gpg_no_options = 0; 107 my $gpg_default_prefix = 'hQ'; ### base64 encoded 0x8502 107 108 my $build_ipt_config = 0; 108 109 my $skipped_first_loop = 0; … … 228 229 'GPG_HOME_DIR' => '', 229 230 'GPG_NO_OPTIONS' => 0, 230 'ULOG_PCAP' => '', 231 'FILE_PCAP' => '', 231 'GPG_NO_REQUIRE_PREFIX' => 0, 232 'GPG_PREFIX' => '', 233 'ULOG_PCAP' => '', 234 'FILE_PCAP' => '', 232 235 'DATA_COLLECT_MODE' => '', 233 236 'ENCRYPT_SEQUENCE' => '', … … 2263 2266 my $gpg_sign_id = ''; 2264 2267 2265 unless ($msg =~ /^hQ/) { 2266 print STDERR localtime() . " [+] Adding 'hQ' prefix to ", 2267 "base64-encoded message.\n" if $debug; 2268 $msg = 'hQ' . $msg; 2268 unless ($msg =~ /^$access_hr->{'GPG_PREFIX'}/) { 2269 if ($access_hr->{'GPG_NO_REQUIRE_PREFIX'}) { 2270 print STDERR localtime() . qq| [-] Incoming base64-encoded |, 2271 qq|SPA packet is not prefixed with: |, 2272 qq|"$access_hr->{'GPG_PREFIX'}"\n| if $debug; 2273 } else { 2274 print STDERR localtime() . qq| [+] Adding |, 2275 qq|"$access_hr->{'GPG_PREFIX'}" prefix to |, 2276 "base64-encoded message.\n" if $debug; 2277 $msg = $access_hr->{'GPG_PREFIX'} . $msg; 2278 } 2269 2279 } 2270 2280 … … 2296 2306 } 2297 2307 2298 ### look for the 0x8502 GnuPG prefix2299 unless ($base64_decoded_msg =~ /^\x85\x02/) {2300 if ($debug) {2301 print STDERR localtime() . " [-] base64-decoded data does not begin ",2302 "with 0x8502\n";2303 }2304 return $decrypt_rv, $decrypted_msg, $gpg_sign_id;2305 }2308 # ### look for the 0x8502 GnuPG prefix 2309 # unless ($base64_decoded_msg =~ /^\x85\x02/) { 2310 # if ($debug) { 2311 # print STDERR localtime() . " [-] base64-decoded data does not begin ", 2312 # "with 0x8502\n"; 2313 # } 2314 # return $decrypt_rv, $decrypted_msg, $gpg_sign_id; 2315 # } 2306 2316 2307 2317 print STDERR localtime() . 
" [+] Attempting GnuPG decrypt...\n" if $debug; … … 2324 2334 $gnupg->options->no_options() 2325 2335 if $gpg_no_options or $access_hr->{'GPG_NO_OPTIONS'}; 2336 2337 $gnupg->call($cmds{'gpg'}) if defined $cmds{'gpg'}; 2326 2338 2327 2339 my $input = IO::Handle->new() or die $!; … … 3461 3473 } elsif ($line =~ /^\s*GPG_REMOTE_ID:\s*(.*)\s*;/) { 3462 3474 unless ($imported_gpg) { 3475 &check_commands({'gpg' => ''}, {}); 3463 3476 require GnuPG::Interface; 3464 3477 print STDERR "[+] GnuPG::Interface::VERSION ", … … 3472 3485 } elsif ($line =~ /^\s*GPG_DECRYPT_ID:\s*(.*)\s*;/) { 3473 3486 unless ($imported_gpg) { 3487 &check_commands({'gpg' => ''}, {}); 3474 3488 require GnuPG::Interface; 3475 3489 print STDERR "[+] GnuPG::Interface::VERSION ", … … 3480 3494 } elsif ($line =~ /^\s*GPG_DECRYPT_PW:\s*(.*)\s*;/) { 3481 3495 unless ($imported_gpg) { 3496 &check_commands({'gpg' => ''}, {}); 3482 3497 require GnuPG::Interface; 3483 3498 print STDERR "[+] GnuPG::Interface::VERSION ", … … 3488 3503 } elsif ($line =~ /^\s*GPG_HOME_DIR:\s*(\S+)\s*;/) { 3489 3504 unless ($imported_gpg) { 3505 &check_commands({'gpg' => ''}, {}); 3490 3506 require GnuPG::Interface; 3491 3507 print STDERR "[+] GnuPG::Interface::VERSION ", … … 3501 3517 $access_hsh{'GPG_NO_OPTIONS'} = 0; 3502 3518 } 3519 } elsif ($line =~ /^\s*GPG_NO_REQUIRE_PREFIX:\s*(\S+);/) { 3520 my $val = $1; 3521 if ($val =~ /y/i) { 3522 $access_hsh{'GPG_NO_REQUIRE_PREFIX'} = 1; 3523 } else { 3524 $access_hsh{'GPG_NO_REQUIRE_PREFIX'} = 0; 3525 } 3526 } elsif ($line =~ /^\s*GPG_PREFIX:\s*(\S+);/) { 3527 $access_hsh{'GPG_PREFIX'} = $1; 3503 3528 } elsif ($line =~ /^\s*FILE_PCAP\s*;/) { 3504 3529 ### used in file pcap mode … … 3876 3901 } 3877 3902 $gpg_mode = 1 if defined $access_hr->{'GPG_REMOTE_ID'}; 3903 if ($gpg_mode) { 3904 $access_hr->{'GPG_PREFIX'} = $gpg_default_prefix 3905 unless defined $access_hr->{'GPG_PREFIX'}; 3906 } 3878 3907 if (defined ($access_hr->{'REQUIRE_AUTH_METHOD'})) { 3879 3908 unless 
(lc($access_hr->{'REQUIRE_AUTH_METHOD'}) eq 'crypt') { … … 3992 4021 ### check paths to commands and attempt to correct if any are wrong. 3993 4022 sub check_commands() { 4023 my ($include_hr, $exclude_hr) = @_; 4024 4025 if ($debug and $verbose) { 4026 print STDERR "[+] check_commands() include/exclude hrefs:\n", 4027 Dumper($include_hr), Dumper $exclude_hr; 4028 } 4029 3994 4030 my @path = qw( 3995 4031 /bin … … 4002 4038 for my $cmd (keys %cmds) { 4003 4039 4040 if ($include_hr) { 4041 next unless defined $include_hr->{$cmd}; 4042 } 4043 if ($exclude_hr) { 4044 next if defined $exclude_hr->{$cmd}; 4045 } 4046 4004 4047 if ($cmd eq 'iptables') { 4005 4048 next unless $config{'FIREWALL_TYPE'} eq 'iptables'; 4006 4049 } elsif ($cmd eq 'ipfw') { 4007 4050 next unless $config{'FIREWALL_TYPE'} eq 'ipfw'; 4051 } 4052 4053 if ($cmd eq 'mknod') { 4054 next unless $config{'AUTH_MODE'} eq 'KNOCK'; 4008 4055 } 4009 4056 … … 4018 4065 } 4019 4066 unless ($found) { 4020 die "[*] Could not find $cmd anywhere !!!Please edit the\n",4067 die "[*] Could not find $cmd anywhere. Please edit the\n", 4021 4068 "config section in $config_file to include the path to\n", 4022 4069 "$cmd."; … … 4163 4210 4164 4211 ### make sure command paths are correct 4165 &check_commands( ) unless $os_fprint_only;4212 &check_commands({}, {'gpg' => ''}) unless $os_fprint_only; 4166 4213 4167 4214 if ($fw_del_ip) { fwknop/trunk/test/conf/blacklist_dashA_IP_fwknop.conf
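Review bot: The startup call `&check_commands({}, {'gpg' => ''})` at line 4212 passes an empty hashref as the include set, and in the new filter at lines 4040-4042 a reference is always true, so `next unless defined $include_hr->{$cmd}` skips every command and the path check at startup no longer verifies anything; the guards should test for a non-empty set, `if ($include_hr and keys %$include_hr) {` and likewise `if ($exclude_hr and keys %$exclude_hr) {`. At line 2268 the access.conf value `GPG_PREFIX` is interpolated unescaped into `/^$access_hr->{'GPG_PREFIX'}/`, so regex metacharacters in the configured prefix change the match; `\Q$access_hr->{'GPG_PREFIX'}\E` keeps it a literal comparison. The former 0x8502 check at lines 2308-2315 is left as commented-out code; either delete it (the revision history keeps it) or replace it with a one-line comment explaining why the decoded-prefix check is no longer performed when GPG_NO_REQUIRE_PREFIX is in effect. The decrypt routine and the access.conf parser both start and end outside these hunks.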
r1243 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/blacklist_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/default_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/filter_62203_fwknop.conf
r1231 r1251 98 98 ### system binaries 99 99 mailCmd /bin/mail; 100 gpgCmd /usr/bin/gpg; 100 101 shCmd /bin/sh; 101 102 mknodCmd /bin/mknod; fwknop/trunk/test/conf/forward_chain_fwknop.conf
r1231 r1251 100 100 ### system binaries 101 101 mailCmd /bin/mail; 102 gpgCmd /usr/bin/gpg; 102 103 shCmd /bin/sh; 103 104 mknodCmd /bin/mknod; fwknop/trunk/test/conf/md5_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/no_local_nat_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/no_promisc_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/output_chain_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/pcap_file_fwknop.conf
r1231 r1251 100 100 ### system binaries 101 101 mailCmd /bin/mail; 102 gpgCmd /usr/bin/gpg; 102 103 shCmd /bin/sh; 103 104 mknodCmd /bin/mknod; fwknop/trunk/test/conf/pk_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/rand_port_fwknop.conf
r1231 r1251 98 98 ### system binaries 99 99 mailCmd /bin/mail; 100 gpgCmd /usr/bin/gpg; 100 101 shCmd /bin/sh; 101 102 mknodCmd /bin/mknod; fwknop/trunk/test/conf/sha1_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/sha256_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/conf/spa_aging_fwknop.conf
r1231 r1251 101 101 ### system binaries 102 102 mailCmd /bin/mail; 103 gpgCmd /usr/bin/gpg; 103 104 shCmd /bin/sh; 104 105 mknodCmd /bin/mknod; fwknop/trunk/test/fwknop_test.pl
r1244 r1251 62 62 my $rand_port_fwknop_conf = "$conf_dir/rand_port_fwknop.conf"; 63 63 my $gpg_access_conf = "$conf_dir/gpg_access.conf"; 64 my $gpg_access_no_prefix_conf = "$conf_dir/gpg_access_no_prefix.conf"; 64 65 my $no_promisc_fwknop_conf = "$conf_dir/no_promisc_fwknop.conf"; 65 66 my $excluded_net_access_conf = "$conf_dir/excluded_net_access.conf"; … … 83 84 my $localhost = '127.0.0.1'; 84 85 my $allow_src = '127.0.0.2'; 86 87 my $gpg_server_key = '361BBAD4'; 88 my $gpg_client_key = '6A3FAD56'; 85 89 86 90 my $sniff_alarm = 20; … … 477 481 &fw_sleep('(GnuPG)'); 478 482 &test_driver('(GnuPG) Firewall access rules removed', \&fw_rules_removed); 479 &test_driver('(GnuPG) Stopping all running fwknopd processes', \&stop_fwknopd); 483 &test_driver('(GnuPG) Stopping all running fwknopd processes', 484 \&stop_fwknopd); 485 486 &test_driver('(GnuPG) Excluding prefix config', 487 \&gpg_sniff_decrypt_no_prefix_add); 488 &test_driver('(GnuPG) Making sure firewall rules do not exist', 489 \&fw_rules_removed); 490 &stop_fwknopd_quiet('(GnuPG)'); 491 492 &test_driver('(GnuPG) Generating SPA packet with 0x8502 prefix', 493 \&SPA_gpg_access_packet_with_prefix); 494 &test_driver('(GnuPG) Sniffing SPA access packet to acquire access', 495 \&gpg_sniff_decrypt); 496 &test_driver('(GnuPG) Verifying sniffed SPA access packet format', 497 \&spa_access_format); 498 &test_driver('(GnuPG) Firewall access rules exist', \&fw_rules_exist); 499 &fw_sleep('(GnuPG)'); 500 &test_driver('(GnuPG) Firewall access rules removed', \&fw_rules_removed); 501 &test_driver('(GnuPG) Stopping all running fwknopd processes', 502 \&stop_fwknopd); 480 503 } 481 504 … … 907 930 or die "[*] Could not open $current_test_file: $!"; 908 931 while (<SE>) { 909 ### look for error condition932 ### FIXME look for error condition 910 933 } 911 934 close SE; … … 922 945 or die "[*] Could not open $current_test_file: $!"; 923 946 while (<SE>) { 924 ### look for error condition947 ### FIXME look for error condition 925 
948 } 926 949 close SE; … … 1450 1473 } 1451 1474 1475 sub gpg_sniff_decrypt_no_prefix_add() { 1476 1477 if (&run_fwknopd($cache_encrypted_spa_packet, 1478 $default_fwknop_conf, $gpg_access_no_prefix_conf)) { 1479 1480 ### now that fwknopd has exited, see if the SPA packet was valid 1481 open SE, "< $current_test_file" 1482 or die "[*] Could not open $current_test_file: $!"; 1483 while (<SE>) { 1484 if (/\s+is\s+not\s+prefixed/i) { 1485 close SE; 1486 return 1; 1487 } 1488 } 1489 close SE; 1490 return &print_errors("[-] fwknopd accepted SPA packet without prefix"); 1491 } 1492 return &print_errors("[-] Sniff alarm ($sniff_alarm seconds) expired"); 1493 } 1494 1452 1495 sub gpg_sniff_decrypt() { 1453 1496 … … 1462 1505 ### [-] Key mis-match or broken message checksum for SOURCE \ 1463 1506 ### ANY (# 1 in access.conf) 1507 close SE; 1464 1508 return &print_errors("[-] Key mis-match"); 1465 1509 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 1466 1510 ### [-] Decrypted message does not conform to a valid SPA packet 1511 close SE; 1467 1512 return &print_errors("[-] Invalid SPA packet"); 1468 1513 } … … 1495 1540 ### [-] Key mis-match or broken message checksum for SOURCE \ 1496 1541 ### ANY (# 1 in access.conf) 1542 close SE; 1497 1543 return &print_errors("[-] Key mis-match"); 1498 1544 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 1499 1545 ### [-] Decrypted message does not conform to a valid SPA packet 1546 close SE; 1500 1547 return &print_errors("[-] Invalid SPA packet"); 1501 1548 } … … 1519 1566 ### [-] Key mis-match or broken message checksum for SOURCE \ 1520 1567 ### ANY (# 1 in access.conf) 1568 close SE; 1521 1569 return &print_errors("[-] Key mis-match"); 1522 1570 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 1523 1571 ### [-] Decrypted message does not conform to a valid SPA packet 1572 close SE; 1524 1573 return &print_errors("[-] Invalid SPA packet"); 1525 1574 } elsif (/Unable\s+to\s+compile\s+packet\s+capture/) { 1575 close SE; 1526 1576 
return &print_errors("[-] Could not compile pcap filter, " . 1527 1577 "upgrade libpcap?"); … … 1547 1597 ### [-] Key mis-match or broken message checksum for SOURCE \ 1548 1598 ### ANY (# 1 in access.conf) 1599 close SE; 1549 1600 return &print_errors("[-] Key mis-match"); 1550 1601 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 1551 1602 ### [-] Decrypted message does not conform to a valid SPA packet 1603 close SE; 1552 1604 return &print_errors("[-] Invalid SPA packet"); 1553 1605 } … … 1579 1631 ### [-] Key mis-match or broken message checksum for SOURCE \ 1580 1632 ### ANY (# 1 in access.conf) 1633 close SE; 1581 1634 return &print_errors("[-] Key mis-match"); 1582 1635 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 1583 1636 ### [-] Decrypted message does not conform to a valid SPA packet 1637 close SE; 1584 1638 return &print_errors("[-] Invalid SPA packet"); 1585 1639 } … … 2248 2302 sub SPA_gpg_access_packet() { 2249 2303 return &get_access_packet("$default_fwknop_args " . 2250 "--gpg-home conf/client-gpg --gpg-recip 361BBAD4 " . 2251 "--gpg-sign 6A3FAD56 --gpg-no-options", $NO_QUIET); 2304 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 2305 "--gpg-sign $gpg_client_key --gpg-no-options", $NO_QUIET); 2306 } 2307 2308 sub SPA_gpg_access_packet_with_prefix() { 2309 return &get_access_packet("$default_fwknop_args " . 2310 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 2311 "--gpg-sign $gpg_client_key --gpg-no-options " . 
2312 "--Include-gpg-prefix", 2313 $NO_QUIET); 2252 2314 } 2253 2315 … … 2497 2559 ### [-] Key mis-match or broken message checksum for SOURCE \ 2498 2560 ### ANY (# 1 in access.conf) 2561 close SE; 2499 2562 return &print_errors("[-] Key mis-match"); 2500 2563 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 2501 2564 ### [-] Decrypted message does not conform to a valid SPA packet 2565 close SE; 2502 2566 return &print_errors("[-] Invalid SPA packet"); 2503 2567 } … … 2521 2585 ### [-] Key mis-match or broken message checksum for SOURCE \ 2522 2586 ### ANY (# 1 in access.conf) 2587 close SE; 2523 2588 return &print_errors("[-] Key mis-match"); 2524 2589 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 2525 2590 ### [-] Decrypted message does not conform to a valid SPA packet 2591 close SE; 2526 2592 return &print_errors("[-] Invalid SPA packet"); 2527 2593 } … … 2547 2613 ### ANY (# 1 in access.conf) 2548 2614 $found_err = 1; 2549 last; 2550 return &print_errors("[-] Key mis-match"); 2615 last; 2551 2616 } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) { 2552 2617 ### [-] Decrypted message does not conform to a valid SPA packet 2553 return &print_errors("[-] Invalid SPA packet");2554 2618 $found_err = 1; 2555 last; 2619 last; 2556 2620 } 2557 2621 }
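Review bot: The new `gpg_sniff_decrypt_no_prefix_add` (lines 1475-1493) passes only when fwknopd logs a line matching `/\s+is\s+not\s+prefixed/i`, and in the fwknopd change that message is printed only `if $debug`, so the test presumably depends on `run_fwknopd` enabling debug output; a comment on the match such as `### matches the fwknopd debug line "[-] Incoming base64-encoded SPA packet is not prefixed with: ..."` would make that coupling explicit. The failure message `"[-] fwknopd accepted SPA packet without prefix"` describes a different condition from the one actually checked (the log line was absent); `"[-] fwknopd did not report the missing GnuPG prefix"` matches what the loop tests. The sub also uses the file's existing 2-arg bareword `open SE, "< $current_test_file"`, which is why this changeset has to add a `close SE` before every early return; `open my $fh, '<', $current_test_file or die ...` with a lexical handle would close on scope exit and remove that repetition in new code.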
