Changeset 1266
- Timestamp:
- 09/29/08 23:36:50 (2 months ago)
- Files:
-
- fwknop/trunk/ChangeLog (modified) (2 diffs)
- fwknop/trunk/fwknop (modified) (6 diffs)
- fwknop/trunk/fwknop.8 (modified) (1 diff)
- fwknop/trunk/fwknopd (modified) (6 diffs)
- fwknop/trunk/fwknopd.8 (modified) (1 diff)
- fwknop/trunk/test/fwknop_test.pl (modified) (4 diffs)
fwknop/trunk/ChangeLog
r1264 r1266 14 14 /usr/bin/gpg), and another SOURCE stanza to apply to another gpg binary 15 15 (say /usr/bin/gpg2). 16 - Bugfix to make sure that neither fwknop nor fwknopd reference any 17 options file in GnuPG mode, and this is now the default (which overrides 18 the now unnecessary --gpg-no-options arg). There is a new option 19 --gpg-use-options to restore the usage of an options file by GnuPG (not 20 normally needed). 16 21 - Added '--gpg-prefix <bytes>' to the fwknop client so that the 17 22 predictable prefix for GnuPG encrypted data can be changed. Normally … … 52 57 53 58 http://www.cipherdyne.org/blog/2008/09/visualizing-spa-packet-randomness.html 59 54 60 - (Test suite) Added tests for GPG_NO_REQUIRE_PREFIX functionality and for 55 61 the expected GnuPG prefix. fwknop/trunk/fwknop
r1262 r1266 97 97 my $client_src_port = 0; 98 98 my $gpg_default_key = 0; 99 my $gpg_use_options = 0; 99 100 my $err_wait_timer = 30; ### seconds 100 101 my $resolve_ip_url = 'http://www.whatismyip.org/'; … … 721 722 my %gnupg_options = ( 722 723 'batch' => 1, 723 'homedir' => $gpg_home_dir 724 'homedir' => $gpg_home_dir, 725 'no_options' => 1 724 726 ); 725 727 726 728 delete $gnupg_options{'batch'} if $gpg_verbose; 729 delete $gnupg_options{'no_options'} if $gpg_use_options; 727 730 728 731 $gnupg->options->hash_init(%gnupg_options); 729 730 $gnupg->options->no_options() if $gpg_no_options;731 732 732 733 ### if --gpg-default-key is given, then we trust that the user has 733 734 ### set the default key with the default-key variable in ~/.gnupg/options 734 ### and --no-gpg-options is not used on the fwknop command line. 735 $gnupg->options->default_key($gpg_signing_key) unless $gpg_default_key; 735 ### and we need to enable options 736 if ($gpg_default_key) { 737 delete $gnupg_options{'no_options'} 738 if defined delete $gnupg_options{'no_options'}; 739 } else { 740 $gnupg->options->default_key($gpg_signing_key); 741 } 736 742 737 743 $gnupg->options->push_recipients($gpg_recipient); … … 1636 1642 'gpg-agent-info=s' => \$gpg_agent_info, 1637 1643 'gpg-no-options' => \$gpg_no_options, 1644 'gpg-use-options' => \$gpg_use_options, 1638 1645 'gpg-prefix=s' => \$gpg_prefix, 1639 1646 'gpg-path=s' => \$gpg_path, … … 1905 1912 if (($gpg_default_key or $gpg_signing_key) and not $gpg_recipient); 1906 1913 1907 die "[*] Cannot assume a default key when --gpg-no-options is used."1908 if ($gpg_default_key and $gpg_no_options);1909 1910 1914 die "[*] Cannot spoof source address for a real TCP socket." 1911 1915 if ($spoof_src and $spa_established_tcp); … … 1917 1921 die "[*] $gpg_path does not exist." unless -e $gpg_path; 1918 1922 die "[*] $gpg_path not executable." 
unless -x $gpg_path; 1923 } 1924 1925 if ($gpg_no_options) { 1926 print "[-] Options are disabled by default, so --gpg-no-options ", 1927 "is not used.\n"; 1919 1928 } 1920 1929 return; … … 1959 1968 'gpg-agent --daemon'. 1960 1969 --gpg-verbose - Display all output from GnuPG process. 1961 --gpg- no-options - In GnuPG mode, instruct GnuPG to not use1962 thelocal ~/.gnupg/options file for config1963 parameters .1970 --gpg-use-options - In GnuPG mode, instruct GnuPG to use the 1971 local ~/.gnupg/options file for config 1972 parameters (this is disabled by default). 1964 1973 --gpg-prefix <bytes> - Change the bytes for the expected GnuPG 1965 1974 prefix from 'hQ' to the specified string. fwknop/trunk/fwknop.8
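Review bot: In the client's GnuPG setup hunk, the `--gpg-default-key` branch deletes `$gnupg_options{'no_options'}` only after `$gnupg->options->hash_init(%gnupg_options)` has already run, so the GnuPG object keeps no_options and the options file that holds the default key is still never consulted, contrary to the comment above it. The `delete ... if defined delete ...` form is also redundant, since the inner delete already removes the key. Make the decision before hash_init instead: change the earlier line to `delete $gnupg_options{'no_options'} if $gpg_use_options or $gpg_default_key;` and reduce the later block to `$gnupg->options->default_key($gpg_signing_key) unless $gpg_default_key;`. The enclosing subroutine starts and ends outside the hunk.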
r1250 r1266 277 277 purposes if it appears that the GnuPG encrypt/decrypt is not performing correctly. 278 278 .TP 279 .BR \-\^\-gpg-no-options 280 Instruct 281 .B fwknop 282 to not have 283 .B gpg 284 reference any options file when creating SPA packets in GnuPG mode. 279 .BR \-\^\-gpg-use-options 280 By default the 281 .B fwknop 282 client instructs gpg to not reference any options file in gpg mode, but this 283 command line argument can be used to re-enable them. 285 284 .TP 286 285 .BR \-\^\-Home-dir\ \<dir> fwknop/trunk/fwknopd
r1265 r1266 105 105 my $gpg_agent_info = ''; 106 106 my $gpg_no_options = 0; 107 my $gpg_use_options = 0; 107 108 my $gpg_default_prefix = 'hQ'; ### base64 encoded 0x8502 108 109 my $build_ipt_config = 0; … … 229 230 'GPG_HOME_DIR' => '', 230 231 'GPG_NO_OPTIONS' => 0, 232 'GPG_USE_OPTIONS' => 0, 231 233 'GPG_NO_REQUIRE_PREFIX' => 0, 232 234 'GPG_PREFIX' => '', … … 2341 2343 my %gnupg_options = ( 2342 2344 'batch' => 1, 2343 'homedir' => $access_hr->{'GPG_HOME_DIR'} 2345 'homedir' => $access_hr->{'GPG_HOME_DIR'}, 2346 'no_options' => 1 2344 2347 ); 2345 2348 2346 2349 delete $gnupg_options{'batch'} if ($debug and $verbose and not $test_mode); 2350 delete $gnupg_options{'batch'} if $access_hr->{'GPG_USE_OPTIONS'}; 2347 2351 2348 2352 $gnupg->options->hash_init(%gnupg_options); 2349 2350 $gnupg->options->no_options()2351 if $gpg_no_options or $access_hr->{'GPG_NO_OPTIONS'};2352 2353 2353 2354 if ($access_hr->{'GPG_PATH'}) { … … 3551 3552 } else { 3552 3553 $access_hsh{'GPG_NO_OPTIONS'} = 0; 3554 } 3555 } elsif ($line =~ /^\s*GPG_USE_OPTIONS:\s*(\S+);/) { 3556 my $val = $1; 3557 if ($val =~ /y/i) { 3558 $access_hsh{'GPG_USE_OPTIONS'} = 1; 3559 } else { 3560 $access_hsh{'GPG_USE_OPTIONS'} = 0; 3553 3561 } 3554 3562 } elsif ($line =~ /^\s*GPG_NO_REQUIRE_PREFIX:\s*(\S+);/) { … … 3950 3958 $access_hr->{'GPG_PATH'} = '' 3951 3959 unless defined $access_hr->{'GPG_PATH'}; 3960 $access_hr->{'GPG_NO_OPTIONS'} = 0 3961 unless defined $access_hr->{'GPG_NO_OPTIONS'}; 3962 $access_hr->{'GPG_USE_OPTIONS'} = 0 3963 unless defined $access_hr->{'GPG_USE_OPTIONS'}; 3952 3964 unless ($access_hr->{'GPG_PATH'}) { 3953 3965 &check_commands({'gpg' => ''}, {}); … … 4048 4060 'gpg-agent-info=s' => \$gpg_agent_info, 4049 4061 'gpg-no-options' => \$gpg_no_options, 4062 'gpg-use-options' => \$gpg_use_options, 4050 4063 'debug' => \$debug, 4051 4064 'Kill' => \$kill, fwknop/trunk/fwknopd.8
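Review bot: The line added after the batch-mode delete in the decrypt setup, `delete $gnupg_options{'batch'} if $access_hr->{'GPG_USE_OPTIONS'};`, removes the wrong key: GPG_USE_OPTIONS is meant to re-enable the options file, but this leaves `no_options` set and instead drops batch mode, which in a daemon means gpg may stall on an interactive prompt. It should read `delete $gnupg_options{'no_options'} if $access_hr->{'GPG_USE_OPTIONS'};`. The removed code also honored the command-line `$gpg_no_options`; the new `--gpg-use-options` flag is parsed into `$gpg_use_options` in the last hunk of this section but, from the hunks shown here, is never consulted, so the same condition presumably wants `or $gpg_use_options` as well. The enclosing subroutine starts and ends outside the hunk.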
r1255 r1266 214 214 then fwknopd will default to using the /root/.gnupg directory for the server key(s). 215 215 .TP 216 .B GPG_NO_OPTIONS 217 Make sure that GnuPG does not reference any options file when decrypting incoming 218 SPA packets that have been encrypted with GnuPG by the fwknop client. 216 .B GPG_USE_OPTIONS 217 By default, 218 .B fwknopd 219 instructs gpg to not reference any options file when decrypting incoming 220 SPA packets that have been encrypted with GnuPG by the fwknop client. This argument 221 re-enables options in gpg. 219 222 .TP 220 223 .B GPG_NO_REQUIRE_PREFIX fwknop/trunk/test/fwknop_test.pl
r1264 r1266 182 182 'loopback-intf=s' => \$loopback_intf, 183 183 'test-include=s' => \$test_include, 184 'include=s' => \$test_include, ### synonym 184 185 'test-exclude=s' => \$test_exclude, 186 'exclude=s' => \$test_exclude, ### synonym 185 187 'test-system-fwknop' => \$test_system_installed_fwknop, 186 188 'help' => \$help … … 2367 2369 return &get_access_packet("$default_fwknop_args " . 2368 2370 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 2369 "--gpg-sign $gpg_client_key --gpg-no-options", $NO_QUIET);2371 "--gpg-sign $gpg_client_key", $NO_QUIET); 2370 2372 } 2371 2373 … … 2373 2375 return &get_access_packet("$default_fwknop_args " . 2374 2376 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 2375 "--gpg-sign $gpg_client_key --gpg-no-options " . 2376 "--Include-gpg-prefix", 2377 "--gpg-sign $gpg_client_key --Include-gpg-prefix", 2377 2378 $NO_QUIET); 2378 2379 } … … 2381 2382 return &get_access_packet("$default_fwknop_args " . 2382 2383 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 2383 "--gpg-sign $gpg_client_key --gpg- no-options " .2384 "--gpg-path $gpg2Cmd",$NO_QUIET);2384 "--gpg-sign $gpg_client_key --gpg-path $gpg2Cmd", 2385 $NO_QUIET); 2385 2386 } 2386 2387
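Review bot: None of the test changes exercises the new `--gpg-use-options` client flag or the `GPG_USE_OPTIONS` access.conf directive; the three GPG access-packet helpers only drop `--gpg-no-options`, so they cover the new default but not the path that re-enables the options file. A companion test that sets `GPG_USE_OPTIONS: Y;` on the server side and still decrypts a client packet would pin that behaviour. The helper subroutines are cut at both edges of the hunks shown.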
