Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1464

Timestamp:

06/17/09 23:55:49 (9 months ago)

Author:

mbr

Message:

major update to fwknopd to support the FKO module

Location:

fwknop/trunk

Files:

: 2 modified

fwknop (modified) (3 diffs)
fwknopd (modified) (24 diffs)

Legend:

: Unmodified
: Added
: Removed

fwknop/trunk/fwknop

r1463	r1464
476	476	### initialize the FKO object if we are using the FKO module
477	477	if ($use_fko_module) {
478		$fko_obj = FKO->new() or die "[*] Could not acquire FKO object: $!";
	478	$fko_obj = FKO->new()
	479	or die "[*] Could not acquire FKO object: $FKO::error_str";
479	480	if ($debug) {
480	481	print "[+] Using libfko functions via the FKO module.\n";
…	…
520	521	$msg .= &SPA_digest($msg);
521	522
	523	my $encrypted_msg = '';
	524
522	525	### encrypt the SPA packet using the FKO module
523		return &fko_encrypt() if $use_fko_module;
	526	if ($use_fko_module) {
	527	$encrypted_msg = &fko_encrypt();
	528	$fko_obj->destroy();
	529	return $encrypted_msg;
	530	}
524	531
525	532	if ($debug) {
…	…
528	535	}
529	536
530		~~my $encrypted_msg = '';~~
531	537	if ($gpg_signing_key or $gpg_recipient) {
532	538	$encrypted_msg = &pcap_GPG_encrypt_msg($msg);

fwknop/trunk/fwknopd

r1454	r1464
108	108	my $skip_fko_module = 0;
109	109	my $use_fko_module = 0;
	110	my $fko_obj = ();
110	111	my $cmdl_disable_gpg = 0;
111	112	my $cmdline_fwknop_serv = '';
…	…
199	200	my $SHA1_DIGEST_LEN = 27;
200	201	my $MD5_DIGEST_LEN = 22;
	202	my $FKO_RECOMPUTE = 1;
201	203
202	204	### logr constants
…	…
699	701
700	702	### see if we can decrypt and base64-decode
	703	&fko_acquire_object() if $use_fko_module;
701	704	my ($decrypt_rv, $decrypted_msg, $gpg_sign_id, $decrypt_algo)
702	705	= &SPA_decrypt($pkt_data, $enc_msg_len, $access_hr);
703		next SOURCE unless $decrypt_rv;
	706
	707	unless ($decrypt_rv) {
	708	&fko_destroy_object() if $use_fko_module;
	709	next SOURCE;
	710	}
704	711
705	712	### check for replay attacks
706	713	my ($digest_rv, $digest)
707	714	= &check_replay_attack($decrypted_msg, $src_ip);
708		return if $digest_rv;
	715	if ($digest_rv) {
	716	&fko_destroy_object() if $use_fko_module;
	717	return;
	718	}
709	719
710	720	### see if we have a syntactically valid message
…	…
715	725	"conform to a valid SPA packet.\n";
716	726	}
717		next SOURCE unless $validate_rv;
	727	unless ($validate_rv) {
	728	&fko_destroy_object() if $use_fko_module;
	729	next SOURCE;
	730	}
718	731
719	732	### check to see if client side time stamp is too old
720	733	my $time_check_rv = &SPA_check_packet_age($msg_hr->{'remote_time'});
	734	unless ($validate_rv) {
	735	&fko_destroy_object() if $use_fko_module;
	736	next SOURCE;
	737	}
721	738	next SOURCE unless $time_check_rv;
722	739
…	…
726	743	### check username
727	744	next SOURCE unless &SPA_check_user($access_hr, $src_ip, $msg_hr);
	745	unless ($validate_rv) {
	746	&fko_destroy_object() if $use_fko_module;
	747	next SOURCE;
	748	}
728	749
729	750	### check authentication method
730		next SOURCE unless &SPA_check_auth_method(
731		$access_hr, $src_ip, $msg_hr);
	751	unless (&SPA_check_auth_method($access_hr, $src_ip, $msg_hr)) {
	752	&fko_destroy_object() if $use_fko_module;
	753	next SOURCE;
	754	}
732	755
733	756	if ($msg_hr->{'action_type'} == $SPA_ACCESS_MODE
…	…
740	763	if (&SPA_access($msg_hr, $src_ip, $decrypt_algo,
741	764	$gpg_sign_id, $digest, $access_hr)) {
	765	&fko_destroy_object() if $use_fko_module;
742	766	last SOURCE;
743	767	} else {
	768	&fko_destroy_object() if $use_fko_module;
744	769	next SOURCE;
745	770	}
…	…
747	772	if (&SPA_cmd($msg_hr, $src_ip, $decrypt_algo,
748	773	$gpg_sign_id, $digest, $access_hr)) {
	774	&fko_destroy_object() if $use_fko_module;
749	775	last SOURCE;
750	776	} else {
	777	&fko_destroy_object() if $use_fko_module;
751	778	next SOURCE;
752	779	}
…	…
795	822	my $decrypt_rv = 0;
796	823
797		if (not $cmdl_disable_gpg and $enc_msg_len > $config{'MIN_GNUPG_MSG_SIZE'}
	824	if (not $cmdl_disable_gpg
	825	and $enc_msg_len > $config{'MIN_GNUPG_MSG_SIZE'}
798	826	and defined $access_hr->{'GPG_REMOTE_ID'}) {
799	827	### attempt GPG decrypt (only if the length of the encrypted
…	…
818	846
819	847	if ($decrypt_rv) {
820		if ($debug) {
	848	if ($debug and not $use_fko_module) {
821	849	### make sure not to print non-printable stuff
822	850	my $dec_tmp_msg = $decrypted_msg;
…	…
1418	1446
1419	1447	if ($config{'DIGEST_TYPE'} eq 'ALL') {
1420		push @digests, sha256_base64($decrypted_data);
1421		push @digests, sha1_base64($decrypted_data);
1422		push @digests, md5_base64($decrypted_data);
	1448	if ($use_fko_module) {
	1449	for my $digest_type (FKO->FKO_DIGEST_SHA256,
	1450	FKO->FKO_DIGEST_SHA1,
	1451	FKO->FKO_DIGEST_MD5) {
	1452	my $digest = &fko_compute_digest($digest_type);
	1453	if ($digest) {
	1454	push @digests, $digest;
	1455	} else {
	1456	return 1, '';
	1457	}
	1458	}
	1459	} else {
	1460	push @digests, sha256_base64($decrypted_data);
	1461	push @digests, sha1_base64($decrypted_data);
	1462	push @digests, md5_base64($decrypted_data);
	1463	}
1423	1464	} else {
1424	1465	if ($config{'DIGEST_TYPE'} =~ /SHA256/) {
1425		push @digests, sha256_base64($decrypted_data);
	1466	if ($use_fko_module) {
	1467	my $digest = &fko_compute_digest(FKO->FKO_DIGEST_SHA256);
	1468	if ($digest) {
	1469	push @digests, $digest;
	1470	} else {
	1471	return 1, '';
	1472	}
	1473	} else {
	1474	push @digests, sha256_base64($decrypted_data);
	1475	}
1426	1476	}
1427	1477	if ($config{'DIGEST_TYPE'} =~ /SHA1/) {
1428		push @digests, sha1_base64($decrypted_data);
	1478	if ($use_fko_module) {
	1479	my $digest = &fko_compute_digest(FKO->FKO_DIGEST_SHA1);
	1480	if ($digest) {
	1481	push @digests, $digest;
	1482	} else {
	1483	return 1, '';
	1484	}
	1485	} else {
	1486	push @digests, sha1_base64($decrypted_data);
	1487	}
1429	1488	}
1430	1489	if ($config{'DIGEST_TYPE'} =~ /MD5/) {
1431		push @digests, md5_base64($decrypted_data);
	1490	if ($use_fko_module) {
	1491	my $digest = &fko_compute_digest(FKO->FKO_DIGEST_MD5);
	1492	if ($digest) {
	1493	push @digests, $digest;
	1494	} else {
	1495	return 1, '';
	1496	}
	1497	} else {
	1498	push @digests, md5_base64($decrypted_data);
	1499	}
1432	1500	}
1433	1501	}
…	…
1467	1535	}
1468	1536	return $rv, $disk_write_digest;
	1537	}
	1538
	1539	sub fko_acquire_object() {
	1540
	1541	&fko_destroy_object() if $fko_obj;
	1542
	1543	### initialize the FKO object
	1544	$fko_obj = FKO->new()
	1545	or die "[*] Could not acquire FKO object: ", FKO->error_str;
	1546
	1547	if ($debug) {
	1548	print STDERR localtime() . " [+] Using libfko ",
	1549	"functions via the FKO module.\n";
	1550	}
	1551	return;
	1552	}
	1553
	1554	sub fko_destroy_object() {
	1555	$fko_obj->destroy();
	1556	$fko_obj = ();
	1557	return;
	1558	}
	1559
	1560	sub fko_compute_digest() {
	1561	my $digest_type = shift;
	1562
	1563	my $fko_err = $fko_obj->digest_type($digest_type);
	1564	if ($fko_err) {
	1565	&logr('[-]', "FKO error setting digest type " .
	1566	"$digest_type: " . $fko_obj->errstr($fko_err),
	1567	$NO_MAIL);
	1568	}
	1569	my $digest = $fko_obj->spa_digest($FKO_RECOMPUTE);
	1570	unless ($digest) {
	1571	&logr('[-]', "FKO error computing digest: " .
	1572	$fko_obj->errstr($fko_err),
	1573	$NO_MAIL);
	1574	return 0;
	1575	}
	1576	return $digest;
1469	1577	}
1470	1578
…	…
1590	1698	);
1591	1699
	1700	my @fields = ();
	1701	my $fko_err = 0;
	1702
1592	1703	### the last field in the SPA packet is the digest, so see if it
1593	1704	### checks out first (this is the internal digest, not the digest that
…	…
1601	1712	}
1602	1713
1603		my @fields = split /:/, $msg;
1604
1605		unless (@fields) {
1606		print STDERR localtime() . " [-] Could not split decrypted ",
1607		"message into an array.\n" if $debug;
	1714	unless ($use_fko_module) {
	1715	@fields = split /:/, $msg;
	1716
	1717	unless (@fields) {
	1718	print STDERR localtime() . " [-] Could not split decrypted ",
	1719	"message into an array.\n" if $debug;
	1720	return 0, {};
	1721	}
	1722
	1723	if ($debug and $verbose) {
	1724	print STDERR localtime() . " [+] Packet array:\n", Dumper @fields;
	1725	}
	1726
	1727	unless ($#fields+1 >= $SPA_MIN_PACKET_FIELDS
	1728	and $#fields+1 <= $SPA_MAX_PACKET_FIELDS) {
	1729	print STDERR localtime() . " [-] Invalid number of fields in ",
	1730	"SPA packet, expected $SPA_MIN_PACKET_FIELDS-",
	1731	"$SPA_MAX_PACKET_FIELDS, got " . ($#fields+1) . ".\n" if $debug;
	1732	return 0, {};
	1733	}
	1734	}
	1735
	1736	### random number
	1737	#
	1738	if ($use_fko_module) {
	1739	$msg_hsh{'random_number'} = $fko_obj->rand_value();
	1740	} else {
	1741	$msg_hsh{'random_number'} = $fields[0];
	1742	}
	1743	unless (&is_digit($msg_hsh{'random_number'})) {
	1744	&logr('[-]', "non-digit random number in decrypted SPA " .
	1745	"packet: $msg_hsh{'random_number'}", $SEND_MAIL);
1608	1746	return 0, {};
1609	1747	}
1610	1748
1611		if ($debug and $verbose) {
1612		print STDERR localtime() . " [+] Packet array:\n", Dumper @fields;
1613		}
1614
1615		unless ($#fields+1 >= $SPA_MIN_PACKET_FIELDS
1616		and $#fields+1 <= $SPA_MAX_PACKET_FIELDS) {
1617		print STDERR localtime() . " [-] Invalid number of fields in ",
1618		"SPA packet, expected $SPA_MIN_PACKET_FIELDS-",
1619		"$SPA_MAX_PACKET_FIELDS, got " . ($#fields+1) . ".\n" if $debug;
1620		return 0, {};
1621		}
1622
1623		### random number
1624		if (&is_digit($fields[0])) {
1625		$msg_hsh{'random_number'} = $fields[0];
	1749	### username
	1750	#
	1751	if ($use_fko_module) {
	1752	$msg_hsh{'username'} = $fko_obj->username();
1626	1753	} else {
1627		&logr('[-]', "non-digit random number in decrypted SPA packet",
1628		$SEND_MAIL);
1629		return 0, {};
1630		}
1631
1632		### username
1633		$msg_hsh{'username'} = decode_base64($fields[1]);
	1754	$msg_hsh{'username'} = decode_base64($fields[1]);
	1755	}
1634	1756
1635	1757	### timestamp
1636		if (&is_digit($fields[2])) {
	1758	#
	1759	if ($use_fko_module) {
	1760	$msg_hsh{'remote_time'} = $fko_obj->timestamp();
	1761	} else {
1637	1762	$msg_hsh{'remote_time'} = $fields[2];
1638		} else {
	1763	}
	1764	unless (&is_digit($msg_hsh{'remote_time'})) {
1639	1765	&logr('[-]', "non-digit timestamp in decrypted SPA packet",
1640	1766	$SEND_MAIL);
…	…
1643	1769
1644	1770	### remote client version
1645		$msg_hsh{'remote_version'} = $fields[3];
	1771	#
	1772	if ($use_fko_module) {
	1773	$msg_hsh{'remote_version'} = $fko_obj->version();
	1774	} else {
	1775	$msg_hsh{'remote_version'} = $fields[3];
	1776	}
	1777
1646	1778	unless (&SPA_parse_client_version(\%msg_hsh)) {
1647	1779	&logr('[-]', "invalid client string in decrypted SPA packet",
…	…
1651	1783
1652	1784	### message type
1653		if (&is_digit($fields[4])) {
1654		return 0, {} unless $fields[4] == $SPA_COMMAND_MODE
1655		or $fields[4] == $SPA_ACCESS_MODE
1656		or $fields[4] == $SPA_NAT_ACCESS_MODE
1657		or $fields[4] == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
1658		or $fields[4] == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
1659		or $fields[4] == $SPA_LOCAL_NAT_ACCESS_MODE
1660		or $fields[4] == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE;
	1785	#
	1786	if ($use_fko_module) {
	1787	$msg_hsh{'action_type'} = $fko_obj->spa_message_type();
	1788	} else {
1661	1789	$msg_hsh{'action_type'} = $fields[4];
	1790	}
	1791
	1792	if (&is_digit($msg_hsh{'action_type'})) {
	1793	return 0, {} unless $msg_hsh{'action_type'} == $SPA_COMMAND_MODE
	1794	or $msg_hsh{'action_type'} == $SPA_ACCESS_MODE
	1795	or $msg_hsh{'action_type'} == $SPA_NAT_ACCESS_MODE
	1796	or $msg_hsh{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
	1797	or $msg_hsh{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
	1798	or $msg_hsh{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE
	1799	or $msg_hsh{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE;
	1800	$msg_hsh{'action_type'} = $msg_hsh{'action_type'};
1662	1801	} else {
1663	1802	&logr('[-]', "non-digit action type in decrypted SPA packet",
…	…
1665	1804	return 0, {};
1666	1805	}
	1806	if ($debug) {
	1807	print STDERR localtime() .
	1808	"[+] SPA action type: $msg_hsh{'action_type'}\n";
	1809	}
1667	1810
1668	1811	### action
1669		$msg_hsh{'action'} = decode_base64($fields[5]);
	1812	#
	1813	if ($use_fko_module) {
	1814	$msg_hsh{'action'} = $fko_obj->spa_message();
	1815	} else {
	1816	$msg_hsh{'action'} = decode_base64($fields[5]);
	1817	}
1670	1818
1671	1819	### server_auth was introduced in 0.9.3
	1820	#
1672	1821	if ($msg_hsh{'numeric_version'} >= 93) {
1673	1822
…	…
1676	1825	my $found = 0;
1677	1826	if ($msg_hsh{'action_type'} == $SPA_NAT_ACCESS_MODE
1678		or $msg_hsh{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE) {
1679		if ($#fields == $SPA_MIN_PACKET_FIELDS) {
1680		$msg_hsh{'nat_info'} = decode_base64($fields[6]);
1681		$found = 1;
	1827	or $msg_hsh{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE) {
	1828	if ($use_fko_module) {
	1829	$msg_hsh{'nat_info'} = $fko_obj->spa_nat_access();
	1830	} else {
	1831	if ($#fields == $SPA_MIN_PACKET_FIELDS) {
	1832	$msg_hsh{'nat_info'} = decode_base64($fields[6]);
	1833	}
1682	1834	}
	1835	$found = 1;
1683	1836	} elsif ($msg_hsh{'numeric_version'} >= 192) {
1684	1837	### client timeouts were introduced in 1.9.2
1685	1838	if ($msg_hsh{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE) {
1686		$msg_hsh{'client_timeout'} = $fields[6];
	1839	if ($use_fko_module) {
	1840	$msg_hsh{'client_timeout'} = $fko_obj->spa_client_timeout();
	1841	} else {
	1842	$msg_hsh{'client_timeout'} = $fields[6];
	1843	}
1687	1844	$found = 1;
1688	1845	} elsif ($msg_hsh{'action_type'}
1689	1846	== $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE) {
1690		$msg_hsh{'nat_info'} = decode_base64($fields[6]);
1691		$msg_hsh{'client_timeout'} = $fields[7];
	1847	if ($use_fko_module) {
	1848	$msg_hsh{'nat_info'} = $fko_obj->spa_nat_access();
	1849	$msg_hsh{'client_timeout'} = $fko_obj->spa_client_timeout();
	1850	} else {
	1851	$msg_hsh{'nat_info'} = decode_base64($fields[6]);
	1852	$msg_hsh{'client_timeout'} = $fields[7];
	1853	}
1692	1854	$found = 1;
1693	1855	} elsif ($msg_hsh{'action_type'}
1694	1856	== $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE) {
1695		$msg_hsh{'nat_info'} = decode_base64($fields[6]);
1696		$msg_hsh{'client_timeout'} = $fields[7];
	1857	if ($use_fko_module) {
	1858	$msg_hsh{'nat_info'} = $fko_obj->spa_nat_access();
	1859	$msg_hsh{'client_timeout'} = $fko_obj->spa_client_timeout();
	1860	} else {
	1861	$msg_hsh{'nat_info'} = decode_base64($fields[6]);
	1862	$msg_hsh{'client_timeout'} = $fields[7];
	1863	}
1697	1864	$found = 1;
1698	1865	}
…	…
1706	1873	}
1707	1874	unless ($found) {
	1875	if (not $use_fko_module and $#fields+1 > $SPA_MIN_PACKET_FIELDS) {
	1876	$msg_hsh{'server_auth'} = decode_base64($fields[6]);
	1877	}
	1878	}
	1879	} else {
	1880	if ($use_fko_module) {
	1881	&logr('[-]', "remote libfko version less than minimum ",
	1882	"required by FKO module", $SEND_MAIL);
	1883	return 0, {};
	1884	} else {
1708	1885	if ($#fields+1 > $SPA_MIN_PACKET_FIELDS) {
1709	1886	$msg_hsh{'server_auth'} = decode_base64($fields[6]);
1710	1887	}
1711	1888	}
1712		~~} else {~~
1713		~~if ($#fields+1 > $SPA_MIN_PACKET_FIELDS) {~~
1714		~~$msg_hsh{'server_auth'} = decode_base64($fields[6]);~~
1715		}
1716	1889	}
1717	1890	} else {
1718		unless ($#fields+1 == $SPA_MIN_PACKET_FIELDS) {
	1891	unless ($use_fko_module and $#fields+1 == $SPA_MIN_PACKET_FIELDS) {
1719	1892	print STDERR localtime() . " [-] SPA packet from version: ",
1720	1893	"$msg_hsh{'remote_version'} ",
…	…
1790	1963
1791	1964	my $rv = 0;
	1965
	1966	if ($use_fko_module) {
	1967	$hr->{'digest'} = $fko_obj->spa_digest();
	1968	my $digest_type = $fko_obj->digest_type();
	1969	if ($digest_type == FKO->FKO_DIGEST_SHA256) {
	1970	$hr->{'digest_str'} = 'SHA256';
	1971	return 1;
	1972	} elsif ($digest_type == FKO->FKO_DIGEST_SHA1) {
	1973	$hr->{'digest_str'} = 'SHA1';
	1974	return 1;
	1975	} elsif ($digest_type == FKO->FKO_DIGEST_MD5) {
	1976	$hr->{'digest_str'} = 'MD5';
	1977	return 1;
	1978	} else {
	1979	if ($debug) {
	1980	print STDERR localtime() .
	1981	" [-] invalid digest type: $digest_type\n";
	1982	}
	1983	return 0;
	1984	}
	1985	}
	1986
1792	1987	if ($msg_str =~ /(.*):(\S+)/) {
1793	1988	my $msg = $1;
…	…
2522	2717	my $gpg_sign_id = '';
2523	2718
	2719	if ($use_fko_module) {
	2720
	2721	my $fko_err = $fko_obj->spa_data($msg);
	2722	if ($fko_err) {
	2723	if ($debug) {
	2724	&logr('[-]', "FKO error setting spa_data(): " .
	2725	$fko_obj->errstr($fko_err), $NO_MAIL);
	2726	}
	2727	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
	2728	}
	2729
	2730	### set the decryption type to use gpg
	2731	$fko_err = $fko_obj->encryption_type(FKO->FKO_ENCRYPTION_GPG);
	2732	if ($fko_err) {
	2733	if ($debug) {
	2734	&logr('[-]', "FKO error setting decryption type to gpg: " .
	2735	$fko_obj->errstr($fko_err), $NO_MAIL);
	2736	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
	2737	}
	2738	}
	2739
	2740	$fko_err = $fko_obj->gpg_home_dir($access_hr->{'GPG_HOME_DIR'});
	2741	if ($fko_err) {
	2742	if ($debug) {
	2743	&logr('[-]', "FKO error setting gpg home dir: " .
	2744	$fko_obj->errstr($fko_err), $NO_MAIL);
	2745	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
	2746	}
	2747	}
	2748
	2749	$fko_err = $fko_obj->gpg_recipient($access_hr->{'GPG_DECRYPT_ID'});
	2750	if ($fko_err) {
	2751	if ($debug) {
	2752	&logr('[-]', "FKO error setting signing key " .
	2753	"gpg_signer(): " . $fko_obj->errstr($fko_err),
	2754	$NO_MAIL);
	2755	}
	2756	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
	2757	}
	2758
	2759	$fko_err = $fko_obj->decrypt_spa_data($access_hr->{'GPG_DECRYPT_PW'});
	2760	if ($fko_err) {
	2761	if ($debug) {
	2762	&logr('[-]', "FKO error decrypting data via " .
	2763	"decrypt_spa_data(): " . $fko_obj->errstr($fko_err),
	2764	$NO_MAIL);
	2765	}
	2766	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
	2767	}
	2768
	2769	return 1, $decrypted_msg, $gpg_sign_id;
	2770	}
	2771
2524	2772	unless ($msg =~ /^$access_hr->{'GPG_PREFIX'}/) {
2525	2773	if ($access_hr->{'GPG_NO_REQUIRE_PREFIX'}) {
…	…
2566	2814	return $decrypt_rv, $decrypted_msg, $gpg_sign_id;
2567	2815	}
2568
2569		~~# ### look for the 0x8502 GnuPG prefix~~
2570		~~# unless ($base64_decoded_msg =~ /^\x85\x02/) {~~
2571		~~# if ($debug) {~~
2572		~~# print STDERR localtime() . " [-] base64-decoded data does not begin ",~~
2573		~~# "with 0x8502\n";~~
2574		~~# }~~
2575		~~# return $decrypt_rv, $decrypted_msg, $gpg_sign_id;~~
2576		~~# }~~
2577	2816
2578	2817	print STDERR localtime() . " [+] Attempting GnuPG decrypt...\n" if $debug;
…	…
2710	2949	my $base64_decoded_msg = '';
2711	2950
	2951	if ($use_fko_module) {
	2952
	2953	my $fko_err = $fko_obj->spa_data($msg);
	2954	if ($fko_err) {
	2955	if ($debug) {
	2956	&logr('[-]', "FKO error setting spa_data(): " .
	2957	$fko_obj->errstr($fko_err), $NO_MAIL);
	2958	}
	2959	return $decrypt_rv, $decrypted_msg;
	2960	}
	2961
	2962	$fko_err = $fko_obj->decrypt_spa_data($enc_key);
	2963	if ($fko_err) {
	2964	if ($debug) {
	2965	&logr('[-]', "FKO error decrypting data via " .
	2966	"decrypt_spa_data(): " . $fko_obj->errstr($fko_err),
	2967	$NO_MAIL);
	2968	}
	2969	return $decrypt_rv, $decrypted_msg;
	2970	}
	2971
	2972	return 1, $decrypted_msg;
	2973
	2974	}
	2975
2712	2976	unless ($msg =~ /^U2FsdGVkX1/) {
2713	2977	if ($debug) {
2714		print STDERR localtime() . " [+] Adding encoded 'Salted__' ~~prefix~~ ",
2715		"~~(U2FsdGVkX1) to incoming encoded SPA packet.\n"~~
	2978	print STDERR localtime() . " [+] Adding encoded 'Salted__' ",
	2979	"prefix (U2FsdGVkX1) to incoming encoded SPA packet.\n";
2716	2980	}
2717	2981	$msg = 'U2FsdGVkX1' . $msg;
…	…
2753	3017	unless ($base64_decoded_msg =~ /^Salted__/) {
2754	3018	if ($debug) {
2755		print STDERR localtime() . " [-] base64-decoded data does ~~not~~ ",
2756		"begin with 'Salted__'\n";
	3019	print STDERR localtime() . " [-] base64-decoded data does ",
	3020	"not begin with 'Salted__'\n";
2757	3021	}
2758	3022	return $decrypt_rv, $decrypted_msg;
2759	3023	}
2760	3024
2761		print STDERR localtime() . " [+] Attempting Rijndael decrypt...\n" if $debug;
	3025	print STDERR localtime() . " [+] Attempting Rijndael decrypt...\n"
	3026	if $debug;
2762	3027
2763	3028	if ($debug and $verbose) {
…	…
5700	5965	}
5701	5966	}
5702		}
5703		~~close F;~~
	5967	close F;
	5968	}
5704	5969
5705	5970	&logr('[+]', "imported previous tracking digests from disk " .

Context Navigation

Changeset 1464

Legend:

fwknop/trunk/fwknop

fwknop/trunk/fwknopd

Download in other formats: