add HMAC_KEY variable support to access.conf (alternative to HMAC_KEY_BASE64)
authorMichael Rash <mbr@cipherdyne.org>
Tue, 9 Apr 2013 02:14:06 +0000 (22:14 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Tue, 9 Apr 2013 02:14:06 +0000 (22:14 -0400)
Makefile.am
server/access.c
test/conf/fwknoprc_hmac_key2 [new file with mode: 0644]
test/conf/hmac_no_b64_access.conf [new file with mode: 0644]
test/test-fwknop.pl
test/tests/rijndael_hmac.pl

index 0376b18..b516971 100644 (file)
@@ -145,6 +145,7 @@ EXTRA_DIST = \
     test/conf/gpg_access.conf \
     test/conf/gpg_no_pw_access.conf \
     test/conf/hmac_access.conf \
+    test/conf/hmac_no_b64_access.conf \
     test/conf/hmac_dual_key_usage_access.conf \
     test/conf/hmac_invalid_type_access.conf \
     test/conf/hmac_md5_access.conf \
@@ -167,6 +168,7 @@ EXTRA_DIST = \
     test/conf/hmac_sha256_open_ports_access.conf \
     test/conf/hmac_force_nat_access.conf \
     test/conf/fwknoprc_default_hmac_base64_key \
+    test/conf/fwknoprc_hmac_key2 \
     test/conf/fwknoprc_hmac_invalid_type \
     test/conf/fwknoprc_hmac_md5_key \
     test/conf/fwknoprc_hmac_md5_long_key \
index 5684285..a65cc04 100644 (file)
@@ -1078,6 +1078,19 @@ parse_access_file(fko_srv_options_t *opts)
             add_acc_b64_string(&(curr_acc->hmac_key),
                 &curr_acc->hmac_key_len, curr_acc->hmac_key_base64);
         }
+        else if(CONF_VAR_IS(var, "HMAC_KEY"))
+        {
+            if(strcasecmp(val, "__CHANGEME__") == 0)
+            {
+                fprintf(stderr,
+                    "[*] HMAC_KEY_BASE64 value is not properly set in stanza source '%s' in access file: '%s'\n",
+                    curr_acc->source, opts->config[CONF_ACCESS_FILE]);
+                fclose(file_ptr);
+                clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+            }
+            add_acc_string(&(curr_acc->hmac_key), val);
+            curr_acc->hmac_key_len = strlen(curr_acc->hmac_key);
+        }
         else if(CONF_VAR_IS(var, "FW_ACCESS_TIMEOUT"))
         {
             curr_acc->fw_access_timeout = strtol_wrapper(val, 0,
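Review bot: The error text in the new HMAC_KEY branch still names HMAC_KEY_BASE64, so an operator who left the placeholder in an `HMAC_KEY` line is told to fix a variable their stanza does not use; the message should read `"[*] HMAC_KEY value is not properly set in stanza source '%s' in access file: '%s'\n"`. The branch also stores the raw value with no length check, and if a stanza carries both HMAC_KEY_BASE64 and HMAC_KEY the second assignment to `curr_acc->hmac_key` appears to overwrite the first; unless add_acc_string already frees a prior value (it is not visible here), a NULL check or an explicit duplicate-variable error before the `add_acc_string` call would make the precedence deterministic. `strlen` returns size_t while the type of `hmac_key_len` is not shown, so a narrowing cast may be hiding there. parse_access_file starts and ends outside this hunk.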
diff --git a/test/conf/fwknoprc_hmac_key2 b/test/conf/fwknoprc_hmac_key2
new file mode 100644 (file)
index 0000000..1c069ee
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha256
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64     dGVzdHRlc3Q=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/hmac_no_b64_access.conf b/test/conf/hmac_no_b64_access.conf
new file mode 100644 (file)
index 0000000..5d6fa52
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY:           testtest;
+FW_ACCESS_TIMEOUT:  3;
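Review bot: The `KEY_BASE64:` entry is the only one of the four lines without the trailing `;` that the other entries in this stanza use. If the access-file parser tolerates both forms this is harmless, but the fixture is meant to exercise the new HMAC_KEY code path and should not also depend on lenient terminator handling; `KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=;` keeps it consistent.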
index ab3fe8b..23353a5 100755 (executable)
@@ -36,6 +36,7 @@ our %cf = (
     'def'                          => "$conf_dir/default_fwknopd.conf",
     'def_access'                   => "$conf_dir/default_access.conf",
     'hmac_access'                  => "$conf_dir/hmac_access.conf",
+    'hmac_no_b64_access'           => "$conf_dir/hmac_no_b64_access.conf",
     'hmac_md5_access'              => "$conf_dir/hmac_md5_access.conf",
     'hmac_md5_short_key_access'    => "$conf_dir/hmac_md5_short_key_access.conf",
     'hmac_md5_long_key_access'     => "$conf_dir/hmac_md5_long_key_access.conf",
@@ -99,6 +100,7 @@ our %cf = (
     'rc_named_key'                 => "$conf_dir/fwknoprc_named_key",
     'rc_invalid_b64_key'           => "$conf_dir/fwknoprc_invalid_base64_key",
     'rc_hmac_b64_key'              => "$conf_dir/fwknoprc_default_hmac_base64_key",
+    'rc_hmac_b64_key2'             => "$conf_dir/fwknoprc_hmac_key2",
     'rc_hmac_simple_key'           => "$conf_dir/fwknoprc_hmac_simple_keys",
     'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
     'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
index 646d323..5f95917 100644 (file)
@@ -57,6 +57,7 @@
         'fatal'    => $NO
     },
     {
+
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
         'detail'   => 'complete cycle (tcp/23)',
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
+        'detail'   => 'non-b64 HMAC key (tcp/22 ssh)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
+            "$cf{'rc_hmac_b64_key2'} --verbose --verbose",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_no_b64_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_b64_key2'},
+        'fatal'    => $NO
+    },
+
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
         'detail'   => 'complete cycle (tcp/9418)',
         'function' => \&spa_cycle,
         'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
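Review bot: The new stanza's `'detail' => 'non-b64 HMAC key (tcp/22 ssh)'` overstates what it tests: the client side is driven by `--rc-file $cf{'rc_hmac_b64_key2'}`, and that rc file (added in this same commit) supplies the key as HMAC_KEY_BASE64, so only the fwknopd access file `$cf{'hmac_no_b64_access'}` exercises the plain HMAC_KEY variable; `'detail'   => 'non-b64 HMAC_KEY in access.conf (tcp/22 ssh)'` says what is covered. The `__CHANGEME__` rejection added to server/access.c has no test here; a companion access file with `HMAC_KEY: __CHANGEME__;` and a case that expects fwknopd to exit would cover it. The lone blank line added inside the preceding 'complete cycle (tcp/23)' stanza in the earlier hunk looks accidental. The enclosing test list starts and ends outside this hunk.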