[server] restore backwards compatibility for Rijndael keys > 16 bytes in legacy mode...
authorMichael Rash <mbr@cipherdyne.org>
Sun, 14 Jul 2013 19:37:24 +0000 (15:37 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Sun, 14 Jul 2013 19:37:24 +0000 (15:37 -0400)
server/access.c
test/conf/legacy_iv_long_key2_access.conf [new file with mode: 0644]
test/test-fwknop.pl
test/tests/rijndael_backwards_compatibility.pl

index 1b9bb38..b0cfbbb 100644 (file)
@@ -886,7 +886,7 @@ set_acc_defaults(fko_srv_options_t *opts)
 /* Perform some sanity checks on an acc stanza data.
 */
 static int
-acc_data_is_valid(const acc_stanza_t *acc)
+acc_data_is_valid(acc_stanza_t * const acc)
 {
     if(acc == NULL)
     {
@@ -906,6 +906,19 @@ acc_data_is_valid(const acc_stanza_t *acc)
         return(0);
     }
 
+    if(acc->use_rijndael && acc->key != NULL)
+    {
+        if((acc->encryption_mode == FKO_ENC_MODE_CBC_LEGACY_IV)
+                && (acc->key_len > 16))
+        {
+            log_msg(LOG_INFO,
+                "Warning: truncating encryption key in legacy mode to 16 bytes for access stanza source: '%s'",
+                acc->source
+            );
+            acc->key_len = 16;
+        }
+    }
+
     if((acc->hmac_key_len) != 0 && (acc->hmac_key != NULL))
     {
         if((acc->key != NULL) && (acc->key_len != 0)
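Review bot: The new block in acc_data_is_valid quietly shrinks the effective Rijndael key to its first 16 bytes, but the message announcing it is logged at LOG_INFO, so an operator who configured a longer KEY expecting all of it to be used may never notice; raising it to `log_msg(LOG_WARNING,` and including the original acc->key_len in the text would make the downgrade visible. Dropping the const qualifier on the acc parameter (first hunk, `acc_stanza_t * const acc`) so that a function named acc_data_is_valid can rewrite key_len hides a mutation behind a validation name, so a comment above the block such as `/* Legacy mode only consumes the first 16 key bytes (pre-2.5 client behaviour); shorten key_len so the remainder is ignored rather than the stanza rejected. */` would at least make the intent explicit. The bare `16` on the comparison and the assignment would read better as a named constant for the legacy Rijndael key length. The bytes beyond the new key_len still sit in acc->key; whether that matters depends on how the buffer is copied or freed elsewhere, which is outside this hunk, and acc_data_is_valid itself continues past the end of the hunk.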
diff --git a/test/conf/legacy_iv_long_key2_access.conf b/test/conf/legacy_iv_long_key2_access.conf
new file mode 100644 (file)
index 0000000..6ebfc7e
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     1234567890123456blah
+FW_ACCESS_TIMEOUT       3
+ENCRYPTION_MODE         legacy
index 1ab9a41..1e81a6c 100755 (executable)
@@ -83,6 +83,7 @@ our %cf = (
     'gpg_hmac_access'              => "$conf_dir/gpg_hmac_access.conf",
     'legacy_iv_access'             => "$conf_dir/legacy_iv_access.conf",
     'legacy_iv_long_key_access'    => "$conf_dir/legacy_iv_long_key_access.conf",
+    'legacy_iv_long_key2_access'   => "$conf_dir/legacy_iv_long_key2_access.conf",
     'gpg_no_pw_access'             => "$conf_dir/gpg_no_pw_access.conf",
     'gpg_no_pw_hmac_access'        => "$conf_dir/gpg_no_pw_hmac_access.conf",
     'tcp_server'                   => "$conf_dir/tcp_server_fwknopd.conf",
index 57063fe..337e0a2 100644 (file)
         'fatal'    => $NO
     },
 
-    ### This test helps with backwards compatibility for the corner
-    ### case where an SPA client pre-2.5 uses a password longer than 16 chars
-    ### which gets truncated to just 16 chars (this bug was fixed in the 2.5
-    ### development series).  The SPA packet itself was generated by fwknop
-    ### 2.0.4 with a pass phrase of '12345678901234567890', and this can be
-    ### decrypted with the legacy encryption mode setting in fwknop-2.5 as
-    ### long as the key in the access.conf file has been truncated to 16
-    ### chars.
+    ### The SPA packets for the following two tests were generated by
+    ### fwknop-2.0.4 with a pass phrase of '12345678901234567890'
     {
         'category' => 'Rijndael',
         'subcategory' => 'client->server backwards compat.',
         'fw_rule_removed' => $NEW_RULE_REMOVED,
         'fatal'    => $NO
     },
+    {
+        'category' => 'Rijndael',
+        'subcategory' => 'client->server backwards compat.',
+        'detail'   => 'v2.0.4 non-trunc key',
+        'function' => \&backwards_compatibility,
+        'pkt' =>
+            '/iDyDBp/N35nNokK8jF5R7cWed3Y+NohcUaiVJk2qpuyC/Pa00xKpzduGTj52v3F4Tih' .
+            'ko7bFH3nykDa3j0u88QAgCNglg+Fcbe6NGVeogUndPUmAhi/kOzmiGCMzl9kapbaH/PB' .
+            'T2HsgbcGzTHXZAV5kMVTLG0ZM',
+        'server_positive_output_matches' => [qr/with expire time/,
+            qr/truncating\sencryption\skey/],
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'legacy_iv_long_key2_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'fatal'    => $NO
+    },
 
     {
         'category' => 'Rijndael',