added encryption mode flags for each access stanza
authorMichael Rash <mbr@cipherdyne.org>
Sun, 26 Aug 2012 19:47:24 +0000 (15:47 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Sun, 26 Aug 2012 19:47:24 +0000 (15:47 -0400)
server/access.c
server/fwknopd_common.h
server/incoming_spa.c

index 91feb0b..d1057f8 100644 (file)
@@ -763,8 +763,9 @@ set_acc_defaults(fko_srv_options_t *opts)
 static int
 acc_data_is_valid(const acc_stanza_t *acc)
 {
-    if((acc->key == NULL || !strlen(acc->key))
+    if(((acc->key == NULL || !strlen(acc->key))
       && (acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw)))
+      || (acc->use_rijndael == 0 && acc->use_gpg == 0 && acc->gpg_allow_no_pw == 0))
     {
         fprintf(stderr,
             "[*] No keys found for access stanza source: '%s'\n", acc->source
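Review bot: The clause added at line 18 rejects a stanza because no encryption mode is enabled, but the message printed on the following lines still says only "No keys found", so an operator who hit the new branch would be told to look for a missing KEY. Suggest making the text cover both causes, e.g. `"[*] No keys or encryption mode (KEY, GPG_DECRYPT_PW, GPG_ALLOW_NO_PW) found for access stanza source: '%s'\n"`. As far as the parser hunks in this commit show, `gpg_allow_no_pw == 1` is always accompanied by `use_gpg == 1`, so the third term of the new clause looks redundant; if that invariant is intended, a one-line comment saying so would stop a later reader from trying to reconstruct it. acc_data_is_valid continues past the end of this hunk.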
@@ -907,6 +908,7 @@ parse_access_file(fko_srv_options_t *opts)
                 clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
             }
             add_acc_string(&(curr_acc->key), val);
+            add_acc_bool(&(curr_acc->use_rijndael), "Y");
         }
         else if(CONF_VAR_IS(var, "FW_ACCESS_TIMEOUT"))
         {
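Review bot: `add_acc_bool(&(curr_acc->use_rijndael), "Y");` at line 26 pushes a constant through the config-value parser to set a flag the code itself has already decided on, which ties the result to how add_acc_bool happens to interpret the literal "Y". A direct assignment, `curr_acc->use_rijndael = 1;`, states the intent and has no such dependency. The same pattern appears at lines 34 and 45 in the next hunk of this file. parse_access_file starts and ends outside this hunk.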
@@ -972,13 +974,18 @@ parse_access_file(fko_srv_options_t *opts)
                 clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
             }
             add_acc_string(&(curr_acc->gpg_decrypt_pw), val);
+            add_acc_bool(&(curr_acc->use_gpg), "Y");
         }
         else if(CONF_VAR_IS(var, "GPG_ALLOW_NO_PW"))
         {
-            if(curr_acc->gpg_decrypt_pw != NULL && curr_acc->gpg_decrypt_pw[0] != '\0')
-                free(curr_acc->gpg_decrypt_pw);
-
-            add_acc_string(&(curr_acc->gpg_decrypt_pw), "");
+            add_acc_bool(&(curr_acc->gpg_allow_no_pw), val);
+            if(curr_acc->gpg_allow_no_pw == 1)
+            {
+                add_acc_bool(&(curr_acc->use_gpg), "Y");
+                if(curr_acc->gpg_decrypt_pw != NULL && curr_acc->gpg_decrypt_pw[0] != '\0')
+                    free(curr_acc->gpg_decrypt_pw);
+                add_acc_string(&(curr_acc->gpg_decrypt_pw), "");
+            }
         }
         else if(CONF_VAR_IS(var, "GPG_REQUIRE_SIG"))
         {
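Review bot: The guard at lines 46-47, `if(curr_acc->gpg_decrypt_pw != NULL && curr_acc->gpg_decrypt_pw[0] != '\0') free(curr_acc->gpg_decrypt_pw);`, skips the free when the current value is an empty string, so if add_acc_string allocates a copy (the free here suggests it does) a stanza that repeats GPG_ALLOW_NO_PW, or sets it after an empty GPG_DECRYPT_PW, leaks the earlier allocation. `free(NULL)` is a no-op, so the condition can be dropped and the line reduced to `free(curr_acc->gpg_decrypt_pw);`. The block also discards a non-empty GPG_DECRYPT_PW that appeared earlier in the stanza without any message, while a GPG_DECRYPT_PW that appears later is kept alongside `gpg_allow_no_pw == 1`; the result depends on option order, and a `log_msg` warning when a configured password is being replaced would make that visible to the operator. parse_access_file starts and ends outside this hunk.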
index a6f0655..cd4d42e 100644 (file)
@@ -273,6 +273,7 @@ typedef struct acc_stanza
     char                *restrict_ports;
     acc_port_list_t     *rport_list;
     char                *key;
+    unsigned char       use_rijndael;
     int                 fw_access_timeout;
     unsigned char       enable_cmd_exec;
     char                *cmd_exec_user;
@@ -284,6 +285,8 @@ typedef struct acc_stanza
     char                *gpg_decrypt_pw;
     unsigned char       gpg_require_sig;
     unsigned char       gpg_ignore_sig_error;
+    unsigned char       use_gpg;
+    unsigned char       gpg_allow_no_pw;
     char                *gpg_remote_id;
     acc_string_list_t   *gpg_remote_id_list;
     time_t              access_expire_time;
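Review bot: The new fields `use_gpg` and `gpg_allow_no_pw` here, and `use_rijndael` in the hunk at line 58, carry no comment on what sets them or how they relate to `key` and `gpg_decrypt_pw`, so the invariant that incoming_spa now depends on can only be recovered by reading parse_access_file. Suggest one comment per field, e.g. `/* set when KEY is configured; stanza accepts Rijndael-encrypted SPA */`, `/* set when GPG_DECRYPT_PW or GPG_ALLOW_NO_PW is configured; stanza accepts GPG-encrypted SPA */`, and `/* GPG_ALLOW_NO_PW: accept GPG packets with an empty gpg_decrypt_pw */`. The struct definition starts and ends outside this hunk.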
index a7be5f6..67929c2 100644 (file)
@@ -362,7 +362,7 @@ incoming_spa(fko_srv_options_t *opts)
         */
         enc_type = fko_encryption_type((char *)spa_pkt->packet_data);
 
-        if(enc_type == FKO_ENCRYPTION_RIJNDAEL)
+        if(acc->use_rijndael && enc_type == FKO_ENCRYPTION_RIJNDAEL)
         {
             if(acc->key != NULL)
                 res = fko_new_with_data(&ctx, (char *)spa_pkt->packet_data, acc->key);
@@ -376,12 +376,12 @@ incoming_spa(fko_srv_options_t *opts)
                 continue;
             }
         }
-        else if(enc_type == FKO_ENCRYPTION_GPG)
+        else if(acc->use_gpg && enc_type == FKO_ENCRYPTION_GPG)
         {
             /* For GPG we create the new context without decrypting on the fly
              * so we can set some  GPG parameters first.
             */
-            if(acc->gpg_decrypt_pw != NULL)
+            if(acc->gpg_decrypt_pw != NULL || acc->gpg_allow_no_pw)
             {
                 res = fko_new_with_data(&ctx, (char *)spa_pkt->packet_data, NULL);
                 if(res != FKO_SUCCESS)
@@ -439,19 +439,11 @@ incoming_spa(fko_srv_options_t *opts)
                 res = fko_decrypt_spa_data(ctx, acc->gpg_decrypt_pw);
 
             }
-            else
-            {
-                log_msg(LOG_ERR,
-                    "(stanza #%d) No GPG_DECRYPT_PW for GPG encrypted messages, set GPG_ALLOW_NO_PW",
-                    stanza_num
-                );
-                acc = acc->next;
-                continue;
-            }
         }
         else
         {
-            log_msg(LOG_ERR, "(stanza #%d) Unable to determing encryption type. Got type=%i.",
+            log_msg(LOG_ERR,
+                "(stanza #%d) No stanza encryption mode match for encryption type: %i.",
                 stanza_num, enc_type);
             acc = acc->next;
             continue;
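Review bot: With the else branch at lines 100-108 removed, a stanza whose `use_gpg` is set while `gpg_decrypt_pw` is NULL and `gpg_allow_no_pw` is 0 now falls out of the `if` at line 92 with `res` and `ctx` untouched, and the code after the closing brace at line 109 presumably goes on to inspect them. The parser hunks in server/access.c appear to make that combination unreachable today, since `use_gpg` is only set next to an assignment of `gpg_decrypt_pw`, so the correctness of this function now rests on an invariant maintained in another file; a defensive else that logs and skips the stanza keeps it self-contained. For the same reason, the `|| acc->gpg_allow_no_pw` added at line 92 looks redundant (GPG_ALLOW_NO_PW leaves an empty, non-NULL `gpg_decrypt_pw`), though it is harmless. incoming_spa starts and ends outside this hunk.
```c
            if(acc->gpg_decrypt_pw != NULL || acc->gpg_allow_no_pw)
            {
                /* … unchanged: GPG context setup and fko_decrypt_spa_data … */
            }
            else
            {
                log_msg(LOG_ERR,
                    "(stanza #%d) GPG mode enabled without GPG_DECRYPT_PW or GPG_ALLOW_NO_PW",
                    stanza_num);
                acc = acc->next;
                continue;
            }
```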