--disable-file-cache is used for the autoconf configure script. This
functionality was broken in be4193d734850fe60f14a26b547525ea0b9ce1e9
through improper handling of #define macros from --disable-file-cache.
+ - [server] (Vlad Glagolev) Submitted a patch to fix command exec mode
+ under SPA message type validity test. Support for command exec mode was
+ also added to the test suite.
fwknop-2.0.3 (09/03/2012):
- [server] Fernando Arnaboldi from IOActive found several DoS/code
ctx->message_type = (unsigned int)atoi(tbuf);
+ if(ctx->message_type < 0 || ctx->message_type >= FKO_LAST_MSG_TYPE)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
+
/* Extract the SPA message string.
*/
ndx += t_size + 1;
b64_decode(tbuf, (unsigned char*)ctx->message);
- /* Require a message similar to: 1.2.3.4,tcp/22
- */
- if(validate_access_msg(ctx->message) != FKO_SUCCESS)
+ if(ctx->message_type == FKO_COMMAND_MSG)
{
- free(tbuf);
- return(FKO_ERROR_INVALID_DATA);
+ /* Require a message similar to: 1.2.3.4,<command>
+ */
+ if(validate_cmd_msg(ctx->message) != FKO_SUCCESS)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
+ }
+ else
+ {
+ /* Require a message similar to: 1.2.3.4,tcp/22
+ */
+ if(validate_access_msg(ctx->message) != FKO_SUCCESS)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
}
/* Extract nat_access string if the message_type indicates so.
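Review bot: The new range check on `ctx->message_type` still relies on `atoi(tbuf)`, which returns 0 for non-numeric input and reports no error, so a malformed type field cannot be told apart from a literal `0` and is then routed by the `FKO_COMMAND_MSG` comparison further down. Whether the `< 0` half of the test can ever be true depends on the declared type of `message_type`, which is outside this hunk; the `(unsigned int)` cast on the line above suggests it may be dead code. Assuming `tbuf` holds only the type field at this point, consider parsing with `strtol(tbuf, &endp, 10)`, rejecting `endp == tbuf || *endp != '\0'`, and range-checking the resulting `long` before assigning it. The enclosing function starts and ends outside the hunk.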
'exp_epoch_access' => "$conf_dir/expired_epoch_stanza_access.conf",
'invalid_exp_access' => "$conf_dir/invalid_expire_access.conf",
'force_nat_access' => "$conf_dir/force_nat_access.conf",
+ 'cmd_access' => "$conf_dir/cmd_access.conf",
'local_nat' => "$conf_dir/local_nat_fwknopd.conf",
'ipfw_active_expire' => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
my $non_std_spa_port = 12345;
my $spoof_user = 'testuser';
+my $cmd_exec_test_file = '/tmp/fwknoptest';
#================== end config ===================
my $passed = 0;
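Review bot: `$cmd_exec_test_file` is a fixed, predictable name in world-writable `/tmp`, and the new command execution test has fwknopd write to it through a shell redirect, so on a shared host another local user can create that path, or a link at that path, before the run; this matters most if the suite is run with elevated privileges. The `unlink ... if -e` added to the start-up checks and the `-e`/`unlink` pair in `spa_cmd_exec_cycle` do not close this, because `-e` reports false for a dangling symlink and the path is left in place. Prefer a directory the suite creates itself, for example `my $cmd_exec_test_file = File::Temp::tempdir(CLEANUP => 1) . '/fwknoptest';` with `use File::Temp ();`, or a path under the suite's own output directory if it has one.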
'fatal' => $NO
},
+ ### command execution tests
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'command execution',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cmd_exec_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ qq|$fwknopCmd --server-cmd "echo fwknoptest > $cmd_exec_test_file" | .
+ "-a $fake_ip -D $loopback_ip --get-key $local_key_file " .
+ "--verbose --verbose",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'cmd_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+ 'fatal' => $NO
+ },
+
{
'category' => 'Rijndael SPA',
'subcategory' => 'server',
return $rv;
}
+sub spa_cmd_exec_cycle() {
+ my $test_hr = shift;
+
+ my $rv = &spa_cycle($test_hr);
+
+ if (-e $cmd_exec_test_file) {
+ unlink $cmd_exec_test_file;
+ } else {
+ $rv = 0;
+ }
+
+ return $rv;
+}
+
sub replay_detection() {
my $test_hr = shift;
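Review bot: `spa_cmd_exec_cycle` accepts the mere existence of the marker file as proof that the server ran the command; it never checks that the file contains `fwknoptest`, and the result of `unlink` is ignored, so a file left behind by a failed cleanup could satisfy a later run. Reading it back makes the test assert what it claims: `open my $fh, '<', $cmd_exec_test_file or return 0;`, `my $line = <$fh>;`, then `$rv = 0 unless defined $line and $line =~ /^fwknoptest$/;`. A short comment above the sub stating that it wraps `spa_cycle` and fails the test when the marker file is absent would also help the next reader.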
die "[*] $conf_dir directory does not exist." unless -d $conf_dir;
die "[*] $lib_dir directory does not exist." unless -d $lib_dir;
+ unlink $cmd_exec_test_file if -e $cmd_exec_test_file;
for my $name (keys %cf) {
die "[*] $cf{$name} does not exist" unless -e $cf{$name};
chmod 0600, $cf{$name} or die "[*] Could not chmod 0600 $cf{$name}";