
[server] GPG_ALLOW_NO_PW + no KEY bug fix

Bug fix to allow GPG_ALLOW_NO_PW to result in not also having to specify a
Rijndael key.
1 parent 2aff47c commit 1828f51b90a925a296d72406f0b8dfb1cfe7e7b1 @mrash committed Oct 3, 2012
Showing with 11 additions and 2 deletions.
  1. +2 −0 ChangeLog
  2. +2 −1 server/access.c
  3. +0 −1 test/conf/gpg_no_pw_access.conf
  4. +7 −0 todo.org
ChangeLog
@@ -11,6 +11,8 @@ fwknop-2.0.4 (09/20/2012):
also added to the test suite.
- (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
been checked in under extras/openbsd/.
+ - [server] Bug fix to allow GPG_ALLOW_NO_PW to result in not also having
+ to specify a Rijndael key.
fwknop-2.0.3 (09/03/2012):
- [server] Fernando Arnaboldi from IOActive found several DoS/code
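Review bot: The new entry is appended to the fwknop-2.0.4 (09/20/2012) section while the commit itself is dated Oct 3, 2012; if 2.0.4 has already shipped, the fix belongs under a new version heading. It would also help to name the check that changed (acc_data_is_valid() in server/access.c) so the ChangeLog line is searchable against the code.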
server/access.c
@@ -806,7 +806,8 @@ static int
acc_data_is_valid(const acc_stanza_t *acc)
{
if(((acc->key == NULL || !strlen(acc->key))
- && (acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw)))
+ && ((acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw))
+ && acc->gpg_allow_no_pw == 0))
|| (acc->use_rijndael == 0 && acc->use_gpg == 0 && acc->gpg_allow_no_pw == 0))
{
fprintf(stderr,
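Review bot: With this change acc->gpg_allow_no_pw != 0 makes the whole condition false on its own: it now defeats the first disjunct (no KEY and no GPG_DECRYPT_PW) and it already appears in the second (use_rijndael == 0 && use_gpg == 0 && gpg_allow_no_pw == 0), so a stanza that sets only GPG_ALLOW_NO_PW, with no KEY, no GPG_DECRYPT_PW and no other GPG settings, passes this validation. If GPG_ALLOW_NO_PW is only meaningful when GPG is in use, tie it to acc->use_gpg, e.g. replace `&& acc->gpg_allow_no_pw == 0))` with `&& (acc->gpg_allow_no_pw == 0 || acc->use_gpg == 0)))`, or validate that combination in a separate check with its own error message. Minor: the extra nesting can be flattened to `(key empty && gpg_decrypt_pw empty && acc->gpg_allow_no_pw == 0)`, which reads as the intended "no key material configured and the no-password path not enabled".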
@@ -1,5 +1,4 @@
SOURCE: ANY;
-KEY: fwknoptest;
FW_ACCESS_TIMEOUT: 3;
GPG_HOME_DIR: conf/server-gpg-no-pw;
GPG_DECRYPT_ID: 361BBAD4;
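Review bot: In test/conf/gpg_no_pw_access.conf, removing KEY leaves the stanza with neither KEY nor GPG_DECRYPT_PW, so it passes acc_data_is_valid() only when gpg_allow_no_pw is set for that stanza; none of the lines shown set GPG_ALLOW_NO_PW, and since acc->gpg_allow_no_pw is a per-stanza field in the access.c hunk, either add the GPG_ALLOW_NO_PW variable to this file or confirm the test harness sets it elsewhere, otherwise the test fails on the very check this commit changes rather than exercising the new path.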
todo.org
@@ -34,6 +34,10 @@
*** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
:CLOSED: <2012-08-12 Sun>
Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
+*** [server] access.c parsing: allow no KEY variable if GPG keys are used.
+ :CLOSED: <2012-10-02 Tue>
+ The access.c parsing code currently throws an error if there is not KEY
+ variable in an access stanza even if GPG_ALLOW_NO_PW is set.
** Add 'enable' to ipfw active set at init time
Currently fwknopd does not do a check to ensure that the active set is
enabled at init time ('ipfw set enable 1').
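Review bot: Typo in the added entry, "if there is not KEY variable" should read "if there is no KEY variable". The heading also says "if GPG keys are used", while the access.c change keys only on GPG_ALLOW_NO_PW and not on whether GPG is actually configured; align the wording with the condition that was implemented so the closed item documents the real behaviour.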
@@ -76,3 +80,6 @@
** [test suite] client/server only tests
When only the client or server is being installed on a system, the test
suite should be able to run only the relevant tests.
+** [server] Add access variable to require particular IP's even when REQUIRE_SOURCE is used
+ The SOURCE variable only applies to the IP header. Add analogous filtering
+ for the allow IP that is encrypted within an SPA payload.
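Review bot: "IP's" in the new heading should be "IPs". This item is a new feature request (filtering on the allow IP inside the SPA payload) unrelated to the GPG_ALLOW_NO_PW fix described in the commit message; it would be cleaner as its own commit, or the commit message should mention it.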
