
added encryption mode flags for each access stanza

1 parent 557cd66 commit e8386dbe6c959365da5c08396e09c27901faed56 @mrash committed Aug 26, 2012
Showing with 20 additions and 18 deletions.
  1. +12 −5 server/access.c
  2. +3 −0 server/fwknopd_common.h
  3. +5 −13 server/incoming_spa.c
17 server/access.c
@@ -763,8 +763,9 @@ set_acc_defaults(fko_srv_options_t *opts)
static int
acc_data_is_valid(const acc_stanza_t *acc)
{
- if((acc->key == NULL || !strlen(acc->key))
+ if(((acc->key == NULL || !strlen(acc->key))
&& (acc->gpg_decrypt_pw == NULL || !strlen(acc->gpg_decrypt_pw)))
+ || (acc->use_rijndael == 0 && acc->use_gpg == 0 && acc->gpg_allow_no_pw == 0))
{
fprintf(stderr,
"[*] No keys found for access stanza source: '%s'\n", acc->source
@@ -907,6 +908,7 @@ parse_access_file(fko_srv_options_t *opts)
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
}
add_acc_string(&(curr_acc->key), val);
+ add_acc_bool(&(curr_acc->use_rijndael), "Y");
}
else if(CONF_VAR_IS(var, "FW_ACCESS_TIMEOUT"))
{
@@ -972,13 +974,18 @@ parse_access_file(fko_srv_options_t *opts)
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
}
add_acc_string(&(curr_acc->gpg_decrypt_pw), val);
+ add_acc_bool(&(curr_acc->use_gpg), "Y");
}
else if(CONF_VAR_IS(var, "GPG_ALLOW_NO_PW"))
{
- if(curr_acc->gpg_decrypt_pw != NULL && curr_acc->gpg_decrypt_pw[0] != '\0')
- free(curr_acc->gpg_decrypt_pw);
-
- add_acc_string(&(curr_acc->gpg_decrypt_pw), "");
+ add_acc_bool(&(curr_acc->gpg_allow_no_pw), val);
+ if(curr_acc->gpg_allow_no_pw == 1)
+ {
+ add_acc_bool(&(curr_acc->use_gpg), "Y");
+ if(curr_acc->gpg_decrypt_pw != NULL && curr_acc->gpg_decrypt_pw[0] != '\0')
+ free(curr_acc->gpg_decrypt_pw);
+ add_acc_string(&(curr_acc->gpg_decrypt_pw), "");
+ }
}
else if(CONF_VAR_IS(var, "GPG_REQUIRE_SIG"))
{
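Review bot: In acc_data_is_valid (first hunk) the added mode-flag clause does not relax the pre-existing key clause, so a stanza that sets only GPG_ALLOW_NO_PW — for which the GPG_ALLOW_NO_PW hunk below resets gpg_decrypt_pw to "" — still satisfies `(key empty) && (gpg_decrypt_pw empty)` and is rejected with "No keys found" unless a KEY is also present; if a password-less GPG stanza is meant to stand on its own, the first clause needs `&& acc->gpg_allow_no_pw == 0` inside it. The same "No keys found" message is now also printed for the new case where all three mode flags are zero, which a reader of the log cannot tell apart from a genuinely missing key; a separate message naming the mode flags would be clearer. In the GPG_ALLOW_NO_PW hunk the outcome depends on directive order: a GPG_DECRYPT_PW appearing later in the stanza overrides the empty string, while one appearing earlier is silently freed, so a comment such as `/* GPG_ALLOW_NO_PW discards any GPG_DECRYPT_PW seen earlier in the stanza */` (or a logged warning) would help. Both acc_data_is_valid and parse_access_file continue outside the hunks shown.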
3 server/fwknopd_common.h
@@ -273,6 +273,7 @@ typedef struct acc_stanza
char *restrict_ports;
acc_port_list_t *rport_list;
char *key;
+ unsigned char use_rijndael;
int fw_access_timeout;
unsigned char enable_cmd_exec;
char *cmd_exec_user;
@@ -284,6 +285,8 @@ typedef struct acc_stanza
char *gpg_decrypt_pw;
unsigned char gpg_require_sig;
unsigned char gpg_ignore_sig_error;
+ unsigned char use_gpg;
+ unsigned char gpg_allow_no_pw;
char *gpg_remote_id;
acc_string_list_t *gpg_remote_id_list;
time_t access_expire_time;
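Review bot: The three new flag fields carry no comment saying where they come from; since parse_access_file sets them as a side effect of KEY, GPG_DECRYPT_PW and GPG_ALLOW_NO_PW rather than from directives of their own, a reader of the struct cannot tell that. Suggest `unsigned char use_rijndael;   /* set when a KEY is configured */` in the first hunk and `unsigned char use_gpg;   /* set by GPG_DECRYPT_PW or GPG_ALLOW_NO_PW */` in the second. The flags are only meaningful if each stanza is zero-initialized at allocation, which this commit does not show; if stanzas are not calloc'd, acc_data_is_valid and incoming_spa would read indeterminate values, so that is worth confirming at the allocation site.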
18 server/incoming_spa.c
@@ -362,7 +362,7 @@ incoming_spa(fko_srv_options_t *opts)
*/
enc_type = fko_encryption_type((char *)spa_pkt->packet_data);
- if(enc_type == FKO_ENCRYPTION_RIJNDAEL)
+ if(acc->use_rijndael && enc_type == FKO_ENCRYPTION_RIJNDAEL)
{
if(acc->key != NULL)
res = fko_new_with_data(&ctx, (char *)spa_pkt->packet_data, acc->key);
@@ -376,12 +376,12 @@ incoming_spa(fko_srv_options_t *opts)
continue;
}
}
- else if(enc_type == FKO_ENCRYPTION_GPG)
+ else if(acc->use_gpg && enc_type == FKO_ENCRYPTION_GPG)
{
/* For GPG we create the new context without decrypting on the fly
* so we can set some GPG parameters first.
*/
- if(acc->gpg_decrypt_pw != NULL)
+ if(acc->gpg_decrypt_pw != NULL || acc->gpg_allow_no_pw)
{
res = fko_new_with_data(&ctx, (char *)spa_pkt->packet_data, NULL);
if(res != FKO_SUCCESS)
@@ -439,19 +439,11 @@ incoming_spa(fko_srv_options_t *opts)
res = fko_decrypt_spa_data(ctx, acc->gpg_decrypt_pw);
}
- else
- {
- log_msg(LOG_ERR,
- "(stanza #%d) No GPG_DECRYPT_PW for GPG encrypted messages, set GPG_ALLOW_NO_PW",
- stanza_num
- );
- acc = acc->next;
- continue;
- }
}
else
{
- log_msg(LOG_ERR, "(stanza #%d) Unable to determing encryption type. Got type=%i.",
+ log_msg(LOG_ERR,
+ "(stanza #%d) No stanza encryption mode match for encryption type: %i.",
stanza_num, enc_type);
acc = acc->next;
continue;
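Review bot: Removing the inner else in the third hunk (old lines 442–450) leaves the `use_gpg && enc_type == FKO_ENCRYPTION_GPG` branch with a path that neither creates a context nor skips the stanza: when gpg_decrypt_pw is NULL and gpg_allow_no_pw is 0 the inner if is false, control falls out of the else-if with ctx never initialized, and whatever follows the hunk presumably goes on to use ctx. With the parser in this commit use_gpg is only set together with a non-NULL gpg_decrypt_pw or with gpg_allow_no_pw, so the path looks unreachable today, but that invariant lives in another file and a later parser change would turn it into a use of an uninitialized context; the branch should be restored to log and skip. The body of incoming_spa begins and ends outside the hunk.
```c
                res = fko_decrypt_spa_data(ctx, acc->gpg_decrypt_pw);
            }
            else
            {
                log_msg(LOG_ERR,
                    "(stanza #%d) GPG stanza has no GPG_DECRYPT_PW and GPG_ALLOW_NO_PW is not set",
                    stanza_num);
                acc = acc->next;
                continue;
            }
            /* … unchanged: end of the use_gpg branch and the final else … */
```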

