
[server] (Vlad Glagolev) Submitted a patch to fix command exec mode

(Vlad Glagolev) Submitted a patch to fix command exec mode
under SPA message type validity test.  Support for command exec mode was
also added to the test suite.
mrash committed Sep 12, 2012
1 parent 591416e commit f8374c8aefe7a3cf4fcc8763267b139a3504cd66
Showing with 69 additions and 5 deletions.
  1. +3 −0 CREDITS
  2. +3 −0 ChangeLog
  3. +24 −5 lib/fko_decode.c
  4. +4 −0 test/conf/cmd_access.conf
  5. +35 −0 test/test-fwknop.pl
@@ -72,3 +72,6 @@ Vlad Glagolev
used for the autoconf configure script. This functionality was broken in
be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of
#define macros from --disable-file-cache.
+ - Submitted a patch to fix command exec mode under SPA message type
+ validity test. Support for command exec mode was also added to the test
+ suite.
@@ -3,6 +3,9 @@ fwknop-2.0.4 (09/20/2012):
--disable-file-cache is used for the autoconf configure script. This
functionality was broken in be4193d734850fe60f14a26b547525ea0b9ce1e9
through improper handling of #define macros from --disable-file-cache.
+ - [server] (Vlad Glagolev) Submitted a patch to fix command exec mode
+ under SPA message type validity test. Support for command exec mode was
+ also added to the test suite.
fwknop-2.0.3 (09/03/2012):
- [server] Fernando Arnaboldi from IOActive found several DoS/code
@@ -259,6 +259,12 @@ fko_decode_spa_data(fko_ctx_t ctx)
ctx->message_type = (unsigned int)atoi(tbuf);
+ if(ctx->message_type < 0 || ctx->message_type >= FKO_LAST_MSG_TYPE)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
+
/* Extract the SPA message string.
*/
ndx += t_size + 1;
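Review bot: The new range check runs on a value that has already passed through `atoi()` and an `(unsigned int)` cast, so it cannot tell a non-numeric message-type field from a literal `0`. If type 0 is a valid message type (the enum is not visible here, so please confirm), a garbage field is accepted as that type. If `message_type` is unsigned (its declaration is also outside the hunk), the `< 0` test is dead code, and negative input is rejected only because it wraps to a large value that the upper bound catches. Parsing with an end pointer makes the rejection explicit: `long mt = strtol(tbuf, &endp, 10);` then `if(endp == tbuf || *endp != '\0' || mt < 0 || mt >= FKO_LAST_MSG_TYPE)`, assigning `ctx->message_type` only after that passes. The body of fko_decode_spa_data starts and ends outside this hunk.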
@@ -285,12 +291,25 @@ fko_decode_spa_data(fko_ctx_t ctx)
b64_decode(tbuf, (unsigned char*)ctx->message);
- /* Require a message similar to: 1.2.3.4,tcp/22
- */
- if(validate_access_msg(ctx->message) != FKO_SUCCESS)
+ if(ctx->message_type == FKO_COMMAND_MSG)
{
- free(tbuf);
- return(FKO_ERROR_INVALID_DATA);
+ /* Require a message similar to: 1.2.3.4,<command>
+ */
+ if(validate_cmd_msg(ctx->message) != FKO_SUCCESS)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
+ }
+ else
+ {
+ /* Require a message similar to: 1.2.3.4,tcp/22
+ */
+ if(validate_access_msg(ctx->message) != FKO_SUCCESS)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
}
/* Extract nat_access string if the message_type indicates so.
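Review bot: The two branches duplicate the same `free(tbuf); return(FKO_ERROR_INVALID_DATA);` failure path, so every future per-type validator adds another exit that must remember the free. Selecting the validator first leaves a single exit: `res = (ctx->message_type == FKO_COMMAND_MSG) ? validate_cmd_msg(ctx->message) : validate_access_msg(ctx->message);` followed by one `if(res != FKO_SUCCESS)` block. `validate_cmd_msg` is not part of this diff, and its result decides which strings reach the server's command execution path when `ENABLE_CMD_EXEC` is set. The comment above the call should therefore say what it enforces beyond the `1.2.3.4,<command>` shape, for example `/* validate_cmd_msg: checks the leading IP and bounds the command length; the command text itself is not filtered */`, adjusted to what the function really does.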
@@ -0,0 +1,4 @@
+SOURCE: ANY;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT: 3;
+ENABLE_CMD_EXEC: Y;
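Review bot: This stanza has no comment marking it as a test fixture, yet it combines `SOURCE: ANY`, a fixed key that is published in the repository and `ENABLE_CMD_EXEC: Y`. Copied into a real access.conf, that would let anyone who knows the key run commands as the fwknopd user. A leading comment such as `# Test suite only: command execution from any source with a well-known key; never use outside test/conf` would make that explicit. If the access.conf format in this release supports restricting the account that commands run under, setting it here would also keep the test from exercising command execution as root.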
@@ -29,6 +29,7 @@
'exp_epoch_access' => "$conf_dir/expired_epoch_stanza_access.conf",
'invalid_exp_access' => "$conf_dir/invalid_expire_access.conf",
'force_nat_access' => "$conf_dir/force_nat_access.conf",
+ 'cmd_access' => "$conf_dir/cmd_access.conf",
'local_nat' => "$conf_dir/local_nat_fwknopd.conf",
'ipfw_active_expire' => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
@@ -73,6 +74,7 @@
my $non_std_spa_port = 12345;
my $spoof_user = 'testuser';
+my $cmd_exec_test_file = '/tmp/fwknoptest';
#================== end config ===================
my $passed = 0;
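Review bot: `$cmd_exec_test_file` is a fixed, predictable name in the world-writable `/tmp`, and the path is then written by the server-side command (`echo fwknoptest > $cmd_exec_test_file` in the test entry), tested with `-e` in spa_cmd_exec_cycle and unlinked at startup. On a shared host a file or symlink pre-created at that name by another user makes the shell redirect, which fwknopd typically performs with elevated privileges, write through the link. It can also make the existence check pass without the command having run. A private directory avoids both: `use File::Temp qw(tempdir);` near the other imports (not visible here) and `my $cmd_exec_test_file = tempdir(CLEANUP => 1) . '/fwknoptest';`.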
@@ -1491,6 +1493,24 @@
'fatal' => $NO
},
+ ### command execution tests
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'command execution',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cmd_exec_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ qq|$fwknopCmd --server-cmd "echo fwknoptest > $cmd_exec_test_file" | .
+ "-a $fake_ip -D $loopback_ip --get-key $local_key_file " .
+ "--verbose --verbose",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'cmd_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+ 'fatal' => $NO
+ },
+
{
'category' => 'Rijndael SPA',
'subcategory' => 'server',
@@ -2330,6 +2350,20 @@ ()
return $rv;
}
+sub spa_cmd_exec_cycle() {
+ my $test_hr = shift;
+
+ my $rv = &spa_cycle($test_hr);
+
+ if (-e $cmd_exec_test_file) {
+ unlink $cmd_exec_test_file;
+ } else {
+ $rv = 0;
+ }
+
+ return $rv;
+}
+
sub replay_detection() {
my $test_hr = shift;
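Review bot: spa_cmd_exec_cycle treats the mere existence of `$cmd_exec_test_file` as proof that the SPA command ran. A leftover or foreign file at that path therefore passes the test, and the result of `unlink` is ignored, so a file that cannot be removed will make later runs pass as well. The check should confirm that the path is a regular file whose content is the `fwknoptest` marker the command writes, and should warn when cleanup fails. The sub also declares an empty prototype `()` while reading an argument with `shift`. That matches the neighbouring subs and is only harmless because callers use the `&name(...)` form, so it is worth dropping in a later cleanup. The replay_detection sub after it continues outside the hunk.

```perl
sub spa_cmd_exec_cycle() {
    ### ... unchanged: argument unpacking and the spa_cycle() call ...

    ### pass only when the marker holds what the SPA command wrote,
    ### not merely when something exists at the path
    if (-f $cmd_exec_test_file and not -l $cmd_exec_test_file) {
        my $line = '';
        if (open my $fh, '<', $cmd_exec_test_file) {
            $line = <$fh> // '';
            close $fh;
        }
        $rv = 0 unless $line =~ /^fwknoptest\s*$/;
        unlink $cmd_exec_test_file
            or warn "[-] Could not remove $cmd_exec_test_file: $!";
    } else {
        $rv = 0;
    }

    return $rv;
}
```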
@@ -3248,6 +3282,7 @@ ()
die "[*] $conf_dir directory does not exist." unless -d $conf_dir;
die "[*] $lib_dir directory does not exist." unless -d $lib_dir;
+ unlink $cmd_exec_test_file if -e $cmd_exec_test_file;
for my $name (keys %cf) {
die "[*] $cf{$name} does not exist" unless -e $cf{$name};
chmod 0600, $cf{$name} or die "[*] Could not chmod 0600 $cf{$name}";
