FKO(3pm) | User Contributed Perl Documentation | FKO(3pm) |
FKO - Perl module wrapper for libfko
use FKO; # Create a new empty FKO object. # my $fko = FKO->new(); if(!$fko) { die "Unable to create FKO object: $FKO::error_str\n"; } # Override the username (default is current user). # my $err = $fko->username('joeuser'); if($err) { die "Error setting username: ", $fko->errstr($err), "\n"; } # Set the SPA message (see libfko docs for details). # $err = $fko->spa_message('1.2.3.4,tcp/22'); # ..error checking, etc... $err = $fko->spa_data_final('mycryptkey', 'myhmackey'); # ..error checking, etc... # Get the encrypted/authenticated/encoded SPA data. # my $spa_data = $fko->spa_data(); ## Incoming SPA data ## # Create an FKO object to process incoming (or existing) # SPA data. # my $fko_in = FKO->new($enc_spa_data, 'mycryptkey', FKO::FKO_ENC_MODE_CBC, 'myhmackey', FKO::FKO_HMAC_SHA256) or die "Unable to create FKO object: $FKO::error_str\n"; my $timestamp = $fko_in->timestamp(); my $fko_user = $fko_in->username(); my $spa_msg = $fko_in->spa_message(); my $digest = $fko_in->spa_digest(); # Pull the digest type. my $digest_type = $fko_in->spa_digest_type(); if($digest_type == FKO::FKO_DIGEST_SHA256) { # do something } elsif($digest_type == FKO::FKO_DIGEST_MD5) { # do something else }
This module is essentially a Perl wrapper for the Firewall Knock Operator (fwknop) library, "libfko". Fwknop is an open source implementation of Single Packet Authorization (SPA) for access to networked resources that are protected by a default-drop packet filter.
The original fwknop is implemented in Perl. The libfko library is an implementation of the fwknop back-end data processing routines written in C as part of the project to move all of fwknop to C.
See the "libfko" documentation for additional information on usage and the functionality provided by "libfko". More information on SPA and fwknop can be found at http://www.cipherdyne.org/fwknop.
You can also pass existing encoded/encrypted SPA data, a decryption password, and an HMAC key (along with associated encryption and HMAC modes) to "new". This will create a new object, authenticate, decrypt, and decode the data, and store it within the object for later retrieval using the various methods described below.
If there are any errors during the creation or decoding of the data new will return undef and the appropriate error message will be available in the $FKO::error_str variable.
Create an empty object:
my $fko = FKO->new();
Create an object using existing data:
my $fko = FKO->new($spa_data, 'decrypt_pw', FKO::FKO_ENC_MODE_CBC, 'myhmackey', FKO::FKO_HMAC_SHA256);
The utility methods are those that perform the non-data-set/get functions like error messages, data processing, and clean-up.
Though "destroy" will be called if the object goes out of scope, it is good practice to clean up after yourself. This is especially true if you are processing multiple SPA messages in a loop, etc.
This function is normally not called directly as it is automatically called from the internal "fko_spa_data_final" function (which is wrapped by this module's "spa_data_final" function.
Note: This function does not need to be called directly if encrypted SPA data was passed to this module's constructor when the object was created as the "new" function will call decrypt and decode itself.
This function is normally not called directly as it is called by other libfko functions during normal processing (i.e during encypt and/or final functions.
This function is normally not called directly as it is called by other libfko functions during normal processing.
There are a few data and method types supported by libfko, along with a few functions for getting and setting them. Most of these types are represented using constants defined in the FKO module.
The encryption type parameter is an integer value. Constants have been defined to represent this value. Currently, the only supported encryption types are:
The default libfko encryption algorithm.
GnuPG encryption (if supported by the underlying libfko implementation).
The HMAC type parameter is an integer value. Constants have been defined to represent this value. Currently, the supported HMAC types are:
The default libfko HMAC digest algorithm is SHA-256
Use the MD5 digest algorithm (not recommended) to generate the HMAC.
Use the SHA-1 digest algorithm to generate the HMAC.
Use the SHA-512 digest algorithm to generate the HMAC.
The digest type parameter is an integer value. Constants have been defined to represent this value. Currently, the supported digest types are:
The MD5 message digest algorithm.
The SHA1 message digest algorithm.
The SHA256 message digest algorithm. This is the libfko default.
The SHA384 message digest algorithm. This is the libfko default.
The SHA512 message digest algorithm. This is the libfko default.
The message type parameter is an integer value. Constants have been defined to represent this value. Currently, the supported digest types are:
A request to have the fwknop server execute the given command. The format for this type is: "<ip of requestor>:<command text>"
For example:
"192.168.1.2:uname -a"
A basic access request. This is the most common type in use. The format for this type is: "<ip of requestor>:<protocol>/<port>".
For example:
"192.168.1.2:tcp/22"
An access request that also provide information for the fwknop server to create a Network Address Translation (NAT to an internal address. The format for this string is: "<internal ip>,<ext nat port>".
For example:
"10.10.1.2,9922"
This is an "FKO_ACCESS_REQUEST" with a timeout parameter for the fwknop server. The timeout value is provided via the "client_timeout" data field.
This is an "FKO_NAT_ACCESS_REQUEST" with a timeout parameter for the fwknop server. The timeout value is provided via the "client_timeout" data field.
This is similar to the "FKO_NAT_ACCESS" request except the NAT is to the local to the server (i.e. a service listening on 127.0.0.1).
This is an "FKO_LOCAL_NAT_ACCESS_REQUEST" with a timeout parameter for the fwknop server. The timeout value is provided via the "client_timeout" data field.
The SPA data methods are used for setting or retrieving the various SPA data field values. Some of these simply return a read-only value, while others are used to set or get values.
Note: The following methods are presented roughly in the order their respective data values appear in an fwknop SPA message. Many of these have reasonable default values at creation and are not typically used in most circumstances.
If a provided value is not a valid 16-character decimal string, the function will return the "FKO_ERROR_INVALID_DATA" error code.
Upon creation of a new FKO object, this value is automatically generated.
If a value of 0 is given, libfko will attempt to determine and set the username by first looking for the environment variable "SPOOF_USER" and use its value if found. Otherwise, it will try to determine the username itself using various system methods, then fallback to the environment variables "LOGNAME" or "USER". If none of those work, the function will return the "FKO_ERROR_USERNAME_UNKNOWN" error code.
Upon creation of a new FKO object, this value is automatically generated based on the libfko method described above.
If an argument is provided, it will represent an offset to be applied to the current timestamp value at the time this function was called.
Upon creation of a new FKO object, this value is automatically generated based on the time of object creation.
This function is normally not called directly as it is called by other libfko functions during normal processing.
If an argument is given, it is expected to be an existing encrypted and encoded SPA data string (perhaps data received by an fwknop server). The provided data is stored in the object (the current context).
Note: When data is provided via this function, it is not automatically decoded. You would need to call "decrypt_spa_data($pw)" to complete the decryption, decoding, and parsing process.
If no argument is given, the current value is returned. Otherwise, gpg_recipient will be set to the given value.
If no argument is given, the current value is returned. Otherwise, gpg_signer will be set to the given value.
If no argument is given, the current value is returned. Otherwise, gpg_home_dir will be set to the given value.
GPG Signature Verification
By default libfko will attempt to verify GPG signatures when decrypting GPG-encrypted data. If the signature is missing, expired, revoked, or otherwise bad, the decoding operation will fail.
The following functions are provided to process GPG key information, or manage how libfko deals with GPG signatures. Like the other GPG-related functions, these also have the following prerequisites:
If no argument is given, the current value is returned. Otherwise, the gpg_signature_verify flag will be set to the given value.
If no argument is given, the current value is returned. Otherwise, the gpg_ignore_verify_error flag will be set to the given value.
Perl, the "libfko" manual.
Additional information on the Firewall Knock Operater (fwknop) can be found at http://www.cipherdyne.org/fwknop.
Damien S. Stuart, <dstuart@dstuart.org>
Copyright (C) 2009 by Damien S. Stuart
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.8 or, at your option, any later version of Perl 5 you may have available.
2019-02-28 | perl v5.28.1 |