diff --git a/server/Makefile.am b/server/Makefile.am
index c98bf382..4ddcef68 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -6,7 +6,7 @@ BASE_SOURCE_FILES = fwknopd.h config_init.c config_init.h \
     process_packet.h log_msg.c log_msg.h utils.c utils.h \
     sig_handler.c sig_handler.h replay_cache.c replay_cache.h \
     access.c access.h fwknopd_errors.c fwknopd_errors.h \
-    tcp_server.c tcp_server.h udp_server.c udp_server.h \
+    udp_server.c udp_server.h \
     fw_util.c fw_util.h fw_util_ipf.c fw_util_ipf.h \
     fw_util_firewalld.c fw_util_firewalld.h \
     fw_util_iptables.c fw_util_iptables.h \
diff --git a/server/cmd_opts.h b/server/cmd_opts.h
index a2feed5d..9dab4a39 100644
--- a/server/cmd_opts.h
+++ b/server/cmd_opts.h
@@ -56,8 +56,6 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "CMD_EXEC_TIMEOUT",
     //"BLACKLIST",
     "ENABLE_SPA_OVER_HTTP",
-    "ENABLE_TCP_SERVER",
-    "TCPSERV_PORT",
     "ENABLE_UDP_SERVER",
     "UDPSERV_PORT",
     "UDPSERV_SELECT_TIMEOUT",
diff --git a/server/config_init.c b/server/config_init.c
index e0cf3de3..769f7830 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -157,9 +157,6 @@ validate_int_var_ranges(fko_srv_options_t *opts)
     opts->rules_chk_threshold = range_check(opts,
             "RULES_CHECK_THRESHOLD", opts->config[CONF_RULES_CHECK_THRESHOLD],
             0, RCHK_MAX_RULES_CHECK_THRESHOLD);
-    opts->tcpserv_port = range_check(opts,
-            "TCPSERV_PORT", opts->config[CONF_TCPSERV_PORT],
-            1, RCHK_MAX_TCPSERV_PORT);
     opts->udpserv_port = range_check(opts,
             "UDPSERV_PORT", opts->config[CONF_UDPSERV_PORT],
             1, RCHK_MAX_UDPSERV_PORT);
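Review bot: Dropping `"ENABLE_TCP_SERVER"` and `"TCPSERV_PORT"` from config_map means an existing fwknopd.conf that still sets either key now takes whatever path the config parser uses for an unrecognized directive; that parser is outside this diff, so I cannot tell from here whether that is a logged warning or a refused start-up. Worth confirming, and either way the upgrade notes/ChangeLog should state that the two keys are gone. If the parser is strict, accepting and ignoring the two keys with a warning for one release would be kinder to deployments that set `ENABLE_TCP_SERVER N` explicitly. The config_map table continues outside the hunk.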
@@ -912,16 +909,6 @@ validate_options(fko_srv_options_t *opts)
         set_config_entry(opts, CONF_ENABLE_SPA_OVER_HTTP,
             DEF_ENABLE_SPA_OVER_HTTP);
 
-    /* Enable TCP server.
-    */
-    if(opts->config[CONF_ENABLE_TCP_SERVER] == NULL)
-        set_config_entry(opts, CONF_ENABLE_TCP_SERVER, DEF_ENABLE_TCP_SERVER);
-
-    /* TCP Server port.
-    */
-    if(opts->config[CONF_TCPSERV_PORT] == NULL)
-        set_config_entry(opts, CONF_TCPSERV_PORT, DEF_TCPSERV_PORT);
-
 #if USE_LIBNETFILTER_QUEUE
     /* Enable NFQ Capture
     */
diff --git a/server/fwknopd.c b/server/fwknopd.c
index 55e9c60d..9b82e07d 100644
--- a/server/fwknopd.c
+++ b/server/fwknopd.c
@@ -34,7 +34,6 @@
 #include "fw_util.h"
 #include "sig_handler.h"
 #include "replay_cache.h"
-#include "tcp_server.h"
 #include "udp_server.h"
 
 #if USE_LIBNETFILTER_QUEUE
@@ -270,23 +269,6 @@ main(int argc, char **argv)
         }
     }
 
-    /* If the TCP server option was set, fire it up here. Note that in
-     * this mode, fwknopd still acquires SPA packets via libpcap. If you
-     * want to use UDP only without the libpcap dependency, then fwknop
-     * needs to be compiled with --enable-udp-server. Note that the UDP
-     * server can be run even when fwknopd links against libpcap as well,
-     * but there is no reason to link against it if SPA packets are
-     * always going to be acquired via a UDP socket.
-     */
-    if(strncasecmp(opts.config[CONF_ENABLE_TCP_SERVER], "Y", 1) == 0)
-    {
-        if(run_tcp_server(&opts) < 0)
-        {
-            log_msg(LOG_ERR, "Fatal run_tcp_server() error");
-            clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
-        }
-    }
-
 #if USE_LIBPCAP
     /* Intiate pcap capture mode...
     */
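Review bot: With this block gone fwknopd no longer accepts the TCP connection that the SPA-over-TCP mode relied on, yet nothing in the part of the diff I can see touches the client or its documentation, and the removed test further down still drove the client with `-P tcp` and had to start a netcat listener for the connection to succeed. If the client keeps offering that mode it now silently depends on some other process listening on the port, and on PCAP_FILTER covering it; either deprecate the client option in the same change or spell out the new requirement in the man page and ChangeLog. The removed comment was also the only place on this page explaining how the UDP server relates to libpcap; consider keeping that part above `#if USE_LIBPCAP`, e.g. `/* SPA packets are acquired via libpcap unless built with --enable-udp-server; the UDP server may also run alongside libpcap. */`. main() continues outside the hunk.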
@@ -311,23 +293,6 @@ main(int argc, char **argv)
 
     log_msg(LOG_INFO, "Shutting Down fwknopd.");
 
-    /* Kill the TCP server (if we have one running).
-    */
-    if(opts.tcp_server_pid > 0)
-    {
-        log_msg(LOG_INFO, "Killing the TCP server (pid=%i)",
-            opts.tcp_server_pid);
-
-        kill(opts.tcp_server_pid, SIGTERM);
-
-        /* --DSS XXX: This seems to be necessary if the tcp server
-         * was restarted by this program. We need to
-         * investigate and fix this. For now, this works
-         * (it is kludgy, but does no harm afaik).
-         */
-        kill(opts.tcp_server_pid, SIGKILL);
-    }
-
     clean_exit(&opts, FW_CLEANUP, EXIT_SUCCESS);
 
     return(EXIT_SUCCESS); /* This never gets called */
@@ -609,8 +574,6 @@ static int handle_signals(fko_srv_options_t *opts)
     {
         log_msg(LOG_WARNING, "Got SIGHUP. Re-reading configs.");
         free_configs(opts);
-        if(opts->tcp_server_pid > 0)
-            kill(opts->tcp_server_pid, SIGTERM);
         usleep(1000000);
         got_sighup = 0;
         rv = 0; /* this means fwknopd will not exit */
diff --git a/server/fwknopd.conf b/server/fwknopd.conf
index 647ecf05..742db72f 100644
--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
@@ -158,19 +158,6 @@
 #
 #ENABLE_RULE_PREPEND N;
 
-# Enable the fwknopd TCP server. This is a "dummy" TCP server that will
-# accept TCP connection requests on the specified TCPSERV_PORT.
-# If set to "Y", fwknopd will fork off a child process to listen for and
-# accept incoming TCP requests. This server only accepts the
-# request. It does not otherwise communicate. This is only to allow the
-# incoming SPA over TCP packet which is detected via PCAP. The connection
-# is closed after 1 second regardless.
-# Note that fwknopd still only gets its data via pcap, so the filter
-# defined by PCAP_FILTER needs to be updated to include this TCP port.
-#
-#ENABLE_TCP_SERVER N;
-#TCPSERV_PORT 62201;
-
 # Set/override the locale (via the LC_ALL locale category). Leave this
 # entry commented out to have fwknopd honor the default system locale.
 #
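Review bot: In handle_signals() the `usleep(1000000);` that follows `free_configs(opts);` was paired with the removed `kill(opts->tcp_server_pid, SIGTERM)` and presumably gave the child a moment to exit before the config re-read; with the kill gone, the one-second stall on every SIGHUP has no visible justification. Either drop that line or add a comment stating the reason the delay is still wanted, e.g. `/* pause before re-reading configs: <real reason here> */`, so the next reader does not have to guess. handle_signals() continues outside the hunk.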
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index e47e2e10..9775b014 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -108,8 +108,6 @@
   #define DEF_SUDO_EXE "/usr/bin/sudo"
 #endif
 #define DEF_ENABLE_SPA_OVER_HTTP "N"
-#define DEF_ENABLE_TCP_SERVER "N"
-#define DEF_TCPSERV_PORT "62201"
 #if USE_LIBPCAP
   #define DEF_ENABLE_UDP_SERVER "N"
 #else
@@ -138,7 +136,6 @@
 #define RCHK_MAX_PCAP_LOOP_SLEEP (2 << 22)
 #define RCHK_MAX_SPA_PACKET_AGE 100000 /* seconds, can disable */
 #define RCHK_MAX_SNIFF_BYTES (2 << 14)
-#define RCHK_MAX_TCPSERV_PORT ((2 << 16) - 1)
 #define RCHK_MAX_UDPSERV_PORT ((2 << 16) - 1)
 #define RCHK_MAX_UDPSERV_SELECT_TIMEOUT (2 << 22)
 #define RCHK_MAX_PCAP_DISPATCH_COUNT (2 << 22)
@@ -256,8 +253,6 @@ enum {
     CONF_CMD_EXEC_TIMEOUT,
     //CONF_BLACKLIST,
     CONF_ENABLE_SPA_OVER_HTTP,
-    CONF_ENABLE_TCP_SERVER,
-    CONF_TCPSERV_PORT,
     CONF_ENABLE_UDP_SERVER,
     CONF_UDPSERV_PORT,
     CONF_UDPSERV_SELECT_TIMEOUT,
@@ -667,7 +662,6 @@ typedef struct fko_srv_options
     unsigned char pcap_any_direction;
     int data_link_offset;
 
-    int tcp_server_pid;
     int lock_fd;
 
     /* Values used in --key-gen mode only
@@ -697,7 +691,6 @@ typedef struct fko_srv_options
     /* Data elements that are derived from configuration entries - avoids
      * calling strtol_wrapper() after the config is parsed.
     */
-    unsigned short tcpserv_port;
     unsigned short udpserv_port;
     int udpserv_select_timeout;
     int rules_chk_threshold;
diff --git a/server/nfq_capture.c b/server/nfq_capture.c
index 3b72e89a..076f0ae1 100644
--- a/server/nfq_capture.c
+++ b/server/nfq_capture.c
@@ -36,7 +36,6 @@
 #include "log_msg.h"
 #include "fwknopd_errors.h"
 #include "sig_handler.h"
-#include "tcp_server.h"
 #include 
 #if HAVE_SYS_WAIT_H
 #include 
@@ -171,37 +170,6 @@ nfq_capture(fko_srv_options_t *opts)
     */
     while(1)
     {
-        /* If we got a SIGCHLD and it was the tcp server, then handle it here.
-        ** XXX: --DSS Do we need this here? I'm guessing we would not be using
-        ** the TCP server in NF_QUEUE capture mode.
-        */
-        if(got_sigchld)
-        {
-            if(opts->tcp_server_pid > 0)
-            {
-                child_pid = waitpid(0, &status, WNOHANG);
-
-                if(child_pid == opts->tcp_server_pid)
-                {
-                    if(WIFSIGNALED(status))
-                        log_msg(LOG_WARNING, "TCP server got signal: %i", WTERMSIG(status));
-
-                    log_msg(LOG_WARNING,
-                        "TCP server exited with status of %i. Attempting restart.",
-                        WEXITSTATUS(status)
-                    );
-
-                    opts->tcp_server_pid = 0;
-
-                    /* Attempt to restart tcp server ? */
-                    usleep(1000000);
-                    run_tcp_server(opts);
-                }
-            }
-
-            got_sigchld = 0;
-        }
-
         /* Any signal except USR1, USR2, and SIGCHLD mean break the loop.
         */
         if(got_signal != 0)
diff --git a/server/pcap_capture.c b/server/pcap_capture.c
index e25904b5..5cd50676 100644
--- a/server/pcap_capture.c
+++ b/server/pcap_capture.c
@@ -41,7 +41,6 @@
 #include "log_msg.h"
 #include "fwknopd_errors.h"
 #include "sig_handler.h"
-#include "tcp_server.h"
 
 #if HAVE_SYS_WAIT_H
 #include 
@@ -63,9 +62,7 @@ pcap_capture(fko_srv_options_t *opts)
     int promisc = 0;
     int set_direction = 1;
     int pcap_file_mode = 0;
-    int status;
     int chk_rm_all = 0;
-    pid_t child_pid;
 
 #if FIREWALL_IPFW
     time_t now;
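Review bot: The pcap_capture() hunk on this same page removes its now-dead `int status;` and `pid_t child_pid;`, but no matching removal appears for nfq_capture(), whose loop this hunk strips of the only `waitpid(0, &status, WNOHANG)` call on the page; if nfq_capture() declares the same two locals (its declarations are outside the hunk), they are now write-never, read-never variables that will trip -Wunused-variable. Please check the top of nfq_capture() and delete them as well, so the two capture paths stay symmetric.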
@@ -189,34 +186,6 @@ pcap_capture(fko_srv_options_t *opts)
     */
     while(1)
     {
-        /* If we got a SIGCHLD and it was the tcp server, then handle it here.
-        */
-        if(got_sigchld)
-        {
-            if(opts->tcp_server_pid > 0)
-            {
-                child_pid = waitpid(0, &status, WNOHANG);
-
-                if(child_pid == opts->tcp_server_pid)
-                {
-                    if(WIFSIGNALED(status))
-                        log_msg(LOG_WARNING, "TCP server got signal: %i", WTERMSIG(status));
-
-                    log_msg(LOG_WARNING,
-                        "TCP server exited with status of %i. Attempting restart.",
-                        WEXITSTATUS(status)
-                    );
-
-                    opts->tcp_server_pid = 0;
-
-                    /* Attempt to restart tcp server ? */
-                    usleep(1000000);
-                    run_tcp_server(opts);
-                }
-            }
-
-            got_sigchld = 0;
-        }
 
         if(sig_do_stop())
         {
diff --git a/server/tcp_server.c b/server/tcp_server.c
deleted file mode 100644
index 7ba55bf1..00000000
--- a/server/tcp_server.c
+++ /dev/null
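Review bot: This loop held the only `got_sigchld = 0;` on the page; after the removal the flag is still raised by the signal handler (the surviving comment in nfq_capture() says SIGCHLD does not break the loop) but nothing visible clears or reads it, so it stays latched after the first child exit. If sig_handler.c, which is not in the diff, has no other consumer, remove the SIGCHLD handler and the flag there rather than leaving write-only state; otherwise keep a `got_sigchld = 0;` at the top of the loop so the flag still means "since the last check". The same applies to the nfq_capture() loop. pcap_capture() continues outside the hunk.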
@@ -1,252 +0,0 @@
-/**
- * \file server/tcp_server.c
- *
- * \brief Spawns off a dummy tcp server for fwknopd. Its purpose is
- * to accept a tcp connection, then drop it after the first packet.
- */
-
-/* Fwknop is developed primarily by the people listed in the file 'AUTHORS'.
- * Copyright (C) 2009-2015 fwknop developers and contributors. For a full
- * list of contributors, see the file 'CREDITS'.
- *
- * License (GNU General Public License):
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
- * USA
- *
- *****************************************************************************
-*/
-#include "fwknopd_common.h"
-#include "tcp_server.h"
-#include "log_msg.h"
-#include "utils.h"
-#include 
-
-#if HAVE_SYS_SOCKET_H
-  #include 
-#endif
-#if HAVE_ARPA_INET_H
-  #include 
-#endif
-#if HAVE_NETDB
-  #include 
-#endif
-
-#include 
-#include 
-
-/* Fork off and run a "dummy" TCP server. The return value is the PID of
- * the child process or -1 if there is a fork error.
-*/
-int
-run_tcp_server(fko_srv_options_t *opts)
-{
-#if !CODE_COVERAGE
-    pid_t pid, ppid;
-#endif
-    int s_sock, c_sock, sfd_flags, clen, selval;
-    int reuse_addr = 1, rv=1;
-    fd_set sfd_set;
-    struct sockaddr_in saddr, caddr;
-    struct timeval tv;
-    char sipbuf[MAX_IPV4_STR_LEN] = {0};
-
-    log_msg(LOG_INFO, "Kicking off TCP server to listen on port %i.",
-        opts->tcpserv_port);
-
-#if !CODE_COVERAGE
-    /* Fork off a child process to run the command and provide its outputs.
-    */
-    pid = fork();
-
-    /* Non-zero pid means we are the parent or there was a fork error.
-     * in either case we simply return that value to the caller.
-    */
-    if (pid != 0)
-    {
-        opts->tcp_server_pid = pid;
-        return(pid);
-    }
-
-    /* Get our parent PID so we can periodically check for it. We want to
-     * know when it goes away so we can too.
-    */
-    ppid = getppid();
-
-    /* We are the child. The first thing to do is close our copy of the
-     * parent PID file so we don't end up holding the lock if the parent
-     * suffers a sudden death that doesn't take us out too.
-    */
-    close(opts->lock_fd);
-#endif
-
-    /* Now, let's make a TCP server
-    */
-    if ((s_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: socket() failed: %s",
-            strerror(errno));
-        return -1;
-    }
-
-    /* So that we can re-bind to it without TIME_WAIT problems
-    */
-    if(setsockopt(s_sock, SOL_SOCKET, SO_REUSEADDR, &reuse_addr, sizeof(reuse_addr)) == -1)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: setsockopt error: %s",
-            strerror(errno));
-        close(s_sock);
-        return -1;
-    }
-
-    /* Make our main socket non-blocking so we don't have to be stuck on
-     * listening for incoming connections.
-    */
-    if((sfd_flags = fcntl(s_sock, F_GETFL, 0)) < 0)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: fcntl F_GETFL error: %s",
-            strerror(errno));
-        close(s_sock);
-        return -1;
-    }
-
-#if !CODE_COVERAGE
-    sfd_flags |= O_NONBLOCK;
-
-    if(fcntl(s_sock, F_SETFL, sfd_flags) < 0)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: fcntl F_SETFL error setting O_NONBLOCK: %s",
-            strerror(errno));
-        close(s_sock);
-        return -1;
-    }
-#endif
-
-    /* Construct local address structure */
-    memset(&saddr, 0, sizeof(saddr));
-    saddr.sin_family = AF_INET; /* Internet address family */
-    saddr.sin_addr.s_addr = htonl(INADDR_ANY); /* Any incoming interface */
-    saddr.sin_port = htons(opts->tcpserv_port); /* Local port */
-
-    /* Bind to the local address */
-    if (bind(s_sock, (struct sockaddr *) &saddr, sizeof(saddr)) < 0)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: bind() failed: %s",
-            strerror(errno));
-        close(s_sock);
-
-        /* In the case of code coverage, don't die on bind() fail, as netcat may be running */
-#if CODE_COVERAGE
-        return 0;
-#endif
-        return -1;
-    }
-
-    /* Mark the socket so it will listen for incoming connections
-     * (but only one at a time)
-    */
-    if (listen(s_sock, 1) < 0)
-    {
-        log_msg(LOG_ERR, "run_tcp_server: listen() failed: %s",
-            strerror(errno));
-        close(s_sock);
-        return -1;
-    }
-
-    FD_ZERO(&sfd_set);
-
-    /* Now loop and accept and drop connections after the first packet or a
-     * short timeout.
-    */
-    while(1)
-    {
-        clen = sizeof(caddr);
-
-        /* Initialize and setup the socket for select.
-        */
-        FD_SET(s_sock, &sfd_set);
-
-        /* Set our select timeout to 200 ms.
-        */
-        tv.tv_sec = 0;
-        tv.tv_usec = 200000;
-
-        selval = select(s_sock+1, &sfd_set, NULL, NULL, &tv);
-
-        if(selval == -1)
-        {
-            /* Select error - so kill the child and bail.
-            */
-            log_msg(LOG_ERR, "run_tcp_server: select error socket: %s",
-                strerror(errno));
-            rv = -1;
-            break;
-        }
-
-#if !CODE_COVERAGE
-        if(selval == 0)
-        {
-            /* Timeout - So we check to make sure our parent is still there by simply
-             * using kill(ppid, 0) and checking the return value.
-            */
-            if(kill(ppid, 0) != 0 && errno == ESRCH)
-            {
-                rv = -1;
-                break;
-            }
-            continue;
-        }
-#endif
-
-        if(! FD_ISSET(s_sock, &sfd_set))
-            continue;
-
-        /* Wait for a client to connect
-        */
-        if((c_sock = accept(s_sock, (struct sockaddr *) &caddr, (socklen_t *)&clen)) < 0)
-        {
-            log_msg(LOG_ERR, "run_tcp_server: accept() failed: %s",
-                strerror(errno));
-            rv = -1;
-            break;
-        }
-
-        if(opts->verbose)
-        {
-            memset(sipbuf, 0x0, MAX_IPV4_STR_LEN);
-            inet_ntop(AF_INET, &(caddr.sin_addr.s_addr), sipbuf, MAX_IPV4_STR_LEN);
-            log_msg(LOG_INFO, "tcp_server: Got TCP connection from %s.", sipbuf);
-        }
-
-        /* Though hacky and clunky, we just sleep for a second then
-         * close the socket. No need to read or write anything. This
-         * just gives the client a sufficient window to send their
-         * request on this socket. In any case the socket is closed
-         * after that time.
-         */
-        usleep(1000000);
-        shutdown(c_sock, SHUT_RDWR);
-        close(c_sock);
-
-#if CODE_COVERAGE
-        break;
-#endif
-    } /* infinite while loop */
-
-    close(s_sock);
-    return rv;
-}
-
-/***EOF***/
diff --git a/server/tcp_server.h b/server/tcp_server.h
deleted file mode 100644
index 13db296e..00000000
--- a/server/tcp_server.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * \file server/tcp_server.h
- *
- * \brief Header file for tcp_server.c.
- */
-
-/* Fwknop is developed primarily by the people listed in the file 'AUTHORS'.
- * Copyright (C) 2009-2015 fwknop developers and contributors. For a full
- * list of contributors, see the file 'CREDITS'.
- *
- * License (GNU General Public License):
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
- * USA
- *
- *****************************************************************************
-*/
-#ifndef TCP_SERVER_H
-#define TCP_SERVER_H
-
-/* Function prototypes
-*/
-int run_tcp_server(fko_srv_options_t *opts);
-
-#endif /* TCP_SERVER_H */
-
-/***EOF***/
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index 08b46df9..d05e23d0 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@@ -631,7 +631,6 @@
     'gpg_large_signing_key_access' => "$conf_dir/gpg_large_signing_key_access.conf",
     'gpg_subkey_access' => "$conf_dir/gpg_subkey_access.conf",
     'gpg_server_large_key_access' => "$conf_dir/gpg_server_large_key_access.conf",
-    'tcp_server' => "$conf_dir/tcp_server_fwknopd.conf",
     'udp_server' => "$conf_dir/udp_server_fwknopd.conf",
     'spa_over_http' => "$conf_dir/spa_over_http_fwknopd.conf",
     'spa_x_forwarded_for' => "$conf_dir/spa_x_forwarded_for_fwknopd.conf",
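Review bot: The removed `'tcp_server'` entry pointed at `tcp_server_fwknopd.conf` under `$conf_dir`, and no hunk on this page deletes that file; unless it is removed elsewhere in the commit it is left orphaned, and since `ENABLE_TCP_SERVER`/`TCPSERV_PORT` are no longer in config_map, anything that still loads it would now feed the parser an unknown directive. Delete the conf file together with this hash entry, and grep the test tree for any other reference to `tcp_server` so the suite does not carry a dead fixture. The %cf hash continues outside the hunk.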
@@ -3131,26 +3130,6 @@ ()
     return $rv;
 }
 
-sub tcp_spa_cycle() {
-    my $test_hr = shift;
-
-    my ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
-        = &client_server_interaction($test_hr, [], $USE_CLIENT);
-    if (!$rv) {
-        $rv = 1;
-        #start netcat listening on tcp/62201
-        system("nc -k -l 62201 > /dev/null 2>&1 &");
-        my ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
-            = &client_server_interaction($test_hr, [], $USE_CLIENT);
-
-        #stop netcat
-        system("killall nc");
-}
-    $rv = 0 unless &process_output_matches($test_hr);
-
-    return $rv;
-}
-
 sub iptables_no_flush_init_exit() {
     my $test_hr = shift;
 
diff --git a/test/tests/rijndael.pl b/test/tests/rijndael.pl
index e2bed6a0..fc1d7d15 100644
--- a/test/tests/rijndael.pl
+++ b/test/tests/rijndael.pl
@@ -592,20 +592,6 @@
         'fw_rule_removed' => $NEW_RULE_REMOVED,
         'server_positive_output_matches' => [qr/SPA\sPacket\sfrom\sIP\:\s$spoof_ip\s/],
     },
-
-    ### SPA over TCP (not really "single" packet auth since a TCP connection
-    ### is established)
-    {
-        'category' => 'Rijndael',
-        'subcategory' => 'client+server',
-        'detail' => "SPA over TCP connection",
-        'function' => \&tcp_spa_cycle,
-        'cmdline' => "$default_client_args -P tcp",
-        'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'tcp_server'} -a $cf{'def_access'} " .
-            "-d $default_digest_file -p $default_pid_file $intf_str",
-        'fw_rule_created' => $NEW_RULE_REQUIRED,
-        'fw_rule_removed' => $NEW_RULE_REMOVED,
-    },
     {
         'category' => 'Rijndael',
         'subcategory' => 'client+server',