From: Jonathan McDowell Date: Wed, 15 Jun 2005 10:41:54 +0000 (+0000) Subject: cscvs to tla changeset 14 X-Git-Url: https://the.earth.li/gitweb/?a=commitdiff_plain;h=b3a4e4c944a9535aaf39fe414d76171b4169bd6b;p=autodns.git cscvs to tla changeset 14 Author: noodles Date: 2005/06/15 10:14:28 Add checking of signature time, to try to limit replay attacks. git-archimport-id: noodles@earth.li--pie/autodns--mainline--1.0--patch-13
---
diff --git a/autodns.conf b/autodns.conf
index b320c27..56e09f8 100644
--- a/autodns.conf
+++ b/autodns.conf
@@ -29,3 +29,9 @@ $lockfile="/etc/bind/autodns.lck";
 # The command to reload the nameserver domains list.
 $reload_command="sudo ndc reconfig 2>&1";
+
+# When we consider a signature to have expired and so to be rejected.
+# Intended to help prevent reply attacks. Value is in seconds and the
+# signature can be +/- this many seconds from current time before being
+# rejected.
+$expiry = 7200;
diff --git a/autodns.pl b/autodns.pl
index d017e60..5aba950 100755
--- a/autodns.pl
+++ b/autodns.pl
@@ -5,10 +5,11 @@
 # http://www.earth.li/projectpurple/progs/autodns.html
 # Released under the GPL.
 #
-# $Id: autodns.pl,v 1.13 2005/05/31 17:17:46 noodles Exp $
+# $Id: autodns.pl,v 1.14 2005/06/15 10:14:28 noodles Exp $
 #
 use strict;
+use Date::Parse;
 use Fcntl qw(:flock);
 use File::Temp qw(tempfile);
 use IPC::Open3;
@@ -21,7 +22,7 @@ my ($user, $server, $inprocess, $delcount, $addcount);
 my ($domain, @MAIL, @GPGERROR, @COMMANDS, %zones, $VERSION);
 use vars qw($me $ccreply $conffile $domainlistroot @cfgfiles $usersfile
- $lockfile $reload_command);
+ $lockfile $reload_command $expiry);
 $VERSION="0.0.8";
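Review bot: In the autodns.conf hunk, the comment added above `$expiry` reads "reply attacks" where the commit message says replay attacks; the line should be `# Intended to help prevent replay attacks. Value is in seconds and the`. The comment would also be more useful to an operator if it said that a validly signed message stays acceptable for the whole window, up to `$expiry` seconds either side of the current time, so the setting shortens the period in which a captured message can be resubmitted rather than closing it. Nothing visible in this commit records which signatures have already been processed, so that limit is worth stating next to the default.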
@@ -267,10 +268,12 @@ if ($entity->parts) {
 # Check who it's from and if the signature was a good one.
 $gpggood=1;
+my $sigtime = 0;
 foreach (@GPGERROR) {
 chomp;
- if (/Signature made.* (.*)$/) {
- $gpguser=$1;
+ if (/Signature made (.*) using.*ID (.*)$/) {
+ $sigtime = str2time($1);
+ $gpguser=$2;
 } elsif (/error/) {
 $gpggood = 0;
 print REPLY "Some errors ocurred\n";
@@ -299,6 +302,21 @@ if ($gpggood) {
 exit;
 }
+# Check if the signature is outside our acceptable range.
+if (!defined($sigtime)) {
+ print REPLY "Couldn't parse signature time.\n";
+ close REPLY;
+ exit;
+} elsif ($sigtime > (time + $expiry)) {
+ print REPLY "Signature too far into the future.\n";
+ close REPLY;
+ exit;
+} elsif ($sigtime < (time - $expiry)) {
+ print REPLY "Signature too far into the past.\n";
+ close REPLY;
+ exit;
+}
+
 # Now let's check if we know this person.
 ($user, $priv, $server) = getuserinfo($gpguser);
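Review bot: Initialising with `my $sigtime = 0;` in the first autodns.pl hunk here means that when no `Signature made` line matches, the later `!defined($sigtime)` branch is never taken and the message is rejected as "too far into the past", which hides the real cause. Declaring it as `my $sigtime;` lets both a missing line and a failed `str2time` report "Couldn't parse signature time." The timestamp is also read from gpg's human-readable output, whose date format presumably depends on the locale and timezone of the account running gpg, so a comment naming the expected format would help. If the gpg invocation (outside this hunk) can be changed, GnuPG's `--status-fd` output gives the signature time in machine-readable form. The `foreach` body continues past the end of the hunk.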
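Review bot: Nothing in the added range check guards against `$expiry` being unset, which is what a site gets if its existing autodns.conf predates this commit and the config loading (not shown in the diff) supplies no default. An undefined `$expiry` counts as 0 in `time + $expiry` and `time - $expiry`, so every message not signed in the current second is refused as too far into the future or the past. This fails closed, but the reply gives no hint that the configuration is the cause. A fallback before the comparison, `$expiry = 7200 unless defined $expiry;`, or an explicit configuration-error reply, would make an upgrade behave predictably. As a point of style, the three branches repeat the same `close REPLY; exit;` pair and could share one rejection path that takes the message text.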