(Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3
authorMichael Rash <mbr@cipherdyne.org>
Fri, 14 Sep 2012 01:24:54 +0000 (21:24 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Fri, 14 Sep 2012 01:24:54 +0000 (21:24 -0400)
(Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
been checked in under extras/openbsd/.

ChangeLog
extras/openbsd/distinfo [new file with mode: 0644]
extras/openbsd/patches/patch-lib_fko_decode_c [new file with mode: 0644]
extras/openbsd/patches/patch-server_replay_cache_c [new file with mode: 0644]
extras/openbsd/pkg/DESCR [new file with mode: 0644]
extras/openbsd/pkg/PFRAG.shared [new file with mode: 0644]
extras/openbsd/pkg/PLIST [new file with mode: 0644]
extras/openbsd/pkg/fwknopd.rc [new file with mode: 0644]

index 0ba633e..5c90315 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ fwknop-2.0.4 (09/20/2012):
     - [server] (Vlad Glagolev) Submitted a patch to fix command exec mode
       under SPA message type validity test.  Support for command exec mode was
       also added to the test suite.
+    - (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
+      been checked in under extras/openbsd/.
 
 fwknop-2.0.3 (09/03/2012):
     - [server] Fernando Arnaboldi from IOActive found several DoS/code
diff --git a/extras/openbsd/distinfo b/extras/openbsd/distinfo
new file mode 100644 (file)
index 0000000..cd068ab
--- /dev/null
@@ -0,0 +1,5 @@
+MD5 (fwknop-2.0.3.tar.bz2) = uMVchsaM3498+XuupPUvwA==
+RMD160 (fwknop-2.0.3.tar.bz2) = 0ezyQ2TclSzt1UD7uc6/k4p1iC4=
+SHA1 (fwknop-2.0.3.tar.bz2) = gdEQFITdn9V6G/lIjViomCIR8E8=
+SHA256 (fwknop-2.0.3.tar.bz2) = mN3uya+Sd7agyNjlfqZeGbIMaIBH6YPnSI/UrygCzVc=
+SIZE (fwknop-2.0.3.tar.bz2) = 755890
diff --git a/extras/openbsd/patches/patch-lib_fko_decode_c b/extras/openbsd/patches/patch-lib_fko_decode_c
new file mode 100644 (file)
index 0000000..640a7fe
--- /dev/null
@@ -0,0 +1,14 @@
+--- lib/fko_decode.c.orig      Wed Sep  5 06:04:48 2012
++++ lib/fko_decode.c   Sat Sep  8 15:11:00 2012
+@@ -285,9 +285,9 @@ fko_decode_spa_data(fko_ctx_t ctx)
+     b64_decode(tbuf, (unsigned char*)ctx->message);
+-    /* Require a message similar to: 1.2.3.4,tcp/22
++    /* Require a message similar to: 1.2.3.4,tcp/22 (if it's not command message)
+     */
+-    if(validate_access_msg(ctx->message) != FKO_SUCCESS)
++    if(ctx->message_type != FKO_COMMAND_MSG && validate_access_msg(ctx->message) != FKO_SUCCESS)
+     {
+         free(tbuf);
+         return(FKO_ERROR_INVALID_DATA);
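Review bot: The patched condition on the `+    if(ctx->message_type != FKO_COMMAND_MSG && validate_access_msg(ctx->message) != FKO_SUCCESS)` line drops validate_access_msg() entirely for command messages but substitutes no check on ctx->message for that type, so whatever bounding and sanitizing the server's command-exec path applies to the decoded message becomes the only validation it gets; fko_decode_spa_data continues outside the hunk, and the upstream fix listed in the ChangeLog hunk ("fix command exec mode under SPA message type validity test") should be compared against this port-local patch so the two do not diverge. The patch file also lacks the `$OpenBSD$` keyword line that the port's other files carry (PFRAG.shared, PLIST, fwknopd.rc); the same applies to patch-server_replay_cache_c. Conventionally a port patch opens with `$OpenBSD$` followed by a one-line comment stating what it fixes, for example `Skip the access-message format check for command messages (appears to be fixed upstream per the ChangeLog).`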
diff --git a/extras/openbsd/patches/patch-server_replay_cache_c b/extras/openbsd/patches/patch-server_replay_cache_c
new file mode 100644 (file)
index 0000000..04e1a0c
--- /dev/null
@@ -0,0 +1,27 @@
+--- server/replay_cache.c.orig Wed Sep  5 06:04:48 2012
++++ server/replay_cache.c      Sat Sep  8 09:46:56 2012
+@@ -565,7 +565,6 @@ is_replay_dbm_cache(fko_srv_options_t *opts, char *dig
+ #endif
+     datum       db_key, db_ent;
+-    char       *digest = NULL;
+     int         digest_len, res = SPA_MSG_SUCCESS;
+     digest_cache_info_t dc_info;
+@@ -638,7 +637,6 @@ add_replay_dbm_cache(fko_srv_options_t *opts, char *di
+ #endif
+     datum       db_key, db_ent;
+-    char       *digest = NULL;
+     int         digest_len, res = SPA_MSG_SUCCESS;
+     digest_cache_info_t dc_info;
+@@ -705,7 +703,7 @@ add_replay_dbm_cache(fko_srv_options_t *opts, char *di
+     return(res);
+ #endif /* NO_DIGEST_CACHE */
+-
++}
+ #endif /* USE_FILE_CACHE */
+ #if USE_FILE_CACHE
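Review bot: The `+}` inserted at the end of the third hunk sits between `#endif /* NO_DIGEST_CACHE */` and `#endif /* USE_FILE_CACHE */`, so whether it balances add_replay_dbm_cache depends on which preprocessor path is compiled; the function's opening brace and the enclosing `#if` are outside the hunk, and the result should be compiled with USE_FILE_CACHE both set and unset. Writing it as `} /* add_replay_dbm_cache */` would make the intent visible to the next person rebasing the patch. The two removed `char *digest = NULL;` lines appear to shadow the `digest` parameter visible in the `@@` context of is_replay_dbm_cache and add_replay_dbm_cache, which would presumably have left the dbm replay cache working on a NULL pointer rather than the SPA digest; since this is a correctness fix to the upstream source rather than an OpenBSD-specific adaptation, it is worth confirming it is carried upstream so the port does not maintain it indefinitely.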
diff --git a/extras/openbsd/pkg/DESCR b/extras/openbsd/pkg/DESCR
new file mode 100644 (file)
index 0000000..7c22734
--- /dev/null
@@ -0,0 +1,14 @@
+fwknop stands for the "FireWall KNock OPerator", and implements an authorization
+scheme called Single Packet Authorization (SPA) that is based around packet
+filter and libpcap.
+
+SPA requires only a single encrypted packet in order to communicate various
+pieces of information including desired access through a packet filter's policy
+and/or complete commands to execute on the target system. By using packet filter
+to maintain a "default drop" stance, the main application of this program is to
+protect services such as OpenSSH with an additional layer of security in order
+to make the exploitation of vulnerabilities (both 0-day and unpatched code) much
+more difficult.
+
+With fwknop deployed, anyone using nmap to look for sshd can't even tell that it
+is listening; it makes no difference if they have a 0-day exploit or not.
diff --git a/extras/openbsd/pkg/PFRAG.shared b/extras/openbsd/pkg/PFRAG.shared
new file mode 100644 (file)
index 0000000..ad3ce29
--- /dev/null
@@ -0,0 +1,2 @@
+@comment $OpenBSD$
+@lib lib/libfko.so.${LIBfko_VERSION}
diff --git a/extras/openbsd/pkg/PLIST b/extras/openbsd/pkg/PLIST
new file mode 100644 (file)
index 0000000..64fd1f9
--- /dev/null
@@ -0,0 +1,11 @@
+@comment $OpenBSD$
+%%SHARED%%
+@bin bin/fwknop
+include/fko.h
+@info info/libfko.info
+lib/libfko.a
+@comment lib/libfko.la
+@man man/man8/fwknop.8
+@man man/man8/fwknopd.8
+@bin sbin/fwknopd
+@rcscript ${RCDIR}/fwknopd
diff --git a/extras/openbsd/pkg/fwknopd.rc b/extras/openbsd/pkg/fwknopd.rc
new file mode 100644 (file)
index 0000000..121d405
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# $OpenBSD$
+
+daemon="${TRUEPREFIX}/sbin/fwknopd"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1