fwknop.git
3 weeks ago Merge branch 'master' of https://github.com/mrash/fwknop (ref: master)
Michael Rash [Sat, 4 Oct 2014 14:38:08 +0000]
Merge branch 'master' of https://github.com/mrash/fwknop

3 weeks ago [client] minor tab->spaces fix
Michael Rash [Sat, 4 Oct 2014 14:32:52 +0000]
[client] minor tab->spaces fix

3 weeks ago Merge pull request #135 from tombriden/multi_ports
Michael Rash [Fri, 3 Oct 2014 04:08:45 +0000]
Merge pull request #135 from tombriden/multi_ports

android: allow definition of multiple tcp/udp ports

3 weeks ago Merge pull request #137 from schuellerf/master
Michael Rash [Fri, 3 Oct 2014 04:03:06 +0000]
Merge pull request #137 from schuellerf/master

Support for "--no-save-args" in .fwknoprc

3 weeks ago Add "NO_SAVE_ARGS" to initial config file
Florian Schüller [Wed, 1 Oct 2014 12:12:57 +0000]
Add "NO_SAVE_ARGS" to initial config file

3 weeks ago Support for "--no-save-args" in .fwknoprc
Florian Schüller [Wed, 1 Oct 2014 12:12:10 +0000]
Support for "--no-save-args" in .fwknoprc

3 weeks ago Use the fwknop User-Agent for wget SSL external IP resolutions
Michael Rash [Sun, 28 Sep 2014 03:23:12 +0000]
Use the fwknop User-Agent for wget SSL external IP resolutions

Bug fix to ensure that a User-Agent string can be specified when the
fwknop client uses wget via SSL to resolve the external IP address. This
closes issue #134 on github reported by Barry Allard. fwknop now
uses the wget '-U' option to specify the User-Agent string with a
default of "Fwknop/<version>". In addition, a new command line argument
"--use-wget-user-agent" allows the default wget User-Agent string to
apply instead.

4 weeks ago android: allow definition of multiple tcp/udp ports
Tom Briden [Sat, 27 Sep 2014 10:14:10 +0000]
android: allow definition of multiple tcp/udp ports

7 weeks ago firewalld support from Gerry Reno
Michael Rash [Thu, 4 Sep 2014 03:28:51 +0000]
firewalld support from Gerry Reno

7 weeks ago [server] firewalld reports 'success' as a string upon command success in contrast...
Michael Rash [Thu, 4 Sep 2014 03:15:34 +0000]
[server] firewalld reports 'success' as a string upon command success in contrast to iptables

7 weeks ago added feature: firewalld
Gerry Reno [Mon, 1 Sep 2014 01:13:42 +0000]
added feature: firewalld

7 weeks ago more changes for firewalld
Gerry Reno [Sun, 31 Aug 2014 20:13:46 +0000]
more changes for firewalld

7 weeks ago more changes for firewalld
Gerry Reno [Sun, 31 Aug 2014 17:51:08 +0000]
more changes for firewalld

7 weeks ago more changes for firewalld
Gerry Reno [Sun, 31 Aug 2014 06:23:39 +0000]
more changes for firewalld

7 weeks ago more changes for firewalld
Gerry Reno [Sun, 31 Aug 2014 04:29:17 +0000]
more changes for firewalld

7 weeks ago first cut at firewalld
Gerry Reno [Sun, 31 Aug 2014 04:06:37 +0000]
first cut at firewalld

8 weeks ago added .gitignore
Gerry Reno [Sat, 30 Aug 2014 23:09:02 +0000]
added .gitignore

8 weeks ago Added WIN32 definitions for popen (_popen) and pclose (_pclose) to accommodate the...
Damien Stuart [Sat, 30 Aug 2014 20:18:46 +0000]
Added WIN32 definitions for popen (_popen) and pclose (_pclose) to accommodate the call to wget on Windows-based systems.

8 weeks ago Merge branch 'master' of ssh://github.com/mrash/fwknop
Michael Rash [Wed, 27 Aug 2014 03:23:31 +0000]
Merge branch 'master' of ssh://github.com/mrash/fwknop

8 weeks ago Merge pull request #127 from g-reno/android-keypreserve
Michael Rash [Wed, 27 Aug 2014 03:22:15 +0000]
Merge pull request #127 from g-reno/android-keypreserve

restore keys from prefs when app is launched

8 weeks ago fwknopd man page updates for access.conf vars
Michael Rash [Wed, 27 Aug 2014 03:21:14 +0000]
fwknopd man page updates for access.conf vars

2 months ago ChangeLog update for FCS bug fix
Michael Rash [Fri, 22 Aug 2014 01:15:09 +0000]
ChangeLog update for FCS bug fix

2 months ago minor code restructure for Ethernet FCS header processing
Michael Rash [Fri, 22 Aug 2014 01:08:27 +0000]
minor code restructure for Ethernet FCS header processing

2 months ago added Ethernet FCS header test with pcap contributed by Bill Stubs
Michael Rash [Fri, 22 Aug 2014 01:07:52 +0000]
added Ethernet FCS header test with pcap contributed by Bill Stubs

2 months ago Merge branch 'beaglebone_libpcap_workaround' of https://github.com/stubbsw/fwknop...
Michael Rash [Fri, 22 Aug 2014 00:44:48 +0000]
Merge branch 'beaglebone_libpcap_workaround' of https://github.com/stubbsw/fwknop into stubbsw-beaglebone_libpcap_workaround

2 months ago restore keys from prefs when app is launched
Gerry Reno [Thu, 21 Aug 2014 22:16:00 +0000]
restore keys from prefs when app is launched

2 months ago pcap of spa with Ethernet FCS
stubbsw [Thu, 21 Aug 2014 11:04:55 +0000]
pcap of spa with Ethernet FCS

Captured with:
tcpdump -i eth0 -l -nn -s 0 -w fcs_spa.pcap udp port 62201

Generated remotely with:
LD_LIBRARY_PATH=./lib/.libs ./client/.libs/fwknop -A tcp/22 -a 127.0.0.2 -D 192.168.18.11 --no-save-args --verbose --verbose --rc-file ./test/conf/fwknoprc_default_hmac_base64_key

2 months ago Merge pull request #125 from stubbsw/beaglebone_libpcap_workaround
Michael Rash [Thu, 21 Aug 2014 03:20:40 +0000]
Merge pull request #125 from stubbsw/beaglebone_libpcap_workaround

workaround libpcap 4 extra bytes

2 months ago update to indicate Ethernet FCS support vs. bug
stubbsw [Tue, 19 Aug 2014 10:54:18 +0000]
update to indicate Ethernet FCS support vs. bug

2 months ago workaround libpcap 4 extra bytes
stubbsw [Sun, 17 Aug 2014 15:50:56 +0000]
workaround libpcap 4 extra bytes

Workaround for libpcap returning a length that is 4 bytes longer than the
packet on the wire. Observed on:

Linux beaglebone 3.8.13-bone50 #1 SMP Tue May 13 13:24:52 UTC 2014 armv7l GNU/Linux
ldd fwknopd
libfko.so.2 => /usr/local/lib/libfko.so.2 (0xb6f62000)
libpcap.so.0.8 => /usr/lib/arm-linux-gnueabihf/libpcap.so.0.8 (0xb6f20000)
libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6e3b000)
/lib/ld-linux-armhf.so.3 (0xb6f94000)
libgcc_s.so.1 => /lib/arm-linux-gnueabihf/libgcc_s.so.1 (0xb6e17000)

Calculate the new pkt_end from the length in the ip header.

2 months ago append gdbm change to all changes since 2.6.2 (ref: 2.6.3)
Michael Rash [Tue, 29 Jul 2014 02:41:56 +0000]
append gdbm change to all changes since 2.6.2

2 months ago removed gdbm/gdbm-devel dependencies for the RPM, bumped libfko to 2.0.3 for the RPM
Michael Rash [Tue, 29 Jul 2014 02:40:13 +0000]
removed gdbm/gdbm-devel dependencies for the RPM, bumped libfko to 2.0.3 for the RPM

2 months ago extended ChangeLog.git to include libfko version bump
Michael Rash [Tue, 29 Jul 2014 02:28:46 +0000]
extended ChangeLog.git to include libfko version bump

2 months ago bumped libfko version to 2.0.3
Michael Rash [Tue, 29 Jul 2014 01:46:32 +0000]
bumped libfko version to 2.0.3

2 months ago changes since 2.6.2 to ChangeLog.git
Michael Rash [Mon, 28 Jul 2014 03:20:55 +0000]
changes since 2.6.2 to ChangeLog.git

2 months ago bumped version to 2.6.3 in preparation for release
Michael Rash [Mon, 28 Jul 2014 03:03:11 +0000]
bumped version to 2.6.3 in preparation for release

2 months ago [test suite] added FreeBSD-10.0 and OpenBSD-5.5 compatibility tests
Michael Rash [Mon, 28 Jul 2014 02:56:15 +0000]
[test suite] added FreeBSD-10.0 and OpenBSD-5.5 compatibility tests

2 months ago added configure_max_coverage.sh helper script
Michael Rash [Mon, 28 Jul 2014 02:40:04 +0000]
added configure_max_coverage.sh helper script

2 months ago [test suite] WGET_CMD and RESOLVE_HTTP_ONLY fwknoprc test coverage
Michael Rash [Mon, 28 Jul 2014 02:31:49 +0000]
[test suite] WGET_CMD and RESOLVE_HTTP_ONLY fwknoprc test coverage

2 months ago revert gpg trustdb.gpg update from test suite
Michael Rash [Mon, 28 Jul 2014 02:10:01 +0000]
revert gpg trustdb.gpg update from test suite

2 months ago [client] have autoconf resolve the absolute path to wget for SSL IP resolution
Michael Rash [Mon, 28 Jul 2014 02:03:58 +0000]
[client] have autoconf resolve the absolute path to wget for SSL IP resolution

2 months ago [server] fix shift operation bug in SOURCE subnet processing spotted by Coverity
Michael Rash [Sun, 27 Jul 2014 03:43:48 +0000]
[server] fix shift operation bug in SOURCE subnet processing spotted by Coverity

3 months ago Merge branch 'libfiu_fault_injection'
Michael Rash [Fri, 25 Jul 2014 21:44:27 +0000]
Merge branch 'libfiu_fault_injection'

Conflicts:
test/tests/rijndael_hmac_fuzzing.pl

3 months ago [client] Updated IP resolution mode -R to use SSL (ref: libfiu_fault_injection)
Michael Rash [Fri, 25 Jul 2014 21:42:06 +0000]
[client] Updated IP resolution mode -R to use SSL

External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by
default. The IP resolution URL is now 'https://www.cipherdyne.org/cgi-gin/myip',
and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified
(it is safer just to use the default). The fwknop client leverages 'wget' for
this operation since that is cleaner than having fwknop link against an SSL
library.

3 months ago [client] call freeaddrinfo() early after iterating through getaddrinfo() results
Michael Rash [Wed, 23 Jul 2014 02:35:43 +0000]
[client] call freeaddrinfo() early after iterating through getaddrinfo() results

3 months ago added extras/coverity/ directory for Coverity script
Michael Rash [Wed, 23 Jul 2014 02:05:29 +0000]
added extras/coverity/ directory for Coverity script

3 months ago [client] make close() on socket handle more intuitive (resolves 'double close' bugs...
Michael Rash [Wed, 23 Jul 2014 02:04:44 +0000]
[client] make close() on socket handle more intuitive (resolves 'double close' bugs flagged by Coverity)

3 months ago [test suite] add access.conf file path to a few basic tests
Michael Rash [Tue, 22 Jul 2014 22:56:12 +0000]
[test suite] add access.conf file path to a few basic tests

3 months ago [test suite] handle PF on FreeBSD
Michael Rash [Tue, 22 Jul 2014 22:48:54 +0000]
[test suite] handle PF on FreeBSD

3 months ago [test suite] update wrapper Makefile gcc -> cc
Michael Rash [Tue, 22 Jul 2014 22:40:29 +0000]
[test suite] update wrapper Makefile gcc -> cc

3 months ago [test suite] README update to include --enable-complete mode
Michael Rash [Tue, 22 Jul 2014 03:59:44 +0000]
[test suite] README update to include --enable-complete mode

3 months ago fixed several socket handle leaks under error conditions spotted by Coverity
Michael Rash [Tue, 22 Jul 2014 03:55:08 +0000]
fixed several socket handle leaks under error conditions spotted by Coverity

3 months ago added lcov coverage link
Michael Rash [Sat, 19 Jul 2014 21:26:15 +0000]
added lcov coverage link

3 months ago ChangeLog updates
Michael Rash [Sat, 19 Jul 2014 21:18:59 +0000]
ChangeLog updates

3 months ago [server] minor update print -> fprintf for PF firewall interface
Michael Rash [Sat, 19 Jul 2014 20:40:59 +0000]
[server] minor update print -> fprintf for PF firewall interface

3 months ago fix gcc -Wstrlcpy-strlcat-size warnings
Michael Rash [Sat, 19 Jul 2014 20:30:53 +0000]
fix gcc -Wstrlcpy-strlcat-size warnings

3 months ago fixed README paths
Michael Rash [Sat, 19 Jul 2014 20:30:00 +0000]
fixed README paths

3 months ago fixed README paths
Michael Rash [Sat, 19 Jul 2014 20:22:42 +0000]
fixed README paths

3 months ago [server] Bug fix for PF firewalls without ALTQ support on FreeBSD.
Michael Rash [Sat, 19 Jul 2014 00:54:11 +0000]
[server] Bug fix for PF firewalls without ALTQ support on FreeBSD.

With this commit PF rules are added correctly regardless of whether ALTQ support
is available or not. Thanks to Barry Allard for discovering and reporting this
issue. Closes issue #121 on github.

3 months ago minor README.md summary update
Michael Rash [Sat, 12 Jul 2014 03:41:32 +0000]
minor README.md summary update

3 months ago minor README.md formatting updates
Michael Rash [Sat, 12 Jul 2014 03:29:13 +0000]
minor README.md formatting updates

3 months ago Merge pull request #122 from steakknife/convert_readme
Michael Rash [Fri, 11 Jul 2014 14:43:50 +0000]
Merge pull request #122 from steakknife/convert_readme

readme -> md

3 months ago readme -> md
Barry Allard [Wed, 9 Jul 2014 02:09:29 +0000]
readme -> md

Signed-off-by: Barry Allard <barry.allard@gmail.com>

3 months ago [test suite] add --gpg-home-dir arg to GPG test
Michael Rash [Tue, 8 Jul 2014 03:55:34 +0000]
[test suite] add --gpg-home-dir arg to GPG test

3 months ago [test suite] add variable expansion and fwknopd override tests
Michael Rash [Tue, 8 Jul 2014 03:50:24 +0000]
[test suite] add variable expansion and fwknopd override tests

3 months ago [test suite] run interrupt signal test against foreground fwknopd process
Michael Rash [Tue, 8 Jul 2014 03:41:17 +0000]
[test suite] run interrupt signal test against foreground fwknopd process

3 months ago [server] handle signal vars in dedicated function
Michael Rash [Tue, 8 Jul 2014 03:37:08 +0000]
[server] handle signal vars in dedicated function

3 months ago [server] alert the user when config file variable expansion references invalid var
Michael Rash [Tue, 8 Jul 2014 03:30:49 +0000]
[server] alert the user when config file variable expansion references invalid var

3 months ago [test suite] add GPG test for a manually altered SPA packet
Michael Rash [Tue, 8 Jul 2014 03:16:47 +0000]
[test suite] add GPG test for a manually altered SPA packet

3 months ago [test suite] add SYSLOG_FACILITY tests
Michael Rash [Tue, 8 Jul 2014 02:35:27 +0000]
[test suite] add SYSLOG_FACILITY tests

3 months ago [server] refactor main() into a more natural breakdown of functions
Michael Rash [Tue, 8 Jul 2014 02:34:45 +0000]
[server] refactor main() into a more natural breakdown of functions

3 months ago [server] Fix uninitialized value usage after proper SPA authentication/decryption
Michael Rash [Tue, 8 Jul 2014 02:27:53 +0000]
[server] Fix uninitialized value usage after proper SPA authentication/decryption

Bug fix discovered with the libfiu fault injection tag
"fko_get_username_init" combined with valgrind analysis. This bug
is only triggered after a valid authenticated and decrypted SPA
packet is sniffed by fwknopd:

==11181== Conditional jump or move depends on uninitialised value(s)
==11181==    at 0x113B6D: incoming_spa (incoming_spa.c:707)
==11181==    by 0x11559F: process_packet (process_packet.c:211)
==11181==    by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
==11181==    by 0x114BCC: pcap_capture (pcap_capture.c:270)
==11181==    by 0x10F32C: main (fwknopd.c:195)
==11181==  Uninitialised value was created by a stack allocation
==11181==    at 0x113476: incoming_spa (incoming_spa.c:294)

3 months ago [test suite] extend invalid sniff interface test to include promisc mode
Michael Rash [Sun, 6 Jul 2014 04:10:26 +0000]
[test suite] extend invalid sniff interface test to include promisc mode

3 months ago [test suite] add invalid sniff interface test
Michael Rash [Sun, 6 Jul 2014 03:44:40 +0000]
[test suite] add invalid sniff interface test

3 months ago [test suite] add invalid gpg sig ID list
Michael Rash [Sat, 5 Jul 2014 00:05:54 +0000]
[test suite] add invalid gpg sig ID list

3 months ago [test suite] add GPG_DISABLE_SIG test
Michael Rash [Fri, 4 Jul 2014 23:54:56 +0000]
[test suite] add GPG_DISABLE_SIG test

3 months ago [server] call clean_exit() upon check_dir_path() error
Michael Rash [Thu, 3 Jul 2014 14:31:30 +0000]
[server] call clean_exit() upon check_dir_path() error

3 months ago [test suite] minor test coverage addition for invalid locale setting
Michael Rash [Thu, 3 Jul 2014 14:17:52 +0000]
[test suite] minor test coverage addition for invalid locale setting

3 months ago [test suite] additional valgrind suppression for pcap-file processing
Michael Rash [Thu, 3 Jul 2014 12:52:48 +0000]
[test suite] additional valgrind suppression for pcap-file processing

3 months ago [server] Require sig ID's or fingerprints when sigs are validated
Michael Rash [Sun, 29 Jun 2014 22:46:19 +0000]
[server] Require sig ID's or fingerprints when sigs are validated

When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.

3 months ago [server] add access.conf variable GPG_FINGERPRINT_ID
Michael Rash [Sun, 29 Jun 2014 21:07:55 +0000]
[server] add access.conf variable GPG_FINGERPRINT_ID

Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the abbreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is

GPG_FINGERPRINT_ID            00CC95F05BC146B6AC4038C9E36F443C6A3FAD56

3 months ago [server] Call clean_exit() from daemon parent process
Michael Rash [Sun, 29 Jun 2014 21:23:20 +0000]
[server] Call clean_exit() from daemon parent process

When becoming a daemon, make sure the fwknopd parent process calls
clean_exit() to release memory before calling exit().

4 months ago [test suite] added iptables OUTPUT chain test
Michael Rash [Wed, 25 Jun 2014 02:54:27 +0000]
[test suite] added iptables OUTPUT chain test

4 months ago [test suite] add Rijndael HMAC --no-ipt-check-support test for udp/53
Michael Rash [Mon, 23 Jun 2014 22:27:22 +0000]
[test suite] add Rijndael HMAC --no-ipt-check-support test for udp/53

4 months ago [test suite] updated --gdb mode to run the first found fwknop command from an output...
Michael Rash [Mon, 23 Jun 2014 22:21:29 +0000]
[test suite] updated --gdb mode to run the first found fwknop command from an output/*.test file

4 months ago [server] call clean_exit() on expand_acc_string_list() error
Michael Rash [Mon, 23 Jun 2014 22:10:01 +0000]
[server] call clean_exit() on expand_acc_string_list() error

4 months ago [server] call clean_exit() on add_acc_string() error
Michael Rash [Mon, 23 Jun 2014 22:02:57 +0000]
[server] call clean_exit() on add_acc_string() error

4 months ago [server] make sure clean_exit() is called on any add_acc_b64_string() errs
Michael Rash [Fri, 20 Jun 2014 23:35:02 +0000]
[server] make sure clean_exit() is called on any add_acc_b64_string() errs

4 months ago [server] minor memory leak fix for invalid FORCE_NAT var in access.conf
Michael Rash [Fri, 20 Jun 2014 23:22:35 +0000]
[server] minor memory leak fix for invalid FORCE_NAT var in access.conf

This commit fixes the following leak found by valgrind:

==6241== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==6241==    at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6241==    by 0x551537A: __fopen_internal (iofopen.c:73)
==6241==    by 0x118C8E: parse_access_file (access.c:1143)
==6241==    by 0x10F134: main (fwknopd.c:250)

4 months ago [server] minor pointer typo fix
Michael Rash [Tue, 17 Jun 2014 03:08:50 +0000]
[server] minor pointer typo fix

4 months ago [test suite] add valgrind suppressions for libfiu
Michael Rash [Mon, 16 Jun 2014 03:10:02 +0000]
[test suite] add valgrind suppressions for libfiu

4 months ago [test suite] consolidate valgrind success/failure criteria into a single function
Michael Rash [Sun, 15 Jun 2014 14:55:19 +0000]
[test suite] consolidate valgrind success/failure criteria into a single function

4 months ago [test suite] added suppressions to fko-wrapper/run_valgrind.sh
Michael Rash [Sun, 15 Jun 2014 14:34:52 +0000]
[test suite] added suppressions to fko-wrapper/run_valgrind.sh

4 months ago [libfko] removed fko_new_strdup() fault injection tag since fko_destroy() isn't called
Michael Rash [Sun, 15 Jun 2014 14:21:21 +0000]
[libfko] removed fko_new_strdup() fault injection tag since fko_destroy() isn't called

4 months ago [server] check fiu_enable() return value in --fault-injection mode
Michael Rash [Sun, 15 Jun 2014 13:48:37 +0000]
[server] check fiu_enable() return value in --fault-injection mode

4 months ago [test suite] added strtol_wrapper() fault injection tags
Michael Rash [Sun, 15 Jun 2014 13:41:43 +0000]
[test suite] added strtol_wrapper() fault injection tags

4 months ago [libfko] additional fault injection additions with test suite support
Michael Rash [Sun, 15 Jun 2014 01:27:18 +0000]
[libfko] additional fault injection additions with test suite support

4 months ago [test suite] additional fault injection tests
Michael Rash [Fri, 13 Jun 2014 00:29:54 +0000]
[test suite] additional fault injection tests

4 months ago [test suite] minor update to not parse crash messages out of crash test output file
Michael Rash [Fri, 13 Jun 2014 00:29:24 +0000]
[test suite] minor update to not parse crash messages out of crash test output file

4 months ago [test suite] add several fault injection tests
Michael Rash [Thu, 12 Jun 2014 04:02:18 +0000]
[test suite] add several fault injection tests