2 years agoMerge from master minor bug fix to include default encryption mode crypto_update
Michael Rash [Tue, 10 Jul 2012 12:30:11 +0000]
Merge from master minor bug fix to include default encryption mode

When getting raw digest for replay attack detection specify the default
encryption mode (which doesn't actually get used when passing a NULL key).

2 years agoMerge branch 'master' into crypto_update
Michael Rash [Tue, 10 Jul 2012 12:23:16 +0000]
Merge branch 'master' into crypto_update

2 years agobumped version to 2.0.1-pre2 fwknop-2.0.1-pre2
Michael Rash [Tue, 10 Jul 2012 02:58:35 +0000]
bumped version to 2.0.1-pre2

2 years agoadded valgrind parsing note
Michael Rash [Tue, 10 Jul 2012 02:39:13 +0000]
added valgrind parsing note

2 years ago[test suite] minor directory path bug fix for --diff mode
Michael Rash [Tue, 10 Jul 2012 02:05:57 +0000]
[test suite] minor directory path bug fix for --diff mode

2 years agoswitched back to older ChangeLog format which is more readable fwknop-2.0.1-pre1
Michael Rash [Tue, 10 Jul 2012 01:29:49 +0000]
switched back to older ChangeLog format which is more readable

2 years agobumped version to 2.0.1-pre1
Michael Rash [Mon, 9 Jul 2012 20:32:10 +0000]
bumped version to 2.0.1-pre1

2 years agoadded dual_key_usage_access.conf to Makefile.am for 'make dist' target
Michael Rash [Mon, 9 Jul 2012 20:30:26 +0000]
added dual_key_usage_access.conf to Makefile.am for 'make dist' target

2 years agomerged usage() information from master
Michael Rash [Mon, 9 Jul 2012 02:00:13 +0000]
merged usage() information from master

2 years agoadded unique function names to --enable-valgrind suspect functions test
Michael Rash [Mon, 9 Jul 2012 01:21:36 +0000]
added unique function names to --enable-valgrind suspect functions test

2 years agoadded new test in --enable-valgrind mode to collect suspect functions
Michael Rash [Sun, 8 Jul 2012 19:30:35 +0000]
added new test in --enable-valgrind mode to collect suspect functions

2 years agoOnly cache replay digests for SPA packets that decrypt
Michael Rash [Sun, 8 Jul 2012 12:36:30 +0000]
Only cache replay digests for SPA packets that decrypt

This change ensures that we only cache replay digests for those SPA packets
that actually decrypt.  Not doing this would have allowed an attacker to
potentially fill up digest cache space with digests for garbage packets.

2 years agoAdded a test for a dual-usage key in access.conf
Michael Rash [Sun, 8 Jul 2012 12:35:50 +0000]
Added a test for a dual-usage key in access.conf

2 years agoBug fix for multi-stanza key use and replay attack detection
Michael Rash [Sun, 8 Jul 2012 01:31:30 +0000]
Bug fix for multi-stanza key use and replay attack detection

This commit fixes a bug where the same encryption key used for two stanzas in
the access.conf file would result in access requests that matched the second
stanza to always be treated as a replay attack.  This has been fixed for
the fwknop-2.0.1 release, and was reported by Andy Rowland.  Now the fwknopd
server computes the SHA256 digest of raw incoming payload data before
decryption, and compares this against all previous hashes.  Previous to this
commit, fwknopd would add a new hash to the replay digest list right after
the first access.conf stanza match, so when SPA packet data matched the
second access.conf stanza a matching replay digest would already be there.

2 years agoBug fix to not force asymmetric gpg decryption
Michael Rash [Sat, 23 Jun 2012 19:13:03 +0000]
Bug fix to not force asymmetric gpg decryption

fwknopd access stanzas can have both Rijndael and GnuPG keys, so this
commit fixes a bug where any gpg info would force only gpg decryption
attempts even if a Rijndael key is provided in the stanza.

2 years agoadded test for invalid SOURCE access lines
Michael Rash [Sun, 17 Jun 2012 17:57:06 +0000]
added test for invalid SOURCE access lines

2 years agoBug fix to throw out invalid access.conf SOURCE entries
Michael Rash [Sun, 17 Jun 2012 17:42:23 +0000]
Bug fix to throw out invalid access.conf SOURCE entries

This commit causes fwknopd to exit whenever an invalid SOURCE entry is seen
such as ":ANY".  Previous to this commit, valgrind threw the following errors
with ":ANY" as an access.conf SOURCE entry:

Invalid read of size 8
   at 0x117695: free_acc_source_list (access.c:512)
   by 0x1177E3: free_acc_stanza_data (access.c:564)
   by 0x117C67: free_acc_stanzas (access.c:654)
   by 0x10E32E: free_configs (config_init.c:106)
   by 0x10D085: main (fwknopd.c:376)
 Address 0x5a80658 is 8 bytes inside a block of size 16 free'd
   at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x116AE0: add_source_mask (access.c:255)
   by 0x116D57: expand_acc_source (access.c:303)
   by 0x117A82: expand_acc_ent_lists (access.c:620)
   by 0x119570: parse_access_file (access.c:1043)
   by 0x10C77E: main (fwknopd.c:193)

Invalid free() / delete / delete[] / realloc()
   at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x1176A8: free_acc_source_list (access.c:514)
   by 0x1177E3: free_acc_stanza_data (access.c:564)
   by 0x117C67: free_acc_stanzas (access.c:654)
   by 0x10E32E: free_configs (config_init.c:106)
   by 0x10D085: main (fwknopd.c:376)
 Address 0x5a80650 is 0 bytes inside a block of size 16 free'd
   at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x116AE0: add_source_mask (access.c:255)
   by 0x116D57: expand_acc_source (access.c:303)
   by 0x117A82: expand_acc_ent_lists (access.c:620)
   by 0x119570: parse_access_file (access.c:1043)
   by 0x10C77E: main (fwknopd.c:193)

    in use at exit: 8 bytes in 1 blocks
  total heap usage: 1,659 allocs, 1,659 frees, 238,310 bytes allocated

2 years agoTest suite support for function coverage testing via gcov
Michael Rash [Fri, 15 Jun 2012 00:43:57 +0000]
Test suite support for function coverage testing via gcov

Added --enable-profile-coverage to the configure script to have the fwknop
binaries compiled with gcc profiling support in order to see which functions
get executed by the test suite via gcov.  The last test executed by the test
suite under --enable-profile-coverage contains all fwknop functions that
were not executed under the test run (function execution totals are

2 years agomerged minor updates from master
Michael Rash [Mon, 28 May 2012 18:24:02 +0000]
merged minor updates from master

2 years agogcc warning fix fox: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not...
Michael Rash [Mon, 28 May 2012 18:22:33 +0000]
gcc warning fix fox: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not used [-Wunused-but-set-variable]

2 years agoupdated PF anchor check to not rely on listing the PF policy
Michael Rash [Mon, 28 May 2012 18:19:52 +0000]
updated PF anchor check to not rely on listing the PF policy

2 years agoadded Ted Wynnychenko for OpenBSD PF testing
Michael Rash [Mon, 28 May 2012 18:18:34 +0000]
added Ted Wynnychenko for OpenBSD PF testing

3 years agobug fix to ensure to pick up proper entropy min/max values
Michael Rash [Mon, 13 Feb 2012 18:56:24 +0000]
bug fix to ensure to pick up proper entropy min/max values

3 years agoupdated to local_spa.key from the test suite directory
Michael Rash [Mon, 13 Feb 2012 17:48:58 +0000]
updated to local_spa.key from the test suite directory

3 years agoensure CBC is the default symmetric encryption mode
Michael Rash [Mon, 13 Feb 2012 01:52:17 +0000]
ensure CBC is the default symmetric encryption mode

3 years agoupdated docs to reference the default AES encryption mode of CBC
Michael Rash [Fri, 10 Feb 2012 20:59:26 +0000]
updated docs to reference the default AES encryption mode of CBC

3 years agobugfix to ensure that incoming SPA data in AES mode is a multiple of the Rjindael...
Michael Rash [Fri, 10 Feb 2012 20:10:19 +0000]
bugfix to ensure that incoming SPA data in AES mode is a multiple of the Rjindael blocksize (16)

3 years agoadded test suite support for AES CTR, OFB, CFB, and ECB encryption modes
Michael Rash [Fri, 10 Feb 2012 20:09:27 +0000]
added test suite support for AES CTR, OFB, CFB, and ECB encryption modes

3 years agominor header addition for spa-entropy.pl
Michael Rash [Fri, 10 Feb 2012 18:38:30 +0000]
minor header addition for spa-entropy.pl

3 years agoupdated to not base64 decode encrypted packet data by default (can override with...
Michael Rash [Thu, 9 Feb 2012 20:23:07 +0000]
updated to not base64 decode encrypted packet data by default (can override with --base64-decode)

3 years agoadded --gpg entropy measurement, added sensible gnuplot yrange calculations
Michael Rash [Thu, 9 Feb 2012 19:56:18 +0000]
added --gpg entropy measurement, added sensible gnuplot yrange calculations

3 years agoswitched CBC mode test (which is the default Rjindael encryption mode) to ECB mode
Michael Rash [Wed, 8 Feb 2012 19:29:33 +0000]
switched CBC mode test (which is the default Rjindael encryption mode) to ECB mode

3 years agoRe-worked encryption/decryption handling
Michael Rash [Wed, 8 Feb 2012 19:16:42 +0000]
Re-worked encryption/decryption handling

For SPA packets encrypted with Rjindael, fwknop has always used CBC mode
even though ECB mode is mentioned in a couple of places.  This change makes
more transparent use of block_encrypt() and block_decrypt() to ensure that
the appropriate mode is used.  The default is CBC mode, but others can be
selected as well (-M <mode> for the fwknop client, and ENCRYPTION_MODE in
access.conf for the fwknopd server).

3 years agoupdate display_ctx() to show the entire plaintext data on one line
Michael Rash [Wed, 8 Feb 2012 19:15:36 +0000]
update display_ctx() to show the entire plaintext data on one line

3 years agomade default openssl encryption mode 'aes-256-ecb'
Michael Rash [Mon, 6 Feb 2012 20:19:03 +0000]
made default openssl encryption mode 'aes-256-ecb'

3 years agoadded the ability to encrypt fwknop client plaintext data with openssl
Michael Rash [Mon, 6 Feb 2012 20:12:31 +0000]
added the ability to encrypt fwknop client plaintext data with openssl

3 years agoadded spa-entropy/ directory for measuring entropy across SPA packets
Michael Rash [Mon, 30 Jan 2012 03:07:06 +0000]
added spa-entropy/ directory for measuring entropy across SPA packets

3 years agoadded test suite support for CBC mode Rijndael tcp/22 test
Michael Rash [Sun, 29 Jan 2012 22:31:12 +0000]
added test suite support for CBC mode Rijndael tcp/22 test

3 years agoUpdate to make AES encryption modes selectable
Michael Rash [Wed, 25 Jan 2012 01:26:21 +0000]
Update to make AES encryption modes selectable

This is a significant update to allow AES encryption modes to be selected on a
per-key basis.  For now, only ECB and CBC (recommended) modes are supported.
The default is ECB modes in order to maintain backwards compatibility with the
older perl version of fwknop and the Crypt::CBC CPAN module.  This will likely
be changed to use CBC mode by default because of its better security

In the access.conf file on the server side, there is a new configuration
variable "ENCRYPTION_MODE" that controls the mode for the corresponding AES
key.  On the client side, a new command line argument "--encryption-mode"
controls how the client encrypts SPA packets.

3 years agoconvert Rijndael blocksize values '16' to use RIJNDAEL_BLOCKSIZE macro
Michael Rash [Sun, 15 Jan 2012 20:57:45 +0000]
convert Rijndael blocksize values '16' to use RIJNDAEL_BLOCKSIZE macro

3 years agoadded --stat output to ChangeLog fwknop-2.0 fwknop-2.0
Michael Rash [Mon, 2 Jan 2012 23:35:41 +0000]
added --stat output to ChangeLog

3 years agomoved ChangeLog-v2.0 to ChangeLog
Michael Rash [Mon, 2 Jan 2012 23:33:42 +0000]
moved ChangeLog-v2.0 to ChangeLog

3 years agoremoved old ChangeLog files
Michael Rash [Mon, 2 Jan 2012 23:32:35 +0000]
removed old ChangeLog files

3 years agoAdded ChangeLog, ShortLog, and diffstat files for the 2.0 release.
Michael Rash [Mon, 2 Jan 2012 23:26:05 +0000]
Added ChangeLog, ShortLog, and diffstat files for the 2.0 release.

3 years agobumped version to 2.0
Michael Rash [Mon, 2 Jan 2012 22:47:01 +0000]
bumped version to 2.0

3 years agoadded FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding...
Michael Rash [Mon, 2 Jan 2012 20:26:42 +0000]
added FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding protection compliation warnings on FreeBSD

3 years agominor test suite update to look for linker warnings in a more generic way
Michael Rash [Mon, 2 Jan 2012 20:25:35 +0000]
minor test suite update to look for linker warnings in a more generic way

3 years agominor test suite addition to check for linker input file warnings
Michael Rash [Mon, 2 Jan 2012 20:10:55 +0000]
minor test suite addition to check for linker input file warnings

3 years agobumped version to 2.0
Michael Rash [Mon, 2 Jan 2012 16:29:16 +0000]
bumped version to 2.0

3 years agominor wording update subversion -> git
Michael Rash [Mon, 2 Jan 2012 14:53:36 +0000]
minor wording update subversion -> git

3 years agoRefactored configure.ac to use a custom macro for compiler flag checks.
Damien S. Stuart [Thu, 29 Dec 2011 19:19:16 +0000]
Refactored configure.ac to use a custom macro for compiler flag checks.
Set version to 2.0 (non-release candidate).
Minor typo fixes.

3 years agoupdated copyright and license statement - fwknop is GPL software
Michael Rash [Tue, 13 Dec 2011 01:41:39 +0000]
updated copyright and license statement - fwknop is GPL software

3 years agominor addition of the local_spa.key file for 'make dist' fwknop-2.0rc5 fwknop-2.0rc5
Michael Rash [Tue, 6 Dec 2011 03:23:00 +0000]
minor addition of the local_spa.key file for 'make dist'

3 years agoadded local_spa.key file
Michael Rash [Tue, 6 Dec 2011 03:21:31 +0000]
added local_spa.key file

3 years agoadded local_spa.key file
Michael Rash [Tue, 6 Dec 2011 03:20:39 +0000]
added local_spa.key file

3 years agominor addition of the CREDITS file for 'make dist'
Michael Rash [Tue, 6 Dec 2011 03:16:38 +0000]
minor addition of the CREDITS file for 'make dist'

3 years agoAdded the CREDITS file for 'make dist'
Michael Rash [Tue, 6 Dec 2011 03:16:03 +0000]
Added the CREDITS file for 'make dist'

3 years agochange log doc updates
Michael Rash [Tue, 6 Dec 2011 03:11:58 +0000]
change log doc updates

3 years agoAdded various files to Makefile.am so that 'make dist' continues to work
Michael Rash [Tue, 6 Dec 2011 03:10:47 +0000]
Added various files to Makefile.am so that 'make dist' continues to work

3 years agoadded CREDITS file, bumped software version, added ChangeLog files
Michael Rash [Tue, 6 Dec 2011 02:14:31 +0000]
added CREDITS file, bumped software version, added ChangeLog files

3 years agoadded CREDITS file, bumped software version, added ChangeLog files
Michael Rash [Tue, 6 Dec 2011 02:14:14 +0000]
added CREDITS file, bumped software version, added ChangeLog files

3 years agominor compiler warning fix on OpenBSD test_suite
Michael Rash [Sun, 4 Dec 2011 02:21:29 +0000]
minor compiler warning fix on OpenBSD

3 years agominor compile fixes for FreeBSD
Michael Rash [Sat, 3 Dec 2011 18:10:35 +0000]
minor compile fixes for FreeBSD

3 years agoAdded FORCE_NAT mode to the access.conf file
Michael Rash [Thu, 1 Dec 2011 01:51:19 +0000]
Added FORCE_NAT mode to the access.conf file

This commit adds a new configuration variable "FORCE_NAT" to the access.conf

    For any valid SPA packet, force the requested connection to be NAT'd
    through to the specified (usually internal) IP and port value.  This is
    useful if there are multiple internal systems running a service such as
    SSHD, and you want to give transparent access to only one internal system
    for each stanza in the access.conf file.  This way, multiple external
    users can each directly access only one internal system per SPA key.

This commit also implements a few minor code cleanups.

3 years agominor newline fix for access.conf output dump
Michael Rash [Tue, 29 Nov 2011 04:20:11 +0000]
minor newline fix for access.conf output dump

3 years agomemory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
Michael Rash [Tue, 29 Nov 2011 04:18:07 +0000]
memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336

3 years agoAdded access stanza expiration feature, multiple access stanza bug fix
Michael Rash [Tue, 29 Nov 2011 03:03:21 +0000]
Added access stanza expiration feature, multiple access stanza bug fix

This commit does two major things:

1) Two new access.conf variables are added "ACCESS_EXPIRE" and
"ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
to modify the access.conf file and restart fwknopd.

2) Allow an access stanza that matches the SPA source address to not
automatically short circuit other stanzas if there is an error (such as when
there are multiple encryption keys involved and an incoming SPA packet is
meant for, say, the second stanza and the first therefore doesn't allow
proper decryption).

3 years agoadded SPA packet aging tests
Michael Rash [Wed, 23 Nov 2011 03:56:48 +0000]
added SPA packet aging tests

3 years agobug fix to exclude SPA packets with timestamps in the future that are too great ...
Michael Rash [Wed, 23 Nov 2011 03:56:36 +0000]
bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)

3 years agoadded test for --test mode in the fwknop client
Michael Rash [Wed, 23 Nov 2011 03:40:26 +0000]
added test for --test mode in the fwknop client

3 years agobug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
Michael Rash [Wed, 23 Nov 2011 03:34:10 +0000]
bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options

3 years agoadded DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for...
Michael Rash [Wed, 23 Nov 2011 03:13:27 +0000]
added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access

3 years agoadded tests for various access.conf variables
Michael Rash [Sat, 19 Nov 2011 04:23:50 +0000]
added tests for various access.conf variables

3 years agoadded IP/subnet match tests, added --Anonymize-results mode
Michael Rash [Fri, 18 Nov 2011 02:17:50 +0000]
added IP/subnet match tests, added --Anonymize-results mode

3 years agosimplified the client/server interaction code, started on IP filtering tests, added...
Michael Rash [Wed, 16 Nov 2011 02:45:51 +0000]
simplified the client/server interaction code, started on IP filtering tests, added spoof username tests

3 years agominor test wording consolidation
Michael Rash [Fri, 11 Nov 2011 03:54:25 +0000]
minor test wording consolidation

3 years agoThis commit fixes two memory leaks and adds a common exit function.
Michael Rash [Fri, 11 Nov 2011 03:33:32 +0000]
This commit fixes two memory leaks and adds a common exit function.

The two memory leaks were found with the test suite running in
--enable-valgrind mode - here are the relevant error messages:

For fwknopd server GPG clean up:

==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
==345==   at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==345==   by 0x52F6B81: strdup (strdup.c:43)
==345==   by 0x10FA57: add_string_list_ent (access.c:308)
==345==   by 0x110513: parse_access_file (access.c:387)
==345==   by 0x10B5FB: main (fwknopd.c:193)

For fwknop client rc file processing:

==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
==8045==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==8045==    by 0x50A53AA: __fopen_internal (iofopen.c:76)
==8045==    by 0x10C3FF: process_rc (config_init.c:446)
==8045==    by 0x10C8F6: config_init (config_init.c:671)
==8045==    by 0x10AC9E: main (fwknop.c:62)

There is also a new clean_exit() function that makes it easier to ensure that
resources are deallocated upon existing.

3 years agoremove CMD timestamps for --diff mode
Michael Rash [Fri, 11 Nov 2011 03:33:00 +0000]
remove CMD timestamps for --diff mode

3 years agoadded --diff mode to the test suite to compare results from one execution to the...
Michael Rash [Sun, 6 Nov 2011 18:51:23 +0000]
added --diff mode to the test suite to compare results from one execution to the next

3 years agoconsolidated several test functions into a single generic_exec() function
Michael Rash [Sat, 5 Nov 2011 03:46:31 +0000]
consolidated several test functions into a single generic_exec() function

3 years agoFixed fwknopd memory leak, several other fixes and updates
Michael Rash [Fri, 4 Nov 2011 02:15:19 +0000]
Fixed fwknopd memory leak, several other fixes and updates

This commit does several things.  First, a memory leak in fwknopd has been
fixed by ensuring to free access.conf stanzas.  This bug was found with the
new test suite running in --enable-valgrind mode.  Here is what some of the
valgrind output looked like to find the leak:

==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==19217==    by 0x52F6B81: strdup (strdup.c:43)
==19217==    by 0x10FC8B: add_acc_string (access.c:49)
==19217==    by 0x1105C8: parse_access_file (access.c:756)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217==    by 0x10FEC0: add_source_mask (access.c:88)
==19217==    by 0x110100: expand_acc_source (access.c:191)
==19217==    by 0x1104B0: parse_access_file (access.c:500)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217==    by 0x1103E4: parse_access_file (access.c:551)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217== LEAK SUMMARY:
==19217==    definitely lost: 152 bytes in 1 blocks
==19217==    indirectly lost: 31 bytes in 3 blocks
==19217==      possibly lost: 0 bytes in 0 blocks
==19217==    still reachable: 8 bytes in 1 blocks
==19217==         suppressed: 0 bytes in 0 blocks

Second, this commit changes how fwknopd acquires packet data with
pcap_dispatch() - packets are now processed within the callback function
process_packet() that is provided to pcap_dispatch(), the global packet
counter is incremented by the return value from pcap_dispatch() (since this is
the number of packets processed per pcap loop), and there are two new
fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
number of packets that pcap_dispatch() should process per loop and the number
of microseconds that fwknopd should sleep per loop respectively.  Without this
change, it was fairly easy to cause fwknopd to miss packets by creating bursts
of packets that would all be processed one at time with the usleep() delay
between each.  For fwknopd deployed on a busy network and with a permissive
pcap filter (i.e. something other than the default that causes fwknopd to look
at, say, TCP ACK's), this change should help.

Third, the criteria that a packet must reach before data copying into the
buffer designed for SPA processing has been tightened.  A packet less than
/greater than the minimum/maximum expected sizes is ignored before data is
copied, and the base64 check is done as well.

3 years agoadded complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
Michael Rash [Mon, 31 Oct 2011 02:14:00 +0000]
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns

3 years agoupdated client SPA verbose message to include the server IP/host
Michael Rash [Sun, 30 Oct 2011 03:49:29 +0000]
updated client SPA verbose message to include the server IP/host

3 years agominor looping criteria update for valgrind tests
Michael Rash [Sun, 30 Oct 2011 03:48:42 +0000]
minor looping criteria update for valgrind tests

3 years ago[test-suite] added the ability to run all fwknop tests through valgrind
Michael Rash [Sat, 29 Oct 2011 20:59:57 +0000]
[test-suite] added the ability to run all fwknop tests through valgrind

3 years agobugfix to return preprocess_spa_data() result properly to calling function
Michael Rash [Sat, 29 Oct 2011 20:55:28 +0000]
bugfix to return preprocess_spa_data() result properly to calling function

3 years agoupdate to remove packet direction requirement when sniffing on OpenBSD loopback inter...
Michael Rash [Sat, 29 Oct 2011 03:01:06 +0000]
update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces

3 years agominor whitespace removal
Michael Rash [Sat, 29 Oct 2011 03:00:26 +0000]
minor whitespace removal

3 years agoadded stack protection detection for OpenBSD systems
Michael Rash [Sat, 29 Oct 2011 02:59:52 +0000]
added stack protection detection for OpenBSD systems

3 years agoUpdate to ensure libfko.so path is detected properly on OpenBSD
Michael Rash [Sat, 29 Oct 2011 02:42:27 +0000]
Update to ensure libfko.so path is detected properly on OpenBSD

3 years agoUpdate to print all firewall commands in --verbose mode
Michael Rash [Fri, 28 Oct 2011 01:51:55 +0000]
Update to print all firewall commands in --verbose mode

This commit makes it easier to determine exactly which commands fwknopd
runs in --verbose mode when interacting with the underlying firewall.
This commit also adds --verbose --verbose mode to the test suite.

3 years agoadded 'const' to function prototype vars where possible
Michael Rash [Wed, 26 Oct 2011 01:00:40 +0000]
added 'const' to function prototype vars where possible

Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.

Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.

3 years agocompiler warning fix for sscanf() on freebsd
Michael Rash [Tue, 25 Oct 2011 01:52:13 +0000]
compiler warning fix for sscanf() on freebsd

This commit fixes the following gcc warning on freebsd systems:

replay_cache.c: In function 'replay_file_cache_init':
replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'

3 years agoupdate to detect loopback interface
Michael Rash [Tue, 25 Oct 2011 00:48:56 +0000]
update to detect loopback interface

3 years agominor whitespace removal
Michael Rash [Tue, 25 Oct 2011 00:48:20 +0000]
minor whitespace removal

3 years agoadded LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution...
Michael Rash [Sun, 23 Oct 2011 02:29:27 +0000]
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier

3 years agoadded digest cache validation after GPG tests
Michael Rash [Sun, 23 Oct 2011 02:06:00 +0000]
added digest cache validation after GPG tests

3 years agominor update to match include/exclude criteria on the whole test message
Michael Rash [Sun, 23 Oct 2011 01:54:22 +0000]
minor update to match include/exclude criteria on the whole test message

3 years agoextended packet validity tests in GPG mode
Michael Rash [Sun, 23 Oct 2011 01:29:44 +0000]
extended packet validity tests in GPG mode

3 years agoadded first GPG complete cycle SPA test
Michael Rash [Sat, 22 Oct 2011 20:48:30 +0000]
added first GPG complete cycle SPA test