fwknop.git
17 months ago: Convert strncmp() calls to constant_runtime_cmp() at various places (hmac_timing_bug_fix)
Michael Rash [Sun, 2 Jun 2013 01:55:45 +0000]

This commit is a follow up to Ryman's report (#85) of a potential timing attack
that could be leveraged against fwknop when strncmp() is used to compare HMAC
digests.  All strncmp() calls that do similar things have been replaced with a
new constant_runtime_cmp() function that mitigates this problem.

17 months ago: [libfko] HMAC comparison timing bug fix
Michael Rash [Sat, 1 Jun 2013 13:09:17 +0000]

Ryman reported a timing attack bug in the HMAC comparison operation (#85) and
suggested a fix derived from YaSSL:
http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
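The two commits above (the libfko HMAC comparison fix and the follow-up that converts the remaining strncmp() calls) describe replacing an early-exit string compare with a constant-time one. The following is an added illustration of that idea, not fwknop's own constant_runtime_cmp() or the YaSSL-derived code; the function names and the sample digest strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The shape of the comparison the commits replace. strncmp() returns at
 * the first differing byte, so the time a verifier spends here depends on
 * how many leading bytes of the received digest matched the expected one,
 * which is what the timing report (#85) was about. Shown for contrast. */
int early_exit_digest_eq(const char *expected, const char *received, size_t n)
{
    return strncmp(expected, received, n) == 0;
}

/* Constant-time equality over n bytes: every byte is visited regardless of
 * where a mismatch occurs, the XOR of each pair is OR-accumulated, and the
 * verdict is derived arithmetically rather than by a data-dependent branch. */
int constant_time_eq(const unsigned char *a, const unsigned char *b, size_t n)
{
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= a[i] ^ b[i];

    /* acc is in 0..255; ((acc - 1) >> 8) & 1 is 1 only when acc == 0 */
    return (int)(1 & (((unsigned int)acc - 1) >> 8));
}

/* Compare two printable digest strings as a server would hold them: a length
 * mismatch is rejected up front (the lengths are not secret), otherwise the
 * full width is compared in constant time. Returns 1 on match, 0 otherwise. */
int digest_matches(const char *expected, const char *received)
{
    size_t n = strlen(expected);

    if (n != strlen(received))
        return 0;
    return constant_time_eq((const unsigned char *)expected,
                            (const unsigned char *)received, n);
}

int main(void)
{
    /* constructed sample digests, not real HMAC values */
    const char *good = "3f8a9c2e7b1d4e6f0a5c9b8d7e6f5a4b";
    const char *tail_off = "3f8a9c2e7b1d4e6f0a5c9b8d7e6f5a4c";

    printf("equal:        %d\n", digest_matches(good, good));     /* 1 */
    printf("tail differs: %d\n", digest_matches(good, tail_off)); /* 0 */
    printf("short input:  %d\n", digest_matches(good, "3f8a"));   /* 0 */
    return 0;
}
```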

17 months ago: [server] minor update to rename PCAP_ANY_DIRECTION -> ENABLE_PCAP_ANY_DIRECTION
Michael Rash [Sat, 1 Jun 2013 03:19:48 +0000]

17 months ago: [client] allow -D to be used in --save-rc-stanza mode if -n is not given
Michael Rash [Sat, 1 Jun 2013 03:01:47 +0000]

This change simplifies the fwknop client usage by allowing the -D argument to
be used as the stanza name if -n is not also specified in --save-rc-stanza
mode.

17 months ago: added HMAC digests section to libfko info doc
Michael Rash [Sat, 1 Jun 2013 02:47:06 +0000]

17 months ago: update man page in client/server directories to the latest
Michael Rash [Sat, 1 Jun 2013 01:36:49 +0000]

17 months ago: [test suite] minor update to reduce logging noise in valgrind comparison test
Michael Rash [Fri, 31 May 2013 02:50:29 +0000]

17 months ago: minor configure.ac typo fix for --help output
Michael Rash [Fri, 31 May 2013 02:42:13 +0000]

17 months ago: minor documentation updates
Michael Rash [Fri, 31 May 2013 02:26:09 +0000]

17 months ago: [client] don't print keys to stdout in --save-rc-stanza --key-gen mode
Michael Rash [Fri, 31 May 2013 02:03:11 +0000]

This is a minor commit to not print keys to stdout when both --save-rc-stanza
and --key-gen are set on the command line.

17 months ago: Merge remote-tracking branch 'fjoncourt/save_rc_stanza'
Michael Rash [Wed, 29 May 2013 22:53:08 +0000]

This set of fixes from Franck allows for much better --save-rc-stanza
functionality - new SPA keys can automatically be saved to the fwknoprc
file when --key-gen and --save-rc-stanza are given, keys aren't overwritten
upon updating the arguments for an existing stanza, and more.

Conflicts:
client/config_init.c

17 months ago: The -R command line switch is now handled in fwknoprc as the RESOLVE_IP_HTTP variable.
Franck Joncourt [Wed, 29 May 2013 12:06:57 +0000]

17 months ago: Fixed ask_overwrite(). Generated keys are now stored in fwknoprc.
Franck Joncourt [Wed, 29 May 2013 10:19:56 +0000]

 * ask_overwrite(): when the user inputs more than one char when prompted,
   a second call to the function does not take the second char anymore.
   We parse all of the chars until we reach an LF char and discard all of them
   except the first one.
   The overwrite is requested only when the user sets 'y'; if there is anything
   else we assume 'N'.

 * When -k is used on the command line along with the --save-rc-stanza, the
   generated keys are also written in the stanza in fwknoprc.

17 months ago: The variables are now stored in a hash (variable name and position) rather than an array containing only their name.
Franck Joncourt [Tue, 28 May 2013 15:14:36 +0000]

It is now possible to sort them without worrying about their position in the
enumeration.

Improve variable naming for a better understanding (var_ndx becomes var_pos).

17 months ago: Interim commit to handle bitmask with more than 32 positions.
Franck Joncourt [Mon, 27 May 2013 16:18:47 +0000]

17 months ago: Set command line argument bitmask as a 64-bit value to be able to handle more arguments.
Franck Joncourt [Sat, 25 May 2013 19:56:01 +0000]

Interim commit to add the VERBOSE variable to be stored in the fwknoprc file when
-v is used with --save-rc-stanza. The VERBOSE variable is also read by fwknop
and the verbosity level is set accordingly.

18 months ago: minor Makefile.am update to set permissions on access.conf.inst and fwknopd.conf.inst files
Michael Rash [Fri, 24 May 2013 02:29:41 +0000]

18 months ago: [client] minor fix to set -R mode when a resolve URL is also set
Michael Rash [Fri, 24 May 2013 02:10:34 +0000]

The command line arg validation function also checks this.

18 months ago: [test suite] bug fix on FreeBSD to just run the server for the active/expire sets not equal test
Michael Rash [Fri, 24 May 2013 02:02:43 +0000]

18 months ago: [server] update access.conf comments to conform to no trailing semicolon or colon within the variable name
Michael Rash [Thu, 23 May 2013 01:21:59 +0000]

18 months ago: minor client man page wording update
Michael Rash [Thu, 23 May 2013 01:20:42 +0000]

18 months ago: [test suite] minor formatting update to access.conf files to mimic fwknoprc vars (no colon or trailing semicolon)
Michael Rash [Wed, 22 May 2013 02:12:03 +0000]

18 months ago: man page updates - access.conf section now includes variable guidance
Michael Rash [Wed, 22 May 2013 02:10:13 +0000]

18 months ago: Use {0} initializer for all stack allocated char arrays
Michael Rash [Wed, 22 May 2013 02:00:15 +0000]

Lots of places in the code were already using {0} to initialize stack char
arrays, but memset() was being used as well.  This commit removes all
unnecessary memset() calls against char arrays that are already initialized
via {0} (which sets all members to zero for such arrays).

18 months ago: Merge remote-tracking branch 'fjoncourt/save_rc_stanza'
Michael Rash [Tue, 21 May 2013 01:57:42 +0000]

Closes issues #81 and #82 thanks to Franck.

18 months ago: Fixed stanza name in log message. We display the stanza we were looking for, not the current one.
Franck Joncourt [Mon, 20 May 2013 19:58:18 +0000]

18 months ago: Merge remote-tracking branch 'upstream/master' into save_rc_stanza
Franck Joncourt [Mon, 20 May 2013 09:08:33 +0000]

18 months ago: [test suite] added 'equal keys' files
Michael Rash [Sun, 19 May 2013 20:15:19 +0000]

18 months ago: Do not assume two rc sections are separated by an empty line. (mrash/fwknop#81)
Franck Joncourt [Sun, 19 May 2013 20:00:51 +0000]

18 months ago: [client] finished documenting client command line options via the man page
Michael Rash [Sun, 19 May 2013 19:50:16 +0000]

18 months ago: [test suite] added client -f firewall timeout tests
Michael Rash [Sun, 19 May 2013 19:29:20 +0000]

18 months ago: [server] port list memory leak bug fix for OpenBSD/pf and FreeBSD/ipfw firewall interface code found by Coverity
Michael Rash [Sun, 19 May 2013 18:36:32 +0000]

18 months ago: updated client and server man page material
Michael Rash [Sun, 19 May 2013 18:12:58 +0000]

18 months ago: Merge branch 'master' of github.com:mrash/fwknop
Michael Rash [Sun, 19 May 2013 16:57:36 +0000]

18 months ago: Merge pull request #80 from fjoncourt/fix-gpl2.0
Michael Rash [Sun, 19 May 2013 16:57:07 +0000]

[FTBS] Fixed gpl2.0.texi

18 months ago: Fixed gpl2.0.texi to make it build.
Franck Joncourt [Sun, 19 May 2013 15:14:35 +0000]

The @appendixsubsec entries are substituted by @appendixsec entries.

18 months ago: [client] minor --verbose display update to say source port is 'OS assigned' when not otherwise set
Michael Rash [Sun, 19 May 2013 02:49:38 +0000]

18 months ago: [client] bug fix to separate out --named-config vs. --no-save-args command line args
Michael Rash [Sun, 19 May 2013 02:36:13 +0000]

18 months ago: [test suite] slurp openssl HMAC from file into single string (it may be binary data)
Michael Rash [Sat, 18 May 2013 20:39:08 +0000]

18 months ago: added test suite HMAC != enc key conf files
Michael Rash [Sat, 18 May 2013 16:13:50 +0000]

18 months ago: [client+server] ensure HMAC key and encryption passphrase are not the same
Michael Rash [Sat, 18 May 2013 16:10:18 +0000]

18 months ago: [client] added warning in --verbose mode if -s is used instead of -a or -R
Michael Rash [Sat, 18 May 2013 14:51:49 +0000]

18 months ago: [test suite] minor bug fix to preserve the init file
Michael Rash [Sat, 18 May 2013 12:34:20 +0000]

18 months ago: continued man page updates in preparation for the 2.5 release
Michael Rash [Sat, 18 May 2013 03:05:58 +0000]

18 months ago: [server] added check to ensure any existing fwknop jump rule is not duplicated at init
Michael Rash [Sat, 18 May 2013 02:34:26 +0000]

18 months ago: [server] apply same logging policy for --fw-* modes as --foreground mode
Michael Rash [Sat, 18 May 2013 02:28:03 +0000]

18 months ago: [client] --key-gen bug fix to print keys to stdout
Michael Rash [Sat, 18 May 2013 01:03:16 +0000]

18 months ago: Merge remote-tracking branch 'fjoncourt/master'
Michael Rash [Thu, 16 May 2013 01:31:17 +0000]

Closes issues #76 and #60.

18 months ago: [client] man page update for GPG key signing material
Michael Rash [Thu, 16 May 2013 01:17:39 +0000]

18 months ago: [client] completed fwknop client man page rc variable documentation
Michael Rash [Thu, 16 May 2013 00:59:29 +0000]

18 months ago: HMAC and PBKDF1 ChangeLog updates
Michael Rash [Wed, 15 May 2013 03:28:45 +0000]

18 months ago: [docs] fwknop client man page update for HMAC material
Michael Rash [Wed, 15 May 2013 03:22:03 +0000]

18 months ago: Merge remote-tracking branch 'upstream/master'
Franck Joncourt [Tue, 14 May 2013 20:15:19 +0000]

18 months ago: Fixed gcc warnings on openbsd. - mrash/fwknop#60
Franck Joncourt [Tue, 14 May 2013 20:08:44 +0000]

18 months ago: minor write_test_file() path bug fix
Michael Rash [Tue, 14 May 2013 03:11:33 +0000]

18 months ago: Merge remote-tracking branch 'fjoncourt/master'
Michael Rash [Tue, 14 May 2013 03:10:26 +0000]

Merged update from Franck - closes issue #71.

18 months ago: [server] minor memory leak bug fix during SPA digest calculation found by Coverity
Michael Rash [Tue, 14 May 2013 00:52:14 +0000]

18 months ago: [server] minor memory leak bug fix during access.conf parsing found by Coverity
Michael Rash [Tue, 14 May 2013 00:48:23 +0000]

18 months ago: [server] varargs cleanup bug fix found by Coverity
Michael Rash [Tue, 14 May 2013 00:42:07 +0000]

18 months ago: [server] fix pointer NULL check after strdup() - found by Coverity
Michael Rash [Tue, 14 May 2013 00:41:25 +0000]

18 months ago: [server] minor cosmetic (unnecessary NULL checks and one un-triggerable memory leak) found by Coverity
Michael Rash [Tue, 14 May 2013 00:40:29 +0000]

18 months ago: [server] minor memory leak bug fix during access.conf parsing found by Coverity
Michael Rash [Tue, 14 May 2013 00:38:39 +0000]

18 months ago: Merge remote-tracking branch 'upstream/master'
Franck Joncourt [Mon, 13 May 2013 14:30:27 +0000]

18 months ago: bumped VERSION file to fwknop-2.5-pre1 (fwknop-2.5-pre1)
Michael Rash [Mon, 13 May 2013 02:42:13 +0000]

18 months ago: [test suite] added hmac_get_key_access.conf file
Michael Rash [Mon, 13 May 2013 02:30:28 +0000]

18 months ago: Added blurb on Coverity to the ChangeLog
Michael Rash [Mon, 13 May 2013 01:04:25 +0000]

18 months ago: [test suite] added fko_destroy() calls to fko-wrapper
Michael Rash [Mon, 13 May 2013 00:57:19 +0000]

18 months ago: [server] fixed potential double-free condition found by Coverity
Michael Rash [Mon, 13 May 2013 00:54:44 +0000]

Within the access loop always call fko_destroy() right up front whenever
ctx != NULL to ensure a clean slate each time through the loop regardless of
what state may have been reached the previous time through the loop.

18 months ago: [client] set ctx=NULL after fko_destroy() calls
Michael Rash [Mon, 13 May 2013 00:54:04 +0000]

18 months ago: [libfko] set ctx=NULL after fko_destroy(), add NULL check for encrypted msg pointer in fko_new_with_data()
Michael Rash [Mon, 13 May 2013 00:53:22 +0000]

18 months ago: [libfko] added context initialized check to fko_decrypt_spa_data()
Michael Rash [Mon, 13 May 2013 00:49:00 +0000]

18 months ago: [libfko] bug fix to apply ctx initialization check before attempting to use ctx->message_type in fko_set_spa_client_timeout()
Michael Rash [Sun, 12 May 2013 19:02:31 +0000]

18 months ago: [test suite] add -x to run_valgrind.sh fko-wrapper script
Michael Rash [Sun, 12 May 2013 18:43:19 +0000]

18 months ago: [test suite] added -g to fko_wrapper Makefile for debugging symbols
Michael Rash [Sun, 12 May 2013 18:42:35 +0000]

18 months ago: Added tests to validate the encryption mode for the client.
Franck Joncourt [Sun, 12 May 2013 15:35:19 +0000]

Renamed the CBC legacy IV encryption mode to legacy as mentioned in the man page.

18 months ago: Rewrite enc_mode_inttostr() and enc_mode_strtoint().
Franck Joncourt [Sun, 12 May 2013 14:52:52 +0000]

Make sure both functions work the same way and refer to the same
encryption mode string.

Updated the fwknop usage message to display the encryption mode.

18 months ago: [test suite] allow valgrind coverage test to run after --test-limit
Michael Rash [Sat, 11 May 2013 17:28:55 +0000]

18 months ago: [libfko] changed 'state' context element to 'int' type to fix an 'extra high-order bits' bug found by Coverity
Michael Rash [Fri, 10 May 2013 02:43:05 +0000]

18 months ago: [server] setsockopt() and fcntl() return value checking (found by Coverity)
Michael Rash [Fri, 10 May 2013 02:35:08 +0000]

18 months ago: [libfko] fixed remaining sizeof() usage bug in SHA256 code found by Coverity
Michael Rash [Fri, 10 May 2013 02:14:06 +0000]

18 months ago: [libfko] fixed remaining buffer constraints in lib/hmac.c code found by Coverity
Michael Rash [Fri, 10 May 2013 02:13:25 +0000]

18 months ago: [client] removed unnecessary array NULL check found by Coverity
Michael Rash [Fri, 10 May 2013 02:10:38 +0000]

18 months ago: [libfko] memory leak fixes found by Coverity
Michael Rash [Fri, 10 May 2013 01:56:13 +0000]

18 months ago: various sizeof() usage and type bug fixes found by Coverity
Michael Rash [Fri, 10 May 2013 01:17:27 +0000]

18 months ago: [test suite] minor bug fix for printing the number of test buckets to be executed
Michael Rash [Fri, 10 May 2013 01:11:45 +0000]

18 months ago: fixed several resource leak conditions found by Coverity
Michael Rash [Thu, 9 May 2013 03:55:35 +0000]

18 months ago: [server] double free bug fix in access.conf parsing routine caught by Coverity
Michael Rash [Thu, 9 May 2013 03:44:13 +0000]

18 months ago: [server] fixed several (non-exploitable) overflow conditions found by Coverity
Michael Rash [Wed, 8 May 2013 03:35:34 +0000]

18 months ago: remove dead code caught by Coverity
Michael Rash [Wed, 8 May 2013 03:02:49 +0000]

18 months ago: [server] bug fix for GPG 'nesting level does not match indentation' issue (discovered by Coverity)
Michael Rash [Wed, 8 May 2013 02:52:35 +0000]

18 months ago: [client] fix missing 'break' in switch statement (discovered by Coverity)
Michael Rash [Wed, 8 May 2013 01:43:38 +0000]

18 months ago: [server] added --pcap-any-direction along with config file support
Michael Rash [Tue, 7 May 2013 02:23:59 +0000]

From the config file comments:

This variable controls whether fwknopd is permitted to sniff SPA packets
regardless of whether they are received on the sniffing interface or sent
from the sniffing interface.  In the latter case, this can be useful to have
fwknopd sniff SPA packets that are forwarded through a system and destined
for a different network.  If the sniffing interface is the egress interface
for such packets, then this variable will need to be set to "Y" in order for
fwknopd to see them.  The default is "N" so that fwknopd only looks for SPA
packets that are received on the sniffin

PCAP_ANY_DIRECTION         N;

18 months ago: minor typo fix
Michael Rash [Tue, 7 May 2013 02:22:22 +0000]

18 months ago: Merge remote-tracking branch 'upstream/master'
Franck Joncourt [Mon, 6 May 2013 09:52:35 +0000]

18 months ago: Added new tests to the test suite to validate the --save-rc-stanza command line argument.
Franck Joncourt [Mon, 6 May 2013 09:49:16 +0000]

18 months ago: Replaced printf() by log_msg().
Franck Joncourt [Mon, 6 May 2013 08:02:02 +0000]

18 months ago: [client] added --get-hmac-key to mirror --get-key, closes #68
Michael Rash [Mon, 6 May 2013 01:54:07 +0000]

18 months ago: Merge branch 'master' of github.com:mrash/fwknop
Michael Rash [Mon, 6 May 2013 01:01:26 +0000]

18 months ago: Merge remote-tracking branch 'origin/win32_fixes'
Michael Rash [Mon, 6 May 2013 00:59:04 +0000]

This fixes issue #69 thanks to Damien.

18 months ago: Regenerated the client and server manpage .in files from the asciidoc sources
Damien S. Stuart [Mon, 6 May 2013 00:44:47 +0000]