fwknop.git
Ref: shared_lib_testing
Michael Rash [Fri, 7 Dec 2012 04:49:27 +0000]
Added local client/server strlcpy() / strlcat() definitions

This change removes client/server dependency on lib/ copies of strlcpy()/strlcat()
and applies the -export-symbols-regex '^fko_' fix to ensure libfko functions are
properly prefixed.

Damien Stuart [Sat, 1 Dec 2012 16:06:41 +0000]
Changes to address header references, platform support, error messages, and the perl module test suite.

Rearranged headers to reduce duplication and remove local header
references from fko.h.
Removed references to headers that did not need to be explicitly set.
Moved the MAX_PROTO_STR_LEN and MAX_PORT_STR_LEN definitions to the
fko_limits.h file.
Fixed bug where invalid nat_access or command messages were returning
FKO_ERROR_INVALID_SPA_ACCESS_MSG error code instead of the one
appropriate to the message type.
Fixed bad nat_access_msg test in Perl module test suite (caught by new
validation code).

Damien Stuart [Sat, 1 Dec 2012 04:40:24 +0000]
Re-tweaks for accommodating the windows build and systems that do not have strnlen

Michael Rash [Thu, 29 Nov 2012 03:39:07 +0000]
Bug fix for perl FKO compilation

This commit removes lib/ includes of common/ header files that were breaking
the perl FKO module compilation.

Michael Rash [Wed, 28 Nov 2012 03:54:55 +0000]
[server] Ignore pcap non-blocking setting in --pcap-file mode

When setting --pcap-file mode from the command line some versions of libpcap
do not appear to allow non-blocking mode to be set and throw the following
error:

[*] Error setting pcap nonblocking to 0:

This commit ignores the non-blocking setting in --pcap-file mode.

Michael Rash [Fri, 23 Nov 2012 02:43:43 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Damien Stuart [Thu, 22 Nov 2012 03:33:13 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Conflicts:
configure.ac

Damien Stuart [Thu, 22 Nov 2012 03:16:39 +0000]
Tweaks to fix autoconf-related portability issues and autogen.sh reliability

Damien Stuart [Thu, 22 Nov 2012 03:16:39 +0000]
Tweaks to fix autoconf-related portability issues and autogen.sh reliability

Michael Rash [Thu, 22 Nov 2012 02:49:16 +0000]
revert 7db2d1e796bba7af393e2d5c40db65b95fcee066 (--disable-gpg arg) since --without-gpgme works properly

Michael Rash [Thu, 22 Nov 2012 02:29:26 +0000]
bug fix for firewall rule deletion check in backwards compatibility tests on FreeBSD and OpenBSD

Michael Rash [Tue, 20 Nov 2012 13:28:46 +0000]
removed duplicate android_access.conf file introduced in a local mrash commit

Michael Rash [Tue, 20 Nov 2012 13:27:33 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Damien Stuart [Mon, 19 Nov 2012 17:22:40 +0000]
Now committing only the change to Makefile.am this time

Damien Stuart [Mon, 19 Nov 2012 17:19:12 +0000]
Revert "Tweaks to EXTRA_DIST.  Added one missing and removed one invalid entry under the test directory."

This reverts commit 556ca2c146a598cddada4dd8cdf3f9b12f32f202.

Damien Stuart [Mon, 19 Nov 2012 14:48:34 +0000]
Added the --icmp-xxxx arg descriptions to the fwknop usage message.

Damien Stuart [Mon, 19 Nov 2012 14:30:15 +0000]
Tweaks to EXTRA_DIST.  Added one missing and removed one invalid entry under the test directory.

Damien Stuart [Mon, 19 Nov 2012 04:59:10 +0000]
Tweaks to fix issues with building the lib and client under Windows. Added .fwknop.last support on Windows.  Bumped the lib version to 0.0.4. Fixed bug in username detection code.  Removed -Werror from AM_INIT_AUTOMAKE which prevented setting of CPPFLAG for the lib build in some circumstances.

Michael Rash [Sat, 17 Nov 2012 19:06:39 +0000]
[test suite] added android_access.conf file for Android SPA test

Michael Rash [Fri, 16 Nov 2012 03:36:29 +0000]
[test suite] minor update to not look for lib/.libs/ in --enable-recompile mode

Michael Rash [Fri, 16 Nov 2012 02:16:11 +0000]
[test suite] backwards compatibility tests

Added a few backwards compatibility tests for versions of fwknop going back to
2.0, and also added a compatibility test for an SPA packet produced by Android
4.2.1.

Michael Rash [Thu, 15 Nov 2012 04:46:29 +0000]
minor gcc warnings todo note for OpenBSD

Michael Rash [Thu, 15 Nov 2012 04:45:43 +0000]
bumped version to 2.0.4

Michael Rash [Wed, 14 Nov 2012 02:18:29 +0000]
minor marking text update around fuzzing packet count

Michael Rash [Wed, 14 Nov 2012 02:16:27 +0000]
additional SPA validation check to ensure no non-ascii printable chars in decoded message

Michael Rash [Wed, 14 Nov 2012 02:12:41 +0000]
minor spacing fix

Michael Rash [Tue, 13 Nov 2012 02:48:26 +0000]
Added chain_exists() check to fwknopd SPA rule creation

Added chain_exists() check to SPA rule creation so that if any
of the fwknop chains are deleted out from under fwknopd they will be
recreated on the fly.  This mitigates scenarios where fwknopd might be
started before a system level firewall policy is applied due to init
script ordering, or if an iptables policy is re-applied without
restarting fwknopd.

Michael Rash [Sat, 10 Nov 2012 01:42:43 +0000]
added fuzzing packet count to FKO server fuzzing test

Michael Rash [Sat, 10 Nov 2012 01:42:08 +0000]
minor todo reorganization

Michael Rash [Fri, 9 Nov 2012 03:25:33 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Michael Rash [Fri, 9 Nov 2012 03:22:04 +0000]
[client] (Franck Joncourt) Fixed Ctrl-C problem where SPA packets were sent anyway

[client] (Franck Joncourt) Contributed a patch to allow the fwknop
client to be stopped during the password entry prompt with Ctrl-C before
any SPA packet is sent on the wire.

Michael Rash [Fri, 9 Nov 2012 03:09:23 +0000]
added blurb about Android-4.1.2

Michael Rash [Fri, 9 Nov 2012 03:07:16 +0000]
minor README update for proper 4.1.2 version of Android

Michael Rash [Fri, 9 Nov 2012 03:06:25 +0000]
added updated properties files for Android-4.1.2

Michael Rash [Fri, 9 Nov 2012 02:42:18 +0000]
minor bug fix to leverage fko_errstr() returned error string properly

Michael Rash [Fri, 9 Nov 2012 02:39:21 +0000]
added fko header files for the Android client

Michael Rash [Fri, 9 Nov 2012 02:33:23 +0000]
[server] Added '--pcap-file <file>' option

Added a new '--pcap-file <file>' option to allow pcap files to
be processed directly by fwknopd instead of sniffing an interface.  This
feature is mostly intended for debugging purposes.

Michael Rash [Fri, 9 Nov 2012 02:03:45 +0000]
minor update to use explicit FKO_SUCCESS value in if() result check

Michael Rash [Fri, 9 Nov 2012 02:02:44 +0000]
allow '_' chars in usernames provided to libfko

Damien Stuart [Fri, 9 Nov 2012 00:41:46 +0000]
Ignore trailing whitespace on .fwknoprc directives

Michael Rash [Tue, 6 Nov 2012 01:39:03 +0000]
Additional todo tasks

Michael Rash [Tue, 6 Nov 2012 01:38:34 +0000]
[test suite] added pinentry check for gpg tests that have keys that require associated passphrases

Michael Rash [Mon, 5 Nov 2012 03:13:52 +0000]
Added test suite config file: disable_aging_nat_fwknopd.conf

Michael Rash [Sun, 4 Nov 2012 03:11:24 +0000]
bug fix to include multi-gpg ID no password test

Michael Rash [Sat, 3 Nov 2012 23:00:56 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Michael Rash [Sat, 3 Nov 2012 23:00:57 +0000]
Merge pull request #11 from tomyuk/master

add missing include files to lib/Makefile.am

Michael Rash [Sat, 3 Nov 2012 22:09:12 +0000]
--enable-recompile try raw make if sudo make fails

Michael Rash [Sat, 3 Nov 2012 20:50:26 +0000]
added run-test-suite.sh LD_LIBRARY_PATH wrapper

Tomoyuki Kano [Sat, 3 Nov 2012 10:08:10 +0000]
Added missing include files

Tomoyuki Kano [Sat, 3 Nov 2012 10:03:48 +0000]
add missing include files to lib/Makefile.am

Michael Rash [Sat, 3 Nov 2012 01:07:23 +0000]
bug fix to include cmd_access.conf in Makefile.am

Michael Rash [Thu, 1 Nov 2012 01:37:55 +0000]
[client+server] Added --disable-gpg to the autoconf config

Added --disable-gpg to the autoconf ./configure script
via configure.ac.  This makes it easy to not have fwknop/fwknopd
link against libgpgme even if it is installed on the local system.

Michael Rash [Wed, 31 Oct 2012 02:39:36 +0000]
added fuzzing patches from the test/fuzzing/patches/ directory

Michael Rash [Wed, 31 Oct 2012 02:03:40 +0000]
added '-Wformat -Wformat-security' to compile args - no associated warnings in current code

Michael Rash [Wed, 31 Oct 2012 01:40:21 +0000]
Updated build CFLAGS and LDFLAGS for PIE support similar to Debian hardening-includes

The Debian hardening-includes package sets CFLAGS and LDFLAGS as follows for PIE support:

_HARDENED_PIE_CFLAGS  := -fPIE
_HARDENED_PIE_LDFLAGS := -fPIE -pie

The configure.ac file has been updated to conform to the above.

Michael Rash [Wed, 31 Oct 2012 01:23:30 +0000]
[test suite] bug fix to ensure binary existence check in build security tests

Michael Rash [Mon, 29 Oct 2012 03:31:09 +0000]
minor fuzzing README update

Michael Rash [Sun, 28 Oct 2012 02:45:28 +0000]
added non digit rand val fuzzing encoding tests

Michael Rash [Sun, 28 Oct 2012 02:34:52 +0000]
added fuzzing encoding strip eq return packets

Michael Rash [Sun, 28 Oct 2012 02:28:33 +0000]
added encoding_append_b64_modified_byte equals sign fuzzing encoding tests

Michael Rash [Sun, 28 Oct 2012 02:07:40 +0000]
added encoding_append_b64_modified_byte fuzzing encoding tests

Michael Rash [Sat, 27 Oct 2012 03:13:41 +0000]
added non-base64 char to access msg for fuzzing encoding tests

Michael Rash [Sat, 27 Oct 2012 03:07:35 +0000]
added fuzzing encoding packets (extra colon 3)

Michael Rash [Sat, 27 Oct 2012 03:06:09 +0000]
added fuzzing encoding packets (extra colon 2)

Michael Rash [Sat, 27 Oct 2012 01:47:08 +0000]
added fuzzing encoding packets (extra colon 1)

Michael Rash [Sat, 27 Oct 2012 01:43:24 +0000]
added in new test/fuzzing/patches/ files

Michael Rash [Fri, 26 Oct 2012 19:52:09 +0000]
added non-base64 encoding fuzzing packets

Michael Rash [Fri, 26 Oct 2012 19:36:08 +0000]
[libfko] bug fix to check b64_decode() return value

Bug fix to check b64_decode() return value to ensure that
non-base64 encoded data is never used.  Even though other validation
routines checked decoded results, it is important to discard invalid
data as early as possible.  Note too that such invalid data would only
be provided to b64_decode() after proper decryption, so the client must
provide authentic SPA data.
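
The pattern this commit message describes, as an added example that is not libfko's code: a decoder that reports invalid input through its return value, and a caller that discards the field when it does. The names `strict_b64_decode` and `decode_spa_field` and both sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if outside the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical strict decoder: returns the number of bytes written to out,
 * or -1 for a non-base64 character, an impossible length, or output that
 * does not fit. Up to two trailing '=' are accepted but not required. */
int strict_b64_decode(const char *in, unsigned char *out, size_t out_len)
{
    size_t n = strlen(in), i, pad = 0, written = 0;
    unsigned int acc = 0;
    int bits = 0;

    for (; n > 0 && in[n - 1] == '='; n--)
        pad++;
    if (pad > 2 || n % 4 == 1)
        return -1;
    for (i = 0; i < n; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0)
            return -1;                  /* invalid data: stop immediately */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            if (written >= out_len)
                return -1;
            bits -= 8;
            out[written++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)written;
}

/* Caller side: the return value is checked before the field is used, and
 * partially decoded bytes are wiped. Returns 0 on success, -1 on rejection. */
int decode_spa_field(const char *encoded, char *field, size_t field_len)
{
    int len = field_len ? strict_b64_decode(encoded, (unsigned char *)field,
                                            field_len - 1) : -1;
    if (len < 0) {
        memset(field, 0, field_len);
        return -1;
    }
    field[len] = '\0';
    return 0;
}

int main(void)
{
    char user[32];
    int ok = decode_spa_field("Zndrbm9w", user, sizeof(user));   /* constructed */
    int bad = decode_spa_field("Zndr*m9w", user, sizeof(user));  /* constructed */
    printf("valid input: %d, non-base64 input: %d\n", ok, bad);
    return 0;
}
```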

Michael Rash [Fri, 26 Oct 2012 02:12:47 +0000]
added rm colon5 fuzzing packets

Michael Rash [Fri, 26 Oct 2012 02:04:09 +0000]
added fuzzing encoding test that removes colon #5

Michael Rash [Fri, 26 Oct 2012 02:01:12 +0000]
added fuzzing encoding test that removes colon #4

Michael Rash [Fri, 26 Oct 2012 01:57:40 +0000]
added test/fuzzing/patches/encoding_rm_colon1.patch file

Michael Rash [Fri, 26 Oct 2012 01:55:01 +0000]
Added fuzzing encoding tests that remove the 2nd and 3rd colons

Michael Rash [Fri, 26 Oct 2012 01:37:52 +0000]
Added fuzzing spa packet generation for invalid encodings

This commit adds the ability to generate SPA packets that are valid except for
the last encoding step before encryption.  This is independent of supplying
invalid data for SPA packet fields.  To invoke the test suite in this mode,
do something like:

 # ./test-fwknop.pl --enable-perl-module-pkt-gen  --fuzzing-test-tag "encoded_colon1_missing"  --fuzzing-class encoding

This assumes that lib/fko_encode.c has been patched to subvert the encoding
step itself before encryption.  In this case, the first colon after the random
value is removed.

Michael Rash [Thu, 25 Oct 2012 04:42:02 +0000]
added non-base64 user character fuzzing SPA packets

Michael Rash [Thu, 25 Oct 2012 04:29:01 +0000]
added extra_timestamp_digit fuzzing SPA packets

Michael Rash [Thu, 25 Oct 2012 04:24:19 +0000]
added colon_1_to_a fuzzing SPA packets

Michael Rash [Thu, 25 Oct 2012 04:20:55 +0000]
added fuzzing/README file

Michael Rash [Thu, 25 Oct 2012 04:20:08 +0000]
easier SPA fuzzing packet generation and importing

Michael Rash [Wed, 24 Oct 2012 01:47:56 +0000]
Patch from Franck Joncourt for setting permissions via open()

[client+server] Applied patch from Franck Joncourt to remove unnecessary
chmod() call when creating client rc file and server replay cache file.
The permissions are now set appropriately via open(), and at the same
time this patch fixes a potential race condition since the previous code
used fopen() followed by chmod().
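
The race this commit message refers to, as an added example that is not fwknop's code: it records the permissions a file carries between `fopen()` and `chmod()`, then creates a second file with the mode passed to `open()`. The function names, file names and the use of `O_EXCL` are choices made for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
static int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Older pattern: fopen() creates the file with 0666 & ~umask and chmod()
 * tightens it afterwards. *window receives the mode the file carried in
 * between, which is what another local user could have opened. */
int create_then_chmod(const char *path, int *window)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    *window = perm_bits(path);
    if (chmod(path, S_IRUSR | S_IWUSR) != 0) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    return perm_bits(path);
}

/* Pattern after the fix: the mode is passed to open(), so the file is 0600
 * from the moment it exists. O_EXCL (an extra choice in this example)
 * refuses a file or symlink already present at that name. */
int create_with_open(const char *path)
{
    static const char body[] = "# constructed sample contents\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (write(fd, body, sizeof(body) - 1) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return perm_bits(path);
}

int main(void)
{
    int window = -1, old_way, new_way;
    mode_t saved = umask(022);              /* a common default umask */

    unlink("demo_old.rc");                  /* hypothetical file names */
    unlink("demo_new.rc");
    old_way = create_then_chmod("demo_old.rc", &window);
    new_way = create_with_open("demo_new.rc");
    printf("fopen+chmod: %04o in the window, %04o after\n",
           (unsigned)window, (unsigned)old_way);
    printf("open(0600):  %04o from creation\n", (unsigned)new_way);
    unlink("demo_old.rc");
    unlink("demo_new.rc");
    umask(saved);
    return (old_way == 0600 && new_way == 0600) ? 0 : 1;
}
```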

Michael Rash [Tue, 23 Oct 2012 00:31:19 +0000]
added validate_username() call to SPA packet encoding routine

Michael Rash [Tue, 23 Oct 2012 00:30:42 +0000]
added MIPS compilation bug for todo.org tracking

Michael Rash [Sat, 20 Oct 2012 02:14:24 +0000]
added test/fuzzing/ directory for fuzzing data and patches

Michael Rash [Sat, 20 Oct 2012 02:11:27 +0000]
minor ChangeLog updates

Michael Rash [Fri, 19 Oct 2012 03:10:02 +0000]
fixed --enable-recompile argument for OpenBSD

Michael Rash [Fri, 19 Oct 2012 03:01:54 +0000]
added libfko validate_username() for decrypted SPA data

Michael Rash [Fri, 19 Oct 2012 02:24:48 +0000]
added 'Rejected' messages to test output for bogus SPA packet perl FKO tests

Michael Rash [Fri, 19 Oct 2012 02:24:11 +0000]
removed non-SPA packet lines

Michael Rash [Fri, 19 Oct 2012 02:08:38 +0000]
added bogus_spa_packets file for perl FKO fuzzing tests

Michael Rash [Wed, 17 Oct 2012 01:23:43 +0000]
continued validation code driven by perl FKO module

Michael Rash [Tue, 16 Oct 2012 00:52:23 +0000]
[libfko] validation of NAT access strings

Added validation of NAT access strings in the various NAT modes in libfko.
This applies to both the client and server, and test suite support was added
as well.

Michael Rash [Sat, 13 Oct 2012 18:08:38 +0000]
added perl FKO module client timeout test

Michael Rash [Sat, 13 Oct 2012 15:38:23 +0000]
additional perl FKO module access message test strings

Michael Rash [Sat, 13 Oct 2012 15:31:31 +0000]
added perl FKO module cmd mode tests

Michael Rash [Sat, 13 Oct 2012 03:52:14 +0000]
started on fuzzing tests with the perl FKO module

Michael Rash [Sat, 13 Oct 2012 03:51:28 +0000]
force usernames to be alpha numeric chars and dashes

Michael Rash [Fri, 12 Oct 2012 03:50:16 +0000]
minor todo.org update to set icmp type/code task to completed

Michael Rash [Fri, 12 Oct 2012 03:40:04 +0000]
added icmp type/code blurb

Michael Rash [Fri, 12 Oct 2012 03:36:50 +0000]
Applied perl FKO module libfko path patch from Franck Joncourt

Applied patch from Franck Joncourt to have the perl FKO module link
against libfko in the local directory (if it exists) so that it doesn't
have to have libfko completely installed in /usr/lib/.  This allows the
test suite to run FKO tests without installing libfko.

Added the ability to the test suite to compile, install, and run some
basic tests against the perl FKO module.

Michael Rash [Tue, 9 Oct 2012 02:06:33 +0000]
Added Sean Greven for his FreeBSD port