fwknop.git
Michael Rash [Sat, 20 Jul 2013 00:34:01 +0000] (tag: fwknop-2.5)
set libfko version to 2.0.0 for the RPM per Damien's recommendation

Michael Rash [Sat, 20 Jul 2013 00:33:38 +0000]
[libfko] set version-info to 2:0:0 per Damien and Franck's recommendations

Michael Rash [Fri, 19 Jul 2013 03:14:00 +0000]
ChangeLog.git file now shows changes since 2.0.4

Michael Rash [Fri, 19 Jul 2013 03:06:24 +0000]
[client] added --use-hmac to --help output (noticed by Damien)

Michael Rash [Fri, 19 Jul 2013 03:05:49 +0000]
added fwknop-2.5 release date

Michael Rash [Thu, 18 Jul 2013 21:30:25 +0000]
[client] fix minor memory leak in getpasswd() routine caught by the test suite in valgrind mode

Michael Rash [Thu, 18 Jul 2013 04:15:22 +0000]
[client] fix minor compilation warning about an unused variable

Michael Rash [Thu, 18 Jul 2013 03:51:54 +0000]
Revert "[libfko] Have 'make install' run ldconfig if basic fwknop/fwknopd -h exec fails"

This reverts commit f55b89c867ab63aaf69daae0aec0c19f1c52d521.

Damien recommended not having 'make install' run ldconfig since it breaks an RPM
build of fwknop, and most package managers should be doing this step anyway.

Michael Rash [Thu, 18 Jul 2013 03:34:37 +0000]
minor ChangeLog text tweaks and one typo fix

Damien S. Stuart [Thu, 18 Jul 2013 02:46:24 +0000]
Tweaks to unbreak the windows build: Renamed FD_SET macro to FD_SET_ALT to avoid conflict with the well-known FD_SET macro. Made the client read password from file descriptor a non-supported function on Windows.

Michael Rash [Sun, 14 Jul 2013 21:46:48 +0000]
add legacy_iv_long_key2_access.conf file to Makefile.am

Michael Rash [Sun, 14 Jul 2013 19:37:24 +0000]
[server] restore backwards compatibility for Rijndael keys > 16 bytes in legacy mode by truncating (upgrading recommended of course)

Michael Rash [Sun, 14 Jul 2013 18:38:03 +0000]
[test suite] account for timestamp differences in iptables rule duplication tests

Michael Rash [Sun, 14 Jul 2013 18:37:22 +0000]
[server] iptables rule duplication bug fix to look for protocol name when -C support isn't available

Michael Rash [Sun, 14 Jul 2013 03:22:58 +0000]
[test suite] bug fix to ensure multiple SPA packets are sent for iptables duplicated rules tests

Michael Rash [Sun, 14 Jul 2013 03:22:29 +0000]
[server] removed iptables '-C' redirection since 2>&1 is always appended by other macros

Michael Rash [Sat, 13 Jul 2013 03:22:50 +0000]
[server] Account for older versions of iptables that don't have -C

This commit updates fwknopd to test for the existence of the iptables '-C'
rule checking functionality since older versions of iptables don't have this.
If it isn't offered by the installed version of iptables, then revert to parsing
fwknop chains to see if iptables rules already exist before adding new rules (to
avoid duplicates).

Michael Rash [Sat, 13 Jul 2013 03:21:38 +0000]
[libfko] apply zero_buf() to stack allocated Rijndael context for encrypt/decrypt

Michael Rash [Fri, 12 Jul 2013 02:13:40 +0000]
minor README typo fixes

Michael Rash [Thu, 11 Jul 2013 03:11:29 +0000]
[server] compile bug fix for pf/ipfw firewall systems

Michael Rash [Thu, 11 Jul 2013 03:10:23 +0000]
[libfko] use zero_free_rv - dead code bug fix found by CLANG static analyzer

Michael Rash [Thu, 11 Jul 2013 03:09:41 +0000]
[libfko] always call free() from zero_free() on all non-NULL buf pointers

Michael Rash [Thu, 11 Jul 2013 03:07:43 +0000]
[libfko] bug fix to set digest length upon SPA packet decode

This bug was caught with the fko_wrapper.c multi-call tester running under
valgrind.

Michael Rash [Wed, 10 Jul 2013 03:21:12 +0000]
[client] minor man page update to state that -a is more secure than -R

Michael Rash [Wed, 10 Jul 2013 02:17:05 +0000]
simplified zero_free() calls in support of #93

Michael Rash [Wed, 10 Jul 2013 01:40:23 +0000]
allow zero length to return FKO_SUCCESS from zero_buf() call

Michael Rash [Wed, 10 Jul 2013 01:18:45 +0000]
[libfko] return proper GPG error code upon gpg_decrypt() failure

Michael Rash [Wed, 10 Jul 2013 01:18:06 +0000]
[libfko] add ctx initialized check to fko_gpg_errstr()

Michael Rash [Wed, 10 Jul 2013 01:17:03 +0000]
clarified NEWS file to state that fwknop is distributed under the GPL v2

Michael Rash [Wed, 10 Jul 2013 01:13:07 +0000]
[client] in '-M legacy' mode truncate the key to 16 bytes

This change helps to maintain backwards compatibility with older fwknopd daemons
that cannot handle Rijndael keys greater than 16 bytes.  Blair Zajac suggested
printing a warning in '-M legacy' mode when keys are attempted > 16 bytes long,
and this warning is included in this commit.

Michael Rash [Tue, 9 Jul 2013 03:06:57 +0000]
[client] make legacy encryption mode and HMAC usage mutually exclusive

Michael Rash [Tue, 9 Jul 2013 03:00:18 +0000]
continued zeroing out of sensitive data buffers in support of issue #93

Michael Rash [Mon, 8 Jul 2013 02:32:30 +0000]
continued changes to zero out sensitive information before exit (#93)

Michael Rash [Sat, 6 Jul 2013 19:05:09 +0000]
[server] update fw_config_init() to allow access stanza key information to be zeroed out upon error (#93)

Michael Rash [Sat, 6 Jul 2013 18:53:04 +0000]
[server] minor header formatting update

Michael Rash [Sat, 6 Jul 2013 18:52:46 +0000]
[server] zero out access stanza key information before exit (in support of #93)

Franck Joncourt [Sun, 30 Jun 2013 20:38:41 +0000]
Another change.

Franck Joncourt [Sun, 30 Jun 2013 20:22:34 +0000]
Merge remote-tracking branch 'upstream/master'

Franck Joncourt [Sun, 30 Jun 2013 20:21:22 +0000]
s/GNU Public/GNU General Public/g

Michael Rash [Sun, 30 Jun 2013 20:12:29 +0000]
Added LICENSE section and a link to the fwknop tutorial

Michael Rash [Sun, 30 Jun 2013 19:55:01 +0000]
minor man page documentation updates (added twitter reference)

Michael Rash [Sun, 30 Jun 2013 19:52:47 +0000]
updated README to include the introduction from the fwknop man page

Michael Rash [Sun, 30 Jun 2013 18:50:12 +0000] (tag: fwknop-2.5-pre3)
[libfko] Have 'make install' run ldconfig if basic fwknop/fwknopd -h exec fails

This commit makes sure that if running 'fwknop -h' or 'fwknopd -h' appears to
fail then run ldconfig under the 'make install' step.  George Herlin reported
that on some systems ldconfig was not automatically getting executed via the
autoconf Makefile config, and since fwknop/fwknopd depend on a shared library
(libfko), ldconfig needs to be executed by 'make install' if it wasn't already
done.

Michael Rash [Sat, 29 Jun 2013 14:39:07 +0000]
[libfko] fix a few 'Overfull \hbox' errors in libfko .pdf generation

Michael Rash [Fri, 28 Jun 2013 02:15:39 +0000]
[server] convert several LOG_INFO messages to LOG_DEBUG

Michael Rash [Fri, 28 Jun 2013 01:55:58 +0000]
Merge remote-tracking branch 'fjoncourt/master'

Franck Joncourt [Tue, 25 Jun 2013 20:04:54 +0000]
* Mentioned the VERBOSE variable in fwknopd.conf.
* Made sure the -v command line switch overrides the value of the
  VERBOSE variable set in an fwknopd.conf file.

Franck Joncourt [Tue, 25 Jun 2013 19:56:53 +0000]
s/VERBOSITY/VERBOSE/g on the server side for consistency purposes.

Franck Joncourt [Mon, 24 Jun 2013 21:15:50 +0000]
Fixed use of --verbose command line switch.

Set default log verbosity to LOG_INFO in the log_msg driver.

Franck Joncourt [Thu, 20 Jun 2013 21:33:04 +0000]
Interim commit to add a VERBOSE variable to fwknopd.

Michael Rash [Fri, 28 Jun 2013 01:26:49 +0000]
[test suite] bug fix for rotate digest cache tests

When the test suite is executed with '--include "rotate"' then previous tests
aren't executed in order to create a new digest cache file.  So, when init() is
called and a clean slate is established, there is nothing to rotate away.  This
change creates the default digest cache data (comment line only) if the file
doesn't already exist for the rotate tests.

Michael Rash [Fri, 28 Jun 2013 01:26:31 +0000]
bumped VERSION file to fwknop-2.5

Michael Rash [Fri, 28 Jun 2013 01:21:10 +0000]
bump version to 2.5, minor fwknopd -S exit status update

This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to
signal incompatibility with older libfko versions.  Backwards compatibility is
maintained in SPA packet construction, but function prototypes in libfko-2.0 are
no longer compatible with older versions.

This commit also returns non-zero exit status under 'fwknopd --status' if there
is no existing fwknopd process.  This is better than always exiting with a zero
status regardless of whether fwknopd is already running or not, and adds a level
of scriptability to --status usage.  This change was suggested by George Herlin.

Franck Joncourt [Tue, 25 Jun 2013 21:03:28 +0000]
Merge remote-tracking branch 'upstream/master'

Michael Rash [Sat, 22 Jun 2013 01:37:23 +0000]
ChangeLog 2.5 updates

Michael Rash [Sat, 22 Jun 2013 01:11:23 +0000]
[server] minor --help update to include cipherdyne.org URL

Michael Rash [Sat, 22 Jun 2013 01:08:38 +0000]
[client] re-use encryption/HMAC keys in --test mode

The client --test mode decrypts SPA packet data as a final step, but get_keys()
was being called to re-acquire the encryption/HMAC keys.  This commit reuses
the same keys that were supplied for SPA packet encryption/authentication
because the most important code to test is not get_keys() but rather libfko
encryption/decryption/authentication operations.

Michael Rash [Fri, 21 Jun 2013 02:12:29 +0000]
[client] minor man page backwards compatibility wording tweak

Michael Rash [Fri, 21 Jun 2013 02:11:42 +0000]
[client] add GPG_NO_SIGNING_PW to --save-rc-stanza functionality

Michael Rash [Thu, 20 Jun 2013 03:47:04 +0000]
added fwknoprc gpg signing pw test conf files to Makefile.am

Michael Rash [Thu, 20 Jun 2013 03:42:58 +0000]
remove newline chars from log_msg() calls

Michael Rash [Thu, 20 Jun 2013 03:41:37 +0000]
[test suite] added tests for KEY synonym GPG_SIGNING_PW

Michael Rash [Thu, 20 Jun 2013 03:38:37 +0000]
[libfko] defensive coding update to quiet minor CLANG static analyzer false positives

Michael Rash [Thu, 20 Jun 2013 03:37:19 +0000]
[client] man page update to include GPG_SIGNING_PW synonym for KEY variable in GPG mode

Michael Rash [Wed, 19 Jun 2013 03:12:42 +0000]
[test suite] minor permission modification update to use %cf hash

Michael Rash [Wed, 19 Jun 2013 02:51:22 +0000]
[client] add GPG_ALLOW_NO_SIGNING_PW and --gpg-no-signing-pw

This change brings similar functionality to the client as the GPG_ALLOW_NO_PW
keyword in the server access.conf file.  Although this option is less likely
to be used than the analogous server functionality, it stands to reason that
the client should offer this feature.  The test suite has also been updated to
not use the --get-key option for the 'no password' GPG tests.

Michael Rash [Wed, 19 Jun 2013 02:50:10 +0000]
[test suite] bug fix for missing file permission mods noticed by Franck

Michael Rash [Wed, 19 Jun 2013 02:48:33 +0000]
Merge remote-tracking branch 'fjoncourt/master'

New strategy for log_module from Franck, closes #89

Franck Joncourt [Tue, 18 Jun 2013 20:12:41 +0000]
Fixed default verbosity to LOG_NOTICE rather than LOG_WARNING.

Franck Joncourt [Mon, 17 Jun 2013 10:31:07 +0000]
Replaced some uses of *fprintf(stderr* by *log_msg(LOG_ERR* in config_init.c

Franck Joncourt [Sun, 16 Jun 2013 20:28:26 +0000]
Merge remote-tracking branch 'upstream/master'

Franck Joncourt [Sun, 16 Jun 2013 20:16:41 +0000]
s/fprintf(stderr/log_msg(LOG_ERR/

Franck Joncourt [Sun, 16 Jun 2013 19:24:37 +0000]
Fix static_log_flag in the log_module.

Franck Joncourt [Sun, 16 Jun 2013 19:16:25 +0000]
Fix log_msg().

  * Added new constant LOG_WITHOUT_SYSLOG to be able to print messages to
    stderr only.
  * Renamed LOG_STDERR_MASK as LOG_VERBOSITY_MASK for a better understanding.

Franck Joncourt [Sun, 16 Jun 2013 17:12:06 +0000]
Interim commit to make the log_msg strategy.

  * log_msg : New log_set_verbosity(): It sets the default verbosity for the
    log module according to the verbose option set by the user through the command
    line.
  * Remove useless checks of the verbose option when log_msg() is invoked.

Michael Rash [Sun, 16 Jun 2013 12:27:29 +0000]
[client] minor man page backwards compatibility update to include better examples

Michael Rash [Sun, 16 Jun 2013 01:20:39 +0000]
[test suite] bug fix for proper replay attack regex searching of test output, added several replay attack tests

Michael Rash [Fri, 14 Jun 2013 01:23:59 +0000]
[server] ensure 'Rule added' log messages are generated when create_rule() is called

Michael Rash [Fri, 14 Jun 2013 01:22:58 +0000]
minor typo and format fixes

Michael Rash [Fri, 14 Jun 2013 01:21:40 +0000]
[server] when log_msg() is called fflush() output to stderr (when stderr is used)

Michael Rash [Fri, 14 Jun 2013 01:20:11 +0000]
[client] truncate args save file with open()

Michael Rash [Thu, 13 Jun 2013 03:10:19 +0000]
[test suite] minor OS compatibility test re-order

Michael Rash [Thu, 13 Jun 2013 03:09:55 +0000]
[libfko] BYTEORDER macro update to 4321 or 1234 if all other methods fail

Michael Rash [Wed, 12 Jun 2013 02:01:23 +0000]
[test suite] added a few OS compatibility tests

Michael Rash [Tue, 11 Jun 2013 02:38:55 +0000] (tag: fwknop-2.5-pre2)
[test suite] minor bug fix to add 'iptables' to custom chain test titles

Michael Rash [Tue, 11 Jun 2013 02:34:48 +0000]
bump version to 2.5-pre2

Michael Rash [Tue, 11 Jun 2013 02:27:57 +0000]
[libfko] handle endian detection on PPC (and other) systems

Blair Zajac contributed a patch to handle endian detection on PPC systems
and issue a compile time error if it cannot be determined.  This commit affects
the BYTEORDER macro.

Michael Rash [Tue, 11 Jun 2013 01:45:26 +0000]
[libfko] use local strndup() if autoconf HAVE_STRNDUP not defined

Blair Zajac reported that strndup() is not available on some PPC systems, so
this commit switches to use the local lib/fko_util.c implementation similarly
to what is done for Windows systems.

Michael Rash [Tue, 11 Jun 2013 01:21:52 +0000]
added missing test suite conf/ files to Makefile.am

Michael Rash [Tue, 11 Jun 2013 01:18:37 +0000]
[test suite] additional --save-rc-stanza tests for vars not printed in fwknop client decode output

Michael Rash [Tue, 11 Jun 2013 01:16:33 +0000]
[test suite] added backwards compatibility tests with a dual usage key in access.conf

Michael Rash [Tue, 11 Jun 2013 01:14:09 +0000]
[client] minor man page wording update for backwards compatibility section

Michael Rash [Sun, 9 Jun 2013 20:00:46 +0000]
[client] minor man page tweak to use rc VERBOSE bool value (which is the default now)

Michael Rash [Sun, 9 Jun 2013 19:58:22 +0000]
[commit] default --verbose rc handling to bool Y/N values, but allow integers too when --verbose is given multiple times

Michael Rash [Sun, 9 Jun 2013 19:57:16 +0000]
[client] minor man page tweak

Michael Rash [Sun, 9 Jun 2013 19:27:19 +0000]
[test suite] added tests for setting gpg recipient, signer, and homedir via the client rc file