fwknop.git
Michael Rash [Tue, 11 Jun 2013 02:38:55 +0000]
[test suite] minor bug fix to add 'iptables' to custom chain test titles (ref: fwknop-2.5-pre2)

Michael Rash [Tue, 11 Jun 2013 02:34:48 +0000]
bump version to 2.5-pre2

Michael Rash [Tue, 11 Jun 2013 02:27:57 +0000]
[libfko] handle endian detection on PPC (and other) systems

Blair Zajac contributed a patch to handle endian detection on PPC systems
and issue a compile time error if it cannot be determined.  This commit affects
the BYTEORDER macro.

Michael Rash [Tue, 11 Jun 2013 01:45:26 +0000]
[libfko] use local strndup() if autoconf HAVE_STRNDUP not defined

Blair Zajac reported that strndup() is not available on some PPC systems, so
this commit switches to use the local lib/fko_util.c implementation similarly
to what is done for Windows systems.

Michael Rash [Tue, 11 Jun 2013 01:21:52 +0000]
added missing test suite conf/ files to Makefile.am

Michael Rash [Tue, 11 Jun 2013 01:18:37 +0000]
[test suite] additional --save-rc-stanza tests for vars not printed in fwknop client decode output

Michael Rash [Tue, 11 Jun 2013 01:16:33 +0000]
[test suite] added backwards compatibility tests with a dual usage key in access.conf

Michael Rash [Tue, 11 Jun 2013 01:14:09 +0000]
[client] minor man page wording update for backwards compatibility section

Michael Rash [Sun, 9 Jun 2013 20:00:46 +0000]
[client] minor man page tweak to use rc VERBOSE bool value (which is the default now)

Michael Rash [Sun, 9 Jun 2013 19:58:22 +0000]
[commit] default --verbose rc handling to bool Y/N values, but allow integers too when --verbose is given multiple times

Michael Rash [Sun, 9 Jun 2013 19:57:16 +0000]
[client] minor man page tweak

Michael Rash [Sun, 9 Jun 2013 19:27:19 +0000]
[test suite] added tests for setting gpg recipient, signer, and homedir via the client rc file

Michael Rash [Sun, 9 Jun 2013 18:33:29 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Michael Rash [Sun, 9 Jun 2013 18:28:17 +0000]
[server] fix 'Use of untrusted string value' bug found by Coverity

This commit changes iptables policy parsing to re-use rule_exists() for fwknop
jump rule detection instead of using sscanf() against iptables policy list
output.  Also, fwknop jump rules are now deleted from iptables policies in a
loop to ensure all are removed even if there are duplicates (even though this
should not happen under normal circumstances anyway).

Michael Rash [Fri, 7 Jun 2013 03:22:55 +0000]
Merge pull request #87 from fjoncourt/master

Fwknop manpage update (fd and stdin command)

Michael Rash [Thu, 6 Jun 2013 02:33:42 +0000]
[server] minor addition of IPT_CHK_RULE_ARGS macro for iptables -C usage

Michael Rash [Thu, 6 Jun 2013 01:46:51 +0000]
[server] minor bug fix to switch iptables comment match check to built-in INPUT chain

Franck Joncourt [Wed, 5 Jun 2013 19:47:41 +0000]
Merge remote-tracking branch 'upstream/master'

Conflicts:
client/fwknop.8.in

Franck Joncourt [Wed, 5 Jun 2013 19:38:26 +0000]
Updated fwknop manpage to document both the use of stdin and fd commands.

Michael Rash [Wed, 5 Jun 2013 02:17:59 +0000]
[server] comment additions regarding Coverity low priority TOCTOU issues

Michael Rash [Wed, 5 Jun 2013 01:17:15 +0000]
[extras] update spa-entropy.pl script to point fwknop client in gpg mode to the no-pw homedir

Michael Rash [Tue, 4 Jun 2013 01:59:26 +0000]
Merge branch 'gpgme_autoconf_macro'

This commit adds a new m4/gpgme.m4 to allow autogen.sh to work properly when
libgpgme is not installed.  Closes #72.

Michael Rash [Tue, 4 Jun 2013 01:45:29 +0000]
a few HMAC doc updates to the libfko.texi file

Michael Rash [Tue, 4 Jun 2013 00:54:40 +0000]
fko-wrapper update to print fko_errstr() text, and to have one successful HMAC cycle

Michael Rash [Mon, 3 Jun 2013 02:54:23 +0000]
Merge remote-tracking branch 'fjoncourt/master'

Closes #74 - allows a passphrase to be read from STDIN or from a file descriptor
via --fd.

Michael Rash [Mon, 3 Jun 2013 02:08:54 +0000]
[test suite] minor bug fix to include the new legacy long key file in Makefile.am

Michael Rash [Mon, 3 Jun 2013 01:19:19 +0000]
[test suite] added backwards compatibility test for truncated keys longer than 16 chars

Franck Joncourt [Sun, 2 Jun 2013 19:54:25 +0000]
Merge remote-tracking branch 'upstream/master'

Conflicts:
client/config_init.c

Franck Joncourt [Sun, 2 Jun 2013 19:36:17 +0000]
Adding support for reading encryption/key password from a file descriptor.

* Added tests to the test suite.
* Updated the usage message.
* Fixed the password functions.

Reference: mrash/fwknop#74

Michael Rash [Sun, 2 Jun 2013 18:50:37 +0000]
started on libfko.texi function prototype and FKO error code documentation updates

Michael Rash [Sun, 2 Jun 2013 18:29:37 +0000]
restored the NEWS file since autoconf seems to need it

Michael Rash [Sun, 2 Jun 2013 18:07:01 +0000]
Updated copyright dates, removed NEWS file in favor of the ChangeLog

Michael Rash [Sun, 2 Jun 2013 17:51:25 +0000]
Added backwards compatibility section to the client man page

Added backwards compatibility section and new material on a 'quick start'
subsection for the EXAMPLES section.

Michael Rash [Sun, 2 Jun 2013 02:30:29 +0000]
ChangeLog update to mention the constant_runtime_cmp() change

Michael Rash [Sun, 2 Jun 2013 02:23:35 +0000]
Merge branch 'hmac_timing_bug_fix'

Fixes #85

Michael Rash [Sun, 2 Jun 2013 02:10:32 +0000]
added fwknopd man page blurb for the ENABLE_PCAP_ANY_DIRECTION variable

Michael Rash [Sun, 2 Jun 2013 01:55:45 +0000]
Convert strncmp() calls to constant_runtime_cmp() at various places (ref: hmac_timing_bug_fix)

This commit is a follow-up to Ryman's report (#85) of a potential timing attack
that could be leveraged against fwknop when strncmp() is used to compare HMAC
digests.  All strncmp() calls that do similar things have been replaced with a
new constant_runtime_cmp() function that mitigates this problem.

Franck Joncourt [Sat, 1 Jun 2013 21:14:56 +0000]
Interim commit to be able to load key from file descriptor (fd 0 for example).

Michael Rash [Sat, 1 Jun 2013 13:09:17 +0000]
[libfko] HMAC comparison timing bug fix

Ryman reported a timing attack bug in the HMAC comparison operation (#85) and
suggested a fix derived from YaSSL:
http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
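As an added illustration of the fix described in the two HMAC timing commits above (example code written here, not fwknop's constant_runtime_cmp() or the yaSSL-derived patch; the digest strings are constructed): a comparison that visits every byte regardless of where the inputs differ, beside a step counter for the early-exit pattern it replaces.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical constant-time byte comparison, written for this example in the
 * spirit of the constant_runtime_cmp() the commits describe (not fwknop's or
 * yaSSL's code).  Every one of the `len` bytes is visited and differences are
 * accumulated with XOR/OR, so the amount of work does not depend on where, or
 * whether, the two buffers first differ.  Returns 0 when equal, 1 otherwise. */
int ct_bytes_differ(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);

    return diff != 0;
}

/* Compare a received HMAC digest (the text form an SPA packet carries) against
 * the locally computed one.  A length mismatch can be rejected up front: the
 * expected digest length is fixed by the HMAC mode and is not secret.
 * Returns 1 if the digests match, 0 otherwise. */
int ct_hmac_equal(const char *computed, const char *received)
{
    size_t clen = strlen(computed);

    if (clen != strlen(received))
        return 0;

    return ct_bytes_differ((const unsigned char *)computed,
                           (const unsigned char *)received, clen) == 0;
}

/* For contrast, the early-exit behaviour of a strncmp()-style comparison:
 * this returns how many bytes were examined before the answer was known.
 * That count, and therefore the running time, grows with the length of the
 * matching prefix, which is the leak the commits above close. */
size_t early_exit_steps(const char *a, const char *b, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;

    return len;
}

int main(void)
{
    /* Constructed sample digests; real SPA HMACs come from the packet. */
    const char *good = "3Q2h9XQkPx1mT6cN8lA0dVzR4Ubw";
    const char *last_byte_wrong = "3Q2h9XQkPx1mT6cN8lA0dVzR4Ubz";
    const char *first_byte_wrong = "4Q2h9XQkPx1mT6cN8lA0dVzR4Ubw";

    printf("constant-time match (good): %d\n", ct_hmac_equal(good, good));
    printf("constant-time match (bad):  %d\n", ct_hmac_equal(good, last_byte_wrong));
    printf("early-exit steps, first byte wrong: %zu\n",
           early_exit_steps(good, first_byte_wrong, strlen(good)));
    printf("early-exit steps, last byte wrong:  %zu\n",
           early_exit_steps(good, last_byte_wrong, strlen(good)));
    return 0;
}
```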

Michael Rash [Sat, 1 Jun 2013 03:19:48 +0000]
[server] minor update to rename PCAP_ANY_DIRECTION -> ENABLE_PCAP_ANY_DIRECTION

Michael Rash [Sat, 1 Jun 2013 03:01:47 +0000]
[client] allow -D to be used in --save-rc-stanza mode if -n is not given

This change simplifies the fwknop client usage by allowing the -D argument to
be used as the stanza name if -n is not also specified in --save-rc-stanza
mode.

Michael Rash [Sat, 1 Jun 2013 02:47:06 +0000]
added HMAC digests section to libfko info doc

Michael Rash [Sat, 1 Jun 2013 01:36:49 +0000]
update man page in client/server directories to the latest

Michael Rash [Fri, 31 May 2013 02:50:29 +0000]
[test suite] minor update to reduce logging noise in valgrind comparison test

Michael Rash [Fri, 31 May 2013 02:42:13 +0000]
minor configure.ac typo fix for --help output

Michael Rash [Fri, 31 May 2013 02:26:09 +0000]
minor documentation updates

Michael Rash [Fri, 31 May 2013 02:03:11 +0000]
[client] don't print keys to stdout in --save-rc-stanza --key-gen mode

This is a minor commit to not print keys to stdout when both --save-rc-stanza
and --key-gen are set on the command line.

Michael Rash [Wed, 29 May 2013 22:53:08 +0000]
Merge remote-tracking branch 'fjoncourt/save_rc_stanza'

This set of fixes from Franck allows for much better --save-rc-stanza
functionality - new SPA keys can automatically be saved to the fwknoprc
file when --key-gen and --save-rc-stanza are given, keys aren't overwritten
upon updating the arguments for an existing stanza, and more.

Conflicts:
client/config_init.c

Franck Joncourt [Wed, 29 May 2013 12:06:57 +0000]
The -R command line switch is now handled in fwknoprc as RESOLVE_IP_HTTP variable.

Franck Joncourt [Wed, 29 May 2013 10:19:56 +0000]
Fixed ask_overwrite(). Generated keys are now stored in fwknoprc.

* ask_overwrite(): when the user inputs more than one char when prompted,
  a second call to the function does not take the second char anymore.
  We parse all of the chars until we reach an LF char and discard all of them
  except the first one.
  The overwrite is requested only when the user sets 'y'; if there is anything
  else we assume 'N'.

* When -k is used on the command line along with --save-rc-stanza, the
  generated keys are also written in the stanza in fwknoprc.

Franck Joncourt [Tue, 28 May 2013 15:14:36 +0000]
The variables are now stored in a hash (variable name and position) rather than
an array containing only their name. It is now possible to sort them without
worrying about their position in the enumeration.

Improve variable naming for a better understanding (var_ndx becomes var_pos).

Franck Joncourt [Mon, 27 May 2013 16:18:47 +0000]
Interim commit to handle bitmask with more than 32 positions.

Franck Joncourt [Sat, 25 May 2013 19:56:01 +0000]
Set command line argument bitmask as a 64-bit value to be able to handle more arguments.

Interim commit to add the VERBOSE variable to be stored in the fwknoprc file when
-v is used with --save-rc-stanza. The VERBOSE variable is also read by fwknop
and the verbosity level is set accordingly.

Michael Rash [Fri, 24 May 2013 02:29:41 +0000]
minor Makefile.am update to set permissions on access.conf.inst and fwknopd.conf.inst files

Michael Rash [Fri, 24 May 2013 02:10:34 +0000]
[client] minor fix to set -R mode when a resolve URL is also set

The command line arg validation function also checks this.

Michael Rash [Fri, 24 May 2013 02:02:43 +0000]
[test suite] bug fix on FreeBSD to just run the server for the active/expire sets not equal test

Michael Rash [Thu, 23 May 2013 01:21:59 +0000]
[server] update access.conf comments to conform to no trailing semicolon or colon within the variable name

Michael Rash [Thu, 23 May 2013 01:20:42 +0000]
minor client man page wording update

Michael Rash [Wed, 22 May 2013 02:12:03 +0000]
[test suite] minor formatting update to access.conf files to mimic fwknoprc vars (no colon or trailing semicolon)

Michael Rash [Wed, 22 May 2013 02:10:13 +0000]
man page updates - access.conf section now includes variable guidance

Michael Rash [Wed, 22 May 2013 02:00:15 +0000]
Use {0} initializer for all stack allocated char arrays

Lots of places in the code were already using {0} to initialize stack char
arrays, but memset() was being used as well.  This commit removes all
unnecessary memset() calls against char arrays that are already initialized
via {0} (which sets all members to zero for such arrays).

Michael Rash [Tue, 21 May 2013 01:57:42 +0000]
Merge remote-tracking branch 'fjoncourt/save_rc_stanza'

Closes issues #81 and #82 thanks to Franck.

Franck Joncourt [Mon, 20 May 2013 20:02:31 +0000]
Merge remote-tracking branch 'upstream/master'

Franck Joncourt [Mon, 20 May 2013 19:58:18 +0000]
Fixed stanza name in log message. We display the stanza we were looking for, not the current one.

Franck Joncourt [Mon, 20 May 2013 09:08:33 +0000]
Merge remote-tracking branch 'upstream/master' into save_rc_stanza

Michael Rash [Sun, 19 May 2013 20:15:19 +0000]
[test suite] added 'equal keys' files

Franck Joncourt [Sun, 19 May 2013 20:00:51 +0000]
Do not assume two rc sections are separated by an empty line. (mrash/fwknop#81)

Michael Rash [Sun, 19 May 2013 19:50:16 +0000]
[client] finished documenting client command line options via the man page

Michael Rash [Sun, 19 May 2013 19:29:20 +0000]
[test suite] added client -f firewall timeout tests

Michael Rash [Sun, 19 May 2013 18:36:32 +0000]
[server] port list memory leak bug fix for OpenBSD/pf and FreeBSD/ipfw firewall interface code found by Coverity

Michael Rash [Sun, 19 May 2013 18:12:58 +0000]
updated client and server man page material

Michael Rash [Sun, 19 May 2013 16:57:36 +0000]
Merge branch 'master' of github.com:mrash/fwknop

Michael Rash [Sun, 19 May 2013 16:57:07 +0000]
Merge pull request #80 from fjoncourt/fix-gpl2.0

[FTBS] Fixed gpl2.0.texi

Franck Joncourt [Sun, 19 May 2013 15:14:35 +0000]
Fixed gpl2.0.texi to make it build.

The @appendixsubsec entries are substituted by @appendixsec entries.

Franck Joncourt [Sun, 19 May 2013 13:34:20 +0000]
Merge remote-tracking branch 'upstream/master'

Michael Rash [Sun, 19 May 2013 02:49:38 +0000]
[client] minor --verbose display update to say source port is 'OS assigned' when not otherwise set

Michael Rash [Sun, 19 May 2013 02:36:13 +0000]
[client] bug fix to separate out --named-config vs. --no-save-args command line args

Michael Rash [Sat, 18 May 2013 20:39:08 +0000]
[test suite] slurp openssl HMAC from file into single string (it may be binary data)

Michael Rash [Sat, 18 May 2013 16:13:50 +0000]
added test suite HMAC != enc key conf files

Michael Rash [Sat, 18 May 2013 16:10:18 +0000]
[client+server] ensure HMAC key and encryption passphrase are not the same

Michael Rash [Sat, 18 May 2013 14:51:49 +0000]
[client] added warning in --verbose mode if -s is used instead of -a or -R

Michael Rash [Sat, 18 May 2013 12:34:20 +0000]
[test suite] minor bug fix to preserve the init file

Franck Joncourt [Sat, 18 May 2013 08:54:44 +0000]
First draft to be able to use stdin as an input for submitting fwknop key.

mrash/fwknop#74

Michael Rash [Sat, 18 May 2013 03:05:58 +0000]
continued man page updates in preparation for the 2.5 release

Michael Rash [Sat, 18 May 2013 02:34:26 +0000]
[server] added check to ensure any existing fwknop jump rule is not duplicated at init

Michael Rash [Sat, 18 May 2013 02:28:03 +0000]
[server] apply same logging policy for --fw-* modes as --foreground mode

Michael Rash [Sat, 18 May 2013 01:03:16 +0000]
[client] --key-gen bug fix to print keys to stdout

Michael Rash [Thu, 16 May 2013 01:31:17 +0000]
Merge remote-tracking branch 'fjoncourt/master'

Closes issues #76 and #60.

Michael Rash [Thu, 16 May 2013 01:17:39 +0000]
[client] man page update for GPG key signing material

Michael Rash [Thu, 16 May 2013 00:59:29 +0000]
[client] completed fwknop client man page rc variable documentation

Michael Rash [Wed, 15 May 2013 03:28:45 +0000]
HMAC and PBKDF1 ChangeLog updates

Michael Rash [Wed, 15 May 2013 03:22:03 +0000]
[docs] fwknop client man page update for HMAC material

Franck Joncourt [Tue, 14 May 2013 20:15:19 +0000]
Merge remote-tracking branch 'upstream/master'

Franck Joncourt [Tue, 14 May 2013 20:08:44 +0000]
Fixed gcc warnings on openbsd. - mrash/fwknop#60

Michael Rash [Tue, 14 May 2013 03:11:33 +0000]
minor write_test_file() path bug fix

Michael Rash [Tue, 14 May 2013 03:10:26 +0000]
Merge remote-tracking branch 'fjoncourt/master'

Merged update from Franck - closes issue #71.

Michael Rash [Tue, 14 May 2013 00:52:14 +0000]
[server] minor memory leak bug fix during SPA digest calculation found by Coverity

Michael Rash [Tue, 14 May 2013 00:48:23 +0000]
[server] minor memory leak bug fix during access.conf parsing found by Coverity

Michael Rash [Tue, 14 May 2013 00:42:07 +0000]
[server] varargs cleanup bug fix found by Coverity

Michael Rash [Tue, 14 May 2013 00:41:25 +0000]
[server] fix pointer NULL check after strdup() - found by Coverity