diff --git a/ChangeLog b/ChangeLog
index 0ba633ea..5c903159 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ fwknop-2.0.4 (09/20/2012):
 - [server] (Vlad Glagolev) Submitted a patch to fix command exec mode under SPA message type validity test. Support for command exec mode was also added to the test suite.
+ - (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
+ been checked in under extras/openbsd/.
 fwknop-2.0.3 (09/03/2012):
 - [server] Fernando Arnaboldi from IOActive found several DoS/code
diff --git a/extras/openbsd/distinfo b/extras/openbsd/distinfo
new file mode 100644
index 00000000..cd068ab6
--- /dev/null
+++ b/extras/openbsd/distinfo
@@ -0,0 +1,5 @@
+MD5 (fwknop-2.0.3.tar.bz2) = uMVchsaM3498+XuupPUvwA==
+RMD160 (fwknop-2.0.3.tar.bz2) = 0ezyQ2TclSzt1UD7uc6/k4p1iC4=
+SHA1 (fwknop-2.0.3.tar.bz2) = gdEQFITdn9V6G/lIjViomCIR8E8=
+SHA256 (fwknop-2.0.3.tar.bz2) = mN3uya+Sd7agyNjlfqZeGbIMaIBH6YPnSI/UrygCzVc=
+SIZE (fwknop-2.0.3.tar.bz2) = 755890
diff --git a/extras/openbsd/patches/patch-lib_fko_decode_c b/extras/openbsd/patches/patch-lib_fko_decode_c
new file mode 100644
index 00000000..640a7fee
--- /dev/null
+++ b/extras/openbsd/patches/patch-lib_fko_decode_c
@@ -0,0 +1,14 @@
+--- lib/fko_decode.c.orig Wed Sep 5 06:04:48 2012
++++ lib/fko_decode.c Sat Sep 8 15:11:00 2012
+@@ -285,9 +285,9 @@ fko_decode_spa_data(fko_ctx_t ctx)
+ 
+ b64_decode(tbuf, (unsigned char*)ctx->message);
+ 
+- /* Require a message similar to: 1.2.3.4,tcp/22
++ /* Require a message similar to: 1.2.3.4,tcp/22 (if it's not command message)
+ */
+- if(validate_access_msg(ctx->message) != FKO_SUCCESS)
++ if(ctx->message_type != FKO_COMMAND_MSG && validate_access_msg(ctx->message) != FKO_SUCCESS)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
diff --git a/extras/openbsd/patches/patch-server_replay_cache_c b/extras/openbsd/patches/patch-server_replay_cache_c
new file mode 100644
index 00000000..04e1a0ca
--- /dev/null
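Review bot: The new condition `++ if(ctx->message_type != FKO_COMMAND_MSG && validate_access_msg(ctx->message) != FKO_SUCCESS)` exempts command messages from validate_access_msg() but substitutes no check of their own, so for FKO_COMMAND_MSG the decoded ctx->message leaves fko_decode_spa_data() with no length or character-set validation at all before the server hands it to its command-exec path. A safer shape keeps one validator per message type, e.g. `if(ctx->message_type == FKO_COMMAND_MSG ? validate_cmd_msg(ctx->message) != FKO_SUCCESS : validate_access_msg(ctx->message) != FKO_SUCCESS)`, with a new validate_cmd_msg() rejecting an empty message, one longer than the maximum SPA message length, and control characters. The guard also relies on ctx->message_type having been decoded above this point, which is outside the hunk, as are the start and end of fko_decode_spa_data(). This patch file has no `$OpenBSD$` line or explanatory comment above its `---` header, which OpenBSD port patches conventionally carry; a one-liner there stating that command messages must not be forced through the ip,proto/port check (the same fix the ChangeLog in this diff records for 2.0.4) would help the next port maintainer.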
+++ b/extras/openbsd/patches/patch-server_replay_cache_c
@@ -0,0 +1,27 @@
+--- server/replay_cache.c.orig Wed Sep 5 06:04:48 2012
++++ server/replay_cache.c Sat Sep 8 09:46:56 2012
+@@ -565,7 +565,6 @@ is_replay_dbm_cache(fko_srv_options_t *opts, char *dig
+ #endif
+ datum db_key, db_ent;
+ 
+- char *digest = NULL;
+ int digest_len, res = SPA_MSG_SUCCESS;
+ 
+ digest_cache_info_t dc_info;
+@@ -638,7 +637,6 @@ add_replay_dbm_cache(fko_srv_options_t *opts, char *di
+ #endif
+ datum db_key, db_ent;
+ 
+- char *digest = NULL;
+ int digest_len, res = SPA_MSG_SUCCESS;
+ 
+ digest_cache_info_t dc_info;
+@@ -705,7 +703,7 @@ add_replay_dbm_cache(fko_srv_options_t *opts, char *di
+ 
+ return(res);
+ #endif /* NO_DIGEST_CACHE */
+-
++}
+ #endif /* USE_FILE_CACHE */
+ 
+ #if USE_FILE_CACHE
diff --git a/extras/openbsd/pkg/DESCR b/extras/openbsd/pkg/DESCR
new file mode 100644
index 00000000..7c22734b
--- /dev/null
+++ b/extras/openbsd/pkg/DESCR
@@ -0,0 +1,14 @@
+fwknop stands for the "FireWall KNock OPerator", and implements an authorization
+scheme called Single Packet Authorization (SPA) that is based around packet
+filter and libpcap.
+
+SPA requires only a single encrypted packet in order to communicate various
+pieces of information including desired access through a packet filter's policy
+and/or complete commands to execute on the target system. By using packet filter
+to maintain a "default drop" stance, the main application of this program is to
+protect services such as OpenSSH with an additional layer of security in order
+to make the exploitation of vulnerabilities (both 0-day and unpatched code) much
+more difficult.
+
+With fwknop deployed, anyone using nmap to look for sshd can't even tell that it
+is listening; it makes no difference if they have a 0-day exploit or not.
diff --git a/extras/openbsd/pkg/PFRAG.shared b/extras/openbsd/pkg/PFRAG.shared
new file mode 100644
index 00000000..ad3ce292
--- /dev/null
+++ b/extras/openbsd/pkg/PFRAG.shared
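Review bot: Deleting `char *digest = NULL;` in the first two hunks is the substantive fix and is not explained anywhere: the `@@` context shows is_replay_dbm_cache() and add_replay_dbm_cache() already take a `char *dig…` parameter, so the local apparently shadowed it and the dbm replay cache was being looked up and populated with a NULL digest, meaning replay detection on this build path could not have worked. OpenBSD port patches conventionally open with `$OpenBSD$` and a comment above the `---` line, and here it should say something like `shadowed 'digest' parameter broke dbm replay detection; add missing closing brace in add_replay_dbm_cache()`. The `++}` in the third hunk is the only closing brace visible for add_replay_dbm_cache(), which suggests the non-USE_FILE_CACHE build did not compile upstream at all; if so, nothing has ever exercised this path and the port should be checked with a replay-rejection test (the same SPA packet sent twice) before it ships. Both functions start and end outside the hunk, and the port Makefile that selects the dbm cache over the file cache is not in this diff.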
@@ -0,0 +1,2 @@
+@comment $OpenBSD$
+@lib lib/libfko.so.${LIBfko_VERSION}
diff --git a/extras/openbsd/pkg/PLIST b/extras/openbsd/pkg/PLIST
new file mode 100644
index 00000000..64fd1f97
--- /dev/null
+++ b/extras/openbsd/pkg/PLIST
@@ -0,0 +1,11 @@
+@comment $OpenBSD$
+%%SHARED%%
+@bin bin/fwknop
+include/fko.h
+@info info/libfko.info
+lib/libfko.a
+@comment lib/libfko.la
+@man man/man8/fwknop.8
+@man man/man8/fwknopd.8
+@bin sbin/fwknopd
+@rcscript ${RCDIR}/fwknopd
diff --git a/extras/openbsd/pkg/fwknopd.rc b/extras/openbsd/pkg/fwknopd.rc
new file mode 100644
index 00000000..121d4050
--- /dev/null
+++ b/extras/openbsd/pkg/fwknopd.rc
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# $OpenBSD$
+
+daemon="${TRUEPREFIX}/sbin/fwknopd"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
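Review bot: `rc_cmd $1` inherits rc.subr's default `rc_reload`, which signals the daemon with SIGHUP; whether fwknopd re-reads its configuration on SIGHUP or simply exits is not visible in this diff, and if it exits, a routine `rcctl reload fwknopd` would silently take down the SPA gate that DESCR says is meant to hide sshd. Either confirm the SIGHUP behaviour against the server source or add `rc_reload=NO` above the `. /etc/rc.d/rc.subr` line so reload is refused rather than guessed. A short comment on the `daemon=` line recording that decision would spare the next maintainer the same check.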