Added ChangeLog, ShortLog, and diffstat files for the 2.0 release.

This commit is contained in:
Michael Rash 2012-01-02 18:26:05 -05:00
parent 4ecbcba77c
commit 305708aa27
6 changed files with 5803 additions and 1149 deletions

ChangeLog-v2.0 (new file, 3916 lines): file diff suppressed because it is too large.

@ -1,815 +0,0 @@
commit 7a231a3b72758d93b4b9425fd403247aa2018499
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:21:31 2011 -0500
added local_spa.key file
commit 3d0ceccf65010a84dd30fc5e9c567e24f03104ce
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:20:39 2011 -0500
added local_spa.key file
commit 710f98a9b572cd126cd3f662b29244bc0d6e6533
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:16:38 2011 -0500
minor addition of the CREDITS file for 'make dist'
commit 9bcd7cb137103db89400f4f652ab834e05ea5eba
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:16:03 2011 -0500
Added the CREDITS file for 'make dist'
commit 3b2ec921be16db4bcccb4a0bfe13ebdb620a5b31
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:11:58 2011 -0500
change log doc updates
commit 474a18b57d054939e6f4063d5ef491b4cee4a240
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 22:10:47 2011 -0500
Added various files to Makefile.am so that 'make dist' continues to work
commit 690fe25fa4201af8f76c28450177581ce14a1459
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 21:14:31 2011 -0500
added CREDITS file, bumped software version, added ChangeLog files
commit bcba9d6bdef6032a992e64a8bd6bd7604b83b006
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Dec 5 21:14:14 2011 -0500
added CREDITS file, bumped software version, added ChangeLog files
commit 893b89a3eba5fa9945095f8df4460f912fdb0cbc
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Dec 3 21:21:29 2011 -0500
minor compiler warning fix on OpenBSD
commit 860b4527a455d1d50f2b563f4939ee1990b53bd8
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Dec 3 13:10:35 2011 -0500
minor compile fixes for FreeBSD
commit 9b7c1a8ce69fe51337458cce4e7b5e9cb3d7654b
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Nov 30 20:51:19 2011 -0500
Added FORCE_NAT mode to the access.conf file
This commit adds a new configuration variable "FORCE_NAT" to the access.conf
file:
For any valid SPA packet, force the requested connection to be NAT'd
through to the specified (usually internal) IP and port value. This is
useful if there are multiple internal systems running a service such as
SSHD, and you want to give transparent access to only one internal system
for each stanza in the access.conf file. This way, multiple external
users can each directly access only one internal system per SPA key.
This commit also implements a few minor code cleanups.
commit 8585958e6e164d47c3d9dc106d4a15aee18599b9
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Nov 28 23:20:11 2011 -0500
minor newline fix for access.conf output dump
commit 2a1243fee6d618096bc402b5a56ae3c2670b8b50
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Nov 28 23:18:07 2011 -0500
memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
commit b280f5cde0246cdef33dee3f8be66a2bcef77336
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Nov 28 22:03:21 2011 -0500
Added access stanza expiration feature, multiple access stanza bug fix
This commit does two major things:
1) Two new access.conf variables are added "ACCESS_EXPIRE" and
"ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
to modify the access.conf file and restart fwknopd.
2) Allow an access stanza that matches the SPA source address to not
automatically short circuit other stanzas if there is an error (such as when
there are multiple encryption keys involved and an incoming SPA packet is
meant for, say, the second stanza and the first therefore doesn't allow
proper decryption).
commit 9e884e9759362ce401bf77dab819b24e10caca62
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 22 22:56:48 2011 -0500
added SPA packet aging tests
commit 72a4353fd850c099816f6e1acb9fad12bcb2ff27
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 22 22:56:36 2011 -0500
bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)
commit 644b9e943214ed6ede762af72f395b73ea03faf0
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 22 22:40:26 2011 -0500
added test for --test mode in the fwknop client
commit 0015da44427bf988372818b26916a6229e9f68ca
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 22 22:34:10 2011 -0500
bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
commit 05b189ff4fe61c7149efcf4f18cada14553e6dbe
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 22 22:13:27 2011 -0500
added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access
commit dd2deec73dc5f0d630ab86e92fe1e0073d692414
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Nov 18 23:23:50 2011 -0500
added tests for various access.conf variables
commit 63498c9032bfe74bc91de5d6607391e7b7cdfe36
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Nov 17 21:17:50 2011 -0500
added IP/subnet match tests, added --Anonymize-results mode
commit 34cd0c7a78a62e1df2533641ca08adaaafa2aa7d
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Nov 15 21:45:51 2011 -0500
simplified the client/server interaction code, started on IP filtering tests, added spoof username tests
commit 3d94aaa9205e5703c50635b9007efab485d9b2da
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Nov 10 22:54:25 2011 -0500
minor test wording consolidation
commit 50b48147c0392cd91f7ad83af56b20d0abbd3c3e
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Nov 10 22:33:32 2011 -0500
This commit fixes two memory leaks and adds a common exit function.
The two memory leaks were found with the test suite running in
--enable-valgrind mode - here are the relevant error messages:
For fwknopd server GPG clean up:
==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
==345== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==345== by 0x52F6B81: strdup (strdup.c:43)
==345== by 0x10FA57: add_string_list_ent (access.c:308)
==345== by 0x110513: parse_access_file (access.c:387)
==345== by 0x10B5FB: main (fwknopd.c:193)
For fwknop client rc file processing:
==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
==8045== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==8045== by 0x50A53AA: __fopen_internal (iofopen.c:76)
==8045== by 0x10C3FF: process_rc (config_init.c:446)
==8045== by 0x10C8F6: config_init (config_init.c:671)
==8045== by 0x10AC9E: main (fwknop.c:62)
There is also a new clean_exit() function that makes it easier to ensure that
resources are deallocated upon existing.
commit 9ebd55f52289d5904fbde3b8838ca92c7271d9e9
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Nov 10 22:33:00 2011 -0500
remove CMD timestamps for --diff mode
commit 9e19b8bc267031900c555c55fc5c1e54b6093461
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Nov 6 13:51:23 2011 -0500
added --diff mode to the test suite to compare results from one execution to the next
commit a5a3c06ef225c737acbd21c6cedd1a94f1a6c484
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Nov 4 23:46:31 2011 -0400
consolidated several test functions into a single generic_exec() function
commit f41a26b389605311a21a95a9ad2b23f460ed02ee
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Nov 3 22:15:19 2011 -0400
Fixed fwknopd memory leak, several other fixes and updates
This commit does several things. First, a memory leak in fwknopd has been
fixed by ensuring to free access.conf stanzas. This bug was found with the
new test suite running in --enable-valgrind mode. Here is what some of the
valgrind output looked like to find the leak:
==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
==19217== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==19217== by 0x52F6B81: strdup (strdup.c:43)
==19217== by 0x10FC8B: add_acc_string (access.c:49)
==19217== by 0x1105C8: parse_access_file (access.c:756)
==19217== by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
==19217== at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217== by 0x10FEC0: add_source_mask (access.c:88)
==19217== by 0x110100: expand_acc_source (access.c:191)
==19217== by 0x1104B0: parse_access_file (access.c:500)
==19217== by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==19217== at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217== by 0x1103E4: parse_access_file (access.c:551)
==19217== by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== LEAK SUMMARY:
==19217== definitely lost: 152 bytes in 1 blocks
==19217== indirectly lost: 31 bytes in 3 blocks
==19217== possibly lost: 0 bytes in 0 blocks
==19217== still reachable: 8 bytes in 1 blocks
==19217== suppressed: 0 bytes in 0 blocks
Second, this commit changes how fwknopd acquires packet data with
pcap_dispatch() - packets are now processed within the callback function
process_packet() that is provided to pcap_dispatch(), the global packet
counter is incremented by the return value from pcap_dispatch() (since this is
the number of packets processed per pcap loop), and there are two new
fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
number of packets that pcap_dispatch() should process per loop and the number
of microseconds that fwknopd should sleep per loop respectively. Without this
change, it was fairly easy to cause fwknopd to miss packets by creating bursts
of packets that would all be processed one at time with the usleep() delay
between each. For fwknopd deployed on a busy network and with a permissive
pcap filter (i.e. something other than the default that causes fwknopd to look
at, say, TCP ACK's), this change should help.
Third, the criteria that a packet must reach before data copying into the
buffer designed for SPA processing has been tightened. A packet less than
/greater than the minimum/maximum expected sizes is ignored before data is
copied, and the base64 check is done as well.
commit 97a8d751c1b02271e812701d4cb938833d36918a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Oct 30 22:14:00 2011 -0400
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
commit 044ea54d936745e29c856de71818f0497633d531
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 29 23:49:29 2011 -0400
updated client SPA verbose message to include the server IP/host
commit 8e4b45dd568ef86ba773605662a5d058be714d33
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 29 23:48:42 2011 -0400
minor looping criteria update for valgrind tests
commit ea3e81787121e56e1a44cc0a5ee3b9ba64c4f5eb
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 29 16:59:57 2011 -0400
[test-suite] added the ability to run all fwknop tests through valgrind
commit f999e2e6720021328e2f34bf57d05b8081d8ffae
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 29 16:55:28 2011 -0400
bugfix to return preprocess_spa_data() result properly to calling function
commit b1b830f744b01e0a3f0d4a19b6d38dd51afaae1f
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 28 23:01:06 2011 -0400
update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces
commit cde71b1b274cae5af3b6e986e5ac369d79c0cc3a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 28 23:00:26 2011 -0400
minor whitespace removal
commit dbbbe60fe4b6908bff56d026d886381c83a44087
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 28 22:59:52 2011 -0400
added stack protection detection for OpenBSD systems
commit 2e96ece4b074beff06aaca2f51bd90c84bfeeef8
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 28 22:42:27 2011 -0400
Update to ensure libfko.so path is detected properly on OpenBSD
commit 464dbe95d07657794aaac9e230153ffd84a2ed06
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 27 21:51:55 2011 -0400
Update to print all firewall commands in --verbose mode
This commit makes it easier to determine exactly which commands fwknopd
runs in --verbose mode when interacting with the underlying firewall.
This commit also adds --verbose --verbose mode to the test suite.
commit 6388e8ac7fab3d89b164862c9e113fed37e9f397
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Oct 25 21:00:40 2011 -0400
added 'const' to function prototype vars where possible
Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.
Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
commit 85377267e299118d5302afde3dfeed426b353879
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Oct 24 21:52:13 2011 -0400
compiler warning fix for sscanf() on freebsd
This commit fixes the following gcc warning on freebsd systems:
replay_cache.c: In function 'replay_file_cache_init':
replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'
commit 1c6fc0f3f80e086b43471e756f8249015fe2e4b2
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Oct 24 20:48:56 2011 -0400
update to detect loopback interface
commit 3299fb25815bcec09b5410d3393ab806f8b78a68
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Oct 24 20:48:20 2011 -0400
minor whitespace removal
commit c9860811f5de4b28f674d53d16b1bca10f12bed8
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 22:29:27 2011 -0400
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier
commit 50bcc537eea23e9cd269a51e63d9da525c0a91ac
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 22:06:00 2011 -0400
added digest cache validation after GPG tests
commit 1b8606461cc21108b190f871bf2d8b0929589fce
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 21:54:22 2011 -0400
minor update to match include/exclude criteria on the whole test message
commit 9e3a4b4c920444df10b6a74eb574a542091adbfc
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 21:29:44 2011 -0400
extended packet validity tests in GPG mode
commit 09e6ed1405436b975cb41c89dc2517f0e73c54bb
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 16:48:30 2011 -0400
added first GPG complete cycle SPA test
commit 2d9dbe1fca011cd6bf726b86fb21af97da11ce49
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 15:19:54 2011 -0400
minor whitespace removal
commit e4f4ee78253f1f44c8809173ad2209ba8364e2c5
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 14:25:56 2011 -0400
added test to validate digest.cache structure
commit 266150218a021894e6dab0a8b4d7525183fe004a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 10:57:25 2011 -0400
added -P bpf test for complete SPA cycle over non standard SPA port
commit 0ab39a64a5b86babdd0c5f7412fe160bca13cb69
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Oct 22 10:48:37 2011 -0400
added -P bpf filter test
commit 6848983b474d4571b1434a349d10ac21b278ebda
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 21 23:43:08 2011 -0400
added Rijndael SPA validity tests
commit 081b58d9510e4bbafb6dd57b4e55a02d7105e43a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 21 23:13:24 2011 -0400
added rule timeout detection
commit 9b816ed29af1be3a259d9c154418cbe624c2a93f
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 21 22:55:45 2011 -0400
added replay attack detection test
commit 0bda4ee1e5f671c2e64a2b961de2f2ed0f9170a5
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Oct 21 22:54:49 2011 -0400
minor removal of whitespace
commit caf458ad3fb2ce9408035630869e877f0c97768d
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 20 23:33:41 2011 -0400
added first complete SPA cycle test
commit 44598fd7dd6be8207bae512b8b6e13f08e265d2a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 20 23:31:59 2011 -0400
Added --digest-file and --pid-file args
Added --digest-file and --pid-file args so that the user can easily alter
these paths from the command line.
commit 6f699f7e5d28ac1d8e66d66b9cedb3094a35439e
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 20 00:06:58 2011 -0400
added client/server interaction test capability
commit b8571bcc05cc81448b8d52ef8eef71f2eaefa987
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Oct 18 21:28:38 2011 -0400
Minor PID string length fix
Changed PID string length to 7 to accomodate an ending newline and NULL
char when writing to the fwknopd .pid file. Without this fix, with a
5 digit PID the trailing newline would be truncated (no room for the
ending NULL char).
commit 0e7a0e9a378c5b9605228075718f53012e87cadd
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Oct 17 23:03:28 2011 -0400
Added --fw-list-all and --fw-flush
Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.
Also switched -D config dump output to stdout.
commit e479e776dbd848ba82e65e22b35e7e479a788161
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Oct 17 22:55:01 2011 -0400
Added usage of sudo for recompilation test
The test suite now recompiles fwknop only if the --enable-recompile-check
option is used, and if so, uses sudo (if installed) to have the resulting
binaries own by the original user (instead of by root). Also made a couple
of API changes to create test output files automatically if they don't
exist.
commit 11c240c41b74c110068b8748b28a074ac121608c
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 22:44:35 2011 -0400
minor update to allow fw rules to be dumped before parsing the access.conf file
commit e36c833f554f59312c02e5efec0bbc77ab0ee301
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 22:02:21 2011 -0400
minor whitespace fixes
commit 9962dc08088b31d116b7b5d41bf8e3ced8cfa814
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 20:59:30 2011 -0400
minor wording update netfilter -> iptables
commit 45ecc6f39932271f7a70b1fe8dec99dc9d2438c0
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 20:41:12 2011 -0400
minor bugfix to ensure that the proper firewall is used to collect system specs
commit 103cd2a8fb0ebe7919a5647ae90a9425242ca0ae
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 20:30:05 2011 -0400
added the test/conf/ directory for config files use by the test suite
commit 6f0d2c509121de45f470dae4c17b6a7e46ea19d0
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 20:29:37 2011 -0400
minor typo fix
commit 64160a0c57aee0c406be5158836fe10b3f38e3f9
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 13 20:29:19 2011 -0400
started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance
commit a1f4a65f27b73ebe5744c7ae4bf64a0876032e13
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Oct 12 23:37:28 2011 -0400
interim commit to add major functionality to the fwknop test suite
commit 4a41ecc9556fedd4bb04206081b4096a2fddaeee
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Oct 12 23:36:51 2011 -0400
removed
commit 88d8eb03b30a03ebb43a7da33c5f65d2de2c3289
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Oct 12 23:36:04 2011 -0400
minor update to switch to stdout when exiting with success
commit 41c0be29b7a3ea6a0c859b43e43ccdc3aa5e30ba
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 6 23:02:29 2011 -0400
switched --help output to stdout from stderr
commit 26f58a705dbdf9a07e430fc2558871d491c27d63
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Oct 6 22:53:27 2011 -0400
minor update to account for hardening-check return values
commit 1a3e1caffe707e71fd3cf99ffaa4547f7fda017a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Tue Oct 4 23:15:04 2011 -0400
Initial start on a test suite
This commit begins development on a comprehensive test suite for fwknop.
The initial tests are focused on compilation correctness and security options
as determined by the "hardening-check" script from Kees Cook of the Debian
security team.
commit 05f3cec96a03251d1a308d90200c9dc479ae4558
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Sep 25 21:12:30 2011 -0400
Added --help usage information
With the --help command line argument, the following information is printed:
$ ./fwknop-launcher-lsof.pl --help
Usage: fwknop-launcher-lsof.pl [options]
Options:
-c, --config <file> - Path to fwknop-launcher.conf config file.
-l, --lsof-cmd <path> - Path to lsof command.
-f, --fwknop-cmd <path> - Path to fwknop client command.
-s, --sleep <seconds> - Specify sleep interval (default:
1 seconds)
-n --no-daemon - Run in foreground mode.
-u, --user <username> - Specify username (usually this is not
needed).
--home-dir <dir> - Path to user's home directory (usually
this is not needed).
-v --verbose - Print verbose information to the terminal
(requires --no-daemon).
--help - Print usage info and exit.
commit 71ea0c6bfd3be6ff8d95e6f1d1029394e51c07f4
Merge: 7748423 35ee5a2
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Sep 25 21:02:54 2011 -0400
Merge branch 'master' into fwknop-launcher
commit 7748423b15958fedfcaeb942f3f26cdc5b40dcde
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Sep 24 22:24:30 2011 -0400
Added the fwknop lsof launcher under the extras/ directory
The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd. This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection. At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection. The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.
The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.
commit 35ee5a202debe2e7c15227f7704753c977281de2
Merge: 35abc34 668ed90
Author: Michael Rash <michael.rash@gmail.com>
Date: Wed Sep 21 18:10:16 2011 -0700
Merge pull request #5 from maxkas/master
Fwknop client for iPhone devices - contributed by Max Kastanas
commit 668ed9033f601f052fe58ebf87a8eff144b50fcf
Author: Max Kastanas <max2idea@users.sf.net>
Date: Fri Sep 16 22:51:53 2011 -0700
Codebase of Fwknop client for iOS (iPhone) devices
commit 35abc349ab91ff40f0706a66e9ba50188cb94cb2
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Sep 12 23:04:41 2011 -0400
minor typo fix: fwkop -> fwknop
commit f693a2721cf499815853639c8dfb924ab4c427cd
Merge: e07ccdd 87416c0
Author: Damien Stuart <dstuart@dstuart.org>
Date: Sat Sep 10 11:30:09 2011 -0400
Merge branch 'master' of https://github.com/mrash/fwknop
commit e07ccdd5508c488a818790c16728ebdc13be284c
Author: Damien Stuart <dstuart@dstuart.org>
Date: Sat Sep 10 11:25:08 2011 -0400
Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist.
commit 87416c0cdf544ff636ea963bd90f1f22dd7ca49a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Fri Sep 9 22:09:37 2011 -0400
Replaced all strcpy() calls with strlcpy()
OpenBSD especially gives compiler warnings whenever strcpy() is used. All such
calls have been replaced with strlcpy().
commit 0b8c4890758bfd6612780c28041d7b1e3e9f1a15
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 8 23:44:50 2011 -0400
Added read-only relocations and immediate bindings
Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations
and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
systems too). This commit adds these security features back in as linker
options by only changing LDFLAGS as opposed to also adding the corresponding
flags to CFLAGS. The end result is that the following errors are fixed:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
commit c65e25c6568c53d44d0163ebd4889260466bcdfa
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 8 21:33:52 2011 -0400
Check for active_rules > 0 before decrementing
In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.
commit 88b6d44f1f70daf951cf7e1d237114f96ad30a9a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 8 00:20:20 2011 -0400
Update to make _exp_ string a #define
Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed.
commit 2531896ebf98d80380f462b4fae9e16940206a40
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Sep 7 23:24:18 2011 -0400
Added the ability to delete PF rules
This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires. The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted. fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).
commit f9810904c36c270a5d19111ae7566c6d410bed4a
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Sep 3 21:00:12 2011 -0400
minor comment typo fixes
commit d60dde17b71b898a821a60d9a1166c32436c17c2
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Sep 3 14:50:28 2011 -0400
PF rules are now added to the fwknop anchor
This commit implements the ability to add PF firewall rules to the fwknop
anchor after a valid SPA packet is sniffed off the wire. A subsequent commit
will add the ability to delete these rules.
commit 6938f7a6aecb1395f750c56a4e10489d6d060fc9
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Aug 28 13:37:23 2011 -0400
Minor copyright holder update
Minor copyright holder update
commit 10ff421e1ef86c1b437645764abe11819a88c292
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sun Aug 28 13:27:15 2011 -0400
For PF firewalls implemented a check for an active fwknop anchor
This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy. This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules". If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.
commit 5bc5ef4305cafd26ee3faaf5eefb3f6b9f05441e
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Aug 27 11:07:19 2011 -0400
Added --fw-list info to --help
Added --fw-list output to usage info when --help is specified from the command
line.
commit 0649ef924a8c979fd815c2d2e8416a16aeabeb62
Author: Michael Rash <mbr@cipherdyne.org>
Date: Sat Aug 27 10:57:17 2011 -0400
PF support on OpenBSD in progress, fwknop --fw-list now works
This is the first commit that has fwknopd interact with the PF firewall on
OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).
commit dcf2d94bf675a906c570814d9cd65e2a1bfd2e77
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Aug 24 23:55:36 2011 -0400
Added autoconf check for pf firewalls
On OpenBSD systems fwknop now checks for pf firewalls via autoconf. The next
step will be to fill in support for pf via the C code.
commit 649b7a88c1d6caa0e3760c7694b9d5b5b855dd4c
Author: Michael Rash <mbr@cipherdyne.org>
Date: Wed Aug 24 23:17:45 2011 -0400
Disabled read-only relocations and immediate binding compiler protections
Similarly to FreeBSD systems, gcc throws the following warnings with read-only
relcations and immediate binding protections - disbabled for now:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done
commit 47da588003b9bf1645a97823cfa940b8c5a93071
Author: Michael Rash <mbr@cipherdyne.org>
Date: Mon Aug 22 21:39:28 2011 -0400
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
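Review bot: the commit message says ChangeLog, ShortLog and diffstat files were added, but this hunk removes an 815-line generated `git log` dump whose file name is not shown here; the message should state that the old log was dropped in favour of the versioned ChangeLog-v2.0 and ShortLog-v2.0 files. Two things in the removed log are worth a second look before the release notes are regenerated from this history: several adjacent entries repeat the same or near-identical message a minute apart (7a231a3b/3d0ceccf "added local_spa.key file", 690fe25f/bcba9d6b "added CREDITS file, bumped software version, added ChangeLog files", 710f98a9/9bcd7cb1 for the CREDITS file), which looks like duplicated commits and would inflate per-author counts in any shortlog built from it, and the local_spa.key commits record a key file being added to the tree, so it should be confirmed that this is test-suite key material rather than a deployable secret.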

ShortLog-v2.0 (new file, 453 lines):

@ -0,0 +1,453 @@
Damien S. Stuart (1):
Refactored configure.ac to use a custom macro for compiler flag checks. Set version to 2.0 (non-release candidate). Minor typo fixes.
Damien Stuart (233):
Initial import.
Initial Makefile and first cut at fwknop.h, the spa_random_number function, and a program for testing the functions.
Added strlcat/cpy functions. Added spa_user function.
Added spa_timestamp function.
Added more source files. Split out libfwknop functions to a static lib. Misc updates.
Added base64 and md5 code.
Added sha256 code.
Added sha1 refactored the access to the digest routines via digest.c. Other misc teaks to format and style of digest code.
Added rijndael code, spa digest and message functions, and a shitload of other changes and tweaks.
Makefile tweak.
More updates to address compatibility issues with the perl version of fwknop.
Total re-arrangement for autoconf/automake implementation.
Another major re-write of the fwknop library.
Re-arrangement of source tree.
Remove files that were stored as sym links.
Putting the reg version of the files back
Updates to allow for building libfko as a shared lib. (make use of libtool).
Added documentation stub.
Made fko.h an include_HEADER for proper distribution.
Tweaks to add some more ctx state tracking.
Minor docs update - Added GPL to info doc.
Added some basic format checking to spa message data and message_type checks when client_timeout is set/unset.
Added fallback for isdigit() if ctype.h is not available.
Added decrypting/decoding/parsing of SPA data.
Added gpl-2.0.texi file to doc/Makefile.am so it is included in the dist.
Code format tweaks. Added a couple more convenience functions.
more checks for configure. omit salt from Rijndael-encrypted data as returned by fko_get_dpa_data.
Update to docs.
Some progress on the libfko doc.
Documentation updates and minor tweaks.
Documentation fixes.
Reorganized libfko doc.
Made the context struct opaque to users of the library. Somewhat major API tweak in that fko_ctx_t is not a pointer type and the fko_new functions take a pointer to that.
Broke these out from fko.h.
Minor tweaks, and fixed one potential memory allocation issue discovered with valgrind.
Updated README
First cut at GPG encrytion support (decryption and doc update are pending).
Fixed a potential bug where the NULL-termination of the base64-encoded data was being lost during process just before rijndael decryption.
Removing files that are auto-generated by the autogen.sh script.
Fixed gpgme check so it would not fail if gpgme was not installed. Setup to allow using --with[out]-gpgme option to configure.
Fixed configure.ac again (I broke it with my last change). Added first cut at gpg decryption routine.
Added fwknop.h to the source list in Makefile.am so it will be included in the distrubution.
Documentation updates and minor tweaks. Made it version 1.10.0 consistent in caonfigure.ac and fko.h.
Make version consistent for real this time.
Fixed flag on gpgme_keylist_next that was forcing only private keys for recipient. Fixed typo in docs.
Added more gpgme-related errors and error checking. Other minor tweaks.
Slightly improved and cleaner GPG error handling (there is still plenty of room for improvement).
Some minor cleanup and tweaks to gpgme code.
Add more compiler conditionals for GPGME support to fix error during compiles on systems without gpgme.
Replaced deprecated gpgme_key_release calls with gpgme_key_unref. Fixed more potential memory leaks.
Split out the source files. Added processing for a couple more command-line options.
Added getpasswd routine for getting a password from the user. A few updates to the lib to accomodate clearing the password after we are done with it. Update the fwknop program to reflect/use some of the new functionality.
Update libfko docs for the gpgme-related error codes and function.
Fixed minor typo
Fixed typo in Makefile.am
Added better autoconf handling of gpgpme. Fixes so libfko will compile under FreeBSD (7.0 release anyway).
Better error checking/message for decription. Fixed typo in docs.
Updated autoconf files and code to support Solaris (ver 10 x86 at least). This includes better type checking and resolving some conflicting names under Solaris.
Tweaked byte order determination for Solaris systems.
Added gpg-home-dir support to libfko and the fwknop program. Added the fko_set_spa_data() function. Documentation updates and other tweaks to support these changes.
Fixed typo in doc
Fixed segfault issue when spa_data_final was called before spa_message was set.
Fixed double-free when destroy was called after a failed gpg encryption/decryption.
Added perl module code to the repository.
Interim check-in of API changes, libfko and fwknop binary now support the updated API. Docs and Perl module are pending.
Tweaks to updated API. Added GPG signature checking and processing functions. Updated Perl module and perldoc for new API and functions.
Updated documentation to reflect API changes and GPG signature functions.
Added the Perl module files to Makefile.am so they will be included in the dist.
Changed fko version to 1.9.12. Made signing GPG-encrypted messages optional.
Made the dist name "fwknop-c" so as not to confuse it with the current "fwknop".
Updates and revisions to accommodate a Windows build.
Updated Makefile.am to add win32 directory to the dist.
Added getopt_long and getlogin capability to the Windows build.
Removed old test code from fwknop client. Other tweaks and enhancements.
Fixed bad variable name after moving the winsock startup code to a the send_spa_packet function.
Implemented sending spa data via TCP or ICMP via SOCK_RAW (unix only so far).
Added sending via tcp (established) conneciton. removed --debug as an option. Some minor code reformatting and refactoring.
Tweak for win32 platform
Yet another tweak for win32.
Tweaks again for win32 build
Brought Error constants in sync with libfko.
Minor updates to non-code-related files. Changed some copyrights to 2009.
Forgot to bump the perl module minor version number.
Added a TODO file
Added the digest types constants to the types and individual export tags.
Added handling of Backspace and Ctrl-U in the Win32 handling of get_passswd.
Tweaks to the win32 build (Visual Studio project configs).
Fixed spa access message validation routine to allow for multiple comma-separated requests in one message.
Tweaks to cover WIN32 build. Added print of error if tcp connect() fails.
Fixed some formatting errors in the POD.
Added SHA384 and SHA512 digests. Tweaks for getting rid of windows warnings. Use recv instead of read on socket. Bumped version to 0.63 (libfko) and 0.23 (FKO perl module).
Forgot to add the files for the updated SHA digests (oops).
Update the VS project file for the new SHA digest files and functions.
Fixed typo (actually a cut-and-paste remnant) in the doc.
Major rearrangement. Renamed directories: "fko" to "lib", "src" to "client". Added "common" and "server" directories. Setup autoconf to allow disabling the server and/or client builds.
Forgot to add the server dir.
Made the configure help message show --disable-xxx as the options for whether or not to build the server or client.
Some minor refactoring of the TIME_OFFSET handling. Other minor code formatting tweaks.
Updates to accommodate the Windows build.
Changed http_resolve_host code to make it work with or without trailing whitespace in returned content. Updated the IP address format and value checking code. Switched back to whatsmyip.com as default IP resolver.
Updated ip,port format and value check.
Fixed another minor typo in the doc
Added fwknop.man.asciidoc to docs and fwknop.8 man page to client (derived from fwknop.man.asciidoc).
Added check for libpcap. More stubbing in on the server code side.
Added more server command-line and config file processing code. Updated autoconf config for new checks and files.
Added override config handling and updated the config_init routines to parse everything in the correct order (i.e. config file, override configs, then command-line).
Minor manpage tweak
More tweaks to config file processing, including simple variable expansion.
Added some more stuff to deal with byte order identification on Solaris 10 x86 systems.
Added perl/legacy distribution (fwknop-1.9.12). Renamed this distribution from fwknop-c to simply fwknop. Made the version 2.0.0-alpha.
Removed the wipe_pw routine as it could result in segfaults when a static key is used.
Added some more (stubbed-in) server code and functions. Minor doc tweak.
Updated pid/lock file handling. Implemetned -K option.
Updates and enhancements to logging functions. Now log_msg writes only to stderr when running in foreground. Default log facility is LOG_DAEMON. Config file options of ENABLE_PACP_PROMISC, HOSTNAME, SYSLOG_IDENTITY, and SYSLOG_FACILITY are processed.
Updated sniffer to be able to handle the linux "any" interface.
Added stubs and some handling for signals. SIGHUP induces the re-reading the configs and restarting the capture loop. SIGTERM and SIGINT simply trigger a graceful exit. Trimmed some more of the configuration options.
Fixed memory leak issue in libfko when fko_new_with_data() was called with a bad key. Added autoconf checks for gdbm with fallback to ndbm for server builds. Added digest cache capability using gdbm (in ndbm compatibility mode) or ndbm for replay detection.
Changed digest cache to use gdbm directly wth fallback to ndbm (still not tested).
Fixed missed MY_DBM_CLOSE call
Fixed minor typo in the POD synopsis (thanks Franck!).
Updated digest cache to store additional information including src ip, created, first_replay, last_replay, and replay count.
Fixed bug in signal handling when libpcap version 1.0 is used. Minor doc update.
The default conf and run directories are captured from the autoconf output. Added post install hook to create the xxx/var/run/fwknop directory (which works, but breaks the "make distcheck" feature of autoconf). Changed order of config processing and set conf struct for some default and overridden parameters so they will be shown properly when -D is used.
Autoconf updates for detecting locally installed program paths and changes to facilitate portability. Also set AM_MAINTAINER_MODE so we are not forced to regen/reconfigure when we change one of the autoconf source files (but we do now need to remember to do it ourselves before making a new dist).
Made local exe checks run only of a server is being built. Removed checks for external progs that may not be needed yet.
Added configure args for specifying specific pathes to the local executables used by fwknopd.
Fixed incorrect variable in configure.ac.
Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only of ENABLE_DIGEST_PERSISTENCE is "Y".
Added check for and create of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file.
Added access.conf handling and processing. Added a new acces.conf parameter: RESTRICT_PORTS for specifying 1 or more proto/ports that are explicitly not allowed.
Updated changelog. Made the fwknop.man.asciidoc match the changes made to the fwknopd.8 manpage.
Commented out AM_MAINTAINER_MODE.
Added support for multiple GPG_REMOTE_ID values from access.conf (still need to implement the use of those however). Also, went back to support colons (:) as an optional part of the access.conf parameter name (better to keep backward compatibility).
Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decyption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.
Bumped working version to 2.0.0-alpha-pre2 to differentiate from the tagged 2.0.0-alpha-pre1. Updated Changelog.
Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworkd the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encypted message data. Removed the previously add pretty-print routine to configure. Updated configure to check for path to gpg executable. Updated docs accordingly.
Forgot to remove the m4 dir from Makefil.am
Tweaks to eliminate warnings on win32 build of libfko and client.
Updated TODO list (removed items that were compled and/or deprecated).
Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it.
Changed to fix possible double-free bug under some circumstances.
Started firewall rule processing. Added rule initialization. Added some of the initial routines for external command execution with ability to capture stdout, stderr, and exit status.
Minor tweaks to firewall rules processing and external command execution code.
Added the fwknopd.8 man page.
First cut at creating access rules and removing them when they expire (not sure I like this implementation but it is a start).
Very minor comment and code tweaks (mostly just an excuse to test the relocation of the svn server).
Added support for FWKNOP_OUTPUT_ACCESS and NAT_ACCESS modes (still needs testing and tweaking).
Tweaked firewall rule creation code. Added SNAT/MASQUERADE support. Fixed rule processing code so an INPUT rule was not created for NAT request. Still needs more review and testing.
Mostly documentation file updates.
Added support for parsing and processing SPA requests over HTTP. Beefed up verbose logging a bit. Added some more sanity checks on the validity of incoming SPA data before attempting to decode.
Tweak to client usage message output. Added TCP server funcionality to the server (call it a first cut).
More tweaks. Added SIGCHLD handler and code to try to restart the TCP server if it dies for whatever reason.
Some tweaks to the sigchld handling in the server. Other misc minor cleanup.
More updates to take care of warnings on Ubuntu systems (fixes for common sense warnings that should have come up om my Fedora system but didn't).
Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. removed some unimplemented and/or unused parameters and config directives (as well as thier respective documentation references. Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one.
More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument.
Added support for COMMAND_MSG requests. Also added CMD_EXEC_USER to access.conf to allow for fwknopd to setuid to the specified user before running the command. Other minor tweaks.
Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implement the checking of GPG signature IDs against the GPG_REOMOTE_ID list.
Updates to TCP server to close the lock file handle, use a non-blocking socket, and detect when the parent fwknop dies so it can exit as well.
Changed the way running external commands are hanlded to address issues with it not working on some systems/configurations. Just using system and popen and fw commands are run with stdout and stderr tied to gether.
Put locale code back in. More cleanup of config directives and options.
More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.
Due to issues and usage restrictions on whatismyip.com, I am making the default resolve_ip_http url www.cipherdyne.org/cgi-bin/myip.
Added .fwknoprc file creation and processing. This allows for saved default and named configuration profiles. Updated fwknop manpage to reflect the new capability. Also cleaned up messages (errors, info) from the program.
Added installation hook to set the perms on the .conf files to 600 during make install. Minot doc tweak.
Fixed bad param name in generated .fwknoprc file.
Fixed bug where named-stanza was not being found when it indeed existed.
Added fwknop.spec for rpm builds. Removed the server post install hook as it breaks make distcheck and rpm builds.
Minor cleanup on the spec file.
Fixed bug where ALLOW_IP of resolve was not overridden by an ALLOW_IP parameter in a named stanza. Removed erroneous invalid parameter from the initially generated .fwknoprc file.
Fixed issues found by the Windows compiler (that I would think would have been flagged by gcc).
Removed unreferenced variables.
Use USERPROFILE instead of HOME for homedir determination on win32 builds.
Fixed autoconf config so libfko and fwknop client are not linked with libpcap and libgdbm. Fixed some issues in the fwknop.spec file.
Fixed another oops in the spec file.
Renamed the legacy perl verison of fwknop.spec to fwkop-legacy.spec to resolve rpmbuild confusion when using the -tx options.
Manpage updates
Added AC_SYS_LARGE_FILE to configure.ac
Modified top-level Makefile.am so the legacy perl stuff is not packaged into the distribution tar file. More cleanup of the fwknopd man page.
Slightly revamped how signals were setup.
Reworked how man pages are generated. Now, man pages in the client and server directory are "fwknop(d).8.in" and a target was added to Makefile.am to create the man pages while doing variable substitutions based on directives specified via the configure script. Minor tweak to fwknop.spec file.
Removed checks for sig verification flag on gpg_sig info related functions.
Reverted last libfko change. Added set verify_sig flag when remote_ids are specified.
Moved force set of verify flag on remote_id value to before decryption phase.
Added the fwknopd_errors.[ch] files which provides the get_errstr() and fwknopd_errstr() functions. The get_errstr() function takes and error_code, tries to determine the type, then calls the appropriate xxx_errstr function to return a description string. Fixed some minor errors in the libfko API docs.
Almost all he conf variables have a default value if they are not there (or set). All the entries in the initial fwknop.conf file are not commented out adn can be override as needed.
Fixed some misplaced dependencies in the fwknop.spec file.
Updated the version number in the win32 config.h copy
Updates and clean-up to address the many compiler warnings when compiled with -Wall. Also some autoconf updates
Per Franck Joncourt - Corrected misspelled word in fwknopd man page and access.conf.
Added check to make sure a firewall program is set.
Removed a debug print statement.
Cleaned out some old commented-out sections configure.ac and fixed an issue where exteranl file checks would fail when running configure in cross-compiler environment. No code changes made.
Added extras directory. Bumped version in autoconf to 1.0.0rc2.
Fixed issue with spaces in in access.conf comma-separated values. Fixed issue with GPG signature check being forced when GPG_REMOTE_ID is set and GPG_REQUIRE_SIG was "N". Updated dependency in the spec file. Updates to ChangeLog.
Added some OpenWRT-related files to the extras directory.
Tweaks to autoconf files.
Updates to accomodate building and compiling on FreeBSD systems.
Oops left out new header for last update.
Uncommented call to check_firewall_rules (left in while debugging freebsd build).
Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw and ipf firewall types. Updated autoconf to set a firewall type and path depending on configure arguments.
Start of addition of access requests via ipfw.
Added rule expire and purge for ipfw. Almost there...
Missed a config file update on the last check-in.
Wrapped #ifdef around a linux-specific chunk.
Made fw_cleanup not remove rules from the expired rule set. Added code to read in any existing expired rules into the rule_map at startup.
Made autoconf print an error message indicating ipf is not supported if it is specified. Changelog updates.
Minor fwknopd man page tweak.
Fixed handling of man page generation in Makefile.am so it works from alternate build directories.
Set pcap non-block mode back on unless it is a freebsd system. Server verbose output no longer shows access key or GPG password.
Tweaks to the fwknop.spec file
Put the usleep back pcap_capture (oops).
Needed to bump libfko revision to 2 do identify as part of newer dist.
Update added HAVE_ERRNO_H 1 to win32/config.h.
Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.
Updated perl module for additional error messages.
Updated the GPL blurb at the top of the source files. Added some missing copyright statements (Thanks to Franck Joncourt).
Added code to zero out rcfile path before setting it. Also added a bounds check to that as well.
Minor comment and documentation tweaks. Add the python directory which contains my first cut at a libfko Python wrapper module.
Added the Fko class code to wrap the _fko wrapper around libfko.
Added pydoc text to the fko python module. Minot tweak to setup.py.
Do not need parens around expression in if statements in python (still learning).
Fixed bug where libfko would segfault if fko_get_spa_data() was called before fko_spa_data_final() was called (and successful). Added include of time.h in fko.h.
Additional docs and classes added to the fko python module. Minor tweak and bumped version in the fwknop.spec file.
Removed unnecessary include.
Adding Max Kastanas's fwknop client app code for Android
Minor update to the android README
Added python/fko.py to Makefile.am so it is also included in distributions. Minor tweak to address compile error on Mac os X.
Fix check and handling of ndbm as an option for the digest cache.
Added a no-digest-cache configure option and capability (though it is not recommended).
Set FD_CLOEXEC on pid file descriptor. Added support for setting the URL for resolving source IP via command-line or the .fwknoprc file.
Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist.
Merge branch 'master' of https://github.com/mrash/fwknop
Max Kastanas (1):
Codebase of Fwknop client for iOS (iPhone) devices
Michael Rash (210):
Merged in fwknop-c-ubuntu branch changes via:
- Added command line argument processing for:
- Added code to send SPA packet data over a UDP socket. - Added minor validation step to enforce --Destination usage if not running in --Test mode (will extend this validation to include other option).
minor update to not force --Destination in --Version mode
added Id tag expansion
-Added the --get-key option to allow SPA passwords to be read from a file. This feature will be useful for an automated test suite that drives the fwknop C client against an SPA server implementation.
Added the following options:
minor bug fix to anticipate closing newline in a password read from a file via --get-key
updated to concatenate the allow IP and access string for fko_set_spa_message()
updated Copyright to Damien
Minor bug fix to process gpg command line arguments properly when handling the command line.
removed unnecessary initialization of string vars to 0x0 because the earlier memset() takes care of this
added the --save-packet argument so that SPA packet data can be saved to the local filesystem by the fwknop-c client
added --save-packet-append so that SPA packet data can be appended to a file
minor link update for the cipherdyne.org website
minor wording update to match fwknop help to config_init.h for --server-proto option
minor typo fix (gps -> gpg)
bug fix suggested by Damien to allow the recompute of the SPA digest to properly happen when calling spa_digest() with a true value
initial stab at libfko server daemon TODO's
added B64_GPG_PREFIX 'hQ' string for GnuPG prefix handling (similar to the 'Salted__' handling for Rijndael SPA packet encryption
- Added the ability to send SPA packets over valid HTTP requests with the fwknop-c client. - Added support for transmitting SPA packets over IPv6 via TCP and UDP sockets, and also via HTTP. - Added GnuPG 'hQ' base64 encoded prefix handling (this prefix is stripped out of encrypted SPA packet data). - Added hostname resolution support to the fwknop-c client if the SPA server is specified as a hostname instead of an IP address. - Minor bug fix to allow a GnuPG password to be specified via the --get-key functionality.
* Got forward and local NAT modes working with the --nat-access, --nat-local, --nat-port, and --nat-randport options. All NAT modes are now passing the fwknop test suite. * Added the --server-command option to build an SPA packet with a command for the server to execute. * Added the --fw-timeout option for client side timeouts to be specified. * Added the --time-offset-plus and --time-offset-minus options to allow the user to influence the timestamp associated with an SPA packet. * Added the --rand-port option so that the SPA packet destination port can be randomized.
* Added the --show-last and --no-save command line options to show the command line used for the previous fwknop invocation, and to have the fwknop client not save its command line arguments. * Bug fix to force libfko to recalculate the random data embedded in the the SPA packet after a random port is acquired via --rand-port or --nat-rand-port. This is a precaution so that an attacker cannot guess some of the internal SPA data based on the destination port number.
changed the minimum destination SPA port from 1024 to 10,000
minor doc updates
Added the --source-ip argument to build SPA packets with 0.0.0.0 (the fwknopd server can wrap access controls around this)
bugfix to order HTTP request headers properly, updated the user agent for SPA over HTTP to use the options->http_user_agent variable (can be set from the command line)
added the --resolve-ip-http and --user-agent command line args so the fwknop-c client can resolve the external network via http://www.cipherdyne.org/cgi/myip.cgi
updated SPA over HTTP packets to always begin the a slash right after the GET string, updated to print SPA packets over HTTP to stderr in test/verbose mode
updated to handle the fwknop-c version string '2.0.0-alpha' in HTTP tests
Added --List-mode so that identifying strings for tests can be printed on stdout. This is useful to see what is available for --test-include regex's.
Added better --debug output for time differences on incoming SPA packets. This makes it easier to tell when there are problems with time synchronization between the fwknop client and fwknopd server systems.
- Added --http-proxy argument to the fwknop C client. - (Legacy code): Changed HTTP proxy handling to point an SPA packet to an HTTP proxy with -D specifying the end point host and --HTTP-proxy pointing to the proxy host. This fix was suggested by Jonathan Bennett.
added Daniel Lopez, and Jonathan Bennett's proxy fix
added the latest http proxy fixes to the ChangeLog
(Legacy code) Applied patch from Jonthan Bennett to support the usage of the http_proxy environmental variable for sending SPA packets through an HTTP proxy. The patch also adds support for specifying an HTTP proxy user and password via the following syntax:
* (Legacy code) Bug fix to allow the --rand-port argument to function along without an inappropriate check for the --Server-port arg.
minor bug fix to ensure that -R resolution work with --URL=http://www.cipherdyne.org/cgi/clientip.cgi
minor bug fix to not append --Server-port option in --rand-port mode
bumped version to 2.0.0-alpha-pre1
minor update to include the -f arg in the usage() output
Added --packet-limit to fwknopd so that the number of incoming candidate SPA packets can be limited from the command line. When this limit is reached (any packet that contains application layer data and passes the pcap filter is included in the count) then fwknopd exits.
added Id tag expansion
added Id tag expansion
minor spacing fix
added --http-proxy and --no-save-args to usage() output
added --http-proxy argument to the fwknop.8 man page
removed unnecessary --no-save arg since --no-save-args covers it
Added --access-file command line arg to fwknopd so that the path to the access.conf file can be specified from the command line.
added -a arg to fwknopd usage() output
minor update to the fwknop client to use '#define GETOPTS_OPTION_STRING' for getopt() command line arg processing.
* Added a new command line argument "--last-cmd" to run the fwknop client with the same command line arguments as the previous time it was executed. The previous arguments are parsed out of the ~/.fwknop.run file (if it exists). * Bug fix to not send any SPA packet out on the wire if a NULL password/key is provided to the fwknop client. This could happen if the user tried to abort fwknop execution by sending the process a SIGINT while being prompted to enter the password/key for SPA encryption.
(legacy code) (test suite) Bug fix for GnuPG SPA/HTTP tests not pointing to the proper HTTP output file
* Fixed a few minor warnings like the following:
added --last-cmd argument to fwknop(8) man page via the fwknop.man.asciidoc file
added --server-cmd arg to fwknop client man page and help output
bug fix in --packet-limit handling to ensure multi-packet processing when the arg is not used
Added minor validation code to access.conf parsing to ensure that a SOURCE stanza begins with the SOURCE variable and that there is at least one usage of the OPEN_PORTS and KEY variables. The OPEN_PORTS requirement might be relaxed when PERMIT_CLIENT_PORTS handling is added.
bug fix to ensure the --last-cmd re-parsing of command line args via getopt_long() has a reset index
Update to call parse_proto_and_port() before allocating a new port list. This fixes the following stack trace when generating an SPA packet that contains "none/0" for the port list:
updated to call dump_access_list() if -D was given to dump config information
applied patch from Franck to catch a couple of man page typos
Updated to define a default gpg keyring path of /root/.gnupg, and if the GPG_HOME_DIR variable is not defined in the fwknopd.conf file or the access.conf file, then this default will take over.
minor macro update to define the default gpg keyring
minor update to check the gpg keyring path setting in access stanzas only if a decrypt password is specified
- added is_valid_dir() utility function for checking directory stat()/existence (this is used for gpg keyring path validation).
added --fw-list arg to the fwknopd daemon to list all current firewall rules for any running fwknopd process
removed additional wait() call from run_extcmd(), updated --fw-list to just use system() to execute the iptables listing commands
Bug fix for USE_NDBM variable so that client-only builds work. The specific error before the patch along with the command line invocation of the "configure" script appear below:
minor bug fix to account for PATH_SEP being defined as a character instead of a string
minor off-by-one fix for home directory path separator
Removed legacy $Id$ tags from svn
Bug fix for uninitialized variable found with splint static analyzer
Minor rename in support of non-dbm file cache
Added autoconf support for non-dbm file cache.
Updated digest file path for gdbm/ndbm support
Added --pcap-filter to the fwknopd command line
Merge branch 'master' into optional_dbm_support
Implemented linked list cache of SPA digests
Started on code to parse the digest cache file
Added dst IP to tracked SPA data
Added source port and protocol to digest tracking
Added digest file import code
Consolidated replay warnings in a single function
Implemented memory clean up for digest cache list
Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett
Minor variable cleanup to fix compiler warnings
Added stack protection, PIE, fortify source, etc.
Updated replay warnings to include proto/port info
Update to force base64 check for all SPA data
Update to add any missing iptables jump rules
Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling
Added ChangeLog derived from git commit messages.
Bumped version to fwknop-2.0.0-rc3
added the VERSION file
Bug fix for ./configure args to disable compile time security options
Added -Wall for all gcc warnings during compile
minor commit to fix minor compilations warnings
Minor restructuring to suppress compiler "defined but not used warnings"
Update to suppress additional compiler warning
On FreeBSD disable read-only relocations and immediate binding protections
Fixed a few minor compiler warnings on FreeBSD
On FreeBSD, made gpgme header path inclusion optional
Bug fix to create the digest.cache file at init
Bug fix for missing set existence check on ipfw firewalls
Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules
Updated ChangeLog with all changes from 2.0.0-rc3
Added version specific ChangeLog, ShortLog, and diffstat files.
bumped version to 2.0.0rc4
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
Disabled read-only relocations and immediate binding compiler protections
Added autoconf check for pf firewalls
PF support on OpenBSD in progress, fwknop --fw-list now works
Added --fw-list info to --help
For PF firewalls implemented a check for an active fwknop anchor
Minor copyright holder update
PF rules are now added to the fwknop anchor
minor comment typo fixes
Added the ability to delete PF rules
Update to make _exp_ string a #define
Check for active_rules > 0 before decrementing
Added read-only relocations and immediate bindings
Replaced all strcpy() calls with strlcpy()
minor typo fix: fwkop -> fwknop
Merge pull request #5 from maxkas/master
Added the fwknop lsof launcher under the extras/ directory
Merge branch 'master' into fwknop-launcher
Added --help usage information
Initial start on a test suite
minor update to account for hardening-check return values
switched --help output to stdout from stderr
minor update to switch to stdout when exiting with success
removed
interim commit to add major functionality to the fwknop test suite
started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance
minor typo fix
added the test/conf/ directory for config files use by the test suite
minor bugfix to ensure that the proper firewall is used to collect system specs
minor wording update netfilter -> iptables
minor whitespace fixes
minor update to allow fw rules to be dumped before parsing the access.conf file
Added usage of sudo for recompilation test
Added --fw-list-all and --fw-flush
Minor PID string length fix
added client/server interaction test capability
Added --digest-file and --pid-file args
added first complete SPA cycle test
minor removal of whitespace
added replay attack detection test
added rule timeout detection
added Rijndael SPA validity tests
added -P bpf filter test
added -P bpf test for complete SPA cycle over non standard SPA port
added test to validate digest.cache structure
minor whitespace removal
added first GPG complete cycle SPA test
extended packet validity tests in GPG mode
minor update to match include/exclude criteria on the whole test message
added digest cache validation after GPG tests
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier
minor whitespace removal
update to detect loopback interface
compiler warning fix for sscanf() on freebsd
added 'const' to function prototype vars where possible
Update to print all firewall commands in --verbose mode
Update to ensure libfko.so path is detected properly on OpenBSD
added stack protection detection for OpenBSD systems
minor whitespace removal
update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces
bugfix to return preprocess_spa_data() result properly to calling function
[test-suite] added the ability to run all fwknop tests through valgrind
minor looping criteria update for valgrind tests
updated client SPA verbose message to include the server IP/host
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
Fixed fwknopd memory leak, several other fixes and updates
consolidated several test functions into a single generic_exec() function
added --diff mode to the test suite to compare results from one execution to the next
remove CMD timestamps for --diff mode
This commit fixes two memory leaks and adds a common exit function.
minor test wording consolidation
simplified the client/server interaction code, started on IP filtering tests, added spoof username tests
added IP/subnet match tests, added --Anonymize-results mode
added tests for various access.conf variables
added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access
bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
added test for --test mode in the fwknop client
bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)
added SPA packet aging tests
Added access stanza expiration feature, multiple access stanza bug fix
memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
minor newline fix for access.conf output dump
Added FORCE_NAT mode to the access.conf file
minor compile fixes for FreeBSD
minor compiler warning fix on OpenBSD
added CREDITS file, bumped software version, added ChangeLog files
added CREDITS file, bumped software version, added ChangeLog files
Added various files to Makefile.am so that 'make dist' continues to work
change log doc updates
Added the CREDITS file for 'make dist'
minor addition of the CREDITS file for 'make dist'
added local_spa.key file
added local_spa.key file
minor addition of the local_spa.key file for 'make dist'
updated copyright and license statement - fwknop is GPL software
minor wording update subversion -> git
bumped version to 2.0
minor test suite addition to check for linker input file warnings
minor test suite update to look for linker warnings in a more generic way
added FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding protection compliation warnings on FreeBSD
bumped version to 2.0
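Review bot: the rc5 ChangeLog removed by this hunk is the only record on this page of the linker hardening being toggled during the release candidates: "Disabled read-only relocations and immediate binding compiler protections", then "Added read-only relocations and immediate bindings", then the FreeBSD rework via FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY. Its replacement, ChangeLog-v2.0, is suppressed as too large on this page, so the final state of RELRO and BIND_NOW for the 2.0 release should be stated explicitly in the release notes and confirmed with the test/hardening-check script that the rc5 diffstat shows being added under test/ before the tag is cut. The duplicated entries ("bumped version to 2.0" twice, "added local_spa.key file" twice, "added CREDITS file, bumped software version, added ChangeLog files" twice) and the bare "removed" entry suggest the file is generated straight from git log without deduplication; if ChangeLog-v2.0 came from the same generator it will carry the same noise and is worth a pass before release.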


@ -1,123 +0,0 @@
Damien Stuart (2):
Added the cmd_opts.h file to server and client's Makefile.am so they
are included with make dist.
Merge branch 'master' of https://github.com/mrash/fwknop
Max Kastanas (1):
Codebase of Fwknop client for iOS (iPhone) devices
Michael Rash (93):
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
Disabled read-only relocations and immediate binding compiler
protections
Added autoconf check for pf firewalls
PF support on OpenBSD in progress, fwknop --fw-list now works
Added --fw-list info to --help
For PF firewalls implemented a check for an active fwknop anchor
Minor copyright holder update
PF rules are now added to the fwknop anchor
minor comment typo fixes
Added the ability to delete PF rules
Update to make _exp_ string a #define
Check for active_rules > 0 before decrementing
Added read-only relocations and immediate bindings
Replaced all strcpy() calls with strlcpy()
minor typo fix: fwkop -> fwknop
Merge pull request #5 from maxkas/master
Added the fwknop lsof launcher under the extras/ directory
Merge branch 'master' into fwknop-launcher
Added --help usage information
Initial start on a test suite
minor update to account for hardening-check return values
switched --help output to stdout from stderr
minor update to switch to stdout when exiting with success
removed
interim commit to add major functionality to the fwknop test suite
started on basic SPA generation, updated to use LD_LIBRARY_PATH for
local libfko instance
minor typo fix
added the test/conf/ directory for config files use by the test suite
minor bugfix to ensure that the proper firewall is used to collect
system specs
minor wording update netfilter -> iptables
minor whitespace fixes
minor update to allow fw rules to be dumped before parsing the
access.conf file
Added usage of sudo for recompilation test
Added --fw-list-all and --fw-flush
Minor PID string length fix
added client/server interaction test capability
Added --digest-file and --pid-file args
added first complete SPA cycle test
minor removal of whitespace
added replay attack detection test
added rule timeout detection
added Rijndael SPA validity tests
added -P bpf filter test
added -P bpf test for complete SPA cycle over non standard SPA port
added test to validate digest.cache structure
minor whitespace removal
added first GPG complete cycle SPA test
extended packet validity tests in GPG mode
minor update to match include/exclude criteria on the whole test
message
added digest cache validation after GPG tests
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual
command execution easier
minor whitespace removal
update to detect loopback interface
compiler warning fix for sscanf() on freebsd
added 'const' to function prototype vars where possible
Update to print all firewall commands in --verbose mode
Update to ensure libfko.so path is detected properly on OpenBSD
added stack protection detection for OpenBSD systems
minor whitespace removal
update to remove packet direction requirement when sniffing on
OpenBSD loopback interfaces
bugfix to return preprocess_spa_data() result properly to calling
function
[test-suite] added the ability to run all fwknop tests through
valgrind
minor looping criteria update for valgrind tests
updated client SPA verbose message to include the server IP/host
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and
for udp 53 dns
Fixed fwknopd memory leak, several other fixes and updates
consolidated several test functions into a single generic_exec()
function
added --diff mode to the test suite to compare results from one
execution to the next
remove CMD timestamps for --diff mode
This commit fixes two memory leaks and adds a common exit function.
minor test wording consolidation
simplified the client/server interaction code, started on IP
filtering tests, added spoof username tests
added IP/subnet match tests, added --Anonymize-results mode
added tests for various access.conf variables
added DNAT mode tests, minor memory leak fix in NAT mode, added
fwknopd check for ENABLE_IPT_FORWARDING variable before attempting
NAT access
bug fix to honor the fwknop client --time-offset-plus and
--time-offset-minus options
added test for --test mode in the fwknop client
bug fix to exclude SPA packets with timestamps in the future that are
too great (old packets were properly excluded already)
added SPA packet aging tests
Added access stanza expiration feature, multiple access stanza bug
fix
memory leak bugfix as a follow up to commit
b280f5cde0246cdef33dee3f8be66a2bcef77336
minor newline fix for access.conf output dump
Added FORCE_NAT mode to the access.conf file
minor compile fixes for FreeBSD
minor compiler warning fix on OpenBSD
added CREDITS file, bumped software version, added ChangeLog files
added CREDITS file, bumped software version, added ChangeLog files
Added various files to Makefile.am so that 'make dist' continues to
work
change log doc updates
Added the CREDITS file for 'make dist'
minor addition of the CREDITS file for 'make dist'
added local_spa.key file
added local_spa.key file
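Review bot: this hunk deletes ShortLog-v2.0rc5 in full, but the commit message ("Added ChangeLog, ShortLog, and diffstat files for the 2.0 release") mentions only additions; it should say that the rc5 logs are being replaced, as the rc5 log itself did for the previous set ("removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files"). Because the per-version files are removed on every release, the rc5 attribution recorded here (Damien Stuart's Makefile.am fix, Max Kastanas' iOS client, the 93 entries from Michael Rash) survives only in git history, not in the shipped tree, so CREDITS should carry the contributor names if they are meant to reach distribution tarballs.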

1434
diffstat-v2.0 Normal file

File diff suppressed because it is too large


@ -1,211 +0,0 @@
CREDITS | 17 +
ChangeLog-v2.0.0 | 3020 ------------------------
ChangeLog-v2.0rc5 | 797 +++++++
Makefile.am | 68 +
ShortLog-v2.0.0 | 654 -----
ShortLog-v2.0rc5 | 120 +
VERSION | 2 +-
android/project/jni/config.h | 6 +-
client/Makefile.am | 2 +-
client/config_init.c | 59 +-
client/fwknop.c | 84 +-
client/fwknop_common.h | 6 +-
client/getpasswd.c | 4 +-
client/http_resolve_host.c | 8 +-
client/spa_comm.c | 62 +-
client/spa_comm.h | 2 +-
client/utils.c | 2 +-
client/utils.h | 2 +-
common/common.h | 4 +-
common/netinet_common.h | 11 +-
configure.ac | 66 +-
diffstat-v2.0.0 | 1310 ----------
diffstat-v2.0rc5 | 209 ++
doc/fwknop.man.asciidoc | 8 +-
doc/fwknopd.man.asciidoc | 93 +-
doc/libfko.texi | 12 +-
extras/fwknop-launcher/fwknop-launcher-lsof.pl | 350 +++
extras/fwknop-launcher/fwknop-launcher.conf | 30 +
extras/openwrt/package/fwknop/Makefile | 2 +-
fwknop.spec | 8 +-
iphone/COPYING | 340 +++
iphone/Classes/FwknopController.h | 30 +
iphone/Classes/FwknopController.m | 309 +++
iphone/Classes/MyAppDelegate.h | 33 +
iphone/Classes/MyAppDelegate.m | 53 +
iphone/Classes/bridge_fwknop.c | 28 +
iphone/Classes/bridge_fwknop.h | 21 +
iphone/Classes/config.h | 346 +++
iphone/Classes/fwknop/fwknop_client.c | 162 ++
iphone/Classes/fwknop/fwknop_client.h | 60 +
iphone/Classes/fwknop/send_spa_packet.c | 94 +
iphone/Classes/libfwknop/README | 11 +
iphone/Classes/libfwknop/config.h | 14 +
iphone/Classes/libfwknop/fko_common.b | 140 ++
iphone/Classes/libfwknop/get_libfko_files.sh | 38 +
iphone/Classes/logutils.h | 33 +
iphone/Fwknop.pch | 23 +
iphone/Fwknop.xcodeproj/dev.mode1v3 | 1539 ++++++++++++
iphone/Fwknop.xcodeproj/dev.pbxuser | 2859 ++++++++++++++++++++++
iphone/Fwknop.xcodeproj/project.pbxproj | 413 ++++
iphone/Info.plist | 30 +
iphone/README | 42 +
iphone/lock_57x57.png | Bin 0 -> 3466 bytes
iphone/main.m | 29 +
lib/base64.c | 2 +-
lib/base64.h | 2 +-
lib/cipher_funcs.c | 22 +-
lib/cipher_funcs.h | 4 +-
lib/digest.c | 4 +-
lib/fko.h | 28 +-
lib/fko_client_timeout.c | 6 +-
lib/fko_decode.c | 34 +-
lib/fko_digest.c | 24 +-
lib/fko_encode.c | 18 +-
lib/fko_encryption.c | 58 +-
lib/fko_error.c | 10 +-
lib/fko_funcs.c | 18 +-
lib/fko_message.c | 12 +-
lib/fko_nat_access.c | 2 +-
lib/fko_rand_value.c | 4 +-
lib/fko_server_auth.c | 2 +-
lib/fko_timestamp.c | 6 +-
lib/fko_user.c | 1 -
lib/gpgme_funcs.c | 2 +-
lib/gpgme_funcs.h | 2 +-
lib/rijndael.c | 268 ++--
server/Makefile.am | 7 +-
server/access.c | 261 ++-
server/access.h | 7 +-
server/cmd_opts.h | 17 +-
server/config_init.c | 112 +-
server/config_init.h | 2 +-
server/extcmd.c | 8 +-
server/extcmd.h | 4 +-
server/fw_util.h | 14 +-
server/fw_util_ipf.c | 15 +-
server/fw_util_ipfw.c | 231 ++-
server/fw_util_ipfw.h | 5 +-
server/fw_util_iptables.c | 272 ++-
server/fw_util_iptables.h | 25 +-
server/fw_util_pf.c | 559 +++++
server/fw_util_pf.h | 48 +
server/fwknopd.8.in | 5 +-
server/fwknopd.c | 172 +-
server/fwknopd.conf | 41 +-
server/fwknopd.h | 2 +
server/fwknopd_common.h | 51 +-
server/fwknopd_errors.c | 29 +-
server/fwknopd_errors.h | 7 +-
server/incoming_spa.c | 683 ++++---
server/incoming_spa.h | 2 +-
server/log_msg.c | 12 +-
server/pcap_capture.c | 61 +-
server/process_packet.c | 33 +-
server/replay_cache.c | 13 +-
server/tcp_server.c | 10 +-
server/utils.c | 23 +-
server/utils.h | 3 +-
test/conf/client-gpg/pubring.gpg | Bin 0 -> 2480 bytes
test/conf/client-gpg/secring.gpg | Bin 0 -> 1350 bytes
test/conf/client-gpg/trustdb.gpg | Bin 0 -> 1360 bytes
test/conf/default_access.conf | 3 +
test/conf/default_fwknopd.conf | 4 +
test/conf/expired_epoch_stanza_access.conf | 4 +
test/conf/expired_stanza_access.conf | 4 +
test/conf/force_nat_access.conf | 4 +
test/conf/future_expired_stanza_access.conf | 4 +
test/conf/gpg_access.conf | 7 +
test/conf/invalid_expire_access.conf | 4 +
test/conf/ip_source_match_access.conf | 3 +
test/conf/mismatch_open_ports_access.conf | 4 +
test/conf/mismatch_user_access.conf | 4 +
test/conf/multi_gpg_access.conf | 7 +
test/conf/multi_source_match_access.conf | 3 +
test/conf/multi_stanzas_access.conf | 15 +
test/conf/multi_stanzas_with_broken_keys.conf | 19 +
test/conf/nat_fwknopd.conf | 5 +
test/conf/no_multi_source_match_access.conf | 3 +
test/conf/no_source_match_access.conf | 3 +
test/conf/no_subnet_source_match_access.conf | 3 +
test/conf/open_ports_access.conf | 4 +
test/conf/override_fwknopd.conf | 1 +
test/conf/require_src_access.conf | 5 +
test/conf/require_user_access.conf | 4 +
test/conf/server-gpg/pubring.gpg | Bin 0 -> 2480 bytes
test/conf/server-gpg/secring.gpg | Bin 0 -> 1352 bytes
test/conf/server-gpg/trustdb.gpg | Bin 0 -> 1360 bytes
test/conf/subnet_source_match_access.conf | 3 +
test/hardening-check | 285 +++
test/local_spa.key | 3 +
test/test-fwknop.pl | 2689 +++++++++++++++++++++
win32/config.h | 2 +-
142 files changed, 13849 insertions(+), 6178 deletions(-)
create mode 100644 CREDITS
delete mode 100644 ChangeLog-v2.0.0
create mode 100644 ChangeLog-v2.0rc5
delete mode 100644 ShortLog-v2.0.0
create mode 100644 ShortLog-v2.0rc5
delete mode 100644 diffstat-v2.0.0
create mode 100644 diffstat-v2.0rc5
create mode 100755 extras/fwknop-launcher/fwknop-launcher-lsof.pl
create mode 100644 extras/fwknop-launcher/fwknop-launcher.conf
create mode 100755 iphone/COPYING
create mode 100755 iphone/Classes/FwknopController.h
create mode 100755 iphone/Classes/FwknopController.m
create mode 100755 iphone/Classes/MyAppDelegate.h
create mode 100755 iphone/Classes/MyAppDelegate.m
create mode 100644 iphone/Classes/bridge_fwknop.c
create mode 100644 iphone/Classes/bridge_fwknop.h
create mode 100644 iphone/Classes/config.h
create mode 100644 iphone/Classes/fwknop/fwknop_client.c
create mode 100644 iphone/Classes/fwknop/fwknop_client.h
create mode 100644 iphone/Classes/fwknop/send_spa_packet.c
create mode 100644 iphone/Classes/libfwknop/README
create mode 100644 iphone/Classes/libfwknop/config.h
create mode 100644 iphone/Classes/libfwknop/fko_common.b
create mode 100755 iphone/Classes/libfwknop/get_libfko_files.sh
create mode 100644 iphone/Classes/logutils.h
create mode 100755 iphone/Fwknop.pch
create mode 100644 iphone/Fwknop.xcodeproj/dev.mode1v3
create mode 100644 iphone/Fwknop.xcodeproj/dev.pbxuser
create mode 100755 iphone/Fwknop.xcodeproj/project.pbxproj
create mode 100755 iphone/Info.plist
create mode 100755 iphone/README
create mode 100644 iphone/lock_57x57.png
create mode 100755 iphone/main.m
create mode 100644 server/fw_util_pf.c
create mode 100644 server/fw_util_pf.h
create mode 100644 test/conf/client-gpg/pubring.gpg
create mode 100644 test/conf/client-gpg/secring.gpg
create mode 100644 test/conf/client-gpg/trustdb.gpg
create mode 100644 test/conf/default_access.conf
create mode 100644 test/conf/default_fwknopd.conf
create mode 100644 test/conf/expired_epoch_stanza_access.conf
create mode 100644 test/conf/expired_stanza_access.conf
create mode 100644 test/conf/force_nat_access.conf
create mode 100644 test/conf/future_expired_stanza_access.conf
create mode 100644 test/conf/gpg_access.conf
create mode 100644 test/conf/invalid_expire_access.conf
create mode 100644 test/conf/ip_source_match_access.conf
create mode 100644 test/conf/mismatch_open_ports_access.conf
create mode 100644 test/conf/mismatch_user_access.conf
create mode 100644 test/conf/multi_gpg_access.conf
create mode 100644 test/conf/multi_source_match_access.conf
create mode 100644 test/conf/multi_stanzas_access.conf
create mode 100644 test/conf/multi_stanzas_with_broken_keys.conf
create mode 100644 test/conf/nat_fwknopd.conf
create mode 100644 test/conf/no_multi_source_match_access.conf
create mode 100644 test/conf/no_source_match_access.conf
create mode 100644 test/conf/no_subnet_source_match_access.conf
create mode 100644 test/conf/open_ports_access.conf
create mode 100644 test/conf/override_fwknopd.conf
create mode 100644 test/conf/require_src_access.conf
create mode 100644 test/conf/require_user_access.conf
create mode 100644 test/conf/server-gpg/pubring.gpg
create mode 100644 test/conf/server-gpg/secring.gpg
create mode 100644 test/conf/server-gpg/trustdb.gpg
create mode 100644 test/conf/subnet_source_match_access.conf
create mode 100755 test/hardening-check
create mode 100644 test/local_spa.key
create mode 100755 test/test-fwknop.pl
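Review bot: the diffstat being removed here is the only place on this page that records key material entering the tree for the test suite: test/local_spa.key (3 lines) plus secring.gpg, pubring.gpg and trustdb.gpg under test/conf/client-gpg and test/conf/server-gpg. Committed fixture keys are acceptable for a test suite, but once this file is gone their presence is documented only in the suppressed ChangeLog-v2.0, so test/test-fwknop.pl or the test/conf files themselves should state that these are throwaway test-only keys, and nothing in server/fwknopd.conf, fwknop.spec or the extras/openwrt package (all touched in this diffstat) should reference them as defaults. The entry iphone/Classes/libfwknop/fko_common.b, sitting next to config.h and get_libfko_files.sh, also has an unusual extension that is worth confirming is intentional rather than a misnamed header.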