bump version to 2.5, minor fwknopd -S exit status update

This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to
signal incompatibility with older libfko versions.  Backwards compatibility is
maintained in SPA packet construction, but function prototypes in libfko-2.0 are
no longer compatible with older versions.

This commit also returns non-zero exit status under 'fwknopd --status' if there
is no existing fwknopd process.  This is better than always exiting with a zero
status regardless of whether fwknopd is already running or not, and adds a level
of scriptability to --status usage.  This change was suggested by George Herlin.
Michael Rash 2013-06-27 21:21:10 -04:00
parent 2812897666
commit 37b624ac8b
8 changed files with 28 additions and 23 deletions

View File

@ -2,12 +2,12 @@
.\" Title: fwknop .\" Title: fwknop
.\" Author: [see the "AUTHORS" section] .\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/20/2013 .\" Date: 06/27/2013
.\" Manual: Fwknop Client .\" Manual: Fwknop Client
.\" Source: Fwknop Client .\" Source: Fwknop Client
.\" Language: English .\" Language: English
.\" .\"
.TH "FWKNOP" "8" "06/20/2013" "Fwknop Client" "Fwknop Client" .TH "FWKNOP" "8" "06/27/2013" "Fwknop Client" "Fwknop Client"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -156,7 +156,7 @@ rc file is a more powerful mechanism for specifying not only the HMAC key but ot
.RS 4 .RS 4
Have Have
\fBfwknop\fR \fBfwknop\fR
generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/random and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/urandom and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
\fB\-\-get\-key\fR)\&. Such keys are generally more secure than passphrases that are typed in from the command line\&. \fB\-\-get\-key\fR)\&. Such keys are generally more secure than passphrases that are typed in from the command line\&.
.RE .RE
.PP .PP
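Review bot: the rendered man page now says the generated keys are derived from /dev/urandom rather than /dev/random, but none of the other hunks in this commit change the matching sentence in the asciidoc source the page is generated from, nor any key-generation code, and the commit message does not mention the change. If the page was simply regenerated from a source that had already been updated, fine, but please confirm that the source text and the client's actual key source agree with this line; otherwise the next docbook regeneration will silently revert it.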
@ -916,7 +916,7 @@ So, assuming that the IP \fI2\&.2\&.2\&.2\fR is the system where \fBfwknopd\fR i
.RE .RE
.\} .\}
.sp .sp
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \&.fwknoprc file: With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \fI~/\&.fwknoprc\fR file:
.sp .sp
.if n \{\ .if n \{\
.RS 4 .RS 4
@ -950,7 +950,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
Random Value: 8950423288486978 Random Value: 8950423288486978
Username: mbr Username: mbr
Timestamp: 1370194770 Timestamp: 1370194770
FKO Version: 2\&.5\&.0 FKO Version: 2\&.5
Message Type: 1 (Access msg) Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22 Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL> Nat Access: <NULL>
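Review bot: the sample --verbose output is changed to read "FKO Version: 2.5", yet the fko.h hunk in this same commit sets FKO_PROTOCOL_VERSION to "2.0". If this line prints the version string carried in the SPA packet (the macro whose comment calls it the fwknop protocol version), the sample should show 2.0; if it prints something else, the two values need to be reconciled, because a reader comparing them will assume one is wrong. The same sample appears again later in this file and in the asciidoc source, so whichever value is correct should be applied to every copy.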
@ -970,7 +970,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
.\} .\}
.SS "Access mode examples" .SS "Access mode examples"
.sp .sp
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the \&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument: The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the ~/\&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
.sp .sp
.if n \{\ .if n \{\
.RS 4 .RS 4
@ -999,7 +999,7 @@ If the \fB\-\-verbose\fR flag is added to the command line, then some SPA packet
Random Value: 1916307060193417 Random Value: 1916307060193417
Username: mbr Username: mbr
Timestamp: 1368498909 Timestamp: 1368498909
FKO Version: 2\&.5\&.0 FKO Version: 2\&.5
Message Type: 1 (Access msg) Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22 Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL> Nat Access: <NULL>

View File

@ -11,7 +11,7 @@ AC_PREREQ(2.62)
dnl Define our name, version and email. dnl Define our name, version and email.
m4_define(my_package, [fwknop]) m4_define(my_package, [fwknop])
m4_define(my_version, [2.5.0b]) m4_define(my_version, [2.5])
m4_define(my_bug_email, [dstuart@dstuart.org]) m4_define(my_bug_email, [dstuart@dstuart.org])
AC_INIT(my_package, my_version, my_bug_email) AC_INIT(my_package, my_version, my_bug_email)
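Review bot: the commit message states that libfko-2.0 function prototypes are no longer compatible with older versions, but this hunk only changes the package version string, and none of the 8 files in the commit touch the shared library's libtool -version-info or soname. Bumping the package version does not prevent a binary built against the old libfko from loading the new one and calling changed prototypes; the library ABI version should be bumped in the same commit that breaks it.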

View File

@ -760,7 +760,7 @@ With the access request arguments and encryption and HMAC keys generated and sav
in ``$HOME/.fwknoprc'', the keys themselves need to be transferred to the '2.2.2.2' in ``$HOME/.fwknoprc'', the keys themselves need to be transferred to the '2.2.2.2'
system where fwknopd is running. As always, this should be done via some secure system where fwknopd is running. As always, this should be done via some secure
means such as SSH before SPA is enabled and SSHD is blocked by the firewall. Here means such as SSH before SPA is enabled and SSHD is blocked by the firewall. Here
is what the new '2.2.2.2' stanza looks like in the .fwknoprc file: is what the new '2.2.2.2' stanza looks like in the '~/.fwknoprc' file:
.......................... ..........................
$ tail -n 8 /home/user/.fwknoprc $ tail -n 8 /home/user/.fwknoprc
@ -791,7 +791,7 @@ file (some *--verbose* output is included for illustration):
Random Value: 8950423288486978 Random Value: 8950423288486978
Username: mbr Username: mbr
Timestamp: 1370194770 Timestamp: 1370194770
FKO Version: 2.5.0 FKO Version: 2.5
Message Type: 1 (Access msg) Message Type: 1 (Access msg)
Message String: 1.1.1.1,tcp/22 Message String: 1.1.1.1,tcp/22
Nat Access: <NULL> Nat Access: <NULL>
@ -818,7 +818,7 @@ and HMAC keys, and configuration specifics can be found in the 'fwknopd(8)'
manual page). Also, note the examples below prompt the user to supply the manual page). Also, note the examples below prompt the user to supply the
encryption and HMAC keys via stdin instead of writing them to disk as in the encryption and HMAC keys via stdin instead of writing them to disk as in the
case of using the ``$HOME/.fwknoprc'' file in the example above. However, all case of using the ``$HOME/.fwknoprc'' file in the example above. However, all
of the following examples can be converted to using the .fwknoprc file just by of the following examples can be converted to using the ~/.fwknoprc file just by
adding the *--save-rc-stanza* argument: adding the *--save-rc-stanza* argument:
.......................... ..........................
@ -840,7 +840,7 @@ specifics are printed to stdout (not all output is shown for brevity):
Random Value: 1916307060193417 Random Value: 1916307060193417
Username: mbr Username: mbr
Timestamp: 1368498909 Timestamp: 1368498909
FKO Version: 2.5.0 FKO Version: 2.5
Message Type: 1 (Access msg) Message Type: 1 (Access msg)
Message String: 1.1.1.1,tcp/22 Message String: 1.1.1.1,tcp/22
Nat Access: <NULL> Nat Access: <NULL>

View File

@ -136,7 +136,8 @@ COMMAND-LINE OPTIONS
*-S, --status*:: *-S, --status*::
Display the status of any *fwknopd* processes that may or not be Display the status of any *fwknopd* processes that may or not be
running. running. If there is an existing fwknopd process then 0 is returned for the
exit status and 1 is returned otherwise.
*-v, --verbose*:: *-v, --verbose*::
Run *fwknopd* in verbose mode. This can option can be specified Run *fwknopd* in verbose mode. This can option can be specified
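Review bot: the new sentence gives only the 0/1 cases, but the fwknopd.c hunk returns EXIT_FAILURE for every old_pid <= 0, so a missing or unreadable PID file is also reported as exit status 1 and indistinguishable from "not running"; the option text should say so, e.g. "1 is returned if no fwknopd process is found or the PID file cannot be read". While editing this entry, the surrounding context has two pre-existing typos worth fixing in the same pass: "may or not be running" should read "may or may not be running", and in the --verbose entry "This can option can be specified" has a duplicated word.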
@ -155,7 +156,7 @@ FWKNOPD CONFIG AND ACCESS VARIABLES
*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf'' file for configuration variables *fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf'' file for configuration variables
that define its operational parameters (what network interface and port that define its operational parameters (what network interface and port
to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file
does not define any access control directives. does not define any access control directives.
The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' file. The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' file.
Access control directives define encryption keys and level of access that Access control directives define encryption keys and level of access that

View File

@ -13,7 +13,7 @@
%define _mandir /usr/share/man %define _mandir /usr/share/man
Name: fwknop Name: fwknop
Version: 2.5.0b Version: 2.5
Epoch: 1 Epoch: 1
Release: 1%{?dist} Release: 1%{?dist}
Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization. Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization.
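Review bot: moving Version from 2.5.0b to 2.5 with Epoch and Release unchanged makes the new package compare older than the previous one. rpmvercmp compares "2.5.0b" and "2.5" segment by segment, and the string with more segments wins once the shared segments are equal, so 1:2.5.0b-1 > 1:2.5-1 and yum/rpm will refuse to upgrade a host that has the beta installed. Either keep a three-component version (2.5.0), or bump Epoch to 2 for this release.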
@ -30,13 +30,13 @@ Requires: libfko, iptables
%package -n libfko %package -n libfko
Version: 1.0.0 Version: 2.0
Summary: The fwknop library Summary: The fwknop library
Group: Development/Libraries Group: Development/Libraries
Requires: gpg, gpgme Requires: gpg, gpgme
%package -n libfko-devel %package -n libfko-devel
Version: 1.0.0 Version: 2.0
Summary: The fwknop library header and API docs Summary: The fwknop library header and API docs
Group: Development/Libraries Group: Development/Libraries
Requires: libfko Requires: libfko
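Review bot: libfko-devel still has an unversioned "Requires: libfko" even though this commit makes the 2.0 headers prototype-incompatible with libfko 1.0.0; pin the dependency (Requires: libfko = 2.0, or the subpackage's own %{version}) so the new headers cannot be installed alongside the old library. The main package's "Requires: libfko" in the context above has the same issue.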

View File

@ -53,7 +53,7 @@ extern "C" {
/* General params /* General params
*/ */
#define FKO_PROTOCOL_VERSION "2.5.0" /* The fwknop protocol version */ #define FKO_PROTOCOL_VERSION "2.0" /* The fwknop protocol version */
/* Supported FKO Message types... /* Supported FKO Message types...
*/ */
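Review bot: the comment on FKO_PROTOCOL_VERSION says it is the fwknop protocol version, but the commit message says SPA packet construction stays backwards compatible and that it is the libfko version that moves to 2.0. Either this macro tracks the library rather than the wire format, in which case the comment should be corrected to say so, or the string embedded in SPA packets really is changing from 2.5.0 to 2.0 (which reads as a downgrade to any peer comparing versions) and the compatibility claim in the commit message needs qualifying. Please state which it is in the comment.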

View File

@ -2,12 +2,12 @@
.\" Title: fwknopd .\" Title: fwknopd
.\" Author: [see the "AUTHORS" section] .\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/01/2013 .\" Date: 06/27/2013
.\" Manual: Fwknop Server .\" Manual: Fwknop Server
.\" Source: Fwknop Server .\" Source: Fwknop Server
.\" Language: English .\" Language: English
.\" .\"
.TH "FWKNOPD" "8" "06/01/2013" "Fwknop Server" "Fwknop Server" .TH "FWKNOPD" "8" "06/27/2013" "Fwknop Server" "Fwknop Server"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -202,7 +202,7 @@ Rotate the digest cache file by renaming it to \(lq<name>\-old\(rq, and starting
.RS 4 .RS 4
Display the status of any Display the status of any
\fBfwknopd\fR \fBfwknopd\fR
processes that may or not be running\&. processes that may or not be running\&. If there is an existing fwknopd process then 0 is returned for the exit status and 1 is returned otherwise\&.
.RE .RE
.PP .PP
\fB\-v, \-\-verbose\fR \fB\-v, \-\-verbose\fR

View File

@ -101,11 +101,15 @@ main(int argc, char **argv)
old_pid = write_pid_file(&opts); old_pid = write_pid_file(&opts);
if(old_pid > 0) if(old_pid > 0)
{
fprintf(stdout, "Detected fwknopd is running (pid=%i).\n", old_pid); fprintf(stdout, "Detected fwknopd is running (pid=%i).\n", old_pid);
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS);
}
else else
{
fprintf(stdout, "No running fwknopd detected.\n"); fprintf(stdout, "No running fwknopd detected.\n");
clean_exit(&opts, NO_FW_CLEANUP, EXIT_FAILURE);
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS); }
} }
/* Restart the currently running fwknopd? /* Restart the currently running fwknopd?
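Review bot: returning EXIT_FAILURE for "no running fwknopd" conflates a clean negative answer with an actual failure (PID file unreadable, wrong permissions), since both arrive here as old_pid <= 0 and exit with the same status. If the goal is scriptability, consider distinguishing the two, for instance by following the LSB init-script status convention where 3 means "not running" and 1 means "dead but PID file exists", or at least documenting that 1 covers both. Minor: the man page promises 0 and 1 literally, so keep EXIT_SUCCESS/EXIT_FAILURE only if every supported platform defines them as 0 and 1, or return the literals here.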