From 863838d0ba54c666150d98c643c7cc0456404e18 Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Mon, 13 Aug 2012 22:39:03 -0400 Subject: [PATCH] [server] Preserve any existing config files in /etc/fwknop/ Updated the 'make install' step to not overwrite any existing config files in /etc/fwknop/ and instead install new copies from the source tree at /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst --- ChangeLog | 5 +- ChangeLog.git | 313 +++++++++++++++++++++++++++++++++++++++ Makefile.am | 41 ++++- server/Makefile.am | 3 +- server/access.conf.inst | 1 + server/fwknopd.conf.inst | 1 + todo.org | 8 + 7 files changed, 366 insertions(+), 6 deletions(-) create mode 100644 ChangeLog.git create mode 120000 server/access.conf.inst create mode 120000 server/fwknopd.conf.inst diff --git a/ChangeLog b/ChangeLog index 67a66bc0..6bcdbd02 100644 --- a/ChangeLog +++ b/ChangeLog @@ -63,7 +63,10 @@ fwknop-2.0.2 (08//2012): This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank Leininger. - [server] 'make install' fix to ensure restrictive permissions on the - /etc/fwknop/ directory and /etc/fwknop/* files. + /etc/fwknop/ directory and /etc/fwknop/* files. Also updated the 'make + install' step to not overwrite any existing config files in /etc/fwknop/ + and instead install new copies from the source tree at + /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst fwknop-2.0.1 (07/23/2012): - [server] Bug fix where the same encryption key used for two stanzas in diff --git a/ChangeLog.git b/ChangeLog.git new file mode 100644 index 00000000..aee3b003 --- /dev/null +++ b/ChangeLog.git 
@@ -0,0 +1,313 @@ +commit 8fafd4b80bf215da311dc2b53f33b0e4cd269944 (HEAD, refs/heads/master) +Author: Michael Rash +Date: Sun Aug 12 19:57:11 2012 -0400 + + [server] 'make install' permissions fix + + Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files. + Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax. + + ChangeLog | 2 ++ + Makefile.am | 3 +++ + todo.org | 5 +++-- + 3 files changed, 8 insertions(+), 2 deletions(-) + +commit 543de16613b89723ef1350df3e59df126586800e +Author: Michael Rash +Date: Sun Aug 12 15:44:13 2012 -0400 + + [server] iptables 'comment' match check + + Implemented a new check to ensure that the iptables 'comment' match exists to + ensure the proper environment for fwknopd operations. This check is controlled + by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank + Leininger. + + CREDITS | 5 +++ + ChangeLog | 4 +++ + server/cmd_opts.h | 1 + + server/config_init.c | 6 ++++ + server/fw_util.h | 1 + + server/fw_util_iptables.c | 75 ++++++++++++++++++++++++++++++++++++++++++++- + server/fw_util_iptables.h | 1 + + server/fwknopd.conf | 9 ++++++ + server/fwknopd_common.h | 26 ++++++++-------- + todo.org | 5 ++- + 10 files changed, 119 insertions(+), 14 deletions(-) + +commit a087b11887ff4fffb4057198e559d448b016ac0e +Author: Michael Rash +Date: Sun Aug 12 15:23:38 2012 -0400 + + todo update + + todo.org | 8 ++++++++ + 1 file changed, 8 insertions(+) + +commit a686d96d444ab739742e31967153b2bf02b62f0d +Author: Michael Rash +Date: Sun Aug 12 09:29:51 2012 -0400 + + Added todo.org org mode file + + The todo.org mode file was built with vim and the VimOrganizer project: + + https://github.com/hsitz/VimOrganizer + + Makefile.am | 1 + + todo.org | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +commit dc23c640bb2f757a2121ea0a83d18648dcaec32f (tag: refs/tags/fwknop-2.0.2-pre2) +Author: Michael Rash +Date: Sat Aug 11 09:33:54 2012 -0400 + + added gpg_no_pw_access.conf file for no 
password gpg tests + + Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +commit 72229b5f46084e9cfca36bb2e1ba23c4b7f09b66 +Author: Michael Rash +Date: Sat Aug 11 09:21:49 2012 -0400 + + bumped version to fwknop-2.0.2-pre2 + + VERSION | 2 +- + configure.ac | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 27ccfe35d36c7ba1d94734fb21a46c77aaf30719 (refs/remotes/origin/master) +Author: Michael Rash +Date: Fri Aug 10 21:52:09 2012 -0400 + + [server] Added GPG_ALLOW_NO_PW variable and associated test suite support + + For GPG mode, added a new access.conf variable "GPG_ALLOW_NO_PW" to make it + possible to leverage a server-side GPG key pair that has no associated + password. This comes in handy when a system requires the user to leverage + gpg-agent / pinentry which can present a problem in automated environments as + required by the fwknopd server. Now, it might seem like a problem to remove + the passphrase from a GPG key pair, but it's important to note that simply + doing this is little worse than storing the passphrase in the clear on disk + anyway in the access.conf file. 
Further, this link help provides additional + detail: + + http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment + + ChangeLog | 23 +++++ + Makefile.am | 12 ++- + server/access.c | 13 +++ + server/incoming_spa.c | 2 +- + test/conf/client-gpg-no-pw/pubring.gpg | Bin 0 -> 2480 bytes + test/conf/client-gpg-no-pw/secring.gpg | Bin 0 -> 1274 bytes + test/conf/client-gpg-no-pw/trustdb.gpg | Bin 0 -> 1360 bytes + test/conf/gpg_no_pw_access.conf | 7 ++ + test/conf/server-gpg-no-pw/pubring.gpg | Bin 0 -> 2480 bytes + test/conf/server-gpg-no-pw/secring.gpg | Bin 0 -> 1276 bytes + test/conf/server-gpg-no-pw/trustdb.gpg | Bin 0 -> 1360 bytes + test/test-fwknop.pl | 176 ++++++++++++++++++++++++++++++++ + 12 files changed, 229 insertions(+), 4 deletions(-) + +commit 0af3bd0ee10768f6838aafe9fdc66187e5be9ee4 +Author: Michael Rash +Date: Fri Aug 10 21:48:02 2012 -0400 + + [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT + + Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate + the corresponding functionality that is implemented for iptables firewalls. + + Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then + do not disable this set whenever the FLUSH_IPFW* variables are enabled. + + These changes were suggested by Jonathan Schulz. 
+ + server/cmd_opts.h | 2 + + server/config_init.c | 26 +++++++++++- + server/fw_util_ipfw.c | 46 ++++++++++++-------- + server/fwknopd.conf | 108 ++++++++++++++++++++++++++--------------------- + server/fwknopd_common.h | 4 ++ + 5 files changed, 121 insertions(+), 65 deletions(-) + +commit c6f3fde5371c1be48d8e1bc7e17dde89e19d02fc +Author: Michael Rash +Date: Fri Aug 10 21:43:49 2012 -0400 + + bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality + + server/fw_util_iptables.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +commit fbdae500641b4ab46bc54dbf2e509eae2625dc44 +Author: Michael Rash +Date: Wed Aug 8 21:27:33 2012 -0400 + + added Geoff Carstairs for the FORCE_NAT idea + + CREDITS | 7 +++++++ + 1 file changed, 7 insertions(+) + +commit fd3044012843dfcaa9ab4f9030c70732f29a3b90 +Author: Michael Rash +Date: Sun Aug 5 14:07:42 2012 -0400 + + added Aldan Beaubien for reporting the Morpheus NULL IP problem + + CREDITS | 5 +++++ + 1 file changed, 5 insertions(+) + +commit e70739d2117a229e842d3a1bc43f1cf2a6fab46e +Author: Michael Rash +Date: Sun Aug 5 13:05:55 2012 -0400 + + minor whitespace update + + server/fw_util_ipfw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit f6ac4484c95f443dfce9c6b7dafbff8126ade9ad +Author: Michael Rash +Date: Sun Aug 5 13:05:30 2012 -0400 + + minor memset value update 0 -> 0x0 to conform to other memset() calls + + client/http_resolve_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 4cde31584fb9afed499b5951b7ae88b7765808c3 (tag: refs/tags/fwknop-2.0.2-pre1) +Author: Michael Rash +Date: Fri Aug 3 22:16:22 2012 -0400 + + bumped version to 2.0.2-pre1 + + VERSION | 2 +- + android/project/jni/config.h | 6 +++--- + configure.ac | 2 +- + fwknop.spec | 2 +- + iphone/Classes/config.h | 6 +++--- + lib/fko.h | 2 +- + 6 files changed, 10 insertions(+), 10 deletions(-) + +commit 79a947603a7c2bc4636d33834ca0b9fdd033a894 +Author: Michael Rash +Date: Fri Aug 3 
22:08:14 2012 -0400 + + added changes for the 2.0.2 release (so far) + + ChangeLog | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +commit 29512bd8ec16f47db568694ec172075412ca115d +Author: Michael Rash +Date: Fri Aug 3 21:49:03 2012 -0400 + + [client] -R http recv() read until close (Jonathan Schulz) + + Applied patch from Jonathan Schulz to ensure that the fwknop client reads all + data from a remote webserver when resolving the client IP address in -R mode. + Jonathan indicated that some webservers would transfer HTTP headers and data + separately, and a single recv() would therefore fail to get the necessary IP + information. + + client/http_resolve_host.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +commit 7c1db891061dba5cdc29fb8cfe0c88e0a4a408dd +Author: Michael Rash +Date: Fri Aug 3 21:30:24 2012 -0400 + + minor white space fix tabs->spaces + + client/http_resolve_host.c | 82 ++++++++++++++++++++++---------------------- + 1 file changed, 41 insertions(+), 41 deletions(-) + +commit 7061b7bd3ecb1de6ae151b6b85af9251d46e32c6 +Author: Michael Rash +Date: Wed Aug 1 23:40:34 2012 -0400 + + added Jonathan Schulz + + CREDITS | 4 ++++ + 1 file changed, 4 insertions(+) + +commit 84e036f95b6b239c95c696b884c3989fc30af338 +Author: Michael Rash +Date: Wed Aug 1 23:27:34 2012 -0400 + + Change HTTP connection type to 'close' in -R mode + + Applied patch from Jonathan Schulz to change the HTTP connection type to + 'close' for the client in -R mode. 
+ + client/http_resolve_host.c | 2 +- + client/spa_comm.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5fd3343ca9ae8cce9e39d8a4ccb0efb41ae78128 +Author: Michael Rash +Date: Wed Aug 1 22:30:02 2012 -0400 + + added client IP resolution test with complete SPA->SSH cycle + + test/test-fwknop.pl | 39 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 36 insertions(+), 3 deletions(-) + +commit 016098a2543126f2fa01b3f4057646f0ad2842c5 +Author: Michael Rash +Date: Sun Jul 29 23:31:15 2012 -0400 + + Replay attack bug fix (encryption prefixes) + + Ensure that an attacker cannot force a replay attack by intercepting an + SPA packet and the replaying it with the base64 version of "Salted__" + (for Rindael) or the "hQ" prefix (for GnuPG). This is an important fix. + The following comment was added into the fwknopd code: + + /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes + * since an attacker might have tacked them on to a previously seen + * SPA packet in an attempt to get past the replay check. And, we're + * no worse off since a legitimate SPA packet that happens to include + * a prefix after the outer one is stripped off won't decrypt properly + * anyway because libfko would not add a new one. 
+ */ + + Conflicts: + + lib/cipher_funcs.h + + lib/cipher_funcs.h | 6 ------ + lib/fko.h | 8 ++++++++ + server/incoming_spa.c | 14 ++++++++++++++ + test/test-fwknop.pl | 48 +++++++++++++++++++++++++++++++++++++++++++++--- + 4 files changed, 67 insertions(+), 9 deletions(-) + +commit c0e53482fa766f1c89d18931e35ebca6297f8018 +Author: Michael Rash +Date: Sun Jul 29 21:31:44 2012 -0400 + + [libfko] minor memory leak fix for user detection (corner case) + + lib/fko_user.c | 4 ++++ + 1 file changed, 4 insertions(+) + +commit 060fbb607f25ea2cd511d4cd548dc419d8eb3884 +Author: Michael Rash +Date: Sat Jul 28 00:08:30 2012 -0400 + + [server] replay attack detection memory leak bug fix + + This commit fixes the following memory leak found with valgrind: + + 44 bytes in 1 blocks are definitely lost in loss record 2 of 2 + at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) + by 0x490EA50: strdup (strdup.c:43) + by 0x10CD69: incoming_spa (incoming_spa.c:162) + by 0x10E000: process_packet (process_packet.c:200) + by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1) + by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1) + by 0x10DABF: pcap_capture (pcap_capture.c:226) + by 0x10A798: main (fwknopd.c:299) + + server/incoming_spa.c | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/Makefile.am b/Makefile.am index 68eb30bd..30e530df 100644 --- a/Makefile.am +++ b/Makefile.am @@ -48,7 +48,8 @@ EXTRA_DIST = \ android/project/jni/libfwknop/get_libfko_files.sh \ android/project/jni/logutils.h \ android/project/jni/Android.mk \ - ChangeLog* \ + ChangeLog \ + ChangeLog.git \ CREDITS \ todo.org \ extras/fwknop.init.debian \ 
@@ -169,6 +170,40 @@ dist-hook: rm -f $(distdir)/client/fwknop.8 rm -f $(distdir)/server/fwknopd.8 +uninstall-local: + if test -f $(sysconfdir)/fwknop/fwknopd.conf; then \ + rm -f $(sysconfdir)/fwknop/fwknopd.conf; \ + fi + if test -f $(sysconfdir)/fwknop/fwknopd.conf.inst; then \ + rm -f $(sysconfdir)/fwknop/fwknopd.conf.inst; \ + fi + if test -f $(sysconfdir)/fwknop/access.conf; then \ + rm -f $(sysconfdir)/fwknop/access.conf; \ + fi + if test -f $(sysconfdir)/fwknop/access.conf.inst; then \ + rm -f $(sysconfdir)/fwknop/access.conf.inst; \ + fi + install-exec-hook: - chmod 500 $(sysconfdir)/fwknop - chmod 700 $(sysconfdir)/fwknop/* + if test -d $(sysconfdir)/fwknop; then \ + chmod 700 $(sysconfdir)/fwknop; \ + fi + if test -f $(sysconfdir)/fwknop/fwknopd.conf; then :; \ + else \ + if test -f $(sysconfdir)/fwknop/fwknopd.conf.inst; then \ + mv $(sysconfdir)/fwknop/fwknopd.conf.inst $(sysconfdir)/fwknop/fwknopd.conf; \ + fi \ + fi + if test -f $(sysconfdir)/fwknop/access.conf; then :; \ + else \ + if test -f $(sysconfdir)/fwknop/access.conf.inst; then \ + mv $(sysconfdir)/fwknop/access.conf.inst $(sysconfdir)/fwknop/access.conf; \ + fi \ + fi + if test -f $(sysconfdir)/fwknop/fwknopd.conf; then \ + chmod 600 $(sysconfdir)/fwknop/fwknopd.conf; \ + fi + if test -f $(sysconfdir)/fwknop/access.conf; then \ + chmod 600 $(sysconfdir)/fwknop/access.conf; \ + fi + diff --git a/server/Makefile.am b/server/Makefile.am index e04e2964..a61a17ee 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -28,7 +28,7 @@ fwknopddir = @sysconfdir@/fwknop dist_man_MANS = fwknopd.8 -dist_fwknopd_DATA = fwknopd.conf access.conf +dist_fwknopd_DATA = fwknopd.conf.inst access.conf.inst EXTRA_DIST = fwknopd.8.in @@ -44,4 +44,3 @@ fwknopd.8: $(top_srcdir)/server/fwknopd.8.in clean-local: rm -f fwknopd.8 - diff --git a/server/access.conf.inst b/server/access.conf.inst new file mode 120000 index 00000000..a21e0935 --- /dev/null +++ b/server/access.conf.inst 
@@ -0,0 +1 @@ +access.conf \ No newline at end of file diff --git a/server/fwknopd.conf.inst b/server/fwknopd.conf.inst new file mode 120000 index 00000000..324aed32 --- /dev/null +++ b/server/fwknopd.conf.inst @@ -0,0 +1 @@ +fwknopd.conf \ No newline at end of file diff --git a/todo.org b/todo.org index 2a6aaa85..7d051c67 100644 --- a/todo.org +++ b/todo.org @@ -2,6 +2,13 @@ This is the main todo org mode file for the fwknop project ** COMPLETED This bucket is for completed tasks. +*** Preserve existing configs under 'make install' + :CLOSED: <2012-08-13 Mon> + - The current 'make install' behavior overwrites any existing fwknopd config + files from a previous installation. + - Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the + fwknopd.conf file already exists, and similarly for the access.conf + file. *** fwknopd iptables comment match detection :CLOSED: <2012-08-12 Sun> Hank Leininger suggested that fwknopd do better detection for the iptables @@ -20,3 +27,4 @@ ** ipfw active/expire sets cannot be the same Add a check to ensure that active and expire sets are not the same value in fwknopd.conf, and add a corresponding test in the test suite. +
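Review bot: the new ChangeLog text in the `fwknop-2.0.2` hunk ends without a period after `/etc/fwknop/access.conf.inst`, unlike the entries around it, and it does not mention that `make uninstall` now removes both the installed config files and the `.inst` copies (the new `uninstall-local` rule), which is part of the same behaviour change and worth a sentence there.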
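Review bot: `ChangeLog.git` is a 313-line snapshot of `git log --stat` committed to the tree, so it is already stale in this very commit (its HEAD line is `8fafd4b8`, the previous commit) and will drift on every push. Generating it at release time from `dist-hook` (for example `git log --stat > $(distdir)/ChangeLog.git`) and keeping only `ChangeLog` under version control avoids the churn and the duplicated history.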
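Review bot: replacing the `ChangeLog*` glob in `EXTRA_DIST` with the two explicit entries is the right call, since the glob is expanded by the shell at `make dist` time and would silently ship editor backups such as `ChangeLog~`; no change requested for this hunk.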
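Review bot: every path in the new `uninstall-local` and `install-exec-hook` rules uses bare `$(sysconfdir)`, while automake installs `dist_fwknopd_DATA` under `$(DESTDIR)$(fwknopddir)`; with a staged install (`make install DESTDIR=/tmp/pkg`, as package builds do) the `mv` of `fwknopd.conf.inst` and the `chmod`s act on the build host's real `/etc/fwknop/` instead of the staging tree. Prefix each path with `$(DESTDIR)`, e.g. `if test -f $(DESTDIR)$(sysconfdir)/fwknop/fwknopd.conf; then :; \`. Three smaller points on the same hunk: `uninstall-local` deletes the admin's customised `fwknopd.conf` and `access.conf` (the latter holds the SPA keys), which sits oddly with a change whose purpose is to preserve existing configs, and removing only the `.inst` copies (which automake's generated uninstall for `dist_fwknopd_DATA` already does) would be the safer default; the old `chmod 700 $(sysconfdir)/fwknop/*` is dropped, so when an existing config is kept the freshly installed `.inst` files stay at `INSTALL_DATA`'s default 0644 and are protected only by the 0700 directory, so a `chmod 600` on them would keep the previous policy; and the directory mode changes from 500 to 700 without the commit message saying why. Since this hook acts on data files installed by `server/`, `install-data-hook` would also state the ordering dependency more honestly than `install-exec-hook`, which only runs after the subdirectory install because `.` is processed last in a recursive install.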
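Review bot: with `dist_fwknopd_DATA = fwknopd.conf.inst access.conf.inst`, the originals `fwknopd.conf` and `access.conf` are no longer named anywhere in `server/Makefile.am`, so they drop out of the release tarball unless listed elsewhere; if anything in the distribution (the test suite or docs) reads `server/fwknopd.conf`, add them to `EXTRA_DIST` here, e.g. `EXTRA_DIST = fwknopd.8.in fwknopd.conf access.conf`. The second hunk only removes a trailing blank line after `clean-local`.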
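Review bot: both `.inst` files are committed as symlinks (mode 120000) to the sibling config files, which `install` dereferences correctly, but on a checkout that does not materialise symlinks (git with `core.symlinks=false`, some archive exports) each becomes a one-line text file containing `access.conf` or `fwknopd.conf`, and `make install` would then place that one-line file in `/etc/fwknop/` as the live config. Committing real copies, or generating them with a rule such as `fwknopd.conf.inst: fwknopd.conf` / `cp $< $@` and adding them to `CLEANFILES`, avoids that failure mode.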
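Review bot: the final `+` line of the `todo.org` hunk adds an empty line at end of file that nothing needs; drop it. The COMPLETED entry's wording, "install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the fwknopd.conf file already exists", also understates the new behaviour slightly: the `.inst` copy is installed unconditionally and is renamed into place only when no config exists.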