[server] Preserve any existing config files in /etc/fwknop/

Updated the 'make install' step to not overwrite any existing config files in /etc/fwknop/ and instead install new copies from the source tree at /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst
2012-08-13 22:39:03 -04:00 · 2012-08-13 22:39:03 -04:00 · 863838d0ba
commit 863838d0ba
parent 8fafd4b80b
7 changed files with 366 additions and 6 deletions
--- a/5
+++ b/5
@ -63,7 +63,10 @@ fwknop-2.0.2 (08//2012):
      This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
      and was suggested by Hank Leininger.
    - [server] 'make install' fix to ensure restrictive permissions on the
-      /etc/fwknop/ directory and /etc/fwknop/* files.
+      /etc/fwknop/ directory and /etc/fwknop/* files.  Also updated the 'make
+      install' step to not overwrite any existing config files in /etc/fwknop/
+      and instead install new copies from the source tree at
+      /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst

 fwknop-2.0.1 (07/23/2012):
    - [server] Bug fix where the same encryption key used for two stanzas in
--- a/ChangeLog.git
+++ b/ChangeLog.git
@ -0,0 +1,313 @@
+commit 8fafd4b80bf215da311dc2b53f33b0e4cd269944 (HEAD, refs/heads/master)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 12 19:57:11 2012 -0400
+
+    [server] 'make install' permissions fix
+    
+    Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
+    Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
+
+ ChangeLog   |    2 ++
+ Makefile.am |    3 +++
+ todo.org    |    5 +++--
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 543de16613b89723ef1350df3e59df126586800e
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 12 15:44:13 2012 -0400
+
+    [server] iptables 'comment' match check
+    
+    Implemented a new check to ensure that the iptables 'comment' match exists to
+    ensure the proper environment for fwknopd operations.  This check is controlled
+    by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank
+    Leininger.
+
+ CREDITS                   |    5 +++
+ ChangeLog                 |    4 +++
+ server/cmd_opts.h         |    1 +
+ server/config_init.c      |    6 ++++
+ server/fw_util.h          |    1 +
+ server/fw_util_iptables.c |   75 ++++++++++++++++++++++++++++++++++++++++++++-
+ server/fw_util_iptables.h |    1 +
+ server/fwknopd.conf       |    9 ++++++
+ server/fwknopd_common.h   |   26 ++++++++--------
+ todo.org                  |    5 ++-
+ 10 files changed, 119 insertions(+), 14 deletions(-)
+
+commit a087b11887ff4fffb4057198e559d448b016ac0e
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 12 15:23:38 2012 -0400
+
+    todo update
+
+ todo.org |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+commit a686d96d444ab739742e31967153b2bf02b62f0d
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 12 09:29:51 2012 -0400
+
+    Added todo.org org mode file
+    
+    The todo.org mode file was built with vim and the VimOrganizer project:
+    
+    https://github.com/hsitz/VimOrganizer
+
+ Makefile.am |    1 +
+ todo.org    |   10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+commit dc23c640bb2f757a2121ea0a83d18648dcaec32f (tag: refs/tags/fwknop-2.0.2-pre2)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Aug 11 09:33:54 2012 -0400
+
+    added gpg_no_pw_access.conf file for no password gpg tests
+
+ Makefile.am |    1 +
+ 1 file changed, 1 insertion(+)
+
+commit 72229b5f46084e9cfca36bb2e1ba23c4b7f09b66
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Aug 11 09:21:49 2012 -0400
+
+    bumped version to fwknop-2.0.2-pre2
+
+ VERSION      |    2 +-
+ configure.ac |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 27ccfe35d36c7ba1d94734fb21a46c77aaf30719 (refs/remotes/origin/master)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 10 21:52:09 2012 -0400
+
+    [server] Added GPG_ALLOW_NO_PW variable and associated test suite support
+    
+    For GPG mode, added a new access.conf variable "GPG_ALLOW_NO_PW" to make it
+    possible to leverage a server-side GPG key pair that has no associated
+    password.  This comes in handy when a system requires the user to leverage
+    gpg-agent / pinentry which can present a problem in automated environments as
+    required by the fwknopd server.  Now, it might seem like a problem to remove
+    the passphrase from a GPG key pair, but it's important to note that simply
+    doing this is little worse than storing the passphrase in the clear on disk
+    anyway in the access.conf file.  Further, this link help provides additional
+    detail:
+    
+    http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment
+
+ ChangeLog                              |   23 +++++
+ Makefile.am                            |   12 ++-
+ server/access.c                        |   13 +++
+ server/incoming_spa.c                  |    2 +-
+ test/conf/client-gpg-no-pw/pubring.gpg |  Bin 0 -> 2480 bytes
+ test/conf/client-gpg-no-pw/secring.gpg |  Bin 0 -> 1274 bytes
+ test/conf/client-gpg-no-pw/trustdb.gpg |  Bin 0 -> 1360 bytes
+ test/conf/gpg_no_pw_access.conf        |    7 ++
+ test/conf/server-gpg-no-pw/pubring.gpg |  Bin 0 -> 2480 bytes
+ test/conf/server-gpg-no-pw/secring.gpg |  Bin 0 -> 1276 bytes
+ test/conf/server-gpg-no-pw/trustdb.gpg |  Bin 0 -> 1360 bytes
+ test/test-fwknop.pl                    |  176 ++++++++++++++++++++++++++++++++
+ 12 files changed, 229 insertions(+), 4 deletions(-)
+
+commit 0af3bd0ee10768f6838aafe9fdc66187e5be9ee4
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 10 21:48:02 2012 -0400
+
+    [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT
+    
+    Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate
+    the corresponding functionality that is implemented for iptables firewalls.
+    
+    Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then
+    do not disable this set whenever the FLUSH_IPFW* variables are enabled.
+    
+    These changes were suggested by Jonathan Schulz.
+
+ server/cmd_opts.h       |    2 +
+ server/config_init.c    |   26 +++++++++++-
+ server/fw_util_ipfw.c   |   46 ++++++++++++--------
+ server/fwknopd.conf     |  108 ++++++++++++++++++++++++++---------------------
+ server/fwknopd_common.h |    4 ++
+ 5 files changed, 121 insertions(+), 65 deletions(-)
+
+commit c6f3fde5371c1be48d8e1bc7e17dde89e19d02fc
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 10 21:43:49 2012 -0400
+
+    bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality
+
+ server/fw_util_iptables.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+commit fbdae500641b4ab46bc54dbf2e509eae2625dc44
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Wed Aug 8 21:27:33 2012 -0400
+
+    added Geoff Carstairs for the FORCE_NAT idea
+
+ CREDITS |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+commit fd3044012843dfcaa9ab4f9030c70732f29a3b90
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 5 14:07:42 2012 -0400
+
+    added Aldan Beaubien for reporting the Morpheus NULL IP problem
+
+ CREDITS |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+commit e70739d2117a229e842d3a1bc43f1cf2a6fab46e
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 5 13:05:55 2012 -0400
+
+    minor whitespace update
+
+ server/fw_util_ipfw.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+commit f6ac4484c95f443dfce9c6b7dafbff8126ade9ad
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Aug 5 13:05:30 2012 -0400
+
+    minor memset value update 0 -> 0x0 to conform to other memset() calls
+
+ client/http_resolve_host.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 4cde31584fb9afed499b5951b7ae88b7765808c3 (tag: refs/tags/fwknop-2.0.2-pre1)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 3 22:16:22 2012 -0400
+
+    bumped version to 2.0.2-pre1
+
+ VERSION                      |    2 +-
+ android/project/jni/config.h |    6 +++---
+ configure.ac                 |    2 +-
+ fwknop.spec                  |    2 +-
+ iphone/Classes/config.h      |    6 +++---
+ lib/fko.h                    |    2 +-
+ 6 files changed, 10 insertions(+), 10 deletions(-)
+
+commit 79a947603a7c2bc4636d33834ca0b9fdd033a894
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 3 22:08:14 2012 -0400
+
+    added changes for the 2.0.2 release (so far)
+
+ ChangeLog |   38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+commit 29512bd8ec16f47db568694ec172075412ca115d
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 3 21:49:03 2012 -0400
+
+    [client] -R http recv() read until close (Jonathan Schulz)
+    
+    Applied patch from Jonathan Schulz to ensure that the fwknop client reads all
+    data from a remote webserver when resolving the client IP address in -R mode.
+    Jonathan indicated that some webservers would transfer HTTP headers and data
+    separately, and a single recv() would therefore fail to get the necessary IP
+    information.
+
+ client/http_resolve_host.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+commit 7c1db891061dba5cdc29fb8cfe0c88e0a4a408dd
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Aug 3 21:30:24 2012 -0400
+
+    minor white space fix tabs->spaces
+
+ client/http_resolve_host.c |   82 ++++++++++++++++++++++----------------------
+ 1 file changed, 41 insertions(+), 41 deletions(-)
+
+commit 7061b7bd3ecb1de6ae151b6b85af9251d46e32c6
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Wed Aug 1 23:40:34 2012 -0400
+
+    added Jonathan Schulz
+
+ CREDITS |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+commit 84e036f95b6b239c95c696b884c3989fc30af338
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Wed Aug 1 23:27:34 2012 -0400
+
+    Change HTTP connection type to 'close' in -R mode
+    
+    Applied patch from Jonathan Schulz to change the HTTP connection type to
+    'close' for the client in -R mode.
+
+ client/http_resolve_host.c |    2 +-
+ client/spa_comm.c          |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 5fd3343ca9ae8cce9e39d8a4ccb0efb41ae78128
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Wed Aug 1 22:30:02 2012 -0400
+
+    added client IP resolution test with complete SPA->SSH cycle
+
+ test/test-fwknop.pl |   39 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+commit 016098a2543126f2fa01b3f4057646f0ad2842c5
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Jul 29 23:31:15 2012 -0400
+
+    Replay attack bug fix (encryption prefixes)
+    
+    Ensure that an attacker cannot force a replay attack by intercepting an
+    SPA packet and the replaying it with the base64 version of "Salted__"
+    (for Rindael) or the "hQ" prefix (for GnuPG).  This is an important fix.
+    The following comment was added into the fwknopd code:
+    
+    /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
+     * since an attacker might have tacked them on to a previously seen
+     * SPA packet in an attempt to get past the replay check.  And, we're
+     * no worse off since a legitimate SPA packet that happens to include
+     * a prefix after the outer one is stripped off won't decrypt properly
+     * anyway because libfko would not add a new one.
+    */
+    
+    Conflicts:
+    
+    	lib/cipher_funcs.h
+
+ lib/cipher_funcs.h    |    6 ------
+ lib/fko.h             |    8 ++++++++
+ server/incoming_spa.c |   14 ++++++++++++++
+ test/test-fwknop.pl   |   48 +++++++++++++++++++++++++++++++++++++++++++++---
+ 4 files changed, 67 insertions(+), 9 deletions(-)
+
+commit c0e53482fa766f1c89d18931e35ebca6297f8018
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Jul 29 21:31:44 2012 -0400
+
+    [libfko] minor memory leak fix for user detection (corner case)
+
+ lib/fko_user.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+commit 060fbb607f25ea2cd511d4cd548dc419d8eb3884
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Jul 28 00:08:30 2012 -0400
+
+    [server] replay attack detection memory leak bug fix
+    
+    This commit fixes the following memory leak found with valgrind:
+    
+    44 bytes in 1 blocks are definitely lost in loss record 2 of 2
+       at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
+       by 0x490EA50: strdup (strdup.c:43)
+       by 0x10CD69: incoming_spa (incoming_spa.c:162)
+       by 0x10E000: process_packet (process_packet.c:200)
+       by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
+       by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
+       by 0x10DABF: pcap_capture (pcap_capture.c:226)
+       by 0x10A798: main (fwknopd.c:299)
+
+ server/incoming_spa.c |    4 ++++
+ 1 file changed, 4 insertions(+)
--- a/Makefile.am
+++ b/Makefile.am
@ -48,7 +48,8 @@ EXTRA_DIST = \
    android/project/jni/libfwknop/get_libfko_files.sh \
    android/project/jni/logutils.h \
    android/project/jni/Android.mk \
-    ChangeLog* \
+    ChangeLog \
+    ChangeLog.git \
    CREDITS \
    todo.org \
    extras/fwknop.init.debian \
@ -169,6 +170,40 @@ dist-hook:
 	rm -f $(distdir)/client/fwknop.8
 	rm -f $(distdir)/server/fwknopd.8

+uninstall-local:
+	if test -f $(sysconfdir)/fwknop/fwknopd.conf; then \
+		rm -f $(sysconfdir)/fwknop/fwknopd.conf; \
+	fi
+	if test -f $(sysconfdir)/fwknop/fwknopd.conf.inst; then \
+		rm -f $(sysconfdir)/fwknop/fwknopd.conf.inst; \
+	fi
+	if test -f $(sysconfdir)/fwknop/access.conf; then \
+		rm -f $(sysconfdir)/fwknop/access.conf; \
+	fi
+	if test -f $(sysconfdir)/fwknop/access.conf.inst; then \
+		rm -f $(sysconfdir)/fwknop/access.conf.inst; \
+	fi
+
 install-exec-hook:
-	chmod 500 $(sysconfdir)/fwknop
-	chmod 700 $(sysconfdir)/fwknop/*
+	if test -d $(sysconfdir)/fwknop; then \
+		chmod 700 $(sysconfdir)/fwknop; \
+	fi
+	if test -f $(sysconfdir)/fwknop/fwknopd.conf; then :; \
+	else \
+		if test -f $(sysconfdir)/fwknop/fwknopd.conf.inst; then \
+			mv $(sysconfdir)/fwknop/fwknopd.conf.inst $(sysconfdir)/fwknop/fwknopd.conf; \
+		fi \
+	fi
+	if test -f $(sysconfdir)/fwknop/access.conf; then :; \
+	else \
+		if test -f $(sysconfdir)/fwknop/access.conf.inst; then \
+			mv $(sysconfdir)/fwknop/access.conf.inst $(sysconfdir)/fwknop/access.conf; \
+		fi \
+	fi
+	if test -f $(sysconfdir)/fwknop/fwknopd.conf; then \
+		chmod 600 $(sysconfdir)/fwknop/fwknopd.conf; \
+	fi
+	if test -f $(sysconfdir)/fwknop/access.conf; then \
+		chmod 600 $(sysconfdir)/fwknop/access.conf; \
+	fi
+
--- a/server/Makefile.am
+++ b/server/Makefile.am
@ -28,7 +28,7 @@ fwknopddir        = @sysconfdir@/fwknop

 dist_man_MANS     = fwknopd.8

-dist_fwknopd_DATA = fwknopd.conf access.conf
+dist_fwknopd_DATA = fwknopd.conf.inst access.conf.inst

 EXTRA_DIST        = fwknopd.8.in

@ -44,4 +44,3 @@ fwknopd.8: $(top_srcdir)/server/fwknopd.8.in

 clean-local:
 	rm -f fwknopd.8
-
--- a/server/access.conf.inst
+++ b/server/access.conf.inst
@ -0,0 +1 @@
+access.conf
--- a/server/fwknopd.conf.inst
+++ b/server/fwknopd.conf.inst
@ -0,0 +1 @@
+fwknopd.conf
--- a/todo.org
+++ b/todo.org
@ -2,6 +2,13 @@
  This is the main todo org mode file for the fwknop project
 ** COMPLETED
   This bucket is for completed tasks.
+*** Preserve existing configs under 'make install'
+    :CLOSED: <2012-08-13 Mon>
+    - The current 'make install' behavior overwrites any existing fwknopd config
+    files from a previous installation.
+    - Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the
+      fwknopd.conf file already exists, and similarly for the access.conf
+      file.
 *** fwknopd iptables comment match detection
    :CLOSED: <2012-08-12 Sun>
   Hank Leininger suggested that fwknopd do better detection for the iptables
@ -20,3 +27,4 @@
 ** ipfw active/expire sets cannot be the same
   Add a check to ensure that active and expire sets are not the same value in
   fwknopd.conf, and add a corresponding test in the test suite.
+