diff --git a/Makefile.am b/Makefile.am index 0e8a37a4..4153df8d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,4 @@ +ACLOCAL_AMFLAGS = -I m4 if WANT_CLIENT CLIENT_DIR = client @@ -38,7 +39,6 @@ EXTRA_DIST = \ android/project/nbproject/private/config.properties \ android/project/nbproject/genfiles.properties \ android/project/build.properties \ - android/project/assets \ android/project/AndroidManifest.xml \ android/project/jni/fwknop/fwknop_client.c \ android/project/jni/fwknop/fwknop_client.h \ diff --git a/README b/README index 6ba264fd..8901abd3 100644 --- a/README +++ b/README @@ -73,13 +73,12 @@ migrate to this version, there are some things to be aware of: NOTE FOR DEVELOPERS =================== -If you are pulling this distribution from Subversion, you will need to -run the "autoreconf -i" the first time after unpacking. After that, you -can leave off the "-i" option of "autoreconf" when you want to regenerate -the configuration. If, for wome reason, autoreconf does not work for you, -you can try the "autogen.sh" script in the top of the distribution directory -in order to generate the autoconf (and other) meta files, and the `configure' -script. +If you are pulling this distribution from Subversion, you should run the +"autogen.sh" script to generate the autoconf files. If you get errors about +missing directories or files, try running "autogen.sh" again. After that +you can run the "autoreconf -i" when you want to regenerate the configuration. +If, for some reason, autoreconf does not work for you, the "autogen.sh" +script should suffice. The fwknop and fwknopd man page nroff sources are included in their respective directorys (client and server). These nroff files are derived diff --git a/configure.ac b/configure.ac index 8757135d..a6f74ca5 100644 --- a/configure.ac +++ b/configure.ac 
@@ -11,11 +11,12 @@ AC_PREREQ(2.62) dnl Define our name, version and email. m4_define(my_package, [fwknop]) -m4_define(my_version, [2.0rc5]) +m4_define(my_version, [2.0]) m4_define(my_bug_email, [dstuart@dstuart.org]) AC_INIT(my_package, my_version, my_bug_email) +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR(config) AC_CANONICAL_TARGET 
@@ -39,104 +40,42 @@ AH_BOTTOM([ #endif /* FWKNOP_CONFIG_H */ ]) -dnl Decide whether or not to build the client +dnl FKO_CHECK_COMPILER_ARG([COMPILER FLAG]) dnl -want_client=yes -AC_ARG_ENABLE([client], - [AS_HELP_STRING([--disable-client], - [Do not build the fwknop client @<:@default is to build@:>@])], - [want_client=$enableval], - []) -AM_CONDITIONAL([WANT_CLIENT], [test "$want_client" = yes]) - -dnl Decide whether or not to build the server +dnl Macro to check compiler support for the given compiler option. +dnl Adds to CFLAGS and LDFLAGS if supported. dnl -want_server=yes -AC_ARG_ENABLE([server], - [AS_HELP_STRING([--disable-server], - [Do not build the fwknop server @<:@default is to build@:>@])], - [want_server=$enableval], - []) -AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes]) - -dnl Decide whether or not to enable the digest-cache +dnl The structure of this macro was adapted from OpenSSH. dnl -want_digest_cache=yes -AC_ARG_ENABLE([digest-cache], - [AS_HELP_STRING([--disable-digest-cache], - [Do not enable the fwknopd digest-cache @<:@default is to build@:>@])], - [want_digest_cache=$enableval], - []) -dnl AM_CONDITIONAL([WANT_DIGEST_CACHE], [test "$want_digest_cache" = yes]) - -dnl Decide whether or not to try to look for gdbm/ndbm (default to just -dnl use a file-based solution - reduces dependencies) -dnl -want_file_cache=yes -AC_ARG_ENABLE([file-cache], - [AS_HELP_STRING([--disable-file-cache], - [Replace file cache with gdbm/ndbm @<:@default on@:>@])], - [want_file_cache=$enableval], - []) -AS_IF([test "$want_file_cache" = yes], [ - AC_DEFINE([USE_FILE_CACHE], [1], [Define this to enable non-gdbm/ndbm digest storing (eliminates gdbm/ndbm dependency).]) -]) - -dnl Decide whether or not to enable all warnings with -Wall -dnl -use_wall=yes -AC_ARG_ENABLE([wall], - [AS_HELP_STRING([--disable-wall], - [Do not enable all warnings via -Wall @<:@default is on@:>@])], - [use_wall=$enableval], - []) - - -dnl Decide whether or not to enable 
-fstack-protector -dnl -use_stack_protector=yes -AC_ARG_ENABLE([stack-protector], - [AS_HELP_STRING([--disable-stack-protector], - [Do not enable -fstack-protector @<:@default is on@:>@])], - [use_stack_protector=$enableval], - []) - -dnl Decide whether or not to enable Position Independent Executable (PIE) -dnl support -dnl -use_pie=yes -AC_ARG_ENABLE([pie], - [AS_HELP_STRING([--disable-pie], - [Do not enable Position Independent Executable support @<:@default is on@:>@])], - [use_pie=$enableval], - []) - -dnl Decide whether or not to enable -D_FORTIFY_SOURCE support -dnl -use_fortify_source=yes -AC_ARG_ENABLE([fortify-source], - [AS_HELP_STRING([--disable-fortify-source], - [Do not enable -D_FORTIFY_SOURCE support @<:@default is on@:>@])], - [use_fortify_source=$enableval], - []) - -dnl Decide whether or not to use read-only relocations protection -dnl -use_ro_relocations=yes -AC_ARG_ENABLE([ro-relocations], - [AS_HELP_STRING([--disable-ro-relocations], - [Do not enable read-only relocations protection @<:@default is on@:>@])], - [use_ro_relocations=$enableval], - []) - -dnl Decide whether or not to use immediate binding protection -dnl -use_immediate_binding=yes -AC_ARG_ENABLE([immediate-binding], - [AS_HELP_STRING([--disable-immediate-binding], - [Do not enable immediate binding protection @<:@default is on@:>@])], - [use_immediate_binding=$enableval], - []) +AC_DEFUN([FKO_CHECK_COMPILER_ARG], [ + saved_CFLAGS="$CFLAGS" + saved_LDFLAGS="$LDFLAGS" + CFLAGS="$CFLAGS $1 -Werror" + LDFLAGS="$LDFLAGS $1 -Werror" + AC_MSG_CHECKING([if $CC supports $1]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} + ])], + [ + CFLAGS="$saved_CFLAGS $1" + LDFLAGS="$saved_LDFLAGS $1" + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} + ])], + [AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(no) + CFLAGS="$saved_CFLAGS" + LDFLAGS="$saved_LDFLAGS"], + 
[AC_MSG_WARN([cross compiling: cannot test])]) + ], + [AC_MSG_RESULT(no) + CFLAGS="$saved_CFLAGS" + LDFLAGS="$saved_LDFLAGS"] + )])dnl AC_GNU_SOURCE 
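Review bot: FKO_CHECK_COMPILER_ARG tests its whole argument as one flag string, so the call `FKO_CHECK_COMPILER_ARG([-fstack-protector-all -fstack-protector])` in the following hunk no longer falls back to `-fstack-protector` the way the removed `for t in -fstack-protector-all -fstack-protector; do ... break` loop did; a compiler that rejects `-fstack-protector-all` now ends up with no stack protector at all, and configure only prints "no". A small extension covers this: give the macro an optional action-if-not-supported argument by appending `$2` after `LDFLAGS="$saved_LDFLAGS"` in both failure branches, and have the call site pass the fallback as `FKO_CHECK_COMPILER_ARG([-fstack-protector-all], [FKO_CHECK_COMPILER_ARG([-fstack-protector])])`. Separately, the cross-compiling branch of the inner AC_RUN_IFELSE emits only AC_MSG_WARN, so the preceding "checking if $CC supports ..." line never gets an AC_MSG_RESULT; since that branch keeps the flag, `[AC_MSG_RESULT([yes (assumed, cross compiling)]) AC_MSG_WARN([cross compiling: cannot test])]` would close it. The `#include` line of both probe programs shows no header name in this rendering; confirm the file names `<stdio.h>` there, as the probe calls snprintf.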
@@ -149,16 +88,92 @@ AC_PROG_GREP AC_PROG_INSTALL AC_PROG_LN_S AC_PROG_MAKE_SET -AC_PROG_RANLIB AC_PROG_LIBTOOL -case "$host" in -*-*-linux*) - ;; -*-*-openbsd*) - AC_DEFINE_UNQUOTED([PLATFORM_OPENBSD], [1], [Define if you are running on OpenBSD]) - ;; -esac +dnl Decide whether or not to enable all warnings with -Wall +dnl +use_wall=yes +AC_ARG_ENABLE([wall], + [AS_HELP_STRING([--disable-wall], + [Do not enable all warnings via -Wall @<:@default is on@:>@])], + [use_wall=$enableval], + []) + +if test "x$use_wall" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-Wall]) +fi + +dnl Check for security features offered by the compiler + +dnl -fstack-protector-all doesn't always work for some GCC versions +dnl and/or platforms, so we test if we can. If it's not supported +dnl on a given platform gcc will emit a warning so we use -Werror. +dnl +dnl Decide whether or not to enable -fstack-protector +dnl +use_stack_protector=yes +AC_ARG_ENABLE([stack-protector], + [AS_HELP_STRING([--disable-stack-protector], + [Do not enable -fstack-protector @<:@default is on@:>@])], + [use_stack_protector=$enableval], + []) + +if test "x$use_stack_protector" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-fstack-protector-all -fstack-protector]) +fi + +dnl Decide whether or not to enable Position Independent Executable (PIE) +dnl support +dnl +use_pie=yes +AC_ARG_ENABLE([pie], + [AS_HELP_STRING([--disable-pie], + [Do not enable Position Independent Executable support @<:@default is on@:>@])], + [use_pie=$enableval], + []) + +if test "x$use_pie" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-fPIE -pie]) +fi + +dnl Decide whether or not to enable -D_FORTIFY_SOURCE support +dnl +use_fortify_source=yes +AC_ARG_ENABLE([fortify-source], + [AS_HELP_STRING([--disable-fortify-source], + [Do not enable -D_FORTIFY_SOURCE support @<:@default is on@:>@])], + [use_fortify_source=$enableval], + []) + +if test "x$use_fortify_source" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-D_FORTIFY_SOURCE=2]) +fi + +dnl Decide whether 
or not to use read-only relocations protection +dnl +use_ro_relocations=yes +AC_ARG_ENABLE([ro-relocations], + [AS_HELP_STRING([--disable-ro-relocations], + [Do not enable read-only relocations protection @<:@default is on@:>@])], + [use_ro_relocations=$enableval], + []) + +if test "x$use_ro_relocations" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-Wl,-z,relro]) +fi + +dnl Decide whether or not to use immediate binding protection +dnl +use_immediate_binding=yes +AC_ARG_ENABLE([immediate-binding], + [AS_HELP_STRING([--disable-immediate-binding], + [Do not enable immediate binding protection @<:@default is on@:>@])], + [use_immediate_binding=$enableval], + []) + +if test "x$use_immediate_binding" = "xyes"; then + FKO_CHECK_COMPILER_ARG([-Wl,-z,now]) +fi # Checks for header files. # 
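Review bot: The `-D_FORTIFY_SOURCE=2` probe on the `use_fortify_source` branch compiles the macro's test program at whatever optimization level the caller's CFLAGS already carry, and with glibc `_FORTIFY_SOURCE` is inert without optimization; glibc versions that `#warning` about this will, under the macro's `-Werror`, fail the probe and silently drop the flag for anyone who configures with e.g. `CFLAGS=-g`. The other default-on options in this hunk (stack protector, PIE, relro, now) share that failure mode: a rejected flag leaves only a "no" in the configure output, so a hardening regression across compilers or distributions goes unnoticed. Consider `AC_MSG_NOTICE([Resulting CFLAGS: $CFLAGS])` and `AC_MSG_NOTICE([Resulting LDFLAGS: $LDFLAGS])` after the last FKO_CHECK_COMPILER_ARG call so the final hardening set is recorded in config.log, or an AC_MSG_WARN in the macro's failure branches when a default-on option is dropped. The flags themselves match what the removed per-option loops tested, so this is an observability gap the commit could close rather than a regression it introduces.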
@@ -202,216 +217,56 @@ AC_CHECK_FUNCS([bzero gettimeofday memmove memset socket strchr strcspn strdup s AC_SEARCH_LIBS([socket], [socket]) AC_SEARCH_LIBS([inet_addr], [nsl]) -# Add -Wall -# -if test "x$use_wall" = "xyes"; then - for t in -Wall; do - AC_MSG_CHECKING(if $CC supports $t) - saved_CFLAGS="$CFLAGS" - saved_LDFLAGS="$LDFLAGS" - CFLAGS="$CFLAGS $t -Werror" - LDFLAGS="$LDFLAGS $t -Werror" - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - CFLAGS="$saved_CFLAGS $t" - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - CFLAGS="$saved_CFLAGS" - LDFLAGS="$saved_LDFLAGS" - done -fi +case "$host" in +*-*-linux*) + ;; +*-*-openbsd*) + AC_DEFINE_UNQUOTED([PLATFORM_OPENBSD], [1], [Define if you are running on OpenBSD]) + ;; +esac -# Check for security features offered by the compiler -# +dnl Decide whether or not to build the client +dnl +want_client=yes +AC_ARG_ENABLE([client], + [AS_HELP_STRING([--disable-client], + [Do not build the fwknop client @<:@default is to build@:>@])], + [want_client=$enableval], + []) +AM_CONDITIONAL([WANT_CLIENT], [test "$want_client" = yes]) -# Adapted from OpenSSH: -# -fstack-protector-all doesn't always work for some GCC versions -# and/or platforms, so we test if we can. If it's not supported -# on a given platform gcc will emit a warning so we use -Werror. 
-if test "x$use_stack_protector" = "xyes"; then - for t in -fstack-protector-all -fstack-protector; do - AC_MSG_CHECKING(if $CC supports $t) - saved_CFLAGS="$CFLAGS" - saved_LDFLAGS="$LDFLAGS" - CFLAGS="$CFLAGS $t -Werror" - LDFLAGS="$LDFLAGS $t -Werror" - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - CFLAGS="$saved_CFLAGS $t" - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - CFLAGS="$saved_CFLAGS" - LDFLAGS="$saved_LDFLAGS" - done -fi +dnl Decide whether or not to build the server +dnl +want_server=yes +AC_ARG_ENABLE([server], + [AS_HELP_STRING([--disable-server], + [Do not build the fwknop server @<:@default is to build@:>@])], + [want_server=$enableval], + []) +AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes]) -if test "x$use_pie" = "xyes"; then - for t in "-fPIE -pie"; do - AC_MSG_CHECKING(if $CC supports $t) - saved_CFLAGS="$CFLAGS" - saved_LDFLAGS="$LDFLAGS" - CFLAGS="$CFLAGS $t -Werror" - LDFLAGS="$LDFLAGS $t -Werror" - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - CFLAGS="$saved_CFLAGS $t" - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - CFLAGS="$saved_CFLAGS" - LDFLAGS="$saved_LDFLAGS" - done -fi +dnl Decide whether or not to enable the digest-cache +dnl 
+want_digest_cache=yes +AC_ARG_ENABLE([digest-cache], + [AS_HELP_STRING([--disable-digest-cache], + [Do not enable the fwknopd digest-cache @<:@default is to build@:>@])], + [want_digest_cache=$enableval], + []) +dnl AM_CONDITIONAL([WANT_DIGEST_CACHE], [test "$want_digest_cache" = yes]) -if test "x$use_fortify_source" = "xyes"; then - for t in "-D_FORTIFY_SOURCE=2"; do - AC_MSG_CHECKING(if $CC supports $t) - saved_CFLAGS="$CFLAGS" - saved_LDFLAGS="$LDFLAGS" - CFLAGS="$CFLAGS $t -Werror" - LDFLAGS="$LDFLAGS $t -Werror" - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - CFLAGS="$saved_CFLAGS $t" - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - CFLAGS="$saved_CFLAGS" - LDFLAGS="$saved_LDFLAGS" - done -fi - -if test "x$use_ro_relocations" = "xyes"; then - for t in "-Wl,-z,relro"; do - AC_MSG_CHECKING(if $CC supports $t) - saved_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $t -Werror" - AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - LDFLAGS="$saved_LDFLAGS" - done -fi - -if test "x$use_immediate_binding" = "xyes"; then - for t in "-Wl,-z,now"; do - AC_MSG_CHECKING(if $CC supports $t) - saved_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS $t -Werror" - 
AC_LINK_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - LDFLAGS="$saved_LDFLAGS $t" - AC_MSG_CHECKING(if $t works) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ -#include -int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;} - ])], - [ AC_MSG_RESULT(yes) - break ], - [ AC_MSG_RESULT(no) ], - [ AC_MSG_WARN([cross compiling: cannot test]) - break ] - ) - ], - [ AC_MSG_RESULT(no) ] - ) - LDFLAGS="$saved_LDFLAGS" - done -fi +dnl Decide whether or not to try to look for gdbm/ndbm (default to just +dnl use a file-based solution - reduces dependencies) +dnl +want_file_cache=yes +AC_ARG_ENABLE([file-cache], + [AS_HELP_STRING([--disable-file-cache], + [Replace file cache with gdbm/ndbm @<:@default on@:>@])], + [want_file_cache=$enableval], + []) +AS_IF([test "$want_file_cache" = yes], [ + AC_DEFINE([USE_FILE_CACHE], [1], [Define this to enable non-gdbm/ndbm digest storing (eliminates gdbm/ndbm dependency).]) +]) # Check for 3rd-party libs # diff --git a/fwknop.spec b/fwknop.spec index 5308f674..f6338e8e 100644 --- a/fwknop.spec +++ b/fwknop.spec @@ -13,9 +13,8 @@ %define _mandir /usr/share/man Name: fwknop -Version: 2.0rc5 -# Uncomment this when the version becomes 2.0.0 (without the rcX). -#Epoch: 1 +Version: 2.0 +Epoch: 1 Release: 1%{?dist} Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization. diff --git a/server/pcap_capture.c b/server/pcap_capture.c index 79365143..41eaf909 100644 --- a/server/pcap_capture.c +++ b/server/pcap_capture.c @@ -158,7 +158,7 @@ pcap_capture(fko_srv_options_t *opts) } /* Initialize our signal handlers. You can check the return value for - * the number of signals that were *not* set. Those that we not set + * the number of signals that were *not* set. Those that were not set * will be listed in the log/stderr output. */ if(set_sig_handlers() > 0) 
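Review bot: The `--disable-digest-cache` option relocated into this hunk is accepted but not consumed: `want_digest_cache` is set from `$enableval` and its only use, `AM_CONDITIONAL([WANT_DIGEST_CACHE], ...)`, is commented out with `dnl`, so unless something outside this hunk reads the variable the option is a no-op while its help text ("Do not enable the fwknopd digest-cache") says otherwise. The digest cache is fwknopd's store for detecting replayed SPA packets, so a switch that claims to turn it off should either work or be withdrawn; the cleanest fix is to mirror the `file-cache` block directly below it with an `AS_IF([test "$want_digest_cache" = yes], [AC_DEFINE(...)])` that defines whatever symbol the server code actually checks, or to drop the AC_ARG_ENABLE until the server honours it. This is pre-existing code that the commit only moves, but the move is a good moment to resolve it. The relocated `case "$host"` block still only defines PLATFORM_OPENBSD, unchanged from before.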
diff --git a/server/process_packet.c b/server/process_packet.c
index 1ef96d59..8923b231 100644
--- a/server/process_packet.c
+++ b/server/process_packet.c
@@ -8,7 +8,7 @@
 * Purpose: Packet parser/decoder for fwknopd server. Takes the raw packet
 * data from libpcap and parses/extracts the packet data payload,
 * then creates an FKO context with that data. If the context
- * creation is successfull, it is queued for processing.
+ * creation is successful, it is queued for processing.
 *
 * Copyright 2010 Damien Stuart (dstuart@dstuart.org)
 *
diff --git a/server/tcp_server.c b/server/tcp_server.c
index 77c0ac32..b3bedb79 100644
--- a/server/tcp_server.c
+++ b/server/tcp_server.c
@@ -117,7 +117,7 @@ run_tcp_server(fko_srv_options_t *opts)

 if(fcntl(s_sock, F_SETFL, sfd_flags) < 0)
 {
- log_msg(LOG_ERR, "run_tcp_server: fcntl F_SETFL error setting )_NONBLOCK: %s",
+ log_msg(LOG_ERR, "run_tcp_server: fcntl F_SETFL error setting O_NONBLOCK: %s",
 strerror(errno));
 exit(EXIT_FAILURE);
 }