diff --git a/ChangeLog b/ChangeLog
index 1be9513e..f774ff88 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7546 +1,46 @@
-commit a36082b543178695cd97508b920b682be0fa983e
-Author: Michael Rash
-Date: Mon Jan 2 18:33:42 2012 -0500
-
- moved ChangeLog-v2.0 to ChangeLog
-
- ChangeLog | 3916 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ChangeLog-v2.0 | 3916 --------------------------------------------------------
- 2 files changed, 3916 insertions(+), 3916 deletions(-)
-
-commit 36f21f95ceda35eefd5a6a8224308f38c2a6d6cd
-Author: Michael Rash
-Date: Mon Jan 2 18:32:35 2012 -0500
-
- removed old ChangeLog files
-
- ChangeLog | 3020 ---------------------------------------------------------
- ChangeLog.old | 227 -----
- 2 files changed, 0 insertions(+), 3247 deletions(-)
-
-commit 305708aa27587793a76b478bf9e7a4fafe957666
-Author: Michael Rash
-Date: Mon Jan 2 18:26:05 2012 -0500
-
- Added ChangeLog, ShortLog, and diffstat files for the 2.0 release.
-
- ChangeLog-v2.0 | 3916 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- ChangeLog-v2.0rc5 | 815 -----------
- ShortLog-v2.0 | 453 +++++++
- ShortLog-v2.0rc5 | 123 --
- diffstat-v2.0 | 1434 ++++++++++++++++++++
- diffstat-v2.0rc5 | 211 ---
- 6 files changed, 5803 insertions(+), 1149 deletions(-)
-
-commit 4ecbcba77c8e16986222c3218e35e3ff0deffd82
-Author: Michael Rash
-Date: Mon Jan 2 17:47:01 2012 -0500
-
- bumped version to 2.0
-
- extras/fwknop-launcher/fwknop-launcher-lsof.pl | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 9dae73d972946d588636753e3342166d68b1847e
-Author: Michael Rash
-Date: Mon Jan 2 15:26:42 2012 -0500
-
- added FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding protection compliation warnings on FreeBSD
-
- configure.ac | 34 ++++++++++++++++++++++++++++++++--
- 1 files changed, 32 insertions(+), 2 deletions(-)
-
-commit 6f6a9d727dc52f294064aec44e1a1c6d16a67ed9
-Author: Michael Rash
-Date: Mon Jan 2 15:25:35 2012 -0500
-
- minor test suite update to look for linker warnings in a more generic way
-
- test/test-fwknop.pl | 2 +-
- 1 files
changed, 1 insertions(+), 1 deletions(-)
-
-commit 1bd2592d15bb89c1a6ce4462ff9c685f0186d09a
-Author: Michael Rash
-Date: Mon Jan 2 15:10:55 2012 -0500
-
- minor test suite addition to check for linker input file warnings
-
- test/test-fwknop.pl | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit a6a6a004d462b693c86eb27ddb220cd5a0b82aa7
-Author: Michael Rash
-Date: Mon Jan 2 11:29:16 2012 -0500
-
- bumped version to 2.0
-
- VERSION | 2 +-
- android/project/jni/config.h | 6 +++---
- extras/openwrt/package/fwknop/Makefile | 2 +-
- win32/config.h | 2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-commit ac0bf15ea7b4cf94ad1fbc4524f14784e721322e
-Author: Michael Rash
-Date: Mon Jan 2 09:53:36 2012 -0500
-
- minor wording update subversion -> git
-
- README | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit aff8832d66a7fbf3cc867cd24149ccfb29df6504
-Author: Damien S. Stuart
-Date: Thu Dec 29 14:19:16 2011 -0500
-
- Refactored configure.ac to use a custom macro for compiler flag checks.
- Set version to 2.0 (non-release candidate).
- Minor typo fixes.
- - Makefile.am | 2 +- - README | 13 +- - configure.ac | 387 +++++++++++++++-------------------------------- - fwknop.spec | 5 +- - server/pcap_capture.c | 2 +- - server/process_packet.c | 2 +- - server/tcp_server.c | 2 +- - 7 files changed, 133 insertions(+), 280 deletions(-) - -commit 99b1a487568235c0a76373024498e5a50af36621 -Author: Michael Rash -Date: Mon Dec 12 20:41:39 2011 -0500 - - updated copyright and license statement - fwknop is GPL software - - AUTHORS | 10 +++------- - 1 files changed, 3 insertions(+), 7 deletions(-) - -commit 7ac5319847b6cf75dc5d5cdb4cdd41b55ee711b3 -Author: Michael Rash -Date: Mon Dec 5 22:23:00 2011 -0500 - - minor addition of the local_spa.key file for 'make dist' - - ChangeLog-v2.0rc5 | 18 ++++++++++++++++++ - ShortLog-v2.0rc5 | 5 ++++- - diffstat-v2.0rc5 | 10 ++++++---- - 3 files changed, 28 insertions(+), 5 deletions(-) - -commit 7a231a3b72758d93b4b9425fd403247aa2018499 -Author: Michael Rash -Date: Mon Dec 5 22:21:31 2011 -0500 - - added local_spa.key file - - Makefile.am | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -commit 3d0ceccf65010a84dd30fc5e9c567e24f03104ce -Author: Michael Rash -Date: Mon Dec 5 22:20:39 2011 -0500 - - added local_spa.key file - - test/local_spa.key | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -commit 710f98a9b572cd126cd3f662b29244bc0d6e6533 -Author: Michael Rash -Date: Mon Dec 5 22:16:38 2011 -0500 - - minor addition of the CREDITS file for 'make dist' - - ChangeLog-v2.0rc5 | 12 ++++++++++++ - ShortLog-v2.0rc5 | 4 +++- - diffstat-v2.0rc5 | 10 +++++----- - 3 files changed, 20 insertions(+), 6 deletions(-) - -commit 9bcd7cb137103db89400f4f652ab834e05ea5eba -Author: Michael Rash -Date: Mon Dec 5 22:16:03 2011 -0500 - - Added the CREDITS file for 'make dist' - - Makefile.am | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -commit 3b2ec921be16db4bcccb4a0bfe13ebdb620a5b31 -Author: Michael Rash -Date: Mon Dec 5 22:11:58 2011 -0500 - - change log doc updates - - 
ChangeLog-v2.0rc5 | 18 ++++++++++++++++++ - ShortLog-v2.0rc5 | 6 +++++- - diffstat-v2.0rc5 | 19 ++++++++++++++++--- - 3 files changed, 39 insertions(+), 4 deletions(-) - -commit 474a18b57d054939e6f4063d5ef491b4cee4a240 -Author: Michael Rash -Date: Mon Dec 5 22:10:47 2011 -0500 - - Added various files to Makefile.am so that 'make dist' continues to work - - Makefile.am | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 66 insertions(+), 0 deletions(-) - -commit 690fe25fa4201af8f76c28450177581ce14a1459 -Author: Michael Rash -Date: Mon Dec 5 21:14:31 2011 -0500 - - added CREDITS file, bumped software version, added ChangeLog files - - VERSION | 2 +- - android/project/jni/config.h | 6 +++--- - configure.ac | 2 +- - extras/openwrt/package/fwknop/Makefile | 2 +- - fwknop.spec | 2 +- - win32/config.h | 2 +- - 6 files changed, 8 insertions(+), 8 deletions(-) - -commit bcba9d6bdef6032a992e64a8bd6bd7604b83b006 -Author: Michael Rash -Date: Mon Dec 5 21:14:14 2011 -0500 - - added CREDITS file, bumped software version, added ChangeLog files - - CREDITS | 17 ++ - ChangeLog-v2.0rc5 | 767 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - ShortLog-v2.0rc5 | 114 ++++++++ - diffstat-v2.0rc5 | 196 ++++++++++++++ - 4 files changed, 1094 insertions(+), 0 deletions(-) - -commit 893b89a3eba5fa9945095f8df4460f912fdb0cbc -Author: Michael Rash -Date: Sat Dec 3 21:21:29 2011 -0500 - - minor compiler warning fix on OpenBSD - - server/fw_util_pf.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -commit 860b4527a455d1d50f2b563f4939ee1990b53bd8 -Author: Michael Rash -Date: Sat Dec 3 13:10:35 2011 -0500 - - minor compile fixes for FreeBSD - - server/access.c | 8 ++++++++ - server/fw_util_ipfw.c | 4 ++-- - server/incoming_spa.c | 12 ++++++++++++ - 3 files changed, 22 insertions(+), 2 deletions(-) - -commit 9b7c1a8ce69fe51337458cce4e7b5e9cb3d7654b -Author: Michael Rash -Date: Wed Nov 30 20:51:19 2011 -0500 - - Added FORCE_NAT mode to the access.conf 
file - - This commit adds a new configuration variable "FORCE_NAT" to the access.conf - file: - - For any valid SPA packet, force the requested connection to be NAT'd - through to the specified (usually internal) IP and port value. This is - useful if there are multiple internal systems running a service such as - SSHD, and you want to give transparent access to only one internal system - for each stanza in the access.conf file. This way, multiple external - users can each directly access only one internal system per SPA key. - - This commit also implements a few minor code cleanups. - - client/config_init.c | 24 +++++----- - client/fwknop_common.h | 4 +- - client/http_resolve_host.c | 6 +- - common/common.h | 4 +- - doc/fwknop.man.asciidoc | 4 +- - doc/fwknopd.man.asciidoc | 18 +++++-- - server/access.c | 51 ++++++++++++++++++-- - server/fw_util.h | 2 +- - server/fw_util_ipf.c | 4 +- - server/fw_util_ipfw.c | 2 +- - server/fw_util_iptables.c | 32 +++++++----- - server/fw_util_pf.c | 2 +- - server/fwknopd.c | 2 +- - server/fwknopd_common.h | 8 ++- - server/incoming_spa.c | 2 +- - server/tcp_server.c | 6 +- - test/conf/expired_stanza_access.conf | 2 +- - test/conf/force_nat_access.conf | 4 ++ - test/conf/future_expired_stanza_access.conf | 4 ++ - test/conf/invalid_expire_access.conf | 4 ++ - test/test-fwknop.pl | 70 +++++++++++++++++++++++++++ - 21 files changed, 199 insertions(+), 56 deletions(-) - -commit 8585958e6e164d47c3d9dc106d4a15aee18599b9 -Author: Michael Rash -Date: Mon Nov 28 23:20:11 2011 -0500 - - minor newline fix for access.conf output dump - - server/access.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -commit 2a1243fee6d618096bc402b5a56ae3c2670b8b50 -Author: Michael Rash -Date: Mon Nov 28 23:18:07 2011 -0500 - - memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336 - - server/incoming_spa.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -commit b280f5cde0246cdef33dee3f8be66a2bcef77336 
-Author: Michael Rash -Date: Mon Nov 28 22:03:21 2011 -0500 - - Added access stanza expiration feature, multiple access stanza bug fix - - This commit does two major things: - - 1) Two new access.conf variables are added "ACCESS_EXPIRE" and - "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having - to modify the access.conf file and restart fwknopd. - - 2) Allow an access stanza that matches the SPA source address to not - automatically short circuit other stanzas if there is an error (such as when - there are multiple encryption keys involved and an incoming SPA packet is - meant for, say, the second stanza and the first therefore doesn't allow - proper decryption). - - doc/fwknopd.man.asciidoc | 11 + - server/access.c | 99 +++-- - server/access.h | 2 +- - server/fw_util_iptables.c | 2 +- - server/fwknopd_common.h | 2 + - server/incoming_spa.c | 642 ++++++++++++++----------- - server/incoming_spa.h | 2 +- - test/conf/expired_epoch_stanza_access.conf | 4 + - test/conf/expired_stanza_access.conf | 4 + - test/conf/multi_stanzas_with_broken_keys.conf | 19 + - test/test-fwknop.pl | 51 ++- - 11 files changed, 530 insertions(+), 308 deletions(-) - -commit 9e884e9759362ce401bf77dab819b24e10caca62 -Author: Michael Rash -Date: Tue Nov 22 22:56:48 2011 -0500 - - added SPA packet aging tests - - test/test-fwknop.pl | 27 +++++++++++++++++++++++++++ - 1 files changed, 27 insertions(+), 0 deletions(-) - -commit 72a4353fd850c099816f6e1acb9fad12bcb2ff27 -Author: Michael Rash -Date: Tue Nov 22 22:56:36 2011 -0500 - - bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already) - - server/incoming_spa.c | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) - -commit 644b9e943214ed6ede762af72f395b73ea03faf0 -Author: Michael Rash -Date: Tue Nov 22 22:40:26 2011 -0500 - - added test for --test mode in the fwknop client - - test/test-fwknop.pl | 12 ++++++++++++ - 1 files changed, 12 insertions(+), 
0 deletions(-) - -commit 0015da44427bf988372818b26916a6229e9f68ca -Author: Michael Rash -Date: Tue Nov 22 22:34:10 2011 -0500 - - bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options - - client/fwknop.c | 21 +++++++++++++++++++++ - 1 files changed, 21 insertions(+), 0 deletions(-) - -commit 05b189ff4fe61c7149efcf4f18cada14553e6dbe -Author: Michael Rash -Date: Tue Nov 22 22:13:27 2011 -0500 - - added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access - - server/fw_util_iptables.c | 11 +- - server/fwknopd_errors.h | 3 +- - server/incoming_spa.c | 18 ++++- - test/conf/nat_fwknopd.conf | 5 + - test/test-fwknop.pl | 224 +++++++++++++++++++++++++++----------------- - 5 files changed, 169 insertions(+), 92 deletions(-) - -commit dd2deec73dc5f0d630ab86e92fe1e0073d692414 -Author: Michael Rash -Date: Fri Nov 18 23:23:50 2011 -0500 - - added tests for various access.conf variables - - server/access.c | 4 + - test/conf/mismatch_open_ports_access.conf | 4 + - test/conf/mismatch_user_access.conf | 4 + - test/conf/multi_gpg_access.conf | 7 + - test/conf/multi_stanzas_access.conf | 15 ++ - test/conf/open_ports_access.conf | 4 + - test/conf/require_src_access.conf | 5 + - test/conf/require_user_access.conf | 4 + - test/test-fwknop.pl | 270 ++++++++++++++++++++++++----- - 9 files changed, 274 insertions(+), 43 deletions(-) - -commit 63498c9032bfe74bc91de5d6607391e7b7cdfe36 -Author: Michael Rash -Date: Thu Nov 17 21:17:50 2011 -0500 - - added IP/subnet match tests, added --Anonymize-results mode - - server/access.c | 25 +++- - server/access.h | 2 +- - server/incoming_spa.c | 20 ++-- - test/conf/multi_source_match_access.conf | 3 + - test/conf/no_multi_source_match_access.conf | 3 + - test/conf/no_subnet_source_match_access.conf | 3 + - test/test-fwknop.pl | 190 ++++++++++++++++++++------ - 7 files changed, 189 insertions(+), 57 deletions(-) - -commit 
34cd0c7a78a62e1df2533641ca08adaaafa2aa7d -Author: Michael Rash -Date: Tue Nov 15 21:45:51 2011 -0500 - - simplified the client/server interaction code, started on IP filtering tests, added spoof username tests - - test/conf/ip_source_match_access.conf | 3 + - test/conf/no_source_match_access.conf | 3 + - test/conf/subnet_source_match_access.conf | 3 + - test/test-fwknop.pl | 358 ++++++++++++++--------------- - 4 files changed, 181 insertions(+), 186 deletions(-) - -commit 3d94aaa9205e5703c50635b9007efab485d9b2da -Author: Michael Rash -Date: Thu Nov 10 22:54:25 2011 -0500 - - minor test wording consolidation - - test/test-fwknop.pl | 42 +++++++++++++++++++++--------------------- - 1 files changed, 21 insertions(+), 21 deletions(-) - -commit 50b48147c0392cd91f7ad83af56b20d0abbd3c3e -Author: Michael Rash -Date: Thu Nov 10 22:33:32 2011 -0500 - - This commit fixes two memory leaks and adds a common exit function. - - The two memory leaks were found with the test suite running in - --enable-valgrind mode - here are the relevant error messages: - - For fwknopd server GPG clean up: - - ==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2 - ==345== at 0x4C2815C: malloc (vg_replace_malloc.c:236) - ==345== by 0x52F6B81: strdup (strdup.c:43) - ==345== by 0x10FA57: add_string_list_ent (access.c:308) - ==345== by 0x110513: parse_access_file (access.c:387) - ==345== by 0x10B5FB: main (fwknopd.c:193) - - For fwknop client rc file processing: - - ==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12 - ==8045== at 0x4C2815C: malloc (vg_replace_malloc.c:236) - ==8045== by 0x50A53AA: __fopen_internal (iofopen.c:76) - ==8045== by 0x10C3FF: process_rc (config_init.c:446) - ==8045== by 0x10C8F6: config_init (config_init.c:671) - ==8045== by 0x10AC9E: main (fwknop.c:62) - - There is also a new clean_exit() function that makes it easier to ensure that - resources are deallocated upon existing. 
- - client/config_init.c | 3 ++- - client/fwknop.c | 9 +++++++++ - client/fwknop_common.h | 2 ++ - lib/fko_user.c | 1 - - server/access.c | 21 +++++++++++---------- - server/config_init.c | 21 ++++++++++----------- - server/fw_util_ipf.c | 2 +- - server/fw_util_ipfw.c | 4 ++-- - server/fw_util_pf.c | 2 +- - server/fwknopd.c | 38 ++++++++++++++++++++++++++------------ - server/fwknopd_common.h | 6 ++++++ - server/incoming_spa.c | 1 + - server/log_msg.c | 2 +- - server/pcap_capture.c | 12 ++++++------ - server/replay_cache.c | 2 +- - 15 files changed, 79 insertions(+), 47 deletions(-) - -commit 9ebd55f52289d5904fbde3b8838ca92c7271d9e9 -Author: Michael Rash -Date: Thu Nov 10 22:33:00 2011 -0500 - - remove CMD timestamps for --diff mode - - test/test-fwknop.pl | 13 +++++++++---- - 1 files changed, 9 insertions(+), 4 deletions(-) - -commit 9e19b8bc267031900c555c55fc5c1e54b6093461 -Author: Michael Rash -Date: Sun Nov 6 13:51:23 2011 -0500 - - added --diff mode to the test suite to compare results from one execution to the next - - test/test-fwknop.pl | 119 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 116 insertions(+), 3 deletions(-) - -commit a5a3c06ef225c737acbd21c6cedd1a94f1a6c484 -Author: Michael Rash -Date: Fri Nov 4 23:46:31 2011 -0400 - - consolidated several test functions into a single generic_exec() function - - test/test-fwknop.pl | 124 ++++++++++++++++++-------------------------------- - 1 files changed, 45 insertions(+), 79 deletions(-) - -commit f41a26b389605311a21a95a9ad2b23f460ed02ee -Author: Michael Rash -Date: Thu Nov 3 22:15:19 2011 -0400 - - Fixed fwknopd memory leak, several other fixes and updates - - This commit does several things. First, a memory leak in fwknopd has been - fixed by ensuring to free access.conf stanzas. This bug was found with the - new test suite running in --enable-valgrind mode. 
Here is what some of the - valgrind output looked like to find the leak: - - ==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5 - ==19217== at 0x4C2815C: malloc (vg_replace_malloc.c:236) - ==19217== by 0x52F6B81: strdup (strdup.c:43) - ==19217== by 0x10FC8B: add_acc_string (access.c:49) - ==19217== by 0x1105C8: parse_access_file (access.c:756) - ==19217== by 0x10B79B: main (fwknopd.c:194) - ==19217== - ==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5 - ==19217== at 0x4C27480: calloc (vg_replace_malloc.c:467) - ==19217== by 0x10FEC0: add_source_mask (access.c:88) - ==19217== by 0x110100: expand_acc_source (access.c:191) - ==19217== by 0x1104B0: parse_access_file (access.c:500) - ==19217== by 0x10B79B: main (fwknopd.c:194) - ==19217== - ==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5 - ==19217== at 0x4C27480: calloc (vg_replace_malloc.c:467) - ==19217== by 0x1103E4: parse_access_file (access.c:551) - ==19217== by 0x10B79B: main (fwknopd.c:194) - ==19217== - ==19217== LEAK SUMMARY: - ==19217== definitely lost: 152 bytes in 1 blocks - ==19217== indirectly lost: 31 bytes in 3 blocks - ==19217== possibly lost: 0 bytes in 0 blocks - ==19217== still reachable: 8 bytes in 1 blocks - ==19217== suppressed: 0 bytes in 0 blocks - - Second, this commit changes how fwknopd acquires packet data with - pcap_dispatch() - packets are now processed within the callback function - process_packet() that is provided to pcap_dispatch(), the global packet - counter is incremented by the return value from pcap_dispatch() (since this is - the number of packets processed per pcap loop), and there are two new - fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the - number of packets that pcap_dispatch() should process per loop and the number - of microseconds that fwknopd should sleep per loop respectively. 
Without this - change, it was fairly easy to cause fwknopd to miss packets by creating bursts - of packets that would all be processed one at time with the usleep() delay - between each. For fwknopd deployed on a busy network and with a permissive - pcap filter (i.e. something other than the default that causes fwknopd to look - at, say, TCP ACK's), this change should help. - - Third, the criteria that a packet must reach before data copying into the - buffer designed for SPA processing has been tightened. A packet less than - /greater than the minimum/maximum expected sizes is ignored before data is - copied, and the base64 check is done as well. - - doc/fwknopd.man.asciidoc | 30 ++++++++++++++++++++++-------- - server/access.c | 30 +++++++++++++++++++++++------- - server/access.h | 1 + - server/cmd_opts.h | 2 ++ - server/config_init.c | 15 +++++++++++++++ - server/fwknopd.conf | 14 ++++++++++++++ - server/fwknopd_common.h | 4 ++++ - server/incoming_spa.c | 45 +++++++++++++++------------------------------ - server/pcap_capture.c | 25 +++++++++---------------- - server/process_packet.c | 17 +++++++++++++---- - server/utils.c | 21 +++++++++++++++++++++ - server/utils.h | 1 + - test/test-fwknop.pl | 5 ----- - 13 files changed, 140 insertions(+), 70 deletions(-) - -commit 97a8d751c1b02271e812701d4cb938833d36918a -Author: Michael Rash -Date: Sun Oct 30 22:14:00 2011 -0400 - - added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns - - test/test-fwknop.pl | 92 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 90 insertions(+), 2 deletions(-) - -commit 044ea54d936745e29c856de71818f0497633d531 -Author: Michael Rash -Date: Sat Oct 29 23:49:29 2011 -0400 - - updated client SPA verbose message to include the server IP/host - - client/fwknop.c | 38 -------------------------------------- - client/spa_comm.c | 36 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 36 insertions(+), 38 deletions(-) - -commit 
8e4b45dd568ef86ba773605662a5d058be714d33 -Author: Michael Rash -Date: Sat Oct 29 23:48:42 2011 -0400 - - minor looping criteria update for valgrind tests - - test/test-fwknop.pl | 26 ++++++++++++++++---------- - 1 files changed, 16 insertions(+), 10 deletions(-) - -commit ea3e81787121e56e1a44cc0a5ee3b9ba64c4f5eb -Author: Michael Rash -Date: Sat Oct 29 16:59:57 2011 -0400 - - [test-suite] added the ability to run all fwknop tests through valgrind - - test/test-fwknop.pl | 230 ++++++++++++++++++++++++++++++--------------------- - 1 files changed, 134 insertions(+), 96 deletions(-) - -commit f999e2e6720021328e2f34bf57d05b8081d8ffae -Author: Michael Rash -Date: Sat Oct 29 16:55:28 2011 -0400 - - bugfix to return preprocess_spa_data() result properly to calling function - - server/incoming_spa.c | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) - -commit b1b830f744b01e0a3f0d4a19b6d38dd51afaae1f -Author: Michael Rash -Date: Fri Oct 28 23:01:06 2011 -0400 - - update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces - - server/pcap_capture.c | 24 +++++++++++++++--------- - 1 files changed, 15 insertions(+), 9 deletions(-) - -commit cde71b1b274cae5af3b6e986e5ac369d79c0cc3a -Author: Michael Rash -Date: Fri Oct 28 23:00:26 2011 -0400 - - minor whitespace removal - - server/process_packet.c | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) - -commit dbbbe60fe4b6908bff56d026d886381c83a44087 -Author: Michael Rash -Date: Fri Oct 28 22:59:52 2011 -0400 - - added stack protection detection for OpenBSD systems - - test/hardening-check | 16 ++++++++++++++++ - 1 files changed, 16 insertions(+), 0 deletions(-) - -commit 2e96ece4b074beff06aaca2f51bd90c84bfeeef8 -Author: Michael Rash -Date: Fri Oct 28 22:42:27 2011 -0400 - - Update to ensure libfko.so path is detected properly on OpenBSD - - test/test-fwknop.pl | 26 +++++++++++++++++++++----- - 1 files changed, 21 insertions(+), 5 deletions(-) - -commit 
464dbe95d07657794aaac9e230153ffd84a2ed06 -Author: Michael Rash -Date: Thu Oct 27 21:51:55 2011 -0400 - - Update to print all firewall commands in --verbose mode - - This commit makes it easier to determine exactly which commands fwknopd - runs in --verbose mode when interacting with the underlying firewall. - This commit also adds --verbose --verbose mode to the test suite. - - server/access.c | 1 + - server/config_init.c | 4 +- - server/fw_util.h | 2 +- - server/fw_util_ipfw.c | 96 ++++++++++++++++++++++++++++++---------- - server/fw_util_iptables.c | 108 +++++++++++++++++++++++++++++++------------- - server/fw_util_pf.c | 6 +- - server/fwknopd.c | 4 +- - server/incoming_spa.c | 4 +- - server/log_msg.c | 2 +- - test/test-fwknop.pl | 59 +++++++----------------- - 10 files changed, 179 insertions(+), 107 deletions(-) - -commit 6388e8ac7fab3d89b164862c9e113fed37e9f397 -Author: Michael Rash -Date: Tue Oct 25 21:00:40 2011 -0400 - - added 'const' to function prototype vars where possible - - Added the 'const' qualifier to function prototype variables where possible. - In addition, reduced some functions to file-scope with 'static' where possible. - - Also made a few minor changes to remove extra whitespace, and fixed a bug - in create_fwknoprc() to ensure the new fwknoprc filehandle is closed. 
- - client/config_init.c | 24 ++-- - client/fwknop.c | 26 ++-- - client/getpasswd.c | 4 +- - client/spa_comm.c | 26 +++-- - client/spa_comm.h | 2 +- - client/utils.c | 2 +- - client/utils.h | 2 +- - lib/base64.c | 2 +- - lib/base64.h | 2 +- - lib/cipher_funcs.c | 22 ++-- - lib/cipher_funcs.h | 4 +- - lib/digest.c | 4 +- - lib/fko.h | 28 +++--- - lib/fko_client_timeout.c | 6 +- - lib/fko_decode.c | 34 +++--- - lib/fko_digest.c | 24 ++-- - lib/fko_encode.c | 16 ++-- - lib/fko_encryption.c | 58 +++++----- - lib/fko_error.c | 2 +- - lib/fko_funcs.c | 18 ++-- - lib/fko_message.c | 10 +- - lib/fko_nat_access.c | 2 +- - lib/fko_rand_value.c | 4 +- - lib/fko_server_auth.c | 2 +- - lib/fko_timestamp.c | 6 +- - lib/gpgme_funcs.c | 2 +- - lib/gpgme_funcs.h | 2 +- - lib/rijndael.c | 268 ++++++++++++++++++++++---------------------- - server/access.c | 32 +++--- - server/access.h | 4 +- - server/config_init.c | 21 ++-- - server/config_init.h | 2 +- - server/extcmd.c | 8 +- - server/extcmd.h | 4 +- - server/fw_util.h | 8 +- - server/fw_util_ipf.c | 8 +- - server/fw_util_ipfw.c | 14 +- - server/fw_util_ipfw.h | 2 +- - server/fw_util_iptables.c | 16 ++-- - server/fw_util_pf.c | 10 +- - server/fwknopd.c | 8 +- - server/fwknopd_errors.c | 29 +++--- - server/fwknopd_errors.h | 4 +- - server/incoming_spa.c | 6 +- - server/process_packet.c | 12 +- - server/tcp_server.c | 4 +- - server/utils.c | 2 +- - server/utils.h | 2 +- - 48 files changed, 402 insertions(+), 396 deletions(-) - -commit 85377267e299118d5302afde3dfeed426b353879 -Author: Michael Rash -Date: Mon Oct 24 21:52:13 2011 -0400 - - compiler warning fix for sscanf() on freebsd - - This commit fixes the following gcc warning on freebsd systems: - - replay_cache.c: In function 'replay_file_cache_init': - replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *' - - server/replay_cache.c | 5 ++++- - 1 files changed, 4 insertions(+), 1 deletions(-) - -commit 
1c6fc0f3f80e086b43471e756f8249015fe2e4b2 -Author: Michael Rash -Date: Mon Oct 24 20:48:56 2011 -0400 - - update to detect loopback interface - - test/test-fwknop.pl | 70 +++++++++++++++++++++++++++++++++++++++++++++------ - 1 files changed, 62 insertions(+), 8 deletions(-) - -commit 3299fb25815bcec09b5410d3393ab806f8b78a68 -Author: Michael Rash -Date: Mon Oct 24 20:48:20 2011 -0400 - - minor whitespace removal - - server/fw_util_ipfw.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -commit c9860811f5de4b28f674d53d16b1bca10f12bed8 -Author: Michael Rash -Date: Sat Oct 22 22:29:27 2011 -0400 - - added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier - - test/test-fwknop.pl | 71 +++++++++++++++++++++++++++----------------------- - 1 files changed, 38 insertions(+), 33 deletions(-) - -commit 50bcc537eea23e9cd269a51e63d9da525c0a91ac -Author: Michael Rash -Date: Sat Oct 22 22:06:00 2011 -0400 - - added digest cache validation after GPG tests - - test/test-fwknop.pl | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -commit 1b8606461cc21108b190f871bf2d8b0929589fce -Author: Michael Rash -Date: Sat Oct 22 21:54:22 2011 -0400 - - minor update to match include/exclude criteria on the whole test message - - test/test-fwknop.pl | 10 +++++----- - 1 files changed, 5 insertions(+), 5 deletions(-) - -commit 9e3a4b4c920444df10b6a74eb574a542091adbfc -Author: Michael Rash -Date: Sat Oct 22 21:29:44 2011 -0400 - - extended packet validity tests in GPG mode - - test/test-fwknop.pl | 112 +++++++++++++++++++++++++++++++-------------------- - 1 files changed, 68 insertions(+), 44 deletions(-) - -commit 09e6ed1405436b975cb41c89dc2517f0e73c54bb -Author: Michael Rash -Date: Sat Oct 22 16:48:30 2011 -0400 - - added first GPG complete cycle SPA test - - test/conf/client-gpg/pubring.gpg | Bin 0 -> 2480 bytes - test/conf/client-gpg/secring.gpg | Bin 0 -> 1350 bytes - test/conf/client-gpg/trustdb.gpg | Bin 0 -> 1360 bytes - 
test/conf/gpg_access.conf | 7 ++++ - test/conf/server-gpg/pubring.gpg | Bin 0 -> 2480 bytes - test/conf/server-gpg/secring.gpg | Bin 0 -> 1352 bytes - test/conf/server-gpg/trustdb.gpg | Bin 0 -> 1360 bytes - test/test-fwknop.pl | 65 ++++++++++++++++++++++++++++++++++++++ - 8 files changed, 72 insertions(+), 0 deletions(-) - -commit 2d9dbe1fca011cd6bf726b86fb21af97da11ce49 -Author: Michael Rash -Date: Sat Oct 22 15:19:54 2011 -0400 - - minor whitespace removal - - server/fwknopd.conf | 11 +++++------ - 1 files changed, 5 insertions(+), 6 deletions(-) - -commit e4f4ee78253f1f44c8809173ad2209ba8364e2c5 -Author: Michael Rash -Date: Sat Oct 22 14:25:56 2011 -0400 - - added test to validate digest.cache structure - - test/test-fwknop.pl | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 53 insertions(+), 1 deletions(-) - -commit 266150218a021894e6dab0a8b4d7525183fe004a -Author: Michael Rash -Date: Sat Oct 22 10:57:25 2011 -0400 - - added -P bpf test for complete SPA cycle over non standard SPA port - - test/test-fwknop.pl | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 48 insertions(+), 0 deletions(-) - -commit 0ab39a64a5b86babdd0c5f7412fe160bca13cb69 -Author: Michael Rash -Date: Sat Oct 22 10:48:37 2011 -0400 - - added -P bpf filter test - - test/test-fwknop.pl | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 68 insertions(+), 0 deletions(-) - -commit 6848983b474d4571b1434a349d10ac21b278ebda -Author: Michael Rash -Date: Fri Oct 21 23:43:08 2011 -0400 - - added Rijndael SPA validity tests - - test/test-fwknop.pl | 310 +++++++++++++++++++++++++++++++++++++++++++++++---- - 1 files changed, 290 insertions(+), 20 deletions(-) - -commit 081b58d9510e4bbafb6dd57b4e55a02d7105e43a -Author: Michael Rash -Date: Fri Oct 21 23:13:24 2011 -0400 - - added rule timeout detection - - test/conf/default_access.conf | 1 + - test/test-fwknop.pl | 18 ++++++++++++++++-- - 2 files changed, 17 insertions(+), 2 
deletions(-) - -commit 9b816ed29af1be3a259d9c154418cbe624c2a93f -Author: Michael Rash -Date: Fri Oct 21 22:55:45 2011 -0400 - - added replay attack detection test - - test/test-fwknop.pl | 201 +++++++++++++++++++++++++++++++++++++-------------- - 1 files changed, 148 insertions(+), 53 deletions(-) - -commit 0bda4ee1e5f671c2e64a2b961de2f2ed0f9170a5 -Author: Michael Rash -Date: Fri Oct 21 22:54:49 2011 -0400 - - minor removal of whitespace - - server/fw_util_iptables.c | 6 +++--- - 1 files changed, 3 insertions(+), 3 deletions(-) - -commit caf458ad3fb2ce9408035630869e877f0c97768d -Author: Michael Rash -Date: Thu Oct 20 23:33:41 2011 -0400 - - added first complete SPA cycle test - - test/test-fwknop.pl | 243 ++++++++++++++++++++++++++++++++++++++++++--------- - 1 files changed, 201 insertions(+), 42 deletions(-) - -commit 44598fd7dd6be8207bae512b8b6e13f08e265d2a -Author: Michael Rash -Date: Thu Oct 20 23:31:59 2011 -0400 - - Added --digest-file and --pid-file args - - Added --digest-file and --pid-file args so that the user can easily alter - these paths from the command line. - - doc/fwknopd.man.asciidoc | 12 +++++++++++- - server/cmd_opts.h | 6 ++++-- - server/config_init.c | 20 ++++++++++++++++---- - server/fwknopd.c | 7 +------ - 4 files changed, 32 insertions(+), 13 deletions(-) - -commit 6f699f7e5d28ac1d8e66d66b9cedb3094a35439e -Author: Michael Rash -Date: Thu Oct 20 00:06:58 2011 -0400 - - added client/server interaction test capability - - test/test-fwknop.pl | 351 +++++++++++++++++++++++++++++++++++++++++---------- - 1 files changed, 283 insertions(+), 68 deletions(-) - -commit b8571bcc05cc81448b8d52ef8eef71f2eaefa987 -Author: Michael Rash -Date: Tue Oct 18 21:28:38 2011 -0400 - - Minor PID string length fix - - Changed PID string length to 7 to accomodate an ending newline and NULL - char when writing to the fwknopd .pid file. Without this fix, with a - 5 digit PID the trailing newline would be truncated (no room for the - ending NULL char). 
- - server/fwknopd.c | 13 ++++++++----- - server/fwknopd.h | 2 ++ - 2 files changed, 10 insertions(+), 5 deletions(-) - -commit 0e7a0e9a378c5b9605228075718f53012e87cadd -Author: Michael Rash -Date: Mon Oct 17 23:03:28 2011 -0400 - - Added --fw-list-all and --fw-flush - - Added new command line options --fw-list-all and --fw-flush to allow all - firewall rules to be displayed including those not created by fwknopd, and - allow all firewall rules created by fwknopd to be deleted. - - Also switched -D config dump output to stdout. - - doc/fwknopd.man.asciidoc | 11 +++++- - server/access.c | 8 ++-- - server/cmd_opts.h | 4 ++ - server/config_init.c | 13 +++++- - server/fw_util_ipf.c | 3 + - server/fw_util_ipfw.c | 90 +++++++++++++++++++++++++++++--------------- - server/fw_util_ipfw.h | 1 + - server/fw_util_iptables.c | 74 +++++++++++++++++++++++++++--------- - server/fw_util_iptables.h | 25 ++++++------ - server/fw_util_pf.c | 5 ++- - server/fwknopd.c | 9 ++++- - server/fwknopd_common.h | 2 + - 12 files changed, 173 insertions(+), 72 deletions(-) - -commit e479e776dbd848ba82e65e22b35e7e479a788161 -Author: Michael Rash -Date: Mon Oct 17 22:55:01 2011 -0400 - - Added usage of sudo for recompilation test - - The test suite now recompiles fwknop only if the --enable-recompile-check - option is used, and if so, uses sudo (if installed) to have the resulting - binaries own by the original user (instead of by root). Also made a couple - of API changes to create test output files automatically if they don't - exist. 
- - test/test-fwknop.pl | 187 ++++++++++++++++++++++++++++++++++----------------- - 1 files changed, 125 insertions(+), 62 deletions(-) - -commit 11c240c41b74c110068b8748b28a074ac121608c -Author: Michael Rash -Date: Thu Oct 13 22:44:35 2011 -0400 - - minor update to allow fw rules to be dumped before parsing the access.conf file - - server/fwknopd.c | 28 ++++++++++++++-------------- - 1 files changed, 14 insertions(+), 14 deletions(-) - -commit e36c833f554f59312c02e5efec0bbc77ab0ee301 -Author: Michael Rash -Date: Thu Oct 13 22:02:21 2011 -0400 - - minor whitespace fixes - - server/fwknopd.c | 55 +++++++++++++++++++++++++++-------------------------- - 1 files changed, 28 insertions(+), 27 deletions(-) - -commit 9962dc08088b31d116b7b5d41bf8e3ced8cfa814 -Author: Michael Rash -Date: Thu Oct 13 20:59:30 2011 -0400 - - minor wording update netfilter -> iptables - - doc/fwknopd.man.asciidoc | 9 +++++---- - server/fwknopd.8.in | 5 +++-- - 2 files changed, 8 insertions(+), 6 deletions(-) - -commit 45ecc6f39932271f7a70b1fe8dec99dc9d2438c0 -Author: Michael Rash -Date: Thu Oct 13 20:41:12 2011 -0400 - - minor bugfix to ensure that the proper firewall is used to collect system specs - - test/test-fwknop.pl | 6 ++++-- - 1 files changed, 4 insertions(+), 2 deletions(-) - -commit 103cd2a8fb0ebe7919a5647ae90a9425242ca0ae -Author: Michael Rash -Date: Thu Oct 13 20:30:05 2011 -0400 - - added the test/conf/ directory for config files use by the test suite - - test/conf/default_access.conf | 2 ++ - test/conf/default_fwknopd.conf | 4 ++++ - test/conf/override_fwknopd.conf | 1 + - 3 files changed, 7 insertions(+), 0 deletions(-) - -commit 6f0d2c509121de45f470dae4c17b6a7e46ea19d0 -Author: Michael Rash -Date: Thu Oct 13 20:29:37 2011 -0400 - - minor typo fix - - doc/libfko.texi | 8 ++++---- - lib/fko_error.c | 8 ++++---- - lib/fko_message.c | 2 +- - 3 files changed, 9 insertions(+), 9 deletions(-) - -commit 64160a0c57aee0c406be5158836fe10b3f38e3f9 -Author: Michael Rash -Date: Thu Oct 13 
20:29:19 2011 -0400 - - started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance - - test/test-fwknop.pl | 182 +++++++++++++++++++++++++++++++++++++++++++------- - 1 files changed, 156 insertions(+), 26 deletions(-) - -commit a1f4a65f27b73ebe5744c7ae4bf64a0876032e13 -Author: Michael Rash -Date: Wed Oct 12 23:37:28 2011 -0400 - - interim commit to add major functionality to the fwknop test suite - - test/test-fwknop.pl | 437 ++++++++++++++++++++++++++++++++++++++++----------- - 1 files changed, 342 insertions(+), 95 deletions(-) - -commit 4a41ecc9556fedd4bb04206081b4096a2fddaeee -Author: Michael Rash -Date: Wed Oct 12 23:36:51 2011 -0400 - - removed - - server/fwknopd.c.orig | 664 -------------------------------------------- - server/fwknopd.c.rej | 39 --- - server/incoming_spa.c.orig | 541 ------------------------------------ - server/replay_cache.c.orig | 326 ---------------------- - 4 files changed, 0 insertions(+), 1570 deletions(-) - -commit 88d8eb03b30a03ebb43a7da33c5f65d2de2c3289 -Author: Michael Rash -Date: Wed Oct 12 23:36:04 2011 -0400 - - minor update to switch to stdout when exiting with success - - server/fwknopd.c | 10 +- - server/fwknopd.c.orig | 664 ++++++++++++++++++++++++++++++++++++++++++++ - server/fwknopd.c.rej | 39 +++ - server/incoming_spa.c.orig | 541 ++++++++++++++++++++++++++++++++++++ - server/replay_cache.c.orig | 326 ++++++++++++++++++++++ - 5 files changed, 1575 insertions(+), 5 deletions(-) - -commit 41c0be29b7a3ea6a0c859b43e43ccdc3aa5e30ba -Author: Michael Rash -Date: Thu Oct 6 23:02:29 2011 -0400 - - switched --help output to stdout from stderr - - client/config_init.c | 6 +++--- - server/config_init.c | 4 ++-- - 2 files changed, 5 insertions(+), 5 deletions(-) - -commit 26f58a705dbdf9a07e430fc2558871d491c27d63 -Author: Michael Rash -Date: Thu Oct 6 22:53:27 2011 -0400 - - minor update to account for hardening-check return values - - test/test-fwknop.pl | 24 ++++++++++-------------- - 1 files changed, 
10 insertions(+), 14 deletions(-) - -commit 1a3e1caffe707e71fd3cf99ffaa4547f7fda017a -Author: Michael Rash -Date: Tue Oct 4 23:15:04 2011 -0400 - - Initial start on a test suite - - This commit begins development on a comprehensive test suite for fwknop. - The initial tests are focused on compilation correctness and security options - as determined by the "hardening-check" script from Kees Cook of the Debian - security team. - - test/hardening-check | 269 ++++++++++++++++++++++++++++ - test/test-fwknop.pl | 481 ++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 750 insertions(+), 0 deletions(-) - -commit 05f3cec96a03251d1a308d90200c9dc479ae4558 -Author: Michael Rash -Date: Sun Sep 25 21:12:30 2011 -0400 - - Added --help usage information - - With the --help command line argument, the following information is printed: - - $ ./fwknop-launcher-lsof.pl --help - - Usage: fwknop-launcher-lsof.pl [options] - - Options: - - -c, --config - Path to fwknop-launcher.conf config file. - -l, --lsof-cmd - Path to lsof command. - -f, --fwknop-cmd - Path to fwknop client command. - -s, --sleep - Specify sleep interval (default: - 1 seconds) - -n --no-daemon - Run in foreground mode. - -u, --user - Specify username (usually this is not - needed). - --home-dir - Path to user's home directory (usually - this is not needed). - -v --verbose - Print verbose information to the terminal - (requires --no-daemon). - --help - Print usage info and exit. 
- - extras/fwknop-launcher/fwknop-launcher-lsof.pl | 23 ++++++++++++++++++++++- - 1 files changed, 22 insertions(+), 1 deletions(-) - -commit 71ea0c6bfd3be6ff8d95e6f1d1029394e51c07f4 -Merge: 7748423 35ee5a2 -Author: Michael Rash -Date: Sun Sep 25 21:02:54 2011 -0400 - - Merge branch 'master' into fwknop-launcher - -commit 7748423b15958fedfcaeb942f3f26cdc5b40dcde -Author: Michael Rash -Date: Sat Sep 24 22:24:30 2011 -0400 - - Added the fwknop lsof launcher under the extras/ directory - - The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a - lightweight daemon that allows the user to not have to manually run the fwknop - client when attempting to gain access to a service that is protected by Single - Packet Authorization via fwknopd. This is accomplished by checking the output - of lsof to look for pending connections in the SYN_SENT state, which (usually) - indicate that a remote firewall is blocking the attempted connection. At this - point, the launcher executes the fwknop client with the --get-key arg (so the - user must place the key in the local filesystem) to generate an SPA packet for - the attempted connection. The remote fwknopd daemon will reconfigure the - firewall to allow temporary access, and this usually happens fast enough that - the original connection attempt will then succeed. - - The idea for this was originally for a pcap-based connection watcher by - Sebastien Jeanquier. 
- - extras/fwknop-launcher/fwknop-launcher-lsof.pl | 329 ++++++++++++++++++++++++ - extras/fwknop-launcher/fwknop-launcher.conf | 30 +++ - 2 files changed, 359 insertions(+), 0 deletions(-) - -commit 35ee5a202debe2e7c15227f7704753c977281de2 -Merge: 35abc34 668ed90 -Author: Michael Rash -Date: Wed Sep 21 18:10:16 2011 -0700 - - Merge pull request #5 from maxkas/master - - Fwknop client for iPhone devices - contributed by Max Kastanas - -commit 668ed9033f601f052fe58ebf87a8eff144b50fcf -Author: Max Kastanas -Date: Fri Sep 16 22:51:53 2011 -0700 - - Codebase of Fwknop client for iOS (iPhone) devices - - iphone/COPYING | 340 +++ - iphone/Classes/FwknopController.h | 30 + - iphone/Classes/FwknopController.m | 309 +++ - iphone/Classes/MyAppDelegate.h | 33 + - iphone/Classes/MyAppDelegate.m | 53 + - iphone/Classes/bridge_fwknop.c | 28 + - iphone/Classes/bridge_fwknop.h | 21 + - iphone/Classes/config.h | 346 ++++ - iphone/Classes/fwknop/fwknop_client.c | 162 ++ - iphone/Classes/fwknop/fwknop_client.h | 60 + - iphone/Classes/fwknop/send_spa_packet.c | 94 + - iphone/Classes/libfwknop/README | 11 + - iphone/Classes/libfwknop/config.h | 14 + - iphone/Classes/libfwknop/fko_common.b | 140 ++ - iphone/Classes/libfwknop/get_libfko_files.sh | 38 + - iphone/Classes/logutils.h | 33 + - iphone/Fwknop.pch | 23 + - iphone/Fwknop.xcodeproj/dev.mode1v3 | 1539 ++++++++++++++ - iphone/Fwknop.xcodeproj/dev.pbxuser | 2859 ++++++++++++++++++++++++++ - iphone/Fwknop.xcodeproj/project.pbxproj | 413 ++++ - iphone/Info.plist | 30 + - iphone/README | 42 + - iphone/lock_57x57.png | Bin 0 -> 3466 bytes - iphone/main.m | 29 + - 24 files changed, 6647 insertions(+), 0 deletions(-) - -commit 35abc349ab91ff40f0706a66e9ba50188cb94cb2 -Author: Michael Rash -Date: Mon Sep 12 23:04:41 2011 -0400 - - minor typo fix: fwkop -> fwknop - - doc/fwknop.man.asciidoc | 4 ++-- - doc/fwknopd.man.asciidoc | 4 ++-- - doc/libfko.texi | 4 ++-- - fwknop.spec | 2 +- - 4 files changed, 7 insertions(+), 7 deletions(-) - -commit 
f693a2721cf499815853639c8dfb924ab4c427cd -Merge: e07ccdd 87416c0 -Author: Damien Stuart -Date: Sat Sep 10 11:30:09 2011 -0400 - - Merge branch 'master' of https://github.com/mrash/fwknop - -commit e07ccdd5508c488a818790c16728ebdc13be284c -Author: Damien Stuart -Date: Sat Sep 10 11:25:08 2011 -0400 - - Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist. - - client/Makefile.am | 2 +- - fwknop.spec | 4 +++- - server/Makefile.am | 2 +- - 3 files changed, 5 insertions(+), 3 deletions(-) - -commit 87416c0cdf544ff636ea963bd90f1f22dd7ca49a -Author: Michael Rash -Date: Fri Sep 9 22:09:37 2011 -0400 - - Replaced all strcpy() calls with strlcpy() - - OpenBSD especially gives compiler warnings whenever strcpy() is used. All such - calls have been replaced with strlcpy(). - - client/config_init.c | 2 +- - client/fwknop.c | 2 +- - client/http_resolve_host.c | 2 +- - lib/fko_encode.c | 2 +- - server/fwknopd.c | 4 ++-- - server/log_msg.c | 8 +++++++- - server/replay_cache.c | 6 ++++-- - 7 files changed, 17 insertions(+), 9 deletions(-) - -commit 0b8c4890758bfd6612780c28041d7b1e3e9f1a15 -Author: Michael Rash -Date: Thu Sep 8 23:44:50 2011 -0400 - - Added read-only relocations and immediate bindings - - Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations - and immediate bindings for FreeBSD systems (and the same was done for OpenBSD - systems too). This commit adds these security features back in as linker - options by only changing LDFLAGS as opposed to also adding the corresponding - flags to CFLAGS. 
The end result is that the following errors are fixed: - - gcc: -z: linker input file unused because linking not done - gcc: relro: linker input file unused because linking not done - - configure.ac | 28 ---------------------------- - 1 files changed, 0 insertions(+), 28 deletions(-) - -commit c65e25c6568c53d44d0163ebd4889260466bcdfa -Author: Michael Rash -Date: Thu Sep 8 21:33:52 2011 -0400 - - Check for active_rules > 0 before decrementing - - In the fw_config struct the active_rules member is unsigned, so this change - ensures that we don't try to decrement it below zero whenever a firewall rule - is deleted or an error condition occurs. - - server/fw_util_ipfw.c | 25 ++++++++++++++++++------- - server/fw_util_iptables.c | 23 ++++++++++++----------- - 2 files changed, 30 insertions(+), 18 deletions(-) - -commit 88b6d44f1f70daf951cf7e1d237114f96ad30a9a -Author: Michael Rash -Date: Thu Sep 8 00:20:20 2011 -0400 - - Update to make _exp_ string a #define - - Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so - that the prefix can easily be changed. so - that the prefix can easily be changed. so - that the prefix can easily be changed. so - that the prefix can easily be changed. - - server/fw_util.h | 2 ++ - server/fw_util_ipfw.c | 6 +++--- - server/fw_util_ipfw.h | 2 +- - server/fw_util_iptables.c | 6 +++--- - server/fw_util_iptables.h | 10 +++++----- - server/fw_util_pf.c | 6 +++--- - server/fw_util_pf.h | 2 +- - 7 files changed, 18 insertions(+), 16 deletions(-) - -commit 2531896ebf98d80380f462b4fae9e16940206a40 -Author: Michael Rash -Date: Wed Sep 7 23:24:18 2011 -0400 - - Added the ability to delete PF rules - - This commit adds the ability to fwknopd to delete PF rules after the SPA timer - expires. 
The strategy implemented is similar to iptables and ipfw, except - that all PF rules are added to an 'anchor', and deleting a specific expired - rule is done by listing all rules in the anchor and reinstantiating it via - 'pfctl -a -f -' with the expired rule deleted. fwknopd uses the - "_exp_" convention in a PF rule label similarly to how fwknopd - interfaces with iptables (via the 'comment' match), and ipfw (via the - "//" feature). - - server/fw_util_pf.c | 216 +++++++++++++++++++++++++++++++++++++++++++++-- - server/fw_util_pf.h | 2 - - server/fwknopd_common.h | 3 + - 3 files changed, 210 insertions(+), 11 deletions(-) - -commit f9810904c36c270a5d19111ae7566c6d410bed4a -Author: Michael Rash -Date: Sat Sep 3 21:00:12 2011 -0400 - - minor comment typo fixes - - server/fw_util_pf.c | 2 +- - server/fwknopd.c | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -commit d60dde17b71b898a821a60d9a1166c32436c17c2 -Author: Michael Rash -Date: Sat Sep 3 14:50:28 2011 -0400 - - PF rules are now added to the fwknop anchor - - This commit implements the ability to add PF firewall rules to the fwknop - anchor after a valid SPA packet is sniffed off the wire. A subsequent commit - will add the ability to delete these rules. 
- - server/fw_util_ipfw.c | 2 +- - server/fw_util_pf.c | 114 +++++++++++++++++++++++++++++++++++++++++++++---- - server/fw_util_pf.h | 10 +++- - server/incoming_spa.c | 4 +- - 4 files changed, 115 insertions(+), 15 deletions(-) - -commit 6938f7a6aecb1395f750c56a4e10489d6d060fc9 -Author: Michael Rash -Date: Sun Aug 28 13:37:23 2011 -0400 - - Minor copyright holder update - - Minor copyright holder update - - server/fw_util_pf.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -commit 10ff421e1ef86c1b437645764abe11819a88c292 -Author: Michael Rash -Date: Sun Aug 28 13:27:15 2011 -0400 - - For PF firewalls implemented a check for an active fwknop anchor - - This commit ensures that for PF firewalls that the fwknop anchor is active and - linked into the running PF policy. This is accomplished by looking for the - string 'anchor "fwknop"' in the output of "pfctl -s rules". If the anchor - exists, then fwknopd will be able to influence traffic via rules added and - removed from the fwknop anchor. - - server/fw_util_pf.c | 86 +++++++++++++++++++++++++++++++++++++++++++--- - server/fw_util_pf.h | 8 +++- - server/fwknopd_common.h | 2 - - 3 files changed, 86 insertions(+), 10 deletions(-) - -commit 5bc5ef4305cafd26ee3faaf5eefb3f6b9f05441e -Author: Michael Rash -Date: Sat Aug 27 11:07:19 2011 -0400 - - Added --fw-list info to --help - - Added --fw-list output to usage info when --help is specified from the command - line. - - server/config_init.c | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -commit 0649ef924a8c979fd815c2d2e8416a16aeabeb62 -Author: Michael Rash -Date: Sat Aug 27 10:57:17 2011 -0400 - - PF support on OpenBSD in progress, fwknop --fw-list now works - - This is the first commit that has fwknopd interact with the PF firewall on - OpenBSD (via fwknopd --fw-list to show any active fwknopd rules). 
- - common/netinet_common.h | 11 +++- - configure.ac | 5 +- - server/Makefile.am | 7 +- - server/access.c | 14 ++-- - server/cmd_opts.h | 7 +- - server/config_init.c | 16 +++- - server/fw_util.h | 2 + - server/fw_util_ipfw.c | 6 +- - server/fw_util_iptables.c | 2 +- - server/fw_util_pf.c | 187 +++++++++++++++++++++++++++++++++++++++++++++ - server/fw_util_pf.h | 42 ++++++++++ - server/fwknopd.conf | 16 ++++ - server/fwknopd_common.h | 28 +++++-- - 13 files changed, 311 insertions(+), 32 deletions(-) - -commit dcf2d94bf675a906c570814d9cd65e2a1bfd2e77 -Author: Michael Rash -Date: Wed Aug 24 23:55:36 2011 -0400 - - Added autoconf check for pf firewalls - - On OpenBSD systems fwknop now checks for pf firewalls via autoconf. The next - step will be to fill in support for pf via the C code. - - configure.ac | 44 +++++++++++++++++++++++++++++++++++--------- - 1 files changed, 35 insertions(+), 9 deletions(-) - -commit 649b7a88c1d6caa0e3760c7694b9d5b5b855dd4c -Author: Michael Rash -Date: Wed Aug 24 23:17:45 2011 -0400 - - Disabled read-only relocations and immediate binding compiler protections - - Similarly to FreeBSD systems, gcc throws the following warnings with read-only - relcations and immediate binding protections - disbabled for now: - - gcc: -z: linker input file unused because linking not done - gcc: relro: linker input file unused because linking not done - gcc: -z: linker input file unused because linking not done - gcc: now: linker input file unused because linking not done - - configure.ac | 11 +++++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) - -commit 47da588003b9bf1645a97823cfa940b8c5a93071 -Author: Michael Rash -Date: Mon Aug 22 21:39:28 2011 -0400 - - removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files - - ChangeLog-v2.0.0 | 3020 ------------------------------------------------------ - ShortLog-v2.0.0 | 654 ------------ - diffstat-v2.0.0 | 1310 ----------------------- - 3 files changed, 0 insertions(+), 4984 deletions(-) - 
-commit 17beb2d348a076aa86a5732b9b572b21c1fcb594 -Author: Michael Rash -Date: Sun Aug 21 14:06:41 2011 -0400 - - bumped version to 2.0.0rc4 - - VERSION | 2 +- - android/project/jni/config.h | 6 +++--- - configure.ac | 2 +- - extras/openwrt/package/fwknop/Makefile | 2 +- - fwknop.spec | 2 +- - win32/config.h | 2 +- - 6 files changed, 8 insertions(+), 8 deletions(-) - -commit b937ae234730241a25144b63ed1eadf3291da642 -Author: Michael Rash -Date: Sun Aug 21 14:02:25 2011 -0400 - - Added version specific ChangeLog, ShortLog, and diffstat files. - - Added version specific ChangeLog, ShortLog, and diffstat files (these go all - the way back to the beginning of the svn import since 2.0.0 will be the - first official non-"rc" release of the new C code). - - ChangeLog-v2.0.0 | 3020 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - ShortLog-v2.0.0 | 654 ++++++++++++ - diffstat-v2.0.0 | 1310 +++++++++++++++++++++++ - 3 files changed, 4984 insertions(+), 0 deletions(-) - -commit 4ed4558192616adb737344710f9349ab4bc1db9c -Author: Michael Rash -Date: Sun Aug 21 14:00:16 2011 -0400 - - Updated ChangeLog with all changes from 2.0.0-rc3 - - Updated ChangeLog with all changes from 2.0.0-rc3 - - ChangeLog | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 143 insertions(+), 0 deletions(-) - -commit 35456877fa257889c7d894cc24c98fba06106ca6 -Author: Michael Rash -Date: Sun Aug 21 13:50:16 2011 -0400 - - Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules - - This commit fixes an issue on ipfw firewalls where fwknopd would always require - seeing ipfw 'Dynamic' rules associated with newly added connections. But, such - connections may never be established for various reasons. Previous to this - commit the following warning was frequently generated by fwknopd: - - Unexpected error: did not find 'Dynamic rules' string in list output. 
- - server/fw_util_ipfw.c | 97 ++++++++++++++++++++++++++----------------------- - 1 files changed, 51 insertions(+), 46 deletions(-) - -commit 4b2a96578bcc8ba07371989dcc124ef42813acea -Author: Michael Rash -Date: Sun Aug 21 13:28:16 2011 -0400 - - Bug fix for missing set existence check on ipfw firewalls - - This commit fixes an issues on systems running the ipfw firewall where the - 'set' where fwknopd puts new access rules was attempted to be deleted without - first checking to see whether it exists. The following errors would be - generated (now fixed): - - ipfw: rule 16777217: setsockopt(IP_FW_DEL): Invalid argument - Error 17664 from cmd:'/sbin/ipfw delete set 1': - Fatal: Errors detected during ipfw rules initialization. - - server/fw_util_ipfw.c | 28 ++++++++++++++++++++++++++-- - 1 files changed, 26 insertions(+), 2 deletions(-) - -commit 03859387b6667839d8eb6eaf1601e2c14c24d355 -Author: Michael Rash -Date: Sat Aug 20 22:34:24 2011 -0400 - - Bug fix to create the digest.cache file at init - - Bug fix to ensure that the digest.cache file gets created at fwknopd init time - so fwknopd does not throw the following error: - - Error opening digest cache file. Incoming digests will not be remembered. - - server/replay_cache.c | 15 ++++++++++++--- - 1 files changed, 12 insertions(+), 3 deletions(-) - -commit 04afd2846dd563296c40667557ef4ac0d47aeb0c -Author: Michael Rash -Date: Sat Aug 20 22:02:21 2011 -0400 - - On FreeBSD, made gpgme header path inclusion optional - - If gpgme is installed on FreeBSD systems it appears that - -I/usr/local/include/gpgme must be added to the include path, but this change - only adds the path if gpgme is installed and going to be used. 
- - configure.ac | 21 +++++++++++++++------ - 1 files changed, 15 insertions(+), 6 deletions(-) - -commit 6eeb41309401a0c8a47613bcc9f3ce58aa1f6436 -Author: Michael Rash -Date: Sat Aug 20 13:33:00 2011 -0400 - - Fixed a few minor compiler warnings on FreeBSD - - This commit fixes a few warnings about possible uninitialized and unused - variables. - - configure.ac | 2 +- - server/fw_util_ipfw.c | 10 +++------- - server/fwknopd.c | 4 ++-- - 3 files changed, 6 insertions(+), 10 deletions(-) - -commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 -Author: Michael Rash -Date: Sat Aug 20 13:19:33 2011 -0400 - - On FreeBSD disable read-only relocations and immediate binding protections - - gcc on FreeBSD generates the following errors when the -Wl,-z,relro -Wl,-z,now - flags are used: - - gcc: -z: linker input file unused because linking not done - gcc: relro: linker input file unused because linking not done - gcc: -z: linker input file unused because linking not done - gcc: now: linker input file unused because linking not done - - configure.ac | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -commit ff7c4219e8a946fa28aeec941a17d3998ab87ae7 -Author: Michael Rash -Date: Sat Aug 20 12:56:30 2011 -0400 - - Update to suppress additional compiler warning - - This change fixes the following compiler warning that was seen with many of - the source files in server/ - - fwknopd_common.h:223: warning: ‘config_map’ defined but not used - - client/cmd_opts.h | 31 +++++++++++++++++++- - server/cmd_opts.h | 71 +++++++++++++++++++++++++++++++++++++++++++++ - server/fwknopd_common.h | 73 ++--------------------------------------------- - 3 files changed, 104 insertions(+), 71 deletions(-) - -commit ab7226092dcf687a46916e1841cc05107a5fce8f -Author: Michael Rash -Date: Sat Aug 20 12:34:57 2011 -0400 - - Minor restructuring to suppress compiler "defined but not used warnings" - - This commit fixes several compiler warnings like the following (now that -Wall - is the default): - 
- config_init.h:68: warning: ‘cmd_opts’ defined but not used - - client/cmd_opts.h | 79 +++++++++++++++++++++++++++++++++++++++++++++ - client/config_init.c | 2 +- - client/config_init.h | 71 ---------------------------------------- - server/access.c | 1 - - server/cmd_opts.h | 74 ++++++++++++++++++++++++++++++++++++++++++ - server/config_init.c | 2 +- - server/config_init.h | 59 --------------------------------- - server/fw_util.c | 1 - - server/fw_util_ipf.c | 1 - - server/fw_util_ipfw.c | 1 - - server/fw_util_iptables.c | 1 - - server/fwknopd.c | 2 +- - server/pcap_capture.c | 1 - - server/utils.h | 21 ++++++++++++ - 14 files changed, 177 insertions(+), 139 deletions(-) - -commit db681fb7916470ec981f0d4e4514402cb49eca3f -Author: Michael Rash -Date: Fri Aug 19 22:00:16 2011 -0400 - - minor commit to fix minor compilations warnings - - client/spa_comm.c | 1 + - lib/fko_encryption.c | 2 +- - 2 files changed, 2 insertions(+), 1 deletions(-) - -commit 637f7a4c936d91a18ef71f364c5fe1c7c5256f5e -Author: Michael Rash -Date: Fri Aug 19 21:14:24 2011 -0400 - - Added -Wall for all gcc warnings during compile - - Enable gcc compilation to include -Wall for all warnings (can be disabled - with --disable-wall to ./configure). 
- - configure.ac | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 48 insertions(+), 1 deletions(-) - -commit bf59c2688f3dc11913c347c4d1e92c95dfcaa671 -Author: Michael Rash -Date: Fri Aug 19 20:51:50 2011 -0400 - - Bug fix for ./configure args to disable compile time security options - - The ./configure script would generate the following error for the attempted - use of the --without-stackprotector (and other related options like - --without-pie): - - configure: WARNING: unrecognized options: --without-stackprotect - - configure.ac | 62 +++++++++++++++++++++++++++++++++------------------------ - 1 files changed, 36 insertions(+), 26 deletions(-) - -commit 41fc93407e303a47a412ee91a54f136f80a903f1 -Author: Michael Rash -Date: Thu Aug 18 22:26:52 2011 -0400 - - added the VERSION file - - VERSION | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -commit 8b0787c270dc12552275d610bf38115f95cd5972 -Author: Michael Rash -Date: Thu Aug 18 22:25:12 2011 -0400 - - Bumped version to fwknop-2.0.0-rc3 - - Bumped version to fwknop-2.0.0-rc3 - - android/project/jni/config.h | 6 +++--- - extras/openwrt/package/fwknop/Makefile | 2 +- - win32/config.h | 2 +- - 3 files changed, 5 insertions(+), 5 deletions(-) - -commit 1e494aba2ec806bec8f670c5378cf6dd5624c012 -Author: Michael Rash -Date: Thu Aug 18 21:13:58 2011 -0400 - - Added ChangeLog derived from git commit messages. - - There will be branch and release specific ChangeLog files as well. - - ChangeLog | 2877 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 2877 insertions(+), 0 deletions(-) - -commit 409c08ac5c3f6310306ddba9b34c985db491722c -Author: Michael Rash -Date: Thu Aug 18 21:10:09 2011 -0400 - - Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling - - The ChangeLog will be derived from commit messages. 
- - ChangeLog | 227 --------------------------------------------------------- - ChangeLog.old | 227 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 227 insertions(+), 227 deletions(-) - -commit b9122f648e57a9f3cfa84c3462ab2463fe04e275 -Author: Michael Rash -Date: Thu Aug 18 20:37:31 2011 -0400 - - Update to add any missing iptables jump rules - - Upon the receipt of a valid SPA packet, a check is done to make sure that - a jump rule from the appropriate built-in iptables chains exists to the - fwknop chains. Such rules could have been deleted by other manipulations - of the iptables policy, so it is important to ensure they exist. Running - in foreground (-f) mode, here is an illustration of the jump rule being - added after it got deleted: - - SPA Packet from IP: 127.0.0.1 received. - Added jump rule from chain: INPUT to chain: FWKNOP_INPUT - Added Rule to FWKNOP_INPUT for 127.0.0.1, tcp/22 expires at 1313680648 - - server/fw_util_iptables.c | 71 ++++++++++++++++++++++++++++++++++----------- - 1 files changed, 54 insertions(+), 17 deletions(-) - -commit acdf15f158c32bb12b141ecb8bd37fae5f7bfcb1 -Author: Michael Rash -Date: Wed Aug 17 21:24:03 2011 -0400 - - Update to force base64 check for all SPA data - - Previous to this change a check was done for base64 characters in incoming - SPA data only up to MIN_SPA_DATA_SIZE. This check may be reinstantiated for - SPA packets that are delivered over HTTP (and the packet data is embedded - within a URL that may also contain non-base64 chars), but in the meantime the - fwknopd daemon should not accept SPA packets over arbitrary ports with any - non-base64 chars. - - server/incoming_spa.c | 3 +-- - 1 files changed, 1 insertions(+), 2 deletions(-) - -commit 92b7e2588ee64f253720cf8d819ee64f42333aee -Author: Michael Rash -Date: Wed Aug 17 21:07:35 2011 -0400 - - Updated replay warnings to include proto/port info - - Replay warnings now include port and protocol information. 
Here is an example: - - SPA Packet from IP: 127.0.0.1 received. - Replay detected from source IP: 127.0.0.1 - Destination proto/port: 17/62201 - Original source IP: 127.0.0.1 - Original dst proto/port: 17/62201 - Entry created: 08/17/11 21:06:07 - First replay: 08/17/11 21:06:32 - Last replay: 08/17/11 21:06:45 - Replay count: 7 - - server/replay_cache.c | 17 ++++++++++++++--- - server/replay_cache.h | 4 ++-- - 2 files changed, 16 insertions(+), 5 deletions(-) - -commit df96e42c51b6847d91575dfd68f8cb23ba3aa318 -Author: Michael Rash -Date: Wed Aug 17 20:36:28 2011 -0400 - - Added stack protection, PIE, fortify source, etc. - - Added various security options that can be enabled at compile time. These - options include everything that the "hardening-check" script written by Kees - Cook checks for. After this change, the hardening-check script produces the - following output against the fwknopd binary: - - $ hardening-check server/.libs/fwknopd - server/.libs/fwknopd: - Position Independent Executable: yes - Stack protected: yes - Fortify Source functions: yes - Read-only relocations: yes - Immediate binding: yes - - One of the compile outputs (for example) that shows the new options is: - - /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -fstack-protector-all -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -MT fko_decode.lo -MD -MP -MF .deps/fko_decode.Tpo -c -o fko_decode.lo fko_decode.c - - From the hardening-check man page, here is a description of each of these - options: - - NAME - hardening-check - check binaries for security hardening features - - SYNOPSIS - Examine a given set of ELF binaries and check for several security - hardening features, failing if they are not all found. - - DESCRIPTION - This utility checks a given list of ELF binaries for several security - hardening features that can be compiled into an executable. 
These - features are: - - Position Independent Executable - This indicates that the executable was built in such a way - (PIE) that the "text" section of the program can be relocated - in memory. To take full advantage of this feature, the - executing kernel must support text Address Space Layout - Randomization (ASLR). - - Stack Protected - This indicates that the executable was compiled with the - gcc(1) option -fstack-protector. The program will be - resistant to have its stack overflowed. - - Fortify Source functions - This indicates that the executable was compiled with - -D_FORTIFY_SOURCE=2 and -O2 or higher. This causes certain - unsafe glibc functions with their safer counterparts (e.g. - strncpy instead of strcpy). - - Read-only relocations - This indicates that the executable was build with -Wl,-z,relro - to have ELF markings (RELRO) that ask the runtime linker to - mark any regions of the relocation table as "read-only" if - they were resolved before execution begins. This reduces the - possible areas of memory in a program that can be used by an - attacker that performs a successful memory corruption exploit. - - Immediate binding - This indicates that the executable was built with -Wl,-z,now - to have ELF markings (BIND_NOW) that ask the runtime linker to - resolve all relocations before starting program execution. - When combined with RELRO above, this further reduces the - regions of memory available to memory corruption attacks. - - configure.ac | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 1 files changed, 230 insertions(+), 10 deletions(-) - -commit 60b6a5a4d8a3075ef5d0bc7025859f704ef90bb0 -Author: Michael Rash -Date: Sun Aug 14 22:46:09 2011 -0400 - - Minor variable cleanup to fix compiler warnings - - Minor cleanup to fix compiler warnings about unused variables. 
- - server/access.c | 2 -- - server/pcap_capture.c | 3 +++ - 2 files changed, 3 insertions(+), 2 deletions(-) - -commit e7d275ee312c618c3233a504c5aa54b72312f39a -Author: Michael Rash -Date: Sun Aug 14 21:55:29 2011 -0400 - - Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett - - Applied a patch sent from Jonathan Bennett to add fwknop-2.0.0rc2 support to - openwrt. One thing to note about this patch is that the +libgdbm library - dependency has been removed because fwknop now implements its own digest - tracking file without needing gdbm/ndbm on the system. - - extras/openwrt/package/fwknop/Makefile | 61 ++++++++++++++++++++++++++++++++ - 1 files changed, 61 insertions(+), 0 deletions(-) - -commit 878fae8e8a22ea2c34ca544e84e163347835f361 -Author: Michael Rash -Date: Sun Aug 14 19:42:50 2011 -0400 - - Implemented memory clean up for digest cache list - - Upon fwknopd shutdown, a new function free_replay_list() is now called in order - to free heap allocated memory dedicated to SPA digest tracking. 
Without this - fix, valgrind reports the following (some output snipped): - - valgrind --leak-check=full ./server/.libs/fwknopd -f -i lo -P "udp port 62201" - - ==30864== 431 (48 direct, 383 indirect) bytes in 1 blocks are definitely lost in loss record 17 of 17 - ==30864== at 0x4C27480: calloc (vg_replace_malloc.c:467) - ==30864== by 0x407CB7: replay_check_file_cache (replay_cache.c:461) - ==30864== by 0x407B69: replay_check (replay_cache.c:413) - ==30864== by 0x405813: incoming_spa (incoming_spa.c:363) - ==30864== by 0x406275: pcap_capture (pcap_capture.c:223) - ==30864== by 0x40317D: main (fwknopd.c:297) - - server/fwknopd.c | 5 +++++ - server/replay_cache.c | 32 ++++++++++++++++++++++++++++++++ - server/replay_cache.h | 1 + - 3 files changed, 38 insertions(+), 0 deletions(-) - -commit 5ee6715cffe9dd4bbed3c0c3eaa75b5dc618b9a6 -Author: Michael Rash -Date: Sun Aug 14 12:36:25 2011 -0400 - - Consolidated replay warnings in a single function - - For both the simple digest file cache and the gdbm/ndbm tracking methods, all - replay warnings are generated by a single function "replay_warning()". - - server/replay_cache.c | 145 +++++++++++++++++++++++++------------------------ - server/replay_cache.h | 3 +- - 2 files changed, 75 insertions(+), 73 deletions(-) - -commit c13cca4aa18317e462c4900e3779de67fa194e21 -Author: Michael Rash -Date: Sat Aug 13 22:35:52 2011 -0400 - - Added digest file import code - - The digest file is now imported as a linked list of digest cache entries at - init time for SPA replay attack detection. - - server/replay_cache.c | 104 +++++++++++++++++++++++++++++++++++++++++++----- - 1 files changed, 93 insertions(+), 11 deletions(-) - -commit 941a4aa9a39ca5a42ecec92a6fa6908ebcc2c9f2 -Author: Michael Rash -Date: Sat Aug 13 21:00:54 2011 -0400 - - Added source port and protocol to digest tracking - - Added the source port and protocol fields to valid SPA packets in the digest - cache. This can help to discover replay trends. 
The format of the digest
- file cache is now:
-
-