Michael Rash
04afd2846d
On FreeBSD, made gpgme header path inclusion optional
...
If gpgme is installed on FreeBSD systems it appears that
-I/usr/local/include/gpgme must be added to the include path, but this change
only adds the path if gpgme is installed and going to be used.
2011-08-20 22:02:21 -04:00
Michael Rash
6eeb413094
Fixed a few minor compiler warnings on FreeBSD
...
This commit fixes a few warnings about possible uninitialized and unused
variables.
2011-08-20 13:33:00 -04:00
Michael Rash
4248b26870
On FreeBSD disable read-only relocations and immediate binding protections
...
gcc on FreeBSD generates the following errors when the -Wl,-z,relro -Wl,-z,now
flags are used:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done
2011-08-20 13:19:33 -04:00
Michael Rash
637f7a4c93
Added -Wall for all gcc warnings during compile
...
Enable gcc compilation to include -Wall for all warnings (can be disabled
with --disable-wall to ./configure).
2011-08-19 21:14:24 -04:00
Michael Rash
bf59c2688f
Bug fix for ./configure args to disable compile time security options
...
The ./configure script would generate the following error for the attempted
use of the --without-stackprotector (and other related options like
--without-pie):
configure: WARNING: unrecognized options: --without-stackprotect
2011-08-19 20:51:50 -04:00
Michael Rash
df96e42c51
Added stack protection, PIE, fortify source, etc.
...
Added various security options that can be enabled at compile time. These
options include everything that the "hardening-check" script written by Kees
Cook checks for. After this change, the hardening-check script produces the
following output against the fwknopd binary:
$ hardening-check server/.libs/fwknopd
server/.libs/fwknopd:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
One of the compile outputs (for example) that shows the new options is:
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -fstack-protector-all -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -MT fko_decode.lo -MD -MP -MF .deps/fko_decode.Tpo -c -o fko_decode.lo fko_decode.c
From the hardening-check man page, here is a description of each of these
options:
NAME
hardening-check - check binaries for security hardening features
SYNOPSIS
Examine a given set of ELF binaries and check for several security
hardening features, failing if they are not all found.
DESCRIPTION
This utility checks a given list of ELF binaries for several security
hardening features that can be compiled into an executable. These
features are:
Position Independent Executable
This indicates that the executable was built in such a way
(PIE) that the "text" section of the program can be relocated
in memory. To take full advantage of this feature, the
executing kernel must support text Address Space Layout
Randomization (ASLR).
Stack Protected
This indicates that the executable was compiled with the
gcc(1) option -fstack-protector. The program will be
resistant to having its stack overflowed.
Fortify Source functions
This indicates that the executable was compiled with
-D_FORTIFY_SOURCE=2 and -O2 or higher. This causes certain
unsafe glibc functions to be replaced with their safer counterparts (e.g.
strncpy instead of strcpy).
Read-only relocations
This indicates that the executable was built with -Wl,-z,relro
to have ELF markings (RELRO) that ask the runtime linker to
mark any regions of the relocation table as "read-only" if
they were resolved before execution begins. This reduces the
possible areas of memory in a program that can be used by an
attacker that performs a successful memory corruption exploit.
Immediate binding
This indicates that the executable was built with -Wl,-z,now
to have ELF markings (BIND_NOW) that ask the runtime linker to
resolve all relocations before starting program execution.
When combined with RELRO above, this further reduces the
regions of memory available to memory corruption attacks.
2011-08-17 20:36:28 -04:00
Michael Rash
0525cd4a5c
Added autoconf support for non-dbm file cache.
...
This change starts on support for a simple file-based cache mechanism
for tracking SPA digests. This removes the libgdbm/libndbm dependency
by default, but it can be re-enabled with the --disable-file-cache
argument to the ./configure script.
2011-08-10 20:56:42 -04:00
Damien Stuart
39e7412bb8
Added a no-digest-cache configure option and capability (though it is not recommended).
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@313 510a4753-2344-4c79-9c09-4d669213fbeb
2011-03-27 02:38:41 +00:00
Damien Stuart
03361fea74
Fix check and handling of ndbm as an option for the digest cache.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@312 510a4753-2344-4c79-9c09-4d669213fbeb
2011-03-26 16:33:02 +00:00
Damien Stuart
781218e7e1
Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@298 510a4753-2344-4c79-9c09-4d669213fbeb
2010-10-31 01:45:28 +00:00
Damien Stuart
bbe8c9d7a1
Set pcap non-block mode back on unless it is a freebsd system. Server verbose output no longer shows access key or GPG password.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@290 510a4753-2344-4c79-9c09-4d669213fbeb
2010-10-21 01:53:04 +00:00
Damien Stuart
1381f18374
Made autoconf print an error message indicating ipf is not supported if it is specified. Changelog updates.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@287 510a4753-2344-4c79-9c09-4d669213fbeb
2010-08-29 01:50:58 +00:00
Damien Stuart
838b80fd7d
Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw and ipf firewall types. Updated autoconf to set a firewall type and path depending on configure arguments.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@279 510a4753-2344-4c79-9c09-4d669213fbeb
2010-08-10 02:29:09 +00:00
Damien Stuart
6126b7b7ca
Updates to accommodate building and compiling on FreeBSD systems.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@276 510a4753-2344-4c79-9c09-4d669213fbeb
2010-08-08 18:53:35 +00:00
Damien Stuart
51adbe26a2
Tweaks to autoconf files.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@275 510a4753-2344-4c79-9c09-4d669213fbeb
2010-08-01 02:13:03 +00:00
Michael Rash
7dc24c133e
Bug fix for USE_NDBM variable so that client-only builds work. The specific
...
error before the patch along with the command line invocation of the
"configure" script appear below:
$ ./configure --prefix=/usr --disable-server
[...]
configure: error: conditional "USE_NDBM" was never defined.
Usually this means the macro was only invoked conditionally.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@272 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-29 11:01:53 +00:00
Damien Stuart
35f71a82fd
Added extras directory. Bumped version in autoconf to 1.0.0rc2.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@271 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-25 15:40:51 +00:00
Damien Stuart
94130067a6
Cleaned out some old commented-out sections in configure.ac and fixed an issue where external file checks would fail when running configure in a cross-compiler environment. No code changes made.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@269 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-19 02:39:26 +00:00
Damien Stuart
b0886a1d49
Updates and clean-up to address the many compiler warnings when compiled with -Wall. Also some autoconf updates
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@265 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-16 14:28:32 +00:00
Damien Stuart
4c995c146b
Almost all the conf variables have a default value if they are not there (or set). All the entries in the initial fwknop.conf file are not commented out and can be overridden as needed.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@262 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-15 01:38:16 +00:00
Damien Stuart
153d1ec962
Added AC_SYS_LARGE_FILE to configure.ac
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@248 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-09 18:18:41 +00:00
Damien Stuart
9d2a4c2471
Fixed autoconf config so libfko and fwknop client are not linked with libpcap and libgdbm. Fixed some issues in the fwknop.spec file.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@244 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-08 01:59:51 +00:00
Damien Stuart
2a67766589
Added fwknop.spec for rpm builds. Removed the server post install hook as it breaks make distcheck and rpm builds.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@238 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-07 02:32:01 +00:00
Damien Stuart
b6c57aa6a0
Changed the way running external commands is handled to address issues with it not working on some systems/configurations. Just using system and popen, and fw commands are run with stdout and stderr tied together.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@230 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-03 02:07:28 +00:00
Damien Stuart
aef097a31f
Some tweaks to the sigchld handling in the server. Other misc minor cleanup.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@222 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-22 01:14:42 +00:00
Damien Stuart
d0373a5b33
Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworked the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encrypted message data. Removed the previously added pretty-print routine from configure. Updated configure to check for path to gpg executable. Updated docs accordingly.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@205 510a4753-2344-4c79-9c09-4d669213fbeb
2010-02-06 03:43:54 +00:00
Damien Stuart
02e5d45bf0
Bumped working version to 2.0.0-alpha-pre2 to differentiate from the tagged 2.0.0-alpha-pre1. Updated Changelog.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@204 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-31 01:42:49 +00:00
Damien Stuart
e3bd3b703e
Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decryption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@203 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-30 20:22:53 +00:00
Damien Stuart
bcdef1938a
Commented out AM_MAINTAINER_MODE.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@190 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-06 03:05:45 +00:00
Damien Stuart
909ff4eaec
Added check for and creation of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@177 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-02 16:42:07 +00:00
Damien Stuart
142d07142b
Fixed incorrect variable in configure.ac.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@175 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-29 04:27:54 +00:00
Damien Stuart
b823580203
Added configure args for specifying specific paths to the local executables used by fwknopd.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@174 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-29 03:56:32 +00:00
Damien Stuart
2310b366ee
Made local exe checks run only if a server is being built. Removed checks for external progs that may not be needed yet.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@173 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-29 02:45:47 +00:00
Damien Stuart
861c0e8e1a
Autoconf updates for detecting locally installed program paths and changes to facilitate portability. Also set AM_MAINTAINER_MODE so we are not forced to regen/reconfigure when we change one of the autoconf source files (but we do now need to remember to do it ourselves before making a new dist).
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@172 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-28 03:20:55 +00:00
Michael Rash
fecdd4a764
bumped version to 2.0.0-alpha-pre1
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@168 510a4753-2344-4c79-9c09-4d669213fbeb
2009-11-20 05:17:02 +00:00
Damien Stuart
5cf8813eac
Updated digest cache to store additional information including src ip, created, first_replay, last_replay, and replay count.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@163 510a4753-2344-4c79-9c09-4d669213fbeb
2009-11-02 01:46:56 +00:00
Damien Stuart
4b8e3e974b
Changed digest cache to use gdbm directly with fallback to ndbm (still not tested).
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@154 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-18 14:26:06 +00:00
Damien Stuart
8c1261ca39
Fixed memory leak issue in libfko when fko_new_with_data() was called with a bad key. Added autoconf checks for gdbm with fallback to ndbm for server builds. Added digest cache capability using gdbm (in ndbm compatibility mode) or ndbm for replay detection.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@153 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-16 02:23:02 +00:00
Damien Stuart
2bf25e62a7
Added perl/legacy distribution (fwknop-1.9.12). Renamed this distribution from fwknop-c to simply fwknop. Made the version 2.0.0-alpha.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@143 510a4753-2344-4c79-9c09-4d669213fbeb
2009-09-11 00:43:24 +00:00
Damien Stuart
791eb4055b
Added check for libpcap. More stubbing in on the server code side.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@137 510a4753-2344-4c79-9c09-4d669213fbeb
2009-09-04 21:14:44 +00:00
Damien Stuart
1da9ea0f6b
Made the configure help message show --disable-xxx as the options for whether or not to build the server or client.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@129 510a4753-2344-4c79-9c09-4d669213fbeb
2009-08-09 16:19:50 +00:00
Damien Stuart
53b7fae8bb
Major rearrangement. Renamed directories: "fko" to "lib", "src" to "client". Added "common" and "server" directories. Setup autoconf to allow disabling the server and/or client builds.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@127 510a4753-2344-4c79-9c09-4d669213fbeb
2009-08-09 15:43:16 +00:00
Damien Stuart
7f45031cef
Added SHA384 and SHA512 digests. Tweaks for getting rid of windows warnings. Use recv instead of read on socket. Bumped version to 0.63 (libfko) and 0.23 (FKO perl module).
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@123 510a4753-2344-4c79-9c09-4d669213fbeb
2009-08-02 18:28:34 +00:00
Damien Stuart
488ca566e1
Minor updates to non-code-related files. Changed some copyrights to 2009.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@100 510a4753-2344-4c79-9c09-4d669213fbeb
2009-06-07 20:33:53 +00:00
Damien Stuart
ee78a35cfd
Made the dist name "fwknop-c" so as not to confuse it with the current "fwknop".
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@87 510a4753-2344-4c79-9c09-4d669213fbeb
2009-05-19 00:48:28 +00:00
Damien Stuart
2865912c0a
Tweaks to updated API. Added GPG signature checking and processing functions. Updated Perl module and perldoc for new API and functions.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@83 510a4753-2344-4c79-9c09-4d669213fbeb
2009-05-03 15:47:45 +00:00
Damien Stuart
6e90c5efc6
Added gpg-home-dir support to libfko and the fwknop program. Added the fko_set_spa_data() function. Documentation updates and other tweaks to support these changes.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@75 510a4753-2344-4c79-9c09-4d669213fbeb
2009-03-17 02:05:25 +00:00
Damien Stuart
b82f0e99dd
Tweaked byte order determination for Solaris systems.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@74 510a4753-2344-4c79-9c09-4d669213fbeb
2009-03-15 14:37:35 +00:00
Damien Stuart
7f0e7a9a35
Updated autoconf files and code to support Solaris (ver 10 x86 at least). This includes better type checking and resolving some conflicting names under Solaris.
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@73 510a4753-2344-4c79-9c09-4d669213fbeb
2009-03-15 14:00:42 +00:00
Damien Stuart
41127cd7ed
Added better autoconf handling of gpgme. Fixes so libfko will compile under FreeBSD (7.0 release anyway).
...
git-svn-id: file:///home/mbr/svn/fwknop/trunk@68 510a4753-2344-4c79-9c09-4d669213fbeb
2009-02-22 19:15:24 +00:00