Michael Rash
0c19e5170a
[test suite] added backwards compatibility tests with a dual usage key in access.conf
2013-06-10 21:16:33 -04:00
Michael Rash
a3e06966b5
[client] minor man page wording update for backwards compatibility section
2013-06-10 21:14:09 -04:00
Michael Rash
46dadecf5a
[client] minor man page tweak to use rc VERBOSE bool value (which is the default now)
2013-06-09 16:00:46 -04:00
Michael Rash
056fd44c24
[commit] default --verbose rc handling to bool Y/N values, but allow integers too when --verbose is given multiple times
2013-06-09 15:58:22 -04:00
Michael Rash
dbfa2579a7
[client] minor man page tweak
2013-06-09 15:57:16 -04:00
Michael Rash
88e1e0e099
[test suite] added tests for setting gpg recipient, signer, and homedir via the client rc file
2013-06-09 15:27:19 -04:00
Michael Rash
ac587f3c63
Merge branch 'master' of github.com:mrash/fwknop
2013-06-09 14:33:29 -04:00
Michael Rash
7a1bdea514
[server] fix 'Use of untrusted string value' bug found by Coverity
This commit changes iptables policy parsing to re-use rule_exists() for fwknop
jump rule detection instead of using sscanf() against iptables policy list
output. Also, fwknop jump rules are now deleted from iptables policies in a
loop to ensure all are removed even if there are duplicates (even though this
should not happen under normal circumstances anyway).
2013-06-09 14:28:17 -04:00
Michael Rash
3d688a5a08
Merge pull request #87 from fjoncourt/master
Fwknop manpage update (fd and stdin command)
2013-06-06 20:22:55 -07:00
Michael Rash
f491c41697
[server] minor addition of IPT_CHK_RULE_ARGS macro for iptables -C usage
2013-06-06 21:29:08 -04:00
Michael Rash
866e0a95d5
[server] minor bug fix to switch iptables comment match check to built-in INPUT chain
2013-06-05 21:46:51 -04:00
Franck Joncourt
e515ba45fe
Merge remote-tracking branch 'upstream/master'
Conflicts:
client/fwknop.8.in
2013-06-05 21:47:41 +02:00
Franck Joncourt
7dec26852a
Updated fwknop manpage to document both the use of stdin and fd commands.
2013-06-05 21:38:26 +02:00
Michael Rash
17974a1c05
[server] comment additions regarding Coverity low priority TOCTOU issues
2013-06-04 22:17:59 -04:00
Michael Rash
59eb7fcf0f
[extras] update spa-entropy.pl script to point fwknop client in gpg mode to the no-pw homedir
2013-06-04 21:17:15 -04:00
Michael Rash
8b62984887
Merge branch 'gpgme_autoconf_macro'
This commit adds a new m4/gpgme.m4 to allow autogen.sh to work properly when
libgpgme is not installed. Closes #72.
2013-06-03 21:59:26 -04:00
Michael Rash
7c4beabea0
a few HMAC doc updates to the libfko.texi file
2013-06-03 21:45:29 -04:00
Michael Rash
69ba2d7a06
fko-wrapper update to print fko_errstr() text, and to have one successful HMAC cycle
2013-06-03 20:54:40 -04:00
Michael Rash
66399fed1a
Merge remote-tracking branch 'fjoncourt/master'
Closes #74 - allows a passphrase to be read from STDIN or from a file descriptor
via --fd.
2013-06-02 22:54:23 -04:00
Michael Rash
e7716b49c6
[test suite] minor bug fix to include the new legacy long key file in Makefile.am
2013-06-02 22:08:54 -04:00
Michael Rash
164888e075
[test suite] added backwards compatibility test for truncated keys longer than 16 chars
2013-06-02 21:19:19 -04:00
Franck Joncourt
583e1e02c7
Merge remote-tracking branch 'upstream/master'
Conflicts:
client/config_init.c
2013-06-02 21:54:25 +02:00
Franck Joncourt
9fce10abd8
Adding support for reading encryption/key password from a file descriptor.
* Added tests to the test suite.
* Updated the usage message.
* Fixed the password functions.
reference: mrash/fwknop#74
2013-06-02 21:36:17 +02:00
Michael Rash
2874205d05
started on libfko.texi function prototype and FKO error code documentation updates
2013-06-02 14:50:37 -04:00
Michael Rash
491e25a6bd
restored the NEWS file since autoconf seems to need it
2013-06-02 14:29:37 -04:00
Michael Rash
382099e85a
Updated copyright dates, removed NEWS file in favor of the ChangeLog
2013-06-02 14:07:01 -04:00
Michael Rash
1b41e606a7
Added backwards compatibility section to the client man page
Added backwards compatibility section and new material on a 'quick start'
subsection for the EXAMPLES section.
2013-06-02 13:51:25 -04:00
Michael Rash
1c8d247887
ChangeLog update to mention the constant_runtime_cmp() change
2013-06-01 22:30:29 -04:00
Michael Rash
af88af3e51
Merge branch 'hmac_timing_bug_fix'
Fixes #85
2013-06-01 22:23:35 -04:00
Michael Rash
b95292ef90
added fwknopd man page blurb for the ENABLE_PCAP_ANY_DIRECTION variable
2013-06-01 22:10:32 -04:00
Michael Rash
54872acfc3
Convert strncmp() calls to constant_runtime_cmp() at various places
This commit is a follow up to Ryman's report (#85) of a potential timing attack
that could be leveraged against fwknop when strncmp() is used to compare HMAC
digests. All strncmp() calls that do similar things have been replaced with a
new constant_runtime_cmp() function that mitigates this problem.
2013-06-01 21:55:45 -04:00
Franck Joncourt
f3af0d48c5
Interim commit to be able to load key from file descriptor (fd 0 for example).
2013-06-01 23:14:56 +02:00
Michael Rash
6706c53902
[libfko] HMAC comparison timing bug fix
Ryman reported a timing attack bug in the HMAC comparison operation (#85) and
suggested a fix derived from YaSSL:
http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
2013-06-01 09:09:17 -04:00
Michael Rash
0f0f73636f
[server] minor update to rename PCAP_ANY_DIRECTION -> ENABLE_PCAP_ANY_DIRECTION
2013-05-31 23:19:48 -04:00
Michael Rash
9b2cd9e2e5
[client] allow -D to be used in --save-rc-stanza mode if -n is not given
This change simplifies the fwknop client usage by allowing the -D argument to
be used as the stanza name if -n is not also specified in --save-rc-stanza
mode.
2013-05-31 23:01:47 -04:00
Michael Rash
32a6d05cdb
added HMAC digests section to libfko info doc
2013-05-31 22:47:06 -04:00
Michael Rash
9cbb80d434
update man page in client/server directories to the latest
2013-05-31 21:36:49 -04:00
Michael Rash
b4171fe90c
[test suite] minor update to reduce logging noise in valgrind comparison test
2013-05-30 22:50:29 -04:00
Michael Rash
b5c8146823
minor configure.ac typo fix for --help output
2013-05-30 22:42:13 -04:00
Michael Rash
1e77535068
minor documentation updates
2013-05-30 22:26:09 -04:00
Michael Rash
0504627c2e
[client] don't print keys to stdout in --save-rc-stanza --key-gen mode
This is a minor commit to not print keys to stdout when both --save-rc-stanza
and --key-gen are set on the command line.
2013-05-30 22:03:11 -04:00
Michael Rash
0001b37f44
Merge remote-tracking branch 'fjoncourt/save_rc_stanza'
This set of fixes from Franck allows for much better --save-rc-stanza
functionality - new SPA keys can automatically be saved to the fwknoprc
file when --key-gen and --save-rc-stanza are given, keys aren't overwritten
upon updating the arguments for an existing stanza, and more.
Conflicts:
client/config_init.c
2013-05-29 18:53:08 -04:00
Franck Joncourt
6d9f840ab7
The -R command line switch is now handled in fwknoprc as RESOLVE_IP_HTTP variable.
2013-05-29 14:06:57 +02:00
Franck Joncourt
cf6cb01f67
Fixed ask_overwrite(). Generated keys are now stored in fwknoprc.
* ask_overwrite() : when the user inputs more than one char when prompted,
a second call to the function does not take the second char anymore.
We parse all of the chars until we reach an LF char and discard all of them
except the first one.
The overwrite is requested only when the user sets 'y', if there is anything
else we assume 'N'.
* When -k is used on the command line along with the --save-rc-stanza, the
generated keys are also written in the stanza in fwknoprc.
2013-05-29 12:19:56 +02:00
Franck Joncourt
82caa9a6a9
The variables are now stored in a hash (variable name and position) rather than
an array containing only their name. It is now possible to sort them without
worrying about their position in the enumeration.
Improve variable naming for a better understanding (var_ndx becomes var_pos).
2013-05-28 17:14:36 +02:00
Franck Joncourt
dedc4bc8aa
Interim commit to handle bitmask with more than 32 positions.
2013-05-27 18:18:47 +02:00
Franck Joncourt
cc07d10d73
Set command line argument bitmask as a 64-bit value to be able to handle more arguments.
Interim commit to add the VERBOSE variable to be stored in the fwknoprc file when
-v is used with --save-rc-stanza. The VERBOSE variable is also read by fwknop
and the verbosity level is set accordingly.
2013-05-25 21:56:01 +02:00
Michael Rash
478f86669c
minor Makefile.am update to set permissions on access.conf.inst and fwknopd.conf.inst files
2013-05-23 14:48:40 -04:00
Michael Rash
67f96dc3d4
[client] minor fix to set -R mode when a resolve URL is also set
The command line arg validation function also checks this.
2013-05-23 14:46:17 -04:00
Michael Rash
b9bd984768
[test suite] bug fix on FreeBSD to just run the server for the active/expire sets not equal test
2013-05-23 14:44:29 -04:00