Bug fix to ensure that a User-Agent string can be specified when the
fwknop client uses wget via SSL to resolve the external IP address. This
closes issue #134 on github reported by Barry Allard. The fwknop now
uses the wget '-U' option to specify the User-Agent string with a
default of "Fwknop/<version>". In addition, a new command line argument
"--use-wget-user-agent" to allow the default wget User-Agent string to
apply instead.
External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by
default. The IP resolution URL is now 'https://www.cipherdyne.org/cgi-gin/myip',
and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified
(it is safer just to use the default). The fwknop client leverages 'wget' for
this operation since that is cleaner than having fwknop link against an SSL
library.
This is a significant commit to add the ability to leverage libfko fault
injections from both the fwknop client and server command lines via a
new option '--fault-injection-tag <tag name>'. This option is used by
the test suite with the tests/fault_injection.pl tests.
This commit fixes a minor memory leak in the fwknop client before
calling exit() when an abnormally large number of command line arguments
are given. The leak was found with valgrind together with the test
suite (specifically the 'show last args (4)' test):
==23748== 175 bytes in 50 blocks are definitely lost in loss record 1 of 1
==23748== at 0x4C2C494: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23748== by 0x1112F1: run_last_args (fwknop.c:991)
==23748== by 0x110D36: prev_exec (fwknop.c:916)
==23748== by 0x10D953: main (fwknop.c:170)
Additional test coverage was added for the client via the
basic_operations.pl tests.
- [server] When GnuPG is used, the default now is to require that
incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
is no longer necessary in order to authenticate SPA packets via the
GnuPG signature. Verification of GnuPG signatures can be disabled with a
new access.conf variable GPG_DISABLE_SIG, but this is NOT a
recommended configuration.
- [client+server] Add --gpg-exe command line argument and GPG_EXE
config variable to ~/.fwknoprc and the access.conf file so that the path
to GnuPG can be changed from the default /usr/bin/gpg path.
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
Suggested doc update to fwknop man pages to accurately describe the usage
of digits instead of bytes for SPA random data. About 53 bits of entropy
are actually used, although this is in addition to the 64-bit random salt
in for key derivation used by PBKDF1 in Rjindael CBC mode.
This commit replaces the separately implemented client/server
is_base64() check with a single libfko function, and libfko itself now
uses it as well before prepending Rijndael or GnuPG base64 encoded
prefixes.
