Commit Graph

405 Commits

Author SHA1 Message Date
Michael Rash
1dccab0fc8 [server] handle signal vars in dedicated function 2014-07-08 16:26:51 -05:00
Michael Rash
3c06948414 [server] alert the user when config file variable expansion references invalid var 2014-07-08 16:25:53 -05:00
Michael Rash
1b47173906 [test suite] add SYSLOG_FACILITY tests 2014-07-07 21:35:27 -05:00
Michael Rash
5c54ef00ad [server] refactor main() into a more natural breakdown of functions 2014-07-07 21:34:45 -05:00
Michael Rash
9f2e01eb01 [server] Fix uninitialized value usage after proper SPA authentication/decryption
Bug fix discovered with the libfiu fault injection tag
"fko_get_username_init" combined with valgrind analysis. This bug
is only triggered after a valid authenticated and decrypted SPA
packet is sniffed by fwknopd:

==11181== Conditional jump or move depends on uninitialised value(s)
==11181==    at 0x113B6D: incoming_spa (incoming_spa.c:707)
==11181==    by 0x11559F: process_packet (process_packet.c:211)
==11181==    by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
==11181==    by 0x114BCC: pcap_capture (pcap_capture.c:270)
==11181==    by 0x10F32C: main (fwknopd.c:195)
==11181==  Uninitialised value was created by a stack allocation
==11181==    at 0x113476: incoming_spa (incoming_spa.c:294)
2014-07-07 21:27:53 -05:00
Michael Rash
a2ff2a396c [server] call clean_exit() upon check_dir_path() error 2014-07-03 10:31:30 -04:00
Michael Rash
43b770320a [server] Require sig ID's or fingerprints when sigs are validated
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
2014-06-30 11:52:42 -04:00
Michael Rash
77384a904e [server] add access.conf variable GPG_FINGERPRINT_ID
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the abbreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is

GPG_FINGERPRINT_ID            00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
2014-06-30 11:11:09 -04:00
Michael Rash
11b9732c16 [server] Call clean_exit() from daemon parent process
When becoming a daemon, make sure the fwknopd parent process calls
clean_exit() to release memory before calling exit().
2014-06-30 10:09:39 -04:00
Michael Rash
e0001e4a5d [server] call clean_exit() on expand_acc_string_list() error 2014-06-24 17:00:30 -04:00
Michael Rash
189d0ea0bc [server] call clean_exit() on add_acc_string() error 2014-06-24 07:39:06 -04:00
Michael Rash
ff65274e28 [server] make sure clean_exit() is called on any add_acc_b64_string() errs 2014-06-20 17:26:08 -04:00
Michael Rash
fd0805c57a [server] minor memory leak fix for invalid FORCE_NAT var in access.conf
This commit fixes the following leak found by valgrind:

==6241== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==6241==    at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6241==    by 0x551537A: __fopen_internal (iofopen.c:73)
==6241==    by 0x118C8E: parse_access_file (access.c:1143)
==6241==    by 0x10F134: main (fwknopd.c:250)
2014-06-20 16:47:44 -04:00
Michael Rash
74440be653 [server] minor pointer typo fix 2014-06-16 23:08:50 -04:00
Michael Rash
054793fd9e [server] check fiu_enable() return value in --fault-injection mode 2014-06-15 09:48:37 -04:00
Michael Rash
06ce514111 [test suite] add several fault injection tests 2014-06-12 00:02:18 -04:00
Michael Rash
e02750e666 [server] skip firewall rules check in --test mode 2014-06-12 00:01:12 -04:00
Michael Rash
816962982f [server] clean up fko_destroy() calls in main access stanza loop 2014-06-11 23:59:08 -04:00
Michael Rash
8d31de7295 [server] skip replay storage in --test mode (since we're not granting access anyway) 2014-06-10 09:32:17 -04:00
Michael Rash
70f70091b1 [server] skip fw initialization and cleanup in --test mode 2014-06-10 09:21:01 -04:00
Michael Rash
4ab677cfe0 [server] minor fwknopd --help output update 2014-06-09 20:40:44 -04:00
Michael Rash
6d1d66fe03 add --fault-injection-tag support to the client/server/libfko
This is a significant commit to add the ability to leverage libfko fault
injections from both the fwknop client and server command lines via a
new option '--fault-injection-tag <tag name>'.  This option is used by
the test suite with the tests/fault_injection.pl tests.
2014-06-05 23:05:49 -04:00
Michael Rash
0c544f2690 [server] add --test mode to enable broader fuzzing coverage 2014-05-08 07:35:42 -04:00
Michael Rash
64a4642c47 [server] minor fix to remove unnecessary opts.status check 2014-05-08 07:28:48 -04:00
Michael Rash
02ed5f5ad4 [server] add --exit-parse-config option, man page updates (minor formatting change) 2014-05-04 09:17:27 -04:00
Michael Rash
5f24fc8c5f [server] add --dump-serv-err-codes for test coverage 2014-05-02 22:59:05 -04:00
Michael Rash
11f3e9b8d3 [server] add test coverage for tcp server when FUZZING_INTERFACES is defined 2014-05-02 22:29:03 -04:00
Michael Rash
fb21e3a575 [server] bug fix to handle SPA packets via http 2014-04-29 23:25:31 -04:00
Michael Rash
6dde30bc91 [test suite] significant test coverage update
This commit adds a lot of test coverage support as guided by gcov +
lcov.

Also added the --no-ipt-check-support option to fwknopd (this is only
useful in practice on older Linux distros where 'iptables -C' is not
available, but it helps with test coverage).
2014-04-29 20:54:01 -04:00
Michael Rash
67dd1d5bdd [server] bug fix to allow IP-formatted masks for SOURCE lines in access.conf 2014-04-12 15:21:00 -04:00
Michael Rash
fdb8c890e9 [server] make parse_access_file() exit if there is a variable formatting problem 2014-04-10 23:08:19 -04:00
Michael Rash
ac6ffe2ec7 [server] Validate GPG sigs with libfko fko_gpg_signature_id_match() function 2014-04-09 23:56:03 -04:00
Michael Rash
c4a59ec90f [server] fix IP subnet mask CIDR range restriction bug found by Coverity 2014-03-27 21:59:30 -04:00
Michael Rash
73bc473563 [client+server] verify GnuPG signatures by default
- [server] When GnuPG is used, the default now is to require that
incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
is no longer necessary in order to authenticate SPA packets via the
GnuPG signature. Verification of GnuPG signatures can be disabled with a
new access.conf variable GPG_DISABLE_SIG, but this is NOT a
recommended configuration.
- [client+server] Add --gpg-exe command line argument and GPG_EXE
config variable to ~/.fwknoprc and the access.conf file so that the path
to GnuPG can be changed from the default /usr/bin/gpg path.
2014-03-25 19:53:13 -04:00
Michael Rash
5baf8a3fa9 replace malloc() with calloc() calls 2014-03-15 22:02:57 -04:00
Michael Rash
9e990c9be0 fix header non-ascii chars, and introduce test suite support for detecting this in source files 2014-03-14 09:14:35 -04:00
Michael Rash
bfdbb8f260 Updated authorship and copyright information
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
2014-03-04 17:53:10 -05:00
Michael Rash
3eeca9b2e3 [server] minor comment typo fix 2014-03-01 14:34:20 -05:00
Michael Rash
cf6a38ea0d [server] better checking for read() return value flagged by Coverity 2014-01-12 21:40:20 -05:00
Michael Rash
05d6e1c4a7 [server] fixed copy-and-paste NULL check bug found by Coverity 2014-01-12 21:08:55 -05:00
Michael Rash
919f25f85d [server] fw_initialize() vs. fw_config_init() bug fix for use_masquerade 2013-12-14 19:41:00 -05:00
Michael Rash
92cdb47ff7 [server] added FORCE_MASQUERADE to fwknopd(8) man page, closes #101
This commit completes the addition of generalized NAT (both DNAT and
SNAT) capabilities to access.conf stanzas.
2013-12-14 15:44:39 -05:00
Michael Rash
3b2cd063fe [server] pcap_dispatch() packet count default to 100
Updated pcap_dispatch() default packet count from zero to 100.
This change was made to ensure backwards compatibility with older
versions of libpcap per the pcap_dispatch() man page, and also because
of a report from Les Aker of an unexpected crash on Arch Linux with
libpcap-1.5.1 that is fixed by this change (closes #110).
2013-12-10 22:24:39 -06:00
Michael Rash
5f50ac22db [server] use SIGKILL if necessary for -K
This change sends SIGKILL to fwknopd under -K if SIGTERM does not do the job
first.  This can be necessary in some cases if libpcap does not properly handle
a packet count of zero in pcap_dispatch() (see github issue #110).  On a side
note, the default packet dispatch count of zero will likely be changed because
of that issue too.
2013-12-10 14:35:38 -06:00
Michael Rash
46b5f2ecaf [server] added the ability to use FORCE_MASQUERADE to access.conf stanzas 2013-12-05 23:00:19 -05:00
Michael Rash
e0114e60c2 [server] Added FORCE_SNAT to access.conf stanzas.
Added FORCE_SNAT to the access.conf file so that per-access stanza SNAT
criteria can be specified for SPA access.
2013-12-04 21:52:07 -05:00
Michael Rash
d7aa820e33 [server] Bug fix for SPA NAT modes on iptables firewalls for chain re-creation
For SPA NAT modes this commit ensures that custom fwknop chains are re-created
if they get deleted out from under the running fwknopd instance.
2013-12-03 21:42:23 -05:00
Michael Rash
78f696b2f7 [libfko] implemented shared utility function for ipv4 address checking
This commit implements a single shared utility function for checking the
validity of an IPv4 address, and both libfko and the fwknopd server use it
now.  The client will be updated as well.
2013-11-20 17:13:55 -05:00
Michael Rash
5f5367cf62 [server] minor error code text typo fixes 2013-11-19 23:14:46 -05:00
Michael Rash
196fef65b6 [libfko] move is_base64 check to libfko
This commit replaces the separately implemented client/server
is_base64() check with a single libfko function, and libfko itself now
uses it as well before prepending Rijndael or GnuPG base64 encoded
prefixes.
2013-11-16 19:20:08 -05:00