Michael Rash
74428adae6
[server] Bug fix for PF firewalls without ALTQ support on FreeBSD.
...
With this commit PF rules are added correctly regardless of whether ALTQ support
is available or not. Thanks to Barry Allard for discovering and reporting this
issue. Closes issue #121 on github.
2014-07-18 20:54:11 -04:00
Michael Rash
51506db24c
minor README.md summary update
2014-07-11 22:41:32 -05:00
Michael Rash
6fe1107bbf
minor README.md formatting updates
2014-07-11 22:29:13 -05:00
Michael Rash
f7004cec62
Merge pull request #122 from steakknife/convert_readme
...
readme -> md
2014-07-11 09:43:50 -05:00
Barry Allard
3d504cfc17
readme -> md
...
Signed-off-by: Barry Allard <barry.allard@gmail.com>
2014-07-08 19:09:29 -07:00
Michael Rash
3bd1d0742e
[test suite] add --gpg-home-dir arg to GPG test
2014-07-08 16:32:26 -05:00
Michael Rash
7e1346c49a
[test suite] add variable expansion and fwknopd override tests
2014-07-08 16:31:06 -05:00
Michael Rash
824ebe94f8
[test suite] run interrupt signal test against foreground fwknopd process
2014-07-08 16:28:42 -05:00
Michael Rash
1dccab0fc8
[server] handle signal vars in dedicated function
2014-07-08 16:26:51 -05:00
Michael Rash
3c06948414
[server] alert the user when config file variable expansion references invalid var
2014-07-08 16:25:53 -05:00
Michael Rash
0e5c4644fc
[test suite] add GPG test for a manually altered SPA packet
2014-07-07 22:16:47 -05:00
Michael Rash
1b47173906
[test suite] add SYSLOG_FACILITY tests
2014-07-07 21:35:27 -05:00
Michael Rash
5c54ef00ad
[server] refactor main() into a more natural breakdown of functions
2014-07-07 21:34:45 -05:00
Michael Rash
9f2e01eb01
[server] Fix uninitialized value usage after proper SPA authentication/decryption
...
Bug fix discovered with the libfiu fault injection tag
"fko_get_username_init" combined with valgrind analysis. This bug
is only triggered after a valid authenticated and decrypted SPA
packet is sniffed by fwknopd:
==11181== Conditional jump or move depends on uninitialised value(s)
==11181== at 0x113B6D: incoming_spa (incoming_spa.c:707)
==11181== by 0x11559F: process_packet (process_packet.c:211)
==11181== by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
==11181== by 0x114BCC: pcap_capture (pcap_capture.c:270)
==11181== by 0x10F32C: main (fwknopd.c:195)
==11181== Uninitialised value was created by a stack allocation
==11181== at 0x113476: incoming_spa (incoming_spa.c:294)
2014-07-07 21:27:53 -05:00
Michael Rash
5474ced90b
[test suite] extend invalid sniff interface test to include promisc mode
2014-07-05 23:10:26 -05:00
Michael Rash
77eb1a763f
[test suite] add invalid sniff interface test
2014-07-05 22:44:40 -05:00
Michael Rash
f0285ae2b5
[test suite] add invalid gpg sig ID list
2014-07-04 20:05:54 -04:00
Michael Rash
ffa77a9e54
[test suite] add GPG_DISABLE_SIG test
2014-07-04 19:54:56 -04:00
Michael Rash
a2ff2a396c
[server] call clean_exit() upon check_dir_path() error
2014-07-03 10:31:30 -04:00
Michael Rash
5ced103207
[test suite] minor test coverage addition for invalid locale setting
2014-07-03 10:17:52 -04:00
Michael Rash
fed2da3bb0
[test suite] additional valgrind suppression for pcap-file processing
2014-07-03 08:52:48 -04:00
Michael Rash
43b770320a
[server] Require sig ID's or fingerprints when sigs are validated
...
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
2014-06-30 11:52:42 -04:00
Michael Rash
77384a904e
[server] add access.conf variable GPG_FINGERPRINT_ID
...
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the abbreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is
GPG_FINGERPRINT_ID 00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
2014-06-30 11:11:09 -04:00
Michael Rash
11b9732c16
[server] Call clean_exit() from daemon parent process
...
When becoming a daemon, make sure the fwknopd parent process calls
clean_exit() to release memory before calling exit().
2014-06-30 10:09:39 -04:00
Michael Rash
e41e0f5aaf
[test suite] added iptables OUTPUT chain test
2014-06-24 22:54:27 -04:00
Michael Rash
a4615a76b5
[test suite] add Rijndael HMAC --no-ipt-check-support test for udp/53
2014-06-24 18:21:46 -04:00
Michael Rash
125f99aa3b
[test suite] updated --gdb mode to run the first found fwknop command from an output/*.test file
2014-06-24 17:50:50 -04:00
Michael Rash
e0001e4a5d
[server] call clean_exit() on expand_acc_string_list() error
2014-06-24 17:00:30 -04:00
Michael Rash
189d0ea0bc
[server] call clean_exit() on add_acc_string() error
2014-06-24 07:39:06 -04:00
Michael Rash
ff65274e28
[server] make sure clean_exit() is called on any add_acc_b64_string() errs
2014-06-20 17:26:08 -04:00
Michael Rash
fd0805c57a
[server] minor memory leak fix for invalid FORCE_NAT var in access.conf
...
This commit fixes the following leak found by valgrind:
==6241== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==6241== at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6241== by 0x551537A: __fopen_internal (iofopen.c:73)
==6241== by 0x118C8E: parse_access_file (access.c:1143)
==6241== by 0x10F134: main (fwknopd.c:250)
2014-06-20 16:47:44 -04:00
Michael Rash
74440be653
[server] minor pointer typo fix
2014-06-16 23:08:50 -04:00
Michael Rash
3557158620
[test suite] add valgrind suppressions for libfiu
2014-06-16 17:14:52 -04:00
Michael Rash
389e55ddfc
[test suite] consolidate valgrind success/failure criteria into a single function
2014-06-16 17:13:54 -04:00
Michael Rash
55a03f3392
[test suite] added suppressions to fko-wrapper/run_valgrind.sh
2014-06-16 17:12:59 -04:00
Michael Rash
4878607254
[libfko] removed fko_new_strdup() fault injection tag since fko_destroy() isn't called
2014-06-16 17:11:52 -04:00
Michael Rash
054793fd9e
[server] check fiu_enable() return value in --fault-injection mode
2014-06-15 09:48:37 -04:00
Michael Rash
34f7ebd082
[test suite] added strtol_wrapper() fault injection tags
2014-06-15 09:41:43 -04:00
Michael Rash
42a20616b4
[libfko] additional fault injection additions with test suite support
2014-06-14 21:27:18 -04:00
Michael Rash
c00a3e7b26
[test suite] additional fault injection tests
2014-06-12 20:29:54 -04:00
Michael Rash
13ca6261b3
[test suite] minor update to not parse crash messages out of crash test output file
2014-06-12 20:29:24 -04:00
Michael Rash
06ce514111
[test suite] add several fault injection tests
2014-06-12 00:02:18 -04:00
Michael Rash
d8b2ae370a
[test suite] always run crash check at the end of test run
2014-06-12 00:01:58 -04:00
Michael Rash
e02750e666
[server] skip firewall rules check in --test mode
2014-06-12 00:01:12 -04:00
Michael Rash
410624a858
[libfko] free() temp buffer right after strdup() call, add libfiu fault injection tags
2014-06-12 00:00:40 -04:00
Michael Rash
816962982f
[server] clean up fko_destroy() calls in main access stanza loop
2014-06-11 23:59:08 -04:00
Michael Rash
b8ad48eaa9
[test suite] added fiu-run fault injection tests against the fwknopd server
2014-06-10 09:34:48 -04:00
Michael Rash
8d31de7295
[server] skip replay storage in --test mode (since we're not granting access anyway)
2014-06-10 09:32:17 -04:00
Michael Rash
70f70091b1
[server] skip fw initialization and cleanup in --test mode
2014-06-10 09:21:01 -04:00
Michael Rash
4ab677cfe0
[server] minor fwknopd --help output update
2014-06-09 20:40:44 -04:00