Commit Graph

152 Commits

Author SHA1 Message Date
Michael Rash
5df4376602 add new test suite files to Makefile.am 2014-11-15 00:36:33 -05:00
Michael Rash
aaa44656bc [server] add support for American Fuzzy Lop (AFL) fuzzing 2014-11-13 20:55:04 -05:00
Michael Rash
7a98eed759 [test suite] add spa_fuzzing.py and a few minor helper files for FreeBSD/OpenBSD 2014-11-01 20:44:35 -04:00
Michael Rash
387c1acdf7 add fcs_spa.pcap to Makefile.am 2014-10-28 21:29:34 -04:00
Michael Rash
58d47cb385 [test suite] additional code coverage for a few areas 2014-10-24 20:39:40 -04:00
Michael Rash
b8f1cf6c6c make sure test suite conf files are included in Makefile.am 2014-10-21 22:49:03 -04:00
Michael Rash
56a6b7dee5 give firewalld its own namespace (can track firewalld changes independently of iptables) 2014-10-21 22:43:21 -04:00
Michael Rash
6945e23bc9 [test suite] UDP server command execution tests, run configure arg recompile tests after gcov profiling stuff 2014-10-20 22:23:46 -04:00
Michael Rash
15f73c7f9e [test suite] added configure args test with UDP server test for fwknopd not linking against libpcap 2014-10-19 22:58:35 -04:00
Michael Rash
a6007918a8 added setuid/setgid cmd exec test files 2014-10-10 08:15:44 -04:00
Michael Rash
ed9e1ac236 added setgid() call for command execution along with CMD_EXEC_GROUP access.conf var 2014-10-07 16:18:14 -04:00
Michael Rash
e6d162215f [test suite] added command execution setuid() 'nobody' test 2014-10-06 22:04:20 -04:00
Michael Rash
fedc691e21 [test suite] added generate_core.sh script and --enable-cores-pattern arg for the test suite 2014-10-06 21:10:02 -04:00
Michael Rash
24ccf03a90 added configure_max_coverage.sh helper script 2014-07-28 15:50:25 -04:00
Michael Rash
655abf6f0b [test suite] WGET_CMD and RESOLVE_HTTP_ONLY fwknoprc test coverage 2014-07-28 09:46:08 -04:00
Michael Rash
59718f1a36 [client] Updated IP resolution mode -R to use SSL
External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by
default. The IP resolution URL is now 'https://www.cipherdyne.org/cgi-gin/myip',
and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified
(it is safer just to use the default). The fwknop client leverages 'wget' for
this operation since that is cleaner than having fwknop link against an SSL
library.
2014-07-25 17:42:06 -04:00
Michael Rash
ec54b4fd11 fixed README paths 2014-07-19 16:30:00 -04:00
Michael Rash
6fe1107bbf minor README.md formatting updates 2014-07-11 22:29:13 -05:00
Michael Rash
7e1346c49a [test suite] add variable expansion and fwknopd override tests 2014-07-08 16:31:06 -05:00
Michael Rash
f0285ae2b5 [test suite] add invalid gpg sig ID list 2014-07-04 20:05:54 -04:00
Michael Rash
ffa77a9e54 [test suite] add GPG_DISABLE_SIG test 2014-07-04 19:54:56 -04:00
Michael Rash
a2ff2a396c [server] call clean_exit() upon check_dir_path() error 2014-07-03 10:31:30 -04:00
Michael Rash
43b770320a [server] Require sig ID's or fingerprints when sigs are validated
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
2014-06-30 11:52:42 -04:00
Michael Rash
77384a904e [server] add access.conf variable GPG_FINGERPRINT_ID
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the abbreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is

GPG_FINGERPRINT_ID            00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
2014-06-30 11:11:09 -04:00
Michael Rash
e41e0f5aaf [test suite] added iptables OUTPUT chain test 2014-06-24 22:54:27 -04:00
Michael Rash
cf3f41821b [test suite] add fault injection tests 2014-05-22 08:36:11 -05:00
Michael Rash
a2f2777e9f [test suite] add fko_basic.c file to the FKO wrapper 2014-05-22 08:24:16 -05:00
Michael Rash
7d1ad9a4fa add new test suite conf files 2014-05-08 07:26:18 -04:00
Michael Rash
fb21e3a575 [server] bug fix to handle SPA packets via http 2014-04-29 23:25:31 -04:00
Michael Rash
0ff2100993 [test suite/client] memory leak bug fix and test coverage
This commit fixes a minor memory leak in the fwknop client before
calling exit() when an abnormally large number of command line arguments
are given.  The leak was found with valgrind together with the test
suite (specifically the 'show last args (4)' test):

==23748== 175 bytes in 50 blocks are definitely lost in loss record 1 of 1
==23748==    at 0x4C2C494: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23748==    by 0x1112F1: run_last_args (fwknop.c:991)
==23748==    by 0x110D36: prev_exec (fwknop.c:916)
==23748==    by 0x10D953: main (fwknop.c:170)

Additional test coverage was added for the client via the
basic_operations.pl tests.
2014-04-08 21:12:46 -04:00
Michael Rash
d9c1eb8f51 [test suite] more client/config_init.c test coverage 2014-04-07 22:31:56 -04:00
Michael Rash
2da2704d4c [test suite] fwknoprc GPG tests, more time offset tests 2014-04-03 19:30:58 -04:00
Michael Rash
f2484e599f [test suite] rc file time offset tests 2014-04-01 10:41:36 -04:00
Michael Rash
7e1f3aad69 [test suite] add long_spa.key file 2014-03-31 13:58:40 -04:00
Michael Rash
3ca546092b [test suite] additional rc file code coverage tests 2014-03-29 22:23:45 -04:00
Michael Rash
22b1b2d9d2 [test suite] additional client/config_init.c code coverage test for fwknoprc file parsing 2014-03-29 21:44:24 -04:00
Michael Rash
74a4cabb9c [test suite] Added valgrind suppressions for gpgme
Running the test suite with --enable-valgrind resulted in large numbers
of leaks detected in gpgme functions.  This commit adds a valgrind
suppressions file to squash these errors (which are not fwknop's fault),
and also enables the valgrind --child-silent-after-fork option by
default.  Both of these can be disabled in test suite execution with two
new options: --valgrind-disable-suppressions and
--valgrind-disable-child-silent.
2014-03-27 12:02:30 -04:00
Michael Rash
73bc473563 [client+server] verify GnuPG signatures by default
- [server] When GnuPG is used, the default now is to require that
incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
is no longer necessary in order to authenticate SPA packets via the
GnuPG signature. Verification of GnuPG signatures can be disabled with a
new access.conf variable GPG_DISABLE_SIG, but this is NOT a
recommended configuration.
- [client+server] Add --gpg-exe command line argument and GPG_EXE
config variable to ~/.fwknoprc and the access.conf file so that the path
to GnuPG can be changed from the default /usr/bin/gpg path.
2014-03-25 19:53:13 -04:00
Michael Rash
ad512ff6e7 [test suite] added Rijndael+HMAC SPOOF_SRC fwknoprc file test 2014-03-13 21:43:51 -04:00
Michael Rash
4181b43f55 [test suite] Added Rijndael+HMAC NAT rand port via client rc file test 2014-03-13 20:10:26 -04:00
Michael Rash
83595bdabb [test suite] Added Rijndael+HMAC command execution test 2014-03-13 19:40:47 -04:00
Michael Rash
873b06b422 [test suite] added portrange bpf filter test 2014-02-07 07:49:50 -05:00
Michael Rash
a347be354d merged android4.4_support branch 2014-01-10 22:46:54 -05:00
Michael Rash
d09e278646 added fko-wrapper no valgrind script 2013-12-29 20:02:56 -05:00
Michael Rash
bd0b8a1953 [android] updated README file, added project/sdk.paths file 2013-12-26 20:44:35 -05:00
Michael Rash
db58f2008e [android] Added test/conf/hmac_android_access.conf file to Makefile.am 2013-12-23 23:16:03 -05:00
Michael Rash
8fdb5d6395 [android] added ant.properties file 2013-12-23 22:51:26 -05:00
Michael Rash
171da60f23 [android] added project.properties file 2013-12-23 22:44:53 -05:00
Michael Rash
3b330f2036 [android] Makefile.am minor script path update 2013-12-23 22:40:18 -05:00
Michael Rash
e25d05f050 [android] update Makefile.am for latest Android directory tree 2013-12-23 22:39:21 -05:00