This is a significant commit to allow all ports and protocols to be
NAT'd in conjunction with FORWARD ACCEPT rules. This commit is in
support of 6b7a3bbdae to allow fwknopd to
function as an SPA gateway.
Bug fix to ensure that a User-Agent string can be specified when the
fwknop client uses wget via SSL to resolve the external IP address. This
closes issue #134 on github reported by Barry Allard. The fwknop now
uses the wget '-U' option to specify the User-Agent string with a
default of "Fwknop/<version>". In addition, a new command line argument
"--use-wget-user-agent" to allow the default wget User-Agent string to
apply instead.
External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by
default. The IP resolution URL is now 'https://www.cipherdyne.org/cgi-gin/myip',
and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified
(it is safer just to use the default). The fwknop client leverages 'wget' for
this operation since that is cleaner than having fwknop link against an SSL
library.
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the appreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is
GPG_FINGERPRINT_ID 00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
This commit adds a lot of test coverage support as guided by gcov +
lcov.
Also added the --no-ipt-check-support option to fwknopd (this is only
useful in practice on older Linux distros where 'iptables -C' is not
available, but it helps with test coverage).
Add a new fko_set_encoded_data() function gated by #define
FUZZING_INTERFACES to allow encryption and authentication to be bypassed
for fuzzing purposes (and only fuzzing purposes). The fko-wrapper code
has been extended to process data in the
test/fko-wrapper/fuzz_spa_payloads file, which is created by the new
python fuzzer. Typical workflow is:
$ cd test/fko-wrapper
$ ../spa_fuzzer.py > fuzz_spa_payloads
$ make fuzzing
(as root):
./test-fwknop.pl --enable-profile-coverage --enable-fuzzing-interfaces --enable-all --include wrapper
[+] Starting the fwknop test suite...
args: --enable-profile-coverage --enable-fuzzing-interfaces --enable-all --include wrapper
Saved results from previous run to: output.last/
Valgrind mode enabled, will import previous coverage from:
output.last/valgrind-coverage/
[+] Total test buckets to execute: 2
[Rijndael] [fko-wrapper] multiple libfko calls (with valgrind)......pass (1)
[Rijndael] [fko-wrapper] multiple libfko calls......................pass (2)
[profile coverage] gcov profile coverage............................pass (3)
[valgrind output] [flagged functions] ..............................pass (4)
Run time: 5.85 minutes
[+] 0/0/0 OpenSSL tests passed/failed/executed
[+] 0/0/0 OpenSSL HMAC tests passed/failed/executed
[+] 4/0/4 test buckets passed/failed/executed
