commit 65dc33dd9c2cc6e484e94d86e8b23e69cb7dbd56 (HEAD, refs/heads/master) Author: Michael Rash Date: Thu Jul 18 23:06:24 2013 -0400 [client] added --use-hmac to --help output (noticed by Damien) client/config_init.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 35d168cf21d94cdf162521b0d62d62710fd341ae Author: Michael Rash Date: Thu Jul 18 23:05:49 2013 -0400 added fwknop-2.5 release date ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3ee8b47870736f96adf6add91532acde8ff377cb (refs/remotes/web/master, refs/remotes/origin/master) Author: Michael Rash Date: Thu Jul 18 17:30:25 2013 -0400 [client] fix minor memory leak in getpasswd() routine caught by the test suite in valgrind mode client/getpasswd.c | 6 ++++++ 1 file changed, 6 insertions(+) commit f2d829535b9692a0df01f8b41ec9894c6474b2e1 Author: Michael Rash Date: Thu Jul 18 00:15:22 2013 -0400 [client] fix minor compilation warning about an unused variable client/getpasswd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 708e3027f5293f3c7cf7edff48ad3ef73c918809 Author: Michael Rash Date: Wed Jul 17 23:51:54 2013 -0400 Revert "[libfko] Have 'make install' run ldconfig if basic fwknop/fwknopd -h exec fails" This reverts commit f55b89c867ab63aaf69daae0aec0c19f1c52d521. Damien recommended not having 'make install' run ldconfig since it breaks an RPM build of fwknop, and most package managers should be doing this step anyway. CREDITS | 3 --- Makefile.am | 11 ----------- 2 files changed, 14 deletions(-) commit f7a821d0820965a8e4b800744c89018f26da669a Author: Michael Rash Date: Wed Jul 17 23:34:37 2013 -0400 minor ChangeLog text tweaks and one typo fix ChangeLog | 14 +++++++------- lib/rijndael.c | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) commit 4b0f0802eedb1451029aac319ff063182650ee07 Author: Damien S. 
Stuart Date: Wed Jul 17 22:46:24 2013 -0400 Tweaks to unbreak the windows build: Renamed FD_SET macro to FD_SET_ALT to avoid conflict with the well-known FD_SET macro. Made the client read password from file descriptor a non-supported function on Windows. client/cmd_opts.h | 4 ++-- client/config_init.c | 10 +++++++++- client/getpasswd.c | 27 +++++++-------------------- common/common.h | 1 + lib/fko_common.h | 2 +- 5 files changed, 20 insertions(+), 24 deletions(-) commit 39213beda75697fa89a9d825d48e40803f1171ff Author: Michael Rash Date: Sun Jul 14 17:46:48 2013 -0400 add legacy_iv_long_key2_access.conf file to Makefile.am Makefile.am | 1 + 1 file changed, 1 insertion(+) commit dac75c0242c988ebe3eafc71c52967c805712bfe Author: Michael Rash Date: Sun Jul 14 15:37:24 2013 -0400 [server] restore backwards compatibility for Rijndael keys > 16 bytes in legacy mode by truncating (upgrading recommended of course) server/access.c | 15 +++++++++++++- test/conf/legacy_iv_long_key2_access.conf | 4 ++++ test/test-fwknop.pl | 1 + test/tests/rijndael_backwards_compatibility.pl | 28 ++++++++++++++++++-------- 4 files changed, 39 insertions(+), 9 deletions(-) commit 510361fa73a9a04ae8553cc3b4bb783aab03fb13 Author: Michael Rash Date: Sun Jul 14 14:38:03 2013 -0400 [test suite] account for timestamp differences in iptables rule duplication tests test/test-fwknop.pl | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) commit dcf9c99fb5ab245cd363b277aafb240ac07e8125 Author: Michael Rash Date: Sun Jul 14 14:37:22 2013 -0400 [server] iptables rule duplication bug fix to look for protocol name when -C support isn't available server/fw_util_iptables.c | 41 ++++++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 11 deletions(-) commit 44aefd117764c147a23fb3f6bf61c0456f9d0ef8 Author: Michael Rash Date: Sat Jul 13 23:22:58 2013 -0400 [test suite] bug fix to ensure multiple SPA packets are sent for iptables duplicated 
rules tests test/test-fwknop.pl | 102 ++++++++++++++++++++------------------------ test/tests/rijndael.pl | 4 +- test/tests/rijndael_hmac.pl | 1 - 3 files changed, 49 insertions(+), 58 deletions(-) commit baa964a8cd7bdc61032fe9285ac6c651fd7403a0 Author: Michael Rash Date: Sat Jul 13 23:22:29 2013 -0400 [server] removed iptables '-C' redirection since 2>&1 is always appended by other macros server/fw_util_iptables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a7de80e66eda7317c428d3c38dd08212553473ce Author: Michael Rash Date: Fri Jul 12 23:22:50 2013 -0400 [server] Account for older versions of iptables that don't have -C This commit updates fwknopd to test for the existence of the iptables '-C' rule checking functionality since older versions of iptables don't have this. If it isn't offered by the installed version of iptables, then revert to parsing fwknop chains to see if iptables rules already exist before adding new rules (to avoid duplicates). server/fw_util_iptables.c | 350 ++++++++++++++++++++++++++++++++++++++-------- server/fw_util_iptables.h | 4 +- 2 files changed, 297 insertions(+), 57 deletions(-) commit f391b1391dd73faf8e65ff47d31431d6585049cf Author: Michael Rash Date: Fri Jul 12 23:21:38 2013 -0400 [libfko] apply zero_buf() to stack allocated Rijndael context for encrypt/decrypt lib/cipher_funcs.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 3e8e9f76a07f75d5cb3da7df08ac09e511002f5e Author: Michael Rash Date: Thu Jul 11 22:13:40 2013 -0400 minor README typo fixes README | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 96641059064136c828f5a282bba4a289e39b37ce Author: Michael Rash Date: Wed Jul 10 23:11:29 2013 -0400 [server] compile bug fix for pf/ipfw firewall systems server/fw_util_ipfw.c | 4 ++-- server/fw_util_pf.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit e75c10c6e594dcb3c13e5771ed98094d5912b1b0 Author: Michael Rash Date: Wed Jul 10 23:10:23 2013 -0400 [libfko] use zero_free_rv - 
dead code bug fix found by CLANG static analyzer lib/fko_encryption.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit 6c24b1c858194b809c19167c1aeabccd73fd10f5 Author: Michael Rash Date: Wed Jul 10 23:09:41 2013 -0400 [libfko] always call free() from zero_free() on all non-NULL buf pointers lib/fko_util.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit a42bfd38c2303ef78a42fcf2e0583560172a86d7 Author: Michael Rash Date: Wed Jul 10 23:07:43 2013 -0400 [libfko] bug fix to set digest length upon SPA packet decode This bug was caught with the fko_wrapper.c multi-call tester running under valgrind. lib/fko_decode.c | 5 +++++ 1 file changed, 5 insertions(+) commit a009ebfde29586e6aa94904a281c756b050f3ba1 Author: Michael Rash Date: Tue Jul 9 23:21:12 2013 -0400 [client] minor man page update to state that -a is more secure than -R client/fwknop.8.in | 22 +++++++++++++++++----- doc/fwknop.man.asciidoc | 13 ++++++++++--- 2 files changed, 27 insertions(+), 8 deletions(-) commit 3756b831f5ff1db9b3f97647bb93a0e12cc394ae Author: Michael Rash Date: Tue Jul 9 22:17:05 2013 -0400 simplified zero_free() calls in support of #93 lib/fko_encryption.c | 100 +++++++++++++++++++++++++++++++-------------------- lib/fko_funcs.c | 10 +++--- lib/fko_hmac.c | 24 +++++++------ lib/fko_util.c | 10 +++--- lib/fko_util.h | 2 +- 5 files changed, 85 insertions(+), 61 deletions(-) commit 189a183e1887d9ddb7693184e6784f768234d42b Author: Michael Rash Date: Tue Jul 9 21:40:23 2013 -0400 allow zero length to return FKO_SUCCESS from zero_buf() call client/fwknop.c | 8 ++++++-- lib/fko_util.c | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) commit 69760d49c5a5c0e4d3f5279d75c556c82f7d522c Author: Michael Rash Date: Tue Jul 9 21:18:45 2013 -0400 [libfko] return proper GPG error code upon gpg_decrypt() failure lib/fko_encryption.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit 5915ee72a94ffb2ef4200f1578fd34a0817d0b30 Author: 
Michael Rash Date: Tue Jul 9 21:18:06 2013 -0400 [libfko] add ctx initialized check to fko_gpg_errstr() lib/fko_error.c | 6 ++++++ 1 file changed, 6 insertions(+) commit bf2a8d5914f1cc6138e00427ae9c9d825622bed2 Author: Michael Rash Date: Tue Jul 9 21:17:03 2013 -0400 clarified NEWS file to state that fwknop is distributed under the GPL v2 NEWS | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 5e3ec3b61117d116695e895f475d2a4e9fc2dc78 Author: Michael Rash Date: Tue Jul 9 21:13:07 2013 -0400 [client] in '-M legacy' mode truncate the key to 16 bytes This change helps to maintain backwards compatibility with older fwknopd daemons that cannot handle Rijndael keys greater than 16 bytes. Blair Zajac suggested printing a warning in '-M legacy' mode when keys are attempted > 16 bytes long, and this warning is included in this commit. CREDITS | 3 +++ client/fwknop.c | 36 +++++++++++++++++++++++++----------- 2 files changed, 28 insertions(+), 11 deletions(-) commit 1b524f8104fad766176f99ee6530988e19dd94fb Author: Michael Rash Date: Mon Jul 8 23:06:57 2013 -0400 [client] make legacy encryption mode and HMAC usage mutually exclusive client/config_init.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit 24c4c5e208bcc61734c61b6b07546c981963685b Author: Michael Rash Date: Mon Jul 8 23:00:18 2013 -0400 continued zeroing out of sensitive data buffers in support of issue #93 client/fwknop.c | 73 +++++++++++++++++--------------- lib/fko.h | 5 ++- lib/fko_context.h | 1 + lib/fko_encryption.c | 114 ++++++++++++++++++++++++++++---------------------- lib/fko_error.c | 3 ++ lib/fko_funcs.c | 28 +++++++++---- lib/fko_hmac.c | 35 +++++++++++----- lib/fko_util.c | 36 ++++++++++++++++ lib/fko_util.h | 2 + server/access.c | 21 ++++------ server/incoming_spa.c | 31 +++++++++++--- 11 files changed, 227 insertions(+), 122 deletions(-) commit 1e77f6ed53b0d7ee1ccd1fbdb6d4f2f8579ec608 Author: Michael Rash Date: Sun Jul 7 22:32:30 2013 -0400 continued changes to 
zero out sensitive information before exit (#93) client/config_init.c | 3 +- client/fwknop.c | 315 ++++++++++++++++++++++++++++---------------------- client/getpasswd.c | 16 +-- client/getpasswd.h | 2 +- client/spa_comm.c | 21 ++-- client/utils.c | 75 ++++++------ lib/fko_encryption.c | 1 - server/access.c | 5 +- server/config_init.c | 3 +- server/fwknopd.c | 6 +- server/replay_cache.c | 3 +- server/utils.c | 75 +++++++----- 12 files changed, 297 insertions(+), 228 deletions(-) commit 6f6f7b8de28ab8ef42601256a28134dd80f82f48 Author: Michael Rash Date: Sat Jul 6 15:05:09 2013 -0400 [server] update fw_config_init() to allow access stanza key information to be zeroed out upon error (#93) server/fw_util.h | 2 +- server/fw_util_ipf.c | 2 +- server/fw_util_ipfw.c | 12 ++++++------ server/fw_util_iptables.c | 42 +++++++++++++++++++++++++++--------------- server/fw_util_pf.c | 2 +- server/fwknopd.c | 3 ++- 6 files changed, 38 insertions(+), 25 deletions(-) commit cb61fd886d8559f9754392c7934f68b9f22ce2da Author: Michael Rash Date: Sat Jul 6 14:53:04 2013 -0400 [server] minor header formatting update server/fwknopd_common.h | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) commit 4ff518d54a3b64457defe41328a65664b0c63fe0 Author: Michael Rash Date: Sat Jul 6 14:52:46 2013 -0400 [server] zero out access stanza key information before exit (in support of #93) server/access.c | 28 ++++++++++++++++++++++++++++ server/fw_util.h | 2 +- server/fw_util_ipf.c | 3 ++- server/fw_util_ipfw.c | 10 ++++++---- server/fw_util_iptables.c | 13 +++++-------- server/fw_util_pf.c | 4 ++-- server/fwknopd.c | 3 ++- 7 files changed, 46 insertions(+), 17 deletions(-) commit ff8a3ef3a4a3b15f2f60b71f649733c3153a5763 (refs/remotes/fjoncourt/master) Author: Franck Joncourt Date: Sun Jun 30 22:38:41 2013 +0200 Another change. 
README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9d7feb52f6db0d6c67691909a93ebf96317c8620 Merge: c2e1a00 ce10734 Author: Franck Joncourt Date: Sun Jun 30 22:22:34 2013 +0200 Merge remote-tracking branch 'upstream/master' commit c2e1a00154836f4c05aa8d9c5356d722c6db206a Author: Franck Joncourt Date: Sun Jun 30 22:21:22 2013 +0200 s/GNU Public/GNU General Public/g android/project/jni/config.h | 2 +- android/project/jni/fwknop/fko.h | 2 +- android/project/jni/fwknop/fko_limits.h | 2 +- android/project/jni/fwknop/fko_message.h | 2 +- android/project/jni/fwknop/fwknop_client.c | 2 +- android/project/jni/fwknop/fwknop_client.h | 2 +- android/project/jni/fwknop/send_spa_packet.c | 2 +- android/project/jni/logutils.h | 2 +- android/project/src/com/max2idea/android/fwknop/Fwknop.java | 2 +- client/cmd_opts.h | 2 +- client/config_init.c | 2 +- client/config_init.h | 2 +- client/fwknop.8.in | 2 +- client/fwknop.c | 2 +- client/fwknop.h | 2 +- client/fwknop_common.h | 2 +- client/getpasswd.c | 2 +- client/getpasswd.h | 2 +- client/http_resolve_host.c | 2 +- client/log_msg.c | 2 +- client/log_msg.h | 2 +- client/spa_comm.c | 2 +- client/spa_comm.h | 2 +- client/utils.c | 2 +- client/utils.h | 2 +- common/common.h | 2 +- common/netinet_common.h | 2 +- extras/fwknop-launcher/fwknop-launcher-lsof.pl | 2 +- iphone/Classes/fwknop/fwknop_client.c | 2 +- iphone/Classes/fwknop/fwknop_client.h | 2 +- iphone/Classes/fwknop/send_spa_packet.c | 2 +- iphone/Classes/libfwknop/fko_common.b | 2 +- lib/base64.c | 2 +- lib/base64.h | 2 +- lib/cipher_funcs.c | 2 +- lib/cipher_funcs.h | 2 +- lib/digest.c | 2 +- lib/digest.h | 2 +- lib/fko.h | 2 +- lib/fko_client_timeout.c | 2 +- lib/fko_common.h | 2 +- lib/fko_context.h | 2 +- lib/fko_decode.c | 2 +- lib/fko_digest.c | 2 +- lib/fko_encode.c | 2 +- lib/fko_encryption.c | 2 +- lib/fko_error.c | 2 +- lib/fko_funcs.c | 2 +- lib/fko_hmac.c | 2 +- lib/fko_limits.h | 2 +- lib/fko_message.c | 2 +- lib/fko_message.h | 2 +- 
lib/fko_nat_access.c | 2 +- lib/fko_rand_value.c | 2 +- lib/fko_server_auth.c | 2 +- lib/fko_state.h | 2 +- lib/fko_timestamp.c | 2 +- lib/fko_user.c | 2 +- lib/fko_user.h | 2 +- lib/fko_util.c | 2 +- lib/fko_util.h | 2 +- lib/gpgme_funcs.c | 2 +- lib/gpgme_funcs.h | 2 +- lib/hmac.c | 2 +- lib/hmac.h | 2 +- lib/md5.h | 2 +- lib/rijndael.c | 2 +- lib/rijndael.h | 2 +- lib/sha1.h | 2 +- perl/legacy/fwknop/Makefile | 2 +- perl/legacy/fwknop/deps/Crypt-Rijndael/README | 2 +- perl/legacy/fwknop/deps/Crypt-Rijndael/Rijndael.pm | 2 +- perl/legacy/fwknop/fwknop | 2 +- perl/legacy/fwknop/fwknop.h | 2 +- perl/legacy/fwknop/fwknop_funcs.c | 2 +- perl/legacy/fwknop/fwknop_serv | 2 +- perl/legacy/fwknop/fwknopd | 2 +- perl/legacy/fwknop/install.pl | 2 +- perl/legacy/fwknop/knopmd.c | 2 +- perl/legacy/fwknop/knoptm | 2 +- perl/legacy/fwknop/knopwatchd.c | 2 +- perl/legacy/fwknop/packaging/cd_rpmbuilder | 2 +- perl/legacy/fwknop/test/base64_byte_frequency.pl | 2 +- perl/legacy/fwknop/test/fwknop_test.pl | 2 +- server/access.c | 2 +- server/access.h | 2 +- server/cmd_opts.h | 2 +- server/config_init.c | 2 +- server/config_init.h | 2 +- server/extcmd.c | 2 +- server/extcmd.h | 2 +- server/fw_util.c | 2 +- server/fw_util.h | 2 +- server/fw_util_ipf.c | 2 +- server/fw_util_ipf.h | 2 +- server/fw_util_ipfw.c | 2 +- server/fw_util_ipfw.h | 2 +- server/fw_util_iptables.c | 2 +- server/fw_util_iptables.h | 2 +- server/fw_util_pf.c | 2 +- server/fw_util_pf.h | 2 +- server/fwknopd.c | 2 +- server/fwknopd.h | 2 +- server/fwknopd_common.h | 2 +- server/fwknopd_errors.c | 2 +- server/fwknopd_errors.h | 2 +- server/incoming_spa.c | 2 +- server/incoming_spa.h | 2 +- server/log_msg.c | 2 +- server/log_msg.h | 2 +- server/pcap_capture.c | 2 +- server/pcap_capture.h | 2 +- server/process_packet.c | 2 +- server/process_packet.h | 2 +- server/replay_cache.c | 2 +- server/replay_cache.h | 2 +- server/sig_handler.c | 2 +- server/sig_handler.h | 2 +- server/tcp_server.c | 2 +- server/tcp_server.h | 2 
+- server/utils.c | 2 +- server/utils.h | 2 +- win32/config.h | 2 +- win32/getlogin.h | 2 +- 124 files changed, 124 insertions(+), 124 deletions(-) commit ce10734c3a27257a83515b15538f04ddc57303a7 Author: Michael Rash Date: Sun Jun 30 16:12:29 2013 -0400 Added LICENSE section and a link to the fwknop tutorial README | 11 +++++++++++ 1 file changed, 11 insertions(+) commit a792e8bf4eacf59aaefb12281241cd563cc33ebe Author: Michael Rash Date: Sun Jun 30 15:55:01 2013 -0400 minor man page documentation updates (added twitter reference) client/fwknop.8.in | 8 +++++--- doc/fwknop.man.asciidoc | 7 +++++-- doc/fwknopd.man.asciidoc | 7 +++++-- server/fwknopd.8.in | 8 +++++--- 4 files changed, 20 insertions(+), 10 deletions(-) commit f1e946cf02c5354b173f2dd5c74f6b8549a93202 Author: Michael Rash Date: Sun Jun 30 15:52:47 2013 -0400 updated README to include the introduction from the fwknop man page README | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 72 insertions(+), 21 deletions(-) commit f55b89c867ab63aaf69daae0aec0c19f1c52d521 (tag: refs/tags/fwknop-2.5-pre3) Author: Michael Rash Date: Sun Jun 30 14:50:12 2013 -0400 [libfko] Have 'make install' run ldconfig if basic fwknop/fwknopd -h exec fails This commit makes sure that if running 'fwknop -h' or 'fwknopd -h' appears to fail then run ldconfig under the 'make install' step. George Herlin reported that on some systems ldconfig was not automatically getting executed via the autoconf Makefile config, and since fwknop/fwknopd depend on a shared library (libfko), ldconfig needs to be executed by 'make install' if it wasn't already done. 
CREDITS | 3 +++ Makefile.am | 11 +++++++++++ 2 files changed, 14 insertions(+) commit 8ed088051e461c480b8b534a3830f0371a56e18a Author: Michael Rash Date: Sat Jun 29 10:39:07 2013 -0400 [libfko] fix a few 'Overfull \hbox' errors in libfko .pdf generation doc/libfko.texi | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) commit 5a4a8a5baa725c59ad3764f2eed563a1202805f1 Author: Michael Rash Date: Thu Jun 27 22:15:39 2013 -0400 [server] convert several LOG_INFO messages to LOG_DEBUG server/fw_util_ipfw.c | 26 +++++++++++++------------- server/fw_util_iptables.c | 36 ++++++++++++++++++------------------ 2 files changed, 31 insertions(+), 31 deletions(-) commit 7eacb5ba5a0b1b4d094de5ce831624d20353c7e2 Merge: 5a0700e 47a7ffe Author: Michael Rash Date: Thu Jun 27 21:55:58 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' commit 5a0700eb469d86f659a8eae0bc7cd616508751e3 Author: Franck Joncourt Date: Tue Jun 25 22:04:54 2013 +0200 * Mentioned the VERBOSE variable in fwknopd.conf. * Made sure the -v command line switch overrides the value of the VERBOSE variable set in an fwknopd.conf file. server/config_init.c | 8 ++------ server/fwknopd.conf | 7 +++++++ 2 files changed, 9 insertions(+), 6 deletions(-) commit 10fdbb509ccaa8dca454f2e1a19dfa93d3951c86 Author: Franck Joncourt Date: Tue Jun 25 21:56:53 2013 +0200 s/VERBOSITY/VERBOSE/g on the server side for consistency purposes. server/cmd_opts.h | 2 +- server/config_init.c | 8 ++++---- server/fwknopd_common.h | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) commit 7fde3949daa0926b402f3184589270d1c8d64041 Author: Franck Joncourt Date: Mon Jun 24 23:15:50 2013 +0200 Fixed use of --verbose command line switch. Set default log verbosity to LOG_INFO in the log_msg driver. 
server/config_init.c | 44 ++++++++++++++++++++++++-------------------- server/log_msg.h | 2 +- 2 files changed, 25 insertions(+), 21 deletions(-) commit 5db1eeb2686030ee6fa367b983ef916561c4dc77 Author: Franck Joncourt Date: Thu Jun 20 23:33:04 2013 +0200 Interim commit to add a VERBOSE variable to fwknopd. client/config_init.c | 3 +++ server/cmd_opts.h | 1 + server/config_init.c | 21 ++++++++++++++++++--- server/fwknopd_common.h | 1 + 4 files changed, 23 insertions(+), 3 deletions(-) commit 25058f9d130dbc7ecbc415031a982b569adab50f Author: Michael Rash Date: Thu Jun 27 21:26:49 2013 -0400 [test suite] bug fix for rotate digest cache tests When the test suite is executed with '--include "rotate"' then previous tests aren't executed in order to create a new digest cache file. So, when init() is called and a clean slate is established, there is nothing to rotate away. This change creates the default digest cache data (comment line only) if the file doesn't already exist for the rotate tests. test/test-fwknop.pl | 8 ++++++++ 1 file changed, 8 insertions(+) commit 1a9c8914df18c6cc0ac43435b1ba645c01c634bd Author: Michael Rash Date: Thu Jun 27 21:26:31 2013 -0400 bumped VERSION file to fwknop-2.5 VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 37b624ac8b45093096492555ecfc3541ef462891 Author: Michael Rash Date: Thu Jun 27 21:21:10 2013 -0400 bump version to 2.5, minor fwknopd -S exit status update This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to signal incompatibility with older libfko versions. Backwards compatibility is maintained in SPA packet construction, but function prototypes in libfko-2.0 are no longer compatible with older versions. This commit also returns non-zero exit status under 'fwknopd --status' if there is no existing fwknopd process. This is better than always exiting with a zero status regardless of whether fwknopd is already running or not, and adds a level of scriptability to --status usage. 
This change was suggested by George Herlin. client/fwknop.8.in | 14 +++++++------- configure.ac | 2 +- doc/fwknop.man.asciidoc | 8 ++++---- doc/fwknopd.man.asciidoc | 5 +++-- fwknop.spec | 6 +++--- lib/fko.h | 2 +- server/fwknopd.8.in | 6 +++--- server/fwknopd.c | 8 ++++++-- 8 files changed, 28 insertions(+), 23 deletions(-) commit 47a7ffe22bc82f8f60867979842d6147b0bc4bbf Merge: 5413d1c d125146 Author: Franck Joncourt Date: Tue Jun 25 23:03:28 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 5413d1c48c9e37adada0b7c74018d7da5746d188 Author: Franck Joncourt Date: Tue Jun 25 22:04:54 2013 +0200 * Mentioned the VERBOSE variable in fwknopd.conf. * Made sure the -v command line switch overrides the value of the VERBOSE variable set in an fwknopd.conf file. server/config_init.c | 8 ++------ server/fwknopd.conf | 7 +++++++ 2 files changed, 9 insertions(+), 6 deletions(-) commit 4525a7e57c1a9e0880e30c69688c569c9ab1ed45 Author: Franck Joncourt Date: Tue Jun 25 21:56:53 2013 +0200 s/VERBOSITY/VERBOSE/g on the server side for consistency purposes. server/cmd_opts.h | 2 +- server/config_init.c | 8 ++++---- server/fwknopd_common.h | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) commit 07f96f86f8e61d7d57b1675d465d1b0d24ad09b0 Author: Franck Joncourt Date: Mon Jun 24 23:15:50 2013 +0200 Fixed use of --verbose command line switch. Set default log verbosity to LOG_INFO in the log_msg driver. 
server/config_init.c | 44 ++++++++++++++++++++++++-------------------- server/log_msg.h | 2 +- 2 files changed, 25 insertions(+), 21 deletions(-) commit 2812897666092abb2887aa4d7012535629dbf17f Author: Michael Rash Date: Fri Jun 21 21:37:23 2013 -0400 ChangeLog 2.5 updates ChangeLog | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) commit d125146c37de1e31e1a59bc133c64c59ea22ea1e Author: Michael Rash Date: Fri Jun 21 21:11:23 2013 -0400 [server] minor --help update to include cipherdyne.org URL server/config_init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 371036bad0974e1968615be1ddabaa2cbf8405cd Author: Michael Rash Date: Fri Jun 21 21:08:38 2013 -0400 [client] re-use encryption/HMAC keys in --test mode The client --test mode decrypts SPA packet data as a final step, but get_keys() was being called to re-acquire the encryption/HMAC keys. This commit reuses the same keys that were supplied for SPA packet encryption/authentication because the most important code to test is not get_keys() but rather libfko encryption/decryption/authentication operations. client/fwknop.c | 41 ++++++++--------------------------------- client/fwknop.h | 5 ----- server/fwknopd.h | 5 ----- 3 files changed, 8 insertions(+), 43 deletions(-) commit 6b132862fdb7503fba53c5da61992229a5f7db60 Author: Michael Rash Date: Thu Jun 20 22:12:29 2013 -0400 [client] minor man page backwards compatibility wording tweak client/fwknop.8.in | 6 +++--- doc/fwknop.man.asciidoc | 16 +++++++++------- 2 files changed, 12 insertions(+), 10 deletions(-) commit 047513710aec6d20dd9f0d030854267c1db9f0ef Author: Michael Rash Date: Thu Jun 20 22:11:42 2013 -0400 [client] add GPG_NO_SIGNING_PW to --save-rc-stanza functionality client/config_init.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit afd6f6b23c1f1b8906ae4eebe87f110a602c9d76 Author: Franck Joncourt Date: Thu Jun 20 23:33:04 2013 +0200 Interim commit to add a VERBOSE variable to fwknopd. 
client/config_init.c | 3 +++ server/cmd_opts.h | 1 + server/config_init.c | 21 ++++++++++++++++++--- server/fwknopd_common.h | 1 + 4 files changed, 23 insertions(+), 3 deletions(-) commit 1d17c4093bbd0ae15808a8c3ffbf9f9811e31071 Author: Michael Rash Date: Wed Jun 19 23:47:04 2013 -0400 added fwknoprc gpg signing pw test conf files to Makefile.am Makefile.am | 2 ++ 1 file changed, 2 insertions(+) commit 68acbaadc407b10d973f1157f9638088d620ea98 Author: Michael Rash Date: Wed Jun 19 23:42:58 2013 -0400 remove newline chars from log_msg() calls client/config_init.c | 14 ++++++++-- client/fwknop.c | 2 +- client/http_resolve_host.c | 2 +- client/spa_comm.c | 4 +-- client/utils.c | 3 +- server/access.c | 69 ++++++++++++++++++++++++++++++---------------- server/config_init.c | 36 ++++++++++++------------ server/fw_util_ipf.c | 3 +- server/fw_util_ipfw.c | 26 +++++++++-------- server/fw_util_iptables.c | 17 ++++++------ server/fw_util_pf.c | 5 ++-- server/fwknopd.c | 8 +++--- server/incoming_spa.c | 7 +++-- server/log_msg.c | 2 +- server/pcap_capture.c | 10 +++---- server/replay_cache.c | 6 ++-- server/tcp_server.c | 2 +- server/utils.c | 10 +++---- 18 files changed, 132 insertions(+), 94 deletions(-) commit 13626a2a749046771268dc5b1be3431fc03ffa7d Author: Michael Rash Date: Wed Jun 19 23:41:37 2013 -0400 [test suite] added tests for KEY synonym GPG_SIGNING_PW test/conf/fwknoprc_gpg_signing_pw | 2 ++ test/conf/fwknoprc_named_gpg_signing_pw | 7 ++++++ test/test-fwknop.pl | 2 ++ test/tests/basic_operations.pl | 4 ++-- test/tests/gpg.pl | 40 +++++++++++++++++++++++++++++++++ test/tests/gpg_no_pw.pl | 2 +- 6 files changed, 54 insertions(+), 3 deletions(-) commit 54c26ede6e250e19667aff6f9c4d6da5bff31d7e Author: Michael Rash Date: Wed Jun 19 23:38:37 2013 -0400 [libfko] defensive coding update to quiet minor CLANG static analyzer false positives lib/cipher_funcs.c | 3 +++ lib/fko_encryption.c | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) commit 
e3a2289d70f79b0527bad40bc674090cdfeee9d0 Author: Michael Rash Date: Wed Jun 19 23:37:19 2013 -0400 [client] man page update to include GPG_SIGNING_PW synonym for KEY variable in GPG mode client/fwknop.8.in | 18 ++++++++++++++++-- doc/fwknop.man.asciidoc | 11 +++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) commit a2d16f8c5ee53360d95579c7640a0ff3967d4a69 Author: Michael Rash Date: Tue Jun 18 23:12:42 2013 -0400 [test suite] minor permission modification update to use %cf hash test/test-fwknop.pl | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 13173343ee0a4797abfba868117fe08fe3a10b92 Author: Michael Rash Date: Tue Jun 18 22:51:22 2013 -0400 [client] add GPG_ALLOW_NO_SIGNING_PW and --gpg-no-signing-pw This change brings similar functionality to the client as the GPG_ALLOW_NO_PW keyword in the server access.conf file. Although this option is less likely to be used than the analogous server functionality, it stands to reason that the client should offer this feature. The test suite has also been updated to not use the --get-key option for the 'no password' GPG tests. 
client/cmd_opts.h | 2 + client/config_init.c | 110 +++++++++++++++++++++++++++++++++--------------- client/fwknop.8.in | 13 +++++- client/fwknop.c | 23 +++++----- client/fwknop_common.h | 1 + doc/fwknop.man.asciidoc | 6 +++ test/test-fwknop.pl | 6 +++ test/tests/gpg_no_pw.pl | 61 ++++++++++----------------- 8 files changed, 135 insertions(+), 87 deletions(-) commit 21dc87ace5f34637e4fb130910793694a1c39d1f Author: Michael Rash Date: Tue Jun 18 22:50:10 2013 -0400 [test suite] bug fix for missing file permission mods noticed by Franck test/test-fwknop.pl | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) commit 2014cf767a4f2aa9e87e0b4de47a1b60fa257e3d Merge: afbf6d5 5667d8e Author: Michael Rash Date: Tue Jun 18 22:48:33 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' New strategy for log_module from Franck, closes #89 commit 5667d8e151397955e25817f47dc42463a6397225 Author: Franck Joncourt Date: Tue Jun 18 22:12:41 2013 +0200 Fixed default verbosity to LOG_NOTICE rather than LOG_WARNING. 
server/log_msg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2cc1ac65bc05d3a7fb8ffae60f8556e74665bc19 Author: Franck Joncourt Date: Mon Jun 17 12:31:07 2013 +0200 Replaced some uses of *fprintf(stderr* by *log_msg(LOG_ERR* in config_init.c server/config_init.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) commit f418bc21872e7c34651bb4c4d2e3f6efccf395a1 Merge: 57cf6dc b0c9ed5 Author: Franck Joncourt Date: Sun Jun 16 22:28:26 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 57cf6dc4727703dedb3ff9ce489ce43201896ea2 Author: Franck Joncourt Date: Sun Jun 16 22:16:41 2013 +0200 s/fprintf(stderr/log_msg(LOG_ERR/ server/access.c | 120 +++++++++++++++++++++++----------------------- server/fw_util_ipf.c | 2 +- server/fw_util_ipfw.c | 14 +++--- server/fw_util_iptables.c | 8 ++-- server/fw_util_pf.c | 2 +- server/fwknopd.c | 9 ++-- server/replay_cache.c | 15 +++--- server/utils.c | 10 ++-- 8 files changed, 89 insertions(+), 91 deletions(-) commit 84f870494941aed8549e302f2736d46a4f3eef37 Author: Franck Joncourt Date: Sun Jun 16 21:24:37 2013 +0200 Fix static_log_flag in the log_module. server/log_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 935565cd90d1cf0f8f2c2e9a435ec4e5b500348b Author: Franck Joncourt Date: Sun Jun 16 21:16:25 2013 +0200 Fix log_msg(). * Added new constant LOG_WITHOUT_SYSLOG to be able to print messages to stderr only. * Renamed LOG_STDERR_MASK as LOG_VERBOSITY_MASK for a better understanding. server/log_msg.c | 21 +++++++++++---------- server/log_msg.h | 7 ++++--- 2 files changed, 15 insertions(+), 13 deletions(-) commit b48295c69b2d5396689c4bf6d28a2cd70393d084 Author: Franck Joncourt Date: Sun Jun 16 19:12:06 2013 +0200 Interim commit to make the log_msg strategy. * log_msg : New log_set_verbosity(): It sets the default verbosity for the log module according to the verbose option set by the user through the command line. 
* Remove useless checks of the verbose option when log_msg() is invoked. server/fw_util_ipfw.c | 74 +++++++++++++++++------------------------- server/fw_util_iptables.c | 82 ++++++++++++++++++----------------------------- server/fwknopd.c | 15 +++++---- server/incoming_spa.c | 24 ++++++-------- server/log_msg.c | 21 ++++++++++++ server/log_msg.h | 3 ++ server/pcap_capture.c | 2 +- 7 files changed, 103 insertions(+), 118 deletions(-) commit afbf6d51c02f2148a96d20f447ede9c27bb0dcfa Author: Michael Rash Date: Sun Jun 16 08:27:29 2013 -0400 [client] minor man page backwards compatibility update to include better examples client/fwknop.8.in | 32 +++++++++++++++++++++++++++++--- doc/fwknop.man.asciidoc | 28 ++++++++++++++++++++++++++-- 2 files changed, 55 insertions(+), 5 deletions(-) commit b0c9ed52ba32da6e9514f74a4037f03c3539f793 Author: Michael Rash Date: Sat Jun 15 21:20:39 2013 -0400 [test suite] bug fix for proper replay attack regex searching of test output, added several replay attack tests test/test-fwknop.pl | 4 +--- test/tests/gpg.pl | 14 ++++++------ test/tests/gpg_hmac.pl | 18 +++++++++++++-- test/tests/gpg_no_pw.pl | 19 +++++++++++++--- test/tests/gpg_no_pw_hmac.pl | 18 ++++++++++++--- test/tests/rijndael_hmac.pl | 42 +++++++++++++++++++++++++++++++++++ test/tests/rijndael_replay_attacks.pl | 11 ++++----- 7 files changed, 103 insertions(+), 23 deletions(-) commit 8155cf33315d1bb4a8827ed87d8e12a226c0bec6 Author: Michael Rash Date: Thu Jun 13 21:23:59 2013 -0400 [server] ensure 'Rule added' log messages are generated when create_rule() is called server/fw_util_iptables.c | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) commit c23d2d644f1ef116822fa418a2971a55c87210a7 Author: Michael Rash Date: Thu Jun 13 21:22:58 2013 -0400 minor typo and format fixes server/fwknopd.c | 2 +- server/replay_cache.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 1341601a663725896324aeb30d90e519e0648b71 Author: Michael 
Rash Date: Thu Jun 13 21:21:40 2013 -0400 [server] when log_msg() is called fflush() output to stderr (when stderr is used) server/log_msg.c | 1 + 1 file changed, 1 insertion(+) commit 48b2213780fda6bc02b76bd013ae30dd56030165 Author: Michael Rash Date: Thu Jun 13 21:20:11 2013 -0400 [client] truncate args save file with open() client/fwknop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit fc8a74131bbb804a73a9b6e49371e7393459d8c5 Author: Michael Rash Date: Wed Jun 12 23:10:19 2013 -0400 [test suite] minor OS compatibility test re-order test/tests/os_compatibility.pl | 83 +++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 45 deletions(-) commit ea0ecc8cbe9b02e481fbcabe80181ee804de0265 Author: Michael Rash Date: Wed Jun 12 23:09:55 2013 -0400 [libfko] BYTEORDER macro update to 4321 or 1234 if all other methods fail lib/fko_common.h | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) commit 12eab497c2ddc443cecf3248f75970ad47651f04 Author: Michael Rash Date: Tue Jun 11 22:01:23 2013 -0400 [test suite] added a few OS compatibility tests Makefile.am | 1 + test/test-fwknop.pl | 9 +++ test/tests/os_compatibility.pl | 159 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 169 insertions(+) commit ef8aa2e471548126ee921aff7328385dd7e1bbc0 (tag: refs/tags/fwknop-2.5-pre2) Author: Michael Rash Date: Mon Jun 10 22:38:55 2013 -0400 [test suite] minor bug fix to add 'iptables' to custom chain test titles test/tests/rijndael_hmac.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 978ddda33773f7be96e7898fa5915ad9cf24ae9a Author: Michael Rash Date: Mon Jun 10 22:34:48 2013 -0400 bump version to 2.5-pre2 VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ffeb285f7bf6856b2ce1c2f5bdbec0f06322f384 Author: Michael Rash Date: Mon Jun 10 22:27:57 2013 -0400 [libfko] handle endian detection on PPC (and other) systems Blair Zajac contributed a patch to handle endian detection on PPC 
systems and issue a compile time error if it cannot be determined. This commit affects the BYTEORDER macro. CREDITS | 6 ++++++ lib/fko_common.h | 18 ++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) commit 5c7f5f1b0ba7d5241edb944c3bb024d610839c8b Author: Michael Rash Date: Mon Jun 10 21:45:26 2013 -0400 [libfko] use local strndup() if autoconf HAVE_STRNDUP not defined Blair Zajac reported that strndup() is not available on some PPC systems, so this commit switches to use the local lib/fko_util.c implementation similarly to what is done for Windows systems. lib/fko_util.c | 4 ++-- lib/fko_util.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 63ecfd54f280fe4888af3777bc05249e92561226 Author: Michael Rash Date: Mon Jun 10 21:21:52 2013 -0400 added missing test suite conf/ files to Makefile.am Makefile.am | 5 +++++ 1 file changed, 5 insertions(+) commit f9df2f6ecaa3bb8b63139ac77e26f9db9fd43011 Author: Michael Rash Date: Mon Jun 10 21:18:37 2013 -0400 [test suite] additional --save-rc-stanza tests for vars not printed in fwknop client decode output test/test-fwknop.pl | 79 +++++++++++++++++++++++++++++++----------- test/tests/basic_operations.pl | 78 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 136 insertions(+), 21 deletions(-) commit 0c19e5170a9ec5d2f0dfd943e05df514eb26684b Author: Michael Rash Date: Mon Jun 10 21:16:33 2013 -0400 [test suite] added backwards compatibility tests with a dual usage key in access.conf Makefile.am | 1 + test/conf/dual_key_legacy_iv_access.conf | 10 +++++++ test/test-fwknop.pl | 13 +++++++++ test/tests/rijndael_backwards_compatibility.pl | 37 ++++++++++++++++++++++++++ 4 files changed, 61 insertions(+) commit a3e06966b51b5a934af40351e4dd647201e31eb4 Author: Michael Rash Date: Mon Jun 10 21:14:09 2013 -0400 [client] minor man page wording update for backwards compatibility section client/fwknop.8.in | 6 +++--- doc/fwknop.man.asciidoc | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) 
commit 46dadecf5a0cc4b8722131dc71a0a148158ab7a3 Author: Michael Rash Date: Sun Jun 9 16:00:46 2013 -0400 [client] minor man page tweak to use rc VERBOSE bool value (which is the default now) client/fwknop.8.in | 2 +- doc/fwknop.man.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 056fd44c2416676d055e0232af22abfd59a8abbb Author: Michael Rash Date: Sun Jun 9 15:58:22 2013 -0400 [commit] default --verbose rc handling to bool Y/N values, but allow integers too when --verbose is given multiple times client/config_init.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) commit dbfa2579a75ec488b538b7df49440ff9d59a2b88 Author: Michael Rash Date: Sun Jun 9 15:57:16 2013 -0400 [client] minor man page tweak client/fwknop.8.in | 6 +++--- doc/fwknop.man.asciidoc | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) commit 88e1e0e09951122ce8749659c5381a4ec9c80cdc Author: Michael Rash Date: Sun Jun 9 15:27:19 2013 -0400 [test suite] added tests for setting gpg recipient, signer, and homedir via the client rc file test/conf/fwknoprc_gpg_args_hmac_key | 7 +++++++ test/conf/fwknoprc_gpg_args_no_pw_hmac_key | 7 +++++++ test/test-fwknop.pl | 2 ++ test/tests/gpg_hmac.pl | 21 +++++++++++++++++---- test/tests/gpg_no_pw_hmac.pl | 14 ++++++++++++++ 5 files changed, 47 insertions(+), 4 deletions(-) commit ac587f3c6387db6bfcd051ea031dbc007278fcca Merge: 7a1bdea 3d688a5 Author: Michael Rash Date: Sun Jun 9 14:33:29 2013 -0400 Merge branch 'master' of github.com:mrash/fwknop commit 7a1bdea5140de8791d22125fca8a5b6eb50619ec Author: Michael Rash Date: Sun Jun 9 14:28:17 2013 -0400 [server] fix 'Use of untrusted string value' bug found by Coverity This commit changes iptables policy parsing to re-use rule_exists() for fwknop jump rule detection instead of using sscanf() against iptables policy list output. 
Also, fwknop jump rules are now deleted from iptables policies in a loop to ensure all are removed even if there are duplicates (even though this should not happen under normal circumstances anyway). server/fw_util.h | 1 + server/fw_util_iptables.c | 72 ++++++++++--------------------- server/fw_util_iptables.h | 4 +- test/conf/custom_input_chain_fwknopd.conf | 2 + test/conf/custom_nat_chain_fwknopd.conf | 5 +++ test/test-fwknop.pl | 2 + test/tests/rijndael_hmac.pl | 37 ++++++++++++++++ 7 files changed, 73 insertions(+), 50 deletions(-) commit 3d688a5a0801ce82624bdd54f5532ce844caa44a Merge: 8b62984 e515ba4 Author: Michael Rash Date: Thu Jun 6 20:22:55 2013 -0700 Merge pull request #87 from fjoncourt/master Fwknop manpage update (fd and stdin command) commit f491c4169758a400b70ed5ccfd997a36354fe75f Author: Michael Rash Date: Wed Jun 5 22:33:42 2013 -0400 [server] minor addition of IPT_CHK_RULE_ARGS macro for iptables -C usage server/fw_util_iptables.c | 2 +- server/fw_util_iptables.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) commit 866e0a95d51369f8cfc9c85baa9964b9c443adbf Author: Michael Rash Date: Wed Jun 5 21:46:51 2013 -0400 [server] minor bug fix to switch iptables comment match check to built-in INPUT chain server/fw_util_iptables.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit e515ba45feae4e562e3a62a3595f4382820751c9 Merge: 7dec268 8b62984 Author: Franck Joncourt Date: Wed Jun 5 21:47:41 2013 +0200 Merge remote-tracking branch 'upstream/master' Conflicts: client/fwknop.8.in commit 7dec26852a9cf63ef686332df9aede7e12695f09 Author: Franck Joncourt Date: Wed Jun 5 21:38:26 2013 +0200 Updated fwknop manpage to document both the use of stdin and fd commands. 
client/fwknop.8.in | 14 ++++++++++++-- doc/fwknop.man.asciidoc | 10 ++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) commit 17974a1c05c4ffa3ec76c60582d407ee18c7f93a Author: Michael Rash Date: Tue Jun 4 22:17:59 2013 -0400 [server] comment additions regarding Coverity low priority TOCTOU issues server/access.c | 14 ++++++++++++++ server/config_init.c | 6 ++++-- 2 files changed, 18 insertions(+), 2 deletions(-) commit 59eb7fcf0f0e1b1e305eca9f41a978a14872b133 Author: Michael Rash Date: Tue Jun 4 21:17:15 2013 -0400 [extras] update spa-entropy.pl script to point fwknop client in gpg mode to the no-pw homedir extras/spa-entropy/spa-entropy.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8b629848875fbc8f2fe84e7ddd259f15a7c59d28 Merge: 7c4beab 48a3f7a Author: Michael Rash Date: Mon Jun 3 21:59:26 2013 -0400 Merge branch 'gpgme_autoconf_macro' This commit adds a new m4/gpgme.m4 to allow autogen.sh to work properly when libgpgme is not installed. Closes #72. commit 7c4beabea0c4be58d2e9b30bb27353cc0949df40 Author: Michael Rash Date: Mon Jun 3 21:45:29 2013 -0400 a few HMAC doc updates to the libfko.texi file doc/libfko.texi | 87 ++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 68 insertions(+), 19 deletions(-) commit 69ba2d7a06556033e35cc0df5928bae39e1117d0 Author: Michael Rash Date: Mon Jun 3 20:54:40 2013 -0400 fko-wrapper update to print fko_errstr() text, and to have one successful HMAC cycle test/fko-wrapper/fko_wrapper.c | 113 ++++++++++++++++++++++++++--------------- 1 file changed, 71 insertions(+), 42 deletions(-) commit 66399fed1a47dfac0af636cfcdde92c1aa68eb4b Merge: e7716b4 583e1e0 Author: Michael Rash Date: Sun Jun 2 22:54:23 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' Closes #74 - allows a passphrase to be read from STDIN or from a file descriptor via --fd. 
commit e7716b49c6318fd242e25ddc7620560bfc6af9e2 Author: Michael Rash Date: Sun Jun 2 22:08:54 2013 -0400 [test suite] minor bug fix to include the new legacy long key file in Makefile.am Makefile.am | 1 + 1 file changed, 1 insertion(+) commit 164888e075a671d3df6185b0e2b67ceb0f166518 Author: Michael Rash Date: Sun Jun 2 21:19:19 2013 -0400 [test suite] added backwards compatibility test for truncated keys longer > 16 chars test/conf/legacy_iv_long_key_access.conf | 4 ++++ test/test-fwknop.pl | 1 + test/tests/rijndael_backwards_compatibility.pl | 27 ++++++++++++++++++++++++++ 3 files changed, 32 insertions(+) commit 583e1e02c77ae975c1b5bee8926206de78f66650 Merge: 9fce10a 1c8d247 Author: Franck Joncourt Date: Sun Jun 2 21:54:25 2013 +0200 Merge remote-tracking branch 'upstream/master' Conflicts: client/config_init.c commit 9fce10abd8d37bc1bd58dfda05b82450d5ff343e Author: Franck Joncourt Date: Sun Jun 2 21:36:17 2013 +0200 Adding support for reading encryption/key password from a file descriptor. * Added tests to the test suite. * Updated the usage message. * Fixed the password functions. 
reference : mrash/fwknop#74 client/config_init.c | 24 ++++++++++++++---------- client/getpasswd.c | 32 +++++++++++++++++++------------- client/utils.h | 3 +++ test/test-fwknop.pl | 1 + test/tests/basic_operations.pl | 12 ++++++++++-- test/tests/rijndael.pl | 26 ++++++++++++++++++++++++++ 6 files changed, 73 insertions(+), 25 deletions(-) commit 2874205d05c7d51e38b653746f87760f6fd4bd7a Author: Michael Rash Date: Sun Jun 2 14:50:37 2013 -0400 started on libfko.texi function prototype and FKO error code documentation updates doc/libfko.texi | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) commit 491e25a6bdc4be4058eb79d4af17d92d3ad19bd4 Author: Michael Rash Date: Sun Jun 2 14:29:37 2013 -0400 restored the NEWS file since autoconf seems to need it NEWS | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) commit 382099e85aa0ca18b2d52ca422ac3faa819e4999 Author: Michael Rash Date: Sun Jun 2 14:07:01 2013 -0400 Updated copyright dates, removed NEWS file in favor of the ChangeLog AUTHORS | 2 +- NEWS | 38 --------------------------------- android/project/jni/fwknop/fko.h | 2 +- android/project/jni/fwknop/fko_limits.h | 2 +- client/cmd_opts.h | 2 +- client/config_init.c | 2 +- client/config_init.h | 2 +- client/fwknop.c | 2 +- client/fwknop.h | 2 +- client/fwknop_common.h | 2 +- client/getpasswd.c | 2 +- client/getpasswd.h | 2 +- client/http_resolve_host.c | 2 +- client/log_msg.c | 2 +- client/log_msg.h | 2 +- client/spa_comm.c | 2 +- client/spa_comm.h | 2 +- client/utils.c | 2 +- client/utils.h | 2 +- common/common.h | 2 +- common/netinet_common.h | 2 +- iphone/Classes/libfwknop/fko_common.b | 2 +- lib/base64.c | 2 +- lib/base64.h | 2 +- lib/cipher_funcs.c | 2 +- lib/cipher_funcs.h | 2 +- lib/digest.c | 2 +- lib/digest.h | 2 +- lib/fko.h | 2 +- lib/fko_client_timeout.c | 2 +- lib/fko_common.h | 2 +- lib/fko_context.h | 2 +- lib/fko_decode.c | 2 +- lib/fko_digest.c | 2 +- lib/fko_encode.c | 2 
+- lib/fko_encryption.c | 2 +- lib/fko_error.c | 2 +- lib/fko_funcs.c | 2 +- lib/fko_limits.h | 2 +- lib/fko_message.c | 2 +- lib/fko_nat_access.c | 2 +- lib/fko_rand_value.c | 2 +- lib/fko_server_auth.c | 2 +- lib/fko_state.h | 2 +- lib/fko_timestamp.c | 2 +- lib/fko_user.c | 2 +- lib/fko_util.h | 2 +- lib/gpgme_funcs.c | 2 +- lib/gpgme_funcs.h | 2 +- server/access.c | 2 +- server/access.h | 2 +- server/cmd_opts.h | 2 +- server/config_init.c | 2 +- server/config_init.h | 2 +- server/extcmd.c | 2 +- server/extcmd.h | 2 +- server/fw_util.c | 2 +- server/fw_util.h | 2 +- server/fw_util_ipf.c | 2 +- server/fw_util_ipf.h | 2 +- server/fw_util_ipfw.c | 2 +- server/fw_util_ipfw.h | 2 +- server/fw_util_iptables.c | 2 +- server/fw_util_iptables.h | 2 +- server/fw_util_pf.h | 2 +- server/fwknopd.c | 2 +- server/fwknopd.h | 2 +- server/fwknopd_common.h | 2 +- server/fwknopd_errors.c | 2 +- server/fwknopd_errors.h | 2 +- server/incoming_spa.c | 2 +- server/incoming_spa.h | 2 +- server/log_msg.c | 2 +- server/log_msg.h | 2 +- server/pcap_capture.c | 2 +- server/pcap_capture.h | 2 +- server/process_packet.c | 2 +- server/process_packet.h | 2 +- server/replay_cache.c | 2 +- server/replay_cache.h | 2 +- server/sig_handler.c | 2 +- server/sig_handler.h | 2 +- server/tcp_server.c | 2 +- server/tcp_server.h | 2 +- server/utils.c | 2 +- server/utils.h | 2 +- 86 files changed, 85 insertions(+), 123 deletions(-) commit 1b41e606a7cd69c7a66da37c3aa78806a8f9efe5 Author: Michael Rash Date: Sun Jun 2 13:51:25 2013 -0400 Added backwards compatibility section to the client man page Added backwards compatibility section and new material on a 'quick start' subsection for the EXAMPLES section. 
client/fwknop.8.in | 128 +++++++++++++++++++++++++++++-------- doc/fwknop.man.asciidoc | 163 +++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 234 insertions(+), 57 deletions(-) commit 1c8d247887cae8979f7381b5808aa2b4e50e8b07 Author: Michael Rash Date: Sat Jun 1 22:30:29 2013 -0400 ChangeLog update to mention the constant_runtime_cmp() change CREDITS | 2 +- ChangeLog | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) commit af88af3e512c3b61b6f1a8bf2a3657df44ae92ad Merge: b95292e 54872ac Author: Michael Rash Date: Sat Jun 1 22:23:35 2013 -0400 Merge branch 'hmac_timing_bug_fix' Fixes #85 commit b95292ef906df0310728c7455c2599711fae1b7d Author: Michael Rash Date: Sat Jun 1 22:10:32 2013 -0400 added fwknopd man page blurb for the ENABLE_PCAP_ANY_DIRECTION variable doc/fwknopd.man.asciidoc | 11 +++++++++++ server/fwknopd.8.in | 9 +++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) commit 54872acfc34542d4ab800d4126a153854228cf11 (refs/remotes/web/hmac_timing_bug_fix, refs/heads/hmac_timing_bug_fix) Author: Michael Rash Date: Sat Jun 1 21:55:45 2013 -0400 Convert strncmp() calls to constant_runtime_cmp() at various places This commit is a follow up to Ryman's report (#85) of a potential timing attack that could be leveraged against fwknop when strncmp() is used to compare HMAC digests. All strncmp() calls that do similar things have been replaced with a new constant_runtime_cmp() function that mitigates this problem. lib/cipher_funcs.c | 8 ++++---- lib/fko_decode.c | 2 +- lib/fko_hmac.c | 31 +++---------------------------- lib/fko_util.c | 27 +++++++++++++++++++++++++++ lib/fko_util.h | 1 + server/incoming_spa.c | 6 +++--- server/replay_cache.c | 3 ++- 7 files changed, 41 insertions(+), 37 deletions(-) commit f3af0d48c5806c89fbc3a5ad35fe5dfabde6f645 Author: Franck Joncourt Date: Sat Jun 1 23:14:56 2013 +0200 Interim commit to be able to load key from file descriptor (fd 0 for example). 
client/config_init.c | 7 ++++--- client/fwknop_common.h | 3 ++- client/getpasswd.c | 52 +++++++++++++++++++++++++++++++------------------- client/getpasswd.h | 2 +- 4 files changed, 39 insertions(+), 25 deletions(-) commit 6706c539023f9a2dec1aed94f6e18ae1e7877c84 (refs/remotes/origin/hmac_timing_bug_fix) Author: Michael Rash Date: Sat Jun 1 09:09:17 2013 -0400 [libfko] HMAC comparison timing bug fix Ryman reported a timing attack bug in the HMAC comparison operation (#85) and suggested a fix derived from YaSSL: http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html CREDITS | 5 +++++ lib/fko_hmac.c | 28 +++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) commit 0f0f73636f1a4c9292f01b1a2669e73984ec4d20 Author: Michael Rash Date: Fri May 31 23:19:48 2013 -0400 [server] minor update to rename PCAP_ANY_DIRECTION -> ENABLE_PCAP_ANY_DIRECTION server/cmd_opts.h | 6 +++--- server/config_init.c | 2 +- server/fwknopd.conf | 2 +- server/fwknopd_common.h | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) commit 9b2cd9e2e50ebbaed18e5cc86d302e3bfeb65b14 Author: Michael Rash Date: Fri May 31 23:01:47 2013 -0400 [client] allow -D to be used in --save-rc-stanza mode if -n is not given This change simplifies the fwknop client usage by allowing the -D argument to be used as the stanza name if -n is not also specified in --save-rc-stanza mode. 
client/config_init.c | 17 +++++++++++------ client/fwknop.8.in | 6 +++++- doc/fwknop.man.asciidoc | 4 +++- 3 files changed, 19 insertions(+), 8 deletions(-) commit 32a6d05cdba45ac2f007450df6193ec9d3259548 Author: Michael Rash Date: Fri May 31 22:47:06 2013 -0400 added HMAC digests section to libfko info doc doc/libfko.texi | 86 +++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 62 insertions(+), 24 deletions(-) commit 9cbb80d434eec1d90e40f0954fbe6be8cf9f69f1 Author: Michael Rash Date: Fri May 31 21:36:49 2013 -0400 update man page in client/server directories to the latest client/fwknop.8.in | 114 ++++++++++++++++++++++++++++------------------------ server/fwknopd.8.in | 18 +++++++-- 2 files changed, 77 insertions(+), 55 deletions(-) commit b4171fe90cd0198d8fc84e21ab8ddeb52139e5be Author: Michael Rash Date: Thu May 30 22:50:29 2013 -0400 [test suite] minor update to reduce logging noise in valgrind comparison test test/test-fwknop.pl | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) commit b5c81468232ca5b171611af3e09fb418298054d1 Author: Michael Rash Date: Thu May 30 22:42:13 2013 -0400 minor configure.ac typo fix for --help output configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e775350682b906d4c96e1a1a31f41dd5d578779 Author: Michael Rash Date: Thu May 30 22:26:09 2013 -0400 minor documentation updates doc/fwknop.man.asciidoc | 40 +++++++++++++++++++++++----------------- doc/libfko.texi | 23 ++++++++++++++--------- 2 files changed, 37 insertions(+), 26 deletions(-) commit 0504627c2e2fd06ac94c7cdd823f82b22e4354c2 Author: Michael Rash Date: Thu May 30 22:03:11 2013 -0400 [client] don't print keys to stdout in --save-rc-stanza --key-gen mode This is a minor commit to not print keys to stdout when both --save-rc-stanza and --key-gen are set on the command line. 
client/config_init.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++-- client/fwknop.c | 32 +------------------------------ 2 files changed, 52 insertions(+), 33 deletions(-) commit 0001b37f44f3e61af8cab32cdc378d84932bacf7 Merge: 478f866 6d9f840 Author: Michael Rash Date: Wed May 29 18:53:08 2013 -0400 Merge remote-tracking branch 'fjoncourt/save_rc_stanza' This set of fixes from Franck allows for much better --save-rc-stanza functionality - new SPA keys can automatically be saved to the fwknoprc file when --key-gen and --save-rc-stanza are given, keys aren't overwritten upon updating the arguments for an existing stanza, and more. Conflicts: client/config_init.c commit 6d9f840ab7599603ba279d7c7abdb630c4728d04 (refs/remotes/fjoncourt/save_rc_stanza) Author: Franck Joncourt Date: Wed May 29 14:06:57 2013 +0200 The -R command line switch is now handled in fwknoprc as RESOLVE_IP_HTTP variable. client/config_init.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) commit cf6cb01f671859f1ded102faed885e17c5bcf323 Author: Franck Joncourt Date: Wed May 29 12:19:56 2013 +0200 Fixed ask_overwrite(). Generated keys are now stored in fwknoprc. * ask_overwrite() : when the user inputs more than one char when prompted, a second call to the function does not take the second char anymore. We parse all of the chars until we reach an LF char and discard all of them except the first one. The overwrite is requested only when the user enters 'y'; for anything else we assume 'N'. * When -k is used on the command line along with the --save-rc-stanza, the generated keys are also written in the stanza in fwknoprc. 
client/config_init.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++----- client/fwknop.c | 13 --------- 2 files changed, 74 insertions(+), 21 deletions(-) commit 82caa9a6a97ea633f15f75bb887168e4d6e14ded Author: Franck Joncourt Date: Tue May 28 17:14:36 2013 +0200 The variables are now stored in a hash (variable name and position) rather than an array containing only their name. It is now possible to sort them without worrying about their position in the enumeration. Improve variable naming for a better understanding (var_ndx becomes var_pos). client/config_init.c | 314 +++++++++++++++++++++++++++++---------------------- 1 file changed, 177 insertions(+), 137 deletions(-) commit dedc4bc8aa10638b6f928a55e228374cd4d9f14d Author: Franck Joncourt Date: Mon May 27 18:18:47 2013 +0200 Interim commit to handle bitmask with more than 32 positions. client/config_init.c | 309 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 207 insertions(+), 102 deletions(-) commit cc07d10d733c4ddc542de4726a9a09c67fed2af7 Author: Franck Joncourt Date: Sat May 25 21:56:01 2013 +0200 Set command line argument bitmask as a 64-bits value to be able to handle more arguments. Interim commit to add the VERBOSE variable to be stored in the fwknoprc file when -v is used with --save-rc-stanza. The VERBOSE variable is also read by fwknop and the verbosity level is set accordingly. 
client/config_init.c | 31 +++++++++++++++++++++++-------- client/log_msg.h | 2 ++ 2 files changed, 25 insertions(+), 8 deletions(-) commit 478f86669c62347d0e82f8a3df0211c275a40227 Author: Michael Rash Date: Thu May 23 22:29:41 2013 -0400 minor Makefile.am update to set permissions on access.conf.inst and fwknopd.conf.inst files Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+) commit 67f96dc3d4ddee424952ec9dbf62ea24e584dee5 Author: Michael Rash Date: Thu May 23 22:10:34 2013 -0400 [client] minor fix to set -R mode with a resolve URL is also set The command line arg validation function also checks this. client/config_init.c | 1 + 1 file changed, 1 insertion(+) commit b9bd984768e1f48ac35a0064098ec0f32b42438c Author: Michael Rash Date: Thu May 23 22:02:43 2013 -0400 [test suite] bug fix on FreeBSD to just run the server for the active/expire sets not equal test test/tests/rijndael.pl | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) commit 9a21bc11ba430312e121444d126ad8cc4aab9bb7 Author: Michael Rash Date: Wed May 22 21:21:59 2013 -0400 [server] update access.conf comments to conform to no trailing semicolon or colon within the variable name server/access.conf | 51 ++++++++++++++++++++++++++------------------------- 1 file changed, 26 insertions(+), 25 deletions(-) commit 3bc28305c39ec58f36847bc060edc7debca67d17 Author: Michael Rash Date: Wed May 22 21:20:42 2013 -0400 minor client man page wording update doc/fwknop.man.asciidoc | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) commit 47d235f4feba6ecc32b842a6a28ed7da2329cdd8 Author: Michael Rash Date: Tue May 21 22:12:03 2013 -0400 [test suite] minor formatting update to access.conf files to mimic fwknoprc vars (no colon or trailing semicolon) test/conf/android_access.conf | 6 +++--- test/conf/android_legacy_iv_access.conf | 8 ++++---- test/conf/base64_key_access.conf | 6 +++--- test/conf/cfb_mode_access.conf | 8 ++++---- test/conf/cmd_access.conf | 8 ++++---- 
test/conf/ctr_mode_access.conf | 8 ++++---- test/conf/default_access.conf | 6 +++--- test/conf/dual_key_usage_access.conf | 16 +++++++-------- test/conf/ecb_mode_access.conf | 8 ++++---- test/conf/expired_epoch_stanza_access.conf | 8 ++++---- test/conf/expired_stanza_access.conf | 8 ++++---- test/conf/force_nat_access.conf | 8 ++++---- test/conf/future_expired_stanza_access.conf | 8 ++++---- test/conf/fuzzing_open_ports_access.conf | 8 ++++---- test/conf/fuzzing_restrict_ports_access.conf | 10 +++++----- test/conf/fuzzing_source_access.conf | 8 ++++---- test/conf/gpg_access.conf | 14 ++++++------- test/conf/gpg_hmac_access.conf | 16 +++++++-------- test/conf/gpg_no_pw_access.conf | 12 +++++------ test/conf/gpg_no_pw_hmac_access.conf | 16 +++++++-------- test/conf/hmac_access.conf | 8 ++++---- test/conf/hmac_dual_key_usage_access.conf | 22 ++++++++++---------- test/conf/hmac_equal_keys_access.conf | 30 ++++++++++++++-------------- test/conf/hmac_force_nat_access.conf | 10 +++++----- test/conf/hmac_get_key_access.conf | 8 ++++---- test/conf/hmac_invalid_type_access.conf | 10 +++++----- test/conf/hmac_md5_access.conf | 10 +++++----- test/conf/hmac_md5_long_key_access.conf | 10 +++++----- test/conf/hmac_md5_short_key_access.conf | 10 +++++----- test/conf/hmac_no_b64_access.conf | 8 ++++---- test/conf/hmac_no_b64_cygwin_access.conf | 8 ++++---- test/conf/hmac_sha1_access.conf | 10 +++++----- test/conf/hmac_sha1_long_key_access.conf | 10 +++++----- test/conf/hmac_sha1_short_key_access.conf | 10 +++++----- test/conf/hmac_sha256_access.conf | 10 +++++----- test/conf/hmac_sha256_long_key_access.conf | 10 +++++----- test/conf/hmac_sha256_open_ports_access.conf | 12 +++++------ test/conf/hmac_sha256_short_key_access.conf | 10 +++++----- test/conf/hmac_sha384_access.conf | 10 +++++----- test/conf/hmac_sha384_long_key_access.conf | 10 +++++----- test/conf/hmac_sha384_short_key_access.conf | 10 +++++----- test/conf/hmac_sha512_access.conf | 10 +++++----- 
test/conf/hmac_sha512_long_key_access.conf | 10 +++++----- test/conf/hmac_sha512_short_key2_access.conf | 10 +++++----- test/conf/hmac_sha512_short_key_access.conf | 10 +++++----- test/conf/hmac_simple_keys_access.conf | 8 ++++---- test/conf/invalid_expire_access.conf | 8 ++++---- test/conf/invalid_source_access.conf | 12 +++++------ test/conf/ip_source_match_access.conf | 6 +++--- test/conf/legacy_iv_access.conf | 8 ++++---- test/conf/mismatch_open_ports_access.conf | 8 ++++---- test/conf/mismatch_user_access.conf | 8 ++++---- test/conf/multi_gpg_access.conf | 14 ++++++------- test/conf/multi_gpg_no_pw_access.conf | 14 ++++++------- test/conf/multi_source_match_access.conf | 6 +++--- test/conf/multi_stanzas_access.conf | 24 +++++++++++----------- test/conf/no_multi_source_match_access.conf | 6 +++--- test/conf/no_source_match_access.conf | 6 +++--- test/conf/no_subnet_source_match_access.conf | 6 +++--- test/conf/ofb_mode_access.conf | 8 ++++---- test/conf/open_ports_access.conf | 8 ++++---- test/conf/require_src_access.conf | 10 +++++----- test/conf/require_user_access.conf | 8 ++++---- test/conf/subnet_source_match_access.conf | 6 +++--- 64 files changed, 321 insertions(+), 319 deletions(-) commit cfbbac2654fd59f74334976292380deaade1ffe3 Author: Michael Rash Date: Tue May 21 22:10:13 2013 -0400 man page updates - access.conf section now includes variable guidance client/fwknop.8.in | 78 ++++++++++++++++----- doc/fwknop.man.asciidoc | 115 +++++++++++++++++-------------- doc/fwknopd.man.asciidoc | 170 +++++++++++++++++++++++++++------------------- server/fwknopd.8.in | 171 +++++++++++++++++++++++++++-------------------- 4 files changed, 324 insertions(+), 210 deletions(-) commit 52462e7dbaa8b525f986f43524549ead36e09325 Author: Michael Rash Date: Tue May 21 22:00:15 2013 -0400 Use {0} initializer for all stack allocated char arrays Lots of places in the code were already using {0} to initialize stack char arrays, but memset() was being used as well. 
This commit removes all unnecessary memset() calls against char arrays that are already initialized via {0} (which sets all members to zero for such arrays). client/config_init.c | 48 ++++++++++++++++++++-------------------------- client/fwknop.c | 25 ++++++++---------------- client/getpasswd.c | 2 -- client/http_resolve_host.c | 2 +- client/spa_comm.c | 6 +++--- lib/cipher_funcs.c | 13 ++++--------- lib/fko_hmac.c | 2 -- lib/hmac.c | 13 ------------- server/access.c | 18 ++++++++--------- server/config_init.c | 4 ++-- server/extcmd.c | 2 +- server/fw_util_ipf.c | 4 ++-- server/fw_util_ipfw.c | 4 ++-- server/fw_util_iptables.c | 14 +++++++------- server/fw_util_pf.c | 10 +++++----- server/fwknopd_common.h | 9 +++++---- server/incoming_spa.c | 2 +- server/replay_cache.c | 6 +++--- server/tcp_server.c | 2 +- server/utils.c | 3 +-- 20 files changed, 76 insertions(+), 113 deletions(-) commit 2e2e7fcc0eb9065aa40c5ea915ecb48a99bd9c51 Merge: fad0ef8 98e6314 Author: Michael Rash Date: Mon May 20 21:57:42 2013 -0400 Merge remote-tracking branch 'fjoncourt/save_rc_stanza' Closes issues #81 and #82 thanks to Franck. commit 05585cab8a916eb734108fd93f32865b5ae8f8fd Merge: 6c59c9a fad0ef8 Author: Franck Joncourt Date: Mon May 20 22:02:31 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 98e631451f34cff6713b51d0291a3ab626786ba8 Author: Franck Joncourt Date: Mon May 20 21:58:18 2013 +0200 Fixed stanza name in log message. We display the stanza we were looking for, not the current one. 
client/config_init.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 209b189f202d02134d2523f7479b240ab9863b1a Merge: 5e3d9b6 fad0ef8 Author: Franck Joncourt Date: Mon May 20 11:08:33 2013 +0200 Merge remote-tracking branch 'upstream/master' into save_rc_stanza commit fad0ef8690eba98279558b2984cbe72920262804 Author: Michael Rash Date: Sun May 19 16:15:19 2013 -0400 [test suite] added 'equal keys' files test/conf/fwknoprc_hmac_equal_keys | 4 ++++ test/conf/hmac_equal_keys_access.conf | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) commit 5e3d9b6e0bdf661fea02f960b8db841afc48d56f Author: Franck Joncourt Date: Sun May 19 22:00:51 2013 +0200 Do not assume two rc sections are separated by an empty line. (mrash/fwknop#81) client/config_init.c | 68 +++++++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 30 deletions(-) commit dc2ff2119caa81a9a3187e95f51ed34544398749 Author: Michael Rash Date: Sun May 19 15:50:16 2013 -0400 [client] finished documenting client command line options via the man page doc/fwknop.man.asciidoc | 69 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 50 insertions(+), 19 deletions(-) commit 72ab0bf5d5b046d28004fea523a03ec6c1f50800 Author: Michael Rash Date: Sun May 19 15:29:20 2013 -0400 [test suite] added client -f firewall timeout tests test/tests/rijndael_hmac.pl | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) commit 16f96a3e5391d381048e2ea2331d4ab50a2b12d8 Author: Michael Rash Date: Sun May 19 14:36:32 2013 -0400 [server] port list memory leak bug fix for OpenBSD/pf and FreeBSD/ipfw firewall interface code found by Coverity server/access.c | 5 +++-- server/fw_util_ipfw.c | 3 +++ server/fw_util_pf.c | 4 ++++ 3 files changed, 10 insertions(+), 2 deletions(-) commit e31459bb1e4664482b5ccd49d9ff0326d63aabe5 Author: Michael Rash Date: Sun May 19 14:12:58 2013 -0400 updated client and server man page material client/fwknop.8.in | 503 
+++++++++++++++++++++++++++++++++++----------------- server/fwknopd.8.in | 59 ++++-- 2 files changed, 381 insertions(+), 181 deletions(-) commit 0cc5c3495ec30691e5d7e5b65de056e4ab2a7847 Merge: 0a279cc 4e5b960 Author: Michael Rash Date: Sun May 19 12:57:36 2013 -0400 Merge branch 'master' of github.com:mrash/fwknop commit 4e5b96054cf98af86cb5297faa4c668aee16843d Merge: 96bbf7e 3e16d66 Author: Michael Rash Date: Sun May 19 09:57:07 2013 -0700 Merge pull request #80 from fjoncourt/fix-gpl2.0 [FTBS] Fixed gpl2.0.texi commit 3e16d6694c07e8e92eaf590cb79b19dd4f729524 (refs/remotes/fjoncourt/fix-gpl2.0) Author: Franck Joncourt Date: Sun May 19 17:14:35 2013 +0200 Fixed gpl2.0.texi to make it build. The @appendixsubsec entries are substituted by @appendixsec entries. doc/gpl-2.0.texi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 6c59c9ade80d905dbf597917fb55f80214a69631 Merge: cee5807 96bbf7e Author: Franck Joncourt Date: Sun May 19 15:34:20 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 0a279ccbfcb0be44e4e82f9ced28641a8d5cc3ef Author: Michael Rash Date: Sat May 18 22:49:38 2013 -0400 [client] minor --verbose display update to say source port is 'OS assigned' when not otherwise set client/spa_comm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 96bbf7e61abd9b0238392e79b412e332e3e95783 Author: Michael Rash Date: Sat May 18 22:36:13 2013 -0400 [client] bug fix to separate out --named-config vs. 
--no-save-args command line args client/config_init.c | 47 ++++++++++++++++++++++++++--------------------- client/fwknop.c | 2 +- doc/fwknop.man.asciidoc | 2 +- 3 files changed, 28 insertions(+), 23 deletions(-) commit 15b1382160d48b253d951eceadbe14a01034d55b Author: Michael Rash Date: Sat May 18 16:39:08 2013 -0400 [test suite] slurp openssl HMAC from file into single string (it may be binary data) test/test-fwknop.pl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 61459c65f5a926a2740b067b47206be8c4c04c2c Author: Michael Rash Date: Sat May 18 12:13:50 2013 -0400 added test suite HMAC != enc key conf files Makefile.am | 2 ++ 1 file changed, 2 insertions(+) commit 23a354fced4a32d083f4f854b5feb2ad6747cf18 Author: Michael Rash Date: Sat May 18 12:10:18 2013 -0400 [client+server] ensure HMAC key and encryption passphrase are not the same client/fwknop.c | 12 ++++++++++++ server/access.c | 30 +++++++++++++++++++++++++++++- test/test-fwknop.pl | 3 +++ test/tests/rijndael_hmac.pl | 24 ++++++++++++++++++++++++ 4 files changed, 68 insertions(+), 1 deletion(-) commit 731ca0e038ecd9f3e7e4a4a138ef98dc021f37b6 Author: Michael Rash Date: Sat May 18 10:51:49 2013 -0400 [client] added warning in --verbose mode if -s is used instead of -a or -R client/config_init.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) commit c02ec41ca099815c5422ed16c4e339afa604d8c4 Author: Michael Rash Date: Sat May 18 08:34:20 2013 -0400 [test suite] minor bug fix to preserve the init file test/test-fwknop.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit cee5807debf3f49ed520ed8cfe648e9254ac62a1 Author: Franck Joncourt Date: Sat May 18 10:54:44 2013 +0200 First draft to be able to use stdin as an input for submitting fwknop key. 
mrash/fwknop#74 client/cmd_opts.h | 4 ++ client/config_init.c | 7 +++ client/fwknop.c | 12 ++-- client/fwknop_common.h | 1 + client/getpasswd.c | 168 +++++++++++++++++++++++++++++-------------------- client/getpasswd.h | 2 +- 6 files changed, 118 insertions(+), 76 deletions(-) commit ebe1aec54250f5ae8fbacd84254f0b71a0d370c6 Author: Michael Rash Date: Fri May 17 23:05:58 2013 -0400 continued man page updates in preparation for the 2.5 release doc/fwknop.man.asciidoc | 175 +++++++++++++++++++++++++---------------------- doc/fwknopd.man.asciidoc | 69 ++++++++++++++----- 2 files changed, 146 insertions(+), 98 deletions(-) commit 7cb23c75cca87d497215da27b6a263a694bc0b27 Author: Michael Rash Date: Fri May 17 22:34:26 2013 -0400 [server] added check to ensure any existing fwknop jump rule is not duplicated at init CREDITS | 4 +++ server/fw_util_iptables.c | 66 +++++++++++++++++++++++++++++++++++------------ 2 files changed, 53 insertions(+), 17 deletions(-) commit cabcaf2174b1a2e0c714f8a9ca56ff3ab2ed95d4 Author: Michael Rash Date: Fri May 17 22:28:03 2013 -0400 [server] apply same logging policy for --fw-* modes as --foreground mode server/log_msg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 45244114f82b4ab1453bbb7b22b7bb75d96b6df0 Author: Michael Rash Date: Fri May 17 21:03:16 2013 -0400 [client] --key-gen bug fix to print keys to stdout client/config_init.c | 5 ++++- client/fwknop.c | 11 ++++++++++- lib/fko_funcs.c | 10 ++++++++-- test/test-fwknop.pl | 27 ++++++++++++++++++--------- test/tests/rijndael.pl | 3 ++- 5 files changed, 42 insertions(+), 14 deletions(-) commit b6562d3bf379fc5937e73e6c17eb03a7cade32fb Merge: 2c8469e 95615c9 Author: Michael Rash Date: Wed May 15 21:31:17 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' Closes issues #76 and #60. 
commit 2c8469e95e219f42c0a206454d6d0919a7447e4c Author: Michael Rash Date: Wed May 15 21:17:39 2013 -0400 [client] man page update for GPG key signing material doc/fwknop.man.asciidoc | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) commit a6f9f1d9ec23df5cb1e4f60234602e315f154349 Author: Michael Rash Date: Wed May 15 20:59:29 2013 -0400 [client] completed fwknop client man page rc variable documentation doc/fwknop.man.asciidoc | 203 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 138 insertions(+), 65 deletions(-) commit 366255188adf06b8a9bc05fc554a89232ba6decb Author: Michael Rash Date: Tue May 14 23:28:45 2013 -0400 HMAC and PBKDF1 ChangeLog updates ChangeLog | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) commit e1a7011bf37413fb2d90907a48be80773c2efffd Author: Michael Rash Date: Tue May 14 23:22:03 2013 -0400 [docs] fwknop client man page update for HMAC material doc/fwknop.man.asciidoc | 210 +++++++++++++++++++++++++++++------------------- 1 file changed, 129 insertions(+), 81 deletions(-) commit 95615c90e2eb9a6e246709bce79bc7fedd609736 Merge: bb90a8b e73d13e Author: Franck Joncourt Date: Tue May 14 22:15:19 2013 +0200 Merge remote-tracking branch 'upstream/master' commit bb90a8bf7557bce71223ef66119a0dd98eecea91 Author: Franck Joncourt Date: Tue May 14 22:08:44 2013 +0200 Fixed gcc warnings on openbsd. 
- mrash/fwknop#60 client/getpasswd.c | 2 +- lib/digest.c | 70 +++++++++++++++++------------- lib/digest.h | 10 ++--- lib/fko_encode.c | 6 +-- lib/fko_rand_value.c | 6 ++- lib/gpgme_funcs.c | 2 +- server/utils.c | 120 ++++++++++++++++++++++++++++++--------------------- 7 files changed, 127 insertions(+), 89 deletions(-) commit e73d13e14086b00435f0248d8d8a7df0885a771f Author: Michael Rash Date: Mon May 13 23:11:33 2013 -0400 minor write_test_file() path bug fix test/test-fwknop.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4e5fb77dd046b99a629aa2da0349b0128fef92f5 Merge: fb80575 31d94d5 Author: Michael Rash Date: Mon May 13 23:10:26 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' Merged update from Franck - closes issue #71. commit fb80575209a8276767457b2c5fefaa42ea1aca23 Author: Michael Rash Date: Mon May 13 20:52:14 2013 -0400 [server] minor memory leak bug fix during SPA digest calculation found by Coverity server/incoming_spa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6a2bc3db2718ab06c07c93b208dbd072d0ba5560 Author: Michael Rash Date: Mon May 13 20:48:23 2013 -0400 [server] minor memory leak bug fix during access.conf parsing found by Coverity server/access.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 8e31f8feb02585e1b110efd6e01228425bff11ce Author: Michael Rash Date: Mon May 13 20:42:07 2013 -0400 [server] varargs cleanup bug fix found by Coverity server/log_msg.c | 3 +++ 1 file changed, 3 insertions(+) commit d60870740da90c2eca0a8910dd5cd616438ddabd Author: Michael Rash Date: Mon May 13 20:41:25 2013 -0400 [server] fix pointer NULL check after strdup() - found by Coverity server/incoming_spa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 0c3da4bee4126ab96cabf35f45d2d02751d9e543 Author: Michael Rash Date: Mon May 13 20:40:29 2013 -0400 [server] minor cosmetic (unnecessary NULL checks and one un-triggerable memory leak) found by Coverity server/fw_util_iptables.c | 15 
+++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit cdd0a5f3f379627cd91ddf2cd597b30d11c5795b Author: Michael Rash Date: Mon May 13 20:38:39 2013 -0400 [server] minor memory leak bug fix during access.conf parsing found by Coverity server/access.c | 1 + 1 file changed, 1 insertion(+) commit 9dbb62ae1ef53fccdefa1894d09c422719d5af83 Merge: 31d94d5 c83bc15 Author: Franck Joncourt Date: Mon May 13 16:30:27 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 48a3f7a1797c557aa7babf13c7a2e5188016bb7b (refs/remotes/web/gpgme_autoconf_macro, refs/remotes/origin/gpgme_autoconf_macro, refs/heads/gpgme_autoconf_macro) Author: Michael Rash Date: Sun May 12 23:48:44 2013 -0400 added m4/gpgme.m4 file Makefile.am | 1 + 1 file changed, 1 insertion(+) commit c83bc15c5eb9d6597df17cd9b421ab818548b210 (tag: refs/tags/fwknop-2.5-pre1) Author: Michael Rash Date: Sun May 12 22:42:13 2013 -0400 bumped VERSION file to fwknop-2.5-pre1 VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1144284913d78764e22742a45fe0cdaa0cb27fb7 Merge: c6b2c0d 3246c3c Author: Michael Rash Date: Sun May 12 22:31:18 2013 -0400 Merge branch 'master' into gpgme_autoconf_macro commit 3246c3c6b0a40c380660f4885334c06e48213977 Author: Michael Rash Date: Sun May 12 22:30:28 2013 -0400 [test suite] added hmac_get_key_access.conf file test/conf/hmac_get_key_access.conf | 4 ++++ 1 file changed, 4 insertions(+) commit c6b2c0def42765f1124a0b43acdb8e04e8c071a2 Author: Michael Rash Date: Sun May 12 22:25:16 2013 -0400 Added gpgme autoconf m4 macro to fix an undefined AM_PATH_GPGME error For systems that don't have libgpgme installed, the addition of the m4/gpgme.m4 file fixes the following error when running the autogen.sh script: configure.ac:313: error: possibly undefined macro: AC_DEFINE If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. 
configure.ac:326: error: possibly undefined macro: AM_PATH_GPGME configure.ac:329: error: possibly undefined macro: AC_MSG_FAILURE autogen.sh | 2 +- m4/gpgme.m4 | 307 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 308 insertions(+), 1 deletion(-) commit 09f073d393ea29c9ad22b72491e0cf97da058c1c Author: Michael Rash Date: Sun May 12 21:04:25 2013 -0400 Added blurb on Coverity to the ChangeLog ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) commit 838782f19810d38ef2ffe556426faaf6e49d42f5 Author: Michael Rash Date: Sun May 12 20:57:19 2013 -0400 [test suite] added fko_destroy() calls to fko-wrapper test/fko-wrapper/fko_wrapper.c | 127 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 118 insertions(+), 9 deletions(-) commit 1caf6035d9e475f3c98ee97e9c28996c7f5e54d6 Author: Michael Rash Date: Sun May 12 20:54:44 2013 -0400 [server] fixed potential double-free condition found by Coverity Within the access loop always call fko_destroy() right up front whenever ctx != NULL to ensure a clean slate each time through the loop regardless of what state may have been reached the previous time through the loop. 
server/incoming_spa.c | 58 +++++++++++++++++++++++++-------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) commit c555a35489b830b20f2270b91bace1e42d455e3e Author: Michael Rash Date: Sun May 12 20:54:04 2013 -0400 [client] set ctx=NULL after fko_destroy() calls client/fwknop.c | 27 +++++++++++++++++++++++++++ client/getpasswd.c | 2 ++ 2 files changed, 29 insertions(+) commit d85c2e74ce06ac461bb84dd508f8a5562a0483c8 Author: Michael Rash Date: Sun May 12 20:53:22 2013 -0400 [libfko] set ctx=NULL after fko_destroy(), add NULL check for encrypted msg pointer in fko_new_with_data() lib/fko_funcs.c | 120 ++++++++++++++++++++++++++++++-------------------------- 1 file changed, 65 insertions(+), 55 deletions(-) commit 7b3c854a024c9778b4c16fea075e5a80a53c7ea2 Author: Michael Rash Date: Sun May 12 20:49:00 2013 -0400 [libfko] added context initialized check to fko_decrypt_spa_data() lib/fko_encryption.c | 3 +++ 1 file changed, 3 insertions(+) commit 6d0f970b3441b5980cff69eeb636963558b1e617 Author: Michael Rash Date: Sun May 12 15:02:31 2013 -0400 [libfko] bug fix to apply ctx initialization check before attempting to use ctx->message_type in fko_set_spa_client_timeout() lib/fko_client_timeout.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 38395b04c69268004519a54efd3331e6e1c6583d Author: Michael Rash Date: Sun May 12 14:43:19 2013 -0400 [test suite] add -x to run_valgrind.sh fko-wrapper script test/fko-wrapper/run_valgrind.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3302dd42207d1aa40a3a90386aec8e6a34169c36 Author: Michael Rash Date: Sun May 12 14:42:35 2013 -0400 [test suite] added -g to fko_wrapper Makefile for debugging symbols test/fko-wrapper/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 31d94d50b1d841073d6c7160cfb83d7279d907cf Author: Franck Joncourt Date: Sun May 12 17:35:19 2013 +0200 Added tests to validate the encryption mode for the client. 
Renamed the CBC legacy IV encryption mode to "legacy" as mentioned in the man page. lib/fko_util.c | 2 +- test/tests/basic_operations.pl | 81 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+), 1 deletion(-) commit 160c21d6b63f79f12d5166c860aad05cc76aad87 Author: Franck Joncourt Date: Sun May 12 16:52:52 2013 +0200 Rewrite enc_mode_inttostr() and enc_mode_strtoint(). Make sure both functions work the same way and refer to the same encryption mode string. Updated the fwknop usage message to display the encryption mode. client/config_init.c | 9 ++++ lib/fko_common.h | 4 ++ lib/fko_util.c | 130 ++++++++++++++++++++++++++++++--------------------- 3 files changed, 90 insertions(+), 53 deletions(-) commit a8410d8f2a6a77ae2be76a67f05af80f47927f9d Author: Michael Rash Date: Sat May 11 13:28:55 2013 -0400 [test suite] allow valgrind coverage test to run after --test-limit test/test-fwknop.pl | 58 ++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) commit 282b0198ecabc69b1aa9adc9bc839b6a9dea2967 Author: Michael Rash Date: Thu May 9 22:43:05 2013 -0400 [libfko] changed 'state' context element to 'int' type to fix an 'extra high-order bits' bug found by Coverity lib/fko_context.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit aafc3ac264e9e8b347ba6b3b3b487e94b03fe7ef Author: Michael Rash Date: Thu May 9 22:35:08 2013 -0400 [server] setsockopt() and fcntl() return value checking (found by Coverity) server/fwknopd.c | 7 ++++++- server/tcp_server.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) commit 72e4edbf6a3b0c4bc361183b94e5495908e1e618 Author: Michael Rash Date: Thu May 9 22:14:06 2013 -0400 [libfko] fixed remaining sizeof() usage bug in SHA256 code found by Coverity lib/sha2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 62edf0910147435290c8fb8bc3d9d78c37ef1758 Author: Michael Rash Date: Thu May 9 22:13:25 2013 -0400 [libfko] fixed remaining buffer 
constraints in lib/hmac.c code found by Coverity lib/hmac.c | 52 ++++++++++++++++------------------------------------ 1 file changed, 16 insertions(+), 36 deletions(-) commit add518016c533c06fbdce5eb8a9adb5a903e178f Author: Michael Rash Date: Thu May 9 22:10:38 2013 -0400 [client] removed unnecessary array NULL check found by Coverity client/config_init.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 9046acaf22650b2c3f71185d8a1201647c431a7b Author: Michael Rash Date: Thu May 9 21:56:13 2013 -0400 [libfko] memory leak fixes found by Coverity lib/fko_encryption.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 8c09d38941485623a452b4f2c8fd3946482414d0 Author: Michael Rash Date: Thu May 9 21:17:27 2013 -0400 various sizeof() usage and type bug fixes found by Coverity client/config_init.c | 2 +- client/fwknop.c | 14 +++++++------- lib/fko_encryption.c | 6 ++++-- lib/hmac.c | 10 +++++----- lib/md5.c | 3 ++- lib/sha2.c | 10 +++++----- server/fwknopd.c | 7 +++++-- 7 files changed, 29 insertions(+), 23 deletions(-) commit b92f892ae089679a80cb3ecc0217c5c0b8b700d8 Author: Michael Rash Date: Thu May 9 21:11:45 2013 -0400 [test suite] minor bug fix for printing the number of test buckets to be executed test/test-fwknop.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9f9bbcbcdd8a47ee29bf60bb2f2728685bbc7aec Author: Michael Rash Date: Wed May 8 23:55:35 2013 -0400 fixed several resource leak conditions found by Coverity client/config_init.c | 9 +++++---- client/spa_comm.c | 1 + lib/fko_encryption.c | 23 ++++++++++++++++++++++- lib/fko_user.c | 10 +++++++++- server/fwknopd.c | 31 +++++++++++++++++-------------- 5 files changed, 54 insertions(+), 20 deletions(-) commit aaa28d4ab3437f3641aedf98074d8325ecec1196 Author: Michael Rash Date: Wed May 8 23:44:13 2013 -0400 [server] double free bug fix in access.conf parsing routine caught by Coverity server/access.c | 2 -- 1 file changed, 2 deletions(-) commit 3a1efd9321b428fc3dcebab18ee1d3453de4cab0 
Author: Michael Rash Date: Tue May 7 23:35:34 2013 -0400 [server] fixed several (non-exploitable) overflow conditions found by Coverity lib/fko_encryption.c | 2 +- lib/hmac.c | 60 +++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 46 insertions(+), 16 deletions(-) commit 8d980ae68646af35b531713b2d01bbf24e3a9468 Author: Michael Rash Date: Tue May 7 23:02:49 2013 -0400 remove dead code caught by Coverity client/fwknop.c | 2 +- lib/cipher_funcs.c | 6 ++---- server/extcmd.c | 3 --- 3 files changed, 3 insertions(+), 8 deletions(-) commit 50f0ee2f7db5d0d2290efa3fee10339318fa023f Author: Michael Rash Date: Tue May 7 22:52:35 2013 -0400 [server] bug fix for GPG 'nesting level does not match indentation' issue (discovered by Coverity) server/incoming_spa.c | 2 ++ 1 file changed, 2 insertions(+) commit e1c6f04ef9658557fbfe99ff0953d206d8f0f0f5 Author: Michael Rash Date: Tue May 7 21:43:38 2013 -0400 [client] fix missing 'break' in switch statement (discovered by Coverity) client/config_init.c | 2 ++ 1 file changed, 2 insertions(+) commit 8f423e8b89915b0b1c6ae37b9d505d37f2c18315 Author: Michael Rash Date: Mon May 6 22:23:59 2013 -0400 [server] added --pcap-any-direction along with config file support From the config file comments: This variable controls whether fwknopd is permitted to sniff SPA packets regardless of whether they are received on the sniffing interface or sent from the sniffing interface. In the latter case, this can be useful to have fwknopd sniff SPA packets that are forwarded through a system and destined for a different network. If the sniffing interface is the egress interface for such packets, then this variable will need to be set to "Y" in order for fwknopd to see them. 
The default is "N" so that fwknopd only looks for SPA packets that are received on the sniffing interface. PCAP_ANY_DIRECTION N; server/cmd_opts.h | 3 +++ server/config_init.c | 3 +++ server/fwknopd.conf | 12 ++++++++++++ server/fwknopd_common.h | 9 +++++++++ server/pcap_capture.c | 3 ++- test/test-fwknop.pl | 9 ++++++--- 6 files changed, 35 insertions(+), 4 deletions(-) commit 5aac3d978c8eadb81b10a055d176a950994f91ac Author: Michael Rash Date: Mon May 6 22:22:22 2013 -0400 minor typo fix test/tests/rijndael.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a9a143a85d54bf4443a1b6c9ef61d8e74cc55da0 Merge: d4577ab eb143db Author: Franck Joncourt Date: Mon May 6 11:52:35 2013 +0200 Merge remote-tracking branch 'upstream/master' commit d4577ab697414cddb1fdb9d3794249a7cb005ed4 Author: Franck Joncourt Date: Mon May 6 11:49:16 2013 +0200 Added new tests to the test suite to validate the --save-rc-stanza command line argument. test/test-fwknop.pl | 2 +- test/tests/basic_operations.pl | 223 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 209 insertions(+), 16 deletions(-) commit b3cbf1ecfa513647e03f207bf4ba7b16d0ffa2a8 Author: Franck Joncourt Date: Mon May 6 10:02:02 2013 +0200 Replaced printf() by log_msg(). 
client/fwknop.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit eb143db9a7f540f83ee538aff63f44e151c453dc Author: Michael Rash Date: Sun May 5 21:54:07 2013 -0400 [client] added --get-hmac-key to mirror --get-key, closes #68 ChangeLog | 4 ++++ Makefile.am | 1 + client/cmd_opts.h | 2 ++ client/config_init.c | 17 ++++++++++++++++ client/fwknop.c | 30 +++++++++++++-------------- client/fwknop_common.h | 1 + client/getpasswd.c | 28 ++++++++++++++++---------- client/getpasswd.h | 6 +++++- doc/fwknop.man.asciidoc | 49 ++++++++++++++++++++++++++++++++------------- test/test-fwknop.pl | 18 ++++++++++++++++- test/tests/rijndael_hmac.pl | 18 +++++++++++++++++ 11 files changed, 132 insertions(+), 42 deletions(-) commit 83493a424c7c0d7e7e927b2384a55ec56b2dadbe Merge: 314cc3e 0363a20 Author: Michael Rash Date: Sun May 5 21:01:26 2013 -0400 Merge branch 'master' of github.com:mrash/fwknop commit 314cc3eb23d9ef58790afe4f75530d8eb1558b14 Merge: 3c32839 63fed30 Author: Michael Rash Date: Sun May 5 20:59:04 2013 -0400 Merge remote-tracking branch 'origin/win32_fixes' This fixes issue #69 thanks to Damien. commit 0363a2099a03a11d9d034381fb0a371f5f10ed92 Author: Damien S. Stuart Date: Sun May 5 20:44:47 2013 -0400 Regenerated the client and server manpage .in files from the asciidoc sources client/fwknop.8.in | 125 ++++++++++++++++++++++++++++++++++++++++++---- server/fwknopd.8.in | 139 +++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 236 insertions(+), 28 deletions(-) commit 63fed301b82b8f92bc9a80fa7167743c2fd0cd54 (refs/remotes/origin/win32_fixes) Merge: 2c1a911 c0c0941 Author: Damien S. Stuart Date: Sun May 5 20:37:02 2013 -0400 Merge branch 'win32_fixes' of ssh://github.com/mrash/fwknop into win32_fixes commit 2c1a911a50982afc417f49bbd7f2c0122f6d6297 Author: Damien S. Stuart Date: Sun May 5 20:36:33 2013 -0400 Copied the win32 Visual Studio solution and project files to preserve a VS 2008 version. 
win32/README.VISUAL_STUDIO | 26 ++ win32/fwknop-client.vcproj.vs2008 | 543 +++++++++++++++++++++++++++++++++++++ win32/libfko.sln.vs2008 | 44 +++ win32/libfko.vcproj.vs2008 | 558 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 1171 insertions(+) commit c0c0941d5525375e5a5513e1d723c974ff030cf5 Author: Damien Stuart Date: Sun May 5 19:02:48 2013 -0400 Tweaked WIN32 conditional for using inet_ntoa instead of inet_ntop to apply only to versions below Vista (WINVER <= 0x0600) client/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit b84415c33cbff2f13448c89eb46820b04c63583c Author: Damien Stuart Date: Sun May 5 16:37:18 2013 -0400 Use inet_aton on Windows (older Windows versions do not have inet_ntop). client/utils.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) commit 327257ef5fc7d5d5985c24b302bdccbeeee77259 Author: Franck Joncourt Date: Sun May 5 22:03:21 2013 +0200 Fixed command line arguments (key-base64-rijndael and key-base64-hmac). The cmd_opts structure containing the command line args did not follow the documentation. This update fixes it. client/cmd_opts.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ea8a9419ed6f33607e0a73dbe8fd088e9e3574dd Author: Franck Joncourt Date: Sun May 5 22:00:02 2013 +0200 Added force-stanza to the client documentation. doc/fwknop.man.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) commit f3da6853488109414928beba98fa9a411c3c41ac Merge: 17a105f 5804e15 Author: Franck Joncourt Date: Sun May 5 21:47:21 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 17a105fd8a08e060ec667d825f524751effda522 Author: Franck Joncourt Date: Sun May 5 21:43:31 2013 +0200 Added GPG_SIGNER and GPG_RECIPIENT to the list of important variables. 
client/config_init.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit b8145f6d7f1d7c545f2f98fce4e754273d3f1984 Author: Franck Joncourt Date: Sun May 5 21:13:26 2013 +0200 Added --force-stanza command line arg to avoid prompting the user. client/cmd_opts.h | 2 ++ client/config_init.c | 14 ++++++++++++-- client/fwknop_common.h | 1 + 3 files changed, 15 insertions(+), 2 deletions(-) commit 15d9c6197b3cc233c906e0901a291a6329297b71 Author: Damien Stuart Date: Sun May 5 13:20:20 2013 -0400 Fixes to get hmac_support and 2.5 changes working for the Windows lib and client builds. client/spa_comm.c | 8 ++++---- client/utils.c | 2 ++ client/utils.h | 11 +++++++++-- common/common.h | 10 ++++++++++ lib/cipher_funcs.c | 2 +- lib/fko_encryption.c | 2 +- lib/fko_util.c | 22 ++++++++++++++++++++++ lib/fko_util.h | 4 ++++ win32/fwknop-client.vcproj | 24 ++++++++++++++++++++++++ win32/libfko.vcproj | 20 ++++++++++++++++++++ 10 files changed, 97 insertions(+), 8 deletions(-) commit 3c3283992c71291b9028121fe90e5381a5b3ef36 Author: Michael Rash Date: Sat May 4 14:16:06 2013 -0400 (Franck Joncourt) patch to address sprintf() warnings for issue #60 client/http_resolve_host.c | 4 +++- server/fw_util_iptables.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) commit 9d8d1de60d1aece79ce5c5f700bfc1976bbc7e5e Author: Franck Joncourt Date: Sat May 4 17:02:02 2013 +0200 Ask the user whether he wants to overwrite a variable in the updated rc file or not. client/config_init.c | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) commit 5804e15859aee23e9af2fd4bd917c4c5fbc29372 Merge: d61d5b9 621e7b1 Author: Michael Rash Date: Sat May 4 09:41:27 2013 -0400 Merge remote-tracking branch 'ag4ve/master' (Shawn Wilson) This adds better source IP logging for fwknopd log messages. Closes #70. 
commit 9f43f7a6ff994d5515469e109c005352b0f17332 Merge: f217506 d61d5b9 Author: Franck Joncourt Date: Sat May 4 15:34:34 2013 +0200 Merge remote-tracking branch 'upstream/master' commit f2175062347a1b300d4b71440fd257d7e0ab4c02 Author: Franck Joncourt Date: Sat May 4 15:33:03 2013 +0200 Fixed names of function for better understanding. client/config_init.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) commit d61d5b964ea50356aff3474718be9ef1c24a7012 Author: Michael Rash Date: Fri May 3 23:17:24 2013 -0400 [test suite] added Cygwin client compatibility tests Makefile.am | 1 + test/conf/hmac_no_b64_cygwin_access.conf | 4 ++++ test/test-fwknop.pl | 1 + test/tests/rijndael.pl | 19 +++++++++++++++++++ test/tests/rijndael_backwards_compatibility.pl | 12 ++++++++++++ test/tests/rijndael_hmac.pl | 21 +++++++++++++++++++++ 6 files changed, 58 insertions(+) commit 589a68b97bc9c84d4f24dd8015a30901aac087b8 Author: Michael Rash Date: Fri May 3 20:56:05 2013 -0400 [test suite] additional iptables init/exit 'no flush' tests test/tests/gpg.pl | 43 +++++++++++++++++++++++++++++++++ test/tests/gpg_no_pw.pl | 58 +++++++++++++++++++++++++++++++++++++++++++++ test/tests/rijndael_hmac.pl | 44 ++++++++++++++++++++++++++++++++++ 3 files changed, 145 insertions(+) commit df5f2d3ac07d0ed42b7c8989fc7bf653b513b911 Author: Michael Rash Date: Fri May 3 20:55:20 2013 -0400 [test suite] minor update to not count HMAC OpenSSL tests against non-ascii HMAC keys when the hexkey option is not supported test/test-fwknop.pl | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) commit 621e7b1c6d4b3033bb1825a7389143d91ae1666c (refs/remotes/ag4ve/master) Merge: 9dc1d26 c086105 Author: Shawn Wilson Date: Fri May 3 12:28:49 2013 -0400 Merge branch 'master' of github.com:ag4ve/fwknop Pull in forked upstream commit 5f06cefb0286ee3337767ff321c972af7da908fe Author: Michael Rash Date: Fri May 3 08:35:24 2013 -0400 [test suite] added check for test script inclusion in 
Makefile.am Makefile.am | 1 + test/test-fwknop.pl | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) commit 84768dda6fd6828d30e6cf26a4a107a9aaf5fb59 Author: Franck Joncourt Date: Fri May 3 13:49:32 2013 +0200 Continued implementing a way to not overwrite KEY.. variables with --save-rc-stanza mrash/fwknop#67 client/config_init.c | 159 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 98 insertions(+), 61 deletions(-) commit c086105eb1b473c68f1d7677320c6564c4478806 Author: Michael Rash Date: Thu May 2 22:29:51 2013 -0400 [server] added tests on Linux systems for the iptables FLUSH_IPT_* vars test/test-fwknop.pl | 256 +++++++++++++++++++++++++++++------------------- test/tests/gpg.pl | 4 +- test/tests/gpg_no_pw.pl | 4 +- test/tests/rijndael.pl | 62 +++++++++++- 4 files changed, 221 insertions(+), 105 deletions(-) commit 2297dfd8c2c2a953efde72cd3051d21858c167f4 Author: Michael Rash Date: Thu May 2 22:26:21 2013 -0400 [server] minor memory leak bug fix for invalid date processing Bug fix to ensure memory is released when invalid access stanza dates are set and fwknopd has to exit. This leak was caught with the test suite in --enable-valgrind mode based on the following output: ==31947== 568 bytes in 1 blocks are still reachable in loss record 1 of 1 ==31947== at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31947== by 0x52EE42A: __fopen_internal (iofopen.c:73) ==31947== by 0x1116A2: parse_access_file (access.c:909) ==31947== by 0x10BAD5: main (fwknopd.c:194) server/access.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) commit c71ce885be0c5d389aa37bbe2246704d584d575c Author: Franck Joncourt Date: Thu May 2 23:58:28 2013 +0200 First attempt to not overwrite some configuration variables with --save-rc-stanza. At this time it only avoids overwriting the KEY and HMAC variables, without asking the user what he wants to do. 
client/config_init.c | 153 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 107 insertions(+), 46 deletions(-) commit 56ef34738edd53a2b7abafd7926f03af62b47251 Author: Michael Rash Date: Wed May 1 23:55:34 2013 -0400 [test suite] add new test files to Makefile.am Makefile.am | 6 ++++++ test/conf/no_flush_exit_fwknopd.conf | 1 + test/conf/no_flush_init_fwknopd.conf | 1 + test/conf/no_flush_init_or_exit_fwknopd.conf | 2 ++ 4 files changed, 10 insertions(+) commit 9dc1d26d6af5f02213a2f1385077c9189fb062d3 Author: Shawn Wilson Date: Wed May 1 10:59:48 2013 -0400 fixed more typos server/incoming_spa.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit e50d776ff7aa7b7990e8dede1db8684aab5e79c5 Author: Shawn Wilson Date: Wed May 1 10:42:13 2013 -0400 correct variable name typo server/incoming_spa.c | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) commit 52e35b735d6b534705cf104774052dd495a3f627 Author: Shawn Wilson Date: Wed May 1 10:31:44 2013 -0400 add ip address to messages where appropriate server/incoming_spa.c | 94 +++++++++++++++++++++++++-------------------------- 1 file changed, 47 insertions(+), 47 deletions(-) commit 23de2d6b5faf73318e105dc84977b262337ba312 Author: Franck Joncourt Date: Wed May 1 15:52:01 2013 +0200 Removed duplicate variable in the test suite (fake_spoof_ip/spoof_ip). test/test-fwknop.pl | 3 +-- test/tests/rijndael.pl | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) commit fca497f0d85ac583675797ec35eebc25dfa86be6 Author: Franck Joncourt Date: Wed May 1 15:13:42 2013 +0200 New tests for rc file processing (SPA_SOURCE_PORT, FW_TIMEOUT). Added spa source port variable to dump_transmit_options() and renamed port to destination port. 
client/spa_comm.c | 12 +++++++++--- test/tests/basic_operations.pl | 37 +++++++++++++++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 5 deletions(-) commit 209c0f16da9ca6bd677fc2378bafb2bd52c5d738 Author: Franck Joncourt Date: Wed May 1 14:33:35 2013 +0200 Protocol string is set as const char in fko_protocol_t. client/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 0f2487776206ea078693dd558879b1d6935dd6bb Author: Michael Rash Date: Wed May 1 08:21:11 2013 -0400 [test suite] minor comment addition so this isn't a zero-byte file test/conf/default_fwknopd.conf | 1 + 1 file changed, 1 insertion(+) commit d93648cf99f0a307f5a9cd18b0620e02d586abcd Author: Franck Joncourt Date: Tue Apr 30 22:22:03 2013 +0200 Moved/Created proto_intostr() and proto_strtoint() to utils.c. This allows dump_transmit_options() to be updated to use the log module to dump data. client/config_init.c | 75 +++-------------------------------------------- client/spa_comm.c | 39 +++++++----------------- client/utils.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ client/utils.h | 14 +++++---- common/common.h | 4 +++ 5 files changed, 110 insertions(+), 105 deletions(-) commit 10a4e1f675096b325e959b1ae8bec7a15aac5ee1 Author: Franck Joncourt Date: Tue Apr 30 15:37:08 2013 +0200 Updated the TParam typedef to conform to the fko_cli_options_t typedef. client/config_init.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) commit 2110790a304934633742b39c02a8c8385cbcde73 Author: Franck Joncourt Date: Tue Apr 30 13:54:58 2013 +0200 Added new rc file processing tests for the SPA_SERVER_PORT. 
client/config_init.c | 2 +- test/tests/basic_operations.pl | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) commit 90175250e5683bf75707c8f5330120562cdbc7f4 Author: Michael Rash Date: Mon Apr 29 22:14:39 2013 -0400 [client] add USE_HMAC handling to parse_rc_param() client/config_init.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 892ee15ff9e574d78e716f87e89fa822e708a398 Author: Michael Rash Date: Mon Apr 29 21:52:07 2013 -0400 ChangeLog and credits updates for Franck CREDITS | 3 +++ ChangeLog | 3 +++ 2 files changed, 6 insertions(+) commit df5066447d48f1d09300784b306602866c66abef Author: Michael Rash Date: Mon Apr 29 21:43:21 2013 -0400 Started on --save-rc-stanza tests, client bug fix for HMAC verification in --test mode client/config_init.c | 38 ++++++++++---------- client/fwknop.c | 15 +++----- test/test-fwknop.pl | 27 ++++++++++++++- test/tests/basic_operations.pl | 78 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 127 insertions(+), 31 deletions(-) commit b53699ef9246f905461a56bdb54fd0d342f4e0c5 Author: Franck Joncourt Date: Mon Apr 29 22:53:06 2013 +0200 Added tests for the SPA_SERVER_PROTO variable from an rc file. test/tests/basic_operations.pl | 56 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) commit 36202d8c66488be645af8aba80b377550c26e745 Merge: 7a71938 ea5bb69 Author: Franck Joncourt Date: Mon Apr 29 22:21:18 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 7a719389ca48cda8f1f3d8ef1faab1a5d8ee52bf Author: Franck Joncourt Date: Mon Apr 29 22:18:29 2013 +0200 Integrated the log module in the whole client source code. 
perror() is also replaced by log_msg() client/fwknop.c | 116 ++++++++++++++++++++++----------------------- client/getpasswd.c | 4 +- client/http_resolve_host.c | 40 ++++++++-------- client/spa_comm.c | 89 +++++++++++++++++----------------- client/utils.c | 15 +++--- 5 files changed, 131 insertions(+), 133 deletions(-) commit ea5bb6937a79ffb70b307b4bf16ee1c17bc04c1e Author: Michael Rash Date: Sun Apr 28 21:52:14 2013 -0400 [test suite] add client rc file processing tests (digest only for now, more coming) test/test-fwknop.pl | 114 +++++++++++++++++++++++++++++++++++++++++ test/tests/basic_operations.pl | 56 ++++++++++++++++++++ 2 files changed, 170 insertions(+) commit b719c06769cb5367fb4998abb3451d2a75bae337 Author: Michael Rash Date: Sun Apr 28 21:51:16 2013 -0400 [client] ensure to set HMAC mode by default only when an HMAC key is used client/config_init.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 486f0ea52f6375c529f081143e0729e37fa77cb5 Author: Michael Rash Date: Sat Apr 27 22:41:17 2013 -0400 [test suite] restore gpg directories after test suite runs Makefile.am | 1 + test/conf/client-gpg-no-pw/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/client-gpg/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/gpg_dirs_orig.tar.gz | Bin 0 -> 3876 bytes test/conf/server-gpg-no-pw/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/server-gpg/trustdb.gpg | Bin 1360 -> 1360 bytes test/test-fwknop.pl | 17 +++++++++++++++++ 7 files changed, 18 insertions(+) commit dd05975217767104092189270f8470cca83df4e2 Merge: 12a6e9e b04de68 Author: Michael Rash Date: Sat Apr 27 22:26:38 2013 -0400 Merge remote-tracking branch 'fjoncourt/master' This merges changes from Franck Joncourt for issues #55 (log module for fwknop) and #64 (hostname resolution not working for -P icmp spoofing). 
commit 12a6e9e93a739494a985620619878a4a7983558c Author: Michael Rash Date: Sat Apr 27 20:41:12 2013 -0400 Convert most strlcat() calls to use destination bound from sizeof() This commit helps to ensure correctness of strlcat() calls in support of fixing issue #2. client/fwknop.c | 6 +++--- server/config_init.c | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) commit b04de687ce6e9bcb43cb558dee6b2a5606e4d147 Author: Franck Joncourt Date: Sat Apr 27 23:31:40 2013 +0200 Fixed hostname resolution while spoof ip is used. mrash/fwknop#64 client/fwknop.c | 76 -------------------------------- client/spa_comm.c | 21 ++++++--- client/utils.c | 77 +++++++++++++++++++++++++++++++++ client/utils.h | 5 +++ test/conf/client-gpg-no-pw/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/client-gpg/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/server-gpg-no-pw/trustdb.gpg | Bin 1360 -> 1360 bytes test/conf/server-gpg/trustdb.gpg | Bin 1360 -> 1360 bytes test/test-fwknop.pl | 11 ++--- test/tests/rijndael.pl | 14 ++++++ 10 files changed, 118 insertions(+), 86 deletions(-) commit 0bf0d8f8766dbe4c55b8c789e8b167977d85b25c Merge: 6063679 0ec547e Author: Franck Joncourt Date: Sat Apr 27 22:38:27 2013 +0200 Merge remote-tracking branch 'upstream/master' commit 6063679c6da2179acd058945f1620b7780b112e7 Author: Franck Joncourt Date: Sat Apr 27 22:19:40 2013 +0200 Continue implementing the log_msg module. client/config_init.c | 2 +- client/config_init.h | 8 ++++---- client/log_msg.c | 44 ++++++++++++++++++++++++++------------------ 3 files changed, 31 insertions(+), 23 deletions(-) commit b3f55bf1aba4ba5f80660223492f66fe2be9f4fe Author: Michael Rash Date: Sat Apr 27 14:59:30 2013 -0400 Convert most strlcpy() calls to use destination bound from sizeof() This commit helps to ensure correctness of strlcpy() calls in support of fixing issue #2. 
client/config_init.c | 88 +++++++++++++++++++++++----------------------- client/fwknop.c | 4 +-- client/http_resolve_host.c | 18 +++++----- client/spa_comm.c | 3 +- server/config_init.c | 10 +++--- server/fw_util_ipf.c | 2 +- server/fw_util_ipfw.c | 4 +-- server/fw_util_iptables.c | 14 ++++---- server/fw_util_pf.c | 6 ++-- server/fwknopd.c | 7 ++-- 10 files changed, 79 insertions(+), 77 deletions(-) commit 6b095d948d6c4a84ed3d3aaa8158436b1c0d442e Author: Michael Rash Date: Sat Apr 27 12:56:50 2013 -0400 [test suite] minor openssl verification update to print base64 decode flag value test/test-fwknop.pl | 1 + 1 file changed, 1 insertion(+) commit eb727e1271ad09eee12c7e12499434cc00158d8e Author: Michael Rash Date: Fri Apr 26 21:56:26 2013 -0400 removed roadmap.org file in favor of using github milestones Makefile.am | 2 -- roadmap.org | 69 ------------------------------------------------------------- 2 files changed, 71 deletions(-) commit 6036619b1c7c094224cce7f86a21e0c64b0e5ee9 Author: Michael Rash Date: Fri Apr 26 21:47:49 2013 -0400 removed todo.org file in favor of using github issues todo.org | 179 --------------------------------------------------------------- 1 file changed, 179 deletions(-) commit 2396193e06558016357451ae9c97f43e913d4079 Author: Franck Joncourt Date: Fri Apr 26 17:16:05 2013 +0200 Replaced all references to *fprintf(stderr,* by log_msg() in config_init.c client/config_init.c | 155 +++++++++++++++++++++++++++------------------------ client/log_msg.c | 2 + 2 files changed, 83 insertions(+), 74 deletions(-) commit 65d0517a9c9fe7905a240f0c483082950fbbcd52 Author: Franck Joncourt Date: Fri Apr 26 16:18:08 2013 +0200 Inverted log level enumeration client/Makefile.am | 3 ++- client/config_init.c | 3 +++ client/fwknop.c | 3 +++ client/fwknop_common.h | 1 + client/log_msg.c | 15 +++++---------- client/log_msg.h | 13 +++++++------ 6 files changed, 21 insertions(+), 17 deletions(-) commit bb70a9752f93e843ad7f859c3cd899f10f938f91 Author: Franck Joncourt 
Date: Fri Apr 26 14:08:25 2013 +0200 Ajout du module log_msg pour le client client/log_msg.c | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ client/log_msg.h | 48 ++++++++++++++++++++++++ 2 files changed, 159 insertions(+) commit 0ec547e04d5bfda5558051eab719e8e7e4f88fcf Author: Michael Rash Date: Thu Apr 25 21:32:02 2013 -0400 [server] another minor CLANG static analyzer fix server/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a6e8919728998f4aa2490d8e7b3342e2d27f10fd Author: Michael Rash Date: Thu Apr 25 21:29:37 2013 -0400 [server] fix minor CLANG static analyzer bugs These are simple logic fixes that would not have impacted run time to address the following warnings generated by the CLANG static analyzer: incoming_spa.c:433:17: warning: Value stored to 'attempted_decrypt' is never read attempted_decrypt = 1; ^ ~ incoming_spa.c:647:13: warning: Value stored to 'acc' is never read acc = acc->next; ^ ~~~~~~~~~ server/incoming_spa.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit bf889f7b6e0b9c6b2970574f1d3af38af3857c4e Author: Franck Joncourt Date: Thu Apr 25 23:03:02 2013 +0200 Used args enumeration for both the update_rc() and add_rc_param(). Updated fwknop client to refer to the fwknop args enumeration rather than the config variable names directly. This should make easier to handle future changes of the variable name. New function to validate a string matches a YES pattern in the configuration file : is_yes_str(). The parse_rc_param() only returns at the end of the function, unless a fatal error has been encountered. 
client/config_init.c | 139 +++++++++++++++++++++++++++++++++------------------ 1 file changed, 90 insertions(+), 49 deletions(-) commit 5e82adbf3fb45487fa749eb3abe4b5f876d39ae9 Author: Michael Rash Date: Tue Apr 23 21:56:41 2013 -0400 [test suite] added GPG password required HMAC tests, added --disable-valgrind argument test/conf/fwknoprc_gpg_hmac_key | 3 + test/conf/gpg_hmac_access.conf | 8 +++ test/test-fwknop.pl | 29 ++++++++-- test/tests/gpg_hmac.pl | 124 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 160 insertions(+), 4 deletions(-) commit 4ea683678b7dd9975d5b048046ab4e6e5450f064 Author: Michael Rash Date: Mon Apr 22 20:59:32 2013 -0400 [test suite] added gpg_no_pw_hmac_access.conf file test/conf/gpg_no_pw_hmac_access.conf | 8 ++++++++ 1 file changed, 8 insertions(+) commit f02cc0ddd251321daa1cb63f683356d5931bded2 Author: Michael Rash Date: Mon Apr 22 20:45:59 2013 -0400 Added HMAC support to GPG encryption modes, closes #58 ChangeLog | 5 +- Makefile.am | 1 + lib/cipher_funcs.c | 35 +++++++++++ lib/cipher_funcs.h | 1 + lib/fko_context.h | 1 + lib/fko_encryption.c | 22 +------ lib/fko_hmac.c | 25 ++++++-- server/access.c | 20 ++++-- server/incoming_spa.c | 3 +- test/test-fwknop.pl | 28 +++++++-- test/tests/gpg_no_pw_hmac.pl | 115 ++++++++++++++++++++++++++++++++++ test/tests/rijndael_replay_attacks.pl | 2 - 12 files changed, 219 insertions(+), 39 deletions(-) commit 2f72960e0fb91b1e257a24461f30263f3b9c0f7a Author: Michael Rash Date: Sun Apr 21 21:13:15 2013 -0400 [test suite] clean command tmp files before and after each test test/test-fwknop.pl | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) commit 08add2fd48e23a259fd6a80ee765fa3668711201 Author: Michael Rash Date: Sun Apr 21 20:48:42 2013 -0400 [server] minor function prototype convention update for create_rule() server/fw_util_iptables.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 6c1b755beae3133aab427f8242403e04bfde247f Author: Michael Rash 
Date: Sat Apr 20 15:31:26 2013 -0400 [test suite] removed unnecessary comment lines from test config files test/conf/default_fwknopd.conf | 4 -- test/conf/disable_aging_fwknopd.conf | 4 -- test/conf/disable_aging_nat_fwknopd.conf | 4 -- test/conf/dual_key_usage_access.conf | 1 - test/conf/fwknoprc_default_hmac_base64_key | 69 ------------------------ test/conf/fwknoprc_hmac_invalid_type | 69 ------------------------ test/conf/fwknoprc_hmac_key2 | 69 ------------------------ test/conf/fwknoprc_hmac_md5_key | 69 ------------------------ test/conf/fwknoprc_hmac_md5_long_key | 69 ------------------------ test/conf/fwknoprc_hmac_md5_short_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha1_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha1_long_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha1_short_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha256_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha256_long_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha256_short_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha384_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha384_long_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha384_short_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha512_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha512_long_key | 69 ------------------------ test/conf/fwknoprc_hmac_sha512_short_key | 69 ------------------------ test/conf/fwknoprc_hmac_simple_keys | 69 ------------------------ test/conf/fwknoprc_invalid_base64_key | 70 ------------------------- test/conf/fwknoprc_named_key | 70 ------------------------- test/conf/fwknoprc_with_default_base64_key | 69 ------------------------ test/conf/fwknoprc_with_default_key | 69 ------------------------ test/conf/fwknoprc_with_named_key | 70 ------------------------- test/conf/hmac_dual_key_usage_access.conf | 1 - test/conf/hmac_simple_keys_access.conf | 2 - 
test/conf/icmp_pcap_filter_fwknopd.conf | 4 -- test/conf/invalid_source_access.conf | 1 - test/conf/ipfw_active_expire_equal_fwknopd.conf | 4 -- test/conf/local_nat_fwknopd.conf | 4 -- test/conf/multi_stanzas_access.conf | 3 -- test/conf/multi_stanzas_with_broken_keys.conf | 4 -- test/conf/nat_fwknopd.conf | 4 -- test/conf/tcp_pcap_filter_fwknopd.conf | 4 -- test/conf/tcp_server_fwknopd.conf | 4 -- 39 files changed, 1707 deletions(-) commit f0036f7f22a315571fd4ba10102de2f3db4a5f4f Author: Michael Rash Date: Sat Apr 20 11:12:04 2013 -0400 [client] set HMAC mode whenever any HMAC option is given, add --key-hmac arg client/cmd_opts.h | 2 ++ client/config_init.c | 32 +++++++++++++++++++++++++++++++- doc/fwknop.man.asciidoc | 12 +++++++++++- 3 files changed, 44 insertions(+), 2 deletions(-) commit 387b6e40d3a4fc5cf8b5d69b959a3a5af31b6abb Author: Michael Rash Date: Sat Apr 20 11:09:48 2013 -0400 [test suite] updated non-based64 keys in non-base64 key files test/conf/fwknoprc_hmac_key2 | 4 ++-- test/conf/hmac_no_b64_access.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit e447ef57c0f2d70d3f8d0eda80c43aeeb0a8bb4a Author: Michael Rash Date: Sat Apr 20 11:04:53 2013 -0400 [test suite] bug fix to properly extract 'KEY' variable for Rijndael key information test/test-fwknop.pl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit 9a366c2d677ee28c4c5db096f2f1f377b3cf2a7a Author: Michael Rash Date: Fri Apr 19 19:43:15 2013 -0400 [test suite] consolidated client/server interaction result variables into client_server_interaction() test/test-fwknop.pl | 260 ++++++++++++++++++++++--------------------------- test/tests/rijndael.pl | 2 + 2 files changed, 120 insertions(+), 142 deletions(-) commit f010d88016f570e26e19bf32e3ff9494262cf436 Author: Michael Rash Date: Fri Apr 19 19:42:06 2013 -0400 removed trailing semicolon from KEY value test/conf/fwknoprc_named_key | 2 +- test/conf/fwknoprc_with_named_key | 2 +- 2 files changed, 2 insertions(+), 2 
deletions(-) commit d356d07bb8c57aec240168c1c433116eb47b15dc Author: Michael Rash Date: Thu Apr 18 22:17:18 2013 -0400 minor typo fix in ChangeLog file ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 39115c6dde3019c54b31f3b31533bbc5e80ccb23 Author: Michael Rash Date: Thu Apr 18 21:15:00 2013 -0400 added Ruhsam Bernhard to the credits file CREDITS | 6 ++++++ 1 file changed, 6 insertions(+) commit 77c876c1108a2be36d7a6a6fc152d32a4396b3b8 (refs/remotes/web/hmac_support, refs/remotes/origin/hmac_support, refs/remotes/ag4ve/hmac_support, refs/heads/hmac_support) Author: Michael Rash Date: Thu Apr 18 20:53:37 2013 -0400 credits and changelog updates CREDITS | 11 +++++++++++ ChangeLog | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) commit a61939c005e2b09d6800e2171f607c9d1948f022 Author: Michael Rash Date: Wed Apr 17 23:50:51 2013 -0400 [test suite] Reorganize client/server interactions to be more rigorous This is a significant commit that alters how the test suite interacts with the fwknop client and server by looking for indications that SPA packets are actually received. This is done by first waiting for 'main event loop' in fwknopd log output to ensure that fwknopd is ready to receive packets, sending the SPA packet(s), and then watching for for 'SPA Packet from IP' in fwknopd output. This is an improvement over the previous strategy that was only based on timeout values since it works identically regardless of whether fwknop is being run under valgrind or when the test suite is run on an embedded system with very limited resources. Another check is run for fwknopd receiving the SIGTERM signal to shutdown via 'fwknopd -K', and that failing, the test suite manually kills the process (though this should be rarely needed). The above strategy is the result of discussions with George Herlin who proposed the verification-based approach to test suite operations. 
Other things this commit changes is the ability to detect whether OpenSSL supports the 'hexkey:' style specification for HMAC keys (an older version of FreeBSD doesn't support this) and falls back to the '-hmac ' method if not. test/test-fwknop.pl | 441 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 310 insertions(+), 131 deletions(-) commit b17cb08ddc9707771f7a67ae55d8f7a51f990d88 Author: Michael Rash Date: Wed Apr 17 23:27:54 2013 -0400 fixed two type mismatch compilation warnings for the perl FKO extension perl/FKO/FKO.xs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit d785dcbe6264ddf37ef709ff01551d813ec21851 Author: Michael Rash Date: Mon Apr 15 22:02:19 2013 -0400 [test suite] added tests/python_fko.pl for python tests Makefile.am | 1 + 1 file changed, 1 insertion(+) commit cbf751e8ddd513ed953d2f8fd64864e6c3211d98 Author: Michael Rash Date: Fri Apr 12 21:50:47 2013 -0400 [test suite] check for fwknopd ready to receive packets This commit was inspired through conversations with George Herlin. test/test-fwknop.pl | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) commit 87fc50bb317573511af09e25b1b39009fc9b6f43 Merge: c112cb4 fbd38d8 Author: Michael Rash Date: Fri Apr 12 21:16:20 2013 -0400 Merge remote-tracking branch 'fjoncourt/hmac_support' into hmac_support This commit from Franck Joncourt closes #43 commit fbd38d805b2fca970369c16fe3cd936272288165 Author: Franck Joncourt Date: Fri Apr 12 14:48:26 2013 +0200 Added some else statements and their comments. client/fwknop.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit d988f95a46994de722424c63faebb4537315becd Author: Franck Joncourt Date: Thu Apr 11 13:36:58 2013 +0200 Fixed test-fwknop.pl to remove any references to my test files. test/test-fwknop.pl | 3 --- 1 file changed, 3 deletions(-) commit 9faa625d956ac0a9da881d008055840d7ba2713f Author: Franck Joncourt Date: Thu Apr 11 13:08:36 2013 +0200 Removed tests. 
test/tests/client_nat.pl | 24 ------------------------ 1 file changed, 24 deletions(-) commit c112cb4811f435091466556aa5a11a812d0263c5 Author: Michael Rash Date: Wed Apr 10 23:31:58 2013 -0400 [test suite] get hmac iptables duplicated and sha512 long key tests to pass client/fwknop.c | 3 ++- test/test-fwknop.pl | 21 +++++++++++++-------- test/tests/rijndael_hmac.pl | 12 +++++------- 3 files changed, 20 insertions(+), 16 deletions(-) commit fd767a1f47937c64c60a2a79066d23a0b34a827f Author: Franck Joncourt Date: Wed Apr 10 16:06:06 2013 +0200 Resolve ip address in all of the nat modes (mrash/fwknop#43). client/fwknop.c | 155 +++++++++++++++++++++++++++++++++++++++++++++-------- test/local_spa.key | 1 - 2 files changed, 133 insertions(+), 23 deletions(-) commit 8f3e6a4ed104527e14dcc124fc8940e7730d1dc4 Merge: ed2d6ec 05ced0a Author: Franck Joncourt Date: Wed Apr 10 15:12:54 2013 +0200 Merge remote-tracking branch 'upstream/hmac_support' into hmac_support commit 378305a8ab2732a812e3de9a50967088f1daf71a Author: Michael Rash Date: Tue Apr 9 22:48:54 2013 -0400 [test suite] added perl FKO Rijndael key test with embedded NULL char test/test-fwknop.pl | 74 +++++++++++++++++++++++++++++++++++++++++-- test/tests/perl_FKO_module.pl | 9 ++++++ 2 files changed, 80 insertions(+), 3 deletions(-) commit b45a1b07ad2210443a84b0dcf959a03e3712e358 Author: Michael Rash Date: Tue Apr 9 21:28:32 2013 -0400 minor var naming/spacing update test/test-fwknop.pl | 123 +++++++++++++++++++++++++--------------------------- 1 file changed, 60 insertions(+), 63 deletions(-) commit 05ced0a5143b0296b480c1c4e834e494880ca615 Author: Michael Rash Date: Mon Apr 8 22:14:06 2013 -0400 add HMAC_KEY variable support to access.conf (alternative to HMAC_KEY_BASE64) Makefile.am | 2 ++ server/access.c | 13 +++++++ test/conf/fwknoprc_hmac_key2 | 73 +++++++++++++++++++++++++++++++++++++++ test/conf/hmac_no_b64_access.conf | 4 +++ test/test-fwknop.pl | 2 ++ test/tests/rijndael_hmac.pl | 18 ++++++++++ 6 files changed, 
112 insertions(+) commit 748715acf83c8baee7d3d37295306c59fd7e00f7 Author: Michael Rash Date: Mon Apr 8 20:45:14 2013 -0400 [test suite] added python->C HMAC test Makefile.am | 1 + test/conf/hmac_sha512_short_key2_access.conf | 5 +++ test/fko-python.py | 6 +-- test/test-fwknop.pl | 55 ++++++++++++++++++++++++++++ test/tests/python_fko.pl | 12 ++++++ 5 files changed, 76 insertions(+), 3 deletions(-) commit 57773993e4de17823084cd3fe93d122a0607d687 Author: Michael Rash Date: Sun Apr 7 20:57:35 2013 -0400 [test suite] don't remove output/ directory in --list mode, closes #53 test/test-fwknop.pl | 58 +++++++++++++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 28 deletions(-) commit cccab3c22bba7466f498a061d5f9d0493d76daef Author: Michael Rash Date: Sun Apr 7 16:28:33 2013 -0400 [test suite] restore --diff mode, fixes #52 test/test-fwknop.pl | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) commit a59b5acc991e8e097005f9636f9f36275385ff29 Merge: 4f9fbe4 8f667c1 Author: Michael Rash Date: Sun Apr 7 15:11:09 2013 -0400 Merge patch from Franck in support of issue #43 commit 4f9fbe4549258c4e1e80e4236f24ca875a7f4dbd Author: Michael Rash Date: Sun Apr 7 13:33:42 2013 -0400 [test suite] NAT name resolution tests This commit adds tests for NAT name resolution in support of issue #43. test/tests/rijndael.pl | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) commit ed2d6ec8eaa3624e79697acc653ab59ef3845dd5 Author: Franck Joncourt Date: Sun Apr 7 19:00:38 2013 +0200 Added tests to the test suite in order to check the update. test/local_spa.key | 1 + test/test-fwknop.pl | 3 +++ test/tests/client_nat.pl | 24 ++++++++++++++++++++++++ 3 files changed, 28 insertions(+) commit 8f667c17acc1dd95bf2596ecb87998db09f95834 Author: Franck Joncourt Date: Sat Apr 6 22:59:59 2013 +0200 Fixed Nat mode not resolving hostname to IP's. 
Linked mrash/fwknop#43 client/fwknop.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 102 insertions(+), 12 deletions(-) commit fcac5ca413df89e2e766e3a78554ada1564bfaed Author: Michael Rash Date: Mon Apr 1 23:02:45 2013 -0400 [test suite] minor encryption key variable name update test/test-fwknop.pl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 98d5b6d8a02bc03d01dbf849f088db224f6e6145 Author: Michael Rash Date: Mon Apr 1 23:01:45 2013 -0400 added 'legacy' initialization vector text to man pages doc/fwknop.man.asciidoc | 6 +++++- doc/fwknopd.man.asciidoc | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) commit 9ee21aae127d351d14ff81c981729e3d82f2b9a9 Merge: 6b845cc fb18b77 Author: Michael Rash Date: Fri Mar 29 20:45:30 2013 -0400 Merge branch 'hmac_support' of ssh://192.168.10.1/home/mbr/git/bare_repos/fwknop into hmac_support commit fb18b778d191316bf78c962d9478c605b31f3757 Author: Michael Rash Date: Fri Mar 29 20:44:48 2013 -0400 added test/fko-python.py test script Makefile.am | 1 + 1 file changed, 1 insertion(+) commit 08c9cc0938d6cad9e059a920e9a4bcbecae810b9 Author: Michael Rash Date: Fri Mar 29 20:42:44 2013 -0400 HMAC function rename for consistency Make sure that HMAC function names conform to previously established get_*, set_* naming convention. 
client/fwknop.c | 2 +- lib/fko.h | 4 ++-- lib/fko_funcs.c | 2 +- lib/fko_hmac.c | 6 +++--- perl/FKO/FKO.xs | 6 +++--- perl/FKO/lib/FKO.pm | 6 +++--- python/fko.py | 8 ++++---- python/fkomodule.c | 16 ++++++++-------- server/utils.c | 2 +- test/fko-python.py | 37 +++++++++++++++++++++++++++++++++++++ test/fko-wrapper/fko_wrapper.c | 2 +- 11 files changed, 64 insertions(+), 27 deletions(-) commit d6b4a2a1c3f52853cd959817c93511f6c2070db1 Author: Michael Rash Date: Thu Mar 28 20:42:12 2013 -0400 added fuzzing tests for long Rijndael and HMAC keys test/test-fwknop.pl | 124 ++++++++++++++++++++++++++++++++++++++++-- test/tests/perl_FKO_module.pl | 15 +++++ 2 files changed, 134 insertions(+), 5 deletions(-) commit 6ecf6514c9ec47fd3d3cc9aae0c626ec16d33e85 Author: Michael Rash Date: Sun Mar 24 21:04:18 2013 -0400 Enforce Rijndael and HMAC key length maximum sizes This commit fixes a couple of overflow conditions for Rijndael and HMAC keys that are larger than anticipated maximums. In the case of Rijndael, PKCS#5 1.5 is supported up to key sizes of 32 bytes or smaller (and maintains compatibility with OpenSSL, and future versions will support PKCS#5 2.0 (PBKDF2) while allowing for larger key sizes. HMAC keys may be up to 128 bytes even for digest algorithms such as SHA256 that have block sizes that are smaller than this. 
lib/fko.h | 2 ++ lib/fko_encryption.c | 6 ++++++ lib/fko_error.c | 6 ++++++ lib/fko_hmac.c | 6 ++++++ 4 files changed, 20 insertions(+) commit 08ab1cf8e1ebb0217e060a67226357a02b982c33 Author: Michael Rash Date: Sat Mar 23 08:56:22 2013 -0400 remove execute bit client/config_init.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) commit 6b845cce432fe61e3cccbbd850048a921b983626 Author: Michael Rash Date: Sat Mar 23 08:53:48 2013 -0400 remove execute bit client/config_init.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) commit 6ca996a1731562ce2aca07d97757b6a5a3f2e437 Author: Michael Rash Date: Fri Mar 22 22:34:10 2013 -0400 [test suite] minor spacing update test/test-fwknop.pl | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit 112dc6959e58f5f34961c261a0eba2a635369c77 Merge: 42cfc58 11ba153 Author: Michael Rash Date: Thu Mar 21 21:58:05 2013 -0400 Merge remote-tracking branch 'fjoncourt/hmac_support' into hmac_support commit 42cfc58e20db72b7bdcff848e0e6a9838028e923 Author: Michael Rash Date: Thu Mar 21 21:55:18 2013 -0400 [perl FKO] add HMAC support along with test suite HMAC verification (closes #16) perl/FKO/FKO.xs | 43 ++++++++++++ perl/FKO/lib/FKO.pm | 54 ++++++++++++++- test/test-fwknop.pl | 149 ++++++++++++++++++++++++++++++++++++++++-- test/tests/perl_FKO_module.pl | 9 +++ 4 files changed, 249 insertions(+), 6 deletions(-) commit d677e18e2527be218aadfae96d7cbcd75d0c68d2 Author: Michael Rash Date: Thu Mar 21 21:48:38 2013 -0400 minor ChangeLog wording update for HMAC section ChangeLog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 11ba15383227e763377fcd5cb4b2f31f880010a0 Merge: 4b63181 49c956d Author: Franck Joncourt Date: Wed Mar 20 22:33:45 2013 +0100 Merge remote-tracking branch 'upstream/hmac_support' into hmac_support commit 4b6318138746b851dc07bf00556f5d99364cceac Author: Franck Joncourt Date: Wed Mar 20 22:31:58 2013 +0100 Updated fwknop documentation. 
client/config_init.c | 2 +- doc/fwknop.man.asciidoc | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) commit b6bd8a8e8cf426c8da97b9a8409e27225c48bd65 Author: Franck Joncourt Date: Wed Mar 20 21:38:52 2013 +0100 Fixed issue when trying to save options for a new stanza. client/config_init.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 49c956dafc423bc7a2440e53589748a3c1287598 Author: Michael Rash Date: Tue Mar 19 21:23:36 2013 -0400 [test suite] added two basic tests for installation and operations of the python fko extension test/test-fwknop.pl | 70 ++++++++++++++++++++++++++++++++++++++++++++++++ test/tests/python_fko.pl | 17 ++++++++++++ 2 files changed, 87 insertions(+) commit b92fcce648ba64ffcb54a8e6c3586c3b6965dc3c Author: Michael Rash Date: Tue Mar 19 21:22:32 2013 -0400 [python extension] minor function name updates python/README | 2 +- python/fko.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 8c3cab02699926d4df9a1e71eed9e25102bed90c Author: Michael Rash Date: Tue Mar 19 21:15:45 2013 -0400 [python extension] update key_gen() parse tuple format arg to handle hmac_type integer python/fkomodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e4689892ef152674e25c647ad0665539bf34e852 Author: Michael Rash Date: Tue Mar 19 21:09:11 2013 -0400 [client] minor http resolve update to include URL in error output client/http_resolve_host.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit ab40e300226484bb445680daad2e57dfa099b6ea Author: Michael Rash Date: Mon Mar 18 21:49:00 2013 -0400 minor typo fix test/test-fwknop.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d8090a81430ec7b91d7aa4572ea4b6d0ee56c2cd Author: Franck Joncourt Date: Mon Mar 18 22:06:31 2013 +0100 Allowed an fwknoprc stanza (-n) to be overridden by arguments from the command line. Added a sanity check to make sure the -n option is used with the --save-rc-stanza option. 
client/config_init.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) commit 817a719a9c4e8de4992b3136abcac6caa2eee47b Author: Michael Rash Date: Sun Mar 17 23:03:48 2013 -0400 [python module] update fko_new_with_data() call to include hmac_type python/fkomodule.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 92af5b53beff297dffa06280f557a208d1f49c05 Merge: 247edec d299f1d Author: Michael Rash Date: Sun Mar 17 23:02:57 2013 -0400 Merge remote-tracking branch 'fjoncourt/python_binding' into hmac_support commit 247edec004eabd81fab9eed5cb06a7e5d9a554a8 Author: Michael Rash Date: Sun Mar 17 22:48:29 2013 -0400 minor hmac prototype update to add const qualifier lib/hmac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 066e90d955e98b20c260626a8921348e82dde125 Author: Michael Rash Date: Sun Mar 17 22:42:52 2013 -0400 [test suite] added hmac_force_nat_access.conf file to Makefile.am Makefile.am | 1 + 1 file changed, 1 insertion(+) commit c7b5611fa4947f4d0dd0086b140e6390d0db6d43 Merge: 7e784df b9046df Author: Michael Rash Date: Sun Mar 17 21:34:23 2013 -0400 Merge remote-tracking branch 'fjoncourt/hmac_support' into hmac_support Significant merge from Franck Joncourt to add the ability to save command line args to ~/.fwknoprc stanzas. This merge is in support of #4. Conflicts: lib/fko_util.c lib/fko_util.h commit d299f1de665bb8b0e0443637d873cdddcae57df6 (refs/remotes/fjoncourt/python_binding) Author: Franck Joncourt Date: Sun Mar 17 12:03:07 2013 +0100 Add new directive to setup.py in order to be able to build the python binding without having libfko installed on the system. 
python/setup.py | 2 ++ 1 file changed, 2 insertions(+) commit 7e784df3870373f055a2f0f8d818829501bcb1c0 Author: Michael Rash Date: Sat Mar 16 14:43:15 2013 -0400 [server] allow long Rijndael command messages This change allows SPA clients to include long messages in command mode and generally allows decryption operations to dictate success/failure instead of SPA packet length to gate decryption attempts. Closes #40. server/incoming_spa.c | 39 +++++++++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 8 deletions(-) commit 1de5e370e1f4b1464bfcd94c7ff4c76bbc1922bc Author: Michael Rash Date: Sat Mar 16 14:40:08 2013 -0400 [test suite] added 'server_conf' hash key verification test/test-fwknop.pl | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) commit 4bdb71315a049e072f95e3426fe9c149ca763586 Author: Michael Rash Date: Sat Mar 16 14:38:20 2013 -0400 [client] --nat-rand-port bug fix Bug fix for --nat-rand-port mode to ensure that the port to be NAT'd is properly defined so that the fwknopd server will NAT connections to this port instead of applying the NAT operation to the port that is to be accessed via -A. This change also prints the randomly assigned port to stdout regardless of whether --verbose mode is used (since if not, the user will have no idea which port is actually going to be NAT'd on the fwknopd side). 
ChangeLog | 18 +- Makefile.am | 1 + client/fwknop.c | 212 ++++++++++++++---- test/conf/fwknoprc_hmac_sha512_long_key | 73 ++++++ test/conf/hmac_force_nat_access.conf | 5 + test/conf/hmac_sha256_open_ports_access.conf | 6 + test/conf/hmac_sha512_long_key_access.conf | 5 + test/test-fwknop.pl | 4 + test/tests/rijndael.pl | 89 +++++++- test/tests/rijndael_hmac.pl | 318 +++++++++++++++++++++++++++ 10 files changed, 678 insertions(+), 53 deletions(-) commit 253ccb7cea76d4b6f381998b7c00c785674b138f Author: Michael Rash Date: Thu Mar 14 22:26:44 2013 -0400 added encryption type/mode and message type string representations for FKO context display output client/fwknop.c | 15 ++++++++++--- lib/fko_util.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/fko_util.h | 3 +++ server/utils.c | 20 ++++++++++++++++-- 4 files changed, 98 insertions(+), 5 deletions(-) commit b9046df64de2472fa59a318a99f86b6ef2eaa78e Author: Franck Joncourt Date: Thu Mar 14 22:39:36 2013 +0100 Remove useless comment. client/config_init.c | 3 --- 1 file changed, 3 deletions(-) commit 212075094cf2b5380e85af34145917921639423d Author: Franck Joncourt Date: Thu Mar 14 22:16:37 2013 +0100 Added the possibility to parse only a section in a fwknoprc file and not only the whole file - more. 
client/config_init.c | 270 +++++++++++---------------------------------------- 1 file changed, 57 insertions(+), 213 deletions(-) commit 366536055fd18600c879f4147b4612ce2f056d97 Author: Franck Joncourt Date: Wed Mar 13 07:13:50 2013 +0100 Added the possibility to parse only a section in a fwknoprc file and not only the whole file client/config_init.c | 193 ++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 185 insertions(+), 8 deletions(-) commit aa36f3ffee347c67218be36d5cf851be8b46cffc Author: Michael Rash Date: Tue Mar 12 23:25:53 2013 -0400 bug fix to remove hmac_sha512_long_key_access.conf file (doesn't exist) from Makefile.am Makefile.am | 1 - 1 file changed, 1 deletion(-) commit 3ef3ab29c87f307d10dccf2d9857dd4aacc687de Author: Michael Rash Date: Tue Mar 12 23:20:12 2013 -0400 [test suite] 'key_file' hash key update for HMAC SHA384 test test/tests/rijndael_hmac.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 0b9f25362e231e4a072fdfddd60ad673107e1b47 Author: Michael Rash Date: Tue Mar 12 23:10:09 2013 -0400 [test suite] minor bug fix for HMAC SHA384 default key test rc file path test/tests/rijndael_hmac.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9e32cdd6d92555aff99653cba67b1518f2c7d310 Author: Michael Rash Date: Tue Mar 12 22:50:37 2013 -0400 [test suite] added files to Makefile.am and added a test to verify this Makefile.am | 33 +++++++++++++++++++++++++++++++++ test/test-fwknop.pl | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+) commit 55d188ed1f6a04d3c89ce0df8ddb768247a77e7f Author: Michael Rash Date: Tue Mar 12 22:18:43 2013 -0400 [test suite] added HMAC key tests test/conf/fwknoprc_hmac_md5_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_md5_long_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_md5_short_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha1_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha1_long_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha1_short_key | 73 
++++++++++++ test/conf/fwknoprc_hmac_sha256_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha256_long_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha256_short_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha384_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha384_long_key | 73 ++++++++++++ test/conf/fwknoprc_hmac_sha384_short_key | 73 ++++++++++++ test/conf/hmac_md5_access.conf | 2 +- test/conf/hmac_md5_long_key_access.conf | 5 + test/conf/hmac_md5_short_key_access.conf | 5 + test/conf/hmac_sha1_long_key_access.conf | 5 + test/conf/hmac_sha1_short_key_access.conf | 5 + test/conf/hmac_sha256_access.conf | 5 + test/conf/hmac_sha256_long_key_access.conf | 5 + test/conf/hmac_sha256_short_key_access.conf | 5 + test/conf/hmac_sha384_access.conf | 2 +- test/conf/hmac_sha384_long_key_access.conf | 5 + test/conf/hmac_sha384_short_key_access.conf | 5 + test/test-fwknop.pl | 165 +++++++++++++++++----------- test/tests/rijndael_hmac.pl | 151 ++++++++++++++++++++++++- 25 files changed, 1172 insertions(+), 69 deletions(-) commit fe22423a44f09c41d1e7452c216d07a6a8f4c020 Author: Michael Rash Date: Tue Mar 12 22:17:41 2013 -0400 [libfko] bug fix to maintain OpenSSL compatibility for HMAC keys longer than associated block size lib/hmac.c | 168 ++++++++++++++++++++++++++++++++++++------------------------- lib/hmac.h | 2 + 2 files changed, 102 insertions(+), 68 deletions(-) commit 402a545cb29b04420cb17c722f103bd27c316a4d Author: Michael Rash Date: Mon Mar 11 23:12:56 2013 -0400 convert standard hmac access.conf file for HMAC SHA512 to use key size of 128 bytes test/conf/fwknoprc_hmac_sha512_key | 73 +++++++++++++++++++++++++++++ test/conf/fwknoprc_hmac_sha512_short_key | 73 +++++++++++++++++++++++++++++ test/conf/hmac_sha512_access.conf | 2 +- test/conf/hmac_sha512_short_key_access.conf | 5 ++ 4 files changed, 152 insertions(+), 1 deletion(-) commit bf6cc6c6059ca1759c8724432c57d3e19ab068ff Author: Michael Rash Date: Mon Mar 11 23:02:07 2013 -0400 --key-gen bug fix to allow 
--key-len and --hmac-key-len values to apply to generated key lengths lib/fko_funcs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 02d0255a7cc8de78b82398b88bccba12c43152a4 Author: Michael Rash Date: Mon Mar 11 22:55:00 2013 -0400 update base64 key char arrays to use MAX_B64_KEY_LEN macro client/fwknop_common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 6478d2b892850960e0c68bd5e0d8bd25896c775d Author: Michael Rash Date: Mon Mar 11 22:54:10 2013 -0400 minor fix to remove extraneous memset() call client/fwknop.c | 1 - 1 file changed, 1 deletion(-) commit 70c17be91603b2236d4366a1181466f8e5d99546 Author: Michael Rash Date: Mon Mar 11 22:50:02 2013 -0400 added MAX_B64_KEY_LEN for full length SHA512 keys client/config_init.c | 4 ++-- client/fwknop_common.h | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) commit 4ef2a1ec57e33f36eec2fb44e70597990fc34902 Author: Michael Rash Date: Mon Mar 11 22:41:08 2013 -0400 fix fko_new_with_data() call to include the hmac type test/fko-wrapper/fko_wrapper.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 6e7a56067bcdce14bfdd2a4a8dd4955fc225dd29 Author: Michael Rash Date: Mon Mar 11 21:13:20 2013 -0400 [perl FKO module] add hmac_type to fko_new_with_data() calls perl/FKO/FKO.xs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 343bd449d4d826668a816fe3b840582b401fa545 Author: Michael Rash Date: Sun Mar 10 21:59:39 2013 -0400 HMAC MD5 bug fix to ensure to set the MD5 block length to 64 lib/md5.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bd2af22691da42dc65db89946ef0876632db5734 Author: Michael Rash Date: Sun Mar 10 21:58:52 2013 -0400 [test suite] set HMAC_DIGEST_TYPE to md5 for HMAC MD5 test test/conf/hmac_md5_access.conf | 1 + 1 file changed, 1 insertion(+) commit 3598fc7d7d6af540c5e75c23ac20649e833060dd Author: Michael Rash Date: Sun Mar 10 18:56:19 2013 -0400 added missing hmac_md5() function to hmac.h lib/hmac.h | 2 ++ 1 file changed, 2 
insertions(+) commit 7274f6724eb46bd74315db64a3f3a21e8722f4f4 Merge: dc0ce29 19cf0d5 Author: Michael Rash Date: Sun Mar 10 18:12:41 2013 -0400 Merge branch 'hmac_support' of github.com:mrash/fwknop into hmac_support commit 19cf0d51fde2db386637537dd1c4c8b42dda084b Merge: 744e002 0529d23 Author: Damien Stuart Date: Sun Mar 10 17:17:39 2013 -0400 Merge branch 'hmac_support' of github.com:mrash/fwknop into hmac_support commit 744e002779158911a0e4b9fb6bf53f7fafce4f2c Author: Damien Stuart Date: Sun Mar 10 17:17:19 2013 -0400 Removed tmp lib and include dirs from the python module setup.py file. python/setup.py | 2 -- 1 file changed, 2 deletions(-) commit dc0ce294777763c5211bdd241a31ee6a4bc2d045 Author: Michael Rash Date: Sun Mar 10 16:37:34 2013 -0400 bug fix to anticipate OpenSSL HMAC output that spans multiple lines (as in SHA512) test/test-fwknop.pl | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit c5b5cba72968bc39e76f80a4f47063640ef9e92a Author: Michael Rash Date: Sun Mar 10 16:30:06 2013 -0400 Added HMAC MD5 support (need test suite validation still) lib/fko_hmac.c | 6 ++++- lib/hmac.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- lib/md5.h | 6 +++-- 3 files changed, 87 insertions(+), 7 deletions(-) commit 977ee18c3f75966de0be52cce54eace40c0185ef Author: Franck Joncourt Date: Sun Mar 10 20:55:19 2013 +0100 New function bool_to_yesno. 
client/config_init.c | 45 ++++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) commit 0529d235958364de42c3d806ce02da2e52f36a17 Author: Michael Rash Date: Sun Mar 10 15:13:34 2013 -0400 remove minor debugging statement server/access.c | 1 - 1 file changed, 1 deletion(-) commit 6882ac57ec9bfc945d29304df11fe60dc70b8d5a Author: Michael Rash Date: Sun Mar 10 14:56:39 2013 -0400 add HMAC-SHA1 support lib/fko_hmac.c | 6 ++++- lib/hmac.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/hmac.h | 2 ++ lib/sha1.h | 2 ++ 4 files changed, 83 insertions(+), 1 deletion(-) commit 7821e83dfc818b69ffe8ad867d9de42729ccd308 Merge: 22dde8e 6fa3be3 Author: Michael Rash Date: Sun Mar 10 14:32:07 2013 -0400 Merge branch 'hmac_support' of github.com:mrash/fwknop into hmac_support Conflicts: client/fwknop.c lib/fko_hmac.c commit 22dde8eb351fb2ad01e0f6d532c787a19e1e44ae Author: Michael Rash Date: Sun Mar 10 14:26:05 2013 -0400 SPA with HMAC SHA256 and SHA384 now works This is a fairly significant commit that lays the groundwork for getting selectable HMAC modes working for both the client and server. One libfko API change was required so that the hmac_type is passed into fko_new_with_data(). This allows the server to set the hmac_type via access.conf stanzas. The effort in this commit will be extended to allow HMAC MD5, SHA1, and SHA512 also function properly. client/fwknop.c | 4 +- lib/fko.h | 2 +- lib/fko_error.c | 2 +- lib/fko_funcs.c | 15 +++++++- lib/fko_hmac.c | 81 +++++++++++++++++++++++++++++++-------- server/access.c | 13 ++++++- server/incoming_spa.c | 6 +-- test/conf/hmac_sha1_access.conf | 1 + test/conf/hmac_sha384_access.conf | 1 + test/test-fwknop.pl | 2 +- test/tests/rijndael_hmac.pl | 26 +++++++------ 11 files changed, 114 insertions(+), 39 deletions(-) commit 6fa3be393c02dfd9725690a84900f519bfa7659f Author: Damien Stuart Date: Sun Mar 10 13:21:24 2013 -0400 Renamed fko_set_hmac_type to fko_set_spa_hmac_type. 
Incorporated libfko changes and additions to the fko python module code. client/fwknop.c | 4 +- fwknop.spec | 2 +- lib/fko.h | 4 +- lib/fko_hmac.c | 4 +- perl/FKO/FKO.xs | 2 +- python/fko.py | 255 ++++++++++++++++++++++---- python/fkomodule.c | 407 +++++++++++++++++++++++++++++++++++++++-- python/setup.py | 6 +- test/fko-wrapper/fko_wrapper.c | 4 +- 9 files changed, 631 insertions(+), 57 deletions(-) commit 8a2bc732b76b5a265cc38890e0c0eee1a1170ce6 Author: Franck Joncourt Date: Sun Mar 10 18:17:08 2013 +0100 Fixed data format for some arguments in fwknoprc when they are saved. client/config_init.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) commit 6f45b2c3b15c40ab57e503cb148d6e9781cae240 Author: Michael Rash Date: Sat Mar 9 23:27:08 2013 -0500 added HMAC SHA384 and SHA512 support, bug fix to allow shorter HMAC key lengths than associated digest block size client/fwknop.c | 4 +- lib/fko_hmac.c | 2 +- lib/fko_util.c | 19 +++++++ lib/fko_util.h | 1 + lib/hmac.c | 167 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- lib/hmac.h | 6 +- 6 files changed, 191 insertions(+), 8 deletions(-) commit f9fa3c2b6d2df719a826771d3935f535799eade4 Author: Michael Rash Date: Sat Mar 9 23:25:59 2013 -0500 [test suite] derive HMAC digest type from client display context output test/test-fwknop.pl | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit 6741cfc22b6f4bb174aa7c8160da0882ea90bf29 Author: Michael Rash Date: Sat Mar 9 16:47:42 2013 -0500 convert HMAC functions to static where possible lib/hmac.c | 44 +++++++++++++++++++++++++++++--------------- lib/hmac.h | 13 ------------- 2 files changed, 29 insertions(+), 28 deletions(-) commit 3ff39dfab48c587005781027589a8a8605b34ca5 Author: Michael Rash Date: Sat Mar 9 16:41:32 2013 -0500 [test suite] minor variable conversion to 'our' vars test/test-fwknop.pl | 64 ++++++++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 32 deletions(-) commit 
c5163fcc24a1ef22c4540044aaacc9c9063741ff Author: Franck Joncourt Date: Sat Mar 9 12:39:05 2013 +0100 Added new parameters HMAC_DIGEST_TYPE to the save capability. client/config_init.c | 7 ++++++- lib/fko_util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ lib/fko_util.h | 1 + 3 files changed, 52 insertions(+), 1 deletion(-) commit c2ef7f224ad067251b5c6b4790a2465be943139f Author: Franck Joncourt Date: Sat Mar 9 12:17:17 2013 +0100 Moved static functions from the client to the fko_util.c file. client/config_init.c | 128 --------------------------------------------------- lib/fko_util.c | 94 +++++++++++++++++++++++++++++++++++++ lib/fko_util.h | 22 +++++---- 3 files changed, 106 insertions(+), 138 deletions(-) commit 469f9a5f395ec56dc23e7ef14561abb38fbb7a43 Merge: 053db37 1a39047 Author: Franck Joncourt Date: Sat Mar 9 11:54:45 2013 +0100 Merge remote-tracking branch 'upstream/hmac_support' into hmac_support Conflicts: client/cmd_opts.h client/config_init.c commit 1a39047b925666bc90436ea72b090a29790710d3 Author: Michael Rash Date: Fri Mar 8 22:12:19 2013 -0500 ensure to close access.conf file ptr when an error condition is found and exit() is going to be called server/access.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit 8b5cf3446fe33dba185d6399c510a76f2243eed7 Author: Michael Rash Date: Fri Mar 8 22:05:11 2013 -0500 [test suite] minor bug fix for command line definition for invalid HMAC test test/tests/rijndael_hmac.pl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit d13eba7d133bfdc03ffe8e59a752c6e20db1cb23 Author: Michael Rash Date: Fri Mar 8 21:48:19 2013 -0500 [test suite] minor category/subcategory update for fuzzing tests test/tests/rijndael_fuzzing.pl | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) commit 7fe5c55fcfc8e90207fc6e0ef9e29e9d50a6d420 Author: Michael Rash Date: Fri Mar 8 21:10:45 2013 -0500 [test suite] added various hmac verification conf files 
test/conf/fwknoprc_hmac_invalid_type | 73 +++++++++++++++++++++++++++++++++ test/conf/hmac_invalid_type_access.conf | 5 +++ test/conf/hmac_md5_access.conf | 4 ++ test/conf/hmac_sha1_access.conf | 4 ++ test/conf/hmac_sha384_access.conf | 4 ++ test/conf/hmac_sha512_access.conf | 5 +++ 6 files changed, 95 insertions(+) commit d4362b7b3858fefe066b52f9dcdaa026dca4b802 Author: Michael Rash Date: Fri Mar 8 21:09:51 2013 -0500 [test suite] import test definitions from tests/*.pl files Makefile.am | 26 +- test/test-fwknop.pl | 2970 ++---------------------- test/tests/basic_operations.pl | 187 ++ test/tests/build_security.pl | 145 ++ test/tests/gpg.pl | 217 ++ test/tests/gpg_no_pw.pl | 172 ++ test/tests/perl_FKO_module.pl | 196 ++ test/tests/preliminaries.pl | 73 + test/tests/rijndael.pl | 992 ++++++++ test/tests/rijndael_backwards_compatibility.pl | 98 + test/tests/rijndael_cmd_exec.pl | 21 + test/tests/rijndael_fuzzing.pl | 312 +++ test/tests/rijndael_hmac.pl | 261 +++ test/tests/rijndael_replay_attacks.pl | 39 + 14 files changed, 2911 insertions(+), 2798 deletions(-) commit 44d05a691668b49804555694166f11cf033465ba Author: Michael Rash Date: Thu Mar 7 23:14:48 2013 -0500 interim commit for supporting multiple HMAC digest types (# 45) client/cmd_opts.h | 10 +- client/config_init.c | 75 ++++-- client/fwknop.c | 18 +- client/fwknop_common.h | 7 +- extras/spa-entropy/spa-entropy.pl | 6 +- lib/fko.h | 20 +- lib/fko_context.h | 2 +- lib/fko_funcs.c | 40 ++- lib/fko_hmac.c | 25 +- lib/fko_util.c | 36 +++ lib/fko_util.h | 2 + lib/sha2.h | 2 + perl/FKO/FKO.xs | 6 +- server/access.c | 12 + server/fwknopd_common.h | 1 + test/conf/fwknoprc_default_hmac_base64_key | 5 +- test/fko-wrapper/fko_wrapper.c | 4 +- test/test-fwknop.pl | 378 ++++++++--------------------- 18 files changed, 320 insertions(+), 329 deletions(-) commit 39ca73a245e40f93f144a55be91f53821e75269a Author: Michael Rash Date: Tue Mar 5 23:29:46 2013 -0500 [test suite] added OpenSSL HMAC verification (closes #39) 
Makefile.am | 2 + client/fwknop.c | 2 + lib/fko_hmac.c | 2 + lib/hmac.c | 2 + test/conf/fwknoprc_hmac_simple_keys | 72 ++++++++++++ test/conf/hmac_simple_keys_access.conf | 6 + test/test-fwknop.pl | 194 +++++++++++++++++++++++++++++---- 7 files changed, 257 insertions(+), 23 deletions(-) commit 053db37c0dd711ff7c189fb84f498af859cb7a4c Author: Franck Joncourt Date: Tue Mar 5 21:01:38 2013 +0100 Added more command line switches in order for the user to be able to specify the Rijndael, Rijndael base64 and HMAC key. client/cmd_opts.h | 6 ++++++ client/config_init.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 61 insertions(+), 3 deletions(-) commit a09392b08debce847f71fa1a87b084d858050bd0 Author: Michael Rash Date: Sun Mar 3 17:56:02 2013 -0500 [test suite] better reporting of test title matching for valgrind coverage test test/test-fwknop.pl | 97 ++++++++++++++++++++++++++++------------------------- 1 file changed, 52 insertions(+), 45 deletions(-) commit 5c182c1722ff328515b06505d075c8b6792bba1b Author: Michael Rash Date: Sun Mar 3 16:21:46 2013 -0500 [test suite] added HMAC dual usage test Makefile.am | 1 + test/conf/hmac_dual_key_usage_access.conf | 11 +++++++++++ test/test-fwknop.pl | 20 ++++++++++++++++++++ 3 files changed, 32 insertions(+) commit e064e39284102908bfd478fe120fb0b5b85279c5 (refs/remotes/web/hmac_header_fixes, refs/remotes/origin/hmac_header_fixes, refs/remotes/ag4ve/hmac_header_fixes, refs/heads/hmac_header_fixes) Merge: 374c573 1dc47f8 Author: Michael Rash Date: Sun Mar 3 14:36:21 2013 -0500 Merge branch 'hmac_header_fixes' into hmac_support commit 1dc47f80d8e33e8d38473870efb2611728d2a22b Author: Michael Rash Date: Sun Mar 3 14:29:08 2013 -0500 Fix byte order warning This commit fixes a byte order warning for both sha1.c and md5.c like so: sha1.c:127:6: warning: #warning Undetermined or unsupported Byte Order... We will try LITTLE_ENDIAN [-Wcpp] Also removed a couple of header includes that appear not be needed. 
client/fwknop.c | 1 - client/fwknop_common.h | 1 - lib/cipher_funcs.h | 1 - lib/md5.c | 1 + lib/sha1.c | 1 + 5 files changed, 2 insertions(+), 3 deletions(-) commit 38a803fb71d463a3e20227f03d7cff64f85e578b Author: Franck Joncourt Date: Sun Mar 3 18:41:31 2013 +0100 * Added KEY, KEY_BASE64 and HMAC_KEY_BASE64 definitions to the save capability. * Allowed section to be found during an update of fwknoprc even if there are somes spaces before the stanza. * Allowed the user to strike the ENTER key to overwrite the section as it will be done with the 'Y' char. client/config_init.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) commit 374c573c89309c31e875dc1d6738f63d459554ce Merge: d94513e b86e48d Author: Michael Rash Date: Sun Mar 3 00:35:39 2013 -0500 Merge branch 'hmac_header_fixes' into hmac_support commit b86e48dd66c3e7a6160cf932639418d1c2325cd3 Author: Michael Rash Date: Sat Mar 2 23:16:26 2013 -0500 remove a couple of unnecessary header includes client/fwknop.c | 3 --- server/access.c | 1 - server/incoming_spa.c | 1 - 3 files changed, 5 deletions(-) commit d27c3e3b09410101f88db05bdf05dc02fc0403a5 Merge: 8731f02 f9e1ae4 Author: Michael Rash Date: Sat Mar 2 22:41:15 2013 -0500 Merge branch 'hmac_header_fixes' of github.com:mrash/fwknop into hmac_header_fixes commit d94513ee00d64f1686cda7eb5f6a2eb3825776ec Author: Michael Rash Date: Sat Mar 2 22:38:26 2013 -0500 [test suite] started adding HMAC equivalent tests for all existing tests test/test-fwknop.pl | 153 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) commit f9e1ae4859ac850ede8e980bb96d64189eb7fefe Merge: 73b1931 c1baa7e Author: Damien Stuart Date: Sat Mar 2 17:22:50 2013 -0500 Merge my working branch 'hmac_support' into hmac_header_fixes commit c1baa7e12f3663ebecb481fe51b8ae92255cebb0 Merge: 6ecf81b 839cc41 Author: Damien Stuart Date: Sat Mar 2 17:08:55 2013 -0500 Merge branch 'hmac_support' of github.com:mrash/fwknop into hmac_support commit 
6ecf81b16e601b92f67487cee2ef4c303f733b2e Author: Damien Stuart Date: Sat Mar 2 17:03:20 2013 -0500 First round if refactoring to clean up header dependencies. client/fwknop.c | 28 +++++++++++++++++++++++----- client/fwknop_common.h | 1 + client/utils.h | 3 --- common/common.h | 1 + configure.ac | 2 +- lib/base64.c | 1 + lib/base64.h | 2 -- lib/cipher_funcs.c | 1 + lib/cipher_funcs.h | 2 +- lib/digest.c | 2 ++ lib/digest.h | 10 ---------- lib/fko.h | 15 ++++++--------- lib/fko_common.h | 6 ------ lib/fko_context.h | 4 ++++ lib/fko_encryption.c | 35 +++++++++++++++++++++++++++++++---- lib/fko_hmac.c | 17 +++++++++++++++-- lib/fko_util.c | 25 +------------------------ lib/fko_util.h | 2 -- lib/gpgme_funcs.h | 5 ++++- lib/md5.h | 3 ++- lib/rijndael.c | 1 + lib/rijndael.h | 3 +-- lib/sha1.h | 3 ++- lib/sha2.h | 5 ++++- server/access.c | 1 + server/incoming_spa.c | 1 + server/utils.h | 3 --- 27 files changed, 104 insertions(+), 78 deletions(-) commit 58ba7717e61d1471b86cc4ac070f871ff4f02d15 Author: Michael Rash Date: Sat Mar 2 14:13:47 2013 -0500 [test suite] minor category renaming test/test-fwknop.pl | 294 +++++++++++++++++++++++++++------------------------- 1 file changed, 150 insertions(+), 144 deletions(-) commit 1de684ab167543f14fcf3046086d5b9aacba90d2 Author: Michael Rash Date: Sat Mar 2 11:15:19 2013 -0500 [test suite] minor spacing fix for hmac_access.conf file test/conf/hmac_access.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e4b6f566192aaebd927046c663f572e1b97d8da4 Author: Michael Rash Date: Sat Mar 2 11:10:48 2013 -0500 [test suite] minor valgrind coverage dir import status message test/test-fwknop.pl | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) commit a00de31f5a73750eee6a46ceb50d300f2432f528 Author: Michael Rash Date: Sat Mar 2 10:47:03 2013 -0500 [test suite] use find_command() for valgrind path test/test-fwknop.pl | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 
insertions(+), 22 deletions(-) commit 1e01d59c918b7d6e015e9874981109c09ec8aedc Author: Michael Rash Date: Sat Mar 2 10:18:05 2013 -0500 [test suite] added elapsed time display test/test-fwknop.pl | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) commit 8731f02005f50a52482211128a5dd0bb050bfeb4 Merge: 73b1931 839cc41 Author: Michael Rash Date: Fri Mar 1 22:35:19 2013 -0500 Merge branch 'hmac_support' into hmac_header_fixes commit 839cc416039ca10d42f36071587d4b1ad3bd1fbe Author: Michael Rash Date: Fri Mar 1 22:11:22 2013 -0500 remove unused vars for pf/ipfw/ipf firewalls until NAT is supported for them server/fw_util_ipf.c | 9 --------- server/fw_util_ipfw.c | 9 --------- server/fw_util_pf.c | 9 --------- 3 files changed, 27 deletions(-) commit bf94e79a3b85ae1f662b580822dd3d99e2b803fc Merge: 22316b7 bf99082 Author: Michael Rash Date: Fri Mar 1 21:58:08 2013 -0500 merged bf990821ffcb44aba4c82a476e0309b49837ebb7 for #20 commit 73b1931bd874c9c4315825dfc913bf39139f3085 Author: Michael Rash Date: Thu Feb 28 22:25:04 2013 -0500 minor clean up for get_keys() base64 decoded key length client/fwknop.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit ffcb77552b44833765020a0c04f5232343c02146 Author: Michael Rash Date: Thu Feb 28 21:47:43 2013 -0500 Remove lib/fko.h dependency on rijndael.h client/config_init.c | 21 --------------------- client/fwknop.c | 11 ++++++++++- lib/cipher_funcs.c | 24 ++++++++++++++++++------ lib/fko.h | 17 ++++++++--------- lib/fko_encryption.c | 5 ++--- lib/fko_funcs.c | 3 +-- lib/fko_util.c | 23 +++++++++++++++++++++++ lib/fko_util.h | 1 + server/access.c | 23 ----------------------- 9 files changed, 63 insertions(+), 65 deletions(-) commit 22316b796cc38824bf699898b6148719204b54f5 Author: Michael Rash Date: Thu Feb 28 21:42:53 2013 -0500 added test/fko-wrapper/ files for the test suite Makefile.am | 3 +++ 1 file changed, 3 insertions(+) commit e38fb835d0622125f514561c9c34f52f1ff54cd7 Author: Franck Joncourt Date: 
Thu Feb 28 22:53:08 2013 +0100 Added save capability for a specific stanza in fwknoprc. client/config_init.c | 655 +++++++++++++++++++++++++++++++++++++++++++++++-- client/fwknop_common.h | 1 + 2 files changed, 633 insertions(+), 23 deletions(-) commit 9c1b1d531d28dc32cbf7935e4a59d629ad2ac38c Merge: bdb32cf bf99082 Author: Damien Stuart Date: Mon Feb 25 21:46:09 2013 -0500 Merging fixes_for_2.0.4 into hmac_support commit db7f3e2b3c53c27f64663fff5c926238cc7bdea6 Author: Michael Rash Date: Mon Feb 25 16:50:12 2013 -0500 Added fko_set_spa_encryption_mode() multi-call test to fko-wrapper test/fko-wrapper/fko_wrapper.c | 5 +++++ 1 file changed, 5 insertions(+) commit bf990821ffcb44aba4c82a476e0309b49837ebb7 (refs/remotes/origin/fixes_for_2.0.4, refs/remotes/ag4ve/fixes_for_2.0.4) Author: Damien Stuart Date: Sun Feb 24 18:09:13 2013 -0500 Fixed broken configure options for forcing a particular firewall type and path. configure.ac | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) commit 2f1768fcc4c287a3a26d844fafec9197d8ae1db8 Author: Michael Rash Date: Fri Feb 22 20:51:48 2013 -0500 minor CREDITS file formatting update CREDITS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bdb32cf634760bb22d376ea371a0be6951ce0612 Author: Michael Rash Date: Thu Feb 21 22:47:40 2013 -0500 added decryption tests to fko-wrapper test/fko-wrapper/fko_wrapper.c | 96 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 89 insertions(+), 7 deletions(-) commit 6c2b657bfe6991224c665bc4c8e93fdcad8262b7 Author: Michael Rash Date: Thu Feb 21 22:44:33 2013 -0500 [libfko] free dynamically allocated resources for multiple libfko fcn calls lib/fko_decode.c | 25 ++++++++++++++++++++++++- lib/fko_encryption.c | 3 +++ lib/fko_funcs.c | 9 ++++++--- lib/fko_hmac.c | 3 +++ 4 files changed, 36 insertions(+), 4 deletions(-) commit 2b54cb94f540d2db9d8cd4db37e61ed893f1bffb Author: Michael Rash Date: Thu Feb 21 07:36:33 2013 -0500 memory leak bug fix for 
fko_new() to allow multiple calls without requiring external fko_destroy() call lib/fko_funcs.c | 3 +++ 1 file changed, 3 insertions(+) commit 74fe3c633049b53bdb92f2d65ed589a05accf9c4 Author: Michael Rash Date: Thu Feb 21 07:35:53 2013 -0500 added fko-wrapper memory validation test test/test-fwknop.pl | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) commit 3ce7a77df35eb2277a71767deb1dcc22cc8886d8 Author: Michael Rash Date: Thu Feb 21 07:33:52 2013 -0500 added global function call number var for fko-wrapper test/fko-wrapper/fko_wrapper.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) commit 52f40fea3cc0a84a0db9dad853b8abbc5bdd78cb Author: Michael Rash Date: Thu Feb 21 07:32:55 2013 -0500 added 'clean' stanza for fko-wrapper Makefile test/fko-wrapper/Makefile | 3 +++ 1 file changed, 3 insertions(+) commit 0ae954cb1769f9b064a84440f5d518457db57da3 Author: Michael Rash Date: Wed Feb 20 23:06:40 2013 -0500 completed fko_wrapper Rijndael encryption usage test/fko-wrapper/Makefile | 2 +- test/fko-wrapper/fko_wrapper.c | 29 +++++++++++++++++++++++++++-- 2 files changed, 28 insertions(+), 3 deletions(-) commit cae795f6fdea27ada3f94e6a23d4e4eb530ea814 Author: Michael Rash Date: Wed Feb 20 22:55:26 2013 -0500 allow encryption routines to be called multiple times for the same context (deallocate memory from previous calls) lib/fko_encryption.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) commit 5b00d1756f590c5003bc2a027faeb3110eaa836c Author: Michael Rash Date: Wed Feb 20 21:20:09 2013 -0500 set fko_ctx_t opaque pointers to NULL client/fwknop.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit c70ad5f12f4684389a895aaf7ec3cf8ef6be5f7b Author: Michael Rash Date: Wed Feb 20 21:05:47 2013 -0500 added fko-wrapper Makefile test/fko-wrapper/Makefile | 3 +++ 1 file changed, 3 insertions(+) commit e4a5b79750faa14224671e8242028e1eaa501b52 Author: Michael Rash 
Date: Wed Feb 20 21:00:46 2013 -0500 Added fko-wrapper that the test suite will be able to use for valgrind operations The fko_wrapper.c code is designed to call libfko functions multiple times in order to allow valgrind to test re-execution conditions. This ensures that libfko code frees memory from previous calls before leaking memory. test/fko-wrapper/fko_wrapper.c | 74 ++++++++++++++++++++++++++++++++++++++++ test/fko-wrapper/run_valgrind.sh | 3 ++ 2 files changed, 77 insertions(+) commit 33e1c19bb265df2f4b956447e016e3cf4226a8fc Author: Michael Rash Date: Wed Feb 20 20:45:40 2013 -0500 Make sure valgrind is stopped after each test in --enable-valgrind mode, closes #38 This commit uses pgrep + killall (if available) to ensure that valgrind is not running after each test. test/test-fwknop.pl | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) commit a413c6cf94afd1fcd0000f03f75ecd2a904220a9 Author: Michael Rash Date: Tue Feb 19 23:11:01 2013 -0500 Continue atoi() replacement with strtol() wrapper, closes issue #21 This commit completes the conversion to the strtol() wrapper function in order to remove all atoi() calls. In addition, variable max values are enforced using more broadly defined RCHK_* values. 
client/config_init.c | 37 +++++-------- client/fwknop.c | 2 +- client/http_resolve_host.c | 6 +- client/spa_comm.c | 6 +- lib/fko_decode.c | 2 +- lib/fko_util.c | 6 +- server/access.c | 7 ++- server/config_init.c | 2 +- server/config_init.h | 16 ------ server/fw_util_ipfw.c | 135 +++++++++++++++++++++++++++++++-------------- server/fw_util_iptables.c | 6 +- server/fwknopd.c | 2 +- server/fwknopd_common.h | 24 +++++++- server/incoming_spa.c | 2 +- server/pcap_capture.c | 6 +- 15 files changed, 155 insertions(+), 104 deletions(-) commit 6a475bbe5407b076a3c1425009efbeb93427618e Author: Michael Rash Date: Mon Feb 18 22:22:44 2013 -0500 Continued atoi() replacement with strtol() wrapper (issue #21) This commit replaces a few additional atoi() calls with the strtol() wrapper function, and also fixes a bug where access SOURCE IP/mask combinations would not be accepted when the string length was a long as something like '123.123.123.123/255.255.255.255'. server/access.c | 37 +++++++++++++++++++++++-------------- server/access.h | 4 +++- test/conf/multi_stanzas_access.conf | 2 +- 3 files changed, 27 insertions(+), 16 deletions(-) commit 3f05f81ac68d0845983b4470410f200495e3a401 Author: Michael Rash Date: Mon Feb 18 19:54:50 2013 -0500 memory leak bug fix in fko_set_rand_value() Bug fix for the following error caught by the test suite (in the [Rijndael SPA] [client+server] random SPA port (tcp/22 ssh) test): ==24257== 17 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==24257== at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24257== by 0x4E38B9B: fko_set_rand_value (fko_rand_value.c:114) ==24257== by 0x4E37FE0: fko_new (fko_funcs.c:75) ==24257== by 0x10AE52: main (fwknop.c:113) lib/fko_rand_value.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 1afc8db96a0e2cd8abdf2cd5994ab3ab385a4e73 Author: Michael Rash Date: Mon Feb 18 19:32:53 2013 -0500 Added strtol_wrapper() libfko utility function for atoi() replacement (#21) This commit 
replaces most atoi() calls (which don't report errors) with a strtol() wrapper function for stronger string -> integer conversion validation. client/config_init.c | 75 ++++++++++++++++++++++++---------------------- client/fwknop.c | 20 +++++++++++-- client/http_resolve_host.c | 6 ++-- client/spa_comm.c | 10 +++++-- common/Makefile.am | 2 +- lib/fko.h | 5 ++++ lib/fko_decode.c | 24 +++++++++++---- lib/fko_util.c | 52 +++++++++++++++++++++++++++++++- lib/fko_util.h | 2 ++ server/config_init.c | 38 ++++++++++++++++++----- server/fw_util_iptables.c | 52 +++++++++++++++++++++++++------- server/fwknopd.c | 25 ++++++++++------ server/incoming_spa.c | 15 +++++++++- server/pcap_capture.c | 36 +++++++++++++++++----- server/tcp_server.c | 11 +++++-- 15 files changed, 285 insertions(+), 88 deletions(-) commit 934e6760537b1438358dc5b12ae81543d2104843 Author: Michael Rash Date: Mon Feb 18 19:22:48 2013 -0500 minor cleanup to put --enable-all flags in one place test/test-fwknop.pl | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) commit 500a395cb6577e2d17ff9e23b6de19c9665635a6 Author: Michael Rash Date: Sun Feb 17 21:43:16 2013 -0500 apply const to pf and ipfw firewall function prototypes server/fw_util_ipfw.c | 13 +++++++------ server/fw_util_pf.c | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) commit 0b4cbbedfb2a6588243e6a71b354e42f08c257ff Author: Michael Rash Date: Sun Feb 17 21:38:03 2013 -0500 added fwknoprc* files Makefile.am | 6 ++++++ 1 file changed, 6 insertions(+) commit 7735e8ce7a7e4c82718b743bcc3de60c08394eb6 Author: Michael Rash Date: Sun Feb 17 12:02:48 2013 -0500 minor comment typ fix client/fwknop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ff285961e806c06376802e49cedff3b9b087497a Author: Michael Rash Date: Fri Feb 15 07:58:49 2013 -0500 Added --save-args-file and --no-save-args text to fwknop man page doc/fwknop.man.asciidoc | 8 ++++++++ 1 file changed, 8 insertions(+) commit 
aab3ba3b0cca99fdbd97efd4219990a76d04d7ce Author: Michael Rash Date: Thu Feb 14 22:50:14 2013 -0500 added --save-args-file and corresponding tests to the fwknop client client/cmd_opts.h | 3 +- client/config_init.c | 8 +- client/fwknop.c | 232 +++++++++++++++++++++++++++---------------------- client/fwknop_common.h | 1 + test/test-fwknop.pl | 25 +++++- 5 files changed, 160 insertions(+), 109 deletions(-) commit 280dbbfe103fb52661dcc228d3db47cb031dae85 Author: Michael Rash Date: Tue Feb 12 23:26:08 2013 -0500 added test for client --save-packet argument test/test-fwknop.pl | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) commit ce18de4f841c522e4fcb73dcb04b404d2b2642ad Author: Michael Rash Date: Tue Feb 12 22:39:39 2013 -0500 make libfko pointers constant where possible lib/fko.h | 66 +++++++++++++++++++++-------------------------- lib/fko_encryption.c | 22 +++++++++------- lib/fko_funcs.c | 18 ++++++------- lib/fko_hmac.c | 4 +-- lib/fko_message.c | 2 +- lib/fko_nat_access.c | 2 +- lib/fko_rand_value.c | 2 +- lib/fko_server_auth.c | 2 +- lib/fko_user.c | 16 ++++++------ server/fw_util.h | 13 +++++----- server/fw_util_iptables.c | 52 +++++++++++++++++++++---------------- server/fwknopd.c | 13 +++++----- 12 files changed, 108 insertions(+), 104 deletions(-) commit 4daedde364c0c938e813fb0f5bc05c7ca3a0f0f0 Author: Michael Rash Date: Tue Feb 12 22:18:16 2013 -0500 updated untested function list for Linux systems test/test-coverage/iptables/zero_called_functions | 42 +++-------------------- 1 file changed, 5 insertions(+), 37 deletions(-) commit 67c09c8a1f50dc1fa87cf7e28998579e7ff59136 Author: Michael Rash Date: Tue Feb 12 22:08:42 2013 -0500 Added test-coverage/README file test/test-coverage/README | 15 +++++++++++++++ 1 file changed, 15 insertions(+) commit f14fb4cb766f26f9984fb5019ed177b35fe18757 Author: Michael Rash Date: Tue Feb 12 22:06:35 2013 -0500 use same test execution strategy for --enable-profile-coverage-check as --enable-valgrind 
test/test-fwknop.pl | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) commit 98ed91a36f5c7278c9a4c0a2fd8d8527dce907b7 Author: Michael Rash Date: Mon Feb 11 23:17:52 2013 -0500 updated ownership determination to use the test suite owner instead of the configure script test/test-fwknop.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 67f92e7647911083d8bc7553c19fcf630235be77 Author: Michael Rash Date: Sun Feb 10 15:04:33 2013 -0500 added the roadmap.org file Makefile.am | 1 + 1 file changed, 1 insertion(+) commit 381487569c4ba0ad5c90e58c9a532977a15acced Author: Michael Rash Date: Sun Feb 10 15:01:06 2013 -0500 added the roadmap.org file to define the upcoming fwknop road map roadmap.org | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) commit b820bbbe4b5fedeb88e7798cfdddec722936c34c Author: Michael Rash Date: Sun Feb 10 14:57:44 2013 -0500 Minor memory leak bug fix in --rotate-digest-cache mode This commit fixes a minor memory leak for the digest cache file path in --rotate-digest-cache mode in the replay_cache_init() function. The leak was caught by valgrind, and a new test was added to the test suite for it. 
Here is the valgrind warning: ==29021== 21 bytes in 1 blocks are definitely lost in loss record 2 of 2 ==29021== at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==29021== by 0x1103AA: replay_cache_init (replay_cache.c:96) ==29021== by 0x10BB8C: main (fwknopd.c:254) server/replay_cache.c | 8 +++++++- test/test-fwknop.pl | 52 +++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 57 insertions(+), 3 deletions(-) commit 7face3eec9bbfa8a2df7b96cf078a418cb940e95 Author: Michael Rash Date: Sat Feb 2 22:37:17 2013 -0500 ensure matching test file comparison for valgrind test test/test-fwknop.pl | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) commit 7bfaee9aef7893b08c7cdcbb9af7ae424ff4fbf5 Author: Michael Rash Date: Sat Feb 2 22:06:45 2013 -0500 Make valgrind test fail for new flagged functions In --enable-valgrind mode, this commit adds the ability to compare current test result output with any previous test suite execution. Whenever valgrind flags a new function or if an existing flagged function has a greater number of calls, then the final valgrind test will fail. This allows a greater level of valgrind validation to take place for new code in an automated fashion. For example, if a change to a piece of code introduces a memory handling problem of the sort that valgrind can detect, then the final test will fail like so: # ./test-fwknop.pl --include "complete cycle.*HMAC" --enable-valgrind --test-limit 1 [+] Starting the fwknop test suite... 
args: --include complete cycle.*HMAC --enable-valgrind --test-limit 1 Saved results from previous run to: output.last/ [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)...pass (1) [valgrind output] [flagged functions] ..............................fail (2) [+] 1/1/2 tests passed/failed/executed The newly flagged functions will be written to the corresponding test file: # cat output/2.test [+] TEST: [valgrind output] [flagged functions]~ [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: main [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_spa_data_final [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: strdup [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_new [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encrypt_spa_data [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encode_spa_data [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_calculate_hmac [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_username [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_rand_value [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_spa_message [-] 1.test (client) '[+] TEST: [Rijndael SPA] 
[client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: set_digest [-] 1.test New and/or greater number of valgrind flagged function calls test/test-fwknop.pl | 214 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 159 insertions(+), 55 deletions(-) commit 4824b74d93f3b44a9b233c7bd474c1f0ceaa2ea4 Author: Michael Rash Date: Thu Jan 31 22:19:21 2013 -0500 bug fix for iptables duplicate rules test to account for rules that may have a different time stamp test/test-fwknop.pl | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) commit 6d233a9427622352775a2d59d9b29800eb3a8e3e Author: Michael Rash Date: Thu Jan 31 21:20:04 2013 -0500 make sure test message strings are unique across all tests test/test-fwknop.pl | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) commit c31c924a4541700e6a1a1eb9bd6ce82e1f9e7651 Author: Michael Rash Date: Wed Jan 30 21:13:44 2013 -0500 minor spacing fix lib/sha2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 13018a5c42dfd50345bbd34cbd6e14857086b50e Merge: fa56f95 fcf9f43 Author: Michael Rash Date: Wed Jan 30 18:04:50 2013 -0800 Merge pull request #19 from fjoncourt/hmac_support Fixed gcc warning for the md5 driver. commit fa56f951b422cb42c9be99234df24d0b9c51403b Author: Michael Rash Date: Tue Jan 29 21:57:38 2013 -0500 [test suite] bug fix for 'set_legacy_iv' mode in perl_fko_module_complete_cycle() test/test-fwknop.pl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit f1793a61d6d26378f9be5d662a81d02596d41bc6 Merge: efe6e9f 1a8520d Author: Michael Rash Date: Tue Jan 29 21:52:15 2013 -0500 Merge remote-tracking branch 'fjoncourt/hmac_support' into hmac_support Applied fix from Franck Joncourt for the 'warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]' error in the MD5 digest code. 
commit fcf9f43c5ba0e11214d31c515854543c21d7bd63 Author: Franck Joncourt Date: Mon Jan 28 21:47:57 2013 +0100 Fixed gcc warnings for the sha2 driver. lib/sha2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit efe6e9f23b32c5376b9696ffd60cb78b683bf761 Author: Michael Rash Date: Sun Jan 27 22:22:52 2013 -0500 more legacy IV mode tests with the perl FKO module test/test-fwknop.pl | 49 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 5 deletions(-) commit 4cb139c6744f1c92fe03561c8007eb00c4ddb8ca Author: Michael Rash Date: Sun Jan 27 20:37:48 2013 -0500 added fuzzing test counters with summary output test/test-fwknop.pl | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) commit 2ecb278d8ee3e922647066254d8195afca3e0db4 Author: Michael Rash Date: Sun Jan 27 14:18:25 2013 -0500 added legacy IV tests for perl FKO client -> C server test/test-fwknop.pl | 48 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 6 deletions(-) commit 0109d64e545f5c2d124c2aff4e5691b46fb3ace3 Author: Michael Rash Date: Sun Jan 27 14:03:26 2013 -0500 added encryption_mode() support to perl FKO module perl/FKO/FKO.xs | 21 +++++++++++++++++++++ perl/FKO/lib/FKO.pm | 16 ++++++++++++++++ perl/FKO/lib/FKO_Constants.pl | 23 +++++++++++++++++++++++ test/test-fwknop.pl | 1 + 4 files changed, 61 insertions(+) commit b537c9e451a6b7e97bcf63a76d18b3246a622222 Author: Michael Rash Date: Sun Jan 27 13:30:26 2013 -0500 ensure test/conf/ files are included Makefile.am | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) commit e7eb02f82df2949c1a9092745b771fa8ffaf6723 Author: Michael Rash Date: Sun Jan 27 13:18:29 2013 -0500 Maintain backwards compatibility with old "zero padding" code [libfko] Added the ability to maintain backwards compatibility with the now deprecated "zero padding" strategy in AES mode that was a hold over from the old perl fwknop implementation. 
This enables the backwards compatibility tests to continue to pass in the test suite. ChangeLog | 3 +++ lib/cipher_funcs.c | 20 +++++++++-------- lib/fko.h | 1 + server/access.c | 2 ++ test/conf/android_legacy_iv_access.conf | 4 ++++ test/conf/legacy_iv_access.conf | 4 ++++ test/test-fwknop.pl | 38 ++++++++++++++++++--------------- 7 files changed, 46 insertions(+), 26 deletions(-) commit 8a5b700c3007239c81a069b390f0dfc5ce1d8552 Author: Michael Rash Date: Sun Jan 27 10:54:20 2013 -0500 openssl tests to use '-pass file:' method for setting passphrase test/test-fwknop.pl | 105 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 18 deletions(-) commit 98c16005da147e4885abb6e95ea3e3ce0d207468 Author: Michael Rash Date: Sun Jan 27 10:53:07 2013 -0500 memset() AES buffers to zero lib/cipher_funcs.c | 5 +++++ 1 file changed, 5 insertions(+) commit 1618dc2a7c2f8c0c5b4808225e579f23778e4b68 Author: Michael Rash Date: Sat Jan 26 20:45:56 2013 -0500 minor typo spelling fix test/conf/fwknoprc_default_hmac_base64_key | 2 +- test/conf/fwknoprc_invalid_base64_key | 2 +- test/conf/fwknoprc_named_key | 2 +- test/conf/fwknoprc_with_default_base64_key | 2 +- test/conf/fwknoprc_with_default_key | 2 +- test/conf/fwknoprc_with_named_key | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) commit 1a8520d659c6488be5eff6c8bad30bf7f01614d3 Author: Franck Joncourt Date: Sat Jan 26 22:23:18 2013 +0100 Fixed gcc warning for the md5 driver. 
md5.c: In function 'MD5Final': md5.c:166:5: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] md5.c:167:5: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] Debian Gnu/Linux on i386 build against 2.0.4 : https://buildd.debian.org/status/fetch.php?pkg=fwknop&arch=i386&ver=2.0.4-1&stamp=1358610541 lib/md5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 1d35c33d5214345118836146713b8c6fff8d211d Author: Michael Rash Date: Fri Jan 25 21:44:24 2013 -0500 [test suite] added --enable-openssl-checks Added --enable-openssl-checks to send all SPA packets encrypted via libfko through the OpenSSL library to ensure that the libfko usage of AES is always compatible with OpenSSL. This ensures that the fwknop usage of AES is properly implemented as verified by the OpenSSL library, which is a frequently audited high profile crypto engine. If a vulnerability is discovered in OpenSSL and a change is made, then the --enable-openssl-checks mode will allow the test suite to discover this in a automated fashion for fwknop. ChangeLog | 8 ++ lib/cipher_funcs.c | 43 ++++++---- test/test-fwknop.pl | 241 ++++++++++++++++++++++++++++++++++++++++++++++++++-- todo.org | 15 ++++ 4 files changed, 286 insertions(+), 21 deletions(-) commit e6e695bc2efe09634cda917ba33eb296302fc2b5 Author: Michael Rash Date: Tue Jan 22 22:47:40 2013 -0500 minor todo.org updates todo.org | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit fbbcae3a0db81336f45b45e3c4698a79f113c393 Author: Michael Rash Date: Tue Jan 22 22:20:54 2013 -0500 [libfko] Don't trundate > 16 byte Rijndael keys Significant bug fix to honor the full encryption key length for user-supplied Rijndael keys > 16 bytes long. Previous to this bug fix, only the first 16 bytes of a key were actually used in the encryption/ decryption process even if the supplied key was longer. 
The result was a weakening of expected security for users that had keys > 16 bytes, although this is probably not too common. Note that "passphrase" is perhaps technically a better word for "user-supplied key" in this context since Rijndael in CBC mode derives a real encryption/decryption key from the passphrase through a series of applications of md5 against the passphrase and a random salt. This issue was reported by Michael T. Dean. Closes issue #18 on github. CREDITS | 4 +++ ChangeLog | 11 +++++++ lib/cipher_funcs.c | 42 ++++++++++++++------------ lib/rijndael.h | 10 +++---- test/test-fwknop.pl | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 128 insertions(+), 24 deletions(-) commit fde5ec8ed99a37717af756618c7fb36ed62a4b69 Author: Michael Rash Date: Sun Jan 20 22:43:29 2013 -0500 minor todo.org updates todo.org | 5 +++++ 1 file changed, 5 insertions(+) commit 7d82b3ef30b57240d81af443a973be7a92269dbc Author: Michael Rash Date: Sun Jan 20 22:01:29 2013 -0500 minor ChangeLog and todo.org updates for the coming HMAC feature ChangeLog | 4 +++- todo.org | 14 ++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) commit 6c72e7a90849b847fc03bea038a83397340d3d50 Author: Michael Rash Date: Sun Jan 20 18:51:34 2013 -0500 added test for b0a4c045e6862e4359fe6530934f456a2e61703d (ensure iptables rules not duplicated) test/test-fwknop.pl | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) commit fd41308ce55db47ddc7ae54237a55a283526437e Author: Michael Rash Date: Sun Jan 20 15:31:55 2013 -0500 added info for Franck's latest contribution CREDITS | 3 +++ 1 file changed, 3 insertions(+) commit b0a4c045e6862e4359fe6530934f456a2e61703d Merge: 160a9e5 0fda88c Author: Michael Rash Date: Sun Jan 20 15:22:47 2013 -0500 Merge remote-tracking branch 'fjoncourt/master' into hmac_support This merges in code from Franck Joncourt to ensure that duplicate iptables rules are not created for SPA packets that are 
themselves different but arrive at the same time and that request exactly the same access. This is done by using the 'iptables -C' functionality to determine whether a duplicate rule already exists before adding a new one. commit 160a9e5565ffdec56e528a4412bbf0cbcef7963a Author: Michael Rash Date: Sun Jan 20 14:27:27 2013 -0500 perl FKO module HMAC compatibility lib/fko_funcs.c | 13 +++++++++++-- perl/FKO/FKO.xs | 26 ++++++++++++++++++-------- perl/FKO/lib/FKO.pm | 38 +++++++++++++++++++++++--------------- perl/FKO/lib/FKO_Constants.pl | 18 ++++++++++++++++++ test/test-fwknop.pl | 28 ++++++++++++++-------------- 5 files changed, 84 insertions(+), 39 deletions(-) commit 47f20ea30cc07b1a4b2b3aff6da259b7320f0782 Author: Michael Rash Date: Sat Jan 19 18:36:52 2013 -0500 merged in the fixes_for_2.0.4 branch client/Makefile.am | 2 +- common/Makefile.am | 8 ++++++++ lib/Makefile.am | 15 +++------------ server/Makefile.am | 2 +- 4 files changed, 13 insertions(+), 14 deletions(-) commit fc4825b3310f9a9675ea18fea870904628ae59e8 Author: Michael Rash Date: Sat Jan 19 18:17:29 2013 -0500 added backwards compatibility test for 2.0.4 client->server test/test-fwknop.pl | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) commit 437a05dac66e05e875431d1a705ad19c2a4eac54 Author: Michael Rash Date: Sat Jan 19 16:27:34 2013 -0500 interim commit towards FKO compatibility with HMAC code perl/FKO/FKO.xs | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) commit 307cb84323c0dd699ff2e30e5cee07da933bc352 Author: Michael Rash Date: Fri Jan 18 22:11:32 2013 -0500 port strlen bugfix client/spa_comm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 47ea800889f272fc1d64f85da81659a4aa49b273 Merge: 55fa484 10c1906 Author: Michael Rash Date: Fri Jan 18 18:24:45 2013 -0500 merged in fwknop-2.0.4 changes commit 0fda88cfcac4d99bcb3d0f1e20d405ae1e5b6d9d Author: Franck Joncourt Date: Thu Jan 17 21:46:13 2013 +0100 * Avoid duplicate rules with the same 
timestamp. server/fw_util_iptables.c | 305 ++++++++++++++++++++++++---------------------- server/fw_util_iptables.h | 10 +- 2 files changed, 165 insertions(+), 150 deletions(-) commit ecc9a62a23faa3688c5b63849e4f12109beffef5 (refs/remotes/fjoncourt/fixes_for_2.0.4) Author: Damien Stuart Date: Sun Jan 13 22:28:34 2013 -0500 Add AM_CPPFLAGS to common/Makefile.am common/Makefile.am | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit b7b4e857be15c2f34ada9d63c988fc3d4debcc6f Author: Damien Stuart Date: Sun Jan 13 22:16:30 2013 -0500 Change to how strlcpy and strlcat are handled Put strlcpy and strlcat object files back in the source group in lib. Moved libfko_util.a to the common directory (though sources remain in lib). Client and server code looks to common dir for libfko-util. This fixes issue with strlcpy showing as undefined symbol when perl FKO module is loaded. client/Makefile.am | 2 +- common/Makefile.am | 6 ++++++ lib/Makefile.am | 11 +---------- server/Makefile.am | 2 +- 4 files changed, 9 insertions(+), 12 deletions(-) commit 10c19063df27f0bc60f86bc1c3498be498f3a0d3 Author: Damien Stuart Date: Sun Dec 23 10:28:30 2012 -0500 Fixed parallel build issue Added explicit dependency directives to Makefile.am to address errors when running a parallel build. 
lib/Makefile.am | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) commit 516b75f41c738b9e88fa836d93600d6bb23d4f2e Author: Michael Rash Date: Thu Dec 13 21:09:47 2012 -0500 removed openbsd/pkg/ directory extras/openbsd/pkg/DESCR | 14 -------------- extras/openbsd/pkg/PFRAG.shared | 2 -- extras/openbsd/pkg/PLIST | 11 ----------- extras/openbsd/pkg/fwknopd.rc | 9 --------- 4 files changed, 36 deletions(-) commit 0d19065ecc4c4f1a34c85b27302c98bc2e6adfe7 Author: Michael Rash Date: Thu Dec 13 21:07:53 2012 -0500 added fwknop-2.0.4 OpenBSD port from Vlad Glagolev ChangeLog | 4 +++ extras/openbsd/fwknop-2.0.4/Makefile | 46 ++++++++++++++++++++++++++++ extras/openbsd/fwknop-2.0.4/distinfo | 5 +++ extras/openbsd/fwknop-2.0.4/pkg/DESCR | 14 +++++++++ extras/openbsd/fwknop-2.0.4/pkg/PFRAG.shared | 2 ++ extras/openbsd/fwknop-2.0.4/pkg/PLIST | 11 +++++++ extras/openbsd/fwknop-2.0.4/pkg/fwknopd.rc | 9 ++++++ 7 files changed, 91 insertions(+) commit 0e89efb40e3bd94c2a871f54289e35672ab29371 Author: Michael Rash Date: Thu Dec 13 21:05:31 2012 -0500 moved openbsd/* to openbsd/fwknop-2.0.3/ now that Vlad Glagolev has contributed an fwknop-2.0.4 OpenBSD port extras/openbsd/distinfo | 5 --- extras/openbsd/fwknop-2.0.3/Makefile | 46 ++++++++++++++++++++++ extras/openbsd/fwknop-2.0.3/distinfo | 5 +++ .../fwknop-2.0.3/patches/patch-lib_fko_decode_c | 14 +++++++ .../patches/patch-server_replay_cache_c | 27 +++++++++++++ extras/openbsd/patches/patch-lib_fko_decode_c | 14 ------- extras/openbsd/patches/patch-server_replay_cache_c | 27 ------------- 7 files changed, 92 insertions(+), 46 deletions(-) commit 55fa4841f24f13c1db84fa76a02d106298c057ec Merge: 5daaca0 40ac28d Author: Michael Rash Date: Mon Sep 3 22:32:44 2012 -0400 another merge from master commit 5daaca01ea30bec306cdd96085e4efc8e384d082 Merge: b643848 d739331 Author: Michael Rash Date: Fri Aug 31 21:43:55 2012 -0400 merged master 2.0.3 changes commit b643848e057eb72085c9bc690a30fe434944437f Author: Michael 
Rash Date: Sun Aug 19 22:27:04 2012 -0400 added --hmac-mode to spa-entropy.pl extras/spa-entropy/spa-entropy.pl | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) commit e80a6de5f7dda2fbe0c0f9e4e1df2e951921511b Author: Michael Rash Date: Sun Aug 19 10:43:30 2012 -0400 Memory leak bug fix discovered through the "altered HMAC test" This commit fixes a memory leak caught with valgrind in the "altered HMAC test": [+] fwknop functions (unique view): - 9 : ??? - 4 : main - 4 : pcap_capture - 2 : incoming_spa - 2 : fko_new_with_data - 2 : fko_verify_hmac + 7 : ??? + 2 : pcap_capture + 2 : main 1 : pcap_compile - 1 : strdup - 1 : fko_calculate_hmac - 1 : add_salted_str [+] fwknop functions (with call line numbers): - 9 : ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) - 4 : main (fwknopd.c:299) - 2 : fko_new_with_data (fko_funcs.c:220) - 2 : pcap_capture (pcap_capture.c:226) - 2 : incoming_spa (incoming_spa.c:378) - 1 : add_salted_str (cipher_funcs.c:298) - 1 : strdup (strdup.c:43) - 1 : fko_verify_hmac (fko_hmac.c:78) - 1 : fko_verify_hmac (fko_hmac.c:92) - 1 : pcap_capture (pcap_capture.c:105) + 7 : ??? 
(in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) + 2 : main (fwknopd.c:299) 1 : pcap_compile (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) 1 : pcap_capture (pcap_capture.c:97) - 1 : fko_calculate_hmac (fko_hmac.c:169) + 1 : pcap_capture (pcap_capture.c:105) lib/fko_funcs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 6199180c6971e08fdb52242deaed127c8d4af92c Author: Michael Rash Date: Sat Aug 18 16:29:08 2012 -0400 minor paren's syntax bug fix server/incoming_spa.c | 2 ++ 1 file changed, 2 insertions(+) commit 6392e5891e626393e553eb032405424f5311be21 Merge: 8d6bc05 6de386b Author: Michael Rash Date: Sat Aug 18 16:26:06 2012 -0400 Merge branch 'master' into hmac_support commit 8d6bc052952b9b99f4d0898038df78c946aef64b Merge: 47795d4 38feb8d Author: Michael Rash Date: Fri Aug 17 21:19:52 2012 -0400 merged from master commit 47795d41e29feabe4824b7436d376cd71b56e406 Merge: c374a7d 27ccfe3 Author: Michael Rash Date: Fri Aug 10 22:30:07 2012 -0400 merged from master commit c374a7df27c9baf37e6c0c43b284886588b59d15 Merge: eb5176c e70739d Author: Michael Rash Date: Sun Aug 5 13:26:43 2012 -0400 Merge branch 'master' into hmac_support commit eb5176cf6058fd5bec254767a511665066bf0691 Author: Michael Rash Date: Fri Aug 3 21:20:21 2012 -0400 [test suite] added --enable-all arg test/test-fwknop.pl | 8 ++++++++ 1 file changed, 8 insertions(+) commit f7084721b76df36551c72a5603c91c7488d1da0e Author: Michael Rash Date: Thu Aug 2 23:24:38 2012 -0400 added 'altered HMAC' tests to ensure HMAC verification happens properly test/test-fwknop.pl | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) commit 30acf93b727ab5b9c03dd052c59dfc466689edc7 Author: Michael Rash Date: Thu Aug 2 22:55:54 2012 -0400 Memory leak fix for HMAC verification This commit fixes a memory leak in the HMAC verification code found with the test suite running in valgrind mode. 
Here is the './test-fwknop.pl --diff' output showing fko_verify_hmac() removed from the flagged functions list: [+] fwknop functions (unique view): - 8 : ??? - 3 : main - 3 : pcap_capture - 1 : incoming_spa + 7 : ??? + 2 : pcap_capture + 2 : main 1 : pcap_compile - 1 : fko_new_with_data - 1 : strndup - 1 : fko_verify_hmac [+] fwknop functions (with call line numbers): - 8 : ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) - 3 : main (fwknopd.c:299) - 1 : fko_new_with_data (fko_funcs.c:220) - 1 : pcap_capture (pcap_capture.c:105) - 1 : incoming_spa (incoming_spa.c:376) - 1 : strndup (strndup.c:46) + 7 : ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) + 2 : main (fwknopd.c:299) 1 : pcap_compile (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.1.1) - 1 : pcap_capture (pcap_capture.c:226) 1 : pcap_capture (pcap_capture.c:97) - 1 : fko_verify_hmac (fko_hmac.c:54) + 1 : pcap_capture (pcap_capture.c:105) lib/fko_hmac.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 3d9e96af564a915096f29c8d779c3c8128269635 Author: Michael Rash Date: Thu Aug 2 22:46:52 2012 -0400 Memory leak fix in client test mode This commit fixes the following memory leak found with the test suite running in valgrind mode: HEAP SUMMARY: in use at exit: 217 bytes in 3 blocks total heap usage: 27 allocs, 24 frees, 5,260 bytes allocated 44 bytes in 1 blocks are definitely lost in loss record 1 of 3 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x50CB861: strndup (strndup.c:46) by 0x4E3A4D4: fko_verify_hmac (fko_hmac.c:54) by 0x4E394DD: fko_new_with_data (fko_funcs.c:220) by 0x10B3A7: main (fwknop.c:408) 44 bytes in 1 blocks are definitely lost in loss record 2 of 3 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x50CB801: strdup (strdup.c:43) by 0x4E3A3FC: fko_calculate_hmac (fko_hmac.c:162) by 0x4E3A552: fko_verify_hmac (fko_hmac.c:86) by 0x4E394DD: fko_new_with_data (fko_funcs.c:220) by 0x10B3A7: main (fwknop.c:408) 129 bytes in 1 
blocks are definitely lost in loss record 3 of 3 at 0x4C2B7B2: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4E36A03: add_salted_str (cipher_funcs.c:298) by 0x4E3A587: fko_verify_hmac (fko_hmac.c:75) by 0x4E394DD: fko_new_with_data (fko_funcs.c:220) by 0x10B3A7: main (fwknop.c:408) LEAK SUMMARY: definitely lost: 217 bytes in 3 blocks indirectly lost: 0 bytes in 0 blocks possibly lost: 0 bytes in 0 blocks still reachable: 0 bytes in 0 blocks suppressed: 0 bytes in 0 blocks lib/fko_funcs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit cba6478258c32c9106646e1cca62d300b53f6c46 Author: Michael Rash Date: Thu Aug 2 22:29:54 2012 -0400 Memory leak bug fix for rc file parsing of invalid data This commit fixes the following (found with the test suite in valgrind mode): 568 bytes in 1 blocks are still reachable in loss record 1 of 1 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x50B1C9A: __fopen_internal (iofopen.c:76) by 0x10D0CD: process_rc (config_init.c:516) by 0x10D645: config_init (config_init.c:752) by 0x10AB13: main (fwknop.c:70) client/config_init.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) commit c37047ac93d57ebeec0d58bf2c7120cf67783eba Author: Michael Rash Date: Thu Aug 2 22:00:05 2012 -0400 Memory leak bug fix in --key-gen mode This commit fixes the following memory caught with the test suite in valgrind mode: HEAP SUMMARY: in use at exit: 285 bytes in 4 blocks total heap usage: 11 allocs, 7 frees, 3,179 bytes allocated 5 bytes in 1 blocks are indirectly lost in loss record 1 of 4 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x50CB801: strdup (strdup.c:43) by 0x4E3A7B2: fko_set_username (fko_user.c:96) by 0x4E39628: fko_new (fko_funcs.c:86) by 0x10AB54: main (fwknop.c:83) 7 bytes in 1 blocks are indirectly lost in loss record 2 of 4 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4E395D7: 
fko_new (fko_funcs.c:62) by 0x10AB54: main (fwknop.c:83) 17 bytes in 1 blocks are indirectly lost in loss record 3 of 4 at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4E3A06A: fko_set_rand_value (fko_rand_value.c:114) by 0x4E39605: fko_new (fko_funcs.c:75) by 0x10AB54: main (fwknop.c:83) 285 (256 direct, 29 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4E395BA: fko_new (fko_funcs.c:46) by 0x10AB54: main (fwknop.c:83) LEAK SUMMARY: definitely lost: 256 bytes in 1 blocks indirectly lost: 29 bytes in 3 blocks possibly lost: 0 bytes in 0 blocks still reachable: 0 bytes in 0 blocks suppressed: 0 bytes in 0 blocks client/fwknop.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) commit b8ed3a60d9a4d2e191f43a11240210672553c5d6 Author: Michael Rash Date: Thu Aug 2 21:56:45 2012 -0400 excluded HMAC random verification from --enable-valgrind mode (too slow for 100 client executions) test/test-fwknop.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 84b9c775c037ec079bb43dcdf7b8e93517937534 Merge: 1528697 7061b7b Author: Michael Rash Date: Wed Aug 1 23:41:00 2012 -0400 Merge branch 'master' into hmac_support commit 1528697aaa7d322c4dd8becd9ca90c2131e54568 Merge: a8bb425 5fd3343 Author: Michael Rash Date: Wed Aug 1 23:05:51 2012 -0400 merged replay prefix and IP resolve tests commit a8bb42569c807becef2bd96238601e6adf5db909 Author: Michael Rash Date: Sun Jul 29 23:35:32 2012 -0400 [test suite] minor compile bug fix test/test-fwknop.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit afc71b7df3d992ed6f3add8760fbd64b46c7cd31 Author: Michael Rash Date: Sun Jul 29 23:31:15 2012 -0400 Replay attack bug fix (encryption prefixes) Ensure that an attacker cannot force a replay attack by intercepting an SPA packet and then replaying it with the base64 version of "Salted__" (for Rijndael) or the 
"hQ" prefix (for GnuPG). This is an important fix. The following comment was added into the fwknopd code: /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes * since an attacker might have tacked them on to a previously seen * SPA packet in an attempt to get past the replay check. And, we're * no worse off since a legitimate SPA packet that happens to include * a prefix after the outer one is stripped off won't decrypt properly * anyway because libfko would not add a new one. */ lib/cipher_funcs.h | 9 --------- lib/fko.h | 8 ++++++++ server/incoming_spa.c | 14 ++++++++++++++ test/test-fwknop.pl | 30 ++++++++++++++++++++++++++++++ 4 files changed, 52 insertions(+), 9 deletions(-) commit fd30a3491d6201736095846cb45ffaa808d29ee2 Author: Michael Rash Date: Sun Jul 29 21:57:05 2012 -0400 minor variable rename LENGTH -> LEN, STRING_LENGTH -> STR_LEN client/fwknop.c | 2 +- lib/digest.c | 40 ++++++++++----------- lib/digest.h | 10 +++--- lib/fko_decode.c | 12 +++---- lib/fko_digest.c | 20 +++++------ lib/fko_funcs.c | 6 ++-- lib/fko_hmac.c | 16 ++++----- lib/fko_util.c | 10 +++--- lib/hmac.c | 10 +++--- lib/hmac.h | 4 +-- lib/md5.h | 2 +- lib/sha1.h | 4 +-- lib/sha2.c | 106 +++++++++++++++++++++++++++---------------------------- lib/sha2.h | 62 ++++++++++++++++---------------- 14 files changed, 152 insertions(+), 152 deletions(-) commit a9cbd60327374e61791ff4ea8fe50c03981739a0 Author: Michael Rash Date: Sun Jul 29 21:34:08 2012 -0400 [libfko] first HMAC-SHA256 implementation (includes test suite support) lib/cipher_funcs.c | 37 ++++++++++++++++++++ lib/cipher_funcs.h | 1 + lib/fko_context.h | 1 + lib/fko_encryption.c | 22 ++---------- lib/fko_hmac.c | 56 ++++++++++++++++++++++++++++-- lib/fko_util.c | 2 ++ test/conf/fwknoprc_default_hmac_base64_key | 2 +- test/test-fwknop.pl | 26 +++++++++++--- 8 files changed, 119 insertions(+), 28 deletions(-) commit df0f0b7f61c136e32ae51bbd595e576028f47305 Author: Michael Rash Date: Sun Jul 29 21:31:44 2012 -0400 
[libfko] minor memory leak fix for user detection (corner case) lib/fko_user.c | 4 ++++ 1 file changed, 4 insertions(+) commit 6d379aba6e9eac17599f99c90b9458f2e6bce006 Author: Michael Rash Date: Sat Jul 28 00:08:30 2012 -0400 [server] replay attack detection memory leak bug fix This commit fixes the following memory leak found with valgrind: 44 bytes in 1 blocks are definitely lost in loss record 2 of 2 at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) by 0x490EA50: strdup (strdup.c:43) by 0x10CD69: incoming_spa (incoming_spa.c:162) by 0x10E000: process_packet (process_packet.c:200) by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1) by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1) by 0x10DABF: pcap_capture (pcap_capture.c:226) by 0x10A798: main (fwknopd.c:299) server/incoming_spa.c | 4 ++++ 1 file changed, 4 insertions(+) commit b760f4aad3faaa713ca8097414752ba2ad854326 Author: Michael Rash Date: Fri Jul 27 23:59:03 2012 -0400 [test suite] exempted valgrind collection test from --test-limit test/test-fwknop.pl | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) commit c6cef8982a854f4671173964fe18cc82dc38594f Author: Michael Rash Date: Fri Jul 27 23:25:32 2012 -0400 [libfko] validate incoming plaintext lengths lib/fko_encryption.c | 29 +++++++++++++++++++---------- lib/fko_limits.h | 6 +++++- lib/fko_util.c | 11 +++++++++++ lib/fko_util.h | 1 + 4 files changed, 36 insertions(+), 11 deletions(-) commit 482e6f974c4022b15909f648af94f013adcd4580 Author: Michael Rash Date: Fri Jul 27 21:29:26 2012 -0400 added msg_hmac_len and removed additional strlen() calls lib/fko_context.h | 1 + lib/fko_encryption.c | 12 ++++++++++-- lib/fko_funcs.c | 2 +- lib/fko_hmac.c | 8 ++++++-- 4 files changed, 18 insertions(+), 5 deletions(-) commit 10195cf29a41dc64e3cbfc429656618dca55d973 Author: Michael Rash Date: Fri Jul 27 18:16:37 2012 -0400 [libfko] added encrypted_msg_len and replaced additional 
strlen() calls lib/cipher_funcs.h | 3 +++ lib/fko_context.h | 1 + lib/fko_encryption.c | 51 ++++++++++++++++++++++++++++++++---------------------- lib/fko_funcs.c | 17 ++++++++++++++--- 4 files changed, 40 insertions(+), 32 deletions(-) commit a6ea3f6935b84c17fd4dc3db1ec73c57038f8a11 Author: Michael Rash Date: Fri Jul 27 18:08:23 2012 -0400 [test suite] minor bug fix for file existence check test/test-fwknop.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d0cb2c6ad5cd464303faceb9a5aec5ee0d8da810 Author: Michael Rash Date: Fri Jul 27 13:30:29 2012 -0400 [test suite] added 100 key uniqueness test for --key-gen mode test/test-fwknop.pl | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) commit ab52476bfc8d3843a54493ea1bb46fc6009df157 Author: Michael Rash Date: Fri Jul 27 13:05:29 2012 -0400 [test suite] [client] added --key-gen and --key-gen-file tests client/config_init.c | 7 +++++++ client/fwknop.c | 21 ++++++++++++++++++++- test/test-fwknop.pl | 45 +++++++++++++++++++++++++++++---------------- 3 files changed, 56 insertions(+), 17 deletions(-) commit 16348aaccd74281f38a74b40a456984ca002e5cb Author: Michael Rash Date: Fri Jul 27 02:06:58 2012 -0400 replace strlen() call with strnlen() and MAX_SPA_ENCODED_MSG_SIZE bound lib/fko_encode.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 8471d8aae6f835ad91f2cd2ade5e28646c70f59f Author: Michael Rash Date: Fri Jul 27 02:01:43 2012 -0400 semicolon syntax bug fix lib/fko_encode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d561fdd4d7f7847b5ca85f362039b925ca440ed0 Author: Michael Rash Date: Thu Jul 26 18:01:36 2012 -0400 added lib/fko_util.c with basic length checking functions lib/Makefile.am | 6 ++--- lib/fko_decode.c | 3 +-- lib/fko_encode.c | 2 +- lib/fko_encryption.c | 22 +++++++++++++---- lib/fko_util.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/fko_util.h | 3 +++ 6 files changed, 92 insertions(+), 11
deletions(-) commit bdb6cc0eb12be6744081902a7ddd62da338de6ac Author: Michael Rash Date: Thu Jul 26 15:00:32 2012 -0400 Added digest_len and raw_digest_len fields and replaced strlen() calls lib/fko_context.h | 2 ++ lib/fko_digest.c | 15 ++++++++++----- lib/fko_encryption.c | 4 ++-- 3 files changed, 14 insertions(+), 7 deletions(-) commit 3f05a6d25a74a1ced03574bdf457b84eceb5b546 Author: Michael Rash Date: Thu Jul 26 14:53:45 2012 -0400 [test suite] added sha384 and digest type arg tests test/test-fwknop.pl | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) commit 4f1c5b55a4d9f1ab7c7072b674ebdf7dba4eabc2 Author: Michael Rash Date: Thu Jul 26 12:52:25 2012 -0400 [test suite] added --test-limit argument test/test-fwknop.pl | 6 ++++++ 1 file changed, 6 insertions(+) commit e733f4aa4fa1d4431175f4600a4755ce179bcf72 Author: Michael Rash Date: Thu Jul 26 12:21:24 2012 -0400 have encryption calls use encoded_msg_len lib/fko_encryption.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 661991b74787711ec49676828427fd305c6bf8bb Author: Michael Rash Date: Thu Jul 26 04:09:06 2012 -0400 complete cycle tests for client-set digest types test/test-fwknop.pl | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) commit 838829f2bb91758d87137d4344aa7a1ad25bc0d3 Author: Michael Rash Date: Thu Jul 26 00:10:28 2012 -0400 added a new encoded_msg_len to cut down on strlen() calls within libfko lib/fko_context.h | 1 + lib/fko_decode.c | 27 +++++++++++++-------------- lib/fko_digest.c | 16 +++++++++++----- lib/fko_encode.c | 5 +++++ lib/fko_encryption.c | 28 ++++++++++++++++++++-------- 5 files changed, 50 insertions(+), 27 deletions(-) commit c51a85523f4153cbade24da7f7d6475a23f83723 Author: Michael Rash Date: Wed Jul 25 23:38:41 2012 -0400 Added valgrind individual test diff results. 
A new output/valgrind-coverage directory was added to test suite results, and valgrind output is compared in --diff mode using data in this directory. test/test-fwknop.pl | 296 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 180 insertions(+), 116 deletions(-) commit 50436837393efe90e7e627d16c1b7edb88ecfbe0 Author: Michael Rash Date: Tue Jul 24 17:50:17 2012 -0400 [test suite] bug fix after merge to account for new file_find_regex() API test/test-fwknop.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 175374337d12b1935ca8c02e585fa54121cebfc0 Merge: 29fe16d c6b6746 Author: Michael Rash Date: Tue Jul 24 17:10:00 2012 -0400 merged crypto_update after fwknop-2.0.1 merge to crypto_update from master commit c6b674617c096ad7f4180ef8d0b5ad107962040e Merge: 7145cdd 8e26cca Author: Michael Rash Date: Tue Jul 24 16:19:48 2012 -0400 completed merge from master after fwknop-2.0.1 release commit 29fe16d29ff23649a8acd360334c6b5ac83392aa Author: Michael Rash Date: Tue Jul 10 22:16:54 2012 -0400 post-merge fix after merged crypto_update branch changes server/incoming_spa.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit d7c4572521bf0d8b1f822f1c639092dc7bdaf690 Merge: 47e3927 7145cdd Author: Michael Rash Date: Tue Jul 10 22:03:56 2012 -0400 merged test suite changes from the crypto_update branch commit 47e39272edcdd20b226c77c45704041be25a38ad Author: Michael Rash Date: Tue Jul 10 21:44:06 2012 -0400 Make encrypt/decrypt code accept integer key lengths instead of using strlen() Now that encryption keys and HMAC keys may be acquired from /dev/random with --key-gen (and base64 encoded), they may contain NUL bytes. This emphasizes the need to avoid code that assumes C-style (NUL-terminated) strings when handling key material: strlen() would silently truncate such a key at its first zero byte, so key lengths must be carried explicitly.
client/fwknop.c | 40 ++++++++++++++++++++++++++++++---------- lib/cipher_funcs.c | 39 +++++++++++++++++++++------------------ lib/cipher_funcs.h | 6 ++++-- lib/fko.h | 35 +++++++++++++++++++++++------------ lib/fko_encryption.c | 21 ++++++++++++--------- lib/fko_funcs.c | 24 +++++++++++++----------- lib/fko_hmac.c | 9 ++++++--- lib/rijndael.c | 4 ++-- lib/rijndael.h | 5 +++-- server/access.c | 36 ++++++++++++++++++++++++++++++++---- server/fwknopd_common.h | 2 ++ server/incoming_spa.c | 34 ++++------------------------------ 12 files changed, 152 insertions(+), 103 deletions(-) commit 7145cdd8a154d086ec3879edfe2d2fcf3cbae64e (refs/remotes/web/crypto_update, refs/remotes/origin/crypto_update, refs/remotes/fjoncourt/crypto_update, refs/remotes/ag4ve/crypto_update, refs/heads/crypto_update) Author: Michael Rash Date: Tue Jul 10 08:30:11 2012 -0400 Merge from master minor bug fix to include default encryption mode When getting raw digest for replay attack detection specify the default encryption mode (which doesn't actually get used when passing a NULL key). 
server/incoming_spa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e5004dc829f64d15cd5652d49437c3a6ae17d700 Merge: dc8a034 86fde0d Author: Michael Rash Date: Tue Jul 10 08:23:16 2012 -0400 Merge branch 'master' into crypto_update commit dc8a034a4d3a953482bc84a85fe0fe99d8e284e6 Merge: adbc6a8 bc2e41f Author: Michael Rash Date: Sun Jul 8 22:00:13 2012 -0400 merged usage() information from master commit 92e403a242d8d2bf63dc2427caa91085f80d9cba Author: Michael Rash Date: Mon Jul 2 23:50:45 2012 -0400 added initial HMAC-SHA256 support for the client side client/cmd_opts.h | 2 + client/config_init.c | 3 + client/fwknop.c | 159 +++++++++++++++++++++-------- client/fwknop_common.h | 3 + client/getpasswd.c | 4 +- lib/Makefile.am | 4 +- lib/fko.h | 26 ++++- lib/fko_context.h | 2 + lib/fko_encryption.c | 21 +++- lib/fko_error.c | 3 + lib/fko_funcs.c | 59 +++++++++-- lib/fko_hmac.c | 114 +++++++++++++++++++++ lib/fko_state.h | 1 + lib/hmac.c | 80 +++++++++++++++ lib/hmac.h | 54 ++++++++++ server/access.c | 3 + server/fwknopd_common.h | 1 + server/incoming_spa.c | 30 ++++-- test/conf/fwknoprc_default_hmac_base64_key | 72 +++++++++++++ test/conf/fwknoprc_invalid_base64_key | 73 +++++++++++++ test/conf/fwknoprc_named_key | 73 +++++++++++++ test/test-fwknop.pl | 28 ++++- 22 files changed, 741 insertions(+), 74 deletions(-) commit 3095f0ee436540776f185ce7b6a3b7f6e059af45 Author: Michael Rash Date: Wed Jun 27 23:06:17 2012 -0400 Added key generation support with --key-gen Added --key-gen to allow KEY_BASE64 and HMAC_KEY_BASE64 keys to be created from reading random data from /dev/random. These keys can be placed within server access.conf files and corresponding client .fwknoprc files for SPA communications. The HMAC key is not used yet with this commit, but that is coming. 
client/cmd_opts.h | 6 +- client/config_init.c | 103 +++++++++++++++----- client/fwknop.c | 24 ++++- client/fwknop_common.h | 15 ++- client/getpasswd.c | 8 +- client/utils.c | 23 ++++- client/utils.h | 1 + lib/base64.c | 2 +- lib/cipher_funcs.c | 2 +- lib/cipher_funcs.h | 1 + lib/fko.h | 3 + lib/fko_funcs.c | 35 +++++++ server/access.c | 50 ++++++++++ server/fwknopd_common.h | 2 + server/incoming_spa.c | 17 ++++ server/utils.c | 2 +- server/utils.h | 2 +- test/conf/base64_key_access.conf | 3 + test/conf/fwknoprc_with_default_base64_key | 71 ++++++++++++++ test/conf/fwknoprc_with_default_key | 71 ++++++++++++++ test/conf/fwknoprc_with_named_key | 73 ++++++++++++++ test/test-fwknop.pl | 149 +++++++++++++++++++++++++++++ 22 files changed, 625 insertions(+), 38 deletions(-) commit 20e3e3b6e54688858144e000513b1ae5f3504ed7 Author: Michael Rash Date: Sat Jun 23 15:41:58 2012 -0400 added test for client --show-last functionality test/test-fwknop.pl | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) commit adbc6a8f39e43bed7adc29949ed3c56d06cbefb0 Author: Michael Rash Date: Sat Jun 23 15:13:03 2012 -0400 Bug fix to not force asymmetric gpg decryption fwknopd access stanzas can have both Rijndael and GnuPG keys, so this commit fixes a bug where any gpg info would force only gpg decryption attempts even if a Rijndael key is provided in the stanza. 
server/access.c | 1 - server/incoming_spa.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) commit c6a2680be2b4a61266506847de69ba44c6ad32e1 Author: Michael Rash Date: Sun Jun 17 13:57:06 2012 -0400 added test for invalid SOURCE access lines test/conf/invalid_source_access.conf | 7 +++++++ test/test-fwknop.pl | 15 +++++++++++++++ 2 files changed, 22 insertions(+) commit 5f8e3f4a7d145670594a98802a776a26be66d577 Author: Michael Rash Date: Sun Jun 17 13:42:23 2012 -0400 Bug fix to throw out invalid access.conf SOURCE entries This commit causes fwknopd to exit whenever an invalid SOURCE entry is seen such as ":ANY". Previous to this commit, valgrind threw the following errors with ":ANY" as an access.conf SOURCE entry: Invalid read of size 8 at 0x117695: free_acc_source_list (access.c:512) by 0x1177E3: free_acc_stanza_data (access.c:564) by 0x117C67: free_acc_stanzas (access.c:654) by 0x10E32E: free_configs (config_init.c:106) by 0x10D085: main (fwknopd.c:376) Address 0x5a80658 is 8 bytes inside a block of size 16 free'd at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x116AE0: add_source_mask (access.c:255) by 0x116D57: expand_acc_source (access.c:303) by 0x117A82: expand_acc_ent_lists (access.c:620) by 0x119570: parse_access_file (access.c:1043) by 0x10C77E: main (fwknopd.c:193) Invalid free() / delete / delete[] / realloc() at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x1176A8: free_acc_source_list (access.c:514) by 0x1177E3: free_acc_stanza_data (access.c:564) by 0x117C67: free_acc_stanzas (access.c:654) by 0x10E32E: free_configs (config_init.c:106) by 0x10D085: main (fwknopd.c:376) Address 0x5a80650 is 0 bytes inside a block of size 16 free'd at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x116AE0: add_source_mask (access.c:255) by 0x116D57: expand_acc_source (access.c:303) by 0x117A82: expand_acc_ent_lists (access.c:620) by 0x119570: parse_access_file 
(access.c:1043) by 0x10C77E: main (fwknopd.c:193) HEAP SUMMARY: in use at exit: 8 bytes in 1 blocks total heap usage: 1,659 allocs, 1,659 frees, 238,310 bytes allocated server/access.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) commit 10d380d1933d9060d8b1a5b3db4f31cea7390396 Author: Michael Rash Date: Thu Jun 14 20:43:57 2012 -0400 Test suite support for function coverage testing via gcov Added --enable-profile-coverage to the configure script to have the fwknop binaries compiled with gcc profiling support in order to see which functions get executed by the test suite via gcov. The last test executed by the test suite under --enable-profile-coverage contains all fwknop functions that were not executed under the test run (function execution totals are cumulative). configure.ac | 14 ++++ test/test-coverage/iptables/zero_called_functions | 79 +++++++++++++++++++++++ test/test-fwknop.pl | 62 +++++++++++++++++- 3 files changed, 154 insertions(+), 1 deletion(-) commit e3761b8bff47600374803443a97493488bc8b4da Merge: 71690a1 fcf40b5 Author: Michael Rash Date: Mon May 28 14:24:02 2012 -0400 merged minor updates from master commit 71690a1de45b273789af4e26a01594e9d5150eff Author: Michael Rash Date: Mon Feb 13 13:56:24 2012 -0500 bug fix to ensure to pick up proper entropy min/max values extras/spa-entropy/spa-entropy.pl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 65cd9b0038c6e92ff4a36aea652b0d65afda897a Author: Michael Rash Date: Mon Feb 13 12:48:58 2012 -0500 updated to local_spa.key from the test suite directory extras/spa-entropy/spa-entropy.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 0c9946160ce241e9a2c3226e7d0dab64b6bb7910 Author: Michael Rash Date: Sun Feb 12 20:52:17 2012 -0500 ensure CBC is the default symmetric encryption mode extras/spa-entropy/spa-entropy.pl | 40 ++++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) commit
8fd83f5a3f8b1c745b2e932bcaff7f8d850a8b9d Author: Michael Rash Date: Fri Feb 10 15:59:26 2012 -0500 updated docs to reference the default AES encryption mode of CBC doc/fwknop.man.asciidoc | 12 +++++------- doc/fwknopd.man.asciidoc | 10 +++------- 2 files changed, 8 insertions(+), 14 deletions(-) commit de41b0a1ec93fd0e2a913e0c57b495fb2cbbefd1 Author: Michael Rash Date: Fri Feb 10 15:10:19 2012 -0500 bugfix to ensure that incoming SPA data in AES mode is a multiple of the Rijndael block size (16 bytes) lib/cipher_funcs.c | 4 ++-- lib/fko_encryption.c | 9 +++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) commit 6dbe523052161d8553b09a9dad0890d1e7ec0995 Author: Michael Rash Date: Fri Feb 10 15:09:27 2012 -0500 added test suite support for AES CTR, OFB, CFB, and ECB encryption modes client/config_init.c | 2 +- server/access.c | 2 +- test/conf/cfb_mode_access.conf | 4 +++ test/conf/ctr_mode_access.conf | 4 +++ test/conf/ofb_mode_access.conf | 4 +++ test/test-fwknop.pl | 63 ++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 77 insertions(+), 2 deletions(-) commit 6130099b75bee3984757787269bb1e6d24fd1b1b Author: Michael Rash Date: Fri Feb 10 13:38:30 2012 -0500 minor header addition for spa-entropy.pl extras/spa-entropy/spa-entropy.pl | 8 ++++++++ 1 file changed, 8 insertions(+) commit 79a5265be0404b487cd448a6b6f490bfd7459b2c Author: Michael Rash Date: Thu Feb 9 15:23:07 2012 -0500 updated to not base64 decode encrypted packet data by default (can override with --base64-decode) extras/spa-entropy/spa-entropy.pl | 43 +++++++++++++-------------------------- 1 file changed, 14 insertions(+), 29 deletions(-) commit aeb96c502ef5ae8420689cb583142d342d2f5d49 Author: Michael Rash Date: Thu Feb 9 14:56:18 2012 -0500 added --gpg entropy measurement, added sensible gnuplot yrange calculations extras/spa-entropy/spa-entropy.pl | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) commit 280b8c56f0d73488aab23c0396e63b1a7dbbf072
(refs/heads/spa_entropy) Author: Michael Rash Date: Wed Feb 8 14:29:33 2012 -0500 switched CBC mode test (which is the default Rijndael encryption mode) to ECB mode test/conf/cbc_mode_access.conf | 4 ---- test/conf/ecb_mode_access.conf | 4 ++++ test/test-fwknop.pl | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) commit bcb0fcfc1adc78cc39ebf9d5b89965bda4522016 Author: Michael Rash Date: Wed Feb 8 14:16:42 2012 -0500 Re-worked encryption/decryption handling For SPA packets encrypted with Rijndael, fwknop has always used CBC mode even though ECB mode is mentioned in a couple of places. This change makes more transparent use of block_encrypt() and block_decrypt() to ensure that the appropriate mode is used. The default is CBC mode, but others can be selected as well (-M for the fwknop client, and ENCRYPTION_MODE in access.conf for the fwknopd server). lib/cipher_funcs.c | 66 ++++++++++------------------------------------------ lib/fko.h | 2 +- lib/fko_encryption.c | 36 ++++++++++++++-------------- 3 files changed, 32 insertions(+), 72 deletions(-) commit efcefdfb811859b2d957d5e48cdaf5a43f7b34d3 Author: Michael Rash Date: Wed Feb 8 14:15:36 2012 -0500 update display_ctx() to show the entire plaintext data on one line client/fwknop.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 193e1799e608cb33bb1c4145c1d4812feaaccdd8 Author: Michael Rash Date: Mon Feb 6 15:19:03 2012 -0500 made default openssl encryption mode 'aes-256-ecb' extras/spa-entropy/spa-entropy.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit c68358eabd7b2d1d21d82f35200dcc24f920edc5 Author: Michael Rash Date: Mon Feb 6 15:12:31 2012 -0500 added the ability to encrypt fwknop client plaintext data with openssl extras/spa-entropy/spa-entropy.pl | 379 +++++++++++++++++++++++++++----------- 1 file changed, 273 insertions(+), 106 deletions(-) commit a7cb3bf62b54294a9fa5856c9a90b2c5c9fdcc53 Author: Michael Rash Date: Sun Jan 29 22:07:06 2012 -0500 added spa-entropy/
directory for measuring entropy across SPA packets extras/spa-entropy/spa-entropy.pl | 209 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 209 insertions(+) commit 53a6d72cd2cea4a14bfb3f1b65f5dd50116f6795 Author: Michael Rash Date: Sun Jan 29 17:31:12 2012 -0500 added test suite support for CBC mode Rijndael tcp/22 test lib/cipher_funcs.c | 5 +++-- lib/rijndael.h | 6 +++--- test/conf/cbc_mode_access.conf | 4 ++++ test/test-fwknop.pl | 16 ++++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) commit 4c3d2188a1b94c5d33ac34d348e8d48eac858f00 Author: Michael Rash Date: Tue Jan 24 20:26:21 2012 -0500 Update to make AES encryption modes selectable This is a significant update to allow AES encryption modes to be selected on a per-key basis. For now, only ECB and CBC (recommended) modes are supported. The default is ECB mode in order to maintain backwards compatibility with the older perl version of fwknop and the Crypt::CBC CPAN module. This will likely be changed to use CBC mode by default because of its better security properties (ECB encrypts identical plaintext blocks to identical ciphertext blocks and therefore leaks plaintext structure; CBC with a fresh IV does not). In the access.conf file on the server side, there is a new configuration variable "ENCRYPTION_MODE" that controls the mode for the corresponding AES key. On the client side, a new command line argument "--encryption-mode" controls how the client encrypts SPA packets.
client/cmd_opts.h | 4 +++- client/config_init.c | 50 ++++++++++++++++++++++++++++++++++++++++++++---- client/fwknop.c | 31 ++++++++++++++++++++++++++++-- client/fwknop_common.h | 3 ++- doc/fwknop.man.asciidoc | 25 ++++++++++++++++++------ doc/fwknopd.man.asciidoc | 9 +++++++++ lib/cipher_funcs.c | 15 +++++++++------ lib/cipher_funcs.h | 6 ++++-- lib/fko.h | 22 ++++++++++++++++++++- lib/fko_context.h | 1 + lib/fko_encryption.c | 45 +++++++++++++++++++++++++++++++++++++++---- lib/fko_funcs.c | 29 +++++++++++++++++++++++++--- lib/fko_state.h | 3 ++- server/access.c | 43 ++++++++++++++++++++++++++++++++++++++--- server/fwknopd_common.h | 1 + server/incoming_spa.c | 6 ++++-- 16 files changed, 257 insertions(+), 36 deletions(-)