Michael Rash 7bfaee9aef Make valgrind test fail for new flagged functions
In --enable-valgrind mode, this commit adds the ability to compare current test
result output with any previous test suite execution.  Whenever valgrind flags
a new function or if an existing flagged function has a greater number of
calls, then the final valgrind test will fail.  This allows a greater level of
valgrind validation to take place for new code in an automated fashion.  For
example, if a change to a piece of code introduces a memory handling problem of
the sort that valgrind can detect, then the final test will fail like so:

 # ./test-fwknop.pl --include "complete cycle.*HMAC" --enable-valgrind --test-limit 1

 [+] Starting the fwknop test suite...

     args: --include complete cycle.*HMAC --enable-valgrind --test-limit 1

     Saved results from previous run to: output.last/

 [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)...pass (1)
 [valgrind output] [flagged functions] ..............................fail (2)

 [+] 1/1/2 tests passed/failed/executed

The newly flagged functions will be written to the corresponding test file:

 # cat output/2.test

 [+] TEST: [valgrind output] [flagged functions]~
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: main
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_spa_data_final
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: strdup
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_new
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encrypt_spa_data
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encode_spa_data
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_calculate_hmac
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_username
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_rand_value
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_spa_message
 [-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: set_digest
 [-] 1.test New and/or greater number of valgrind flagged function calls
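
The comparison the commit message above describes, as an added Python example; it is not the project's Perl test-suite code. It assumes "flagged" means a function name appearing in a valgrind error stack frame, and the sample valgrind output, addresses and example.c file names are constructed.

```python
import re
from collections import Counter

# Matches valgrind stack-frame lines such as
#   ==4242==    by 0x401A2B: fko_new (example.c:10)
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")

def flagged_functions(valgrind_text):
    """Count how often each function appears in valgrind error stack frames."""
    counts = Counter()
    for line in valgrind_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def regressions(previous, current):
    """Return findings for functions newly flagged or flagged more often."""
    findings = []
    for func, n in sorted(current.items()):
        before = previous.get(func, 0)
        if before == 0:
            findings.append(f"NEW valgrind flagged function: {func}")
        elif n > before:
            findings.append(f"greater number of flagged calls: {func} ({before} -> {n})")
    return findings

# Constructed sample output (not taken from a real fwknop run).
PREVIOUS_RUN = """\
==4242== 16 bytes in 1 blocks are definitely lost in loss record 1 of 1
==4242==    at 0x4C2B6CD: malloc (example.c:1)
==4242==    by 0x401A2B: fko_new (example.c:10)
==4242==    by 0x400F10: main (example.c:20)
"""
CURRENT_RUN = PREVIOUS_RUN + """\
==4242== 8 bytes in 1 blocks are definitely lost in loss record 2 of 2
==4242==    at 0x4C2B6CD: malloc (example.c:1)
==4242==    by 0x4E5D9B9: strdup (example.c:2)
==4242==    by 0x401C00: fko_set_username (example.c:30)
==4242==    by 0x400F3C: main (example.c:21)
"""

def run_check():
    """Compare the two sample runs; a non-empty result means the test fails."""
    return regressions(flagged_functions(PREVIOUS_RUN), flagged_functions(CURRENT_RUN))

if __name__ == "__main__":
    for finding in run_check():
        print("[-]", finding)
```

A function whose count stays the same or drops (fko_new here) produces no finding, so known issues do not fail the run while anything new does.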

This is the top-level directory for the C version of fwknop.

Additional information and details can be found on the fwknop-c site at
http://devmetrix.org/trac/fwknop-c.


INTRODUCTION
============
This distribution will be a C-based implementation of Michael Rash's
Perl-based "fwknop" programs.  For more information on fwknop and what
it is all about, go to http://www.cipherdyne.org/fwknop.


CURRENT STATE
=============
At present, we have an implementation of the Firewall Knock Operator
library, `libfko', as well as the fwknop client and server applications.
The library provides the API and back-end functionality for managing the
Single Packet Authorization (SPA) data that the other fwknop components
employ.  It can also be used by other programs that need SPA functionality
(see the `perl' directory for the FKO perl module as an example).

This first version of the C implementation is planned to be compatible
with legacy Perl-based fwknop version 1.9.x. However, it was decided to
start the version number at 2.0 to differentiate it from the current
Perl implementation.


BUILDING fwknop
===============
This distribution uses GNU autoconf for setting up the build.  Please see
the `INSTALL' file for the general basics on using autoconf.

There are some "configure" options that are specific to fwknop.  They are
(extracted from ./configure --help):

  --disable-client        Do not build the fwknop client component. The
                          default is to build the client.
  --disable-server        Do not build the fwknop server component. The
                          default is to build the server.
  --with-gpgme            support for gpg encryption using libgpgme
                          [default=check]
  --with-gpgme-prefix=PFX prefix where GPGME is installed (optional)
  --with-gpg=/path/to/gpg Specify path to the gpg executable that gpgme will
                          use [default=check path]
  --with-iptables=/path/to/iptables
                          Specify path to the iptables executable
                          [default=check path]
  --with-ipfw=/path/to/ipfw
                          Specify path to the ipfw executable [default=check
                          path]
  --with-sh=/path/to/sh   Specify path to the sh executable [default=check
                          path]


NOTE to those who may be migrating from the Perl version of fwknop
==================================================================
For those of you who are currently using the Perl version and plan to 
migrate to this version, there are some things to be aware of:

    - Not all of the features and functionality of the Perl-based
      fwknop were ported to this implementation.  We felt it important
      to keep the C version as lean and lightweight as possible.  Most
      of the omitted feature/functions (like email alerts) can be
      accomplished through other means (i.e. use an external script
      to monitor log files and alert based on appropriate log messages).

    - There are some differences in the fwknop configuration and access
      file directives and values.  Some of these are fairly subtle. You
      should pay careful attention to the documentation and comments in
      those files.


NOTE FOR DEVELOPERS
===================
If you are pulling this distribution from git, you should run the
"autogen.sh" script to generate the autoconf files. If you get errors about
missing directories or files, try running "autogen.sh" again.  After that
you can run "autoreconf -i" when you want to regenerate the configuration.
If, for some reason, autoreconf does not work for you, the "autogen.sh"
script should suffice.

The fwknop and fwknopd man page nroff sources are included in their
respective directories (client and server).  These nroff files are derived
from the asciidoc sources in the 'docs' directory.  See the README in docs
for details.
