-
Notifications
You must be signed in to change notification settings - Fork 229
/
ShortLog-v2.0
453 lines (449 loc) · 40.6 KB
/
ShortLog-v2.0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
Damien S. Stuart (1):
Refactored configure.ac to use a custom macro for compiler flag checks. Set version to 2.0 (non-release candidate). Minor typo fixes.
Damien Stuart (233):
Initial import.
Initial Makefile and first cut at fwknop.h, the spa_random_number function, and a program for testing the functions.
Added strlcat/cpy functions. Added spa_user function.
Added spa_timestamp function.
Added more source files. Split out libfwknop functions to a static lib. Misc updates.
Added base64 and md5 code.
Added sha256 code.
Added sha1 refactored the access to the digest routines via digest.c. Other misc teaks to format and style of digest code.
Added rijndael code, spa digest and message functions, and a shitload of other changes and tweaks.
Makefile tweak.
More updates to address compatibility issues with the perl version of fwknop.
Total re-arrangement for autoconf/automake implementation.
Another major re-write of the fwknop library.
Re-arrangement of source tree.
Remove files that were stored as sym links.
Putting the reg version of the files back
Updates to allow for building libfko as a shared lib. (make use of libtool).
Added documentation stub.
Made fko.h an include_HEADER for proper distribution.
Tweaks to add some more ctx state tracking.
Minor docs update - Added GPL to info doc.
Added some basic format checking to spa message data and message_type checks when client_timeout is set/unset.
Added fallback for isdigit() if ctype.h is not available.
Added decrypting/decoding/parsing of SPA data.
Added gpl-2.0.texi file to doc/Makefile.am so it is included in the dist.
Code format tweaks. Added a couple more convenience functions.
more checks for configure. omit salt from Rijndael-encrypted data as returned by fko_get_dpa_data.
Update to docs.
Some progress on the libfko doc.
Documentation updates and minor tweaks.
Documentation fixes.
Reorganized libfko doc.
Made the context struct opaque to users of the library. Somewhat major API tweak in that fko_ctx_t is not a pointer type and the fko_new functions take a pointer to that.
Broke these out from fko.h.
Minor tweaks, and fixed one potential memory allocation issue discovered with valgrind.
Updated README
First cut at GPG encrytion support (decryption and doc update are pending).
Fixed a potential bug where the NULL-termination of the base64-encoded data was being lost during process just before rijndael decryption.
Removing files that are auto-generated by the autogen.sh script.
Fixed gpgme check so it would not fail if gpgme was not installed. Setup to allow using --with[out]-gpgme option to configure.
Fixed configure.ac again (I broke it with my last change). Added first cut at gpg decryption routine.
Added fwknop.h to the source list in Makefile.am so it will be included in the distrubution.
Documentation updates and minor tweaks. Made it version 1.10.0 consistent in caonfigure.ac and fko.h.
Make version consistent for real this time.
Fixed flag on gpgme_keylist_next that was forcing only private keys for recipient. Fixed typo in docs.
Added more gpgme-related errors and error checking. Other minor tweaks.
Slightly improved and cleaner GPG error handling (there is still plenty of room for improvement).
Some minor cleanup and tweaks to gpgme code.
Add more compiler conditionals for GPGME support to fix error during compiles on systems without gpgme.
Replaced deprecated gpgme_key_release calls with gpgme_key_unref. Fixed more potential memory leaks.
Split out the source files. Added processing for a couple more command-line options.
Added getpasswd routine for getting a password from the user. A few updates to the lib to accomodate clearing the password after we are done with it. Update the fwknop program to reflect/use some of the new functionality.
Update libfko docs for the gpgme-related error codes and function.
Fixed minor typo
Fixed typo in Makefile.am
Added better autoconf handling of gpgpme. Fixes so libfko will compile under FreeBSD (7.0 release anyway).
Better error checking/message for decription. Fixed typo in docs.
Updated autoconf files and code to support Solaris (ver 10 x86 at least). This includes better type checking and resolving some conflicting names under Solaris.
Tweaked byte order determination for Solaris systems.
Added gpg-home-dir support to libfko and the fwknop program. Added the fko_set_spa_data() function. Documentation updates and other tweaks to support these changes.
Fixed typo in doc
Fixed segfault issue when spa_data_final was called before spa_message was set.
Fixed double-free when destroy was called after a failed gpg encryption/decryption.
Added perl module code to the repository.
Interim check-in of API changes, libfko and fwknop binary now support the updated API. Docs and Perl module are pending.
Tweaks to updated API. Added GPG signature checking and processing functions. Updated Perl module and perldoc for new API and functions.
Updated documentation to reflect API changes and GPG signature functions.
Added the Perl module files to Makefile.am so they will be included in the dist.
Changed fko version to 1.9.12. Made signing GPG-encrypted messages optional.
Made the dist name "fwknop-c" so as not to confuse it with the current "fwknop".
Updates and revisions to accommodate a Windows build.
Updated Makefile.am to add win32 directory to the dist.
Added getopt_long and getlogin capability to the Windows build.
Removed old test code from fwknop client. Other tweaks and enhancements.
Fixed bad variable name after moving the winsock startup code to a the send_spa_packet function.
Implemented sending spa data via TCP or ICMP via SOCK_RAW (unix only so far).
Added sending via tcp (established) conneciton. removed --debug as an option. Some minor code reformatting and refactoring.
Tweak for win32 platform
Yet another tweak for win32.
Tweaks again for win32 build
Brought Error constants in sync with libfko.
Minor updates to non-code-related files. Changed some copyrights to 2009.
Forgot to bump the perl module minor version number.
Added a TODO file
Added the digest types constants to the types and individual export tags.
Added handling of Backspace and Ctrl-U in the Win32 handling of get_passswd.
Tweaks to the win32 build (Visual Studio project configs).
Fixed spa access message validation routine to allow for multiple comma-separated requests in one message.
Tweaks to cover WIN32 build. Added print of error if tcp connect() fails.
Fixed some formatting errors in the POD.
Added SHA384 and SHA512 digests. Tweaks for getting rid of windows warnings. Use recv instead of read on socket. Bumped version to 0.63 (libfko) and 0.23 (FKO perl module).
Forgot to add the files for the updated SHA digests (oops).
Update the VS project file for the new SHA digest files and functions.
Fixed typo (actually a cut-and-paste remnant) in the doc.
Major rearrangement. Renamed directories: "fko" to "lib", "src" to "client". Added "common" and "server" directories. Setup autoconf to allow disabling the server and/or client builds.
Forgot to add the server dir.
Made the configure help message show --disable-xxx as the options for whether or not to build the server or client.
Some minor refactoring of the TIME_OFFSET handling. Other minor code formatting tweaks.
Updates to accommodate the Windows build.
Changed http_resolve_host code to make it work with or without trailing whitespace in returned content. Updated the IP address format and value checking code. Switched back to whatsmyip.com as default IP resolver.
Updated ip,port format and value check.
Fixed another minor typo in the doc
Added fwknop.man.asciidoc to docs and fwknop.8 man page to client (derived from fwknop.man.asciidoc).
Added check for libpcap. More stubbing in on the server code side.
Added more server command-line and config file processing code. Updated autoconf config for new checks and files.
Added override config handling and updated the config_init routines to parse everything in the correct order (i.e. config file, override configs, then command-line).
Minor manpage tweak
More tweaks to config file processing, including simple variable expansion.
Added some more stuff to deal with byte order identification on Solaris 10 x86 systems.
Added perl/legacy distribution (fwknop-1.9.12). Renamed this distribution from fwknop-c to simply fwknop. Made the version 2.0.0-alpha.
Removed the wipe_pw routine as it could result in segfaults when a static key is used.
Added some more (stubbed-in) server code and functions. Minor doc tweak.
Updated pid/lock file handling. Implemetned -K option.
Updates and enhancements to logging functions. Now log_msg writes only to stderr when running in foreground. Default log facility is LOG_DAEMON. Config file options of ENABLE_PACP_PROMISC, HOSTNAME, SYSLOG_IDENTITY, and SYSLOG_FACILITY are processed.
Updated sniffer to be able to handle the linux "any" interface.
Added stubs and some handling for signals. SIGHUP induces the re-reading the configs and restarting the capture loop. SIGTERM and SIGINT simply trigger a graceful exit. Trimmed some more of the configuration options.
Fixed memory leak issue in libfko when fko_new_with_data() was called with a bad key. Added autoconf checks for gdbm with fallback to ndbm for server builds. Added digest cache capability using gdbm (in ndbm compatibility mode) or ndbm for replay detection.
Changed digest cache to use gdbm directly wth fallback to ndbm (still not tested).
Fixed missed MY_DBM_CLOSE call
Fixed minor typo in the POD synopsis (thanks Franck!).
Updated digest cache to store additional information including src ip, created, first_replay, last_replay, and replay count.
Fixed bug in signal handling when libpcap version 1.0 is used. Minor doc update.
The default conf and run directories are captured from the autoconf output. Added post install hook to create the xxx/var/run/fwknop directory (which works, but breaks the "make distcheck" feature of autoconf). Changed order of config processing and set conf struct for some default and overridden parameters so they will be shown properly when -D is used.
Autoconf updates for detecting locally installed program paths and changes to facilitate portability. Also set AM_MAINTAINER_MODE so we are not forced to regen/reconfigure when we change one of the autoconf source files (but we do now need to remember to do it ourselves before making a new dist).
Made local exe checks run only of a server is being built. Removed checks for external progs that may not be needed yet.
Added configure args for specifying specific pathes to the local executables used by fwknopd.
Fixed incorrect variable in configure.ac.
Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only of ENABLE_DIGEST_PERSISTENCE is "Y".
Added check for and create of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file.
Added access.conf handling and processing. Added a new acces.conf parameter: RESTRICT_PORTS for specifying 1 or more proto/ports that are explicitly not allowed.
Updated changelog. Made the fwknop.man.asciidoc match the changes made to the fwknopd.8 manpage.
Commented out AM_MAINTAINER_MODE.
Added support for multiple GPG_REMOTE_ID values from access.conf (still need to implement the use of those however). Also, went back to support colons (:) as an optional part of the access.conf parameter name (better to keep backward compatibility).
Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decyption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.
Bumped working version to 2.0.0-alpha-pre2 to differentiate from the tagged 2.0.0-alpha-pre1. Updated Changelog.
Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworkd the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encypted message data. Removed the previously add pretty-print routine to configure. Updated configure to check for path to gpg executable. Updated docs accordingly.
Forgot to remove the m4 dir from Makefil.am
Tweaks to eliminate warnings on win32 build of libfko and client.
Updated TODO list (removed items that were compled and/or deprecated).
Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it.
Changed to fix possible double-free bug under some circumstances.
Started firewall rule processing. Added rule initialization. Added some of the initial routines for external command execution with ability to capture stdout, stderr, and exit status.
Minor tweaks to firewall rules processing and external command execution code.
Added the fwknopd.8 man page.
First cut at creating access rules and removing them when they expire (not sure I like this implementation but it is a start).
Very minor comment and code tweaks (mostly just an excuse to test the relocation of the svn server).
Added support for FWKNOP_OUTPUT_ACCESS and NAT_ACCESS modes (still needs testing and tweaking).
Tweaked firewall rule creation code. Added SNAT/MASQUERADE support. Fixed rule processing code so an INPUT rule was not created for NAT request. Still needs more review and testing.
Mostly documentation file updates.
Added support for parsing and processing SPA requests over HTTP. Beefed up verbose logging a bit. Added some more sanity checks on the validity of incoming SPA data before attempting to decode.
Tweak to client usage message output. Added TCP server funcionality to the server (call it a first cut).
More tweaks. Added SIGCHLD handler and code to try to restart the TCP server if it dies for whatever reason.
Some tweaks to the sigchld handling in the server. Other misc minor cleanup.
More updates to take care of warnings on Ubuntu systems (fixes for common sense warnings that should have come up om my Fedora system but didn't).
Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. removed some unimplemented and/or unused parameters and config directives (as well as thier respective documentation references. Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one.
More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument.
Added support for COMMAND_MSG requests. Also added CMD_EXEC_USER to access.conf to allow for fwknopd to setuid to the specified user before running the command. Other minor tweaks.
Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implement the checking of GPG signature IDs against the GPG_REOMOTE_ID list.
Updates to TCP server to close the lock file handle, use a non-blocking socket, and detect when the parent fwknop dies so it can exit as well.
Changed the way running external commands are hanlded to address issues with it not working on some systems/configurations. Just using system and popen and fw commands are run with stdout and stderr tied to gether.
Put locale code back in. More cleanup of config directives and options.
More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.
Due to issues and usage restrictions on whatismyip.com, I am making the default resolve_ip_http url www.cipherdyne.org/cgi-bin/myip.
Added .fwknoprc file creation and processing. This allows for saved default and named configuration profiles. Updated fwknop manpage to reflect the new capability. Also cleaned up messages (errors, info) from the program.
Added installation hook to set the perms on the .conf files to 600 during make install. Minot doc tweak.
Fixed bad param name in generated .fwknoprc file.
Fixed bug where named-stanza was not being found when it indeed existed.
Added fwknop.spec for rpm builds. Removed the server post install hook as it breaks make distcheck and rpm builds.
Minor cleanup on the spec file.
Fixed bug where ALLOW_IP of resolve was not overridden by an ALLOW_IP parameter in a named stanza. Removed erroneous invalid parameter from the initially generated .fwknoprc file.
Fixed issues found by the Windows compiler (that I would think would have been flagged by gcc).
Removed unreferenced variables.
Use USERPROFILE instead of HOME for homedir determination on win32 builds.
Fixed autoconf config so libfko and fwknop client are not linked with libpcap and libgdbm. Fixed some issues in the fwknop.spec file.
Fixed another oops in the spec file.
Renamed the legacy perl verison of fwknop.spec to fwkop-legacy.spec to resolve rpmbuild confusion when using the -tx options.
Manpage updates
Added AC_SYS_LARGE_FILE to configure.ac
Modified top-level Makefile.am so the legacy perl stuff is not packaged into the distribution tar file. More cleanup of the fwknopd man page.
Slightly revamped how signals were setup.
Reworked how man pages are generated. Now, man pages in the client and server directory are "fwknop(d).8.in" and a target was added to Makefile.am to create the man pages while doing variable substitutions based on directives specified via the configure script. Minor tweak to fwknop.spec file.
Removed checks for sig verification flag on gpg_sig info related functions.
Reverted last libfko change. Added set verify_sig flag when remote_ids are specified.
Moved force set of verify flag on remote_id value to before decryption phase.
Added the fwknopd_errors.[ch] files which provides the get_errstr() and fwknopd_errstr() functions. The get_errstr() function takes and error_code, tries to determine the type, then calls the appropriate xxx_errstr function to return a description string. Fixed some minor errors in the libfko API docs.
Almost all he conf variables have a default value if they are not there (or set). All the entries in the initial fwknop.conf file are not commented out adn can be override as needed.
Fixed some misplaced dependencies in the fwknop.spec file.
Updated the version number in the win32 config.h copy
Updates and clean-up to address the many compiler warnings when compiled with -Wall. Also some autoconf updates
Per Franck Joncourt - Corrected misspelled word in fwknopd man page and access.conf.
Added check to make sure a firewall program is set.
Removed a debug print statement.
Cleaned out some old commented-out sections configure.ac and fixed an issue where exteranl file checks would fail when running configure in cross-compiler environment. No code changes made.
Added extras directory. Bumped version in autoconf to 1.0.0rc2.
Fixed issue with spaces in in access.conf comma-separated values. Fixed issue with GPG signature check being forced when GPG_REMOTE_ID is set and GPG_REQUIRE_SIG was "N". Updated dependency in the spec file. Updates to ChangeLog.
Added some OpenWRT-related files to the extras directory.
Tweaks to autoconf files.
Updates to accomodate building and compiling on FreeBSD systems.
Oops left out new header for last update.
Uncommented call to check_firewall_rules (left in while debugging freebsd build).
Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw and ipf firewall types. Updated autoconf to set a firewall type and path depending on configure arguments.
Start of addition of access requests via ipfw.
Added rule expire and purge for ipfw. Almost there...
Missed a config file update on the last check-in.
Wrapped #ifdef around a linux-specific chunk.
Made fw_cleanup not remove rules from the expired rule set. Added code to read in any existing expired rules into the rule_map at startup.
Made autoconf print an error message indicating ipf is not supported if it is specified. Changelog updates.
Minor fwknopd man page tweak.
Fixed handling of man page generation in Makefile.am so it works from alternate build directories.
Set pcap non-block mode back on unless it is a freebsd system. Server verbose output no longer shows access key or GPG password.
Tweaks to the fwknop.spec file
Put the usleep back pcap_capture (oops).
Needed to bump libfko revision to 2 do identify as part of newer dist.
Update added HAVE_ERRNO_H 1 to win32/config.h.
Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.
Updated perl module for additional error messages.
Updated the GPL blurb at the top of the source files. Added some missing copyright statements (Thanks to Franck Joncourt).
Added code to zero out rcfile path before setting it. Also added a bounds check to that as well.
Minor comment and documentation tweaks. Add the python directory which contains my first cut at a libfko Python wrapper module.
Added the Fko class code to wrap the _fko wrapper around libfko.
Added pydoc text to the fko python module. Minot tweak to setup.py.
Do not need parens around expression in if statements in python (still learning).
Fixed bug where libfko would segfault if fko_get_spa_data() was called before fko_spa_data_final() was called (and successful). Added include of time.h in fko.h.
Additional docs and classes added to the fko python module. Minor tweak and bumped version in the fwknop.spec file.
Removed unnecessary include.
Adding Max Kastanas's fwknop client app code for Android
Minor update to the android README
Added python/fko.py to Makefile.am so it is also included in distributions. Minor tweak to address compile error on Mac os X.
Fix check and handling of ndbm as an option for the digest cache.
Added a no-digest-cache configure option and capability (though it is not recommended).
Set FD_CLOEXEC on pid file descriptor. Added support for setting the URL for resolving source IP via command-line or the .fwknoprc file.
Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist.
Merge branch 'master' of https://github.com/mrash/fwknop
Max Kastanas (1):
Codebase of Fwknop client for iOS (iPhone) devices
Michael Rash (210):
Merged in fwknop-c-ubuntu branch changes via:
- Added command line argument processing for:
- Added code to send SPA packet data over a UDP socket. - Added minor validation step to enforce --Destination usage if not running in --Test mode (will extend this validation to include other option).
minor update to not force --Destination in --Version mode
added Id tag expansion
-Added the --get-key option to allow SPA passwords to be read from a file. This feature will be useful for an automated test suite that drives the fwknop C client against an SPA server implementation.
Added the following options:
minor bug fix to anticipate closing newline in a password read from a file via --get-key
updated to concatenate the allow IP and access string for fko_set_spa_message()
updated Copyright to Damien
Minor bug fix to process gpg command line arguments properly when handling the command line.
removed unnecessary initialization of string vars to 0x0 because the earlier memset() takes care of this
added the --save-packet argument so that SPA packet data can be saved to the local filesystem by the fwknop-c client
added --save-packet-append so that SPA packet data can be appended to a file
minor link update for the cipherdyne.org website
minor wording update to match fwknop help to config_init.h for --server-proto option
minor typo fix (gps -> gpg)
bug fix suggested by Damien to allow the recompute of the SPA digest to properly happen when calling spa_digest() with a true value
initial stab at libfko server daemon TODO's
added B64_GPG_PREFIX 'hQ' string for GnuPG prefix handling (similar to the 'Salted__' handling for Rijndael SPA packet encryption
- Added the ability to send SPA packets over valid HTTP requests with the fwknop-c client. - Added support for transmitting SPA packets over IPv6 via TCP and UDP sockets, and also via HTTP. - Added GnuPG 'hQ' base64 encoded prefix handling (this prefix is stripped out of encrypted SPA packet data). - Added hostname resolution support to the fwknop-c client if the SPA server is specified as a hostname instead of an IP address. - Minor bug fix to allow a GnuPG password to be specified via the --get-key functionality.
* Got forward and local NAT modes working with the --nat-access, --nat-local, --nat-port, and --nat-randport options. All NAT modes are now passing the fwknop test suite. * Added the --server-command option to build an SPA packet with a command for the server to execute. * Added the --fw-timeout option for client side timeouts to be specified. * Added the --time-offset-plus and --time-offset-minus options to allow the user to influence the timestamp associated with an SPA packet. * Added the --rand-port option so that the SPA packet destination port can be randomized.
* Added the --show-last and --no-save command line options to show the command line used for the previous fwknop invocation, and to have the fwknop client not save its command line arguments. * Bug fix to force libfko to recalculate the random data embedded in the the SPA packet after a random port is acquired via --rand-port or --nat-rand-port. This is a precaution so that an attacker cannot guess some of the internal SPA data based on the destination port number.
changed the minimum destination SPA port from 1024 to 10,000
minor doc updates
Added the --source-ip argument to build SPA packets with 0.0.0.0 (the fwknopd server can wrap access controls around this)
bugfix to order HTTP request headers properly, updated the user agent for SPA over HTTP to use the options->http_user_agent variable (can be set from the command line)
added the --resolve-ip-http and --user-agent command line args so the fwknop-c client can resolve the external network via http://www.cipherdyne.org/cgi/myip.cgi
updated SPA over HTTP packets to always begin the a slash right after the GET string, updated to print SPA packets over HTTP to stderr in test/verbose mode
updated to handle the fwknop-c version string '2.0.0-alpha' in HTTP tests
Added --List-mode so that identifying strings for tests can be printed on stdout. This is useful to see what is available for --test-include regex's.
Added better --debug output for time differences on incoming SPA packets. This makes it easier to tell when there are problems with time synchronization between the fwknop client and fwknopd server systems.
- Added --http-proxy argument to the fwknop C client. - (Legacy code): Changed HTTP proxy handling to point an SPA packet to an HTTP proxy with -D specifying the end point host and --HTTP-proxy pointing to the proxy host. This fix was suggested by Jonathan Bennett.
added Daniel Lopez, and Jonathan Bennett's proxy fix
added the latest http proxy fixes to the ChangeLog
(Legacy code) Applied patch from Jonthan Bennett to support the usage of the http_proxy environmental variable for sending SPA packets through an HTTP proxy. The patch also adds support for specifying an HTTP proxy user and password via the following syntax:
* (Legacy code) Bug fix to allow the --rand-port argument to function along without an inappropriate check for the --Server-port arg.
minor bug fix to ensure that -R resolution work with --URL=http://www.cipherdyne.org/cgi/clientip.cgi
minor bug fix to not append --Server-port option in --rand-port mode
bumped version to 2.0.0-alpha-pre1
minor update to include the -f arg in the usage() output
Added --packet-limit to fwknopd so that the number of incoming candidate SPA packets can be limited from the command line. When this limit is reached (any packet that contains application layer data and passes the pcap filter is included in the count) then fwknopd exits.
added Id tag expansion
added Id tag expansion
minor spacing fix
added --http-proxy and --no-save-args to usage() output
added --http-proxy argument to the fwknop.8 man page
removed unnecessary --no-save arg since --no-save-args covers it
Added --access-file command line arg to fwknopd so that the path to the access.conf file can be specified from the command line.
added -a arg to fwknopd usage() output
minor update to the fwknop client to use '#define GETOPTS_OPTION_STRING' for getopt() command line arg processing.
* Added a new command line argument "--last-cmd" to run the fwknop client with the same command line arguments as the previous time it was executed. The previous arguments are parsed out of the ~/.fwknop.run file (if it exists). * Bug fix to not send any SPA packet out on the wire if a NULL password/key is provided to the fwknop client. This could happen if the user tried to abort fwknop execution by sending the process a SIGINT while being prompted to enter the password/key for SPA encryption.
(legacy code) (test suite) Bug fix for GnuPG SPA/HTTP tests not pointing to the proper HTTP output file
* Fixed a few minor warnings like the following:
added --last-cmd argument to fwknop(8) man page via the fwknop.man.asciidoc file
added --server-cmd arg to fwknop client man page and help output
bug fix in --packet-limit handling to ensure multi-packet processing when the arg is not used
Added minor validation code to access.conf parsing to ensure that a SOURCE stanza begins with the SOURCE variable and that there is at least one usage of the OPEN_PORTS and KEY variables. The OPEN_PORTS requirement might be relaxed when PERMIT_CLIENT_PORTS handling is added.
bug fix to ensure the --last-cmd re-parsing of command line args via getopt_long() has a reset index
Update to call parse_proto_and_port() before allocating a new port list. This fixes the following stack trace when generating an SPA packet that contains "none/0" for the port list:
updated to call dump_access_list() if -D was given to dump config information
applied patch from Franck to catch a couple of man page typos
Updated to define a default gpg keyring path of /root/.gnupg, and if the GPG_HOME_DIR variable is not defined in the fwknopd.conf file or the access.conf file, then this default will take over.
minor macro update to define the default gpg keyring
minor update to check the gpg keyring path setting in access stanzas only if a decrypt password is specified
- added is_valid_dir() utility function for checking directory stat()/existence (this is used for gpg keyring path validation).
added --fw-list arg to the fwknopd daemon to list all current firewall rules for any running fwknopd process
removed additional wait() call from run_extcmd(), updated --fw-list to just use system() to execute the iptables listing commands
Bug fix for USE_NDBM variable so that client-only builds work. The specific error before the patch along with the command line invocation of the "configure" script appear below:
minor bug fix to account for PATH_SEP being defined as a character instead of a string
minor off-by-one fix for home directory path separator
Removed legacy $Id$ tags from svn
Bug fix for uninitialized variable found with splint static analyzer
Minor rename in support of non-dbm file cache
Added autoconf support for non-dbm file cache.
Updated digest file path for gdbm/ndbm support
Added --pcap-filter to the fwknopd command line
Merge branch 'master' into optional_dbm_support
Implemented linked list cache of SPA digests
Started on code to parse the digest cache file
Added dst IP to tracked SPA data
Added source port and protocol to digest tracking
Added digest file import code
Consolidated replay warnings in a single function
Implemented memory clean up for digest cache list
Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett
Minor variable cleanup to fix compiler warnings
Added stack protection, PIE, fortify source, etc.
Updated replay warnings to include proto/port info
Update to force base64 check for all SPA data
Update to add any missing iptables jump rules
Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling
Added ChangeLog derived from git commit messages.
Bumped version to fwknop-2.0.0-rc3
added the VERSION file
Bug fix for ./configure args to disable compile time security options
Added -Wall for all gcc warnings during compile
minor commit to fix minor compilations warnings
Minor restructuring to suppress compiler "defined but not used warnings"
Update to suppress additional compiler warning
On FreeBSD disable read-only relocations and immediate binding protections
Fixed a few minor compiler warnings on FreeBSD
On FreeBSD, made gpgme header path inclusion optional
Bug fix to create the digest.cache file at init
Bug fix for missing set existence check on ipfw firewalls
Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules
Updated ChangeLog with all changes from 2.0.0-rc3
Added version specific ChangeLog, ShortLog, and diffstat files.
bumped version to 2.0.0rc4
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
Disabled read-only relocations and immediate binding compiler protections
Added autoconf check for pf firewalls
PF support on OpenBSD in progress, fwknop --fw-list now works
Added --fw-list info to --help
For PF firewalls implemented a check for an active fwknop anchor
Minor copyright holder update
PF rules are now added to the fwknop anchor
minor comment typo fixes
Added the ability to delete PF rules
Update to make _exp_ string a #define
Check for active_rules > 0 before decrementing
Added read-only relocations and immediate bindings
Replaced all strcpy() calls with strlcpy()
minor typo fix: fwkop -> fwknop
Merge pull request #5 from maxkas/master
Added the fwknop lsof launcher under the extras/ directory
Merge branch 'master' into fwknop-launcher
Added --help usage information
Initial start on a test suite
minor update to account for hardening-check return values
switched --help output to stdout from stderr
minor update to switch to stdout when exiting with success
removed
interim commit to add major functionality to the fwknop test suite
started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance
minor typo fix
added the test/conf/ directory for config files use by the test suite
minor bugfix to ensure that the proper firewall is used to collect system specs
minor wording update netfilter -> iptables
minor whitespace fixes
minor update to allow fw rules to be dumped before parsing the access.conf file
Added usage of sudo for recompilation test
Added --fw-list-all and --fw-flush
Minor PID string length fix
added client/server interaction test capability
Added --digest-file and --pid-file args
added first complete SPA cycle test
minor removal of whitespace
added replay attack detection test
added rule timeout detection
added Rijndael SPA validity tests
added -P bpf filter test
added -P bpf test for complete SPA cycle over non standard SPA port
added test to validate digest.cache structure
minor whitespace removal
added first GPG complete cycle SPA test
extended packet validity tests in GPG mode
minor update to match include/exclude criteria on the whole test message
added digest cache validation after GPG tests
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier
minor whitespace removal
update to detect loopback interface
compiler warning fix for sscanf() on freebsd
added 'const' to function prototype vars where possible
Update to print all firewall commands in --verbose mode
Update to ensure libfko.so path is detected properly on OpenBSD
added stack protection detection for OpenBSD systems
minor whitespace removal
update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces
bugfix to return preprocess_spa_data() result properly to calling function
[test-suite] added the ability to run all fwknop tests through valgrind
minor looping criteria update for valgrind tests
updated client SPA verbose message to include the server IP/host
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
Fixed fwknopd memory leak, several other fixes and updates
consolidated several test functions into a single generic_exec() function
added --diff mode to the test suite to compare results from one execution to the next
remove CMD timestamps for --diff mode
This commit fixes two memory leaks and adds a common exit function.
minor test wording consolidation
simplified the client/server interaction code, started on IP filtering tests, added spoof username tests
added IP/subnet match tests, added --Anonymize-results mode
added tests for various access.conf variables
added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access
bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
added test for --test mode in the fwknop client
bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)
added SPA packet aging tests
Added access stanza expiration feature, multiple access stanza bug fix
memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
minor newline fix for access.conf output dump
Added FORCE_NAT mode to the access.conf file
minor compile fixes for FreeBSD
minor compiler warning fix on OpenBSD
added CREDITS file, bumped software version, added ChangeLog files
added CREDITS file, bumped software version, added ChangeLog files
Added various files to Makefile.am so that 'make dist' continues to work
change log doc updates
Added the CREDITS file for 'make dist'
minor addition of the CREDITS file for 'make dist'
added local_spa.key file
added local_spa.key file
minor addition of the local_spa.key file for 'make dist'
updated copyright and license statement - fwknop is GPL software
minor wording update subversion -> git
bumped version to 2.0
minor test suite addition to check for linker input file warnings
minor test suite update to look for linker warnings in a more generic way
added FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding protection compliation warnings on FreeBSD
bumped version to 2.0