Damien S. Stuart (1):
      Refactored configure.ac to use a custom macro for compiler flag checks. Set version to 2.0 (non-release candidate). Minor typo fixes.

Damien Stuart (233):
      Initial import.
      Initial Makefile and first cut at fwknop.h, the spa_random_number function, and a program for testing the functions.
      Added strlcat/cpy functions. Added spa_user function.
      Added spa_timestamp function.
      Added more source files. Split out libfwknop functions to a static lib. Misc updates.
      Added base64 and md5 code.
      Added sha256 code.
      Added sha1 refactored the access to the digest routines via digest.c. Other misc tweaks to format and style of digest code.
      Added rijndael code, spa digest and message functions, and a shitload of other changes and tweaks.
      Makefile tweak.
      More updates to address compatibility issues with the perl version of fwknop.
      Total re-arrangement for autoconf/automake implementation.
      Another major re-write of the fwknop library.
      Re-arrangement of source tree.
      Remove files that were stored as sym links.
      Putting the reg version of the files back
      Updates to allow for building libfko as a shared lib. (make use of libtool).
      Added documentation stub.
      Made fko.h an include_HEADER for proper distribution.
      Tweaks to add some more ctx state tracking.
      Minor docs update - Added GPL to info doc.
      Added some basic format checking to spa message data and message_type checks when client_timeout is set/unset.
      Added fallback for isdigit() if ctype.h is not available.
      Added decrypting/decoding/parsing of SPA data.
      Added gpl-2.0.texi file to doc/Makefile.am so it is included in the dist.
      Code format tweaks. Added a couple more convenience functions.
      more checks for configure. omit salt from Rijndael-encrypted data as returned by fko_get_dpa_data.
      Update to docs.
      Some progress on the libfko doc.
      Documentation updates and minor tweaks.
      Documentation fixes.
      Reorganized libfko doc.
      Made the context struct opaque to users of the library. Somewhat major API tweak in that fko_ctx_t is not a pointer type and the fko_new functions take a pointer to that.
      Broke these out from fko.h.
      Minor tweaks, and fixed one potential memory allocation issue discovered with valgrind.
      Updated README
      First cut at GPG encryption support (decryption and doc update are pending).
      Fixed a potential bug where the NULL-termination of the base64-encoded data was being lost during process just before rijndael decryption.
      Removing files that are auto-generated by the autogen.sh script.
      Fixed gpgme check so it would not fail if gpgme was not installed. Setup to allow using --with[out]-gpgme option to configure.
      Fixed configure.ac again (I broke it with my last change). Added first cut at gpg decryption routine.
      Added fwknop.h to the source list in Makefile.am so it will be included in the distribution.
      Documentation updates and minor tweaks. Made it version 1.10.0 consistent in configure.ac and fko.h.
      Make version consistent for real this time.
      Fixed flag on gpgme_keylist_next that was forcing only private keys for recipient. Fixed typo in docs.
      Added more gpgme-related errors and error checking. Other minor tweaks.
      Slightly improved and cleaner GPG error handling (there is still plenty of room for improvement).
      Some minor cleanup and tweaks to gpgme code.
      Add more compiler conditionals for GPGME support to fix error during compiles on systems without gpgme.
      Replaced deprecated gpgme_key_release calls with gpgme_key_unref. Fixed more potential memory leaks.
      Split out the source files. Added processing for a couple more command-line options.
      Added getpasswd routine for getting a password from the user. A few updates to the lib to accommodate clearing the password after we are done with it. Update the fwknop program to reflect/use some of the new functionality.
      Update libfko docs for the gpgme-related error codes and function.
      Fixed minor typo
      Fixed typo in Makefile.am
      Added better autoconf handling of gpgme. Fixes so libfko will compile under FreeBSD (7.0 release anyway).
      Better error checking/message for decryption. Fixed typo in docs.
      Updated autoconf files and code to support Solaris (ver 10 x86 at least). This includes better type checking and resolving some conflicting names under Solaris.
      Tweaked byte order determination for Solaris systems.
      Added gpg-home-dir support to libfko and the fwknop program. Added the fko_set_spa_data() function. Documentation updates and other tweaks to support these changes.
      Fixed typo in doc
      Fixed segfault issue when spa_data_final was called before spa_message was set.
      Fixed double-free when destroy was called after a failed gpg encryption/decryption.
      Added perl module code to the repository.
      Interim check-in of API changes, libfko and fwknop binary now support the updated API. Docs and Perl module are pending.
      Tweaks to updated API. Added GPG signature checking and processing functions. Updated Perl module and perldoc for new API and functions.
      Updated documentation to reflect API changes and GPG signature functions.
      Added the Perl module files to Makefile.am so they will be included in the dist.
      Changed fko version to 1.9.12. Made signing GPG-encrypted messages optional.
      Made the dist name "fwknop-c" so as not to confuse it with the current "fwknop".
      Updates and revisions to accommodate a Windows build.
      Updated Makefile.am to add win32 directory to the dist.
      Added getopt_long and getlogin capability to the Windows build.
      Removed old test code from fwknop client. Other tweaks and enhancements.
      Fixed bad variable name after moving the winsock startup code to the send_spa_packet function.
      Implemented sending spa data via TCP or ICMP via SOCK_RAW (unix only so far).
      Added sending via tcp (established) connection. removed --debug as an option. Some minor code reformatting and refactoring.
      Tweak for win32 platform
      Yet another tweak for win32.
      Tweaks again for win32 build
      Brought Error constants in sync with libfko.
      Minor updates to non-code-related files. Changed some copyrights to 2009.
      Forgot to bump the perl module minor version number.
      Added a TODO file
      Added the digest types constants to the types and individual export tags.
      Added handling of Backspace and Ctrl-U in the Win32 handling of get_passswd.
      Tweaks to the win32 build (Visual Studio project configs).
      Fixed spa access message validation routine to allow for multiple comma-separated requests in one message.
      Tweaks to cover WIN32 build. Added print of error if tcp connect() fails.
      Fixed some formatting errors in the POD.
      Added SHA384 and SHA512 digests. Tweaks for getting rid of windows warnings. Use recv instead of read on socket. Bumped version to 0.63 (libfko) and 0.23 (FKO perl module).
      Forgot to add the files for the updated SHA digests (oops).
      Update the VS project file for the new SHA digest files and functions.
      Fixed typo (actually a cut-and-paste remnant) in the doc.
      Major rearrangement. Renamed directories: "fko" to "lib", "src" to "client". Added "common" and "server" directories. Setup autoconf to allow disabling the server and/or client builds.
      Forgot to add the server dir.
      Made the configure help message show --disable-xxx as the options for whether or not to build the server or client.
      Some minor refactoring of the TIME_OFFSET handling. Other minor code formatting tweaks.
      Updates to accommodate the Windows build.
      Changed http_resolve_host code to make it work with or without trailing whitespace in returned content. Updated the IP address format and value checking code. Switched back to whatsmyip.com as default IP resolver.
      Updated ip,port format and value check.
      Fixed another minor typo in the doc
      Added fwknop.man.asciidoc to docs and fwknop.8 man page to client (derived from fwknop.man.asciidoc).
      Added check for libpcap. More stubbing in on the server code side.
      Added more server command-line and config file processing code. Updated autoconf config for new checks and files.
      Added override config handling and updated the config_init routines to parse everything in the correct order (i.e. config file, override configs, then command-line).
      Minor manpage tweak
      More tweaks to config file processing, including simple variable expansion.
      Added some more stuff to deal with byte order identification on Solaris 10 x86 systems.
      Added perl/legacy distribution (fwknop-1.9.12). Renamed this distribution from fwknop-c to simply fwknop. Made the version 2.0.0-alpha.
      Removed the wipe_pw routine as it could result in segfaults when a static key is used.
      Added some more (stubbed-in) server code and functions. Minor doc tweak.
      Updated pid/lock file handling. Implemented -K option.
      Updates and enhancements to logging functions. Now log_msg writes only to stderr when running in foreground. Default log facility is LOG_DAEMON. Config file options of ENABLE_PACP_PROMISC, HOSTNAME, SYSLOG_IDENTITY, and SYSLOG_FACILITY are processed.
      Updated sniffer to be able to handle the linux "any" interface.
      Added stubs and some handling for signals. SIGHUP induces the re-reading the configs and restarting the capture loop. SIGTERM and SIGINT simply trigger a graceful exit. Trimmed some more of the configuration options.
      Fixed memory leak issue in libfko when fko_new_with_data() was called with a bad key. Added autoconf checks for gdbm with fallback to ndbm for server builds. Added digest cache capability using gdbm (in ndbm compatibility mode) or ndbm for replay detection.
      Changed digest cache to use gdbm directly with fallback to ndbm (still not tested).
      Fixed missed MY_DBM_CLOSE call
      Fixed minor typo in the POD synopsis (thanks Franck!).
      Updated digest cache to store additional information including src ip, created, first_replay, last_replay, and replay count.
      Fixed bug in signal handling when libpcap version 1.0 is used. Minor doc update.
      The default conf and run directories are captured from the autoconf output. Added post install hook to create the xxx/var/run/fwknop directory (which works, but breaks the "make distcheck" feature of autoconf). Changed order of config processing and set conf struct for some default and overridden parameters so they will be shown properly when -D is used.
      Autoconf updates for detecting locally installed program paths and changes to facilitate portability. Also set AM_MAINTAINER_MODE so we are not forced to regen/reconfigure when we change one of the autoconf source files (but we do now need to remember to do it ourselves before making a new dist).
      Made local exe checks run only if a server is being built. Removed checks for external progs that may not be needed yet.
      Added configure args for specifying specific paths to the local executables used by fwknopd.
      Fixed incorrect variable in configure.ac.
      Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only if ENABLE_DIGEST_PERSISTENCE is "Y".
      Added check for and create of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file.
      Added access.conf handling and processing. Added a new access.conf parameter: RESTRICT_PORTS for specifying 1 or more proto/ports that are explicitly not allowed.
      Updated changelog. Made the fwknop.man.asciidoc match the changes made to the fwknopd.8 manpage.
      Commented out AM_MAINTAINER_MODE.
      Added support for multiple GPG_REMOTE_ID values from access.conf (still need to implement the use of those however). Also, went back to support colons (:) as an optional part of the access.conf parameter name (better to keep backward compatibility).
      Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decryption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.
      Bumped working version to 2.0.0-alpha-pre2 to differentiate from the tagged 2.0.0-alpha-pre1. Updated Changelog.
      Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworked the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encrypted message data. Removed the previously added pretty-print routine to configure. Updated configure to check for path to gpg executable. Updated docs accordingly.
      Forgot to remove the m4 dir from Makefile.am
      Tweaks to eliminate warnings on win32 build of libfko and client.
      Updated TODO list (removed items that were completed and/or deprecated).
      Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it.
      Changed to fix possible double-free bug under some circumstances.
      Started firewall rule processing. Added rule initialization. Added some of the initial routines for external command execution with ability to capture stdout, stderr, and exit status.
      Minor tweaks to firewall rules processing and external command execution code.
      Added the fwknopd.8 man page.
      First cut at creating access rules and removing them when they expire (not sure I like this implementation but it is a start).
      Very minor comment and code tweaks (mostly just an excuse to test the relocation of the svn server).
      Added support for FWKNOP_OUTPUT_ACCESS and NAT_ACCESS modes (still needs testing and tweaking).
      Tweaked firewall rule creation code. Added SNAT/MASQUERADE support. Fixed rule processing code so an INPUT rule was not created for NAT request. Still needs more review and testing.
      Mostly documentation file updates.
      Added support for parsing and processing SPA requests over HTTP. Beefed up verbose logging a bit. Added some more sanity checks on the validity of incoming SPA data before attempting to decode.
      Tweak to client usage message output. Added TCP server functionality to the server (call it a first cut).
      More tweaks. Added SIGCHLD handler and code to try to restart the TCP server if it dies for whatever reason.
      Some tweaks to the sigchld handling in the server. Other misc minor cleanup.
      More updates to take care of warnings on Ubuntu systems (fixes for common sense warnings that should have come up on my Fedora system but didn't).
      Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. removed some unimplemented and/or unused parameters and config directives (as well as their respective documentation references). Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one.
      More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument.
      Added support for COMMAND_MSG requests. Also added CMD_EXEC_USER to access.conf to allow for fwknopd to setuid to the specified user before running the command. Other minor tweaks.
      Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implement the checking of GPG signature IDs against the GPG_REMOTE_ID list.
      Updates to TCP server to close the lock file handle, use a non-blocking socket, and detect when the parent fwknop dies so it can exit as well.
      Changed the way running external commands are handled to address issues with it not working on some systems/configurations. Just using system and popen and fw commands are run with stdout and stderr tied together.
      Put locale code back in. More cleanup of config directives and options.
      More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.
      Due to issues and usage restrictions on whatismyip.com, I am making the default resolve_ip_http url www.cipherdyne.org/cgi-bin/myip.
      Added .fwknoprc file creation and processing. This allows for saved default and named configuration profiles. Updated fwknop manpage to reflect the new capability. Also cleaned up messages (errors, info) from the program.
      Added installation hook to set the perms on the .conf files to 600 during make install. Minor doc tweak.
      Fixed bad param name in generated .fwknoprc file.
      Fixed bug where named-stanza was not being found when it indeed existed.
      Added fwknop.spec for rpm builds. Removed the server post install hook as it breaks make distcheck and rpm builds.
      Minor cleanup on the spec file.
      Fixed bug where ALLOW_IP of resolve was not overridden by an ALLOW_IP parameter in a named stanza. Removed erroneous invalid parameter from the initially generated .fwknoprc file.
      Fixed issues found by the Windows compiler (that I would think would have been flagged by gcc).
      Removed unreferenced variables.
      Use USERPROFILE instead of HOME for homedir determination on win32 builds.
      Fixed autoconf config so libfko and fwknop client are not linked with libpcap and libgdbm. Fixed some issues in the fwknop.spec file.
      Fixed another oops in the spec file.
      Renamed the legacy perl version of fwknop.spec to fwkop-legacy.spec to resolve rpmbuild confusion when using the -tx options.
      Manpage updates
      Added AC_SYS_LARGE_FILE to configure.ac
      Modified top-level Makefile.am so the legacy perl stuff is not packaged into the distribution tar file. More cleanup of the fwknopd man page.
      Slightly revamped how signals were setup.
      Reworked how man pages are generated. Now, man pages in the client and server directory are "fwknop(d).8.in" and a target was added to Makefile.am to create the man pages while doing variable substitutions based on directives specified via the configure script. Minor tweak to fwknop.spec file.
      Removed checks for sig verification flag on gpg_sig info related functions.
      Reverted last libfko change. Added set verify_sig flag when remote_ids are specified.
      Moved force set of verify flag on remote_id value to before decryption phase.
      Added the fwknopd_errors.[ch] files which provides the get_errstr() and fwknopd_errstr() functions. The get_errstr() function takes and error_code, tries to determine the type, then calls the appropriate xxx_errstr function to return a description string. Fixed some minor errors in the libfko API docs.
      Almost all the conf variables have a default value if they are not there (or set). All the entries in the initial fwknop.conf file are not commented out and can be overridden as needed.
      Fixed some misplaced dependencies in the fwknop.spec file.
      Updated the version number in the win32 config.h copy
      Updates and clean-up to address the many compiler warnings when compiled with -Wall. Also some autoconf updates
      Per Franck Joncourt - Corrected misspelled word in fwknopd man page and access.conf.
      Added check to make sure a firewall program is set.
      Removed a debug print statement.
      Cleaned out some old commented-out sections configure.ac and fixed an issue where external file checks would fail when running configure in cross-compiler environment. No code changes made.
      Added extras directory. Bumped version in autoconf to 1.0.0rc2.
      Fixed issue with spaces in access.conf comma-separated values. Fixed issue with GPG signature check being forced when GPG_REMOTE_ID is set and GPG_REQUIRE_SIG was "N". Updated dependency in the spec file. Updates to ChangeLog.
      Added some OpenWRT-related files to the extras directory.
      Tweaks to autoconf files.
      Updates to accommodate building and compiling on FreeBSD systems.
      Oops left out new header for last update.
      Uncommented call to check_firewall_rules (left in while debugging freebsd build).
      Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw and ipf firewall types. Updated autoconf to set a firewall type and path depending on configure arguments.
      Start of addition of access requests via ipfw.
      Added rule expire and purge for ipfw. Almost there...
      Missed a config file update on the last check-in.
      Wrapped #ifdef around a linux-specific chunk.
      Made fw_cleanup not remove rules from the expired rule set. Added code to read in any existing expired rules into the rule_map at startup.
      Made autoconf print an error message indicating ipf is not supported if it is specified. Changelog updates.
      Minor fwknopd man page tweak.
      Fixed handling of man page generation in Makefile.am so it works from alternate build directories.
      Set pcap non-block mode back on unless it is a freebsd system. Server verbose output no longer shows access key or GPG password.
      Tweaks to the fwknop.spec file
      Put the usleep back pcap_capture (oops).
      Needed to bump libfko revision to 2 to identify as part of newer dist.
      Update added HAVE_ERRNO_H 1 to win32/config.h.
      Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.
      Updated perl module for additional error messages.
      Updated the GPL blurb at the top of the source files. Added some missing copyright statements (Thanks to Franck Joncourt).
      Added code to zero out rcfile path before setting it. Also added a bounds check to that as well.
      Minor comment and documentation tweaks. Add the python directory which contains my first cut at a libfko Python wrapper module.
      Added the Fko class code to wrap the _fko wrapper around libfko.
      Added pydoc text to the fko python module. Minor tweak to setup.py.
      Do not need parens around expression in if statements in python (still learning).
      Fixed bug where libfko would segfault if fko_get_spa_data() was called before fko_spa_data_final() was called (and successful). Added include of time.h in fko.h.
      Additional docs and classes added to the fko python module. Minor tweak and bumped version in the fwknop.spec file.
      Removed unnecessary include.
      Adding Max Kastanas's fwknop client app code for Android
      Minor update to the android README
      Added python/fko.py to Makefile.am so it is also included in distributions. Minor tweak to address compile error on Mac os X.
      Fix check and handling of ndbm as an option for the digest cache.
      Added a no-digest-cache configure option and capability (though it is not recommended).
      Set FD_CLOEXEC on pid file descriptor. Added support for setting the URL for resolving source IP via command-line or the .fwknoprc file.
      Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist.
      Merge branch 'master' of https://github.com/mrash/fwknop

Max Kastanas (1):
      Codebase of Fwknop client for iOS (iPhone) devices

Michael Rash (210):
      Merged in fwknop-c-ubuntu branch changes via:
      - Added command line argument processing for:
      - Added code to send SPA packet data over a UDP socket. - Added minor validation step to enforce --Destination usage if not running in --Test mode (will extend this validation to include other option).
      minor update to not force --Destination in --Version mode
      added Id tag expansion
      -Added the --get-key option to allow SPA passwords to be read from a file. This feature will be useful for an automated test suite that drives the fwknop C client against an SPA server implementation.
      Added the following options:
      minor bug fix to anticipate closing newline in a password read from a file via --get-key
      updated to concatenate the allow IP and access string for fko_set_spa_message()
      updated Copyright to Damien
      Minor bug fix to process gpg command line arguments properly when handling the command line.
      removed unnecessary initialization of string vars to 0x0 because the earlier memset() takes care of this
      added the --save-packet argument so that SPA packet data can be saved to the local filesystem by the fwknop-c client
      added --save-packet-append so that SPA packet data can be appended to a file
      minor link update for the cipherdyne.org website
      minor wording update to match fwknop help to config_init.h for --server-proto option
      minor typo fix (gps -> gpg)
      bug fix suggested by Damien to allow the recompute of the SPA digest to properly happen when calling spa_digest() with a true value
      initial stab at libfko server daemon TODO's
      added B64_GPG_PREFIX 'hQ' string for GnuPG prefix handling (similar to the 'Salted__' handling for Rijndael SPA packet encryption)
      - Added the ability to send SPA packets over valid HTTP requests with the fwknop-c client. - Added support for transmitting SPA packets over IPv6 via TCP and UDP sockets, and also via HTTP. - Added GnuPG 'hQ' base64 encoded prefix handling (this prefix is stripped out of encrypted SPA packet data). - Added hostname resolution support to the fwknop-c client if the SPA server is specified as a hostname instead of an IP address. - Minor bug fix to allow a GnuPG password to be specified via the --get-key functionality.
      * Got forward and local NAT modes working with the --nat-access, --nat-local, --nat-port, and --nat-randport options. All NAT modes are now passing the fwknop test suite. * Added the --server-command option to build an SPA packet with a command for the server to execute. * Added the --fw-timeout option for client side timeouts to be specified. * Added the --time-offset-plus and --time-offset-minus options to allow the user to influence the timestamp associated with an SPA packet. * Added the --rand-port option so that the SPA packet destination port can be randomized.
      * Added the --show-last and --no-save command line options to show the command line used for the previous fwknop invocation, and to have the fwknop client not save its command line arguments. * Bug fix to force libfko to recalculate the random data embedded in the SPA packet after a random port is acquired via --rand-port or --nat-rand-port. This is a precaution so that an attacker cannot guess some of the internal SPA data based on the destination port number.
      changed the minimum destination SPA port from 1024 to 10,000
      minor doc updates
      Added the --source-ip argument to build SPA packets with 0.0.0.0 (the fwknopd server can wrap access controls around this)
      bugfix to order HTTP request headers properly, updated the user agent for SPA over HTTP to use the options->http_user_agent variable (can be set from the command line)
      added the --resolve-ip-http and --user-agent command line args so the fwknop-c client can resolve the external network via http://www.cipherdyne.org/cgi/myip.cgi
      updated SPA over HTTP packets to always begin with a slash right after the GET string, updated to print SPA packets over HTTP to stderr in test/verbose mode
      updated to handle the fwknop-c version string '2.0.0-alpha' in HTTP tests
      Added --List-mode so that identifying strings for tests can be printed on stdout. This is useful to see what is available for --test-include regex's.
      Added better --debug output for time differences on incoming SPA packets. This makes it easier to tell when there are problems with time synchronization between the fwknop client and fwknopd server systems.
      - Added --http-proxy argument to the fwknop C client. - (Legacy code): Changed HTTP proxy handling to point an SPA packet to an HTTP proxy with -D specifying the end point host and --HTTP-proxy pointing to the proxy host. This fix was suggested by Jonathan Bennett.
      added Daniel Lopez, and Jonathan Bennett's proxy fix
      added the latest http proxy fixes to the ChangeLog
      (Legacy code) Applied patch from Jonathan Bennett to support the usage of the http_proxy environmental variable for sending SPA packets through an HTTP proxy. The patch also adds support for specifying an HTTP proxy user and password via the following syntax:
      * (Legacy code) Bug fix to allow the --rand-port argument to function along without an inappropriate check for the --Server-port arg.
      minor bug fix to ensure that -R resolution work with --URL=http://www.cipherdyne.org/cgi/clientip.cgi
      minor bug fix to not append --Server-port option in --rand-port mode
      bumped version to 2.0.0-alpha-pre1
      minor update to include the -f arg in the usage() output
      Added --packet-limit to fwknopd so that the number of incoming candidate SPA packets can be limited from the command line. When this limit is reached (any packet that contains application layer data and passes the pcap filter is included in the count) then fwknopd exits.
      added Id tag expansion
      added Id tag expansion
      minor spacing fix
      added --http-proxy and --no-save-args to usage() output
      added --http-proxy argument to the fwknop.8 man page
      removed unnecessary --no-save arg since --no-save-args covers it
      Added --access-file command line arg to fwknopd so that the path to the access.conf file can be specified from the command line.
      added -a arg to fwknopd usage() output
      minor update to the fwknop client to use '#define GETOPTS_OPTION_STRING' for getopt() command line arg processing.
      * Added a new command line argument "--last-cmd" to run the fwknop client with the same command line arguments as the previous time it was executed. The previous arguments are parsed out of the ~/.fwknop.run file (if it exists). * Bug fix to not send any SPA packet out on the wire if a NULL password/key is provided to the fwknop client. This could happen if the user tried to abort fwknop execution by sending the process a SIGINT while being prompted to enter the password/key for SPA encryption.
      (legacy code) (test suite) Bug fix for GnuPG SPA/HTTP tests not pointing to the proper HTTP output file
      * Fixed a few minor warnings like the following:
      added --last-cmd argument to fwknop(8) man page via the fwknop.man.asciidoc file
      added --server-cmd arg to fwknop client man page and help output
      bug fix in --packet-limit handling to ensure multi-packet processing when the arg is not used
      Added minor validation code to access.conf parsing to ensure that a SOURCE stanza begins with the SOURCE variable and that there is at least one usage of the OPEN_PORTS and KEY variables. The OPEN_PORTS requirement might be relaxed when PERMIT_CLIENT_PORTS handling is added.
      bug fix to ensure the --last-cmd re-parsing of command line args via getopt_long() has a reset index
      Update to call parse_proto_and_port() before allocating a new port list. This fixes the following stack trace when generating an SPA packet that contains "none/0" for the port list:
      updated to call dump_access_list() if -D was given to dump config information
      applied patch from Franck to catch a couple of man page typos
      Updated to define a default gpg keyring path of /root/.gnupg, and if the GPG_HOME_DIR variable is not defined in the fwknopd.conf file or the access.conf file, then this default will take over.
      minor macro update to define the default gpg keyring
      minor update to check the gpg keyring path setting in access stanzas only if a decrypt password is specified
      - added is_valid_dir() utility function for checking directory stat()/existence (this is used for gpg keyring path validation).
      added --fw-list arg to the fwknopd daemon to list all current firewall rules for any running fwknopd process
      removed additional wait() call from run_extcmd(), updated --fw-list to just use system() to execute the iptables listing commands
      Bug fix for USE_NDBM variable so that client-only builds work. The specific error before the patch along with the command line invocation of the "configure" script appear below:
      minor bug fix to account for PATH_SEP being defined as a character instead of a string
      minor off-by-one fix for home directory path separator
      Removed legacy $Id$ tags from svn
      Bug fix for uninitialized variable found with splint static analyzer
      Minor rename in support of non-dbm file cache
      Added autoconf support for non-dbm file cache.
      Updated digest file path for gdbm/ndbm support
      Added --pcap-filter to the fwknopd command line
      Merge branch 'master' into optional_dbm_support
      Implemented linked list cache of SPA digests
      Started on code to parse the digest cache file
      Added dst IP to tracked SPA data
      Added source port and protocol to digest tracking
      Added digest file import code
      Consolidated replay warnings in a single function
      Implemented memory clean up for digest cache list
      Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett
      Minor variable cleanup to fix compiler warnings
      Added stack protection, PIE, fortify source, etc.
      Updated replay warnings to include proto/port info
      Update to force base64 check for all SPA data
      Update to add any missing iptables jump rules
      Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling
      Added ChangeLog derived from git commit messages.
      Bumped version to fwknop-2.0.0-rc3
      added the VERSION file
      Bug fix for ./configure args to disable compile time security options
      Added -Wall for all gcc warnings during compile
      minor commit to fix minor compilation warnings
      Minor restructuring to suppress compiler "defined but not used warnings"
      Update to suppress additional compiler warning
      On FreeBSD disable read-only relocations and immediate binding protections
      Fixed a few minor compiler warnings on FreeBSD
      On FreeBSD, made gpgme header path inclusion optional
      Bug fix to create the digest.cache file at init
      Bug fix for missing set existence check on ipfw firewalls
      Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules
      Updated ChangeLog with all changes from 2.0.0-rc3
      Added version specific ChangeLog, ShortLog, and diffstat files.
      bumped version to 2.0.0rc4
      removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
      Disabled read-only relocations and immediate binding compiler protections
      Added autoconf check for pf firewalls
      PF support on OpenBSD in progress, fwknop --fw-list now works
      Added --fw-list info to --help
      For PF firewalls implemented a check for an active fwknop anchor
      Minor copyright holder update
      PF rules are now added to the fwknop anchor
      minor comment typo fixes
      Added the ability to delete PF rules
      Update to make _exp_ string a #define
      Check for active_rules > 0 before decrementing
      Added read-only relocations and immediate bindings
      Replaced all strcpy() calls with strlcpy()
      minor typo fix: fwkop -> fwknop
      Merge pull request #5 from maxkas/master
      Added the fwknop lsof launcher under the extras/ directory
      Merge branch 'master' into fwknop-launcher
      Added --help usage information
      Initial start on a test suite
      minor update to account for hardening-check return values
      switched --help output to stdout from stderr
      minor update to switch to stdout when exiting with success
      removed
      interim commit to add major functionality to the fwknop test suite
      started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance
      minor typo fix
      added the test/conf/ directory for config files used by the test suite
      minor bugfix to ensure that the proper firewall is used to collect system specs
      minor wording update netfilter -> iptables
      minor whitespace fixes
      minor update to allow fw rules to be dumped before parsing the access.conf file
      Added usage of sudo for recompilation test
      Added --fw-list-all and --fw-flush
      Minor PID string length fix
      added client/server interaction test capability
      Added --digest-file and --pid-file args
      added first complete SPA cycle test
      minor removal of whitespace
      added replay attack detection test
      added rule timeout detection
      added Rijndael SPA validity tests
      added -P bpf filter test
      added -P bpf test for complete SPA cycle over non standard SPA port
      added test to validate digest.cache structure
      minor whitespace removal
      added first GPG complete cycle SPA test
      extended packet validity tests in GPG mode
      minor update to match include/exclude criteria on the whole test message
      added digest cache validation after GPG tests
      added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier
      minor whitespace removal
      update to detect loopback interface
      compiler warning fix for sscanf() on freebsd
      added 'const' to function prototype vars where possible
      Update to print all firewall commands in --verbose mode
      Update to ensure libfko.so path is detected properly on OpenBSD
      added stack protection detection for OpenBSD systems
      minor whitespace removal
      update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces
      bugfix to return preprocess_spa_data() result properly to calling function
      [test-suite] added the ability to run all fwknop tests through valgrind
      minor looping criteria update for valgrind tests
      updated client SPA verbose message to include the server IP/host
      added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
      Fixed fwknopd memory leak, several other fixes and updates
      consolidated several test functions into a single generic_exec() function
      added --diff mode to the test suite to compare results from one execution to the next
      remove CMD timestamps for --diff mode
      This commit fixes two memory leaks and adds a common exit function.
      minor test wording consolidation
      simplified the client/server interaction code, started on IP filtering tests, added spoof username tests
      added IP/subnet match tests, added --Anonymize-results mode
      added tests for various access.conf variables
      added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access
      bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
      added test for --test mode in the fwknop client
      bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)
      added SPA packet aging tests
      Added access stanza expiration feature, multiple access stanza bug fix
      memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
      minor newline fix for access.conf output dump
      Added FORCE_NAT mode to the access.conf file
      minor compile fixes for FreeBSD
      minor compiler warning fix on OpenBSD
      added CREDITS file, bumped software version, added ChangeLog files
      added CREDITS file, bumped software version, added ChangeLog files
      Added various files to Makefile.am so that 'make dist' continues to work
      change log doc updates
      Added the CREDITS file for 'make dist'
      minor addition of the CREDITS file for 'make dist'
      added local_spa.key file
      added local_spa.key file
      minor addition of the local_spa.key file for 'make dist'
      updated copyright and license statement - fwknop is GPL software
      minor wording update subversion -> git
      bumped version to 2.0
      minor test suite addition to check for linker input file warnings
      minor test suite update to look for linker warnings in a more generic way
      added FKO_CHECK_COMPILER_ARG_LDFLAGS_ONLY to fix ro-relocations and immediate binding protection compilation warnings on FreeBSD
      bumped version to 2.0