Permalink
Commits on Nov 11, 2011
  1. minor test wording consolidation

    mrash committed Nov 11, 2011
  2. This commit fixes two memory leaks and adds a common exit function.

    mrash committed Nov 11, 2011
    The two memory leaks were found with the test suite running in
    --enable-valgrind mode - here are the relevant error messages:
    
    For fwknopd server GPG clean up:
    
    ==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
    ==345==   at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==345==   by 0x52F6B81: strdup (strdup.c:43)
    ==345==   by 0x10FA57: add_string_list_ent (access.c:308)
    ==345==   by 0x110513: parse_access_file (access.c:387)
    ==345==   by 0x10B5FB: main (fwknopd.c:193)
    
    For fwknop client rc file processing:
    
    ==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
    ==8045==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==8045==    by 0x50A53AA: __fopen_internal (iofopen.c:76)
    ==8045==    by 0x10C3FF: process_rc (config_init.c:446)
    ==8045==    by 0x10C8F6: config_init (config_init.c:671)
    ==8045==    by 0x10AC9E: main (fwknop.c:62)
    
    There is also a new clean_exit() function that makes it easier to ensure that
    resources are deallocated upon existing.
Commits on Nov 6, 2011
Commits on Nov 5, 2011
Commits on Nov 4, 2011
  1. Fixed fwknopd memory leak, several other fixes and updates

    mrash committed Nov 4, 2011
    This commit does several things.  First, a memory leak in fwknopd has been
    fixed by ensuring to free access.conf stanzas.  This bug was found with the
    new test suite running in --enable-valgrind mode.  Here is what some of the
    valgrind output looked like to find the leak:
    
    ==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
    ==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==19217==    by 0x52F6B81: strdup (strdup.c:43)
    ==19217==    by 0x10FC8B: add_acc_string (access.c:49)
    ==19217==    by 0x1105C8: parse_access_file (access.c:756)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x10FEC0: add_source_mask (access.c:88)
    ==19217==    by 0x110100: expand_acc_source (access.c:191)
    ==19217==    by 0x1104B0: parse_access_file (access.c:500)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x1103E4: parse_access_file (access.c:551)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== LEAK SUMMARY:
    ==19217==    definitely lost: 152 bytes in 1 blocks
    ==19217==    indirectly lost: 31 bytes in 3 blocks
    ==19217==      possibly lost: 0 bytes in 0 blocks
    ==19217==    still reachable: 8 bytes in 1 blocks
    ==19217==         suppressed: 0 bytes in 0 blocks
    
    Second, this commit changes how fwknopd acquires packet data with
    pcap_dispatch() - packets are now processed within the callback function
    process_packet() that is provided to pcap_dispatch(), the global packet
    counter is incremented by the return value from pcap_dispatch() (since this is
    the number of packets processed per pcap loop), and there are two new
    fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
    number of packets that pcap_dispatch() should process per loop and the number
    of microseconds that fwknopd should sleep per loop respectively.  Without this
    change, it was fairly easy to cause fwknopd to miss packets by creating bursts
    of packets that would all be processed one at time with the usleep() delay
    between each.  For fwknopd deployed on a busy network and with a permissive
    pcap filter (i.e. something other than the default that causes fwknopd to look
    at, say, TCP ACK's), this change should help.
    
    Third, the criteria that a packet must reach before data copying into the
    buffer designed for SPA processing has been tightened.  A packet less than
    /greater than the minimum/maximum expected sizes is ignored before data is
    copied, and the base64 check is done as well.
Commits on Oct 31, 2011
Commits on Oct 30, 2011
Commits on Oct 29, 2011
  1. update to remove packet direction requirement when sniffing on OpenBS…

    mrash committed Oct 29, 2011
    …D loopback interfaces
  2. minor whitespace removal

    mrash committed Oct 29, 2011
Commits on Oct 28, 2011
  1. Update to print all firewall commands in --verbose mode

    mrash committed Oct 28, 2011
    This commit makes it easier to determine exactly which commands fwknopd
    runs in --verbose mode when interacting with the underlying firewall.
    This commit also adds --verbose --verbose mode to the test suite.
Commits on Oct 26, 2011
  1. added 'const' to function prototype vars where possible

    mrash committed Oct 26, 2011
    Added the 'const' qualifier to function prototype variables where possible.
    In addition, reduced some functions to file-scope with 'static' where possible.
    
    Also made a few minor changes to remove extra whitespace, and fixed a bug
    in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
Commits on Oct 25, 2011
  1. compiler warning fix for sscanf() on freebsd

    mrash committed Oct 25, 2011
    This commit fixes the following gcc warning on freebsd systems:
    
    replay_cache.c: In function 'replay_file_cache_init':
    replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'
  2. minor whitespace removal

    mrash committed Oct 25, 2011
Commits on Oct 23, 2011
  1. added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual c…

    mrash committed Oct 23, 2011
    …ommand execution easier
Commits on Oct 22, 2011
  1. minor whitespace removal

    mrash committed Oct 22, 2011
  2. added -P bpf filter test

    mrash committed Oct 22, 2011
  3. added Rijndael SPA validity tests

    mrash committed Oct 22, 2011
  4. added rule timeout detection

    mrash committed Oct 22, 2011
  5. added replay attack detection test

    mrash committed Oct 22, 2011
  6. minor removal of whitespace

    mrash committed Oct 22, 2011
Commits on Oct 21, 2011
  1. Added --digest-file and --pid-file args

    mrash committed Oct 21, 2011
    Added --digest-file and --pid-file args so that the user can easily alter
    these paths from the command line.