Having extra '/run' subdirectory hardcoded into paths used for options 'digest-file', 'pid-file', 'run-dir' is counterintuitive and can lead to bogus directory layouts when 'localstatedir' differs from the default value. For example, if 'localstatedir' is set to '/run', which is a common and recommended substitute for /var/run in many distros nowadays, then fwknop files will be placed under /run/run/fwknop. This changeset removes extra '/run' subdirectory from all relevant paths by changing DEF_RUN_DIR. Default value of 'localstatedir' is changed to '/var/run' so users who relied on the previous behaviour won't have to bother changing anything. This is tested and works. Gentoo have this patch applied since 2.6.0.
Bug fix to ensure that a User-Agent string can be specified when the fwknop client uses wget via SSL to resolve the external IP address. This closes issue #134 on github reported by Barry Allard. The fwknop now uses the wget '-U' option to specify the User-Agent string with a default of "Fwknop/<version>". In addition, a new command line argument "--use-wget-user-agent" to allow the default wget User-Agent string to apply instead.
External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by default. The IP resolution URL is now 'https://www.cipherdyne.org/cgi-gin/myip';, and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified (it is safer just to use the default). The fwknop client leverages 'wget' for this operation since that is cleaner than having fwknop link against an SSL library.
This is a significant commit to add the ability to leverage libfko fault injections from both the fwknop client and server command lines via a new option '--fault-injection-tag <tag name>'. This option is used by the test suite with the tests/fault_injection.pl tests.
This commit adds a lot of test coverage support as guided by gcov + lcov. Also added the --no-ipt-check-support option to fwknopd (this is only useful in practice on older Linux distros where 'iptables -C' is not available, but it helps with test coverage).
- [server] When GnuPG is used, the default now is to require that incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG is no longer necessary in order to authenticate SPA packets via the GnuPG signature. Verification of GnuPG signatures can be disabled with a new access.conf variable GPG_DISABLE_SIG, but this is NOT a recommended configuration. - [client+server] Add --gpg-exe command line argument and GPG_EXE config variable to ~/.fwknoprc and the access.conf file so that the path to GnuPG can be changed from the default /usr/bin/gpg path.
… 'bytes' Suggested doc update to fwknop man pages to accurately describe the usage of digits instead of bytes for SPA random data. About 53 bits of entropy are actually used, although this is in addition to the 64-bit random salt in for key derivation used by PBKDF1 in Rjindael CBC mode.
This commit completes the addition of generalized NAT (both DNAT and SNAT) capabilities to access.conf stanzas.
This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to signal incompatibility with older libfko versions. Backwards compatibility is maintained in SPA packet construction, but function prototypes in libfko-2.0 are no longer compatible with older versions. This commit also returns non-zero exit status under 'fwknopd --status' if there is no existing fwknopd process. This is better than always exiting with a zero status regardless of whether fwknopd is already running or not, and adds a level of scriptability to --status usage. This change was suggested by George Herlin.
…riable in GPG mode
This change brings similar functionality to the client as the GPG_ALLOW_NO_PW keyword in the server access.conf file. Although this option is less likely to be used than the analogous server functionality, it stands to reason that the client should offer this feature. The test suite has also been updated to not use the --get-key option for the 'no password' GPG tests.