Update to 1.3.4
Mike Schiffman committed Nov 14, 2016
1 parent 8d89d84 commit f516367
Showing 34 changed files with 469 additions and 443 deletions.
4 changes: 3 additions & 1 deletion Makefile.am
Expand Up @@ -142,6 +142,7 @@ axa_libaxa_la_CFLAGS = \
${libcrypto_CFLAGS} \
${libpcap_CFLAGS} \
${libwdns_CFLAGS} \
${libprotobuf_c_CFLAGS} \
${libnmsg_CFLAGS} \
${strlcpy_CFLAGS} \
${yajl_CFLAGS}
Expand Down Expand Up @@ -220,6 +221,7 @@ sratunnel_sratunnel_LDADD = \

sratunnel_sratunnel_CFLAGS = \
${AM_CFLAGS} \
${libprotobuf_c_CFLAGS} \
${libnmsg_CFLAGS} \
${libssl_CFLAGS} \
${libcrypto_CFLAGS} \
Expand Down Expand Up @@ -265,7 +267,7 @@ EXTRA_DIST += \
sratunnel/README

if HAVE_DOXYGEN
stamp-html: $(DOXYGEN_INPUT_FILES) $(top_builddir)/Doxyfile $(top_srcdir)/DoxygenLayout.xml $(include_HEADERS) $(nobase_include_HEADERS)
stamp-html: $(DOXYGEN_INPUT) $(top_builddir)/Doxyfile $(top_srcdir)/DoxygenLayout.xml $(include_HEADERS) $(nobase_include_HEADERS)
$(AM_V_GEN) $(DOXYGEN)
@touch $@
html-local: stamp-html
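Review bot: the rename of the stamp-html prerequisite from $(DOXYGEN_INPUT_FILES) to $(DOXYGEN_INPUT) is only safe if DOXYGEN_INPUT is actually defined earlier in Makefile.am or substituted by configure; an undefined make variable expands to nothing, so stamp-html would silently lose its dependency on the sources and `make doc` would stop regenerating documentation after header changes. Please confirm the definition (it is not in this hunk) or keep the old name.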
32 changes: 16 additions & 16 deletions README.md
Expand Up @@ -28,7 +28,7 @@ or more SIE channels:
network.
* `radtunnel`: RAD Tunnel. A tool that copies RAD data to the local network.
* `libaxa`: C API middleware for the AXA protocol including connection and
encapsulation/decapsulation
encapsulation/decapsulation.

The `sratool` program is the reference implementation of the AXA protocol. It is
intended primarily as a protocol demonstration and debugging interface, although
Expand Down Expand Up @@ -117,9 +117,9 @@ After satisfying the above, build with something like:
`./autogen.sh` followed by `./configure` and `make`

To generate the API documentation (including an HTMLized version of this
document): `./make doc`. The html documentation will be in `html` and can be
rendered in any modern browser. Something like `$ open html/index.html`
should get you started.
document): `make doc`. The HTML documentation will be in the `html` directory
and can be rendered in any modern browser. Something like `open
html/index.html` should get you started.

Finally, to give the AXA suite a home, `sudo make install`.

Expand All @@ -144,7 +144,7 @@ The binary packages of AXA and its dependencies are available from
used instead of building from source on Debian-based systems.

On a clean Debian install, the following brings in everything "external"
that is needed and then install all of thw AXA tools and `libaxa`:
that is needed and then install all of the AXA tools and `libaxa`:

~~~
# apt-get install build-essential autoconf libpcap-dev \
Expand Down Expand Up @@ -238,7 +238,7 @@ To setup TLS access for SRA and/or RAD, you need to do the following:
4. Retrieve and install the AXA server certificate. This is the equivalent of
when you SSH to a new host for the first time and receive the "Are you
sure you want to continue connecting (yes/no)?" message. This can be done
bu connecting to either SRA or RAD since they both share the same TLS
by connecting to either SRA or RAD since they both share the same TLS
certificate:

# axa_server_cert -s sra.sie-remote.net,1021
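Review bot: step 4 compares axa_server_cert to the first-connection SSH prompt, but unlike that prompt it never tells the reader how to check the certificate that was just fetched before trusting it; a sentence stating where the expected fingerprint can be confirmed out of band would close the trust-on-first-use gap the analogy implies.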
Expand Down Expand Up @@ -577,7 +577,7 @@ provisions to detect or recover from duplicate, out-of-order, lost, or
partially lost data. AXA data can be lost before encapsulation in AXA protocol
messages or packets.

For most uses, a protocol such as ssh is used below the AXA layer and above TCP
For most uses, a protocol such as SSH is used below the AXA layer and above TCP
to provide authentication, confidentiality, and integrity.

The AXA protocol consists of a pair of streams of messages between a "client"
Expand All @@ -600,14 +600,14 @@ unadorned TCP through the loop-back interface or use a UNIX domain socket.
The AXA protocol assumes this is safe.

Between separate computers, the AXA protocol can use UNIX pipes to the `stdin`
and `stdout` streams provided by the ssh command or the functions of an ssh
library such as `libssh2` (ssh must identify and authenticate the client and
and `stdout` streams provided by the ssh command or the functions of an SSH
library such as `libssh2` (SSH must identify and authenticate the client and
server to each other) or the TLS library.

The AXA client starts by waiting for an `AXA_P_OP_HELLO` message from the
server. Over a local stream, the client then sends an `AXA_P_OP_USER` message
to tell the server which parameters to use. When `ssh` is used, the user name
is provided by the ssh protocol.
is provided by the SSH protocol.

### AXA message header

Expand Down Expand Up @@ -639,27 +639,27 @@ response from the server, or data from the server. The universe of opcodes is
discussed below.
For a detailed discussions of the AXA protocol message types, see the doxygen
generated page for `protocol.h`
generated page for `protocol.h`.
### AXA protocol specification quick reference
The following is an AXA protocol quick reference chart intended for application
developers building `axalib` programs.
* OPCODE: The canonical name of the operation code as defined by
`axalib/protocol.h`
`axalib/protocol.h`.
* VAL: The numerical value of the opcode.
* SENT BY: Who can send the message
* SENT BY: Who can send the message.
* TAG: Boolean value indicating if header tag must be valid or non-zero,
as described above
* DESCRIPTION: Short blurb describing opcode
as described above.
* DESCRIPTION: Short blurb describing opcode.
| OPCODE | VAL | SENT BY | TAG | DESCRIPTION |
| ------------------- |----:|----------------:| -----:|----------------------------------------------------------------------------------------------:|
| `AXA_P_OP_NOP` | 0 | CLIENT / SERVER | NO | carries no data, is intended only to ensure that the TCP connection is still up |
| `AXA_P_OP_HELLO` | 1 | SERVER | NO | helps the client choose a compatible AXA protocol version |
| `AXA_P_OP_OK` | 2 | SERVER | YES | indicates the success of the preceding client request with the same tag |
| `AXA_P_OP_ERROR` | 3 | SERVER | YES | indicates the failure of a preceeing client request with the same tag |
| `AXA_P_OP_ERROR` | 3 | SERVER | YES | indicates the failure of a preceding client request with the same tag |
| `AXA_P_OP_MISSED` | 4 | SERVER | NO | carries details about data or packet loss due to rate limiting or network congestion |
| `AXA_P_OP_WHIT` | 5 | SERVER (SRA) | YES | reports a "watch hit" or packet or NMSG message that matched an SRA watch with the same tag |
| `AXA_P_OP_WLIST` | 6 | SERVER (SRA) | YES | reports a current watch in response to `AXA_P_OP_WGET` from the client referenced by tag |
4 changes: 2 additions & 2 deletions axa/axa.h
Expand Up @@ -261,7 +261,7 @@ extern char *axa_strndup(const char *s, size_t len);
* A vasprintf() wrapper that crashes immediately (via #AXA_ASSERT()) on
* vasprintf failures. When you're done with it, bufp should be freed.
*
* \param[out] bufp a pointer to the newly minted and formated string
* \param[out] bufp a pointer to the newly minted and formatted string
* \param[in] p the format string
* \param[in] args a var args list
*/
Expand All @@ -271,7 +271,7 @@ extern void axa_vasprintf(char **bufp, const char *p, va_list args);
* An asprintf() wrapper that crashes immediately (via #AXA_ASSERT()) on
* asprintf failures. When you're done with it, bufp should be freed.
*
* \param[out] bufp a pointer to the newly minted and formated string
* \param[out] bufp a pointer to the newly minted and formatted string
* \param[in] p the format string
* \param[in] ... a var args list
*/
2 changes: 1 addition & 1 deletion axa/socket.h
Expand Up @@ -262,7 +262,7 @@ extern bool axa_get_srvr(axa_emsg_t *emsg, const char *addr_port,
*
* \param[out] emsg if something goes wrong, this will contain the reason
* \param[in] s socket or fd
* \param[in] label descriptive labal for s such as an address
* \param[in] label descriptive label for s such as an address
* \param[in] bufsize non-zero to set the SO_RCVBUF and SO_SNDBUF sizes
* \param[in] nonblock boolean, if true, set O_NONBLOCK
*
6 changes: 3 additions & 3 deletions axa/wire.h
Expand Up @@ -155,8 +155,8 @@ extern const char *axa_op_to_str(char *buf, size_t buf_len, axa_p_op_t op);
* "unknown option type #n".
*
* \param[out] buf will hold the option type string
* \param[in] buf_len length of buf (should be #AXA_P_OP_STRLEN)
* \param[in] op the option type to look up
* \param[in] buflen length of buf (should be #AXA_P_OP_STRLEN)
* \param[in] opt the option type to look up
*
* \return buf
*/
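Review bot: renaming the documented parameters to `buflen` and `opt` only removes the Doxygen mismatch if the declaration this comment block describes (it follows the hunk and is not shown) uses exactly those names; the prototype visible in the hunk header, axa_op_to_str(char *buf, size_t buf_len, axa_p_op_t op), uses buf_len and op, so please check the option-type lookup function's actual signature rather than the opcode one before settling on the names.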
Expand Down Expand Up @@ -232,7 +232,7 @@ typedef enum {
* \param[out] emsg the reason if the return value is false
* \param[in] hdr AXA protocol header (will be filled in)
* \param[in] label label for error message
* \param[dir] dir direction of header for error message
* \param[in] dir direction of header for error message
*
* \return bool header is ok
*/
2 changes: 1 addition & 1 deletion axalib/dns_walk.c
@@ -1,5 +1,5 @@
/*
* Advanced Exchange Access (AXA) semanatics for DNS packets and fields.
* Advanced Exchange Access (AXA) semantics for DNS packets and fields.
*
* Copyright (c) 2014-2016 by Farsight Security, Inc.
*
3 changes: 1 addition & 2 deletions axalib/emsg.c
Expand Up @@ -432,7 +432,6 @@ axa_vlog_msg(axa_syslog_type_t type, bool fatal, const char *p, va_list args)
strcpy(&buf[buf_len-sizeof("...")], "...");
if (fatal)
strlcat(buf, FMSG, sizeof(buf));
buf_len = strlen(buf);

/* keep stderr and stdout straight despite syslog output
* to stdout or stderr */
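Review bot: dropping `buf_len = strlen(buf);` after the strlcat() of FMSG is only a dead-store removal if nothing later in axa_vlog_msg reads buf_len; the rest of the function is outside this hunk, so please confirm that the subsequent syslog/stderr path uses buf (NUL-terminated by strlcat) and not the now-stale buf_len, which still reflects the length before FMSG was appended.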
Expand Down Expand Up @@ -463,7 +462,7 @@ axa_vlog_msg(axa_syslog_type_t type, bool fatal, const char *p, va_list args)
}

/*
* Generate an erorr message string in a buffer, if we have a buffer.
* Generate an error message string in a buffer, if we have a buffer.
* Log or print the message if there is no buffer
*/
void
2 changes: 1 addition & 1 deletion axalib/fields.c
@@ -1,5 +1,5 @@
/*
* Advanced Exchange Access (AXA) semanatics for nmsg fields
* Advanced Exchange Access (AXA) semantics for nmsg fields
*
* Copyright (c) 2014-2016 by Farsight Security, Inc.
*
2 changes: 1 addition & 1 deletion axalib/json.c
Expand Up @@ -870,7 +870,7 @@ axa_body_to_json(axa_emsg_t *emsg, nmsg_input_t nmsg_input, axa_p_hdr_t *hdr, ax

#else /* HAVE_YAJL */
axa_json_res_t
axa_body_to_json(__attribtue__((__unused__)) axa_emsg_t *emsg,
axa_body_to_json(__attribute__((__unused__)) axa_emsg_t *emsg,
__attribute__((__unused__)) nmsg_input_t nmsg_input,
__attribute__((__unused__)) axa_p_hdr_t *hdr,
__attribute__((__unused__)) axa_p_body_t *body,
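Review bot: the corrected spelling of `__attribute__` means the `#else /* HAVE_YAJL */` stub of axa_body_to_json could not have compiled before this change, so the no-yajl configuration was broken without anyone noticing. Suggest adding a build without libyajl to the regular test matrix so this path is exercised.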
2 changes: 1 addition & 1 deletion axalib/socket.c
Expand Up @@ -356,7 +356,7 @@ axa_get_srvr(axa_emsg_t *emsg, const char *addr_port,
return (false);
}
}
if (passive && strcmp(host, "*") == 0)
if (passive && host && strcmp(host, "*") == 0)
host = NULL;
if (port == NULL) {
axa_pemsg(emsg, "missing port in \"%s\"", addr_port);
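Review bot: the added `host &&` guard stops strcmp() from dereferencing a NULL host when the address part is absent, which is the right fix; the `if (port == NULL)` check that follows covers a missing port, but please verify that a NULL host with passive == false is also rejected or handled further down, since that case now reaches the rest of the function instead of crashing here.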
4 changes: 2 additions & 2 deletions axalib/strbuf.c
Expand Up @@ -50,6 +50,7 @@ axa_strbuf_append(struct axa_strbuf *sb, const char *fmt, ...) {
ssize_t avail, needed;
int status;
va_list args, args_copy;
void *ptr;

/* allocate a data buffer if necessary */
if (sb->data == NULL) {
Expand Down Expand Up @@ -79,7 +80,6 @@ axa_strbuf_append(struct axa_strbuf *sb, const char *fmt, ...) {
if (needed > avail) {
size_t offset;
ssize_t new_bufsz = 2 * sb->bufsz;
void *ptr = sb->data;

offset = sb->pos - sb->data;

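Review bot: with `void *ptr = sb->data;` removed and ptr hoisted to function scope in the hunk above, ptr is uninitialized from its declaration until the realloc() assignment; that is fine as long as every read of ptr in the grow path comes after that assignment, so please check that no error branch between here and the realloc() call frees or inspects ptr. A short comment at the declaration noting that ptr only holds the realloc() result would help future readers.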
Expand Down Expand Up @@ -130,7 +130,7 @@ axa_strbuf_clip(struct axa_strbuf *sb, size_t n_elems)

axa_strbuf_res_t
axa_strbuf_reset(struct axa_strbuf *sb) {
void *ptr = sb->data;
void *ptr;

ptr = realloc(sb->data, DEFAULT_STRBUF_ALLOC_SZ);
if (ptr == NULL) {
12 changes: 7 additions & 5 deletions axalib/tls.c
@@ -1,7 +1,7 @@
/*
* TLS transport
*
* Copyright (c) 2015 by Farsight Security, Inc.
* Copyright (c) 2015-2016 by Farsight Security, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -564,9 +564,10 @@ axa_tls_parse(axa_emsg_t *emsg,
spec, *cert_filep, strerror(errno));
} else if (0 <= stat(*key_filep, &sb)) {
return (true);
} else {
axa_pemsg(emsg, "\"%s\" %s: %s",
spec, *key_filep, strerror(errno));
}
axa_pemsg(emsg, "\"%s\" %s: %s",
spec, *key_filep, strerror(errno));

/* If that failed,
* look in the certs directory if neither file name is a path. */
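Review bot: moving the key-file axa_pemsg() out of the else branch changes the error recorded when the certificate stat() fails: that branch sets emsg to the cert-file message and then falls through to the new unconditional axa_pemsg(), which overwrites it with a message naming *key_filep and a strerror(errno) that still describes the cert-file failure. It is masked here because the code goes on to retry in the certs directory, but the structure invites the same clobbering wherever it is copied; keep the else, or skip the key-file message when the cert-file check already failed.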
Expand All @@ -587,9 +588,10 @@ axa_tls_parse(axa_emsg_t *emsg,
spec, *cert_filep, strerror(errno));
} else if (0 <= stat(*key_filep, &sb)) {
return (true);
} else {
axa_pemsg(emsg, "\"%s\" %s: %s",
spec, *key_filep, strerror(errno));
}
axa_pemsg(emsg, "\"%s\" %s: %s",
spec, *key_filep, strerror(errno));

free(*addrp);
*addrp = NULL;
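Review bot: same fall-through problem as the hunk above, and here it is user-visible: when the cert-file stat() fails, the cert-file error is clobbered by the key-file message before the cleanup (free(*addrp)), so the caller is told the wrong file is missing with an errno text that belongs to the other file. Suggest restoring the else or jumping straight to the cleanup after the cert-file axa_pemsg().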
6 changes: 3 additions & 3 deletions axalib/trie.c
Expand Up @@ -5,7 +5,7 @@
* domain names including wildcards.
*
* Searches are lock-free.
* Additions and deletions use a single mutex. Searchers must occassionally
* Additions and deletions use a single mutex. Searchers must occasionally
* get that lock to reduce their reference counts on old data.
*
* IP addresses are kept in host byte order.
Expand Down Expand Up @@ -101,7 +101,7 @@ axa_tval_delete(trie_roots_t *roots, tval_list_t **tval_listp, tval_t tval)

/* Expand one of the two value lists of a trie node.
* lock_free=true if we are working on a value list in an existing trie
* node or other list used by the searchers and so must accomodate
* node or other list used by the searchers and so must accommodate
* the lock-free reading by the searchers.
*/
static void
Expand Down Expand Up @@ -385,7 +385,7 @@ axa_trie_to_watch(axa_p_watch_t *w, const trie_node_t *node,
/*
* Add a watch list entry to one of the two watch lists of a node.
* lock_free=true if we are working on a watch list in an existing trie
* node or other list used by the searchers and so must accomodate
* node or other list used by the searchers and so must accommodate
* the lock-free reading by the searchers.
*/
static trie_node_t *
8 changes: 4 additions & 4 deletions axalib/wire.c
Expand Up @@ -675,6 +675,9 @@ axa_ipdg_parse(const uint8_t *pkt_data, size_t caplen, axa_p_ch_t ch,
uint uh_ulen;
nmsg_res res;

/* quell static analyzer complaints when dg.proto_network is AF_INET6 */
ip_hdr.ip_len = 0;

memset(dst_su, 0, sizeof(*dst_su));
memset(src_su, 0, sizeof(*src_su));
if (cmt_len > 0)
Expand Down Expand Up @@ -960,7 +963,7 @@ axa_p_to_str(char *buf0, size_t buf_len, /* should be AXA_P_STRLEN */
if (print_op)
axa_buf_print(&buf, &buf_len, " ");
axa_buf_print(&buf, &buf_len,
"unrecogized type %d", body->opt.type);
"unrecognized type %d", body->opt.type);
break;
#pragma clang diagnostic pop
}
Expand Down Expand Up @@ -1469,8 +1472,6 @@ ck_opt(axa_emsg_t *emsg, axa_p_op_t op, const axa_p_opt_t *opt, size_t opt_len)

AXA_ASSERT(opt_len >= sizeof(axa_p_opt_t) - sizeof(opt->u));

val_len = opt_len - (sizeof(axa_p_opt_t) - sizeof(opt->u));

switch ((axa_p_opt_type_t)opt->type) {
case AXA_P_OPT_TRACE:
val_len = sizeof(opt->u.trace);
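Review bot: removing the pre-switch `val_len = opt_len - (...)` default leaves val_len unset on any switch path that does not assign it; the AXA_P_OPT_TRACE case does, but the remaining cases and the default branch are outside this hunk, so please confirm that every case assigns val_len before it is compared against opt_len, or that the default returns an error without reading it. Otherwise this trades a redundant store for an uninitialized read on unknown option types, which is exactly the input an untrusted peer controls.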
Expand Down Expand Up @@ -2153,7 +2154,6 @@ axa_send_save(axa_io_t *io, size_t done, const axa_p_hdr_t *hdr,
/* Some or all of the second chunk of body was not sent.
* Save the unsent part. */
memcpy(p, ((uint8_t *)b2)+(b2_len-chunk), chunk);
p += chunk;
}
}

15 changes: 12 additions & 3 deletions cert_tools/axa_link_certs.in
@@ -1,4 +1,4 @@
#! /bin/sh -e
#! /bin/bash -e

# set -e in case we are run using `sh axa_link_certs`
set -e
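Review bot: switching the shebang to /bin/bash while keeping the comment that the script may be run as `sh axa_link_certs` is now contradictory, because the bash-only `function name() {` definition added later in this file is a syntax error under dash or another POSIX sh. Either drop the `sh` run mode from the comment or write the function as the portable `myreadlink() {` so both invocations work.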
Expand All @@ -14,12 +14,21 @@ CERTS_DIR=
ME=`basename $0`
USAGE="$ME: [-xL] [-S certsdir]"

# Function to get absolute path of a relative directory
# Sourced from: http://stackoverflow.com/a/17577143/1380985
function myreadlink() {
(
cd $(dirname $1)
echo $PWD/$(basename $1)
)
}

while getopts "xDLS:" c; do
case $c in
x) set -x; DEBUG=-x; XARGS_DEBUG=-t;;
D) DELETE=yes;;
L) NOLINK=yes;;
S) CERTS_DIR="$OPTARG";;
S) CERTS_DIR=$(myreadlink $OPTARG);;
*) echo "$USAGE" 1>&2; exit 1;;
esac
done
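Review bot: myreadlink uses $1, $OPTARG, $(dirname $1) and $(basename $1) unquoted, so a -S directory containing whitespace is split into several words and the computed CERTS_DIR is wrong; quote them, e.g. `cd -- "$(dirname "$1")"`, `echo "$PWD/$(basename "$1")"` and `CERTS_DIR=$(myreadlink "$OPTARG")`. Also note the function only resolves the parent directory and never follows symlinks, which is fine for its purpose but differs from readlink -f, so the name is a little misleading.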
Expand Down Expand Up @@ -174,7 +183,7 @@ fi


# remove old hash links (including files) from the target directory
find . -maxdepth 1 -name '*.[0-9]' | xargs $XARGS_DEBUG rm
find . -maxdepth 1 -name '*.[0-9]' | xargs $XARGS_DEBUG rm -f

# Link certificate files (but not keys) from @CONFDIR@/certs.
SRCS=.
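Review bot: `rm -f` makes the empty-match case (xargs invoking rm with no operands) exit 0 instead of aborting the script under set -e, which is the intent, but it also hides genuine removal failures such as a read-only target directory; on GNU xargs `-r` (--no-run-if-empty) handles the empty case without masking errors. Since the find output is newline-separated, `-print0 | xargs -0` would also keep file names with spaces intact.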