[fwknop.git] / ChangeLog.git

commit f7e84da340a8f154edc27bcac9bb576bf35c220b (HEAD, refs/heads/master)
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Aug 18 15:03:04 2012 -0400

    fwknop-2.0.2 release

 ChangeLog    |    2 +-
 VERSION      |    2 +-
 configure.ac |    2 +-
 todo.org     |    6 ++++++
 4 files changed, 9 insertions(+), 3 deletions(-)

commit 38feb8d7b953ad1b2e4e2ff23d6b8113a6b1bcff (refs/remotes/origin/master)
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 17 21:02:24 2012 -0400

    Better --resolve-url handling
    
    Chop any trailing '/' char, be more careful about handling incoming large HTTP
    responses, print the HTTP request and response in --verbose --verbose mode.

 client/http_resolve_host.c |   22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

commit 760162a40a0796b25a9dba1e00e2e171d3505986
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Aug 16 22:30:09 2012 -0400

    ipfw active/expire test bug fix (atoi() for config vars)

 server/config_init.c |    8 ++++----
 test/test-fwknop.pl  |    3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

commit 2c55773bdbcf473fac1cec6a4c0765a9b38a9db2
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Aug 16 22:19:39 2012 -0400

    added test/conf/ipfw_active_expire_equal_fwknopd.conf file

 Makefile.am |    1 +
 1 file changed, 1 insertion(+)

commit 3afd1aa762f1aa66bef9cdf875aea4b8bb23e567
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Aug 16 22:16:36 2012 -0400

    [server] ipfw active/expire sets cannot be the same

 test/conf/ipfw_active_expire_equal_fwknopd.conf |    6 +++
 test/test-fwknop.pl                             |   55 ++++++++++++++++++-----
 todo.org                                        |    7 +--
 3 files changed, 53 insertions(+), 15 deletions(-)

commit fda5759b2b045aaa96ee1fa6d14fb3c17fe0fd01
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Aug 16 21:18:11 2012 -0400

    todo.org notes update

 todo.org |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

commit 3af8e4c51769495a702a28bd630abf37162ada6c
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 15 22:49:29 2012 -0400

    [client] Added cipherdyne.com backup check in -R mode.
    
    Added backup check against a cipherdyne.com 'myip' cgi instance in -R mode if
    the normal check against cipherdyne.org fails.

 ChangeLog                  |    2 +
 client/fwknop.c            |    2 +
 client/fwknop_common.h     |    3 +-
 client/http_resolve_host.c |  225 ++++++++++++++++++++++++--------------------
 4 files changed, 131 insertions(+), 101 deletions(-)

commit a646a024d98f660f32991baa532bcbae1eceec60
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 15 22:46:49 2012 -0400

    added 'Pragma: no-cache' header

 extras/myip/myip.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

commit 419fbafa0442caa1e9bd071bf4b178082fcc4a54
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 22:52:24 2012 -0400

    added extras/myip/myip.c

 Makefile.am |    1 +
 1 file changed, 1 insertion(+)

commit 37950df66f40e04cb428519f313f4697a198de45
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 22:35:02 2012 -0400

    bumped version to fwknop-2.0.2-pre3

 VERSION      |    2 +-
 configure.ac |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit c272339707229fa23d65e303d2ef7b163d855ec6
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 22:34:03 2012 -0400

    todo.org notes update

 todo.org |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

commit 7ae45ecad109ebf9dc21c2d8a966e05b6c5c5b78
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 22:31:03 2012 -0400

    Added GPG_ALLOW_NO_PW to the fwknopd man page

 doc/fwknopd.man.asciidoc |   10 ++++++++++
 1 file changed, 10 insertions(+)

commit 66187a22af035425ded6df60dbf9f50cdab53938
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 22:21:34 2012 -0400

    minor defensive fko_destroy() calls in two error condition blocks

 server/incoming_spa.c |    4 ++++
 1 file changed, 4 insertions(+)

commit dfe6679c5750b577ae3e923ecbd140d935628864
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 14 21:51:00 2012 -0400

    Added the extras/myip/ directory for client IP resolution code
    
    The myip.c file is deployed at http://www.cipherdyne.org/cgi-bin/myip
    for fwknop client IP resolution.

 extras/myip/myip.c |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

commit 385396b845c87997ce5b3506ae9e56c0184007a6
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Aug 13 22:53:29 2012 -0400

    Added --enable-distcheck for 'make distcheck' verification

 test/test-fwknop.pl |   28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

commit 863838d0ba54c666150d98c643c7cc0456404e18
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Aug 13 22:39:03 2012 -0400

    [server] Preserve any existing config files in /etc/fwknop/
    
    Updated the 'make install' step to not overwrite any existing config files in
    /etc/fwknop/ and instead install new copies from the source tree at
    /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst

 ChangeLog                |    5 +-
 ChangeLog.git            |  313 ++++++++++++++++++++++++++++++++++++++++++++++
 Makefile.am              |   41 +++++-
 server/Makefile.am       |    3 +-
 server/access.conf.inst  |    1 +
 server/fwknopd.conf.inst |    1 +
 todo.org                 |    8 ++
 7 files changed, 366 insertions(+), 6 deletions(-)

commit 8fafd4b80bf215da311dc2b53f33b0e4cd269944
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 12 19:57:11 2012 -0400

    [server] 'make install' permissions fix
    
    Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
    Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.

 ChangeLog   |    2 ++
 Makefile.am |    3 +++
 todo.org    |    5 +++--
 3 files changed, 8 insertions(+), 2 deletions(-)

commit 543de16613b89723ef1350df3e59df126586800e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 12 15:44:13 2012 -0400

    [server] iptables 'comment' match check
    
    Implemented a new check to ensure that the iptables 'comment' match exists to
    ensure the proper environment for fwknopd operations.  This check is controlled
    by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank
    Leininger.

 CREDITS                   |    5 +++
 ChangeLog                 |    4 +++
 server/cmd_opts.h         |    1 +
 server/config_init.c      |    6 ++++
 server/fw_util.h          |    1 +
 server/fw_util_iptables.c |   75 ++++++++++++++++++++++++++++++++++++++++++++-
 server/fw_util_iptables.h |    1 +
 server/fwknopd.conf       |    9 ++++++
 server/fwknopd_common.h   |   26 ++++++++--------
 todo.org                  |    5 ++-
 10 files changed, 119 insertions(+), 14 deletions(-)

commit a087b11887ff4fffb4057198e559d448b016ac0e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 12 15:23:38 2012 -0400

    todo update

 todo.org |    8 ++++++++
 1 file changed, 8 insertions(+)

commit a686d96d444ab739742e31967153b2bf02b62f0d
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 12 09:29:51 2012 -0400

    Added todo.org org mode file
    
    The todo.org mode file was built with vim and the VimOrganizer project:
    
    https://github.com/hsitz/VimOrganizer

 Makefile.am |    1 +
 todo.org    |   10 ++++++++++
 2 files changed, 11 insertions(+)

commit dc23c640bb2f757a2121ea0a83d18648dcaec32f (tag: refs/tags/fwknop-2.0.2-pre2)
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Aug 11 09:33:54 2012 -0400

    added gpg_no_pw_access.conf file for no password gpg tests

 Makefile.am |    1 +
 1 file changed, 1 insertion(+)

commit 72229b5f46084e9cfca36bb2e1ba23c4b7f09b66
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Aug 11 09:21:49 2012 -0400

    bumped version to fwknop-2.0.2-pre2

 VERSION      |    2 +-
 configure.ac |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 27ccfe35d36c7ba1d94734fb21a46c77aaf30719
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 10 21:52:09 2012 -0400

    [server] Added GPG_ALLOW_NO_PW variable and associated test suite support
    
    For GPG mode, added a new access.conf variable "GPG_ALLOW_NO_PW" to make it
    possible to leverage a server-side GPG key pair that has no associated
    password.  This comes in handy when a system requires the user to leverage
    gpg-agent / pinentry which can present a problem in automated environments as
    required by the fwknopd server.  Now, it might seem like a problem to remove
    the passphrase from a GPG key pair, but it's important to note that simply
    doing this is little worse than storing the passphrase in the clear on disk
    anyway in the access.conf file.  Further, this link help provides additional
    detail:
    
    http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

 ChangeLog                              |   23 +++++
 Makefile.am                            |   12 ++-
 server/access.c                        |   13 +++
 server/incoming_spa.c                  |    2 +-
 test/conf/client-gpg-no-pw/pubring.gpg |  Bin 0 -> 2480 bytes
 test/conf/client-gpg-no-pw/secring.gpg |  Bin 0 -> 1274 bytes
 test/conf/client-gpg-no-pw/trustdb.gpg |  Bin 0 -> 1360 bytes
 test/conf/gpg_no_pw_access.conf        |    7 ++
 test/conf/server-gpg-no-pw/pubring.gpg |  Bin 0 -> 2480 bytes
 test/conf/server-gpg-no-pw/secring.gpg |  Bin 0 -> 1276 bytes
 test/conf/server-gpg-no-pw/trustdb.gpg |  Bin 0 -> 1360 bytes
 test/test-fwknop.pl                    |  176 ++++++++++++++++++++++++++++++++
 12 files changed, 229 insertions(+), 4 deletions(-)

commit 0af3bd0ee10768f6838aafe9fdc66187e5be9ee4
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 10 21:48:02 2012 -0400

    [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT
    
    Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate
    the corresponding functionality that is implemented for iptables firewalls.
    
    Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then
    do not disable this set whenever the FLUSH_IPFW* variables are enabled.
    
    These changes were suggested by Jonathan Schulz.

 server/cmd_opts.h       |    2 +
 server/config_init.c    |   26 +++++++++++-
 server/fw_util_ipfw.c   |   46 ++++++++++++--------
 server/fwknopd.conf     |  108 ++++++++++++++++++++++++++---------------------
 server/fwknopd_common.h |    4 ++
 5 files changed, 121 insertions(+), 65 deletions(-)

commit c6f3fde5371c1be48d8e1bc7e17dde89e19d02fc
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 10 21:43:49 2012 -0400

    bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality

 server/fw_util_iptables.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

commit fbdae500641b4ab46bc54dbf2e509eae2625dc44
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 8 21:27:33 2012 -0400

    added Geoff Carstairs for the FORCE_NAT idea

 CREDITS |    7 +++++++
 1 file changed, 7 insertions(+)

commit fd3044012843dfcaa9ab4f9030c70732f29a3b90
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 5 14:07:42 2012 -0400

    added Aldan Beaubien for reporting the Morpheus NULL IP problem

 CREDITS |    5 +++++
 1 file changed, 5 insertions(+)

commit e70739d2117a229e842d3a1bc43f1cf2a6fab46e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 5 13:05:55 2012 -0400

    minor whitespace update

 server/fw_util_ipfw.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

commit f6ac4484c95f443dfce9c6b7dafbff8126ade9ad
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 5 13:05:30 2012 -0400

    minor memset value update 0 -> 0x0 to conform to other memset() calls

 client/http_resolve_host.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 4cde31584fb9afed499b5951b7ae88b7765808c3 (tag: refs/tags/fwknop-2.0.2-pre1)
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 3 22:16:22 2012 -0400

    bumped version to 2.0.2-pre1

 VERSION                      |    2 +-
 android/project/jni/config.h |    6 +++---
 configure.ac                 |    2 +-
 fwknop.spec                  |    2 +-
 iphone/Classes/config.h      |    6 +++---
 lib/fko.h                    |    2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)

commit 79a947603a7c2bc4636d33834ca0b9fdd033a894
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 3 22:08:14 2012 -0400

    added changes for the 2.0.2 release (so far)

 ChangeLog |   38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

commit 29512bd8ec16f47db568694ec172075412ca115d
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 3 21:49:03 2012 -0400

    [client] -R http recv() read until close (Jonathan Schulz)
    
    Applied patch from Jonathan Schulz to ensure that the fwknop client reads all
    data from a remote webserver when resolving the client IP address in -R mode.
    Jonathan indicated that some webservers would transfer HTTP headers and data
    separately, and a single recv() would therefore fail to get the necessary IP
    information.

 client/http_resolve_host.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

commit 7c1db891061dba5cdc29fb8cfe0c88e0a4a408dd
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Aug 3 21:30:24 2012 -0400

    minor white space fix tabs->spaces

 client/http_resolve_host.c |   82 ++++++++++++++++++++++----------------------
 1 file changed, 41 insertions(+), 41 deletions(-)

commit 7061b7bd3ecb1de6ae151b6b85af9251d46e32c6
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 1 23:40:34 2012 -0400

    added Jonathan Schulz

 CREDITS |    4 ++++
 1 file changed, 4 insertions(+)

commit 84e036f95b6b239c95c696b884c3989fc30af338
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 1 23:27:34 2012 -0400

    Change HTTP connection type to 'close' in -R mode
    
    Applied patch from Jonathan Schulz to change the HTTP connection type to
    'close' for the client in -R mode.

 client/http_resolve_host.c |    2 +-
 client/spa_comm.c          |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 5fd3343ca9ae8cce9e39d8a4ccb0efb41ae78128
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 1 22:30:02 2012 -0400

    added client IP resolution test with complete SPA->SSH cycle

 test/test-fwknop.pl |   39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

commit 016098a2543126f2fa01b3f4057646f0ad2842c5
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Jul 29 23:31:15 2012 -0400

    Replay attack bug fix (encryption prefixes)
    
    Ensure that an attacker cannot force a replay attack by intercepting an
    SPA packet and the replaying it with the base64 version of "Salted__"
    (for Rindael) or the "hQ" prefix (for GnuPG).  This is an important fix.
    The following comment was added into the fwknopd code:
    
    /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
     * since an attacker might have tacked them on to a previously seen
     * SPA packet in an attempt to get past the replay check.  And, we're
     * no worse off since a legitimate SPA packet that happens to include
     * a prefix after the outer one is stripped off won't decrypt properly
     * anyway because libfko would not add a new one.
    */
    
    Conflicts:
    
        lib/cipher_funcs.h

 lib/cipher_funcs.h    |    6 ------
 lib/fko.h             |    8 ++++++++
 server/incoming_spa.c |   14 ++++++++++++++
 test/test-fwknop.pl   |   48 +++++++++++++++++++++++++++++++++++++++++++++---
 4 files changed, 67 insertions(+), 9 deletions(-)

commit c0e53482fa766f1c89d18931e35ebca6297f8018
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Jul 29 21:31:44 2012 -0400

    [libfko] minor memory leak fix for user detection (corner case)

 lib/fko_user.c |    4 ++++
 1 file changed, 4 insertions(+)

commit 060fbb607f25ea2cd511d4cd548dc419d8eb3884
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Jul 28 00:08:30 2012 -0400

    [server] replay attack detection memory leak bug fix
    
    This commit fixes the following memory leak found with valgrind:
    
    44 bytes in 1 blocks are definitely lost in loss record 2 of 2
       at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
       by 0x490EA50: strdup (strdup.c:43)
       by 0x10CD69: incoming_spa (incoming_spa.c:162)
       by 0x10E000: process_packet (process_packet.c:200)
       by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x10DABF: pcap_capture (pcap_capture.c:226)
       by 0x10A798: main (fwknopd.c:299)

 server/incoming_spa.c |    4 ++++
 1 file changed, 4 insertions(+)