1 fwknop-2.0.2 (08/18/2012):
2 - [server] For GPG mode, added a new access.conf variable
3 "GPG_ALLOW_NO_PW" to make it possible to leverage a server-side GPG key
4 pair that has no associated password. This comes in handy when a system
5 requires the user to leverage gpg-agent / pinentry which can present a
6 problem in automated environments as required by the fwknopd server.
7 Now, it might seem like a problem to remove the passphrase from a GPG
8 key pair, but it's important to note that simply doing this is little
9 worse than storing the passphrase in the clear on disk anyway in the
10 access.conf file. Further, this link helps provide additional detail:
12 http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment
14 - [client] In IP resolution mode (-R) changed HTTP connection type to
15 'close' since there is no need for connection persistence, and indeed the
16 client expects to just get the IP and the connection to be closed.
17 Jonathan Schulz submitted a patch for this.
18 - [client] Bug fix to ensure that all data is read via recv() from a
19 remote webserver IP resolution mode (-R). Previously IP resolution
20 could fail if HTTP headers were transferred separately from the data
21 (for whatever reason). Jonathan Schulz submitted a patch for this.
22 - [client] Added backup check against a cipherdyne.com 'myip' cgi instance
23 in -R mode if the normal check against cipherdyne.org fails.
24 - [server] Bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT
25 functionality. These are enabled by default, and now iptables rules
26 added by fwknopd can be made persistant by setting these variables to
27 "N" in the fwknopd.conf file (this is not a recommended setting
29 [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw
30 firewalls to emulate the corresponding functionality that is implemented
31 for iptables firewalls. This was suggested by Jonathan Schulz.
32 - [server] Replay attack bug fix to ensure that an attacker cannot force a
33 replay attack by intercepting an SPA packet and the replaying it with the
34 base64 version of "Salted__" (for Rindael) or the "hQ" prefix (for
35 GnuPG). This is an important fix. The following comment was added into
38 /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
39 * since an attacker might have tacked them on to a previously seen
40 * SPA packet in an attempt to get past the replay check. And, we're
41 * no worse off since a legitimate SPA packet that happens to include
42 * a prefix after the outer one is stripped off won't decrypt properly
43 * anyway because libfko would not add a new one.
46 - [server] Fixed a memory leak bug in the replay attack detection code.
47 The leak was found with the test suite in --enable-valgrind mode, and
48 here is the valgrind trace that exposed it:
50 44 bytes in 1 blocks are definitely lost in loss record 2 of 2
51 at 0x482BE68: malloc (in
52 /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
53 by 0x490EA50: strdup (strdup.c:43)
54 by 0x10CD69: incoming_spa (incoming_spa.c:162)
55 by 0x10E000: process_packet (process_packet.c:200)
56 by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
57 by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
58 by 0x10DABF: pcap_capture (pcap_capture.c:226)
59 by 0x10A798: main (fwknopd.c:299)
61 - [test suite] Added GPG tests for keyrings that have no associated
63 - [server] Implemented a new check to ensure that the iptables 'comment'
64 match exists to ensure the proper environment for fwknopd operations.
65 This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
66 and was suggested by Hank Leininger.
67 - [server] 'make install' fix to ensure restrictive permissions on the
68 /etc/fwknop/ directory and /etc/fwknop/* files. Also updated the 'make
69 install' step to not overwrite any existing config files in /etc/fwknop/
70 and instead install new copies from the source tree at
71 /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst
73 fwknop-2.0.1 (07/23/2012):
74 - [server] Bug fix where the same encryption key used for two stanzas in
75 the access.conf file would result in access requests that matched the
76 second stanza to always be treated as a replay attack. This has been
77 fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now
78 the fwknopd server computes the SHA256 digest of raw incoming payload
79 data before decryption, and compares this against all previous hashes.
80 Previous to this commit, fwknopd would add a new hash to the replay
81 digest list right after the first access.conf stanza match, so when SPA
82 packet data matched the second access.conf stanza a matching replay
83 digest would already be there.
84 - [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
85 microseconds). This was supposed to be the default anyway, but C
86 Anthony Risinger reported a bug where fwknopd was consuming more
87 resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
88 default to 1/100th of a second - this has been fixed.
89 - [libfko] Added SPA message validation calls to fko decoding routines to
90 help ensure that SPA messages conform to expected values.
91 - Bug fix for PF firewalls: updated the PF anchor check to not rely on
92 listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
93 - [test suite] Added parsing of valgrind output to produce a listing of
94 functions that have been flagged - this assists in the development
95 process to ensure that fwknop is not leaking memory.
96 - [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path
97 instead of libfko.so. This fixes the existence check for libfko.
98 - [test suite] Added tests for --nat-local mode.
99 - [client] Fixed several minor memory leaks caught by valgrind.
100 - [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
101 ‘edata_size’ set but not used [-Wunused-but-set-variable].
102 - Updated fwknopd init script for Debian systems (contributed by Franck
105 fwknop-2.0 (01/02/2012):
106 - This is the first production release that has been completely re-written
107 in C. This brings Single Packet Authorization functionality to all sorts
108 of machines from embedded devices to large systems. iptables, ipfw, and
109 pf firewalls are supported by the fwknopd daemon, and the fwknop client
110 is known to work on most major *NIX environments, the iPhone and Android
111 operating systems, and Cygwin under Windows.
112 - Added FORCE_NAT mode to the access.conf file so that for any valid SPA
113 packet, force the requested connection to be NAT'd through to the
114 specified (usually internal) IP and port value. This is useful if there
115 are multiple internal systems running a service such as SSHD, and you
116 want to give transparent access to only one internal system for each
117 stanza in the access.conf file. This way, multiple external users can
118 each directly access only one internal system per SPA key.
119 - Added two new access.conf variables are added "ACCESS_EXPIRE" and
120 "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without
121 having to modify the access.conf file and restart fwknopd.
122 - Added a new feature to allow an access stanza that matches the SPA source
123 address to not automatically short circuit other stanzas if there is an
124 error (such as when there are multiple encryption keys involved and an
125 incoming SPA packet is meant for, say, the second stanza and the first
126 therefore doesn't allow proper decryption).
127 - Bug fix to exclude SPA packets with timestamps in the future that are too
128 great (old packets were properly excluded already).
129 - Bug fix to honor the fwknop client --time-offset-plus and
130 --time-offset-minus options
131 - Added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd
132 check for ENABLE_IPT_FORWARDING variable before attempting NAT access.
133 - [test suite] Added --diff mode to compare results from one execution to
projects / fwknop.git / blob