- Major release of new functionality - HMAC authenticated encryption
  support in the encrypt-then-authenticate model for SPA communications.
  Supported HMAC digests include MD5, SHA1, SHA256, SHA384, and SHA512.
  The default is HMAC-SHA256 when an HMAC is used. The HMAC mode is
  supported for both Rijndael and GPG encrypted SPA packet data, and
  provides a significant security benefit for the fwknopd server since
  HMAC verification is far simpler than decryption operations, so forged
  packets are rejected before any decryption is attempted. This is
  particularly true for GPG. Beyond this, HMAC authenticated encryption
  in the encrypt-then-authenticate mode does not suffer from things like
  CBC-mode padding oracle attacks (see the Vaudenay attack and the more
  recent "Lucky 13" attack against SSL).
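As an added illustration of the encrypt-then-authenticate construction described above (example code written for this page, not libfko's implementation; AES-CBC with PKCS#7 padding, HMAC-SHA256 over IV||ciphertext, and the key sizes are assumptions, and fwknop's own packet layout is not reproduced):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrAuth = errors.New("HMAC verification failed")
var ErrPad = errors.New("bad CBC padding")

// sealSPA encrypts msg with AES-CBC (PKCS#7 padding) under a random IV, then
// appends an HMAC-SHA256 tag over IV||ciphertext: encrypt-then-authenticate.
func sealSPA(encKey, macKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // 16-, 24- or 32-byte key, used in full
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// openSPA verifies the tag in constant time before any decryption: a forged or
// modified packet fails with ErrAuth, so ErrPad (the padding-oracle signal) is
// only reachable by a sender that already holds macKey.
func openSPA(encKey, macKey, pkt []byte) ([]byte, error) {
	if len(pkt) < 2*aes.BlockSize+sha256.Size || (len(pkt)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	body, tag := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrPad
	}
	return pt[:len(pt)-pad], nil
}
```

Flipping any ciphertext byte of a sealed packet yields ErrAuth, never ErrPad, which is the property that closes the padding-oracle channel.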
- [libfko] Significant bug fix to honor the full encryption key length for
  user-supplied Rijndael keys > 16 bytes long. Prior to this fix,
  only the first 16 bytes of a key were actually used in the encryption/
  decryption process even if the supplied key was longer. The result was
  a weakening of expected security for users that had keys > 16 bytes,
  although this is probably not too common. Note that "passphrase" is
  perhaps technically a better word for "user-supplied key" in this
  context since the actual key is generated with the PBKDF1 key derivation
  algorithm. This issue was reported by Michael T. Dean. Closes issue #18
- [libfko] Added the ability to maintain backwards compatibility with the
  now deprecated "zero padding" key derivation strategy in AES mode that
  was a holdover from the old perl fwknop implementation. This is NOT
  compliant with PBKDF1 and is only brought forward into fwknop-2.5 for
  backwards compatibility. Future versions of fwknop will remove this
  code altogether since PBKDF1 is now implemented.
- [test suite] Added --enable-openssl-checks to send all SPA packets
  encrypted via libfko through the OpenSSL library to ensure that the
  libfko usage of AES is always compatible with OpenSSL. This ensures
  that the fwknop usage of AES is properly implemented as verified by the
  OpenSSL library, which is a frequently audited, high profile crypto
  engine. If a vulnerability is discovered in OpenSSL and a change is
  made, then the --enable-openssl-checks mode will allow the test suite to
  discover this in an automated fashion for fwknop.
- The fwknop project is using Coverity for source code validation (in
  addition to other tools such as the CLANG static analyzer). Many bugs
  have been fixed in this release that were discovered by Coverity. These
  bugs spanned multiple classes of problems, from memory leaks and improper
  use of sizeof() to potential double-free conditions, and more. Full
  details on these fixes are available in the git history. Any open source
  project that is written in a language supported by Coverity would benefit highly
- [test suite] Changed how the test suite interacts with the fwknop client
  and server by looking for indications that SPA packets are actually
  received. This is done by first waiting for 'main event loop' in fwknopd
  log output to ensure that fwknopd is ready to receive packets, sending
  the SPA packet(s), and then watching for 'SPA Packet from IP' in
  fwknopd output. This is an improvement over the previous strategy that
  was only based on timeout values since it works identically regardless of
  whether fwknop is being run under valgrind or when the test suite is run
  on an embedded system with very limited resources. Another check is run
  for fwknopd receiving the SIGTERM signal to shutdown via 'fwknopd -K',
  and failing that, the test suite manually kills the process (though this
  should rarely be needed). This change was implemented based on
  discussions with George Herlin.
- (Franck Joncourt) Added support for resolving hostnames in various NAT
  modes (fixes issue #43 in github).
- (Franck Joncourt) Bug fix in the client for resolving hostnames in '-P
  icmp' mode (fixes issue #64).
- (Franck Joncourt) Added support for saving fwknop client command line
  arguments via a new option, --save-rc-stanza.
- (Franck Joncourt) Added log module support for the client.
- [client] Bug fix for --nat-rand-port mode to ensure that the port to be
  NAT'd is properly defined so that the fwknopd server will NAT
  connections to this port instead of applying the NAT operation to the
  port that is to be accessed via -A. This change also prints the
  randomly assigned port to stdout regardless of whether --verbose mode is
  used (since otherwise the user would have no idea which port is
  actually going to be NAT'd on the fwknopd side).
- (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.4, and this has
  been checked in under the extras/openbsd/fwknop-2.0.4 directory.
- (Shawn Wilson) Added better SPA source IP logging for various fwknopd
  logging messages. This helps to make it more clear why certain SPA
  packets are rejected from some systems.
- [client] Added --get-hmac-key to allow HMAC keys to be acquired from the
  specified file similarly to the --get-key option. This is a convenience
  only, and the fwknop rc file feature should be used instead since it is

fwknop-2.0.4 (12/09/2012):
- [client] Misc fixes and the addition of save_args and last command
  (.fwknop.last) support on the Windows platform.
- [client] Fixed bug in username determination code where a valid value
  could be overwritten in certain circumstances.
- [server] Added upstart config at extras/upstart/fwknop.conf. This
  allows fwknopd to be easily managed with upstart via commands like
  "service fwknop start" and "service fwknop stop".
- [server] (Vlad Glagolev) Submitted a patch to fix ndbm/gdbm usage when
  --disable-file-cache is used for the autoconf configure script. This
  functionality was broken in be4193d734850fe60f14a26b547525ea0b9ce1e9
  through improper handling of #define macros from --disable-file-cache.
- [server] (Vlad Glagolev) Submitted a patch to fix command exec mode
  under the SPA message type validity test. Support for command exec mode
  was also added to the test suite.
- (Vlad Glagolev) Submitted an OpenBSD port for fwknop-2.0.3, and this has
  been checked in under the extras/openbsd/ directory.
- [server] Bug fix to allow GPG_ALLOW_NO_PW to result in not also having
  to specify a Rijndael key.
- [Android] Added new .properties files to allow the fwknop client to
  build and function properly on the latest Android release (4.1.2).
- [client] Added '-P udpraw' to allow the client to send SPA packets over
  UDP with a spoofed source IP address. This is in addition to the
  original 'tcpraw' and 'icmp' protocols that also support a spoofed
- [libfko] Bug fix to check the b64_decode() return value to ensure that
  non-base64 encoded data is never used. Even though other validation
  routines checked decoded results, it is important to discard invalid
  data as early as possible. Note too that such invalid data would only
  be provided to b64_decode() after proper decryption, so the client must
  provide authentic SPA data.
- [libfko] Added validation of NAT access strings in the various NAT
- [libfko] Restricted usernames embedded in SPA packets to be
  alpha-numeric along with "-" chars.
- [client] (Franck Joncourt) Contributed a patch to allow the fwknop
  client to be stopped during the password entry prompt with Ctrl-C before
  any SPA packet is sent on the wire.
- [client+server] Applied patch from Franck Joncourt to remove the
  unnecessary chmod() call when creating the client rc file and server
  replay cache file. The permissions are now set appropriately via open(),
  and at the same time this patch fixes a potential race condition since
  the previous code used fopen() followed by chmod().
- [server] Bug fix to accept SPA packets over ICMP if the fwknop client
  is executed with '-P icmp' and the user has the required privileges.
- [test suite] Applied patch from Franck Joncourt to have the perl FKO
  module link against libfko in the local directory (if it exists) so that
  it doesn't have to have libfko completely installed in the /usr/lib/
  directory. This allows the test suite to run FKO tests without
- [test suite] Significant update to include a set of fuzzing SPA packets
  that are built using a patched version of libfko. These packets are
  located in the test/fuzzing/bogus_spa_packets file, and are designed to
  ensure proper validation of SPA packet data. This validation is
  performed in --enable-perl-module-checks mode via the perl FKO module.
- [client] Added --icmp-type and --icmp-code arguments so the user can
  control the icmp type/code combination for spoofed SPA packets ('-P
- [client] Updated default TTL value to 64 for spoofed SPA packets. This
  is closer to the default TTL values of most operating systems than the
  previous 255.
- Updated build CFLAGS and LDFLAGS to conform to the Debian
  hardening-includes file for PIE support (e.g. '-fPIE' for CFLAGS and
  '-fPIE -pie' for LDFLAGS).
- [test suite] For GnuPG tests that require a passphrase associated with
  a gpg key, added a pinentry check to see if the local gpg engine
  requires it. If so, the gpg tests that require a key are excluded since.
- [server] Added a new '--pcap-file <file>' option to allow pcap files to
  be processed directly by fwknopd instead of sniffing an interface. This
  feature is mostly intended for debugging purposes.
- [server] Added a chain_exists() check to SPA rule creation so that if any
  of the fwknop chains are deleted out from under fwknopd they will be
  recreated on the fly. This mitigates scenarios where fwknopd might be
  started before a system level firewall policy is applied due to init
  script ordering, or if an iptables policy is re-applied without

fwknop-2.0.3 (09/03/2012):
- [server] Fernando Arnaboldi from IOActive found several DoS/code
  execution vulnerabilities for malicious fwknop clients that manage to
  get past the authentication stage (so such a client must be in
  possession of a valid access.conf encryption key). These vulnerabilities
  manifested themselves in the handling of malformed access requests, and
  both the fwknopd server code and libfko now perform stronger input
  validation of access request data. These vulnerabilities affect
  pre-2.0.3 fwknop releases.
- [server] Fernando Arnaboldi from IOActive found a condition in which
  the server did not properly validate allow IP addresses from malicious
  authenticated clients. This has been fixed with stronger allow IP
- [client+server] Fernando Arnaboldi from IOActive found that strict
  filesystem permissions for various fwknop files are not verified. Added
  warnings whenever permissions are not strict enough, and ensured that
  files created by the fwknop client and server are only set to user
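An added example (not the project's code) showing the fopen()-then-chmod() race named in the 2.0.4 entry beside the open()-with-mode fix, plus a strict-permission check of the kind the 2.0.3 entry describes; the function names and the sample file path are constructed for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// createRacy is the pattern the patch removed: fopen()-style creation leaves
// the file with the umask-derived mode (commonly 0644) until chmod() narrows
// it, and another local user can open the file inside that window.
func createRacy(path string) error {
	f, err := os.Create(path) // created as 0666 &^ umask
	if err != nil {
		return err
	}
	f.Close()
	return os.Chmod(path, 0600)
}

// createStrict sets the mode at open() time, so there is no window; O_EXCL
// additionally refuses a path that already exists (including a symlink).
func createStrict(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return err
	}
	return f.Close()
}

// checkStrictPerms models the 2.0.3 warning (this page's rendering, not
// fwknop's code): any bit beyond owner read/write on a key, rc or replay
// cache file is reported.
func checkStrictPerms(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	perm := uint32(fi.Mode().Perm())
	if extra := perm &^ 0600; extra != 0 {
		return fmt.Errorf("%s: mode %04o is not strict enough (extra bits %04o)", path, perm, extra)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "fwknop-perm-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "digest.cache") // constructed sample path
	if err := createStrict(p); err != nil {
		panic(err)
	}
	fmt.Println("strict:", checkStrictPerms(p))
	os.Chmod(p, 0644)
	fmt.Println("loosened:", checkStrictPerms(p))
}
```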
- [client] Fernando Arnaboldi from IOActive found a local buffer overflow
  in --last processing with a maliciously constructed ~/.fwknop.run file.
  This has been fixed with proper validation of .fwknop.run arguments.
- [server] Fernando Arnaboldi from IOActive found several conditions in
  which the server did not properly throw out maliciously constructed
  variables in the access.conf file. This has been fixed along with new
  fuzzing tests in the test suite.
- [test suite] Added a new fuzzing capability to ensure proper server-side
  input validation. Fuzzing data is constructed with modified fwknop
  client code that is designed to emulate malicious behavior.
- Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local
  and install-exec-hook stages in Makefile.am.

fwknop-2.0.2 (08/18/2012):
- [server] For GPG mode, added a new access.conf variable
  "GPG_ALLOW_NO_PW" to make it possible to leverage a server-side GPG key
  pair that has no associated password. This comes in handy when a system
  requires the user to leverage gpg-agent / pinentry, which can present a
  problem in automated environments as required by the fwknopd server.
  Now, it might seem like a problem to remove the passphrase from a GPG
  key pair, but it's important to note that simply doing this is little
  worse than storing the passphrase in the clear on disk anyway in the
  access.conf file. Further, this link helps provide additional detail:

  http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

- [client] In IP resolution mode (-R) changed HTTP connection type to
  'close' since there is no need for connection persistence, and indeed the
  client expects to just get the IP and the connection to be closed.
  Jonathan Schulz submitted a patch for this.
- [client] Bug fix to ensure that all data is read via recv() from a
  remote webserver in IP resolution mode (-R). Previously IP resolution
  could fail if HTTP headers were transferred separately from the data
  (for whatever reason). Jonathan Schulz submitted a patch for this.
- [client] Added backup check against a cipherdyne.com 'myip' cgi instance
  in -R mode if the normal check against cipherdyne.org fails.
- [server] Bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT
  functionality. These are enabled by default, and now iptables rules
  added by fwknopd can be made persistent by setting these variables to
  "N" in the fwknopd.conf file (this is not a recommended setting
- [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw
  firewalls to emulate the corresponding functionality that is implemented
  for iptables firewalls. This was suggested by Jonathan Schulz.
- [server] Replay attack bug fix to ensure that an attacker cannot force a
  replay attack by intercepting an SPA packet and then replaying it with the
  base64 version of "Salted__" (for Rijndael) or the "hQ" prefix (for
  GnuPG). This is an important fix. The following comment was added into

  /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
   * since an attacker might have tacked them on to a previously seen
   * SPA packet in an attempt to get past the replay check. And, we're
   * no worse off since a legitimate SPA packet that happens to include
   * a prefix after the outer one is stripped off won't decrypt properly
   * anyway because libfko would not add a new one.

- [server] Fixed a memory leak bug in the replay attack detection code.
  The leak was found with the test suite in --enable-valgrind mode, and
  here is the valgrind trace that exposed it:

  44 bytes in 1 blocks are definitely lost in loss record 2 of 2
     at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x490EA50: strdup (strdup.c:43)
     by 0x10CD69: incoming_spa (incoming_spa.c:162)
     by 0x10E000: process_packet (process_packet.c:200)
     by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
     by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
     by 0x10DABF: pcap_capture (pcap_capture.c:226)
     by 0x10A798: main (fwknopd.c:299)

- [test suite] Added GPG tests for keyrings that have no associated
- [server] Implemented a new check to ensure that the iptables 'comment'
  match exists to ensure the proper environment for fwknopd operations.
  This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
  and was suggested by Hank Leininger.
- [server] 'make install' fix to ensure restrictive permissions on the
  /etc/fwknop/ directory and /etc/fwknop/* files. Also updated the 'make
  install' step to not overwrite any existing config files in /etc/fwknop/
  and instead install new copies from the source tree at
  /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst

fwknop-2.0.1 (07/23/2012):
- [server] Bug fix where the same encryption key used for two stanzas in
  the access.conf file would result in access requests that matched the
  second stanza always being treated as a replay attack. This has been
  fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now
  the fwknopd server computes the SHA256 digest of raw incoming payload
  data before decryption, and compares this against all previous hashes.
  Prior to this commit, fwknopd would add a new hash to the replay
  digest list right after the first access.conf stanza match, so when SPA
  packet data matched the second access.conf stanza a matching replay
  digest would already be there.
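An added example, not fwknopd's code, that models the two replay-check fixes described in the 2.0.2 and 2.0.1 entries above: incoming data that still carries a Rijndael or GnuPG prefix is discarded, and the SHA256 digest of the raw payload is compared against every previous packet before any access.conf stanza is tried, with the digest recorded only once a stanza succeeds. The Stanza type and the sample payloads are constructed stand-ins for the real decryption attempt.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Prefixes named in the 2.0.2 entry; per that entry a received packet
// should not carry one, since libfko adds the prefix itself before decrypting.
const (
	rijndaelPrefix = "U2FsdGVkX1" // base64 of "Salted__"
	gpgPrefix      = "hQ"
)

var (
	ErrTackedPrefix = errors.New("SPA data carries an encryption prefix; discarded")
	ErrReplay       = errors.New("replay: SPA digest already seen")
	ErrNoStanza     = errors.New("no access.conf stanza decrypted the SPA data")
)

// Stanza models one access.conf stanza: does its key decrypt the raw data?
type Stanza func(raw string) bool

// ReplayCache keeps the SHA256 digest of every raw SPA payload accepted so far.
type ReplayCache struct{ seen map[string]bool }

func NewReplayCache() *ReplayCache { return &ReplayCache{seen: map[string]bool{}} }

// Check runs on the raw payload before any decryption or stanza matching, so
// the digest is compared against all previous packets no matter which stanza
// (and therefore which key) later turns out to match.
func (c *ReplayCache) Check(raw string) (string, error) {
	if strings.HasPrefix(raw, rijndaelPrefix) || strings.HasPrefix(raw, gpgPrefix) {
		return "", ErrTackedPrefix
	}
	sum := sha256.Sum256([]byte(raw))
	digest := hex.EncodeToString(sum[:])
	if c.seen[digest] {
		return digest, ErrReplay
	}
	return digest, nil
}

// Process is the 2.0.1 ordering: one replay check up front, every stanza tried,
// and the digest stored only after some stanza succeeds (the pre-fix code stored
// it after the first stanza match, so a later stanza saw it as already seen).
func (c *ReplayCache) Process(raw string, stanzas []Stanza) error {
	digest, err := c.Check(raw)
	if err != nil {
		return err
	}
	for _, decrypts := range stanzas {
		if decrypts(raw) {
			c.seen[digest] = true
			return nil
		}
	}
	return ErrNoStanza
}
```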
- [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
  microseconds). This was supposed to be the default anyway, but C
  Anthony Risinger reported a bug where fwknopd was consuming more
  resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
  default to 1/100th of a second - this has been fixed.
- [libfko] Added SPA message validation calls to fko decoding routines to
  help ensure that SPA messages conform to expected values.
- Bug fix for PF firewalls: updated the PF anchor check to not rely on
  listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
- [test suite] Added parsing of valgrind output to produce a listing of
  functions that have been flagged - this assists in the development
  process to ensure that fwknop is not leaking memory.
- [test suite] Bug fix on Mac OS X systems to account for the libfko.dylib
  path instead of libfko.so. This fixes the existence check for libfko.
- [test suite] Added tests for --nat-local mode.
- [client] Fixed several minor memory leaks caught by valgrind.
- [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
  'edata_size' set but not used [-Wunused-but-set-variable].
- Updated fwknopd init script for Debian systems (contributed by Franck

fwknop-2.0 (01/02/2012):
- This is the first production release that has been completely re-written
  in C. This brings Single Packet Authorization functionality to all sorts
  of machines from embedded devices to large systems. iptables, ipfw, and
  pf firewalls are supported by the fwknopd daemon, and the fwknop client
  is known to work on most major *NIX environments, the iPhone and Android
  operating systems, and Cygwin under Windows.
- Added FORCE_NAT mode to the access.conf file so that for any valid SPA
  packet, the requested connection is forced to be NAT'd through to the
  specified (usually internal) IP and port value. This is useful if there
  are multiple internal systems running a service such as SSHD, and you
  want to give transparent access to only one internal system for each
  stanza in the access.conf file. This way, multiple external users can
  each directly access only one internal system per SPA key.
- Added two new access.conf variables, "ACCESS_EXPIRE" and
  "ACCESS_EXPIRE_EPOCH", to allow access stanzas to be expired without
  having to modify the access.conf file and restart fwknopd.
- Added a new feature to allow an access stanza that matches the SPA source
  address to not automatically short circuit other stanzas if there is an
  error (such as when there are multiple encryption keys involved and an
  incoming SPA packet is meant for, say, the second stanza and the first
  therefore doesn't allow proper decryption).
- Bug fix to exclude SPA packets with timestamps that are too far in the
  future (old packets were properly excluded already).
- Bug fix to honor the fwknop client --time-offset-plus and
  --time-offset-minus options.
- Added DNAT mode tests, a minor memory leak fix in NAT mode, and an fwknopd
  check for the ENABLE_IPT_FORWARDING variable before attempting NAT access.
- [test suite] Added --diff mode to compare results from one execution to