fwknop.git
22 months agofile permissions and client buffer overflow fix
Michael Rash [Thu, 30 Aug 2012 02:21:43 +0000]
file permissions and client buffer overflow fix

- [client+server] Fernando Arnaboldi from IOActive found that strict
filesystem permissions for various fwknop files are not verified.  Added
warnings whenever permissions are not strict enough, and ensured that
files created by the fwknop client and server are only set to user
read/write.
- [client] Fernando Arnaboldi from IOActive found a local buffer overflow
in --last processing with a maliciously constructed ~/.fwknop.run file.
This has been fixed with proper validation of .fwknop.run arguments.

22 months agoAdded Ctrl-C and --disable-gpg notes
Michael Rash [Wed, 29 Aug 2012 01:28:57 +0000]
Added Ctrl-C and --disable-gpg notes

22 months agomigrated TODO tasks to the todo.org file
Michael Rash [Tue, 28 Aug 2012 02:30:27 +0000]
migrated TODO tasks to the todo.org file

22 months agominor ChangeLog update for the RPM build change
Michael Rash [Tue, 28 Aug 2012 01:20:02 +0000]
minor ChangeLog update for the RPM build change

22 months agoAdded $DESTDIR prefix in uninstall-local and install-exec-hook to fix RPM builds
Michael Rash [Tue, 28 Aug 2012 01:16:59 +0000]
Added $DESTDIR prefix in uninstall-local and install-exec-hook to fix RPM builds

23 months agoadded encryption mode flags for each access stanza
Michael Rash [Sun, 26 Aug 2012 19:47:24 +0000]
added encryption mode flags for each access stanza

23 months agoconsolidatd fuzzing functions within a single 'fuzzer' function
Michael Rash [Sun, 26 Aug 2012 19:46:54 +0000]
consolidatd fuzzing functions within a single 'fuzzer' function

23 months ago[server] Stronger IP validation based on a bug found by Fernando Arnaboldi from IOActive
Michael Rash [Sun, 26 Aug 2012 03:08:55 +0000]
[server] Stronger IP validation based on a bug found by Fernando Arnaboldi from IOActive

This commit fixes a condition in which the server did not properly validate
allow IP addresses from malicious authenticated clients.  This has been fixed
with stronger allow IP validation.

23 months ago(Fernando Arnaboldi, IOActive) Found and fixed several DoS/code execution vulns for...
Michael Rash [Sat, 25 Aug 2012 02:12:19 +0000]
(Fernando Arnaboldi, IOActive) Found and fixed several DoS/code execution vulns for authenticated clients

- [server] Fernando Arnaboldi from IOActive found several DoS/code
execution vulnerabilities for malicious fwknop clients that manage to
get past the authentication stage (so a such a client must be in
possession of a valid access.conf encryption key).  These vulnerbilities
manifested themselves in the handling of malformed access requests, and
both the fwknopd server code along with libfko now perform stronger input
validation of access request data.  These vulnerabilities affect
pre-2.0.3 fwknop releases.
- [test suite] Added a new fuzzing capability to ensure proper server-side
input validation.  Fuzzing data is constructed with modified fwknop
client code that is designed to emulate malicious behavior.

23 months agominor paren's syntax bug fix
Michael Rash [Sat, 18 Aug 2012 20:30:34 +0000]
minor paren's syntax bug fix

23 months agoupdated ChangeLog.git file for the fwknop-2.0.2 release fwknop-2.0.2
Michael Rash [Sat, 18 Aug 2012 19:10:05 +0000]
updated ChangeLog.git file for the fwknop-2.0.2 release

23 months agofwknop-2.0.2 release
Michael Rash [Sat, 18 Aug 2012 19:03:04 +0000]
fwknop-2.0.2 release

23 months agoBetter --resolve-url handling
Michael Rash [Sat, 18 Aug 2012 01:02:24 +0000]
Better --resolve-url handling

Chop any trailing '/' char, be more careful about handling incoming large HTTP
responses, print the HTTP request and response in --verbose --verbose mode.

23 months agoipfw active/expire test bug fix (atoi() for config vars)
Michael Rash [Fri, 17 Aug 2012 02:30:09 +0000]
ipfw active/expire test bug fix (atoi() for config vars)

23 months agoadded test/conf/ipfw_active_expire_equal_fwknopd.conf file
Michael Rash [Fri, 17 Aug 2012 02:19:39 +0000]
added test/conf/ipfw_active_expire_equal_fwknopd.conf file

23 months ago[server] ipfw active/expire sets cannot be the same
Michael Rash [Fri, 17 Aug 2012 02:16:36 +0000]
[server] ipfw active/expire sets cannot be the same

23 months agotodo.org notes update
Michael Rash [Fri, 17 Aug 2012 01:18:11 +0000]
todo.org notes update

23 months ago[client] Added cipherdyne.com backup check in -R mode.
Michael Rash [Thu, 16 Aug 2012 02:49:29 +0000]
[client] Added cipherdyne.com backup check in -R mode.

Added backup check against a cipherdyne.com 'myip' cgi instance in -R mode if
the normal check against cipherdyne.org fails.

23 months agoadded 'Pragma: no-cache' header
Michael Rash [Thu, 16 Aug 2012 02:46:49 +0000]
added 'Pragma: no-cache' header

23 months agoadded extras/myip/myip.c
Michael Rash [Wed, 15 Aug 2012 02:52:24 +0000]
added extras/myip/myip.c

23 months agobumped version to fwknop-2.0.2-pre3
Michael Rash [Wed, 15 Aug 2012 02:35:02 +0000]
bumped version to fwknop-2.0.2-pre3

23 months agotodo.org notes update
Michael Rash [Wed, 15 Aug 2012 02:34:03 +0000]
todo.org notes update

23 months agoAdded GPG_ALLOW_NO_PW to the fwknopd man page
Michael Rash [Wed, 15 Aug 2012 02:31:03 +0000]
Added GPG_ALLOW_NO_PW to the fwknopd man page

23 months agominor defensive fko_destroy() calls in two error condition blocks
Michael Rash [Wed, 15 Aug 2012 02:21:34 +0000]
minor defensive fko_destroy() calls in two error condition blocks

23 months agoAdded the extras/myip/ directory for client IP resolution code
Michael Rash [Wed, 15 Aug 2012 01:51:00 +0000]
Added the extras/myip/ directory for client IP resolution code

The myip.c file is deployed at http://www.cipherdyne.org/cgi-bin/myip
for fwknop client IP resolution.

23 months agoAdded --enable-distcheck for 'make distcheck' verification
Michael Rash [Tue, 14 Aug 2012 02:53:29 +0000]
Added --enable-distcheck for 'make distcheck' verification

23 months ago[server] Preserve any existing config files in /etc/fwknop/
Michael Rash [Tue, 14 Aug 2012 02:39:03 +0000]
[server] Preserve any existing config files in /etc/fwknop/

Updated the 'make install' step to not overwrite any existing config files in
/etc/fwknop/ and instead install new copies from the source tree at
/etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst

23 months ago[server] 'make install' permissions fix
Michael Rash [Sun, 12 Aug 2012 23:57:11 +0000]
[server] 'make install' permissions fix

Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.

23 months ago[server] iptables 'comment' match check
Michael Rash [Sun, 12 Aug 2012 19:44:13 +0000]
[server] iptables 'comment' match check

Implemented a new check to ensure that the iptables 'comment' match exists to
ensure the proper environment for fwknopd operations.  This check is controlled
by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank
Leininger.

23 months agotodo update
Michael Rash [Sun, 12 Aug 2012 19:23:38 +0000]
todo update

23 months agoAdded todo.org org mode file
Michael Rash [Sun, 12 Aug 2012 13:29:51 +0000]
Added todo.org org mode file

The todo.org mode file was built with vim and the VimOrganizer project:

https://github.com/hsitz/VimOrganizer

23 months agoadded gpg_no_pw_access.conf file for no password gpg tests fwknop-2.0.2-pre2
Michael Rash [Sat, 11 Aug 2012 13:33:54 +0000]
added gpg_no_pw_access.conf file for no password gpg tests

23 months agobumped version to fwknop-2.0.2-pre2
Michael Rash [Sat, 11 Aug 2012 13:21:49 +0000]
bumped version to fwknop-2.0.2-pre2

23 months ago[server] Added GPG_ALLOW_NO_PW variable and associated test suite support
Michael Rash [Sat, 11 Aug 2012 01:52:09 +0000]
[server] Added GPG_ALLOW_NO_PW variable and associated test suite support

For GPG mode, added a new access.conf variable "GPG_ALLOW_NO_PW" to make it
possible to leverage a server-side GPG key pair that has no associated
password.  This comes in handy when a system requires the user to leverage
gpg-agent / pinentry which can present a problem in automated environments as
required by the fwknopd server.  Now, it might seem like a problem to remove
the passphrase from a GPG key pair, but it's important to note that simply
doing this is little worse than storing the passphrase in the clear on disk
anyway in the access.conf file.  Further, this link help provides additional
detail:

http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

23 months ago[server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT
Michael Rash [Sat, 11 Aug 2012 01:48:02 +0000]
[server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT

Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate
the corresponding functionality that is implemented for iptables firewalls.

Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then
do not disable this set whenever the FLUSH_IPFW* variables are enabled.

These changes were suggested by Jonathan Schulz.

23 months agobug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality
Michael Rash [Sat, 11 Aug 2012 01:43:49 +0000]
bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality

23 months agoadded Geoff Carstairs for the FORCE_NAT idea
Michael Rash [Thu, 9 Aug 2012 01:27:33 +0000]
added Geoff Carstairs for the FORCE_NAT idea

23 months agoadded Aldan Beaubien for reporting the Morpheus NULL IP problem
Michael Rash [Sun, 5 Aug 2012 18:07:42 +0000]
added Aldan Beaubien for reporting the Morpheus NULL IP problem

23 months agominor whitespace update
Michael Rash [Sun, 5 Aug 2012 17:05:55 +0000]
minor whitespace update

23 months agominor memset value update 0 -> 0x0 to conform to other memset() calls
Michael Rash [Sun, 5 Aug 2012 17:05:30 +0000]
minor memset value update 0 -> 0x0 to conform to other memset() calls

23 months agobumped version to 2.0.2-pre1 fwknop-2.0.2-pre1
Michael Rash [Sat, 4 Aug 2012 02:16:22 +0000]
bumped version to 2.0.2-pre1

23 months agoadded changes for the 2.0.2 release (so far)
Michael Rash [Sat, 4 Aug 2012 02:08:14 +0000]
added changes for the 2.0.2 release (so far)

23 months ago[client] -R http recv() read until close (Jonathan Schulz)
Michael Rash [Sat, 4 Aug 2012 01:49:03 +0000]
[client] -R http recv() read until close (Jonathan Schulz)

Applied patch from Jonathan Schulz to ensure that the fwknop client reads all
data from a remote webserver when resolving the client IP address in -R mode.
Jonathan indicated that some webservers would transfer HTTP headers and data
separately, and a single recv() would therefore fail to get the necessary IP
information.

23 months agominor white space fix tabs->spaces
Michael Rash [Sat, 4 Aug 2012 01:30:24 +0000]
minor white space fix tabs->spaces

23 months agoadded Jonathan Schulz
Michael Rash [Thu, 2 Aug 2012 03:40:34 +0000]
added Jonathan Schulz

23 months agoChange HTTP connection type to 'close' in -R mode
Michael Rash [Thu, 2 Aug 2012 03:27:34 +0000]
Change HTTP connection type to 'close' in -R mode

Applied patch from Jonathan Schulz to change the HTTP connection type to
'close' for the client in -R mode.

23 months agoadded client IP resolution test with complete SPA->SSH cycle
Michael Rash [Thu, 2 Aug 2012 02:30:02 +0000]
added client IP resolution test with complete SPA->SSH cycle

23 months agoReplay attack bug fix (encryption prefixes)
Michael Rash [Mon, 30 Jul 2012 03:31:15 +0000]
Replay attack bug fix (encryption prefixes)

Ensure that an attacker cannot force a replay attack by intercepting an
SPA packet and the replaying it with the base64 version of "Salted__"
(for Rindael) or the "hQ" prefix (for GnuPG).  This is an important fix.
The following comment was added into the fwknopd code:

/* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
 * since an attacker might have tacked them on to a previously seen
 * SPA packet in an attempt to get past the replay check.  And, we're
 * no worse off since a legitimate SPA packet that happens to include
 * a prefix after the outer one is stripped off won't decrypt properly
 * anyway because libfko would not add a new one.
*/

Conflicts:

lib/cipher_funcs.h

23 months ago[libfko] minor memory leak fix for user detection (corner case)
Michael Rash [Mon, 30 Jul 2012 01:31:44 +0000]
[libfko] minor memory leak fix for user detection (corner case)

23 months ago[server] replay attack detection memory leak bug fix
Michael Rash [Sat, 28 Jul 2012 04:08:30 +0000]
[server] replay attack detection memory leak bug fix

This commit fixes the following memory leak found with valgrind:

44 bytes in 1 blocks are definitely lost in loss record 2 of 2
   at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x490EA50: strdup (strdup.c:43)
   by 0x10CD69: incoming_spa (incoming_spa.c:162)
   by 0x10E000: process_packet (process_packet.c:200)
   by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
   by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
   by 0x10DABF: pcap_capture (pcap_capture.c:226)
   by 0x10A798: main (fwknopd.c:299)

2 years agoremoved diffstat and ShortLog from 'make dist' target
Michael Rash [Tue, 24 Jul 2012 02:53:38 +0000]
removed diffstat and ShortLog from 'make dist' target

2 years agobumped version to 2.0.1
Michael Rash [Tue, 24 Jul 2012 02:40:47 +0000]
bumped version to 2.0.1

2 years agobumped version to fwknop-2.0.1
Michael Rash [Tue, 24 Jul 2012 01:58:14 +0000]
bumped version to fwknop-2.0.1

2 years agoremoved diffstat and ShortLog files in favor of ChangeLog.git for each release
Michael Rash [Tue, 24 Jul 2012 01:54:49 +0000]
removed diffstat and ShortLog files in favor of ChangeLog.git for each release

2 years agoupdated Debian init script (contributed by Franck Joncourt)
Michael Rash [Tue, 24 Jul 2012 01:49:25 +0000]
updated Debian init script (contributed by Franck Joncourt)

2 years agoadd test/conf/local_nat_fwknopd.conf for 'make dist' fwknop-2.0.1-pre5
Michael Rash [Tue, 24 Jul 2012 01:32:24 +0000]
add test/conf/local_nat_fwknopd.conf for 'make dist'

2 years agobumped version to fwknop-2.0.1-pre5
Michael Rash [Tue, 24 Jul 2012 01:24:29 +0000]
bumped version to fwknop-2.0.1-pre5

2 years ago[client] fix memory leak when unable to open --get-key file
Michael Rash [Tue, 24 Jul 2012 01:23:23 +0000]
[client] fix memory leak when unable to open --get-key file

2 years agoPCAP_LOOP_SLEEP bug fix to 1/10th of a second
Michael Rash [Tue, 24 Jul 2012 01:13:30 +0000]
PCAP_LOOP_SLEEP bug fix to 1/10th of a second

[server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
microseconds).  This was supposed to be the default anyway, but C
Anthony Risinger reported a bug where fwknopd was consuming more
resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
default to 1/100th of a second - this has been fixed.

2 years agoreplace strlen() calls with strnlen() and appropriate maximums
Michael Rash [Mon, 23 Jul 2012 03:13:39 +0000]
replace strlen() calls with strnlen() and appropriate maximums

2 years agouse LOGNAME env var before cuserid() since we're already looking for SPOOF_USER
Michael Rash [Mon, 23 Jul 2012 03:13:01 +0000]
use LOGNAME env var before cuserid() since we're already looking for SPOOF_USER

2 years ago[client] Fixed several minor memory leaks caught by valgrind
Michael Rash [Mon, 23 Jul 2012 03:09:32 +0000]
[client] Fixed several minor memory leaks caught by valgrind

This commit fixes memory leaks like the following in the fwknop client:

HEAP SUMMARY:
    in use at exit: 300 bytes in 11 blocks
  total heap usage: 100 allocs, 89 frees, 16,583 bytes allocated

16 bytes in 1 blocks are indirectly lost in loss record 1 of 11
   at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
   by 0x5C3D63E: ???
   by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
   by 0x508938E: cuserid (cuserid.c:37)
   by 0x4E3983A: fko_set_username (fko_user.c:65)
   by 0x4E38D5C: fko_new (fko_funcs.c:84)
   by 0x10A824: main (fwknop.c:75)

16 bytes in 1 blocks are indirectly lost in loss record 2 of 11
   at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
   by 0x5C3D658: ???
   by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
   by 0x508938E: cuserid (cuserid.c:37)
   by 0x4E3983A: fko_set_username (fko_user.c:65)
   by 0x4E38D5C: fko_new (fko_funcs.c:84)
   by 0x10A824: main (fwknop.c:75)

16 bytes in 1 blocks are indirectly lost in loss record 3 of 11
   at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
   by 0x5C3D672: ???
   by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
   by 0x508938E: cuserid (cuserid.c:37)
   by 0x4E3983A: fko_set_username (fko_user.c:65)
   by 0x4E38D5C: fko_new (fko_funcs.c:84)
   by 0x10A824: main (fwknop.c:75)

16 bytes in 1 blocks are indirectly lost in loss record 4 of 11
   at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
   by 0x5C3D68C: ???
   by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
   by 0x508938E: cuserid (cuserid.c:37)
   by 0x4E3983A: fko_set_username (fko_user.c:65)
   by 0x4E38D5C: fko_new (fko_funcs.c:84)
   by 0x10A824: main (fwknop.c:75)

2 years agoBetter SPA message validation upon SPA decrypt/decode.
Michael Rash [Sat, 21 Jul 2012 19:32:15 +0000]
Better SPA message validation upon SPA decrypt/decode.

Added SPA message validation calls to fko decoding routines to help
ensure that SPA messages conform to expected values.

2 years ago[test suite] minor filename update -> use config files for fwknopd in a hash
Michael Rash [Sat, 21 Jul 2012 01:16:13 +0000]
[test suite] minor filename update -> use config files for fwknopd in a hash

2 years agoImplemented server-side bounds checking on inccoming SPA data.
Michael Rash [Fri, 20 Jul 2012 02:34:45 +0000]
Implemented server-side bounds checking on inccoming SPA data.

Enhanced the libfko decoding routine to include bounds checking on decrypted
SPA data.  This includes verifying the number of fields within incoming SPA
data (colon separated) along with verifying string lengths of each field.

2 years agoadded some integer bounds checking for fwknopd.conf variables
Michael Rash [Thu, 19 Jul 2012 03:20:09 +0000]
added some integer bounds checking for fwknopd.conf variables

2 years agominor update to print FORCE_NAT settings when access stanzas are printed
Michael Rash [Thu, 19 Jul 2012 03:17:27 +0000]
minor update to print FORCE_NAT settings when access stanzas are printed

2 years agominor pcap_capture update to not call atoi() against PCAP_LOOP_SLEEP for every sleep...
Michael Rash [Thu, 19 Jul 2012 03:00:58 +0000]
minor pcap_capture update to not call atoi() against PCAP_LOOP_SLEEP for every sleep interval

2 years ago[test suite] minor hostname bugfix to get 'local NAT' test to work
Michael Rash [Thu, 19 Jul 2012 02:55:56 +0000]
[test suite] minor hostname bugfix to get 'local NAT' test to work

2 years ago[test suite] better fwknopd is running check
Michael Rash [Thu, 19 Jul 2012 02:32:16 +0000]
[test suite] better fwknopd is running check

2 years agoMerge branch 'master' of github.com:mrash/fwknop
Michael Rash [Wed, 18 Jul 2012 02:20:36 +0000]
Merge branch 'master' of github.com:mrash/fwknop

2 years ago[test suite] file_find_regex() postive vs. negative match styles
Michael Rash [Wed, 18 Jul 2012 01:55:13 +0000]
[test suite] file_find_regex() postive vs. negative match styles

Positive match style requires all regex's to be found, whereas negative match
style only requires seeing one regex.

2 years agoEnsure that INPUT rules are added in --nat-local mode
Michael Rash [Wed, 18 Jul 2012 01:50:29 +0000]
Ensure that INPUT rules are added in --nat-local mode

This change ensures that INPUT rules are added when the fwknop client is used to
request access to a local service with --nat-local mode.

2 years agominor file_find_regex() logging prefix update
Michael Rash [Tue, 17 Jul 2012 02:05:15 +0000]
minor file_find_regex() logging prefix update

2 years ago[test suite] added local_nat_fwknopd.conf file for local NAT tests
Michael Rash [Tue, 17 Jul 2012 01:43:28 +0000]
[test suite] added local_nat_fwknopd.conf file for local NAT tests

2 years agoAdd INPUT ACCEPT rule for --nat-local connections
Michael Rash [Mon, 16 Jul 2012 01:32:14 +0000]
Add INPUT ACCEPT rule for --nat-local connections

When using the --nat-local argument on the fwknop client command line, the
fwknopd server needs to add an INPUT ACCEPT rule for the requested access
since the incoming connection is destined for a local socket.  Added test
suite support to test --nat-local access.

[test suite] Minor bug fix to ensure that all file_find_regex() calls return
true if all regex's are matched and false if any regex does not match data in
the specified file.

2 years agoForgot to update the VERSION file. fwknop-2.0.1-pre4
Damien Stuart [Sun, 15 Jul 2012 02:10:37 +0000]
Forgot to update the VERSION file.

2 years agoBumped version to 2.0.1-pre4
Damien Stuart [Sun, 15 Jul 2012 00:54:05 +0000]
Bumped version to 2.0.1-pre4

2 years agoAdded tweaks to ipfw command for Mac OS X
Damien Stuart [Sat, 14 Jul 2012 22:22:42 +0000]
Added tweaks to ipfw command for Mac OS X

2 years agoMerge branch 'master' of ssh://github.com/mrash/fwknop
Damien Stuart [Sat, 14 Jul 2012 14:14:05 +0000]
Merge branch 'master' of ssh://github.com/mrash/fwknop

2 years agoAdded gpg validity check. Tweak to rpm spec file.
Damien Stuart [Sat, 14 Jul 2012 14:13:26 +0000]
Added gpg validity check. Tweak to rpm spec file.

2 years agobumped version to fwknop-2.0.1-pre3 fwknop-2.0.1-pre3
Michael Rash [Fri, 13 Jul 2012 02:19:41 +0000]
bumped version to fwknop-2.0.1-pre3

2 years agoadded libfko.dylib test suite fix note to the ChangeLog
Michael Rash [Fri, 13 Jul 2012 02:18:39 +0000]
added libfko.dylib test suite fix note to the ChangeLog

2 years ago[test suite] Bug fix to account for libfko.dylib extension
Michael Rash [Fri, 13 Jul 2012 02:11:35 +0000]
[test suite] Bug fix to account for libfko.dylib extension

Richard Haas reported the test suite failing on Mac OS X systems with the
existence check for the libfko library.  Damien Stuart advised that the library
has a different extention '.dylib' on Mac OS X, so this change accounts for the
difference.

2 years agobumped version to 2.0.1-pre2 fwknop-2.0.1-pre2
Michael Rash [Tue, 10 Jul 2012 02:58:35 +0000]
bumped version to 2.0.1-pre2

2 years agoadded valgrind parsing note
Michael Rash [Tue, 10 Jul 2012 02:39:13 +0000]
added valgrind parsing note

2 years ago[test suite] minor directory path bug fix for --diff mode
Michael Rash [Tue, 10 Jul 2012 02:05:57 +0000]
[test suite] minor directory path bug fix for --diff mode

2 years agoswitched back to older ChangeLog format which is more readable fwknop-2.0.1-pre1
Michael Rash [Tue, 10 Jul 2012 01:29:49 +0000]
switched back to older ChangeLog format which is more readable

2 years agobumped version to 2.0.1-pre1
Michael Rash [Mon, 9 Jul 2012 20:32:10 +0000]
bumped version to 2.0.1-pre1

2 years agoadded dual_key_usage_access.conf to Makefile.am for 'make dist' target
Michael Rash [Mon, 9 Jul 2012 20:30:26 +0000]
added dual_key_usage_access.conf to Makefile.am for 'make dist' target

2 years agoadded unique function names to --enable-valgrind suspect functions test
Michael Rash [Mon, 9 Jul 2012 01:21:36 +0000]
added unique function names to --enable-valgrind suspect functions test

2 years agoadded new test in --enable-valgrind mode to collect suspect functions
Michael Rash [Sun, 8 Jul 2012 19:30:35 +0000]
added new test in --enable-valgrind mode to collect suspect functions

2 years agoOnly cache replay digests for SPA packets that decrypt
Michael Rash [Sun, 8 Jul 2012 12:36:30 +0000]
Only cache replay digests for SPA packets that decrypt

This change ensures that we only cache replay digests for those SPA packets
that actually decrypt.  Not doing this would have allowed an attacker to
potentially fill up digest cache space with digests for garbage packets.

2 years agoAdded a test for a dual-usage key in access.conf
Michael Rash [Sun, 8 Jul 2012 12:35:50 +0000]
Added a test for a dual-usage key in access.conf

2 years agoBug fix for multi-stanza key use and replay attack detection
Michael Rash [Sun, 8 Jul 2012 01:31:30 +0000]
Bug fix for multi-stanza key use and replay attack detection

This commit fixes a bug where the same encryption key used for two stanzas in
the access.conf file would result in access requests that matched the second
stanza to always be treated as a replay attack.  This has been fixed for
the fwknop-2.0.1 release, and was reported by Andy Rowland.  Now the fwknopd
server computes the SHA256 digest of raw incoming payload data before
decryption, and compares this against all previous hashes.  Previous to this
commit, fwknopd would add a new hash to the replay digest list right after
the first access.conf stanza match, so when SPA packet data matched the
second access.conf stanza a matching replay digest would already be there.

2 years agogcc warning fix fox: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not...
Michael Rash [Mon, 28 May 2012 18:22:33 +0000]
gcc warning fix fox: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not used [-Wunused-but-set-variable]

2 years agoupdated PF anchor check to not rely on listing the PF policy
Michael Rash [Mon, 28 May 2012 18:19:52 +0000]
updated PF anchor check to not rely on listing the PF policy

2 years agoadded Ted Wynnychenko for OpenBSD PF testing
Michael Rash [Mon, 28 May 2012 18:18:34 +0000]
added Ted Wynnychenko for OpenBSD PF testing

2 years agoconvert Rijndael blocksize values '16' to use RIJNDAEL_BLOCKSIZE macro
Michael Rash [Sun, 15 Jan 2012 20:57:45 +0000]
convert Rijndael blocksize values '16' to use RIJNDAEL_BLOCKSIZE macro

2 years agoadded --stat output to ChangeLog fwknop-2.0 fwknop-2.0
Michael Rash [Mon, 2 Jan 2012 23:35:41 +0000]
added --stat output to ChangeLog