Skip to content


Subversion checkout URL

You can clone with
Download ZIP
100644 101 lines (95 sloc) 6.323 kB
79a9476 @mrash added changes for the 2.0.2 release (so far)
1 fwknop-2.0.2 (08//2012):
2 - [client] In IP resolution mode (-R) changed HTTP connection type to
3 'close' since there is no need for connection persistence, and indeed the
4 client expects to just get the IP and the connection to be closed.
5 Jonathan Schulz submitted a patch for this.
6 - [client] Bug fix to ensure that all data is read via recv() from a
7 remote webserver IP resolution mode (-R). Previously IP resolution
8 could fail if HTTP headers were transferred separately from the data
9 (for whatever reason). Jonathan Schulz submitted a patch for this.
10 - [server] Replay attack bug fix to ensure that an attacker cannot force a
11 replay attack by intercepting an SPA packet and the replaying it with the
12 base64 version of "Salted__" (for Rindael) or the "hQ" prefix (for
13 GnuPG). This is an important fix. The following comment was added into
14 the fwknopd code:
16 /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
17 * since an attacker might have tacked them on to a previously seen
18 * SPA packet in an attempt to get past the replay check. And, we're
19 * no worse off since a legitimate SPA packet that happens to include
20 * a prefix after the outer one is stripped off won't decrypt properly
21 * anyway because libfko would not add a new one.
22 */
24 - [server] Fixed a memory leak bug in the replay attack detection code.
25 The leak was found with the test suite in --enable-valgrind mode, and
26 here is the valgrind trace that exposed it:
28 44 bytes in 1 blocks are definitely lost in loss record 2 of 2
29 at 0x482BE68: malloc (in
30 /usr/lib/valgrind/
31 by 0x490EA50: strdup (strdup.c:43)
32 by 0x10CD69: incoming_spa (incoming_spa.c:162)
33 by 0x10E000: process_packet (process_packet.c:200)
34 by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/
35 by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/
36 by 0x10DABF: pcap_capture (pcap_capture.c:226)
37 by 0x10A798: main (fwknopd.c:299)
cab2ea9 @mrash bumped version to 2.0.1
39 fwknop-2.0.1 (07/23/2012):
5387242 @mrash PCAP_LOOP_SLEEP bug fix to 1/10th of a second
40 - [server] Bug fix where the same encryption key used for two stanzas in
e2c34d4 @mrash switched back to older ChangeLog format which is more readable
41 the access.conf file would result in access requests that matched the
42 second stanza to always be treated as a replay attack. This has been
43 fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now
44 the fwknopd server computes the SHA256 digest of raw incoming payload
45 data before decryption, and compares this against all previous hashes.
46 Previous to this commit, fwknopd would add a new hash to the replay
47 digest list right after the first access.conf stanza match, so when SPA
48 packet data matched the second access.conf stanza a matching replay
49 digest would already be there.
5387242 @mrash PCAP_LOOP_SLEEP bug fix to 1/10th of a second
50 - [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
51 microseconds). This was supposed to be the default anyway, but C
52 Anthony Risinger reported a bug where fwknopd was consuming more
53 resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
54 default to 1/100th of a second - this has been fixed.
55 - [libfko] Added SPA message validation calls to fko decoding routines to
56 help ensure that SPA messages conform to expected values.
e2c34d4 @mrash switched back to older ChangeLog format which is more readable
57 - Bug fix for PF firewalls: updated the PF anchor check to not rely on
5ef07c7 @mrash Better SPA message validation upon SPA decrypt/decode.
58 listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
2f9368b @mrash added valgrind parsing note
59 - [test suite] Added parsing of valgrind output to produce a listing of
60 functions that have been flagged - this assists in the development
61 process to ensure that fwknop is not leaking memory.
3b26157 @mrash added libfko.dylib test suite fix note to the ChangeLog
62 - [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path
63 instead of This fixes the existence check for libfko.
6c73e16 @mrash Ensure that INPUT rules are added in --nat-local mode
64 - [test suite] Added tests for --nat-local mode.
049545b @mrash [client] Fixed several minor memory leaks caught by valgrind
65 - [client] Fixed several minor memory leaks caught by valgrind.
5387242 @mrash PCAP_LOOP_SLEEP bug fix to 1/10th of a second
66 - [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
67 ‘edata_size’ set but not used [-Wunused-but-set-variable].
3c533de @mrash updated Debian init script (contributed by Franck Joncourt)
68 - Updated fwknopd init script for Debian systems (contributed by Franck
69 Joncourt).
e2c34d4 @mrash switched back to older ChangeLog format which is more readable
71 fwknop-2.0 (01/02/2012):
72 - This is the first production release that has been completely re-written
73 in C. This brings Single Packet Authorization functionality to all sorts
74 of machines from embedded devices to large systems. iptables, ipfw, and
75 pf firewalls are supported by the fwknopd daemon, and the fwknop client
76 is known to work on most major *NIX environments, the iPhone and Android
77 operating systems, and Cygwin under Windows.
78 - Added FORCE_NAT mode to the access.conf file so that for any valid SPA
79 packet, force the requested connection to be NAT'd through to the
80 specified (usually internal) IP and port value. This is useful if there
81 are multiple internal systems running a service such as SSHD, and you
82 want to give transparent access to only one internal system for each
83 stanza in the access.conf file. This way, multiple external users can
84 each directly access only one internal system per SPA key.
85 - Added two new access.conf variables are added "ACCESS_EXPIRE" and
86 "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without
87 having to modify the access.conf file and restart fwknopd.
88 - Added a new feature to allow an access stanza that matches the SPA source
89 address to not automatically short circuit other stanzas if there is an
90 error (such as when there are multiple encryption keys involved and an
91 incoming SPA packet is meant for, say, the second stanza and the first
92 therefore doesn't allow proper decryption).
93 - Bug fix to exclude SPA packets with timestamps in the future that are too
94 great (old packets were properly excluded already).
95 - Bug fix to honor the fwknop client --time-offset-plus and
96 --time-offset-minus options
97 - Added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd
98 check for ENABLE_IPT_FORWARDING variable before attempting NAT access.
99 - [test suite] Added --diff mode to compare results from one execution to
100 the next.
Something went wrong with that request. Please try again.