This bucket is for completed tasks.
** Rijndael keys are limited to 16 characters (#18)
:CLOSED: <2013-01-22 Tue>
:<2013-01-20 Sun>
Michael T. Dean reported that fwknop-2.x code limits Rijndael keys to 16
chars whereas it should accept keys up to RIJNDAEL_MAX_KEYSIZE chars in
length (32 chars).
** Release fwknop-2.0.4
:CLOSED: <2012-12-09 Sun>
** [test suite] Remove lib check for test suite when running in --enable-recompile mode
:CLOSED: <2012-11-15 Thu>
When creating a release tarball under 'make dist', the test suite performs
a check for an existing lib/ directory even under --enable-recompile.
** Fix MIPS compilation error
:CLOSED: <2012-11-09 Fri>
Franck Joncourt reported the following bug compiling fwknop MIPS via

libtool: link: gcc -g -O2 -Wformat -Werror=format-security -Wall -g -O2
-Wl,-z -Wl,relro -Wl,-z -Wl,now -Wall -fstack-protector-all
-fstack-protector -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z -Wl,relro -Wl,-z
-Wl,now -o .libs/fwknop fwknop-fwknop.o fwknop-config_init.o
fwknop-spa_comm.o fwknop-utils.o fwknop-http_resolve_host.o
fwknop-getpasswd.o ../lib/.libs/
/usr/bin/ld: fwknop-fwknop.o: relocation R_MIPS_26 against `getenv' can not
be used when making a shared object; recompile with -fPIC
fwknop-fwknop.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[4]: *** [fwknop] Error 1
make[4]: Leaving directory
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3/client'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
make[2]: *** [all] Error 2
make[2]: Leaving directory
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
make: *** [build-arch] Error 2
Update: the problem appears to be caused by manually specifying the CFLAGS
variable while not also specifying the LDFLAGS variable.
:<2012-11-09 Fri> This issue has been fixed through the Debian build
process, and Franck has indicated that no changes are required within
fwknop.
** [client] Update to not send SPA packet if Ctrl-C is used
:CLOSED: <2012-11-08 Thu>
The client currently sends an SPA packet when an encryption key is
requested but the user tries to exit out with Ctrl-C.
- Completed by Franck Joncourt.
** [server] Add the ability to process pcap files offline
:CLOSED: <2012-11-08 Thu>
Leverage pcap_open_offline() to process pcap files from disk instead of
sniffing the network live.
- Added a new '--pcap-file <file>' option for this purpose.
** Add --disable-gpg arg to the autoconf configure script
:CLOSED: <2012-10-31 Wed>
There needs to be a way to easily disable libgpgme usage even if it is
installed - this could be done with a new --disable-gpg argument to the
configure script.
- Added --disable-gpg to the autoconf configure script (via
** [client] Add --icmp-type and --icmp-code args
:CLOSED: <2012-10-11 Thu>
For SPA packets sent over ICMP via raw socket, allow the user to specify
the ICMP type and code.
** [server] For Ubuntu systems, have fwknopd managed by upstart
:CLOSED: <2012-09-27 Thu>
fwknopd can benefit from upstart management and monitoring on Ubuntu
systems.
- Added the extras/upstart/fwknop.conf file so that standard upstart
commands like "service fwknop start" can be issued.
** [server] ipfw active/expire sets cannot be the same
:CLOSED: <2012-08-16 Thu>
Add a check to ensure that active and expire sets are not the same value in
fwknopd.conf, and add a corresponding test in the test suite.
** Release fwknop-2.0.2
:CLOSED: <2012-08-18 Sat>
Make the fwknop-2.0.2 release.
** Release fwknop-2.0.3
:CLOSED: <2012-09-03 Mon>
Make the fwknop-2.0.3 release.
** Update fwknopd man page for GPG_ALLOW_NO_PW
:CLOSED: <2012-08-14 Tue>
** Preserve existing configs under 'make install'
:CLOSED: <2012-08-13 Mon>
- The current 'make install' behavior overwrites any existing fwknopd config
files from a previous installation.
- Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the
fwknopd.conf file already exists, and similarly for the access.conf
file.
** fwknopd iptables comment match detection
:CLOSED: <2012-08-12 Sun>
Hank Leininger suggested that fwknopd do better detection for the iptables
comment match since it is required for the expiration of SPA rules.
** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
:CLOSED: <2012-08-12 Sun>
Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
** [server] access.c parsing: allow no KEY variable if GPG keys are used.
:CLOSED: <2012-10-02 Tue>
The access.c parsing code currently throws an error if there is no KEY
variable in an access stanza even if GPG_ALLOW_NO_PW is set.
This bucket is for tasks that are currently being worked on.
** [test suite] SPA packet fuzzer
Add a series of patches to the fwknop client that break how it produces SPA
data in subtle ways in order to ensure proper validation by fwknopd.
* TODO
This bucket is for new tasks.
** Handle Rijndael keys with a trailing zero char
:<2013-01-21 Mon>
fwknop should maintain compatibility with OpenSSL in its usage of Rijndael
in CBC mode. As of fwknop-2.0.4, backwards compatibility is maintained
with the older perl versions, and this implies that '0' chars are tacked
onto the end of user-supplied passphrases for those that are less than 16
bytes long. When trying to decrypt SPA packets with OpenSSL, this results
in the following error for passphrases < 16 bytes:

bad decrypt
140636380620448:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:

For SPA packets encrypted with a passphrase > 16 bytes, OpenSSL is able to
decrypt them properly.
** Update all docs to include HMAC information (#17)
:<2013-01-20 Sun>
** Add HMAC support to the perl FKO module (#16)
:<2013-01-20 Sun>
** Fix gcc warnings on OpenBSD
:<2012-11-14 Wed>
Current fwknop code issues compilation warnings like the following on
OpenBSD:
/root/src/fwknop-2.0.3/server/utils.c:117: warning: sprintf() is often misused, please use snprintf()
** [server] Add PF NAT support for OpenBSD systems
fwknopd already supports various NAT modes on iptables, but it should be
extended to support NAT on PF firewalls.
** [server] Add access variable to require particular IPs even when REQUIRE_SOURCE is used
The SOURCE variable only applies to the IP header. Add analogous filtering
for the allow IP that is encrypted within an SPA payload.
** [client] Fix 'Could not set destination IP.' in hostname resolution in '-P icmp' mode
It seems that hostname resolution is not working when SPA packets are
spoofed. Here is the command line to trigger the problem:
# fwknop -A tcp/22 -a -D <host> --verbose --verbose -P icmp --icmp-type 8 --icmp-code 0 -Q
** Add 'enable' to ipfw active set at init time
Currently fwknopd does not do a check to ensure that the active set is
enabled at init time ('ipfw set enable 1').
** Update fwknopd man page to include IPFW* vars
None of the ipfw variables are currently documented in the fwknopd man
page.
** Use assert() in various places
Use assert() to validate expected values wherever possible.
** [server] Include files for access.conf
Hank Leininger suggested that the main access.conf file have an option to
include other files in which access stanzas can be specified. This makes
it easy to wrap additional controls around access information, particularly
in multi-user environments.
** [test suite] backwards compatibility tests
The test suite should have the ability to test backwards compatibility
between fwknop versions.
** For Linux/Unix - a GNOME or KDE GUI app for the fwknop client.
Although there is currently a functioning web proxy that can serve as a
UI via a browser, it would be nice to have native GNOME and KDE GUI
wrappers for the fwknop client.
** For Windows - VB and/or C# class wrappers around libfko.dll
Extend Windows support with VB and/or C# class wrappers around the
libfko.dll.
** Ruby bindings to libfko
Perl and Python bindings already exist for libfko, so add Ruby to this list
as well.
** [test suite] client/server only tests
When only the client or server is being installed on a system, the test
suite should be able to run only the relevant tests.
** Implement SPA over IPv6 (#1)
It is important to eventually fully support SPA over IPv6.