100644 216 lines (185 sloc) 10.537 kb
bcba9d6 Michael Rash added CREDITS file, bumped software version, added ChangeLog files

Jonathan Bennett
- Contributed OpenWRT support - see the extras/openwrt/ directory.

Sebastien Jeanquier
- Assisted with getting fwknop included in BackTrack Linux - the choice
  distro for penetration testers.

Ozmart
- Suggested the idea for setting an access stanza expiration time.
- Suggested the ability to have certain incoming connections automatically
  NAT'd through to specific internal systems. The result was the FORCE_NAT
  mode.
- Assisted with getting fwknop running under the Pentoo Linux distro.

Max Kastanas
- Contributed both an Android and an iPhone fwknop client port - see the
  top level android/ and iphone/ directories.

Ted Wynnychenko
- Helped test fwknop PF support on OpenBSD.

Andy Rowland
- Reported a bug where the same encryption key used for two stanzas in the
  access.conf file would result in access requests that matched the second
  stanza to always be treated as a replay attack. This has been fixed for
  the fwknop-2.0.1 release.

C Anthony Risinger
- Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a
  second instead of the intended default of 1/10th of a second.

Franck Joncourt
- fwknop Debian package maintainer.
- Contributed a new Debian init script.
- Contributed a patch to have the perl FKO module link against libfko in
  the local directory (if it exists) so that it doesn't have to have libfko
  completely installed in /usr/lib/. This allows the test suite to run FKO
  tests without installing libfko.
- Contributed a patch to remove unnecessary chmod() call when creating
  client rc file and server replay cache file. The permissions are now set
  appropriately via open(), and at the same time this patch fixes a
  potential race condition since the previous code used fopen() followed by
  chmod().
- Contributed a patch to allow the fwknop client to be stopped with Ctrl-C
  before sending an SPA packet on the wire.
- Contributed a patch to ensure that duplicate iptables rules are not
  created even for different SPA packets that arrive at the same time and
  request the same access.
- Added support for resolving hostnames in various NAT modes (fixes issue
  #43 in github).
- Bug fix in the client for resolving hostnames in '-P icmp' mode (fixes
  issue #64).
- Added support for saving fwknop client command line arguments via a new
  option --save-rc-stanza.
- Added log module support for the client.
- Added the ability to read a passphrase from STDIN and also from a file
  descriptor via --fd (closes #74).

Jonathan Schulz
- Submitted patches to change HTTP connection type to 'close' for -R mode
  in the client and fix a bug for recv() calls against returned HTTP data.

Aldan Beaubien
- Reported an issue with the Morpheus client sending SPA packets with NULL
  IP addresses, and code was added to fwknopd to better validate incoming
  SPA data as a result of this report.

Geoff Carstairs
- Suggested a way to redirect valid connection requests to a specific
  internal service via NAT, configurable by each stanza in access.conf.
  This allows for better access control for multiple users requiring access
  to multiple internal systems, in a manner that is transparent to the
  user. The result was the FORCE_NAT mode.

Hank Leininger
- Contributed a patch to greatly extend libfko error code descriptions at
  various places in order to give much better information on what certain
  error conditions mean. Closes #98.
- Suggested the ability to read a passphrase from STDIN and via a new --fd
  command line argument (github #74) to allow things like:
      $ gpg -d passphrasefile.pgp | fwknop -R -n myserver
- For iptables firewalls, suggested a check for the 'comment' match to
  ensure the local environment will properly support fwknopd operations.
  The result is the new ENABLE_IPT_COMMENT_CHECK functionality.

Fernando Arnaboldi (IOActive)
- Found important buffer overflow conditions for authenticated SPA clients
  in the fwknopd server (pre-2.0.3). These findings enabled fixes to be
  developed along with a new fuzzing capability in the test suite.
- Found a condition in which an overly long IP from malicious authenticated
  clients is not properly validated by the fwknopd server (pre-2.0.3).
- Found a local buffer overflow in --last processing with a maliciously
  constructed ~/.fwknop.run file. This has been fixed with proper
  validation of .fwknop.run arguments.
- Found several conditions in which the server did not properly throw out
  maliciously constructed variables in the access.conf file. This has been
  fixed along with new fuzzing tests in the test suite.

Vlad Glagolev
- Submitted a patch to fix ndbm/gdbm usage when --disable-file-cache is
  used for the autoconf configure script. This functionality was broken in
  be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of
  #define macros from --disable-file-cache.
- Submitted a patch to fix command exec mode under SPA message type
  validity test. Support for command exec mode was also added to the test
  suite.
- Submitted an OpenBSD port for fwknop-2.0.3, and this has been checked in
  under extras/openbsd/.

Sean Greven
- Created a port of fwknop for FreeBSD:
  http://portsmon.freebsd.org/portoverview.py?category=security&portname=fwknop

Michael T. Dean
- Reported the Rijndael key truncation issue for user-supplied keys
  (passphrases) greater than 16 bytes long.

George Herlin
- Proposed a verification approach to test suite operations, and the result
  was implemented in a61939c005e2b09d6800e2171f607c9d1948f022. This makes
  the test suite operate equivalently regardless of whether valgrind is used
  or whether fwknop is being tested on an embedded system with very limited
  resources.

Ruhsam Bernhard
- Reported an issue where the message size test would result in long
  command mode SPA packets not decrypting properly because only GPG decrypt
  attempts were made. This issue was fixed in
  7e784df3870373f055a2f0f8d818829501bcb1c0.

Shawn Wilson
- Added better SPA source IP logging for various fwknopd logging messages.
  This helps to make it more clear why certain SPA packets are rejected
  from some systems.

Dan Lauber
- Suggested a check for fwknopd to ensure that the jump rule on systems
  running iptables is not duplicated if it already exists.

Ryman
- Reported a timing attack bug in the HMAC comparison operation (#85) and
  suggested a fix derived from yaSSL:
  http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html

Blair Zajac
- MacPorts fwknop package maintainer for Mac OS X systems.
- Contributed patches to handle endian issues on PPC systems.
- Reported an issue where strndup() is not available on some PPC systems
  and the fix is to use the local lib/fko_util.c implementation similarly
  to Windows builds.
- Suggested throwing an error in '-M legacy' mode to warn users about the
  inability of older fwknopd daemons to handle Rijndael keys > 16 bytes.
  Any release after and including 2.5 does not have this limitation.

Radostan Riedel
- Contributed an AppArmor policy that is known to work on Debian and Ubuntu
  systems. The policy file is available in extras/apparmor.

Les Aker
- Reported an issue with Arch Linux that resulted in fwknopd hanging for a
  pcap_dispatch() packet count of zero when using libpcap-1.5.1. This
  issue was tracked on github as issue #110, and the default packet count
  is now set at 100 as a result.

Marek Wrzosek
- Suggested doc update to fwknop man pages to accurately describe the usage
  of digits instead of bytes for SPA random data. About 53 bits of entropy
  are actually used, although this is in addition to the 64-bit random salt
  for key derivation used by PBKDF1 in Rijndael CBC mode.
- Various excellent feedback on crypto design, including the need to remove
  the GPG_IGNORE_SIG_VERIFY_ERROR mode.

Gerry Reno
- Updated the Android client to be compatible with Android-4.4.
- Provided guidance on Android client issues along with testing candidate
  patches to update various things - this work is being tracked in the
  android4.4_support branch.
- Implemented support for firewalld in the fwknopd daemon running on RHEL 7
  and CentOS 7 systems. This is a major addition to handle yet another
  firewall architecture.

Tim Heckman
- Homebrew fwknop package maintainer for Mac OS X systems.
- Suggested that fwknop support nftables when it is integrated into the
  mainline Linux kernel.

Barry Allard
- Reported a bug in PF support on FreeBSD systems where the absence of ALTQ
  would cause new PF rules to not be added (github issue #121).
- Suggested the ability to specify the HTTP User-Agent when wget is used to
  resolve the external IP via SSL (github issue #134).

Bill Stubbs
- Submitted a patch to fix a bug where fwknopd could not handle Ethernet
  frames that include the Frame Check Sequence (FCS) header. This header is
  four bytes long, and is placed at the end of each Ethernet frame.
  Normally the FCS header is not visible to libpcap, but some card/driver
  combinations result in it being included. Bill noticed this on the
  following platform:
      BeagleBone Black rev C running 3.8.13-bone50 #1 SMP Tue May 13
      13:24:52 UTC 2014 armv7l GNU/Linux

Grant Pannell
- Submitted a patch to add a new access.conf variable "DESTINATION" in
  order to define the destination address for which an SPA packet will be
  accepted. The string "ANY" is also accepted if a valid SPA packet should
  be honored to any destination IP. Similarly to the "SOURCE" variable,
  networks should be specified in CIDR notation (e.g. "192.168.10.0/24"),
  and individual IP addresses can be specified as well. Also, multiple IPs
  and/or networks can be defined as a comma separated list (e.g.
  "192.168.10.0/24,10.1.1.123").

Alexander Kozhevnikov
- Reported a bug when fwknop is compiled with --enable-udp-server where
  the server was including pcap.h.