Jonathan Bennett
- Contributed OpenWRT support - see the extras/openwrt/ directory.
- Suggested the addition of the --key-gen option to fwknopd.
- Contributed the console-qr.sh script (in extras/console-qr/) to create
  QR codes from fwknopd access.conf keys.
- Wrote a new fwknop client for Android called "Fwknop2" - see:
  https://f-droid.org/repository/browse/?fdid=org.cipherdyne.fwknop2

Sebastien Jeanquier
- Assisted with getting fwknop included in BackTrack Linux - the choice
  distro for penetration testers.

Ozmart
- Suggested the idea for setting an access stanza expiration time.
- Suggested the ability to have certain incoming connections automatically
  NAT'd through to specific internal systems. The result was the FORCE_NAT
  mode.
- Assisted with getting fwknop running under the Pentoo Linux distro.

Max Kastanas
- Contributed both an Android and an iPhone fwknop client port - see the
  top level android/ and iphone/ directories.

Ted Wynnychenko
- Helped test fwknop PF support on OpenBSD.

Andy Rowland
- Reported a bug where the same encryption key used for two stanzas in the
  access.conf file would result in access requests that matched the second
  stanza to always be treated as a replay attack. This has been fixed for
  the fwknop-2.0.1 release.

C Anthony Risinger
- Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a
  second instead of the intended default of 1/10th of a second.

Franck Joncourt
- fwknop Debian package maintainer.
- Contributed a new Debian init script.
- Contributed a patch to have the perl FKO module link against libfko in
  the local directory (if it exists) so that it doesn't have to have libfko
  completely installed in /usr/lib/. This allows the test suite to run FKO
  tests without installing libfko.
- Contributed a patch to remove an unnecessary chmod() call when creating
  the client rc file and the server replay cache file. The permissions are
  now set appropriately via the mode argument to open(), and at the same
  time this patch fixes a potential race condition since the previous code
  used fopen() followed by chmod(), leaving a window in which the file
  existed with the wider umask-derived permissions.
- Contributed a patch to allow the fwknop client to be stopped with Ctrl-C
  before sending an SPA packet on the wire.
- Contributed a patch to ensure that duplicate iptables rules are not
  created even for different SPA packets that arrive at the same time and
  request the same access.
- Added support for resolving hostnames in various NAT modes (fixes issue
  #43 in github).
- Bug fix in the client for resolving hostnames in '-P icmp' mode (fixes
  issue #64).
- Added support for saving fwknop client command line arguments via a new
  option --save-rc-stanza.
- Added log module support for the client.
- Added the ability to read a passphrase from STDIN and also from a file
  descriptor via --fd (closes #74).
- Added libfko unit tests via the CUnit framework.
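The fopen()-then-chmod() race described in the entry above, shown side by side with the open()-with-mode fix. This is an added illustration and not fwknop's own code: the file names, the sample content and the use of O_EXCL (which additionally refuses a pre-planted file or symlink at the path) are assumptions for the demo, not details taken from the patch.

```c
/* Added example (not fwknop's own code): creating a private file such as a
 * client rc file or a replay cache without the fopen()-then-chmod() window.
 * Paths and file content are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The old pattern: fopen() creates the file with 0666 & ~umask (typically
 * 0644, world-readable) and only afterwards does chmod() tighten it.
 * Returns the permission bits observed inside that window, or -1 on error,
 * so the caller can see what another local user could have seen. */
static int create_racy(const char *path)
{
    struct stat st;
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    /* A concurrent stat()/open() of the path lands here and sees 0644. */
    if (fstat(fileno(f), &st) != 0) {
        fclose(f);
        return -1;
    }
    int window_mode = (int)(st.st_mode & 0777);
    chmod(path, 0600);   /* too late: the inode already existed as 0644 */
    fclose(f);
    return window_mode;
}

/* The fixed pattern: open() takes the mode directly, so the inode is created
 * as 0600 atomically (umask can only clear bits, never add them). O_EXCL is
 * an assumption added here: it fails if something already sits at the path.
 * The FILE* for convenient writing comes from fdopen() on the same fd.
 * Returns the final permission bits, or -1 on error. */
static int create_private(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs("KEY_BASE64: example-constructed-value\n", f);  /* constructed */
    if (fstat(fd, &st) != 0) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return (int)(st.st_mode & 0777);
}

/* Runs both variants on temp paths under a typical 022 umask and returns 1
 * if the racy variant exposed 0644 in its window while the fixed variant
 * produced 0600 from the start. */
int demo_private_file(void)
{
    const char *dir = getenv("TMPDIR");
    char racy_path[256], safe_path[256];
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    snprintf(racy_path, sizeof racy_path, "%s/fwknop-demo-racy.%ld", dir, (long)getpid());
    snprintf(safe_path, sizeof safe_path, "%s/fwknop-demo-safe.%ld", dir, (long)getpid());
    umask(022);
    unlink(racy_path);
    unlink(safe_path);
    int racy_mode = create_racy(racy_path);
    int safe_mode = create_private(safe_path);
    unlink(racy_path);
    unlink(safe_path);
    return racy_mode == 0644 && safe_mode == 0600;
}

int main(void)
{
    printf("%s\n", demo_private_file() ? "open() with mode avoids the window" : "unexpected result");
    return 0;
}
```

Note that switching chmod(path, ...) to fchmod(fd, ...) would only remove the symlink-swap variant of the problem; the readable window between creation and the mode change stays unless the mode is supplied at creation time.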

Jonathan Schulz
- Submitted patches to change HTTP connection type to 'close' for -R mode
  in the client and fix a bug for recv() calls against returned HTTP data.

Aldan Beaubien
- Reported an issue with the Morpheus client sending SPA packets with NULL
  IP addresses, and code was added to fwknopd to better validate incoming
  SPA data as a result of this report.

Geoff Carstairs
- Suggested a way to redirect valid connection requests to a specific
  internal service via NAT, configurable by each stanza in access.conf.
  This allows for better access control for multiple users requiring access
  to multiple internal systems, in a manner that is transparent to the
  user. The result was the FORCE_NAT mode.

Hank Leininger
- Contributed a patch to greatly extend libfko error code descriptions at
  various places in order to give much better information on what certain
  error conditions mean. Closes #98.
- Suggested the ability to read a passphrase from STDIN and via a new --fd
  command line argument (github #74) to allow things like:
    $ gpg -d passphrasefile.pgp | fwknop -R -n myserver
- For iptables firewalls, suggested a check for the 'comment' match to
  ensure the local environment will properly support fwknopd operations.
  The result is the new ENABLE_IPT_COMMENT_CHECK functionality.

Fernando Arnaboldi (IOActive)
- Found important buffer overflow conditions for authenticated SPA clients
  in the fwknopd server (pre-2.0.3). These findings enabled fixes to be
  developed along with a new fuzzing capability in the test suite.
- Found a condition in which an overly long IP from malicious authenticated
  clients is not properly validated by the fwknopd server (pre-2.0.3).
- Found a local buffer overflow in --last processing with a maliciously
  constructed ~/.fwknop.run file. This has been fixed with proper
  validation of .fwknop.run arguments.
- Found several conditions in which the server did not properly throw out
  maliciously constructed variables in the access.conf file. This has been
  fixed along with new fuzzing tests in the test suite.

Vlad Glagolev
- Submitted a patch to fix ndbm/gdbm usage when --disable-file-cache is
  used for the autoconf configure script. This functionality was broken in
  be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of
  #define macros from --disable-file-cache.
- Submitted a patch to fix command exec mode under SPA message type
  validity test. Support for command exec mode was also added to the test
  suite.
- Submitted an OpenBSD port for fwknop-2.0.3, and this has been checked in
  under extras/openbsd/.

Sean Greven
- Created a port of fwknop for FreeBSD:
  http://portsmon.freebsd.org/portoverview.py?category=security&portname=fwknop

Michael T. Dean
- Reported the Rijndael key truncation issue for user-supplied keys
  (passphrases) greater than 16 bytes long.

George Herlin
- Proposed a verification approach to test suite operations, and the result
  was implemented in a61939c005e2b09d6800e2171f607c9d1948f022. This makes
  the test suite operate equivalently regardless of whether valgrind is used
  or whether fwknop is being tested on an embedded system with very limited
  resources.

Ruhsam Bernhard
- Reported an issue where the message size test would result in long
  command mode SPA packets not decrypting properly because only GPG decrypt
  attempts were made. This issue was fixed in
  7e784df3870373f055a2f0f8d818829501bcb1c0.

Shawn Wilson
- Added better SPA source IP logging for various fwknopd logging messages.
  This helps to make it more clear why certain SPA packets are rejected
  from some systems.

Dan Lauber
- Suggested a check for fwknopd to ensure that the jump rule on systems
  running iptables is not duplicated if it already exists.

Ryman
- Reported a timing attack bug in the HMAC comparison operation (#85) and
  suggested a fix derived from yaSSL:
  http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
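To show why an early-exit HMAC comparison is a problem and what the constant-time replacement looks like, here is an added example; it is not libfko's code and does not reproduce its comparison routine. The 32-byte MAC is constructed for the demo, and the "oracle" stands in for the response-time measurement an attacker would take over the network.

```c
/* Added example (not libfko's own code): an early-exit MAC comparison, a
 * simulated byte-at-a-time recovery attack against it, and the constant-
 * time comparison that removes the signal. The MAC is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the shape memcmp() also has: returns 0 on match,
 * otherwise 1 + index of the first differing byte. The amount of work (and
 * so the time taken) grows with the length of the matching prefix, which
 * is exactly what a remote attacker can measure. */
int hmac_cmp_leaky(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return (int)i + 1;
    return 0;
}

/* Constant-time comparison: always touches all len bytes and folds the
 * differences together with XOR/OR, so there is no data-dependent branch.
 * Returns 0 on match, non-zero otherwise. The volatile accumulator keeps
 * the compiler from rewriting the loop as an early exit. Both inputs must
 * have the same (public) length; check that before calling. */
int hmac_cmp_ct(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    return diff != 0;
}

/* Simulated attack on the leaky check: "how far did the loop get" is the
 * timing oracle. Recovers the MAC one byte at a time, at most 256 * len
 * guesses instead of 2^(8*len). Returns 1 if the recovered MAC is correct. */
int recover_mac_via_oracle(const uint8_t *real, size_t len)
{
    uint8_t guess[64] = {0};
    if (len > sizeof guess)
        return 0;
    for (size_t pos = 0; pos < len; pos++) {
        for (int c = 0; c < 256; c++) {
            guess[pos] = (uint8_t)c;
            int r = hmac_cmp_leaky(real, guess, len);
            /* The loop ran past pos (or matched fully): this byte is right. */
            if (r == 0 || (size_t)r > pos + 1)
                break;
        }
    }
    return memcmp(real, guess, len) == 0;
}

/* Builds a constructed 32-byte MAC, recovers it through the leaky oracle,
 * and confirms the constant-time check yields only match/mismatch. */
int demo_timing_attack(void)
{
    uint8_t mac[32];
    for (size_t i = 0; i < sizeof mac; i++)
        mac[i] = (uint8_t)(i * 37 + 11);   /* constructed, not a real HMAC */
    int recovered = recover_mac_via_oracle(mac, sizeof mac);
    uint8_t wrong[32];
    memcpy(wrong, mac, sizeof wrong);
    wrong[31] ^= 0x01;
    int ct_ok = hmac_cmp_ct(mac, mac, sizeof mac) == 0
             && hmac_cmp_ct(mac, wrong, sizeof mac) != 0;
    return recovered && ct_ok;
}

int main(void)
{
    printf("leaky compare recovered the MAC: %s\n",
           demo_timing_attack() ? "yes, constant-time compare gives no prefix signal" : "no");
    return 0;
}
```

In practice the per-byte timing difference is tiny and must be averaged over many requests, but the structure of the attack is the one above, which is why the comparison has to run in time independent of the data.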

Blair Zajac
- MacPorts fwknop package maintainer for Mac OS X systems.
- Contributed patches to handle endian issues on PPC systems.
- Reported an issue where strndup() is not available on some PPC systems
  and the fix is to use the local lib/fko_util.c implementation similarly
  to Windows builds.
- Suggested throwing an error in '-M legacy' mode to warn users about the
  inability of older fwknopd daemons to handle Rijndael keys > 16 bytes.
  Any release after and including 2.5 does not have this limitation.

Radostan Riedel
- Contributed an AppArmor policy that is known to work on Debian and Ubuntu
  systems. The policy file is available in extras/apparmor.

Les Aker
- Reported an issue with Arch Linux that resulted in fwknopd hanging for a
  pcap_dispatch() packet count of zero when using libpcap-1.5.1. This
  issue was tracked on github as issue #110, and the default packet count
  is now set at 100 as a result.

Marek Wrzosek
- Suggested a doc update to the fwknop man pages to accurately describe the
  usage of digits instead of bytes for SPA random data. About 53 bits of
  entropy are actually used, although this is in addition to the 64-bit
  random salt used for key derivation by PBKDF1 in Rijndael CBC mode.
- Various excellent feedback on crypto design, including the need to remove
  the GPG_IGNORE_SIG_VERIFY_ERROR mode.

Gerry Reno
- Updated the Android client to be compatible with Android-4.4.
- Provided guidance on Android client issues along with testing candidate
  patches to update various things - this work is being tracked in the
  android4.4_support branch.
- Implemented support for firewalld in the fwknopd daemon running on RHEL 7
  and CentOS 7 systems. This is a major addition to handle yet another
  firewall architecture.

Tim Heckman
- Homebrew fwknop package maintainer for Mac OS X systems.
- Suggested that fwknop support nftables when it is integrated into the
  mainline Linux kernel.

Barry Allard
- Reported a bug in PF support on FreeBSD systems where the absence of ALTQ
  would cause new PF rules to not be added (github issue #121).
- Suggested the ability to specify the HTTP User-Agent when wget is used to
  resolve the external IP via SSL (github issue #134).

Bill Stubbs
- Submitted a patch to fix a bug where fwknopd could not handle Ethernet
  frames that include the Frame Check Sequence (FCS). The FCS is four bytes
  long and is placed at the end of each Ethernet frame (a trailer rather
  than a header). Normally the FCS is not visible to libpcap, but some
  card/driver combinations result in it being included. Bill noticed this
  on the following platform:
    BeagleBone Black rev C running 3.8.13-bone50 #1 SMP Tue May 13
    13:24:52 UTC 2014 armv7l GNU/Linux

Grant Pannell
- Submitted a patch to add a new access.conf variable "DESTINATION" in
  order to define the destination address for which an SPA packet will be
  accepted. The string "ANY" is also accepted if a valid SPA packet should
  be honored to any destination IP. Similarly to the "SOURCE" variable,
  networks should be specified in CIDR notation (e.g. "192.168.10.0/24"),
  and individual IP addresses can be specified as well. Also, multiple IPs
  and/or networks can be defined as a comma separated list (e.g.
  "192.168.10.0/24,10.1.1.123").
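An added example, not fwknop's own parser, covering two entries above: the DESTINATION/SOURCE list format described here (single IPs, CIDR networks, a comma separated list, or "ANY") and the length checking an IP string needs before anything else touches it (the overly long IP finding in the Fernando Arnaboldi entry). The 15-character bound, the strict no-whitespace tokenising and the fail-closed return value for malformed lists are assumptions of this example; the real access.conf handling may differ.

```c
/* Added example (not fwknop's own code): matching an address against a
 * DESTINATION/SOURCE-style value such as "192.168.10.0/24,10.1.1.123".
 * IPv4 only; the bounds and return conventions are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IP_STR 15   /* "255.255.255.255" is the longest valid dotted quad */

/* Parses "a.b.c.d" or "a.b.c.d/NN" (toklen bytes, not NUL-terminated) into a
 * host-order network and mask. The length is checked before any copy so an
 * over-long token from a hostile file can never reach the fixed buffer;
 * inet_pton() then does the real syntax check. Returns 1 on success. */
static int parse_cidr(const char *tok, size_t toklen, uint32_t *net, uint32_t *mask)
{
    char ip[MAX_IP_STR + 1];
    struct in_addr a;
    const char *slash = memchr(tok, '/', toklen);
    size_t iplen = slash ? (size_t)(slash - tok) : toklen;
    unsigned bits = 32;

    if (iplen == 0 || iplen > MAX_IP_STR)
        return 0;
    memcpy(ip, tok, iplen);
    ip[iplen] = '\0';
    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    if (slash) {
        const char *p = slash + 1;
        size_t plen = toklen - iplen - 1;
        if (plen == 0 || plen > 2)          /* prefix is at most "32" */
            return 0;
        bits = 0;
        for (size_t i = 0; i < plen; i++) {
            if (p[i] < '0' || p[i] > '9')
                return 0;
            bits = bits * 10 + (unsigned)(p[i] - '0');
        }
        if (bits > 32)
            return 0;
    }
    *mask = (bits == 0) ? 0 : 0xFFFFFFFFu << (32 - bits);   /* no 32-bit shift */
    *net = ntohl(a.s_addr) & *mask;
    return 1;
}

/* Returns 1 if dst (dotted quad) is covered by the comma separated list,
 * 0 if it is not, and -1 if dst or any list entry is malformed. The whole
 * list is parsed even after a match so that a bad stanza is rejected
 * outright rather than silently partially honoured (fail closed). */
int addr_in_list(const char *list, const char *dst)
{
    struct in_addr d;
    uint32_t dip;
    int matched = 0;

    if (strlen(dst) > MAX_IP_STR || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    dip = ntohl(d.s_addr);
    if (strcmp(list, "ANY") == 0)
        return 1;

    const char *p = list;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t toklen = comma ? (size_t)(comma - p) : strlen(p);
        uint32_t net, mask;
        if (!parse_cidr(p, toklen, &net, &mask))
            return -1;
        if ((dip & mask) == net)
            matched = 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return matched;
}

int main(void)
{
    const char *stanza = "192.168.10.0/24,10.1.1.123";   /* constructed */
    printf("192.168.10.77 -> %d\n", addr_in_list(stanza, "192.168.10.77"));
    printf("10.1.1.124    -> %d\n", addr_in_list(stanza, "10.1.1.124"));
    printf("over-long IP  -> %d\n", addr_in_list(stanza, "192.168.10.1.1.1.1.1.1.1.1.1"));
    return 0;
}
```

The point of checking the token length before the copy, and of treating any malformed entry as a hard error, is that access.conf and the decrypted SPA payload are both inputs an authenticated but malicious party can shape; the parser should reject them without ever having to trust their size.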

Alexander Kozhevnikov
- Reported a bug when fwknop is compiled with --enable-udp-server where
  the server was still including pcap.h.

Dan Brooks
- Contributed a patch for the Android client app to add the definition of
  a custom server UDP port. This is similar to the --server-port argument
  offered by the main fwknop client.