Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

61 lines (59 sloc) 4.067 kb
fwknop-2.0.1 (07//2012):
- [server] Bug fix where the same encryption key used for two stanzas in
the access.conf file would result in access requests that matched the
second stanza to always be treated as a replay attack. This has been
fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now
the fwknopd server computes the SHA256 digest of raw incoming payload
data before decryption, and compares this against all previous hashes.
Previous to this commit, fwknopd would add a new hash to the replay
digest list right after the first access.conf stanza match, so when SPA
packet data matched the second access.conf stanza a matching replay
digest would already be there.
- [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
microseconds). This was supposed to be the default anyway, but C
Anthony Risinger reported a bug where fwknopd was consuming more
resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
default to 1/100th of a second - this has been fixed.
- [libfko] Added SPA message validation calls to fko decoding routines to
help ensure that SPA messages conform to expected values.
- Bug fix for PF firewalls: updated the PF anchor check to not rely on
listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
- [test suite] Added parsing of valgrind output to produce a listing of
functions that have been flagged - this assists in the development
process to ensure that fwknop is not leaking memory.
- [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path
instead of libfko.so. This fixes the existence check for libfko.
- [test suite] Added tests for --nat-local mode.
- [client] Fixed several minor memory leaks caught by valgrind.
- [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
‘edata_size’ set but not used [-Wunused-but-set-variable].
fwknop-2.0 (01/02/2012):
- This is the first production release that has been completely re-written
in C. This brings Single Packet Authorization functionality to all sorts
of machines from embedded devices to large systems. iptables, ipfw, and
pf firewalls are supported by the fwknopd daemon, and the fwknop client
is known to work on most major *NIX environments, the iPhone and Android
operating systems, and Cygwin under Windows.
- Added FORCE_NAT mode to the access.conf file so that for any valid SPA
packet, force the requested connection to be NAT'd through to the
specified (usually internal) IP and port value. This is useful if there
are multiple internal systems running a service such as SSHD, and you
want to give transparent access to only one internal system for each
stanza in the access.conf file. This way, multiple external users can
each directly access only one internal system per SPA key.
- Added two new access.conf variables are added "ACCESS_EXPIRE" and
"ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without
having to modify the access.conf file and restart fwknopd.
- Added a new feature to allow an access stanza that matches the SPA source
address to not automatically short circuit other stanzas if there is an
error (such as when there are multiple encryption keys involved and an
incoming SPA packet is meant for, say, the second stanza and the first
therefore doesn't allow proper decryption).
- Bug fix to exclude SPA packets with timestamps in the future that are too
great (old packets were properly excluded already).
- Bug fix to honor the fwknop client --time-offset-plus and
--time-offset-minus options
- Added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd
check for ENABLE_IPT_FORWARDING variable before attempting NAT access.
- [test suite] Added --diff mode to compare results from one execution to
the next.
Jump to Line
Something went wrong with that request. Please try again.