Commits on Jul 10, 2012
  1. Merge from master minor bug fix to include default encryption mode

    committed
    When getting raw digest for replay attack detection specify the default
    encryption mode (which doesn't actually get used when passing a NULL key).
  2. bumped version to 2.0.1-pre2

    committed
  3. added valgrind parsing note

    committed
Commits on Jul 9, 2012
  1. bumped version to 2.0.1-pre1

    committed
Commits on Jul 8, 2012
  1. Only cache replay digests for SPA packets that decrypt

    committed
    This change ensures that we only cache replay digests for those SPA packets
    that actually decrypt.  Not doing this would have allowed an attacker to
    potentially fill up digest cache space with digests for garbage packets.
  2. Bug fix for multi-stanza key use and replay attack detection

    committed
    This commit fixes a bug where the same encryption key used for two stanzas in
    the access.conf file would result in access requests that matched the second
    stanza to always be treated as a replay attack.  This has been fixed for
    the fwknop-2.0.1 release, and was reported by Andy Rowland.  Now the fwknopd
    server computes the SHA256 digest of raw incoming payload data before
    decryption, and compares this against all previous hashes.  Previous to this
    commit, fwknopd would add a new hash to the replay digest list right after
    the first access.conf stanza match, so when SPA packet data matched the
    second access.conf stanza a matching replay digest would already be there.
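The two Jul 8 commits above describe an ordering problem in replay detection: the digest of the raw payload must be checked once before decryption and cached only after a successful decrypt, otherwise a second stanza sharing the same key sees its own packet as a replay, and garbage packets can bloat the cache. The following is an added illustration, not fwknop's code. It assumes a constructed stand-in for "the packet decrypts with this key" (an HMAC-SHA256 tag appended to the body, instead of Rijndael/CBC), hypothetical stanza fields `name`, `key` and `source`, and a plain `set` as the digest cache; the 16-byte length check mirrors the Feb 10 block-size commit further down the page.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # Rijndael block size in bytes
TAG_LEN = 32     # length of the constructed HMAC-SHA256 "decryption" tag


def make_packet(key: bytes, body: bytes) -> bytes:
    """Constructed stand-in for an encrypted SPA packet: body || HMAC(key, body).
    The body is zero-padded to a multiple of BLOCK_SIZE so the whole packet is too."""
    padded_len = -(-len(body) // BLOCK_SIZE) * BLOCK_SIZE
    body = body.ljust(padded_len, b"\x00")
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decrypts(key: bytes, raw: bytes) -> bool:
    """Stand-in for 'decryption succeeded with this stanza key' (not real Rijndael)."""
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def raw_digest(raw: bytes) -> str:
    """SHA256 over the raw, still-encrypted payload, computed before any decryption."""
    return hashlib.sha256(raw).hexdigest()


def valid_length(raw: bytes) -> bool:
    """Block-cipher input must be a multiple of the Rijndael block size."""
    return len(raw) > TAG_LEN and len(raw) % BLOCK_SIZE == 0


def process_buggy(raw, src_ip, stanzas, cache):
    """Pre-fix flow: the digest is cached right after the first stanza whose key
    decrypts the packet, so a later stanza sharing that key sees a 'replay'."""
    if not valid_length(raw):
        return "bad-length"
    for st in stanzas:
        if not decrypts(st["key"], raw):
            continue
        d = raw_digest(raw)
        if d in cache:
            return "replay"
        cache.add(d)            # cached before the stanza's own checks finish
        if src_ip == st["source"]:
            return "accepted:" + st["name"]
    return "rejected"


def process_fixed(raw, src_ip, stanzas, cache):
    """Post-fix flow: one replay check on the raw digest before decryption, and
    the digest is cached only once a stanza key actually decrypts the packet."""
    if not valid_length(raw):
        return "bad-length"
    d = raw_digest(raw)
    if d in cache:              # compared against all previously seen digests
        return "replay"
    cached = False
    for st in stanzas:
        if not decrypts(st["key"], raw):
            continue
        if not cached:
            cache.add(d)        # garbage that never decrypts is never cached
            cached = True
        if src_ip == st["source"]:
            return "accepted:" + st["name"]
    return "rejected"


def demo():
    """Two stanzas with the same key; the request matches the second stanza's SOURCE."""
    key = b"constructed-shared-key"
    stanzas = [
        {"name": "stanza1", "key": key, "source": "10.0.0.1"},
        {"name": "stanza2", "key": key, "source": "10.0.0.2"},
    ]
    pkt = make_packet(key, b"constructed SPA payload")
    results = {"buggy": process_buggy(pkt, "10.0.0.2", stanzas, set())}
    cache = set()
    results["fixed_first"] = process_fixed(pkt, "10.0.0.2", stanzas, cache)
    results["fixed_replay"] = process_fixed(pkt, "10.0.0.2", stanzas, cache)
    results["garbage"] = process_fixed(b"\x00" * 48, "10.0.0.2", stanzas, cache)
    results["cache_size"] = len(cache)   # garbage packet must not have been cached
    results["bad_length"] = process_fixed(b"\x00" * 47, "10.0.0.2", stanzas, cache)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the pre-fix flow reporting `replay` for a fresh packet that should match `stanza2`, while the fixed flow accepts it, flags the genuine resend as a replay, and leaves the cache untouched by a packet that decrypts with no stanza key.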
Commits on Jun 23, 2012
  1. Bug fix to not force asymmetric gpg decryption

    committed
    fwknopd access stanzas can have both Rijndael and GnuPG keys, so this
    commit fixes a bug where any gpg info would force only gpg decryption
    attempts even if a Rijndael key is provided in the stanza.
Commits on Jun 17, 2012
  1. Bug fix to throw out invalid access.conf SOURCE entries

    committed
    This commit causes fwknopd to exit whenever an invalid SOURCE entry is seen
    such as ":ANY".  Previous to this commit, valgrind threw the following errors
    with ":ANY" as an access.conf SOURCE entry:
    
    Invalid read of size 8
       at 0x117695: free_acc_source_list (access.c:512)
       by 0x1177E3: free_acc_stanza_data (access.c:564)
       by 0x117C67: free_acc_stanzas (access.c:654)
       by 0x10E32E: free_configs (config_init.c:106)
       by 0x10D085: main (fwknopd.c:376)
     Address 0x5a80658 is 8 bytes inside a block of size 16 free'd
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x116AE0: add_source_mask (access.c:255)
       by 0x116D57: expand_acc_source (access.c:303)
       by 0x117A82: expand_acc_ent_lists (access.c:620)
       by 0x119570: parse_access_file (access.c:1043)
       by 0x10C77E: main (fwknopd.c:193)
    
    Invalid free() / delete / delete[] / realloc()
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x1176A8: free_acc_source_list (access.c:514)
       by 0x1177E3: free_acc_stanza_data (access.c:564)
       by 0x117C67: free_acc_stanzas (access.c:654)
       by 0x10E32E: free_configs (config_init.c:106)
       by 0x10D085: main (fwknopd.c:376)
     Address 0x5a80650 is 0 bytes inside a block of size 16 free'd
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x116AE0: add_source_mask (access.c:255)
       by 0x116D57: expand_acc_source (access.c:303)
       by 0x117A82: expand_acc_ent_lists (access.c:620)
       by 0x119570: parse_access_file (access.c:1043)
       by 0x10C77E: main (fwknopd.c:193)
    
    HEAP SUMMARY:
        in use at exit: 8 bytes in 1 blocks
      total heap usage: 1,659 allocs, 1,659 frees, 238,310 bytes allocated
Commits on Jun 15, 2012
  1. Test suite support for function coverage testing via gcov

    committed
    Added --enable-profile-coverage to the configure script to have the fwknop
    binaries compiled with gcc profiling support in order to see which functions
    get executed by the test suite via gcov.  The last test executed by the test
    suite under --enable-profile-coverage contains all fwknop functions that
    were not executed under the test run (function execution totals are
    cumulative).
Commits on May 28, 2012
  1. merged minor updates from master

    committed
  2. gcc warning fix for: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not used [-Wunused-but-set-variable]

    committed
Commits on Feb 13, 2012
Commits on Feb 10, 2012
  1. bugfix to ensure that incoming SPA data in AES mode is a multiple of the Rijndael blocksize (16)

    committed
Commits on Feb 9, 2012
  1. updated to not base64 decode encrypted packet data by default (can override with --base64-decode)

    committed
Commits on Feb 8, 2012
  1. Re-worked encryption/decryption handling

    committed
    For SPA packets encrypted with Rijndael, fwknop has always used CBC mode
    even though ECB mode is mentioned in a couple of places.  This change makes
    more transparent use of block_encrypt() and block_decrypt() to ensure that
    the appropriate mode is used.  The default is CBC mode, but others can be
    selected as well (-M <mode> for the fwknop client, and ENCRYPTION_MODE in
    access.conf for the fwknopd server).
Commits on Feb 6, 2012