Permalink
Commits on Aug 4, 2012
  1. bumped version to 2.0.2-pre1

    committed Aug 4, 2012
  2. [client] -R http recv() read until close (Jonathan Schulz)

    Applied patch from Jonathan Schulz to ensure that the fwknop client reads all
    data from a remote webserver when resolving the client IP address in -R mode.
    Jonathan indicated that some webservers would transfer HTTP headers and data
    separately, and a single recv() would therefore fail to get the necessary IP
    information.
    committed Aug 4, 2012
Commits on Aug 2, 2012
  1. added Jonathan Schulz

    committed Aug 2, 2012
  2. Change HTTP connection type to 'close' in -R mode

    Applied patch from Jonathan Schulz to change the HTTP connection type to
    'close' for the client in -R mode.
    committed Aug 2, 2012
  3. Replay attack bug fix (encryption prefixes)

    Ensure that an attacker cannot force a replay attack by intercepting an
    SPA packet and the replaying it with the base64 version of "Salted__"
    (for Rindael) or the "hQ" prefix (for GnuPG).  This is an important fix.
    The following comment was added into the fwknopd code:
    
    /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
     * since an attacker might have tacked them on to a previously seen
     * SPA packet in an attempt to get past the replay check.  And, we're
     * no worse off since a legitimate SPA packet that happens to include
     * a prefix after the outer one is stripped off won't decrypt properly
     * anyway because libfko would not add a new one.
    */
    
    Conflicts:
    
    	lib/cipher_funcs.h
    committed Jul 30, 2012
Commits on Jul 31, 2012
  1. [server] replay attack detection memory leak bug fix

    This commit fixes the following memory leak found with valgrind:
    
    44 bytes in 1 blocks are definitely lost in loss record 2 of 2
       at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
       by 0x490EA50: strdup (strdup.c:43)
       by 0x10CD69: incoming_spa (incoming_spa.c:162)
       by 0x10E000: process_packet (process_packet.c:200)
       by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x10DABF: pcap_capture (pcap_capture.c:226)
       by 0x10A798: main (fwknopd.c:299)
    committed Jul 28, 2012
Commits on Jul 24, 2012
  1. bumped version to 2.0.1

    committed Jul 24, 2012
  2. bumped version to fwknop-2.0.1

    committed Jul 24, 2012
  3. PCAP_LOOP_SLEEP bug fix to 1/10th of a second

    [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
    microseconds).  This was supposed to be the default anyway, but C
    Anthony Risinger reported a bug where fwknopd was consuming more
    resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
    default to 1/100th of a second - this has been fixed.
    committed Jul 24, 2012
Commits on Jul 23, 2012
  1. [client] Fixed several minor memory leaks caught by valgrind

    This commit fixes memory leaks like the following in the fwknop client:
    
    HEAP SUMMARY:
        in use at exit: 300 bytes in 11 blocks
      total heap usage: 100 allocs, 89 frees, 16,583 bytes allocated
    
    16 bytes in 1 blocks are indirectly lost in loss record 1 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D63E: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 2 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D658: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 3 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D672: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 4 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D68C: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    committed Jul 23, 2012
Commits on Jul 21, 2012
  1. Better SPA message validation upon SPA decrypt/decode.

    Added SPA message validation calls to fko decoding routines to help
    ensure that SPA messages conform to expected values.
    committed Jul 21, 2012
Commits on Jul 20, 2012
  1. Implemented server-side bounds checking on inccoming SPA data.

    Enhanced the libfko decoding routine to include bounds checking on decrypted
    SPA data.  This includes verifying the number of fields within incoming SPA
    data (colon separated) along with verifying string lengths of each field.
    committed Jul 20, 2012
Commits on Jul 19, 2012
  1. minor pcap_capture update to not call atoi() against PCAP_LOOP_SLEEP …

    …for every sleep interval
    committed Jul 19, 2012
Commits on Jul 18, 2012
  1. [test suite] file_find_regex() postive vs. negative match styles

    Positive match style requires all regex's to be found, whereas negative match
    style only requires seeing one regex.
    committed Jul 18, 2012
  2. Ensure that INPUT rules are added in --nat-local mode

    This change ensures that INPUT rules are added when the fwknop client is used to
    request access to a local service with --nat-local mode.
    committed Jul 18, 2012
Commits on Jul 17, 2012