Commits on Aug 11, 2012
  1. [server] Added GPG_ALLOW_NO_PW variable and associated test suite support

    For GPG mode, added a new access.conf variable "GPG_ALLOW_NO_PW" to make it
    possible to leverage a server-side GPG key pair that has no associated
    password.  This comes in handy when a system requires the user to leverage
    gpg-agent / pinentry, which can present a problem in automated environments as
    required by the fwknopd server.  Now, it might seem like a problem to remove
    the passphrase from a GPG key pair, but it's important to note that simply
    doing this is little worse than storing the passphrase in the clear on disk
    anyway in the access.conf file.  Further, this link provides additional
    detail:
    
    http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment
    committed Aug 10, 2012
  2. [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT

    Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate
    the corresponding functionality that is implemented for iptables firewalls.
    
    Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then
    this set is not disabled when the FLUSH_IPFW* variables are enabled.
    
    These changes were suggested by Jonathan Schulz.
    committed Aug 10, 2012
Commits on Aug 9, 2012
Commits on Aug 5, 2012
  1. minor whitespace update

    committed Aug 5, 2012
Commits on Aug 4, 2012
  1. bumped version to 2.0.2-pre1

    committed Aug 3, 2012
  2. [client] -R http recv() read until close (Jonathan Schulz)

    Applied patch from Jonathan Schulz to ensure that the fwknop client reads all
    data from a remote webserver when resolving the client IP address in -R mode.
    Jonathan indicated that some webservers would transfer HTTP headers and data
    separately, and a single recv() would therefore fail to get the necessary IP
    information.
    committed Aug 3, 2012
Commits on Aug 2, 2012
  1. added Jonathan Schulz

    committed Aug 1, 2012
  2. Change HTTP connection type to 'close' in -R mode

    Applied patch from Jonathan Schulz to change the HTTP connection type to
    'close' for the client in -R mode.
    committed Aug 1, 2012
  3. Replay attack bug fix (encryption prefixes)

    Ensure that an attacker cannot force a replay attack by intercepting an
    SPA packet and then replaying it with the base64 version of "Salted__"
    (for Rijndael) or the "hQ" prefix (for GnuPG).  This is an important fix.
    The following comment was added into the fwknopd code:
    
    /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
     * since an attacker might have tacked them on to a previously seen
     * SPA packet in an attempt to get past the replay check.  And, we're
     * no worse off since a legitimate SPA packet that happens to include
     * a prefix after the outer one is stripped off won't decrypt properly
     * anyway because libfko would not add a new one.
     */
    
    Conflicts:
    
    	lib/cipher_funcs.h
    committed Jul 29, 2012
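The check described in that commit comment, as an added example rather than fwknop's own code: one outer prefix is stripped the way the decoder would strip it, and the packet is dropped if what remains still begins with a Rijndael or GnuPG prefix, so a prefix "tacked on" in front of a previously seen packet never reaches the replay cache with a fresh digest. The function and macro names are assumed; the 10-character Rijndael prefix is derived from base64("Salted__") = "U2FsdGVkX18=", whose last two characters depend on the bytes that follow the salt marker.

```c
#include <stdio.h>
#include <string.h>

/* Only the first 10 base64 characters of "Salted__" are fixed; the 11th
 * shares bits with the next byte of the ciphertext. (Names are assumed.) */
#define B64_RIJNDAEL_PREFIX "U2FsdGVkX1"
#define GPG_PREFIX          "hQ"

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Strip at most one outer prefix, as the decoder would before decrypting,
 * and return the offset of the remaining payload. */
static size_t strip_outer_prefix(const char *pkt)
{
    if (starts_with(pkt, B64_RIJNDAEL_PREFIX))
        return strlen(B64_RIJNDAEL_PREFIX);
    if (starts_with(pkt, GPG_PREFIX))
        return strlen(GPG_PREFIX);
    return 0;
}

/* Returns 1 if the packet may proceed to the replay check, 0 if it must be
 * ignored because a second prefix follows the outer one. */
int spa_prefix_ok(const char *pkt)
{
    const char *inner = pkt + strip_outer_prefix(pkt);

    if (starts_with(inner, B64_RIJNDAEL_PREFIX) || starts_with(inner, GPG_PREFIX))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample payloads, not real SPA packets. */
    const char *legit    = "U2FsdGVkX1" "Qm9ndXNDaXBoZXJ0ZXh0";
    const char *replayed = "U2FsdGVkX1" "U2FsdGVkX1" "Qm9ndXNDaXBoZXJ0ZXh0";

    printf("legit: %d, replayed: %d\n",
           spa_prefix_ok(legit), spa_prefix_ok(replayed));
    return 0;
}
```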
Commits on Jul 31, 2012
  1. [server] replay attack detection memory leak bug fix

    This commit fixes the following memory leak found with valgrind:
    
    44 bytes in 1 blocks are definitely lost in loss record 2 of 2
       at 0x482BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
       by 0x490EA50: strdup (strdup.c:43)
       by 0x10CD69: incoming_spa (incoming_spa.c:162)
       by 0x10E000: process_packet (process_packet.c:200)
       by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
       by 0x10DABF: pcap_capture (pcap_capture.c:226)
       by 0x10A798: main (fwknopd.c:299)
    committed Jul 28, 2012
Commits on Jul 24, 2012
  1. bumped version to 2.0.1

    committed Jul 23, 2012
  2. bumped version to fwknop-2.0.1

    committed Jul 23, 2012
  3. PCAP_LOOP_SLEEP bug fix to 1/10th of a second

    [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
    microseconds).  This was supposed to be the default anyway, but C
    Anthony Risinger reported a bug where fwknopd was consuming more
    resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
    default to 1/100th of a second - this has been fixed.
    committed Jul 23, 2012
Commits on Jul 23, 2012
  1. [client] Fixed several minor memory leaks caught by valgrind

    This commit fixes memory leaks like the following in the fwknop client:
    
    HEAP SUMMARY:
        in use at exit: 300 bytes in 11 blocks
      total heap usage: 100 allocs, 89 frees, 16,583 bytes allocated
    
    16 bytes in 1 blocks are indirectly lost in loss record 1 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D63E: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 2 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D658: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 3 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D672: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    
    16 bytes in 1 blocks are indirectly lost in loss record 4 of 11
       at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
       by 0x5C3D68C: ???
       by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
       by 0x508938E: cuserid (cuserid.c:37)
       by 0x4E3983A: fko_set_username (fko_user.c:65)
       by 0x4E38D5C: fko_new (fko_funcs.c:84)
       by 0x10A824: main (fwknop.c:75)
    committed Jul 22, 2012
Commits on Jul 21, 2012
  1. Better SPA message validation upon SPA decrypt/decode.

    Added SPA message validation calls to fko decoding routines to help
    ensure that SPA messages conform to expected values.
    committed Jul 21, 2012
Commits on Jul 20, 2012
  1. Implemented server-side bounds checking on incoming SPA data.

    Enhanced the libfko decoding routine to include bounds checking on decrypted
    SPA data.  This includes verifying the number of fields within incoming SPA
    data (colon separated) along with verifying string lengths of each field.
    committed Jul 19, 2012
Commits on Jul 19, 2012