By default, fwknopd will now exit if the interface that it is sniffing goes down (patch contributed by Github user 'sgh7'). If this happens, it is expected that the native process monitoring feature in things like systemd or upstart will restart fwknopd. However, if fwknopd is not being monitored by systemd, upstart, or anything else, this behavior can be disabled with the EXIT_AT_INTF_DOWN variable in the fwknopd.conf file. If disabled, fwknopd will try to recover when a downed interface comes back up.
… fwknopd access.conf keys
Bug fix to ensure that a User-Agent string can be specified when the fwknop client uses wget via SSL to resolve the external IP address. This closes issue #134 on github reported by Barry Allard. The fwknop client now uses the wget '-U' option to specify the User-Agent string, with a default of "Fwknop/<version>". In addition, a new command line argument "--use-wget-user-agent" allows the default wget User-Agent string to be used instead.
With this commit PF rules are added correctly regardless of whether ALTQ support is available or not. Thanks to Barry Allard for discovering and reporting this issue. Closes issue #121 on github.
… 'bytes' Suggested doc update to fwknop man pages to accurately describe the usage of digits instead of bytes for SPA random data. About 53 bits of entropy are actually used, although this is in addition to the 64-bit random salt used for key derivation by PBKDF1 in Rijndael CBC mode.
…nopd -h exec fails" This reverts commit f55b89c. Damien recommended not having 'make install' run ldconfig since it breaks an RPM build of fwknop, and most package managers should be doing this step anyway.
This change helps to maintain backwards compatibility with older fwknopd daemons that cannot handle Rijndael keys greater than 16 bytes. Blair Zajac suggested printing a warning in '-M legacy' mode when a key longer than 16 bytes is attempted, and this warning is included in this commit.
…exec fails This commit makes sure that if running 'fwknop -h' or 'fwknopd -h' appears to fail then run ldconfig under the 'make install' step. George Herlin reported that on some systems ldconfig was not automatically getting executed via the autoconf Makefile config, and since fwknop/fwknopd depend on a shared library (libfko), ldconfig needs to be executed by 'make install' if it wasn't already done.
Blair Zajac contributed a patch to handle endian detection on PPC systems and issue a compile time error if it cannot be determined. This commit affects the BYTEORDER macro.
Ryman reported a timing attack bug in the HMAC comparison operation (#85) and suggested a fix derived from YaSSL: http://email@example.com/msg320402.html
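The class of bug behind #85, as an added example in C (not fwknop's or YaSSL's code): an early-exit HMAC comparison beside a constant-time one, each reporting how many bytes it examined for a forgery that gets the first seven bytes right. The digest length and sample bytes are constructed for the demo.

```c
#include <stddef.h>
#define HMAC_LEN 32   /* assumed digest length (SHA-256 HMAC) for this demo */

/* Naive check: stops at the first mismatching byte, so its running time
 * reveals how many leading bytes of 'received' were correct. Returns 1 on
 * match, 0 otherwise; *inspected reports how many bytes it examined. */
int hmac_equal_naive(const unsigned char *expected, const unsigned char *received,
                     size_t len, size_t *inspected)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (expected[i] != received[i]) {
            *inspected = i + 1;
            return 0;                     /* early exit: position leaks */
        }
    }
    *inspected = len;
    return 1;
}

/* Constant-time check: XORs every byte pair into one accumulator with no
 * data-dependent branch, so all 'len' bytes are touched on every call. */
int hmac_equal_ct(const unsigned char *expected, const unsigned char *received,
                  size_t len, size_t *inspected)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    *inspected = len;
    return diff == 0;
}

/* Builds a constructed digest and a forgery agreeing with it on the first
 * 'matching' bytes (matching >= HMAC_LEN yields an identical digest), runs both
 * checks, stores each inspected-byte count, and returns 1 if the verdicts agree. */
int demo_forgery(size_t matching, size_t *naive_bytes, size_t *ct_bytes)
{
    unsigned char expected[HMAC_LEN], forged[HMAC_LEN];
    size_t i;
    for (i = 0; i < HMAC_LEN; i++) {
        expected[i] = (unsigned char)(i * 37 + 11);   /* constructed sample */
        forged[i] = expected[i];
    }
    if (matching < HMAC_LEN)
        forged[matching] ^= 0xff;         /* first wrong byte at 'matching' */
    return hmac_equal_naive(expected, forged, HMAC_LEN, naive_bytes) ==
           hmac_equal_ct(expected, forged, HMAC_LEN, ct_bytes);
}
```

Both functions return the same verdict; the difference is that the naive one examines only eight bytes for this forgery while the constant-time one always examines all 32.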
…uplicated at init
Significant bug fix to honor the full encryption key length for user-supplied Rijndael keys > 16 bytes long. Prior to this bug fix, only the first 16 bytes of a key were actually used in the encryption/decryption process even if the supplied key was longer. The result was a weakening of expected security for users that had keys > 16 bytes, although this is probably not too common. Note that "passphrase" is perhaps technically a better word for "user-supplied key" in this context, since Rijndael in CBC mode derives the real encryption/decryption key from the passphrase through a series of applications of md5 against the passphrase and a random salt. This issue was reported by Michael T. Dean. Closes issue #18 on github.