fwknop Changelog

New in version 2.6.0 (January 14th, 2014)

  • (Radostan Riedel) Added an AppArmor policy for fwknopd that is known to work on Debian and Ubuntu systems. The policy file is available at extras/apparmor/usr.sbin/fwknopd.
  • [libfko] Nikolay Kolev reported a build issue with Mac OS X Mavericks where local fwknop copies of strlcat() and strlcpy() were conflicting with those that already ship with OS X 10.9. Closes #108 on github.
  • [libfko] (Franck Joncourt) Consolidated FKO context dumping function into lib/fko_util.c. In addition to adding a shared utility function for printing an FKO context, this change also makes the FKO context output slightly easier to parse by printing each FKO attribute on a single line (this change affected the printing of the final SPA packet data). The test suite has been updated to account for this change as well.
  • [libfko] Bug fix to not attempt SPA packet decryption with GnuPG without an fko object with encryption_mode set to FKO_ENC_MODE_ASYMMETRIC. This bug was caught with valgrind validation against the perl FKO extension together with the set of SPA fuzzing packets in test/fuzzing/fuzzing_spa_packets. Note that this bug cannot be triggered via fwknopd because additional checks are made within fwknopd itself to force FKO_ENC_MODE_ASYMMETRIC whenever an access.conf stanza contains GPG key information. This fix strengthens libfko itself to independently require that the usage of fko objects without GPG key information does not result in attempted GPG decryption operations. Hence this fix applies mostly to third party usage of libfko, i.e. stock installations of fwknopd are not affected. As always, it is recommended to use HMAC authenticated encryption whenever possible even for GPG modes, since this also provides a workaround for libfko versions prior to this fix.
  • [Android] (Gerry Reno) Updated the Android client to be compatible with Android-4.4.
  • [Android] Added HMAC support (currently optional).
  • [server] Updated pcap_dispatch() default packet count from zero to 100. This change was made to ensure backwards compatibility with older versions of libpcap per the pcap_dispatch() man page, and also because of a report from Les Aker of an unexpected crash on Arch Linux with libpcap-1.5.1 that is fixed by this change (closes #110).
  • [server] Bug fix for SPA NAT modes on iptables firewalls to ensure that custom fwknop chains are re-created if they get deleted out from under the running fwknopd instance.
  • [server] Added FORCE_SNAT to the access.conf file so that per-access stanza SNAT criteria can be specified for SPA access.
  • [test suite] Added --gdb-test to allow a previously executed fwknop or fwknopd command to be sent through gdb with the same command line args as the test suite used. This is a convenience for rapidly launching gdb when investigating fwknop/fwknopd problems.
  • [client] (Franck Joncourt) Added --stanza-list argument to show the stanza names from ~/.fwknoprc.
  • [libfko] (Hank Leininger) Contributed a patch to greatly extend libfko error code descriptions at various places in order to give much better information on what certain error conditions mean. Closes #98.
  • [test suite] Added the ability to run perl FKO module built-in tests in the t/ directory underneath the CPAN Test::Valgrind module. This allows valgrind memory checks to be applied to libfko functions via the perl FKO module (and hence rapid prototyping can be combined with memory leak detection). A check is made to see whether the Test::Valgrind module has been installed, and --enable-valgrind is also required (or --enable-all) on the test-fwknop.pl command line.

New in version 2.5.1 (July 29th, 2013)

  • A bugfix in the fwknop client to reset terminal settings to original values after entering keys via stdin.
  • A bugfix in the fwknopd daemon to not print a PID file existence warning.
  • A test suite bugfix to not run an iptables Rijndael HMAC test on non-Linux systems.

New in version 2.5 (July 26th, 2013)

  • This version added support for HMAC SHA-256 authenticated encryption in the encrypt-then-authenticate model.
  • Many bugs discovered by the Coverity static analyzer were fixed.
  • OpenSSL compatibility tests were added to the test suite.
  • Client stanza saving ability was added for the ~/.fwknoprc file, simplifying fwknop client usage.
  • The ability to automatically generate both Rijndael and HMAC keys with --key-gen was added.

New in version 2.0.4 (December 10th, 2012)

  • On the server side, this release adds a chain_exists() check to SPA rule creation so that if any of the fwknop chains are deleted out from under fwknopd, they will be recreated on the fly.
  • It adds new SPA packet fuzzing capability to the test suite to assist in validation of SPA operations.
  • It adds upstart config for systems running the upstart daemon.
  • An OpenBSD ndbm/gdbm usage bugfix.
  • ICMP type/code client command line arguments have been added for when SPA packets are sent over ICMP.

New in version 2.0.3 (September 8th, 2012)

  • Several DoS/code execution vulnerabilities for malicious fwknop clients that manage to get past the authentication stage (so such clients must possess a valid encryption key) have been fixed.
  • Permissions and ownership checks have been added to all files consumed by the fwknop client and server.
  • RPM builds have been fixed by including the $(DESTDIR) prefix for uninstall-local and install-exec-hook stages in Makefile.am.

New in version 2.0.2 (August 21st, 2012)

  • Better handling of GnuPG for SPA packet decryption on the server side (accounts for no passphrase gpg keys when gpg-agent or pinentry are otherwise required).
  • A bugfix in SPA packet replay detection code.
  • A check for the existence of the iptables 'comment' match when the server is deployed on Linux.
  • Several other bugfixes.

New in version 2.0 (January 4th, 2012)

  • This is the production release of the fwknop C rewrite.
  • It brings Single Packet Authorization to three different Open Source firewalls (iptables, ipfw, and pf), embedded systems, and mobile devices.
  • The fwknopd server runs on Linux, Mac OS X, FreeBSD, and OpenBSD.
  • The client runs on all of these platforms as well as Android, the iPhone, and Cygwin under Windows.
  • In addition, the client is portable, and can be compiled as a native Windows binary.

New in version 2.0 RC5 (December 15th, 2011)

  • This version adds OpenBSD PF support, adds a new FORCE_NAT mode to transparently force authenticated connections to specified internal systems, adds a comprehensive test suite, and adds the ability to automatically expire SPA keys.
  • Several memory handling bugfixes were made.

New in version 1.9.12 (September 9th, 2009)

  • The FKO module that is part of the libfko library was fully integrated for all SPA routines: encryption/decryption, digest calculation, replay attack detection, etc.
  • The ability to recover from interface error conditions was added, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated.
  • The fwknop client was updated to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request.