ChangeLog updates
This commit is contained in:
Michael Rash
parent
641866deff
commit
b2117e6fe7
47
ChangeLog
47
ChangeLog
@ -1,16 +1,26 @@
|
|||||||
fwknop-2.6.3 (05//2014):
|
fwknop-2.6.3 (05//2014):
|
||||||
- [server] Bug fix to handle SPA packets over HTTP by making sure to honor
|
- Integrated the 'libfiu' fault injection library available from
|
||||||
the ENABLE_SPA_OVER_HTTP fwknopd.conf variable and to properly account
|
http://blitiri.com.ar/p/libfiu/ This feature is disabled by default,
|
||||||
for SPA packet lengths when delivered via HTTP.
|
and requires the --enable-libfiu-support argument to the 'configure'
|
||||||
- [server] Add --test mode to instruct fwknopd to acquire and process
|
script in order to enable it. With fwknop compiled against libfiu, fault
|
||||||
SPA packets, but not manipulate firewall rules or execute commands that
|
injections are done at various locations within the fwknop sources and
|
||||||
are provided by SPA clients. This option is mostly useful for the fuzzing
|
the test suite verifies that the faults are properly handled at run time
|
||||||
tests in the test suite to ensure broad code coverage under adverse
|
via test/fko-wrapper/fko_fault_injection.c. In addition, the libfiu tool
|
||||||
conditions.
|
'fiu-run' is used against the fwknop binaries to ensure they handle
|
||||||
- [server] Bug fix for PF firewalls without ALTQ support on FreeBSD. With
|
faults that libfiu introduces into libc functions. For example, fiu-run
|
||||||
this fix it doesn't matter whether ALTQ support is available or not.
|
can force malloc() to fail even without huge memory pressure on the
|
||||||
Thanks to Barry Allard for discovering and reporting this issue.
|
local system, and the test suite ensures the fwknop binaries properly
|
||||||
Closes issue #121 on github.
|
handle this.
|
||||||
|
- [test suite] Integrated a new python fuzzer for fwknop SPA packets (see
|
||||||
|
test/spa_fuzzing.py). This greatly extends the ability of the test suite
|
||||||
|
to validate libfko operations since SPA fuzzing packets are sent through
|
||||||
|
libfko routines directly (indendepently of encryption and
|
||||||
|
authentication) with a special 'configure' option
|
||||||
|
--enable-fuzzing-interfaces. The python fuzzer generates over 300K SPA
|
||||||
|
packets, and when used by the test suite consumes about 400MB of disk.
|
||||||
|
For reference, to use both the libfiu fault injection feature mentioned
|
||||||
|
above and the python fuzzer, use the --enable-complete option to the
|
||||||
|
test suite.
|
||||||
- [server] Add a new GPG_FINGERPRINT_ID variable to the access.conf file
|
- [server] Add a new GPG_FINGERPRINT_ID variable to the access.conf file
|
||||||
so that full GnuPG fingerprints can be required for incoming SPA packets
|
so that full GnuPG fingerprints can be required for incoming SPA packets
|
||||||
in addition to the appreviated GnuPG signatures listed in GPG_REMOTE_ID.
|
in addition to the appreviated GnuPG signatures listed in GPG_REMOTE_ID.
|
||||||
@ -23,6 +33,10 @@ fwknop-2.6.3 (05//2014):
|
|||||||
signatures are to be verified for incoming SPA packets. Signature
|
signatures are to be verified for incoming SPA packets. Signature
|
||||||
verification is the default, and can only be disabled with
|
verification is the default, and can only be disabled with
|
||||||
GPG_DISABLE_SIG but this is NOT recommended.
|
GPG_DISABLE_SIG but this is NOT recommended.
|
||||||
|
- [server] Bug fix for PF firewalls without ALTQ support on FreeBSD. With
|
||||||
|
this fix it doesn't matter whether ALTQ support is available or not.
|
||||||
|
Thanks to Barry Allard for discovering and reporting this issue.
|
||||||
|
Closes issue #121 on github.
|
||||||
- [server] Bug fix discovered with the libfiu fault injection tag
|
- [server] Bug fix discovered with the libfiu fault injection tag
|
||||||
"fko_get_username_init" combined with valgrind analysis. This bug is
|
"fko_get_username_init" combined with valgrind analysis. This bug is
|
||||||
only triggered after a valid authenticated and decrypted SPA packet is
|
only triggered after a valid authenticated and decrypted SPA packet is
|
||||||
@ -37,6 +51,15 @@ fwknop-2.6.3 (05//2014):
|
|||||||
==11181== Uninitialised value was created by a stack allocation
|
==11181== Uninitialised value was created by a stack allocation
|
||||||
==11181== at 0x113476: incoming_spa (incoming_spa.c:294)
|
==11181== at 0x113476: incoming_spa (incoming_spa.c:294)
|
||||||
|
|
||||||
|
- [server] Bug fix to handle SPA packets over HTTP by making sure to honor
|
||||||
|
the ENABLE_SPA_OVER_HTTP fwknopd.conf variable and to properly account
|
||||||
|
for SPA packet lengths when delivered via HTTP.
|
||||||
|
- [server] Add --test mode to instruct fwknopd to acquire and process
|
||||||
|
SPA packets, but not manipulate firewall rules or execute commands that
|
||||||
|
are provided by SPA clients. This option is mostly useful for the fuzzing
|
||||||
|
tests in the test suite to ensure broad code coverage under adverse
|
||||||
|
conditions.
|
||||||
|
|
||||||
fwknop-2.6.2 (04/28/2014):
|
fwknop-2.6.2 (04/28/2014):
|
||||||
- [libfko] fix double free bug in SPA parser discovered with the new
|
- [libfko] fix double free bug in SPA parser discovered with the new
|
||||||
python SPA payload fuzzer (see the 'spa_encoding_fuzzing' branch which
|
python SPA payload fuzzer (see the 'spa_encoding_fuzzing' branch which
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user