f55b89c867
This commit makes sure that if running 'fwknop -h' or 'fwknopd -h' appears to fail then run ldconfig under the 'make install' step. George Herlin reported that on some systems ldconfig was not automatically getting executed via the autoconf Makefile config, and since fwknop/fwknopd depend on a shared library (libfko), ldconfig needs to be executed by 'make install' if it wasn't already done.
152 lines
7.0 KiB
Plaintext
152 lines
7.0 KiB
Plaintext
Jonathan Bennett
|
|
- Contributed OpenWRT support - see the extras/openwrt/ directory.
|
|
|
|
Sebastien Jeanquier
|
|
- Assisted with getting fwknop included in BackTrack Linux - the choice
|
|
distro for pentation testers.
|
|
|
|
Ozmart
|
|
- Suggested the idea for setting an access stanza expiration time.
|
|
- Suggested the abiliy to have certain incoming connections automatically
|
|
NAT'd through to specific internal systems. The result was the FORCE_NAT
|
|
mode.
|
|
- Assisted with getting fwknop running under the Pentoo Linux distro.
|
|
|
|
Max Kastanas
|
|
- Contributed both an Android and an iPhone fwknop client port - see the
|
|
top level android/ and iphone/ directories.
|
|
|
|
Ted Wynnychenko
|
|
- Helped test fwknop PF support on OpenBSD.
|
|
|
|
Andy Rowland
|
|
- Reported a bug where the same encryption key used for two stanzas in the
|
|
access.conf file would result in access requests that matched the second
|
|
stanza to always be treated as a replay attack. This has been fixed for
|
|
the fwknop-2.0.1 release.
|
|
|
|
C Anthony Risinger
|
|
- Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a
|
|
second instead of the intended default of 1/10th of a second.
|
|
|
|
Franck Joncourt
|
|
- fwknop Debian package maintainer.
|
|
- Contributed a new Debian init script.
|
|
- Contributed a patch to have the perl FKO module link against libfko in
|
|
the local directory (if it exists) so that it doesn't have to have libfko
|
|
completely installed in /usr/lib/. This allows the test suite to run FKO
|
|
tests without installing libfko.
|
|
- Contributed a patch to remove unnecessary chmod() call when creating
|
|
client rc file and server replay cache file. The permissions are now set
|
|
appropriately via open(), and at the same time this patch fixes a
|
|
potential race condition since the previous code used fopen() followed by
|
|
chmod().
|
|
- Contributed a patch to allow the fwknop client to be stopped with Ctrl-C
|
|
before sending an SPA packet on the wire.
|
|
- Contributed a patch to ensure that duplicate iptables rules are not
|
|
created even for different SPA packets that arrive at the same time and
|
|
request the same access.
|
|
- Added support for resolving hostnames in various NAT modes (fixes issue
|
|
#43 in github).
|
|
- Bug fix in the client for resolving hostnames in '-P icmp' mode (fixes
|
|
issue #64).
|
|
- Added support for saving fwknop client command line arguments via a new
|
|
option --save-rc-stanza.
|
|
- Added log module support for the client.
|
|
- Added the ability to read a passphrase from STDIN and also from a file
|
|
descriptor via --fd (closes #74).
|
|
|
|
Jonathan Schulz
|
|
- Submitted patches to change HTTP connection type to 'close' for -R mode
|
|
in the client and fix a bug for recv() calls against returned HTTP data.
|
|
|
|
Aldan Beaubien
|
|
- Reported an issue with the Morpheus client sending SPA packets with NULL
|
|
IP addresses, and code was added to fwknopd to better validate incoming
|
|
SPA data as a result of this report.
|
|
|
|
Geoff Carstairs
|
|
- Suggested a way to redirect valid connection requests to a specific
|
|
internal service via NAT, configurable by each stanza in access.conf.
|
|
This allows for better access control for multple users requiring access
|
|
to multiple internal systems, in a manner that is transparent to the
|
|
user. The result was the FORCE_NAT mode.
|
|
|
|
Hank Leininger
|
|
- For iptables firewalls, suggested a check for the 'comment' match to
|
|
ensure the local environment will properly support fwknopd operations.
|
|
The result is the new ENABLE_IPT_COMMENT_CHECK functionality.
|
|
|
|
Fernando Arnaboldi (IOActive)
|
|
- Found important buffer overflow conditions for authenticated SPA clients
|
|
in the fwknopd server (pre-2.0.3). These findings enabled fixes to be
|
|
developed along with a new fuzzing capability in the test suite.
|
|
- Found a condition in which an overly long IP from malicious authenticated
|
|
clients is not properly validated by the fwknopd server (pre-2.0.3).
|
|
- Found a local buffer overflow in --last processing with a maliciously
|
|
constructed ~/.fwknop.run file. This has been fixed with proper
|
|
validation of .fwknop.run arguments.
|
|
- Found several conditions in which the server did not properly throw out
|
|
maliciously constructed variables in the access.conf file. This has been
|
|
fixed along with new fuzzing tests in the test suite.
|
|
|
|
Vlad Glagolev
|
|
- Submitted a patch to fix ndbm/gdbm usage when --disable-file-cache is
|
|
used for the autoconf configure script. This functionality was broken in
|
|
be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of
|
|
#define macros from --disable-file-cache.
|
|
- Submitted a patch to fix command exec mode under SPA message type
|
|
validity test. Support for command exec mode was also added to the test
|
|
suite.
|
|
- Submitted an OpenBSD port for fwknop-2.0.3, and this has been checked in
|
|
under extras/openbsd/.
|
|
|
|
Sean Greven
|
|
- Created a port of fwknop for FreeBSD:
|
|
http://portsmon.freebsd.org/portoverview.py?category=security&portname=fwknop
|
|
|
|
Michael T. Dean
|
|
- Reported the Rijndael key truncation issue for user-supplied keys
|
|
(passphrases) greater than 16 bytes long.
|
|
|
|
George Herlin
|
|
- Proposed a verification approach to test suite operations, and the result
|
|
was implemented in a61939c005e2b09d6800e2171f607c9d1948f022. This makes
|
|
test suite operate equivalently regardless of whether valgrind is used or
|
|
whether fwknop is being tested on an embedded system with very limited
|
|
resources.
|
|
- Suggested that 'make install' run ldconfig since on some systems it
|
|
appears that ldconfig is not automatically run via the autoconf generated
|
|
Makefile configs.
|
|
|
|
Ruhsam Bernhard
|
|
- Reported an issue where the message size test would result in long
|
|
command mode SPA packets not decrypting properly because only GPG decrypt
|
|
attempts were made. This issue was fixed in
|
|
7e784df3870373f055a2f0f8d818829501bcb1c0.
|
|
|
|
Shawn Wilson
|
|
- Added better SPA source IP logging for various fwknopd logging messages.
|
|
This helps to make it more clear why certain SPA packets are rejected
|
|
from some systems.
|
|
|
|
Dan Lauber
|
|
- Suggested a check for fwknopd to ensure that the jump rule on systems
|
|
running iptables is not duplicated if it already exists.
|
|
|
|
Ryman
|
|
- Reported a timing attack bug in the HMAC comparison operation (#85) and
|
|
suggested a fix derived from yaSSL:
|
|
http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
|
|
|
|
hlein
|
|
- Suggested the ability to read a passphrase from STDIN and via a new --fd
|
|
command line argument (github #74) to allow things like:
|
|
$ gpg -d passphrasefile.pgp | fwknop -R -n myserver
|
|
|
|
Blair Zajac
|
|
- Contributed patches to handle endian issues on PPC systems.
|
|
- Reported an issue where strndup() is not available on some PPC systems
|
|
and the fix is to use the local lib/fko_util.c implementation similarly
|
|
to Windows builds.
|