127 lines
5.9 KiB
Plaintext
127 lines
5.9 KiB
Plaintext
Jonathan Bennett
|
|
- Contributed OpenWRT support - see the extras/openwrt/ directory.
|
|
|
|
Sebastien Jeanquier
|
|
- Assisted with getting fwknop included in BackTrack Linux - the choice
|
|
distro for pentation testers.
|
|
|
|
Ozmart
|
|
- Suggested the idea for setting an access stanza expiration time.
|
|
- Suggested the abiliy to have certain incoming connections automatically
|
|
NAT'd through to specific internal systems. The result was the FORCE_NAT
|
|
mode.
|
|
- Assisted with getting fwknop running under the Pentoo Linux distro.
|
|
|
|
Max Kastanas
|
|
- Contributed both an Android and an iPhone fwknop client port - see the
|
|
top level android/ and iphone/ directories.
|
|
|
|
Ted Wynnychenko
|
|
- Helped test fwknop PF support on OpenBSD.
|
|
|
|
Andy Rowland
|
|
- Reported a bug where the same encryption key used for two stanzas in the
|
|
access.conf file would result in access requests that matched the second
|
|
stanza to always be treated as a replay attack. This has been fixed for
|
|
the fwknop-2.0.1 release.
|
|
|
|
C Anthony Risinger
|
|
- Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a
|
|
second instead of the intended default of 1/10th of a second.
|
|
|
|
Franck Joncourt
|
|
- fwknop Debian package maintainer.
|
|
- Contributed a new Debian init script.
|
|
- Contributed a patch to have the perl FKO module link against libfko in
|
|
the local directory (if it exists) so that it doesn't have to have libfko
|
|
completely installed in /usr/lib/. This allows the test suite to run FKO
|
|
tests without installing libfko.
|
|
- Contributed a patch to remove unnecessary chmod() call when creating
|
|
client rc file and server replay cache file. The permissions are now set
|
|
appropriately via open(), and at the same time this patch fixes a
|
|
potential race condition since the previous code used fopen() followed by
|
|
chmod().
|
|
- Contributed a patch to allow the fwknop client to be stopped with Ctrl-C
|
|
before sending an SPA packet on the wire.
|
|
- Contributed a patch to ensure that duplicate iptables rules are not
|
|
created even for different SPA packets that arrive at the same time and
|
|
request the same access.
|
|
- Added support for resolving hostnames in various NAT modes (fixes issue
|
|
#43 in github).
|
|
- Bug fix in the client for resolving hostnames in '-P icmp' mode (fixes
|
|
issue #64).
|
|
- Added support for saving fwknop client command line arguments via a new
|
|
options --save-rc-stanza.
|
|
- Added log module support for the client.
|
|
|
|
Jonathan Schulz
|
|
- Submitted patches to change HTTP connection type to 'close' for -R mode
|
|
in the client and fix a bug for recv() calls against returned HTTP data.
|
|
|
|
Aldan Beaubien
|
|
- Reported an issue with the Morpheus client sending SPA packets with NULL
|
|
IP addresses, and code was added to fwknopd to better validate incoming
|
|
SPA data as a result of this report.
|
|
|
|
Geoff Carstairs
|
|
- Suggested a way to redirect valid connection requests to a specific
|
|
internal service via NAT, configurable by each stanza in access.conf.
|
|
This allows for better access control for multple users requiring access
|
|
to multiple internal systems, in a manner that is transparent to the
|
|
user. The result was the FORCE_NAT mode.
|
|
|
|
Hank Leininger
|
|
- For iptables firewalls, suggested a check for the 'comment' match to
|
|
ensure the local environment will properly support fwknopd operations.
|
|
The result is the new ENABLE_IPT_COMMENT_CHECK functionality.
|
|
|
|
Fernando Arnaboldi (IOActive)
|
|
- Found important buffer overflow conditions for authenticated SPA clients
|
|
in the fwknopd server (pre-2.0.3). These findings enabled fixes to be
|
|
developed along with a new fuzzing capability in the test suite.
|
|
- Found a condition in which an overly long IP from malicious authenticated
|
|
clients is not properly validated by the fwknopd server (pre-2.0.3).
|
|
- Found a local buffer overflow in --last processing with a maliciously
|
|
constructed ~/.fwknop.run file. This has been fixed with proper
|
|
validation of .fwknop.run arguments.
|
|
- Found several conditions in which the server did not properly throw out
|
|
maliciously constructed variables in the access.conf file. This has been
|
|
fixed along with new fuzzing tests in the test suite.
|
|
|
|
Vlad Glagolev
|
|
- Submitted a patch to fix ndbm/gdbm usage when --disable-file-cache is
|
|
used for the autoconf configure script. This functionality was broken in
|
|
be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of
|
|
#define macros from --disable-file-cache.
|
|
- Submitted a patch to fix command exec mode under SPA message type
|
|
validity test. Support for command exec mode was also added to the test
|
|
suite.
|
|
- Submitted an OpenBSD port for fwknop-2.0.3, and this has been checked in
|
|
under extras/openbsd/.
|
|
|
|
Sean Greven
|
|
- Created a port of fwknop for FreeBSD:
|
|
http://portsmon.freebsd.org/portoverview.py?category=security&portname=fwknop
|
|
|
|
Michael T. Dean
|
|
- Reported the Rijndael key truncation issue for user-supplied keys
|
|
(passphrases) greater than 16 bytes long.
|
|
|
|
George Herlin
|
|
- Proposed a verification approach to test suite operations, and the result
|
|
was implemented in a61939c005e2b09d6800e2171f607c9d1948f022. This makes
|
|
test suite operate equivalently regardless of whether valgrind is used or
|
|
whether fwknop is being tested on an embedded system with very limited
|
|
resources.
|
|
|
|
Ruhsam Bernhard
|
|
- Reported an issue where the message size test would result in long
|
|
command mode SPA packets not decrypting properly because only GPG decrypt
|
|
attempts were made. This issue was fixed in
|
|
7e784df3870373f055a2f0f8d818829501bcb1c0.
|
|
|
|
Shawn Wilson
|
|
- Added better SPA source IP logging for various fwknopd logging messages.
|
|
This helps to make it more clear why certain SPA packets are rejected
|
|
from some systems.
|