1d35c33d52
Added --enable-openssl-checks to send all SPA packets encrypted via libfko through the OpenSSL library to ensure that the libfko usage of AES is always compatible with OpenSSL. This ensures that the fwknop usage of AES is properly implemented as verified by the OpenSSL library, which is a frequently audited high profile crypto engine. If a vulnerability is discovered in OpenSSL and a change is made, then the --enable-openssl-checks mode will allow the test suite to discover this in a automated fashion for fwknop.
180 lines
8.7 KiB
Org Mode
180 lines
8.7 KiB
Org Mode
* COMPLETED
|
|
This bucket is for completed tasks.
|
|
** Rijndael keys are limited to 16 characters (#18)
|
|
:CLOSED: <2013-01-22 Tue>
|
|
:<2013-01-20 Sun>
|
|
Michael T. Dean reported that fwknop-2.x code limits Rijndael keys to 16
|
|
chars whereas it should accept keys up to RIJNDAEL_MAX_KEYSIZE chars in
|
|
length (32 chars).
|
|
** Release fwknop-2.0.4
|
|
:CLOSED: <2012-12-09 Sun>
|
|
** [test suite] Remove lib check for test suite when running in --enable-recompile mode
|
|
:CLOSED: <2012-11-15 Thu>
|
|
When creating a release tarball under 'make dist', the test suite performs
|
|
a check for existing lib/ directory even under --enable-recompile.
|
|
** Fix MIPS compilation error
|
|
:CLOSED: <2012-11-09 Fri>
|
|
Franck Joncourt reported the following bug compiling fwknop MIPS via
|
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689064
|
|
|
|
libtool: link: gcc -g -O2 -Wformat -Werror=format-security -Wall -g -O2
|
|
-Wl,-z -Wl,relro -Wl,-z -Wl,now -Wall -fstack-protector-all
|
|
-fstack-protector -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z -Wl,relro -Wl,-z
|
|
-Wl,now -o .libs/fwknop fwknop-fwknop.o fwknop-config_init.o
|
|
fwknop-spa_comm.o fwknop-utils.o fwknop-http_resolve_host.o
|
|
fwknop-getpasswd.o ../lib/.libs/libfko.so
|
|
/usr/bin/ld: fwknop-fwknop.o: relocation R_MIPS_26 against `getenv' can not
|
|
be used when making a shared object; recompile with -fPIC
|
|
fwknop-fwknop.o: could not read symbols: Bad value
|
|
collect2: ld returned 1 exit status
|
|
make[4]: *** [fwknop] Error 1
|
|
make[4]: Leaving directory
|
|
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3/client'
|
|
make[3]: *** [all-recursive] Error 1
|
|
make[3]: Leaving directory
|
|
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
|
|
make[2]: *** [all] Error 2
|
|
make[2]: Leaving directory
|
|
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
|
|
make[1]: *** [override_dh_auto_build] Error 2
|
|
make[1]: Leaving directory
|
|
`/build/buildd2-fwknop_2.0.3-1-mips-MZ2TL7/fwknop-2.0.3'
|
|
make: *** [build-arch] Error 2
|
|
|
|
Update: the problem appears to be caused by manually specifying the CFLAGS
|
|
variable while not also specifying the LDFLAGS variable.
|
|
|
|
:<2012-11-09 Fri> This issue has been fixed through the Debian build
|
|
process, and Franck has indicated that no changes are required within
|
|
fwknop.
|
|
|
|
** [client] Update to not send SPA packet if Ctrl-C is used
|
|
:CLOSED: <2012-11-08 Thu>
|
|
The client currently sends an SPA packet when an encryption key is
|
|
requested but the user tries to exit out with Ctrl-C.
|
|
- Completed by Franck Joncourt.
|
|
** [server] Add the ability to process pcap files offline
|
|
:CLOSED: <2012-11-08 Thu>
|
|
Leverage pcap_open_offline() to process pcap files from disk instead of
|
|
sniffing the network live.
|
|
- Added a new '--pcap-file <file>' option for this purpose.
|
|
** Add --disable-gpg arg to the autoconf configure script
|
|
:CLOSED: <2012-10-31 Wed>
|
|
There needs to be a way to easily disable libgpgme usage even if it is
|
|
installed - this could be done with a new --disable-gpg argument to the
|
|
configure script.
|
|
- Added --disable-gpg to the autoconf configure script (via configure.ac)
|
|
** [client] Add --icmp-type and --icmp-code args
|
|
:CLOSED: <2012-10-11 Thu>
|
|
For SPA packets sent over ICMP via raw socket, allow the user to specify
|
|
the ICMP type and code.
|
|
** [server] For Ubuntu systems, have fwknopd managed by upstart
|
|
:CLOSED: <2012-09-27 Thu>
|
|
fwknopd can benefit from upstart management and monitoring on Ubuntu
|
|
systems.
|
|
- Added the extras/upstart/fwknop.conf file so that standard upstart
|
|
commands like "service fwknop start" can be issued.
|
|
** [server] ipfw active/expire sets cannot be the same
|
|
:CLOSED: <2012-08-16 Thu>
|
|
Add a check to ensure that active and expire sets are not the same value in
|
|
fwknopd.conf, and add a corresponding test in the test suite.
|
|
** Release fwknop-2.0.2
|
|
:CLOSED: <2012-08-18 Sat>
|
|
Make the fwknop-2.0.2 release.
|
|
** Release fwknop-2.0.3
|
|
:CLOSED: <2012-09-03 Mon>
|
|
Make the fwknop-2.0.3 release.
|
|
** Update fwknopd man page for GPG_ALLOW_NO_PW
|
|
:CLOSED: <2012-08-14 Tue>
|
|
** Preserve existing configs under 'make install'
|
|
:CLOSED: <2012-08-13 Mon>
|
|
- The current 'make install' behavior overwrites any existing fwknopd config
|
|
files from a previous installation.
|
|
- Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the
|
|
fwknopd.conf file already exists, and similarly for the access.conf
|
|
file.
|
|
** fwknopd iptables comment match detection
|
|
:CLOSED: <2012-08-12 Sun>
|
|
Hank Leininger suggested that fwknopd do better detection for the iptables
|
|
comment match since it is required for the expiration of SPA rules.
|
|
** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
|
|
:CLOSED: <2012-08-12 Sun>
|
|
Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
|
|
** [server] access.c parsing: allow no KEY variable if GPG keys are used.
|
|
:CLOSED: <2012-10-02 Tue>
|
|
The access.c parsing code currently throws an error if there is not KEY
|
|
variable in an access stanza even if GPG_ALLOW_NO_PW is set.
|
|
* IN PROGRESS
|
|
This bucket is for tasks that are currently being worked on.
|
|
** [test suite] SPA packet fuzzer
|
|
Add a series of patches to the fwknop client that break how it produces SPA
|
|
data in subtle ways in order to ensure proper validation by fwknopd.
|
|
* TODO
|
|
This bucket is for new tasks.
|
|
** Handle Rijndael keys with a trailing zero char
|
|
:<2013-01-21 Mon>
|
|
|
|
fwknop should maintain compatibility with OpenSSL in its usage of Rijndael
|
|
in CBC mode. As of fwknop-2.0.4, backwards compatibility is maintained
|
|
with the older perl versions, and this implies that '0' chars are tacked
|
|
onto the end of user-supplied passphrases for those that are less than 16
|
|
bytes long. When trying to decrypt SPA packets with OpenSSL, this results
|
|
in the following error for passphrases < 16 bytes:
|
|
|
|
bad decrypt
|
|
140636380620448:error:06065064:digital envelope
|
|
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
|
|
|
|
For SPA packets encrypted with a passphrase > 16 bytes, OpenSSL is able to
|
|
decrypt them properly.
|
|
|
|
** Update all docs to include HMAC information (#17)
|
|
:<2013-01-20 Sun>
|
|
** Add HMAC support to the perl FKO module (#16)
|
|
:<2013-01-20 Sun>
|
|
** Fix gcc warnings on OpenBSD
|
|
:<2012-11-14 Wed>
|
|
Current fwknop code issues compilation warnings like the following on
|
|
OpenBSD: /root/src/fwknop-2.0.3/server/utils.c:117: warning: sprintf() is often misused, please use snprintf()
|
|
** [server] Add PF NAT support for OpenBSD systems
|
|
fwknopd already supports various NAT modes on iptables, but it should be
|
|
extended to support NAT on PF firewalls.
|
|
** [server] Add access variable to require particular IP's even when REQUIRE_SOURCE is used
|
|
The SOURCE variable only applies to the IP header. Add analogous filtering
|
|
for the allow IP that is encrypted within an SPA payload.
|
|
** [client] Fix 'Could not set destination IP.' in hostname resolution in '-P icmp' mode
|
|
It seems that hostname resolution is not working when SPA packets are
|
|
spoofed. Here is the command line to trigger the problem:
|
|
# fwknop -A tcp/22 -a 127.0.0.2 -D <host> --verbose --verbose -P icmp --icmp-type 8 --icmp-code 0 -Q 1.2.3.4
|
|
** Add 'enable' to ipfw active set at init time
|
|
Currently fwknopd does not do a check to ensure that the active set is
|
|
enabled at init time ('ipfw set enable 1').
|
|
** Update fwknopd man page to include IPFW* vars
|
|
None of the ipfw variables are currently documented in the fwknopd man
|
|
page.
|
|
** Use assert() in various places
|
|
Use assert() to validate expected values wherever possible.
|
|
** [server] Include files for access.conf
|
|
Hank Leininger suggested that the main access.conf file have an option to
|
|
include other files in which access stanzas can be specified. This makes
|
|
it easy to wrap additional controls around access information particularly
|
|
in multi-user environments.
|
|
** [test suite] backwards compatibility tests
|
|
The test suite should have the ability to test backwards compatibility
|
|
between fwknop versions.
|
|
** For Linux/Unix - a GNOME or KDE GUI app for the fwknop client.
|
|
Although there is currently a functioning web proxy that can serve as a
|
|
UI via a browser, it would be nice to have native GNOME and KDE GUI
|
|
wrappers for the fwknop client.
|
|
** For Windows - VB and/or C# class wrappers around libfko.dll
|
|
Extend Windows support with VB and/or C# class wrappers around the
|
|
libfko.dll
|
|
** Ruby bindings to libfko
|
|
Perl and Python bindings already exist for libfko, so add Ruby to this list
|
|
as well.
|
|
** [test suite] client/server only tests
|
|
When only the client or server is being installed on a system, the test
|
|
suite should be able to run only the relevant tests.
|
|
** Implement SPA over IPv6 (#1)
|
|
It is important to eventually fully support SPA over IPv6.
|