client/fwknop.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fixed uninitialized variable

client/config_init.c | 23 14 + 9 - 0 !
client/config_init.h | 23 14 + 9 - 0 !
client/fwknop.c | 23 14 + 9 - 0 !
client/fwknop.h | 23 14 + 9 - 0 !
client/fwknop_common.h | 23 14 + 9 - 0 !
client/getpasswd.c | 23 14 + 9 - 0 !
client/getpasswd.h | 23 14 + 9 - 0 !
client/http_resolve_host.c | 23 14 + 9 - 0 !
client/spa_comm.c | 23 14 + 9 - 0 !
client/spa_comm.h | 23 14 + 9 - 0 !
client/utils.c | 23 14 + 9 - 0 !
client/utils.h | 23 14 + 9 - 0 !
common/common.h | 23 14 + 9 - 0 !
common/netinet_common.h | 23 15 + 8 - 0 !
lib/base64.c | 24 16 + 8 - 0 !
lib/base64.h | 23 15 + 8 - 0 !
lib/cipher_funcs.c | 23 15 + 8 - 0 !
lib/cipher_funcs.h | 23 15 + 8 - 0 !
lib/digest.c | 25 16 + 9 - 0 !
lib/digest.h | 23 15 + 8 - 0 !
lib/fko.h | 23 14 + 9 - 0 !
lib/fko_client_timeout.c | 23 14 + 9 - 0 !
lib/fko_common.h | 23 14 + 9 - 0 !
lib/fko_context.h | 23 14 + 9 - 0 !
lib/fko_decode.c | 23 14 + 9 - 0 !
lib/fko_digest.c | 23 14 + 9 - 0 !
lib/fko_encode.c | 23 14 + 9 - 0 !
lib/fko_encryption.c | 23 14 + 9 - 0 !
lib/fko_error.c | 23 14 + 9 - 0 !
lib/fko_funcs.c | 23 14 + 9 - 0 !
lib/fko_limits.h | 25 14 + 11 - 0 !
lib/fko_message.c | 23 14 + 9 - 0 !
lib/fko_nat_access.c | 23 14 + 9 - 0 !
lib/fko_rand_value.c | 23 14 + 9 - 0 !
lib/fko_server_auth.c | 23 14 + 9 - 0 !
lib/fko_state.h | 23 14 + 9 - 0 !
lib/fko_timestamp.c | 23 14 + 9 - 0 !
lib/fko_user.c | 23 14 + 9 - 0 !
lib/fko_util.h | 23 14 + 9 - 0 !
lib/gpgme_funcs.c | 23 14 + 9 - 0 !
lib/gpgme_funcs.h | 23 15 + 8 - 0 !
lib/md5.c | 17 5 + 12 - 0 !
lib/md5.h | 23 14 + 9 - 0 !
lib/rijndael.c | 38 24 + 14 - 0 !
lib/rijndael.h | 40 25 + 15 - 0 !
lib/sha1.h | 30 17 + 13 - 0 !
lib/sha2.c | 15 10 + 5 - 0 !
lib/sha2.h | 14 9 + 5 - 0 !
lib/strlcat.c | 15 10 + 5 - 0 !
lib/strlcpy.c | 15 10 + 5 - 0 !
server/access.c | 23 14 + 9 - 0 !
server/access.h | 23 14 + 9 - 0 !
server/config_init.c | 23 14 + 9 - 0 !
server/config_init.h | 23 14 + 9 - 0 !
server/extcmd.c | 23 14 + 9 - 0 !
server/extcmd.h | 23 14 + 9 - 0 !
server/fw_util.c | 23 14 + 9 - 0 !
server/fw_util.h | 23 14 + 9 - 0 !
server/fw_util_ipf.c | 23 14 + 9 - 0 !
server/fw_util_ipf.h | 23 14 + 9 - 0 !
server/fw_util_ipfw.c | 23 14 + 9 - 0 !
server/fw_util_ipfw.h | 23 14 + 9 - 0 !
server/fw_util_iptables.c | 23 14 + 9 - 0 !
server/fw_util_iptables.h | 23 14 + 9 - 0 !
server/fwknopd.c | 23 14 + 9 - 0 !
server/fwknopd.h | 23 14 + 9 - 0 !
server/fwknopd_common.h | 23 14 + 9 - 0 !
server/fwknopd_errors.c | 23 14 + 9 - 0 !
server/fwknopd_errors.h | 23 14 + 9 - 0 !
server/incoming_spa.c | 23 14 + 9 - 0 !
server/incoming_spa.h | 23 14 + 9 - 0 !
server/log_msg.c | 23 14 + 9 - 0 !
server/log_msg.h | 23 14 + 9 - 0 !
server/pcap_capture.c | 23 14 + 9 - 0 !
server/pcap_capture.h | 23 14 + 9 - 0 !
server/process_packet.c | 23 14 + 9 - 0 !
server/process_packet.h | 23 14 + 9 - 0 !
server/replay_dbm.c | 23 14 + 9 - 0 !
server/replay_dbm.h | 23 14 + 9 - 0 !
server/sig_handler.c | 23 14 + 9 - 0 !
server/sig_handler.h | 23 14 + 9 - 0 !
server/tcp_server.c | 23 14 + 9 - 0 !
server/tcp_server.h | 23 14 + 9 - 0 !
server/utils.c | 23 14 + 9 - 0 !
server/utils.h | 23 14 + 9 - 0 !
85 files changed, 1198 insertions(+), 762 deletions(-)

 fix copyright/licence issues

lib/fko_message.c | 30 15 + 15 - 0 !
lib/fko_message.h | 58 58 + 0 - 0 !
server/access.c | 89 74 + 15 - 0 !
server/access.h | 4 3 + 1 - 0 !
server/fw_util_iptables.c | 3 2 + 1 - 0 !
5 files changed, 152 insertions(+), 32 deletions(-)

 [patch] (fernando arnaboldi, ioactive) found and fixed several
 DoS/code execution vulns for authenticated clients

- [server] Fernando Arnaboldi from IOActive found several DoS/code
execution vulnerabilities for malicious fwknop clients that manage to
get past the authentication stage (so a such a client must be in
possession of a valid access.conf encryption key).  These vulnerbilities
manifested themselves in the handling of malformed access requests, and
both the fwknopd server code along with libfko now perform stronger input
validation of access request data.  These vulnerabilities affect
pre-2.0.3 fwknop releases.

lib/fko_limits.h | 3 3 + 0 - 0 !
lib/fko_message.c | 16 12 + 4 - 0 !
2 files changed, 15 insertions(+), 4 deletions(-)

 [patch] [server] stronger ip validation based on a bug found by
 Fernando Arnaboldi from IOActive

This commit fixes a condition in which the server did not properly validate
allow IP addresses from malicious authenticated clients.  This has been fixed
with stronger allow IP validation.

client/config_init.c | 15 12 + 3 - 0 !
client/fwknop.c | 18 16 + 2 - 0 !
client/utils.c | 74 72 + 2 - 0 !
client/utils.h | 12 12 + 0 - 0 !
configure.ac | 2 1 + 1 - 0 !
server/access.c | 2 2 + 0 - 0 !
server/config_init.c | 2 2 + 0 - 0 !
server/fwknopd.c | 2 2 + 0 - 0 !
server/utils.c | 80 79 + 1 - 0 !
server/utils.h | 2 2 + 0 - 0 !
10 files changed, 200 insertions(+), 9 deletions(-)

 [patch] file permissions and client buffer overflow fix

- [client+server] Fernando Arnaboldi from IOActive found that strict
filesystem permissions for various fwknop files are not verified.  Added
warnings whenever permissions are not strict enough, and ensured that
files created by the fwknop client and server are only set to user
read/write.
- [client] Fernando Arnaboldi from IOActive found a local buffer overflow
in --last processing with a maliciously constructed ~/.fwknop.run file.
This has been fixed with proper validation of .fwknop.run arguments.