File: ChangeLog

Package: fwknop 2.0.0rc2-2+deb7u2 (area: main; suite: wheezy)

2010-08-28  Damien Stuart <dstuart@dstuart.org>
	* Version 2.0.0rc2
	* Added support for access requests using ipfw.
	* Added platform-related ifdefs around platform-specific code.
	* Stubbed in ipf and pf firewall program support (not operational
	  yet).
	* Updates to accommodate compiling on FreeBSD-based systems.

2010-07-21  Damien Stuart <dstuart@dstuart.org>
	* Added extras directory to source distribution as a holder for extra
	  and/or contributed files.  This initially includes startup (init)
	  scripts for various platforms.

2010-07-20  Michael Rash  <mbr@cipherdyne.org>
	Release fwknop 2.0.0rc1 
	* Tagged fwknop-2.0.0rc1 release.

2010-07-18  Damien Stuart <dstuart@dstuart.org>
	* Added default fallback values for all fwknopd.conf parameters and set
	  all entries in the initially deployed version of fwknopd.conf to be
	  commented out.
	* Yet another round of code cleanup in preparation for the release of
	  2.0.0rc1.

2010-07-13  Michael Rash  <mbr@cipherdyne.org>
	* Added the --fw-list option to the server to list current fwknop-related
	  firewall rules.
	* Added fallback to default keyring path if GPG_HOME_DIR is not set in the
	  config file or specified on the command-line.
	* Added is_valid_dir() function for validating directory paths specified
	  via .conf file or command-line option.

2010-07-11  Damien Stuart <dstuart@dstuart.org>
	* Added the fwknop_errors.[ch] files that provide error code processing
	  functions that consolidate the various sub-system error codes and
	  provide the correct string representation of the corresponding errors.
	* More documentation tweaks.

2010-07-07  Damien Stuart <dstuart@dstuart.org>
	* Reworked how external commands are executed (due to problems encountered
	  when running in the background on some platforms).
	* TCP Server child process no longer holds on to the lock file handle, and
	  it also will shut itself down if the parent fwknopd process goes away.
	* Changed the client to use cipherdyne.org for resolving external IP as
	  the whatismyip.com site has restrictions that could impede proper client
	  invocations using this feature.
	* Removed the direction fields (src and dst) from the fwknop iptables chain
	  definition parameters in the fwknopd.conf file.
	* Added RC file support for the client.  Now fwknop client can use a
	  .fwknoprc file for saved, named command-line profiles.
	* Improved clarity in log message output.
	* Added fwknop.spec file for building binary RPM packages.
	* Fixed how autoconf was setting up shared library dependencies for the
	  server and client components.

2010-06-28  Damien Stuart <dstuart@dstuart.org>
	* Added COMMAND_MSG support.

2010-06-28  Damien Stuart <dstuart@dstuart.org>
	* Added COMMAND_MSG support.
	* Added ability to run Command messages as a specified user.
	* Added code to complete GPG signature processing and validation. This
	  included the addition of the GPG_REQUIRE_SIG and the
	  GPG_IGNORE_SIG_VERIFY_ERROR access.conf parameters.
	* Implemented the checking of signatures against the GPG_REMOTE_ID list.

2010-06-23  Damien Stuart <dstuart@dstuart.org>
	* Added the TCP server functionality.
	* Added support for receiving and processing SPA data sent via HTTP
	  request.
	* Added more specific data format and SPA validation checks before
	  attempting decrypt/decode.
	* Lots of code cleanup in preparation for candidate release.
	* Brought documentation in sync with functionality.

2010-06-15  Damien Stuart <dstuart@dstuart.org>
	* Finished up first cut support for all firewall rules/modes including
	  Forwarding, DNAT, and SNAT.

2010-05-16  Damien Stuart <dstuart@dstuart.org>
	* Added the initial firewall rules creation and expiry/removal code for
	  simple access requests.

2010-02-09  Damien Stuart <dstuart@dstuart.org>
	* Created initial fwknopd.8 man page.
	* Added --locale and --no-locale options.
	* Allow using internal set_config_entry function to set NULL values
	  to configuration options to clear and free them.

2010-02-05  Damien Stuart <dstuart@dstuart.org>
	* Updated libfko to set gpgme to use gpg (vice gpg2) by default.
	* Added fko_set_gpg_exe and fko_get_gpg_exe functions for getting or
	  setting the path to gpg.  Updated docs accordingly.
	* Fixed some potential memory leak issues in libfko and fwknopd.
	* Reworked the get_user_pw routines to accommodate use of gpg-agent and not
	  prompting for a password when GPG is used without signing.
	* Fixed bug where the 'hQ' prefix was removed by the client, but not put
	  back by the server.
	* Added check for (and ability to override) the path to gpg to the
	  configure script.
	* Reverted/removed the pretty-print routines from the configure script as
	  the changes caused more issues than they were worth.

2010-01-30  Damien Stuart <dstuart@dstuart.org>
	* Set working version to 2.0.0-alpha-pre2.
	* Added additional sanity checks and clean-up of access.conf processing
	  and functionality.
	* Fixed REQUIRE_SOURCE and added check for REQUIRE_USERNAME.
	* Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY
	  failed with a decryption error.
	* Fixed packet count checks to allow a limit of 0 to mean unlimited
	  number of packets.
	* Minor libfko documentation updates.

2010-01-02  Michael Rash  <mbr@cipherdyne.org>
	* Added a new command line argument "--last-cmd" to run the fwknop client
	  with the same command line arguments as the previous time it was
	  executed.  The previous arguments are parsed out of the ~/.fwknop.run
	  file (if it exists).
	* Bug fix to not send any SPA packet out on the wire if a NULL password/key
	  is provided to the fwknop client.  This could happen if the user tried to
	  abort fwknop execution by sending the process a SIGINT while being
	  prompted to enter the password/key for SPA encryption.

2010-01-03  Damien Stuart <dstuart@dstuart.org>
	* Added access.conf file, parsing, and processing.
	* Added a new access.conf parameter, RESTRICT_PORTS for specifying 1 or
	  more proto/ports that are explicitly not allowed.
	* Upon startup, fwknopd will now create the path to the configured run
	  directory and/or the basename of the digest cache file if they do not
	  already exist.

2010-01-02  Michael Rash  <mbr@cipherdyne.org>
	* Added --packet-limit to fwknopd so that the number of incoming candidate
	  SPA packets can be limited from the command line.  When this limit is
	  reached (any packet that contains application layer data and passes the
	  pcap filter is included in the count) then fwknopd exits.

2009-12-28  Damien Stuart <dstuart@dstuart.org>
	* Updated autoconf to look for local external executables like iptables,
	  ipfw, sendmail, mail, and sh in the PATH and set corresponding
	  definitions in config.h (only if the server is being built).
	* Added ability to set the path to the executables listed above via
	  "--with-xx=<path>" arguments to configure.  The arg will force the
	  given value whether it exists or not (though it will issue a warning
	  if the path does not exist).

2009-11-01  Michael Rash  <mbr@cipherdyne.org>
	* (Legacy code) Applied patch from Jonathan Bennett to support the usage of
	  the http_proxy environmental variable for sending SPA packets through an
	  HTTP proxy.  The patch also adds support for specifying an HTTP proxy
	  user and password via the following syntax:
	     'http://username:password@proxy.com:port' or
	     'http://username:password@proxy.com'
	* (Legacy code) Bug fix to allow the --rand-port argument to function along
	  without an inappropriate check for the --Server-port arg.

2009-10-27  Michael Rash  <mbr@cipherdyne.org>
	* Added --http-proxy argument to the fwknop C client so that SPA packets
	  can be sent through HTTP proxies.
	* (Legacy code) Changed HTTP proxy handling to point an SPA packet to
	  an HTTP proxy with -D specifying the end point host and --HTTP-proxy
	  pointing to the proxy host.  This fix was suggested by Jonathan Bennett.

2009-08-02  Damien Stuart <dstuart@dstuart.org>
	* Tweaks to digest code - added SHA384 and SHA512 to supported digests.
	* Updated autoconf files to account for new headers and types recently added.
	* Bumped libfko version to 0.63 and perl FKO module version to 0.23.

2009-07-26  Michael Rash  <mbr@cipherdyne.org>
	* Implemented -s command line argument on the fwknop client command line
	  so that the IP "0.0.0.0" can be sent within an SPA packet.  The fwknopd
	  server can wrap access requirements around this IP.
	* Initial public release of fwknop-c-0.62.

2009-07-23  Michael Rash  <mbr@cipherdyne.org>
	* Added the --show-last and --no-save command line options to show the
	  command line used for the previous fwknop invocation, and to have the
	  fwknop client not save its command line arguments.
	* Bug fix to force libfko to recalculate the random data embedded in the
	  SPA packet after a random port is acquired via --rand-port or
	  --nat-rand-port.  This is a precaution so that an attacker cannot guess
	  some of the internal SPA data based on the destination port number.

2009-07-21  Michael Rash  <mbr@cipherdyne.org>
	* Got forward and local NAT modes working with the --nat-access,
	  --nat-local, --nat-port, and --nat-randport options.  All NAT modes
	  are now passing the fwknop test suite.
	* Added the --server-command option to build an SPA packet with a command
	  for the server to execute.
	* Added the --fw-timeout option for client side timeouts to be specified.
	* Added the --time-offset-plus and --time-offset-minus options to allow
	  the user to influence the timestamp associated with an SPA packet.
	* Added the --rand-port option so that the SPA packet destination port can
	  be randomized.

2009-07-16  Michael Rash  <mbr@cipherdyne.org>
	* Added the ability to send SPA packets over valid HTTP requests with
	  the fwknop-c client.
	* Added support for transmitting SPA packets over IPv6 via TCP and UDP
	  sockets, and also via HTTP.
	* Added GnuPG 'hQ' base64 encoded prefix handling (this prefix is
	  stripped out of encrypted SPA packet data).
	* Added hostname resolution support to the fwknop-c client if the SPA
	  server is specified as a hostname instead of an IP address.

2008-05-24  Damien Stuart  <dstuart@dstuart.org>
	* Added win32 directory with Visual Studio 2008 solution and project files
	  for building on the Windows platform.

2008-12-21  Damien Stuart  <dstuart@dstuart.org>

	Build 0.0.0 alpha

	* autogen.sh: created.
	* autoconf/automake: Initial configuration created.

 Copyright 2009, Damien Stuart

 This file is free software; as a special exception the author gives
 unlimited permission to copy and/or distribute it, with or without
 modifications, as long as this notice is preserved.

 This file is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
 implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.