[prev in list] [next in list] [prev in thread] [next in thread]
List: fwknop-discuss
Subject: [Fwknop-discuss] fwknop-2.0.1 release
From: Michael Rash <michael.rash () gmail ! com>
Date: 2012-07-24 4:25:08
Message-ID: CAA9wn8kUiX1Kez-_F69=aRe75BRhmFy5E6=b3Jo13Z7v3Yr2Hg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi all,
fwknop-2.0.1 has been released:
http://www.cipherdyne.org/fwknop/download/
Here is the ChangeLog:
- [server] Bug fix where the same encryption key used for two stanzas i=
n
the access.conf file would result in access requests that matched the
second stanza to always be treated as a replay attack. This has been
fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland.
Now
the fwknopd server computes the SHA256 digest of raw incoming payload
data before decryption, and compares this against all previous hashes=
.
Previous to this commit, fwknopd would add a new hash to the replay
digest list right after the first access.conf stanza match, so when
SPA
packet data matched the second access.conf stanza a matching replay
digest would already be there.
- [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
microseconds). This was supposed to be the default anyway, but C
Anthony Risinger reported a bug where fwknopd was consuming more
resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
default to 1/100th of a second - this has been fixed.
- [libfko] Added SPA message validation calls to fko decoding routines
to
help ensure that SPA messages conform to expected values.
- Bug fix for PF firewalls: updated the PF anchor check to not rely on
listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
- [test suite] Added parsing of valgrind output to produce a listing of
functions that have been flagged - this assists in the development
process to ensure that fwknop is not leaking memory.
- [test suite] Bug fix on Mac OS X systems to account for libfko.dylib
path
instead of libfko.so. This fixes the existence check for libfko.
- [test suite] Added tests for --nat-local mode.
- [client] Fixed several minor memory leaks caught by valgrind.
- [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
=91edata_size=92 set but not used [-Wunused-but-set-variable].
- Updated fwknopd init script for Debian systems (contributed by
Joncourt).
Please let me know if there are any issues.
Thanks,
--Mike
[Attachment #5 (text/html)]
<br>Hi all,<br><br>fwknop-2.0.1 has been released:<br><br><a \
href="http://www.cipherdyne.org/fwknop/download/">http://www.cipherdyne.org/fwknop/download/</a><br><br>Here \
is the ChangeLog:<br><br> - [server] Bug fix where the same encryption key used \
for two stanzas in<br> the access.conf file would result in access requests that \
matched the<br> second stanza to always be treated as a replay attack. This has \
been<br> fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. \
Now<br> the fwknopd server computes the SHA256 digest of raw incoming payload<br> \
data before decryption, and compares this against all previous hashes.<br> \
Previous to this commit, fwknopd would add a new hash to the replay<br> digest list \
right after the first access.conf stanza match, so when SPA<br> packet data \
matched the second access.conf stanza a matching replay<br> digest would already \
be there.<br> - [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second \
(in<br> microseconds). This was supposed to be the default anyway, but C<br> \
Anthony Risinger reported a bug where fwknopd was consuming more<br> resources \
than necessary, and the cause was PCAP_LOOP_SLEEP set by<br> default to 1/100th of a \
second - this has been fixed.<br> - [libfko] Added SPA message validation calls to \
fko decoding routines to<br> help ensure that SPA messages conform to expected \
values.<br> - Bug fix for PF firewalls: updated the PF anchor check to not rely \
on<br> listing the PF policy - fwknopd now uses 'pfctl -s Anchor' \
instead.<br> - [test suite] Added parsing of valgrind output to produce a listing \
of<br> functions that have been flagged - this assists in the development<br> \
process to ensure that fwknop is not leaking memory.<br> - [test suite] Bug fix on \
Mac OS X systems to account for libfko.dylib path<br> instead of libfko.so. \
This fixes the existence check for libfko.<br> - [test suite] Added tests for \
--nat-local mode.<br>
- [client] Fixed several minor memory leaks caught by valgrind.<br> - [libfko] \
Minor gcc warning fix: fko_decode.c:43:17: warning: variable<br> ‘edata_size’ \
set but not used [-Wunused-but-set-variable].<br> - Updated fwknopd init script \
for Debian systems (contributed by<br>
Joncourt).<br><br>Please let me know if there are any \
issues.<br><br>Thanks,<br><br>--Mike<br>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic