
List:       fwknop-discuss
Subject:    [Fwknop-discuss] fwknop-2.0.2 released
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2012-08-18 19:36:12
Message-ID: 20120818193612.GA7744 () cipherdyne ! org

Hi all,

fwknop-2.0.2 has been released:

http://www.cipherdyne.org/fwknop/download/

There are a couple of new features and a few bug fixes - here is the
ChangeLog and please let me know if there are any issues:

    - [server] For GPG mode, added a new access.conf variable
      "GPG_ALLOW_NO_PW" to make it possible to leverage a server-side GPG key
      pair that has no associated password.  This comes in handy when a system
      requires the user to leverage gpg-agent / pinentry which can present a
      problem in automated environments as required by the fwknopd server.
      Now, it might seem like a problem to remove the passphrase from a GPG
      key pair, but it's important to note that simply doing this is little
      worse than storing the passphrase in the clear on disk anyway in the
      access.conf file.  Further, this link helps provide additional detail:

      http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

    - [client] In IP resolution mode (-R) changed HTTP connection type to
      'close' since there is no need for connection persistence, and indeed the
      client expects to just get the IP and the connection to be closed.
      Jonathan Schulz submitted a patch for this.
    - [client] Bug fix to ensure that all data is read via recv() from a
      remote webserver in IP resolution mode (-R).  Previously IP resolution
      could fail if HTTP headers were transferred separately from the data
      (for whatever reason).  Jonathan Schulz submitted a patch for this.
    - [client] Added backup check against a cipherdyne.com 'myip' cgi instance
      in -R mode if the normal check against cipherdyne.org fails.
    - [server] Bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT
      functionality.  These are enabled by default, and now iptables rules
      added by fwknopd can be made persistent by setting these variables to
      "N" in the fwknopd.conf file (this is not a recommended setting
      however).
    - [server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw
      firewalls to emulate the corresponding functionality that is implemented
      for iptables firewalls.  This was suggested by Jonathan Schulz.
    - [server] Replay attack bug fix to ensure that an attacker cannot force a
      replay attack by intercepting an SPA packet and then replaying it with the
      base64 version of "Salted__" (for Rijndael) or the "hQ" prefix (for
      GnuPG).  This is an important fix.  The following comment was added into
      the fwknopd code:

      /* Ignore any SPA packets that contain the Rijndael or GnuPG prefixes
       * since an attacker might have tacked them on to a previously seen
       * SPA packet in an attempt to get past the replay check.  And, we're
       * no worse off since a legitimate SPA packet that happens to include
       * a prefix after the outer one is stripped off won't decrypt properly
       * anyway because libfko would not add a new one.
      */

    - [server] Fixed a memory leak bug in the replay attack detection code.
      The leak was found with the test suite in --enable-valgrind mode, and
      here is the valgrind trace that exposed it:

      44 bytes in 1 blocks are definitely lost in loss record 2 of 2
         at 0x482BE68: malloc (in
         /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
         by 0x490EA50: strdup (strdup.c:43)
         by 0x10CD69: incoming_spa (incoming_spa.c:162)
         by 0x10E000: process_packet (process_packet.c:200)
         by 0x4862E63: ??? (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
         by 0x4865667: pcap_dispatch (in /usr/lib/i386-linux-gnu/libpcap.so.1.1.1)
         by 0x10DABF: pcap_capture (pcap_capture.c:226)
         by 0x10A798: main (fwknopd.c:299)

    - [test suite] Added GPG tests for keyrings that have no associated
      passphrases.
    - [server] Implemented a new check to ensure that the iptables 'comment'
      match exists to ensure the proper environment for fwknopd operations.
      This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
      and was suggested by Hank Leininger.
    - [server] 'make install' fix to ensure restrictive permissions on the
      /etc/fwknop/ directory and /etc/fwknop/* files.  Also updated the 'make
      install' step to not overwrite any existing config files in /etc/fwknop/
      and instead install new copies from the source tree at
      /etc/fwknop/fwknopd.conf.inst and /etc/fwknop/access.conf.inst.
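The replay-check item above can be illustrated with a small model of the 2.0.2 behaviour. This is an added example, not fwknopd's or libfko's code: it assumes the server strips one outer prefix (the first ten base64 characters of "Salted__", or "hQ" for GnuPG), rejects a packet whose body still begins with a prefix, and only then consults a digest cache of previously seen packets (FNV-1a stands in for the real digest).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed constants: base64 of "Salted__" (ten fixed leading chars) and the
 * GnuPG armored-packet prefix named in the ChangeLog. */
#define B64_RIJNDAEL_SALT "U2FsdGVkX1"
#define GPG_PREFIX        "hQ"
#define CACHE_SIZE        64

/* Digests of packets already accepted (a stand-in for fwknopd's replay cache). */
static uint64_t replay_cache[CACHE_SIZE];
static int cache_count;

/* Return the length of a known prefix at the start of pkt, or 0 if there is none. */
static size_t prefix_len(const char *pkt)
{
    if (strncmp(pkt, B64_RIJNDAEL_SALT, strlen(B64_RIJNDAEL_SALT)) == 0)
        return strlen(B64_RIJNDAEL_SALT);
    if (strncmp(pkt, GPG_PREFIX, strlen(GPG_PREFIX)) == 0)
        return strlen(GPG_PREFIX);
    return 0;
}

/* FNV-1a over the stripped body; a placeholder for the real SPA digest. */
static uint64_t digest(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* 0 = accept, 1 = replay (digest already seen),
 * 2 = a second prefix remains after stripping the outer one: dropped before
 *     the cache is consulted, so a re-prefixed copy of a seen packet cannot
 *     produce a fresh digest and slip past the replay check. */
int check_spa_packet(const char *pkt)
{
    const char *body = pkt + prefix_len(pkt);   /* strip the outer prefix */
    if (prefix_len(body) != 0)
        return 2;
    uint64_t d = digest(body);
    for (int i = 0; i < cache_count; i++)
        if (replay_cache[i] == d)
            return 1;
    if (cache_count < CACHE_SIZE)
        replay_cache[cache_count++] = d;
    return 0;
}
```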

Thanks,

--Mike

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss