From: Michael Rash <mbr@ci...> - 2008-03-13 14:00:44
Hi all -
fwknop-1.9.2 is available for download:
Here is the ChangeLog:
- Crypt::CBC adds the string "Salted__" to the beginning of the encrypted
text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop
client was updated to delete the encoded version of this string
"U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire.
The fwknopd server will add this string back in before decrypting. This
makes it harder to write an IDS signature that looks for fwknop traffic;
e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201,
which would work for fwknop clients < 1.9.2 (as long as the port number
is not changed with --Server-port).
- Added more granular source IP and allowed IP tests so that access to
particular internal IP addresses can be excluded in --Forward-access
mode. A new keyword "INTERNAL_NET_ACCESS" is now parsed from the
access.conf file in order to implement these restrictions.
- (SPAPICT Group) Added BLACKLIST functionality to allow source IP
addresses to easily be excluded from the authentication process.
- (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr.
- (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for
packet capture (e.g. PPPoE interfaces).
- (SPAPICT Group) Applied modified version of the client-defined access
timeout patches submitted by the PICT SPA Group. There are two new
message types to facilitate client timeouts; one for normal access mode,
and the other for the FORWARD access mode. In the access.conf file,
there is also a new variable "PERMIT_CLIENT_TIMEOUT" to allow each
SOURCE stanza to allow client-defined timeouts or not.
- (SPAPICT Group) Submitted patches to include support for the SHA1 digest
algorithm for SPA packet replay attack detection. I modified these
patches for maximum configurability (see the --digest-alg argument on
the fwknop command line), and the ability to use the SHA256 algorithm as
well. The default path to the /var/log/fwknop/md5sums file has been
changed to /var/log/fwknop/digest.cache, and the default digest
algorithm is now SHA256 (but this is tunable via the DIGEST_TYPE
variable in the fwknop.conf file).
- Added the Digest::SHA perl module in support of the SHA1 and SHA256
digest algorithms for replay attack detection and SPA message integrity.
- Added full packet hex dumps (including packet headers) to fwknopd in
--debug --verbose mode. This is to help diagnose packet sniffing issues
over the loopback interface on Mac OS X (first reported by Sebastien
- (Test suite) Bugfix to ensure that the FWKNOP_DIR variable is set to the
local output/ directory in several of the test config files in the
- (Test suite) Added several tests for configurable digest algorithms in
support for the SHA256, SHA1, and MD5 digest changes made by the SPAPICT
- Updated the fwknop client to always call encode_base64() with the string
to encode along with a second null-string argument to force all encoded
data to not include line breaks.
- Bugfix in install.pl to not test for the iptable command on non-Linux
systems, and to not test for the ipfw command on systems that are Linux.
- (Test suite) Updated to include the /proc/config.gz file so that the
kernel config can be reviewed (not all Netfilter hooks are necessarily
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
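The first ChangeLog item above, worked through as an added example (this is not fwknop's own code): a Crypt::CBC blob starts with the 8-byte magic "Salted__" plus an 8-byte salt, so its base64 form always begins with the fixed 10 characters "U2FsdGVkX1"; the snippet shows why a prefix match on those characters identifies pre-1.9.2 client traffic, how the 1.9.2 client strips the prefix, and how the server puts it back before decrypting. The salt and ciphertext bytes are constructed stand-ins.

```python
import base64

# Crypt::CBC (OpenSSL-style) layout: b"Salted__" + 8-byte salt + ciphertext.
SALT_MAGIC = b"Salted__"
# base64("Salted__") == "U2FsdGVkX18="; the first 10 characters depend only on
# the magic, so every encoded blob starts with them regardless of the salt.
ENCODED_PREFIX = "U2FsdGVkX1"


def encode_spa_payload(blob: bytes, strip_prefix: bool) -> str:
    """Client side: base64 the blob; with strip_prefix=True (client >= 1.9.2)
    drop the constant prefix before the packet goes on the wire.
    Like encode_base64($data, '') in the ChangeLog, no line breaks are
    inserted (Python's b64encode never inserts them)."""
    if not blob.startswith(SALT_MAGIC):
        raise ValueError("blob does not carry the Salted__ header")
    encoded = base64.b64encode(blob).decode("ascii")
    return encoded[len(ENCODED_PREFIX):] if strip_prefix else encoded


def restore_spa_payload(wire_data: str) -> bytes:
    """Server side (1.9.2 behaviour): re-add the prefix the client removed,
    then decode to recover the Salted__ blob handed to the decryptor."""
    blob = base64.b64decode(ENCODED_PREFIX + wire_data)
    if not blob.startswith(SALT_MAGIC):
        raise ValueError("restored data is not a Salted__ blob")
    return blob


def matches_old_client_signature(wire_data: str) -> bool:
    """The naive IDS check the ChangeLog describes: a fixed-prefix match that
    fires on clients < 1.9.2 but not on the stripped 1.9.2 format."""
    return wire_data.startswith(ENCODED_PREFIX)


def demo() -> tuple:
    """Constructed sample: fixed salt and zero bytes standing in for the
    Rijndael output, so the values are reproducible."""
    salt = bytes.fromhex("0011223344556677")      # constructed, not a real salt
    blob = SALT_MAGIC + salt + b"\x00" * 32       # stand-in ciphertext
    old_wire = encode_spa_payload(blob, strip_prefix=False)
    new_wire = encode_spa_payload(blob, strip_prefix=True)
    round_trip_ok = restore_spa_payload(new_wire) == blob
    return old_wire, new_wire, round_trip_ok
```

Because the 11th base64 character carries the low four bits of the final "_" (all ones) plus two salt bits, it is always one of "8", "9", "+" or "/", so the stripped payload never accidentally starts with "U".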