| 1 | +Jonathan Bennett |
| 2 | + - Major contributor. |
| 3 | + - Contributed OpenWRT support - see the extras/openwrt/ directory. |
| 4 | + - Suggested the addition of the --key-gen option to fwknopd. |
| 5 | + - Contributed the console-qr.sh script (in extras/console-qr/) to create |
| 6 | + QR codes from fwknopd access.conf keys. |
| 7 | + - Wrote a new fwknop client for Android called "Fwknop2" - see: |
| 8 | + https://f-droid.org/repository/browse/?fdid=org.cipherdyne.fwknop2 |
| 9 | + - Developed the access.conf %include and %include_folder directives. |
| 10 | + - Developed a cross-platform UI for the fwknop client. This UI runs on |
| 11 | + Linux, Windows, and Mac OS X. |
| 12 | + |
| 13 | +Sebastien Jeanquier |
| 14 | + - Assisted with getting fwknop included in BackTrack Linux - the choice |
| 15 | + distro for pentration testers. |
| 16 | + |
| 17 | +Ozmart |
| 18 | + - Suggested the idea for setting an access stanza expiration time. |
| 19 | + - Suggested the abiliy to have certain incoming connections automatically |
| 20 | + NAT'd through to specific internal systems. The result was the FORCE_NAT |
| 21 | + mode. |
| 22 | + - Assisted with getting fwknop running under the Pentoo Linux distro. |
| 23 | + |
| 24 | +Max Kastanas |
| 25 | + - Contributed both an Android and an iPhone fwknop client port - see the |
| 26 | + top level android/ and iphone/ directories. |
| 27 | + |
| 28 | +Ted Wynnychenko |
| 29 | + - Helped test fwknop PF support on OpenBSD. |
| 30 | + |
| 31 | +Andy Rowland |
| 32 | + - Reported a bug where the same encryption key used for two stanzas in the |
| 33 | + access.conf file would result in access requests that matched the second |
| 34 | + stanza to always be treated as a replay attack. This has been fixed for |
| 35 | + the fwknop-2.0.1 release. |
| 36 | + |
| 37 | +C Anthony Risinger |
| 38 | + - Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a |
| 39 | + second instead of the intended default of 1/10th of a second. |
| 40 | + |
| 41 | +Franck Joncourt |
| 42 | + - fwknop Debian package maintainer. |
| 43 | + - Contributed a new Debian init script. |
| 44 | + - Contributed a patch to have the perl FKO module link against libfko in |
| 45 | + the local directory (if it exists) so that it doesn't have to have libfko |
| 46 | + completely installed in /usr/lib/. This allows the test suite to run FKO |
| 47 | + tests without installing libfko. |
| 48 | + - Contributed a patch to remove unnecessary chmod() call when creating |
| 49 | + client rc file and server replay cache file. The permissions are now set |
| 50 | + appropriately via open(), and at the same time this patch fixes a |
| 51 | + potential race condition since the previous code used fopen() followed by |
| 52 | + chmod(). |
| 53 | + - Contributed a patch to allow the fwknop client to be stopped with Ctrl-C |
| 54 | + before sending an SPA packet on the wire. |
| 55 | + - Contributed a patch to ensure that duplicate iptables rules are not |
| 56 | + created even for different SPA packets that arrive at the same time and |
| 57 | + request the same access. |
| 58 | + - Added support for resolving hostnames in various NAT modes (fixes issue |
| 59 | + #43 in github). |
| 60 | + - Bug fix in the client for resolving hostnames in '-P icmp' mode (fixes |
| 61 | + issue #64). |
| 62 | + - Added support for saving fwknop client command line arguments via a new |
| 63 | + option --save-rc-stanza. |
| 64 | + - Added log module support for the client. |
| 65 | + - Added the ability to read a passphrase from STDIN and also from a file |
| 66 | + descriptor via --fd (closes #74). |
| 67 | + - Added libfko unit tests via the CUnit framework. |
| 68 | + |
| 69 | +Jonathan Schulz |
| 70 | + - Submitted patches to change HTTP connection type to 'close' for -R mode |
| 71 | + in the client and fix a bug for recv() calls against returned HTTP data. |
| 72 | + |
| 73 | +Aldan Beaubien |
| 74 | + - Reported an issue with the Morpheus client sending SPA packets with NULL |
| 75 | + IP addresses, and code was added to fwknopd to better validate incoming |
| 76 | + SPA data as a result of this report. |
| 77 | + |
| 78 | +Geoff Carstairs |
| 79 | + - Suggested a way to redirect valid connection requests to a specific |
| 80 | + internal service via NAT, configurable by each stanza in access.conf. |
| 81 | + This allows for better access control for multple users requiring access |
| 82 | + to multiple internal systems, in a manner that is transparent to the |
| 83 | + user. The result was the FORCE_NAT mode. |
| 84 | + |
| 85 | +Hank Leininger |
| 86 | + - Contributed a patch to greatly extend libfko error code descriptions at |
| 87 | + various places in order to give much better information on what certain |
| 88 | + error conditions mean. Closes #98. |
| 89 | + - Suggested the ability to read a passphrase from STDIN and via a new --fd |
| 90 | + command line argument (github #74) to allow things like: |
| 91 | + $ gpg -d passphrasefile.pgp | fwknop -R -n myserver |
| 92 | + - For iptables firewalls, suggested a check for the 'comment' match to |
| 93 | + ensure the local environment will properly support fwknopd operations. |
| 94 | + The result is the new ENABLE_IPT_COMMENT_CHECK functionality. |
| 95 | + |
| 96 | +Fernando Arnaboldi (IOActive) |
| 97 | + - Found important buffer overflow conditions for authenticated SPA clients |
| 98 | + in the fwknopd server (pre-2.0.3). These findings enabled fixes to be |
| 99 | + developed along with a new fuzzing capability in the test suite. |
| 100 | + - Found a condition in which an overly long IP from malicious authenticated |
| 101 | + clients is not properly validated by the fwknopd server (pre-2.0.3). |
| 102 | + - Found a local buffer overflow in --last processing with a maliciously |
| 103 | + constructed ~/.fwknop.run file. This has been fixed with proper |
| 104 | + validation of .fwknop.run arguments. |
| 105 | + - Found several conditions in which the server did not properly throw out |
| 106 | + maliciously constructed variables in the access.conf file. This has been |
| 107 | + fixed along with new fuzzing tests in the test suite. |
| 108 | + |
| 109 | +Vlad Glagolev |
| 110 | + - Submitted a patch to fix ndbm/gdbm usage when --disable-file-cache is |
| 111 | + used for the autoconf configure script. This functionality was broken in |
| 112 | + be4193d734850fe60f14a26b547525ea0b9ce1e9 through improper handling of |
| 113 | + #define macros from --disable-file-cache. |
| 114 | + - Submitted a patch to fix command exec mode under SPA message type |
| 115 | + validity test. Support for command exec mode was also added to the test |
| 116 | + suite. |
| 117 | + - Submitted an OpenBSD port for fwknop-2.0.3, and this has been checked in |
| 118 | + under extras/openbsd/. |
| 119 | + - Added client timeouts for open/close command cycles for fwknop-2.6.8. |
| 120 | + |
| 121 | +Sean Greven |
| 122 | + - Created a port of fwknop for FreeBSD: |
| 123 | + http://portsmon.freebsd.org/portoverview.py?category=security&portname=fwknop |
| 124 | + |
| 125 | +Michael T. Dean |
| 126 | + - Reported the Rijndael key truncation issue for user-supplied keys |
| 127 | + (passphrases) greater than 16 bytes long. |
| 128 | + |
| 129 | +George Herlin |
| 130 | + - Proposed a verification approach to test suite operations, and the result |
| 131 | + was implemented in a61939c005e2b09d6800e2171f607c9d1948f022. This makes |
| 132 | + test suite operate equivalently regardless of whether valgrind is used or |
| 133 | + whether fwknop is being tested on an embedded system with very limited |
| 134 | + resources. |
| 135 | + |
| 136 | +Ruhsam Bernhard |
| 137 | + - Reported an issue where the message size test would result in long |
| 138 | + command mode SPA packets not decrypting properly because only GPG decrypt |
| 139 | + attempts were made. This issue was fixed in |
| 140 | + 7e784df3870373f055a2f0f8d818829501bcb1c0. |
| 141 | + |
| 142 | +Shawn Wilson |
| 143 | + - Added better SPA source IP logging for various fwknopd logging messages. |
| 144 | + This helps to make it more clear why certain SPA packets are rejected |
| 145 | + from some systems. |
| 146 | + |
| 147 | +Dan Lauber |
| 148 | + - Suggested a check for fwknopd to ensure that the jump rule on systems |
| 149 | + running iptables is not duplicated if it already exists. |
| 150 | + |
| 151 | +Ryman |
| 152 | + - Reported a timing attack bug in the HMAC comparison operation (#85) and |
| 153 | + suggested a fix derived from yaSSL: |
| 154 | + http://www.mail-archive.com/ [email protected]/msg320402.html |
| 155 | + |
| 156 | +Blair Zajac |
| 157 | + - MacPorts fwknop package maintainer for Mac OS X systems. |
| 158 | + - Contributed patches to handle endian issues on PPC systems. |
| 159 | + - Reported an issue where strndup() is not available on some PPC systems |
| 160 | + and the fix is to use the local lib/fko_util.c implementation similarly |
| 161 | + to Windows builds. |
| 162 | + - Suggested throwing an error in '-M legacy' mode to warn users about the |
| 163 | + inability of older fwknopd daemons to handle Rijndael keys > 16 bytes. |
| 164 | + Any release after and including 2.5 does not have this limitation. |
| 165 | + |
| 166 | +Radostan Riedel |
| 167 | + - Contributed an AppArmor policy that is known to work on Debian and Ubuntu |
| 168 | + systems. The policy file is available in extras/apparmor. |
| 169 | + |
| 170 | +Les Aker |
| 171 | + - Reported an issue with Arch Linux that resulted in fwknopd hanging for a |
| 172 | + pcap_dispatch() packet count of zero when using libpcap-1.5.1. This |
| 173 | + issue was tracked on github as issue #110, and the default packet count |
| 174 | + is now set at 100 as a result. |
| 175 | + |
| 176 | +Marek Wrzosek |
| 177 | + - Suggested doc update to fwknop man pages to accurately describe the usage |
| 178 | + of digits instead of bytes for SPA random data. About 53 bits of entropy |
| 179 | + are actually used, although this is in addition to the 64-bit random salt |
| 180 | + in for key derivation used by PBKDF1 in Rjindael CBC mode. |
| 181 | + - Various excellent feedback on crypto design, including the need to remove |
| 182 | + the GPG_IGNORE_SIG_VERIFY_ERROR mode. |
| 183 | + |
| 184 | +Gerry Reno |
| 185 | + - Updated the Android client to be compatible with Android-4.4. |
| 186 | + - Provided guidance on Android client issues along with testing candidate |
| 187 | + patches to update various things - this work is being tracked in the |
| 188 | + android4.4_support branch. |
| 189 | + - Implemented support for firewalld in the fwknopd daemon running on RHEL 7 |
| 190 | + and CentOS 7 systems. This is a major addition to handle yet another |
| 191 | + firewall architecture. |
| 192 | + |
| 193 | +Tim Heckman |
| 194 | + - Homebrew fwknop package maintainer for Mac OS X systems. |
| 195 | + - Suggested that fwknop support nftables when it is integrated into the |
| 196 | + mainline Linux kernel. |
| 197 | + |
| 198 | +Barry Allard |
| 199 | + - Reported bug in PF support on FreeBSD systems where ALTQ is not available |
| 200 | + would cause new PF rules to not be added (github issue #121). |
| 201 | + - Suggested the abiliy to specify the HTTP User-Agent when wget is used to |
| 202 | + resolve the external IP via SSL (github issue #134). |
| 203 | + |
| 204 | +Bill Stubbs |
| 205 | + - Submitted a patch to fix a bug where fwknopd could not handle Ethernet |
| 206 | + frames that include the Frame Check Sequence (FCS) header. This header is |
| 207 | + four bytes long, and is placed at the end of each Ethernet frame. |
| 208 | + Normally the FCS header is not visible to libpcap, but some card/driver |
| 209 | + combinations result in it being included. Bill noticed this on the |
| 210 | + following platform: |
| 211 | + BeagleBone Black rev C running 3.8.13-bone50 #1 SMP Tue May 13 |
| 212 | + 13:24:52 UTC 2014 armv7l GNU/Linux |
| 213 | + |
| 214 | +Grant Pannell |
| 215 | + - Submitted a patch to add a new access.conf variable "DESTINATION" in |
| 216 | + order to define the destination address for which an SPA packet will be |
| 217 | + accepted. The string "ANY" is also accepted if a valid SPA packet should |
| 218 | + be honored to any destination IP. Similarly to the "SOURCE" variable, |
| 219 | + networks should be specified in CIDR notation (e.g. "192.168.10.0/24"), |
| 220 | + and individual IP addresses can be specified as well. Also, multiple IP's |
| 221 | + and/or networks can be defined as a comma separated list (e.g. |
| 222 | + "192.168.10.0/24,10.1.1.123"). |
| 223 | + |
| 224 | +Alexander Kozhevnikov |
| 225 | + - Reported a bug when fwknop is compiled with --enable-udp-server where |
| 226 | + the server was including pcap.h |
| 227 | + |
| 228 | +Dan Brooks |
| 229 | + - Contributed a patch for the Android client app to add the definition of |
| 230 | + custom server udp port. This is similar to the --server-port argument |
| 231 | + offered by the main fwknop client. |
| 232 | + |
| 233 | +Github user 'sgh7': |
| 234 | + - Contributed a patch to have fwknopd exit if the interface it is sniffing |
| 235 | + on goes down. If this happens, it is expected that the native process |
| 236 | + monitoring feature in things like systemd or upstart will restart |
| 237 | + fwknopd. |
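Review bot: several spelling errors are being committed in the credit text and should be fixed before merge: "pentration testers" under Sebastien Jeanquier, "abiliy" under both Ozmart and Barry Allard, "multple users" under Geoff Carstairs, and "Rjindael CBC mode" under Marek Wrzosek, where "the 64-bit random salt in for key derivation" also reads as "the 64-bit random salt used for key derivation". The yaSSL reference under Ryman is a dead link as written, "http://www.mail-archive.com/ [email protected]/msg320402.html": the mailing-list address has been replaced by a placeholder and a stray space, so the source of the constant-time HMAC comparison fix for #85 cannot be traced from this file; restore the real list address. Minor style point: the "Github user 'sgh7':" header ends with a colon while every other contributor header does not.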