root/fwknop/tags/fwknop-1.9.2/ChangeLog.svn

------------------------------------------------------------------------
r1029 | mbr | 2008-03-12 08:05:04 -0400 (Wed, 12 Mar 2008) | 1 line
Changed paths:
   A /fwknop/branches/fwknop-1.9.2 (from /fwknop/trunk:1028)

created fwknop-1.9.2 branch
------------------------------------------------------------------------
r1028 | mbr | 2008-03-12 07:55:44 -0400 (Wed, 12 Mar 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/packaging/fwknop.spec
   M /fwknop/trunk/test/fwknop_test.pl

bumped version to 1.9.2
------------------------------------------------------------------------
r1027 | mbr | 2008-03-12 07:54:14 -0400 (Wed, 12 Mar 2008) | 7 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/fwknop.conf
   M /fwknop/trunk/fwknopd
   A /fwknop/trunk/test/conf/blacklist_fwknop.conf
   M /fwknop/trunk/test/conf/default_fwknop.conf
   A /fwknop/trunk/test/conf/excluded_net_access.conf
   M /fwknop/trunk/test/conf/forward_chain_fwknop.conf
   A /fwknop/trunk/test/conf/forward_internal_ip_access.conf
   M /fwknop/trunk/test/conf/gpg_access.conf
   M /fwknop/trunk/test/conf/md5_fwknop.conf
   M /fwknop/trunk/test/conf/multi_source_access.conf
   M /fwknop/trunk/test/conf/no_loopback_ip_match_access.conf
   M /fwknop/trunk/test/conf/no_promisc_fwknop.conf
   M /fwknop/trunk/test/conf/output_access.conf
   M /fwknop/trunk/test/conf/output_chain_fwknop.conf
   M /fwknop/trunk/test/conf/pcap_file_fwknop.conf
   M /fwknop/trunk/test/conf/sha1_fwknop.conf
   M /fwknop/trunk/test/conf/sha256_fwknop.conf
   M /fwknop/trunk/test/conf/spa_aging_fwknop.conf
   M /fwknop/trunk/test/fwknop_test.pl

- Added more granular source IP and allowed IP tests so that access to
particular internal IP addresses can be excluded in --Forward-access
mode.  A new keyword "INTERNAL_NET_ACCESS" is now parsed from the
access.conf file in order to implemented these restrictions.
- (SPAPICT Group) Added BLACKLIST functionality to allow source IP
addresses to easily be excluded from the authentication process.

------------------------------------------------------------------------
r1026 | mbr | 2008-03-02 02:40:01 -0500 (Sun, 02 Mar 2008) | 10 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd

- Crypt::CBC adds the string "Salted__" to the beginning of the encrypted
text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop
client was updated to delete the encoded version of this string
"U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire.
The fwknopd server will add this string back in before decrypting.  This
makes it harder to write an IDS signature that looks for fwknop traffic;
e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201,
which would work for fwknop clients < 1.9.2 (as long as the port number
is not changed with --Server-port).

------------------------------------------------------------------------
r1025 | mbr | 2008-03-01 23:22:49 -0500 (Sat, 01 Mar 2008) | 4 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/fwknop

- Updated the fwknop client to always call encode_base64() with the string
to encode along with a second null-string argument to force all encoded
data to not include line breaks.

------------------------------------------------------------------------
r1024 | mbr | 2008-03-01 22:14:55 -0500 (Sat, 01 Mar 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknop

minor SPA message format comment update
------------------------------------------------------------------------
r1023 | mbr | 2008-03-01 18:10:29 -0500 (Sat, 01 Mar 2008) | 1 line
Changed paths:
   M /fwknop/trunk/TODO

add Firefox SPA extension task (this was suggested by Sean at Shmoocon, 2008)
------------------------------------------------------------------------
r1022 | mbr | 2008-03-01 14:11:49 -0500 (Sat, 01 Mar 2008) | 1 line
Changed paths:
   M /fwknop/trunk/TODO

Added XML config task
------------------------------------------------------------------------
r1021 | mbr | 2008-03-01 13:54:32 -0500 (Sat, 01 Mar 2008) | 1 line
Changed paths:
   M /fwknop/trunk/ChangeLog

minor update for PPPoE interfaces
------------------------------------------------------------------------
r1019 | mbr | 2008-02-26 22:19:31 -0500 (Tue, 26 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

bumped version to 1.9.2-pre8
------------------------------------------------------------------------
r1018 | mbr | 2008-02-26 22:19:12 -0500 (Tue, 26 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/ChangeLog

1.9.2 addition
------------------------------------------------------------------------
r1017 | mbr | 2008-02-26 22:17:57 -0500 (Tue, 26 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/test/fwknop_test.pl

updated to include /proc/config.gz info since not all Netfilter hooks may be compiled in
------------------------------------------------------------------------
r1016 | mbr | 2008-02-26 22:15:14 -0500 (Tue, 26 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/CREDITS

additions for Dave and Sebastien
------------------------------------------------------------------------
r1015 | mbr | 2008-02-26 22:15:00 -0500 (Tue, 26 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknopd

updated to not die() if the local PREROUTING or FORWARD chains don't appear to exist
------------------------------------------------------------------------
r1014 | mbr | 2008-02-24 13:19:13 -0500 (Sun, 24 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/TODO

removed SHA1 task
------------------------------------------------------------------------
r1012 | mbr | 2008-02-24 13:14:45 -0500 (Sun, 24 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

1.9.2-pre7
------------------------------------------------------------------------
r1011 | mbr | 2008-02-24 13:13:33 -0500 (Sun, 24 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/test/conf/client_timeout_access.conf
   M /fwknop/trunk/test/conf/gpg_access.conf
   M /fwknop/trunk/test/conf/md5_fwknop.conf
   M /fwknop/trunk/test/conf/multi_source_access.conf
   M /fwknop/trunk/test/conf/no_loopback_ip_match_access.conf
   M /fwknop/trunk/test/conf/no_promisc_fwknop.conf
   M /fwknop/trunk/test/conf/output_access.conf
   M /fwknop/trunk/test/conf/output_chain_fwknop.conf
   M /fwknop/trunk/test/conf/sha1_fwknop.conf
   M /fwknop/trunk/test/conf/sha256_fwknop.conf
   M /fwknop/trunk/test/conf/spa_aging_fwknop.conf

added Id tag expansion
------------------------------------------------------------------------
r1010 | mbr | 2008-02-24 12:51:04 -0500 (Sun, 24 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/ChangeLog

minor 1.9.2 addition
------------------------------------------------------------------------
r1009 | mbr | 2008-02-24 12:50:36 -0500 (Sun, 24 Feb 2008) | 19 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   A /fwknop/trunk/Digest-SHA
   A /fwknop/trunk/Digest-SHA/Changes
   A /fwknop/trunk/Digest-SHA/MANIFEST
   A /fwknop/trunk/Digest-SHA/META.yml
   A /fwknop/trunk/Digest-SHA/Makefile.PL
   A /fwknop/trunk/Digest-SHA/README
   A /fwknop/trunk/Digest-SHA/SHA.pm
   A /fwknop/trunk/Digest-SHA/SHA.xs
   A /fwknop/trunk/Digest-SHA/VERSION
   A /fwknop/trunk/Digest-SHA/examples
   A /fwknop/trunk/Digest-SHA/examples/dups
   A /fwknop/trunk/Digest-SHA/shasum
   A /fwknop/trunk/Digest-SHA/src
   A /fwknop/trunk/Digest-SHA/src/hmac.c
   A /fwknop/trunk/Digest-SHA/src/hmac.h
   A /fwknop/trunk/Digest-SHA/src/hmacxtra.c
   A /fwknop/trunk/Digest-SHA/src/sha.c
   A /fwknop/trunk/Digest-SHA/src/sha.h
   A /fwknop/trunk/Digest-SHA/src/sha64bit.c
   A /fwknop/trunk/Digest-SHA/src/sha64bit.h
   A /fwknop/trunk/Digest-SHA/src/shaxtra.c
   A /fwknop/trunk/Digest-SHA/t
   A /fwknop/trunk/Digest-SHA/t/allfcns.t
   A /fwknop/trunk/Digest-SHA/t/base64.t
   A /fwknop/trunk/Digest-SHA/t/bitbuf.t
   A /fwknop/trunk/Digest-SHA/t/dumpload.t
   A /fwknop/trunk/Digest-SHA/t/fips198.t
   A /fwknop/trunk/Digest-SHA/t/gg.t
   A /fwknop/trunk/Digest-SHA/t/gglong.t
   A /fwknop/trunk/Digest-SHA/t/hmacsha.t
   A /fwknop/trunk/Digest-SHA/t/ireland.t
   A /fwknop/trunk/Digest-SHA/t/methods.t
   A /fwknop/trunk/Digest-SHA/t/nistbit.t
   A /fwknop/trunk/Digest-SHA/t/nistbyte.t
   A /fwknop/trunk/Digest-SHA/t/pod.t
   A /fwknop/trunk/Digest-SHA/t/podcover.t
   A /fwknop/trunk/Digest-SHA/t/rfc2202.t
   A /fwknop/trunk/Digest-SHA/t/sha1.t
   A /fwknop/trunk/Digest-SHA/t/sha224.t
   A /fwknop/trunk/Digest-SHA/t/sha256.t
   A /fwknop/trunk/Digest-SHA/t/sha384.t
   A /fwknop/trunk/Digest-SHA/t/sha512.t
   A /fwknop/trunk/Digest-SHA/t/woodbury.t
   A /fwknop/trunk/Digest-SHA/typemap
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknop.8
   M /fwknop/trunk/fwknop.conf
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/install.pl
   M /fwknop/trunk/test/conf/default_fwknop.conf
   M /fwknop/trunk/test/conf/forward_chain_fwknop.conf
   A /fwknop/trunk/test/conf/md5_fwknop.conf
   M /fwknop/trunk/test/conf/no_promisc_fwknop.conf
   M /fwknop/trunk/test/conf/output_chain_fwknop.conf
   M /fwknop/trunk/test/conf/pcap_file_fwknop.conf
   A /fwknop/trunk/test/conf/sha1_fwknop.conf
   A /fwknop/trunk/test/conf/sha256_fwknop.conf
   M /fwknop/trunk/test/conf/spa_aging_fwknop.conf
   M /fwknop/trunk/test/fwknop_test.pl

This is a major commit to add support for the usage of multiple digest
algorithm for replay attack detection and for message integrity.

- (SPAPICT Group) Submitted patches to include support for the SHA1 digest
algorithm for SPA packet replay attack detection.  I modified these
patches for maximum configurability (see the --digest-alg argument on
the fwknop command line), and the ability to use the SHA256 algorithm as
well.  The default path to the /var/log/fwknop/md5sums file has been
changed to /var/log/fwknop/digest.cache, and the default digest
algorithm is now SHA256 (but this is tunable via the DIGEST_TYPE
variable in the fwknop.conf file).
- Added the Digest::SHA perl module in support of the SHA1 and SHA256
digest algorithms for replay attack detection and SPA message integrity.
- (Test suite) Added several tests for configurable digest algorithms in
support for the SHA256, SHA1, and MD5 digest changes made by the SPAPICT
Group.
- Bugfix in install.pl to not test for the iptable command on non-Linux
systems, and to not test for the ipfw command on systems that are Linux.

------------------------------------------------------------------------
r1008 | mbr | 2008-02-24 09:18:28 -0500 (Sun, 24 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/CREDITS

spelling fix for one of the SPAPICT developers
------------------------------------------------------------------------
r1007 | mbr | 2008-02-23 01:03:16 -0500 (Sat, 23 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/CREDITS

added the SPAPICT team
------------------------------------------------------------------------
r1006 | mbr | 2008-02-17 01:03:27 -0500 (Sun, 17 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd

minor usage update
------------------------------------------------------------------------
r1004 | mbr | 2008-02-09 23:49:04 -0500 (Sat, 09 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

1.9.2-pre6
------------------------------------------------------------------------
r1003 | mbr | 2008-02-09 18:25:20 -0500 (Sat, 09 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknopd

updated to be slightly more general about stripping off the first four bytes of SPA packets over loopback on *BSD systems
------------------------------------------------------------------------
r1001 | mbr | 2008-02-02 18:22:10 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

version 1.9.2-pre5
------------------------------------------------------------------------
r1000 | mbr | 2008-02-02 18:21:40 -0500 (Sat, 02 Feb 2008) | 7 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/TODO
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   A /fwknop/trunk/test/conf/client_timeout_access.conf
   M /fwknop/trunk/test/fwknop_test.pl

- Applied modified version of the client-defined access timeout patches
submitted by the PICT SPA Group.  There are two new message types to
facilitate client timeouts; one for normal access mode, and the other 
for the FORWARD access mode.  In the access.conf file, there is also a
new variable "PERMIT_CLIENT_TIMEOUT" to allow each SOURCE stanza to 
allow client-defined timeouts or not.

------------------------------------------------------------------------
r999 | mbr | 2008-02-02 16:04:57 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/test/fwknop_test.pl

Added --debug flag to fwknop client command line
------------------------------------------------------------------------
r998 | mbr | 2008-02-02 15:18:19 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm

minor update to print knoptm line format
------------------------------------------------------------------------
r996 | mbr | 2008-02-02 14:22:23 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

version to 1.9.2-pre4
------------------------------------------------------------------------
r995 | mbr | 2008-02-02 14:22:06 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/CREDITS

added Grant Ferley
------------------------------------------------------------------------
r993 | mbr | 2008-02-02 14:16:53 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

1.9.2-pre3
------------------------------------------------------------------------
r992 | mbr | 2008-02-02 14:16:09 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/fwknop.h

increased max mail command size
------------------------------------------------------------------------
r991 | mbr | 2008-02-02 14:04:54 -0500 (Sat, 02 Feb 2008) | 5 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/fwknopd

- (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for
packet capture (e.g. rp-pppoe interfaces).
- Updated to use popen() for external command execution instead of system()
(in most places anyway).

------------------------------------------------------------------------
r990 | mbr | 2008-02-02 14:01:21 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/IPTables-ChainMgr/VERSION
   M /fwknop/trunk/IPTables-ChainMgr/lib/IPTables/ChainMgr.pm

bumped version to 0.6
------------------------------------------------------------------------
r989 | mbr | 2008-02-02 14:00:40 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/IPTables-ChainMgr/lib/IPTables/ChainMgr.pm

(Grant Ferley) applied patch to move to a fork() and exec() model for executing the iptables binary, and sigchld signals are now handled
------------------------------------------------------------------------
r988 | mbr | 2008-02-02 13:29:31 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/install.pl

minor bugfix to not print directory warnings if they already exist
------------------------------------------------------------------------
r987 | mbr | 2008-02-02 13:16:41 -0500 (Sat, 02 Feb 2008) | 1 line
Changed paths:
   M /fwknop/trunk/test/conf/output_chain_fwknop.conf
   M /fwknop/trunk/test/conf/pcap_file_fwknop.conf
   M /fwknop/trunk/test/conf/spa_aging_fwknop.conf

(test suite) bugfix to point FWKNOP_DIR to the local output/ directory
------------------------------------------------------------------------
r985 | mbr | 2008-01-27 20:45:46 -0500 (Sun, 27 Jan 2008) | 5 lines
Changed paths:
   M /fwknop/trunk/ChangeLog
   M /fwknop/trunk/VERSION
   M /fwknop/trunk/fwknop
   M /fwknop/trunk/fwknopd
   M /fwknop/trunk/knoptm
   M /fwknop/trunk/knopwatchd.c
   M /fwknop/trunk/test/fwknop_test.pl

- Added full packet hex dumps (including packet headers) to fwknopd in
--debug --verbose mode.  This is to help diagnose packet sniffing issues
over the loopback interface on Mac OS X (first reported by Sebastien
Jeanquier).

------------------------------------------------------------------------
r984 | mbr | 2008-01-26 21:19:44 -0500 (Sat, 26 Jan 2008) | 1 line
Changed paths:
   M /fwknop/trunk/packaging/fwknop.spec

merged -r 978:981 file:///home/mbr/svn/fwknop_repos/fwknop/branches/fwknop-1.9.1 to pick up fwknop.spec date change
------------------------------------------------------------------------