Release Notes: A double free bug in the libfko SPA parser discovered with a new Python SPA payload fuzzer was fixed.
Release Notes: When SPA packets are built with GnuPG, the fwknopd daemon now requires a valid GnuPG signature by default, and a new variable GPG_DISABLE_SIG was added for backwards compatibility (but using this is not a recommended configuration). A bug was fixed in fwknopd for a memory in SPA packet decryption when GnuPG is used. A new code coverage mode was added to the test suite to interface with the 'lcov' tool. Several other minor bugs were fixed.
Release Notes: This release adds HMAC support to the Android client, adds an AppArmor policy for the fwknop daemon, adds support for building on Mac OS X "Mavericks", and adds a new Valgrind test mode via the CPAN Test::Valgrind module. A few bugs were fixed with dealing with GnuPG encryption modes in the fwknopd daemon, and the fwknop project has a Coverity defect score of zero.
Release Notes: A bugfix in the fwknop client to reset terminal settings to orignal values after entering keys via stdin. A bugfix in the fwknopd daemon to not print a PID file existence warning. A test suite bugfix to not run an iptables Rijndael HMAC test on non-Linux systems.
Release Notes: This release added support for HMAC SHA-256 authenticated encryption in the encrypt-then-authenticate model. Many bugs discovered by the Coverity static analyzer were fixed. OpenSSL compatibility tests were added to the test suite. Client stanza saving ability was added for the ~/.fwknoprc file, simplifying fwknop client usage. The ability to automatically generate both Rijndael and HMAC keys with --key-gen was added.
Release Notes: On the server side, this release adds a chain_exists() check to SPA rule creation so that if any of the fwknop chains are deleted out from under fwknopd, they will be recreated on the fly. It adds new SPA packet fuzzing capability to the test suite to assist in validation of SPA operations. It adds upstart config for systems running the upstart daemon. An OpenBSD ndbm/gdbm usage bugfix. ICMP type/code client command line arguments have been added for when SPA packets are sent over ICMP.
Release Notes: Several DoS/code execution vulnerabilities for malicious fwknop clients that manage to get past the authentication stage (so such clients must possess a valid encryption key) have been fixed. Permissions and ownership checks have been added to all files consumed by the fwknop client and server. RPM builds have been fixed by including the $(DESTDIR) prefix for uninstall-local and install-exec-hook stages in Makefile.am.
Release Notes: Better handling of GnuPG for SPA packet decryption on the server side (accounts for no passphrase gpg keys when gpg-agent or pinentry are otherwise required). A bugfix in SPA packet replay detection code. A check for the existence of the iptables 'comment' match when the serve is deployed on Linux. Several other bugfixes.
Release Notes: This is the production release of the fwknop C rewrite. It brings Single Packet Authorization to three different Open Source firewalls (iptables, ipfw, and pf), embedded systems, and mobile devices. The fwknopd server runs on Linux, Mac OS X, FreeBSD, and OpenBSD. The client runs on all of these platforms as well as Android, the iPhone, and Cygwin under Windows. In addition, the client is portable, and can be compiled as a native Windows binary.
Release Notes: This release adds OpenBSD PF support, adds a new FORCE_NAT mode to transparently force authenticated connections to specified internal systems, adds a comprehensive test suite, and adds the ability to automatically expire SPA keys. Several memory handling bugfixes were made.