fwknop-2.6.11 (12/09/2019):

- [server] (Amin Massad) Fixed two bugs in PF handling code - one for
  indefinitely repeating error messages "Did not find expire comment in
  rules list 0" in rule deletion code, and the second where min_exp was
  not computed correctly for min_exp equal to zero. See github issue mrash#295.
- [server] Add ALLOW_ANY_USER_AGENT for ENABLE_SPA_OVER_HTTP mode so that
  fwknopd will accept any User-Agent string coming from the client. By
  default this is disabled, so only SPA packets with a User-Agent string
  that begins with 'Fwknop' will be accepted. Just set this variable to
  'Y' to override this. Then, on the fwknop client command line, use the
  --user-agent option to specify any desired User-Agent string. This
  feature was added to close issue mrash#296 reported by github user
  @fishcreek.

fwknop-2.6.10 (08/06/2018):

    - [server] Add MAX_FW_TIMEOUT to access.conf stanzas to allow a maximum
      number of seconds for client-specified timeouts in SPA packets. This
      fixes issue mrash#226 which was spotted by Jeremiah Rothschild.
    - [server] Bug fix in CMD_EXEC mode to make sure to call exit() upon any
      error from execvpe(). Without this fix, additional fwknopd processes
      would be started upon a user specifying a command without the necessary
      permissions. This bug was reported by Stephen Isard.
    - [build] Jérémie Courrèges-Anglas and Ingo Feinerer contributed a patch
      to fix endian detection on OpenBSD systems based on information
      contained here: https://www.opengroup.org/austin/docs/austin_514.txt
    - [client/server] (Michael Stair) Added client and server infrastructure
      written in Erlang. See the erlang/ directory.

fwknop-2.6.9 release

fwknop-2.6.9 (06/08/2016):
    - (Jonathan Bennett) Added support for the SHA3 "Keccak" algorithm
      (specifically SHA3_256 and SHA3_512) for SPA HMAC and digest checking.
      Enabling SHA3 from the fwknop client command line is done with the '-m'
      option for the embedded SPA digest, or with the --hmac-digest-type
      argument for the HMAC. On the server side, SHA3_256 or SHA3_512 can be
      required for incoming SPA packet HMAC'c via the HMAC_DIGEST_TYPE
      configuration variable in access.conf stanzas. The SHA3 implementation
      is from, Keyak and Ketje Teams, namely, Guido Bertoni, Joan Daemen,
      Michael Peeters, Gilles Van Assche and Ronny Van Keer - see:
      http://keyak.noekeon.org/
    - (Damien Stuart) Added support for libnetfilter_queue so that fwknopd can
      acquire SPA packets via the NFQ target. This feature is enabled with a
      new command line switch '--enable-nfq-capture' for the configure script,
      and libpcap is not required in this mode. In support of capturing SPA
      packets via the NFQ target, new configuration variables have been added
      to the fwknopd.conf file: ENABLE_NFQ_CAPTURE, NFQ_INTERFACE, NFQ_PORT,
      NFQ_TABLE, NFQ_CHAIN, NFQ_QUEUE_NUMBER, and NFQ_LOOP_SLEEP.
    - (Vlad Glagolev) Added support for deriving the source IP from the
      X-Forwarded-For HTTP header when SPA packets are sent over HTTP
      connections.
    - Bug fix in command open/close cycle feature to ensure that the first
      successful match on a valid incoming SPA packet finishes all access.conf
      stanza processing. That is, no other stanzas should be looked at after
      the first match, and this is consistent with other SPA modes (such as
      basic access requests). This bug was reported by Jonathan Bennett.
    - (Jonathan Bennett) Various fixes and enhancements to the test suite to
      extend code coverage to new code, ensure valgrind bytes lost detection
      works for amount of memory less than 10 bytes, better timing strategy
      for fwknop client/server interactions, and more.

 - (Jonathan Bennett) Added support for the SHA3 "Keccak" algorithm

      (specifically SHA3_256 and SHA3_512) for SPA HMAC and digest checking.
      Enabling SHA3 from the fwknop client command line is done with the '-m'
      option for the embedded SPA digest, or with the --hmac-digest-type
      argument for the HMAC. On the server side, SHA3_256 or SHA3_512 can be
      required for incoming SPA packet HMAC'c via the HMAC_DIGEST_TYPE
      configuration variable in access.conf stanzas. The SHA3 implementation
      is from, Keyak and Ketje Teams, namely, Guido Bertoni, Joan Daemen,
      Michael Peeters, Gilles Van Assche and Ronny Van Keer - see:
      http://keyak.noekeon.org/
    - (Vlad Glagolev) Added support for deriving the source IP from the
      X-Forwarded-For HTTP header when SPA packets are sent over HTTP
      connections.
    - Bug fix in command open/close cycle feature to ensure that the first
      successful match on a valid incoming SPA packet finishes all access.conf
      stanza processing. That is, no other stanzas should be looked at after
      the first match, and this is consistent with other SPA modes (such as
      basic access requests). This bug was reported by Jonathan Bennett.
    - (Jonathan Bennett) Various fixes and enhancements to the test suite to
      extend code coverage to new code, ensure valgrind bytes lost detection
      works for amount of memory less than 10 bytes, better timing strategy
      for fwknop client/server interactions, and more.

fwknop-2.6.8 (12/23/2015):

    - [server] Added a major new feature that allows fwknopd to easily
      integrate with third-party devices and software. This done through the
      addition of a generic "command open" and "command close" capability, and
      a set of variable substitutions are supported such as '$SRC', '$PORT',
      and '$PROTO'. This feature is designed to allow the user to switch out
      the default firewall - iptables, firewalld, ipfw, or PF - for something
      complete different. For example, here is a write-up on using this feature
      to integrate SPA operations with ipset:

        https://cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html

    - [server] (Jonathan Bennett) Added new access.conf directives
      '%include <file>' and '%include_folder <directory>'. This allows more
      access stanzas to be defined in other locations in the filesystem, and
      this can be adventageous in some scenarios by letting non-privledged
      users define their own encryption and authentication keys for SPA
      operations. This way, users do not need write access to the main
      /etc/fwknop/access.conf file to change keys around or define new ones.
    - [server] Bug fix to not send the TCP server a TERM signal even when it is
      not running when fwknopd receives a HUP signal.
    - [libfko] Bug fix for a crash that could be triggered in
      fko_set_username() when a username that is 64 chars or longer is
      specified. This crash cannot be triggered in fwknopd even if an SPA
      packet contains such a username however due to additional protections in
      the SPA decoding routines. Further, this bug does not apply to the main
      fwknop client either because the maximal username size is truncated down
      below 64 bytes. Hence, this bug only applies to client-side software that
      is directly using libfko calling the fko_set_username() function.
    - [test suite] Code coverage is now at 90.7% counted by lines. The complete
      coverage report for the 2.6.8 release is available here:

        https://www.cipherdyne.org/fwknop/lcov-results/

tagged fwknop-2.6.7 release

tagged fwknop-2.6.7-pre1

tagged fwknop-2.6.6

duplicate 2.6.5 tag to make github tarball downloads work properly

duplicate 2.6.4 tag to make github tarball downloads work properly