Bug fix for --nat-rand-port mode to ensure that the port to be
NAT'd is properly defined so that the fwknopd server will NAT
connnections to this port instead of applying the NAT operation to the
port that is to be accessed via -A. This change also prints the
randomly assigned port to stdout regardless of whether --verbose mode is
used (since it not then the user will have no idea which port is
actually going to be NAT'd on the fwknopd side).
This is a fairly significant commit that lays the groundwork for getting
selectable HMAC modes working for both the client and server. One libfko API
change was required so that the hmac_type is passed into fko_new_with_data().
This allows the server to set the hmac_type via access.conf stanzas. The
effort in this commit will be extended to allow HMAC MD5, SHA1, and SHA512
also function properly.
The fko_wrapper.c code is designed to call libfko functions multiple times in
order to allow valgrind to test re-execution conditions. This ensures that
libfko code frees memory from previous calls before leaking memory.
This commit replaces a few additional atoi() calls with the strtol() wrapper
function, and also fixes a bug where access SOURCE IP/mask combinations would
not be accepted when the string length was a long as something like
'123.123.123.123/255.255.255.255'.
This commit fixes a minor memory leak for the digest cache file path in
--rotate-digest-cache mode in the replay_cache_init() function. The leak was
caught by valgrind, and a new test was added to the test suite for it. Here
is the valgrind warning:
==29021== 21 bytes in 1 blocks are definitely lost in loss record 2 of 2
==29021== at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29021== by 0x1103AA: replay_cache_init (replay_cache.c:96)
==29021== by 0x10BB8C: main (fwknopd.c:254)
In --enable-valgrind mode, this commit adds the ability to compare current test
result output with any previous test suite execution. Whenever valgrind flags
a new function or if an existing flagged function has a greater number of
calls, then the final valgrind test will fail. This allows a greater level of
valgrind validation to take place for new code in an automated fashion. For
example, if a change to a piece of code introduces a memory handling problem of
the sort that valgrind can detect, then the final test will fail like so:
# ./test-fwknop.pl --include "complete cycle.*HMAC" --enable-valgrind --test-limit 1
[+] Starting the fwknop test suite...
args: --include complete cycle.*HMAC --enable-valgrind --test-limit 1
Saved results from previous run to: output.last/
[Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)...pass (1)
[valgrind output] [flagged functions] ..............................fail (2)
[+] 1/1/2 tests passed/failed/executed
The newly flagged functions will be written to the corresponding test file:
# cat output/2.test
[+] TEST: [valgrind output] [flagged functions]~
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: main
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_spa_data_final
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: strdup
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_new
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encrypt_spa_data
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_encode_spa_data
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_calculate_hmac
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_username
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_rand_value
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: fko_set_spa_message
[-] 1.test (client) '[+] TEST: [Rijndael SPA] [client+server] complete cycle + HMAC (tcp/22 ssh)' --> NEW valgrind flagged function: set_digest
[-] 1.test New and/or greater number of valgrind flagged function calls
