Within the access loop always call fko_destroy() right up front whenever
ctx != NULL to ensure a clean slate each time through the loop regardless of
what state may have been reached the previous time through the loop.
From the config file comments:
This variable controls whether fwknopd is permitted to sniff SPA packets
regardless of whether they are received on the sniffing interface or sent
from the sniffing interface. In the later case, this can be useful to have
fwknopd sniff SPA packets that are forwarded through a system and destined
for a different network. If the sniffing interface is the egress interface
for such packets, then this variable will need to be set to "Y" in order for
fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
packets that are received on the sniffin
PCAP_ANY_DIRECTION N;
Bug fix to ensure to release memory when invalid access stanza dates are set
and fwknopd has to exit. This leak was caught with the test suite in
--enable-valgrind mode based on the following output:
==31947== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==31947== at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31947== by 0x52EE42A: __fopen_internal (iofopen.c:73)
==31947== by 0x1116A2: parse_access_file (access.c:909)
==31947== by 0x10BAD5: main (fwknopd.c:194)
These are simple logic fixes that would not have impacted run time to address
the following warnings generated by the CLANG static analyzer:
incoming_spa.c:433:17: warning: Value stored to 'attempted_decrypt' is never read
attempted_decrypt = 1;
^ ~
incoming_spa.c:647:13: warning: Value stored to 'acc' is never read
acc = acc->next;
^ ~~~~~~~~~
Significant merge from Franck Joncourt to add the ability to save command line
args to ~/.fwknoprc stanzas. This merge is in support of #4.
Conflicts:
lib/fko_util.c
lib/fko_util.h
This change allows SPA clients to include long messages in command mode and
generally allows decryption operations to dictate success/failure instead of
SPA packet length to gate decryption attempts. Closes#40.
This is a fairly significant commit that lays the groundwork for getting
selectable HMAC modes working for both the client and server. One libfko API
change was required so that the hmac_type is passed into fko_new_with_data().
This allows the server to set the hmac_type via access.conf stanzas. The
effort in this commit will be extended to allow HMAC MD5, SHA1, and SHA512
also function properly.
This commit completes the conversion to the strtol() wrapper function in order
to remove all atoi() calls. In addition, variable max values are enforced
using more broadly defined RCHK_* values.
This commit replaces a few additional atoi() calls with the strtol() wrapper
function, and also fixes a bug where access SOURCE IP/mask combinations would
not be accepted when the string length was a long as something like
'123.123.123.123/255.255.255.255'.
