[libfko] Added the ability to maintain backwards compatibility with the
now deprecated "zero padding" strategy in AES mode that was a hold over
from the old perl fwknop implementation. This enables the backwards
compatiblity tests to continue to pass in the test suite.
Added --enable-openssl-checks to send all SPA packets encrypted via libfko
through the OpenSSL library to ensure that the libfko usage of AES is always
compatible with OpenSSL. This ensures that the fwknop usage of AES is properly
implemented as verified by the OpenSSL library, which is a frequently audited
high profile crypto engine. If a vulnerability is discovered in OpenSSL and a
change is made, then the --enable-openssl-checks mode will allow the test suite
to discover this in a automated fashion for fwknop.
Significant bug fix to honor the full encryption key length for
user-supplied Rijndael keys > 16 bytes long. Previous to this bug fix,
only the first 16 bytes of a key were actually used in the encryption/
decryption process even if the supplied key was longer. The result was
a weakening of expected security for users that had keys > 16 bytes,
although this is probably not too common. Note that "passphrase" is
perhaps technically a better word for "user-supplied key" in this
context since Rijndael in CBC mode derives a real encryption/decryption
key from the passphrase through a series of applications of md5 against
the passphrase and a random salt. This issue was reported by Michael T.
Dean. Closes issue #18 on github.
Added a few backwards compatibility tests for versions of fwknop going back to
2.0, and also added a compatibility test for an SPA packet produced by Android
4.2.1.
Added a new '--pcap-file <file>' option to allow pcap files to
be processed directly by fwknopd instead of sniffing an interface. This
feature is mostly intended for debugging purposes.
This commit adds the ability to generate SPA packets that are valid except for
the last encoding step before encryption. This is independent of supplying
invalid data for SPA packet fields. To invoke the test suite in this mode,
do something like:
# ./test-fwknop.pl --enable-perl-module-pkt-gen --fuzzing-test-tag "encoded_colon1_missing" --fuzzing-class encoding
This assumes that lib/fko_encode.c has been patched to subvert the encoding
step itself before encryption. In this case, the first colon after the random
value is removed.
