This is a fairly significant commit that lays the groundwork for getting
selectable HMAC modes working for both the client and server. One libfko API
change was required so that the hmac_type is passed into fko_new_with_data().
This allows the server to set the hmac_type via access.conf stanzas. The
effort in this commit will be extended to allow HMAC MD5, SHA1, and SHA512
also function properly.
This commit fixes a byte order warning for both sha1.c and md5.c like so:
sha1.c:127:6: warning: #warning Undetermined or unsupported Byte Order... We will try LITTLE_ENDIAN [-Wcpp]
Also removed a couple of header includes that appear not be needed.
This commit completes the conversion to the strtol() wrapper function in order
to remove all atoi() calls. In addition, variable max values are enforced
using more broadly defined RCHK_* values.
This commit replaces most atoi() calls (which don't report errors) with a strtol()
wrapper function for stronger string -> integer conversion validation.
[client+server] Applied patch from Franck Joncourt to remove unnecessary
chmod() call when creating client rc file and server replay cache file.
The permissions are now set appropriately via open(), and at the same
time this patch fixes a potential race condition since the previous code
used fopen() followed by chmod().
- [client+server] Fernando Arnaboldi from IOActive found that strict
filesystem permissions for various fwknop files are not verified. Added
warnings whenever permissions are not strict enough, and ensured that
files created by the fwknop client and server are only set to user
read/write.
- [client] Fernando Arnaboldi from IOActive found a local buffer overflow
in --last processing with a maliciously constructed ~/.fwknop.run file.
This has been fixed with proper validation of .fwknop.run arguments.
This commit fixes the following memory caught with the test suite in valgrind
mode:
HEAP SUMMARY:
in use at exit: 285 bytes in 4 blocks
total heap usage: 11 allocs, 7 frees, 3,179 bytes allocated
5 bytes in 1 blocks are indirectly lost in loss record 1 of 4
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x50CB801: strdup (strdup.c:43)
by 0x4E3A7B2: fko_set_username (fko_user.c:96)
by 0x4E39628: fko_new (fko_funcs.c:86)
by 0x10AB54: main (fwknop.c:83)
7 bytes in 1 blocks are indirectly lost in loss record 2 of 4
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E395D7: fko_new (fko_funcs.c:62)
by 0x10AB54: main (fwknop.c:83)
17 bytes in 1 blocks are indirectly lost in loss record 3 of 4
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E3A06A: fko_set_rand_value (fko_rand_value.c:114)
by 0x4E39605: fko_new (fko_funcs.c:75)
by 0x10AB54: main (fwknop.c:83)
285 (256 direct, 29 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4E395BA: fko_new (fko_funcs.c:46)
by 0x10AB54: main (fwknop.c:83)
LEAK SUMMARY:
definitely lost: 256 bytes in 1 blocks
indirectly lost: 29 bytes in 3 blocks
possibly lost: 0 bytes in 0 blocks
still reachable: 0 bytes in 0 blocks
suppressed: 0 bytes in 0 blocks
This commit fixes memory leaks like the following in the fwknop client:
HEAP SUMMARY:
in use at exit: 300 bytes in 11 blocks
total heap usage: 100 allocs, 89 frees, 16,583 bytes allocated
16 bytes in 1 blocks are indirectly lost in loss record 1 of 11
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
by 0x5C3D63E: ???
by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
by 0x508938E: cuserid (cuserid.c:37)
by 0x4E3983A: fko_set_username (fko_user.c:65)
by 0x4E38D5C: fko_new (fko_funcs.c:84)
by 0x10A824: main (fwknop.c:75)
16 bytes in 1 blocks are indirectly lost in loss record 2 of 11
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
by 0x5C3D658: ???
by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
by 0x508938E: cuserid (cuserid.c:37)
by 0x4E3983A: fko_set_username (fko_user.c:65)
by 0x4E38D5C: fko_new (fko_funcs.c:84)
by 0x10A824: main (fwknop.c:75)
16 bytes in 1 blocks are indirectly lost in loss record 3 of 11
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
by 0x5C3D672: ???
by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
by 0x508938E: cuserid (cuserid.c:37)
by 0x4E3983A: fko_set_username (fko_user.c:65)
by 0x4E38D5C: fko_new (fko_funcs.c:84)
by 0x10A824: main (fwknop.c:75)
16 bytes in 1 blocks are indirectly lost in loss record 4 of 11
at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5146C59: __nss_lookup_function (nsswitch.c:456)
by 0x5C3D68C: ???
by 0x50FF3FC: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:256)
by 0x508938E: cuserid (cuserid.c:37)
by 0x4E3983A: fko_set_username (fko_user.c:65)
by 0x4E38D5C: fko_new (fko_funcs.c:84)
by 0x10A824: main (fwknop.c:75)
When using the --nat-local argument on the fwknop client command line, the
fwknopd server needs to add an INPUT ACCEPT rule for the requested access
since the incoming connection is destined for a local socket. Added test
suite support to test --nat-local access.
[test suite] Minor bug fix to ensure that all file_find_regex() calls return
true if all regex's are matched and false if any regex does not match data in
the specified file.
Now that encryptions keys and hmac keys may be acquired from /dev/random with
--key-gen (and base64 encoded), they may contain NULL bytes. This emphasizes
the need to not leverage code that assumes C-style strings when making use of
key information.
Added --key-gen to allow KEY_BASE64 and HMAC_KEY_BASE64 keys to be created from
reading random data from /dev/random. These keys can be placed within server
access.conf files and corresponding client .fwknoprc files for SPA
communications. The HMAC key is not used yet with this commit, but that is
coming.
This is a significant update to allow AES encryption modes to be selected on a
per-key basis. For now, only ECB and CBC (recommended) modes are supported.
The default is ECB modes in order to maintain backwards compatibility with the
older perl version of fwknop and the Crypt::CBC CPAN module. This will likely
be changed to use CBC mode by default because of its better security
properties.
In the access.conf file on the server side, there is a new configuration
variable "ENCRYPTION_MODE" that controls the mode for the corresponding AES
key. On the client side, a new command line argument "--encryption-mode"
controls how the client encrypts SPA packets.
The two memory leaks were found with the test suite running in
--enable-valgrind mode - here are the relevant error messages:
For fwknopd server GPG clean up:
==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
==345== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==345== by 0x52F6B81: strdup (strdup.c:43)
==345== by 0x10FA57: add_string_list_ent (access.c:308)
==345== by 0x110513: parse_access_file (access.c:387)
==345== by 0x10B5FB: main (fwknopd.c:193)
For fwknop client rc file processing:
==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
==8045== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==8045== by 0x50A53AA: __fopen_internal (iofopen.c:76)
==8045== by 0x10C3FF: process_rc (config_init.c:446)
==8045== by 0x10C8F6: config_init (config_init.c:671)
==8045== by 0x10AC9E: main (fwknop.c:62)
There is also a new clean_exit() function that makes it easier to ensure that
resources are deallocated upon existing.
Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.
Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
In the save_args() function the args_str_len variable was being used before
being initialized as reported via the splint static code analysis tool. Here
is the splint output that found this bug:
client/fwknop.c:650:13: Variable args_str_len used before definition
An rvalue is used that may not be initialized to a value on some execution
path. (Use -usedef to inhibit warning)
