This commit replaces the separately implemented client/server
is_base64() check with a single libfko function, and libfko itself now
uses it as well before prepending Rijndael or GnuPG base64 encoded
prefixes.
This commit fixes a crash if the replay digest init() routine fails - fwknopd
attempted to make use of replay tracking anyway. The crash was discovered
during testing fwknopd with an AppArmor enforce policy deployed. The
following stack trace shows the crash (taken before the previous static
function commit):
Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
31 ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
(gdb) where
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
#1 0x00007f59cabd8b26 in add_replay_file_cache (opts=opts@entry=0x7fff3eaa0bb0, digest=digest@entry=0x0) at replay_cache.c:516
#2 0x00007f59cabd8cf5 in add_replay (opts=opts@entry=0x7fff3eaa0bb0, digest=digest@entry=0x0) at replay_cache.c:472
#3 0x00007f59cabd62eb in incoming_spa (opts=0x7fff3eaa0bb0) at incoming_spa.c:536
#4 0x00007f59ca56164e in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#5 0x00007f59cabd7175 in pcap_capture (opts=opts@entry=0x7fff3eaa0bb0) at pcap_capture.c:269
#6 0x00007f59cabd3d4d in main (argc=5, argv=0x7fff3eaa1458) at fwknopd.c:314
This commit fixes a crash at init time in fwknopd if an improperly formatted
IPT_INPUT_ACCESS variable is used in fwknopd.conf file. fwknopd should not
try to delete chains with a bogus IPT_INPUT_ACCESS variable, and valgrind
verifies that this change does not introduce any memory leaks (see the
'invalid iptables INPUT spec' tests run in --enable-valgrind mode).
This commit updates fwknopd to test for the existance of the iptables '-C'
rule checking functionality since older versions of iptables don't have this.
If it isn't offered by the installed version of iptables, then revert to parsing
fwknop chains to see if iptables rules already exist before adding new rules (to
avoid duplicates).
This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to
signal incompatibility with older libfko versions. Backwards compatibility is
maintained in SPA packet construction, but function prototypes in libfko-2.0 are
no longer compatible with older versions.
This commit also returns non-zero exit status under 'fwknopd --status' if there
is no existing fwknopd process. This is better than always exiting with a zero
status regardless of whether fwknopd is already running or not, and adds a level
of scriptability to --status usage. This change was suggested by George Herlin.
The client --test mode decrypts SPA packet data as a final step, but get_keys()
was being called to re-acquire the encryption/HMAC keys. This commit reuses
the same keys that were supplied for SPA packet encryption/authentication
because the most important code to test is not get_keys() but rather libfko
encryption/decryption/authentication operations.
