Added --key-gen to allow KEY_BASE64 and HMAC_KEY_BASE64 keys to be created from
reading random data from /dev/random. These keys can be placed within server
access.conf files and corresponding client .fwknoprc files for SPA
communications. The HMAC key is not used yet with this commit, but that is
coming.
fwknopd access stanzas can have both Rijndael and GnuPG keys, so this
commit fixes a bug where any gpg info would force only gpg decryption
attempts even if a Rijndael key is provided in the stanza.
This commit causes fwknopd to exit whenever an invalid SOURCE entry is seen
such as ":ANY". Previous to this commit, valgrind threw the following errors
with ":ANY" as an access.conf SOURCE entry:
Invalid read of size 8
at 0x117695: free_acc_source_list (access.c:512)
by 0x1177E3: free_acc_stanza_data (access.c:564)
by 0x117C67: free_acc_stanzas (access.c:654)
by 0x10E32E: free_configs (config_init.c:106)
by 0x10D085: main (fwknopd.c:376)
Address 0x5a80658 is 8 bytes inside a block of size 16 free'd
at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x116AE0: add_source_mask (access.c:255)
by 0x116D57: expand_acc_source (access.c:303)
by 0x117A82: expand_acc_ent_lists (access.c:620)
by 0x119570: parse_access_file (access.c:1043)
by 0x10C77E: main (fwknopd.c:193)
Invalid free() / delete / delete[] / realloc()
at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x1176A8: free_acc_source_list (access.c:514)
by 0x1177E3: free_acc_stanza_data (access.c:564)
by 0x117C67: free_acc_stanzas (access.c:654)
by 0x10E32E: free_configs (config_init.c:106)
by 0x10D085: main (fwknopd.c:376)
Address 0x5a80650 is 0 bytes inside a block of size 16 free'd
at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x116AE0: add_source_mask (access.c:255)
by 0x116D57: expand_acc_source (access.c:303)
by 0x117A82: expand_acc_ent_lists (access.c:620)
by 0x119570: parse_access_file (access.c:1043)
by 0x10C77E: main (fwknopd.c:193)
HEAP SUMMARY:
in use at exit: 8 bytes in 1 blocks
total heap usage: 1,659 allocs, 1,659 frees, 238,310 bytes allocated
Added --enable-profile-coverage to the configure script to have the fwknop
binaries compiled with gcc profiling support in order to see which functions
get executed by the test suite via gcov. The last test executed by the test
suite under --enable-profile-coverage contains all fwknop functions that
were not executed under the test run (function execution totals are
cumlative).
For SPA packets encrypted with Rjindael, fwknop has always used CBC mode
even though ECB mode is mentioned in a couple of places. This change makes
more transparent use of block_encrypt() and block_decrypt() to ensure that
the appropriate mode is used. The default is CBC mode, but others can be
selected as well (-M <mode> for the fwknop client, and ENCRYPTION_MODE in
access.conf for the fwknopd server).
This is a significant update to allow AES encryption modes to be selected on a
per-key basis. For now, only ECB and CBC (recommended) modes are supported.
The default is ECB modes in order to maintain backwards compatibility with the
older perl version of fwknop and the Crypt::CBC CPAN module. This will likely
be changed to use CBC mode by default because of its better security
properties.
In the access.conf file on the server side, there is a new configuration
variable "ENCRYPTION_MODE" that controls the mode for the corresponding AES
key. On the client side, a new command line argument "--encryption-mode"
controls how the client encrypts SPA packets.
