From the config file comments:
This variable controls whether fwknopd is permitted to sniff SPA packets
regardless of whether they are received on the sniffing interface or sent
from the sniffing interface. In the latter case, this can be useful to have
fwknopd sniff SPA packets that are forwarded through a system and destined
for a different network. If the sniffing interface is the egress interface
for such packets, then this variable will need to be set to "Y" in order for
fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
packets that are received on the sniffin
PCAP_ANY_DIRECTION N;
Bug fix to ensure memory is released when invalid access stanza dates are set
and fwknopd has to exit. This leak was caught with the test suite in
--enable-valgrind mode based on the following output:
==31947== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==31947== at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31947== by 0x52EE42A: __fopen_internal (iofopen.c:73)
==31947== by 0x1116A2: parse_access_file (access.c:909)
==31947== by 0x10BAD5: main (fwknopd.c:194)
These are simple logic fixes that would not have impacted run time to address
the following warnings generated by the CLANG static analyzer:
incoming_spa.c:433:17: warning: Value stored to 'attempted_decrypt' is never read
attempted_decrypt = 1;
^ ~
incoming_spa.c:647:13: warning: Value stored to 'acc' is never read
acc = acc->next;
^ ~~~~~~~~~
Significant merge from Franck Joncourt to add the ability to save command line
args to ~/.fwknoprc stanzas. This merge is in support of #4.
Conflicts:
lib/fko_util.c
lib/fko_util.h
This change allows SPA clients to include long messages in command mode and
generally allows decryption operations to dictate success/failure instead of
SPA packet length to gate decryption attempts. Closes #40.
This is a fairly significant commit that lays the groundwork for getting
selectable HMAC modes working for both the client and server. One libfko API
change was required so that the hmac_type is passed into fko_new_with_data().
This allows the server to set the hmac_type via access.conf stanzas. The
effort in this commit will be extended to allow HMAC MD5, SHA1, and SHA512 to
also function properly.
This commit completes the conversion to the strtol() wrapper function in order
to remove all atoi() calls. In addition, variable max values are enforced
using more broadly defined RCHK_* values.
This commit replaces a few additional atoi() calls with the strtol() wrapper
function, and also fixes a bug where access SOURCE IP/mask combinations would
not be accepted when the string length was as long as something like
'123.123.123.123/255.255.255.255'.
This commit replaces most atoi() calls (which don't report errors) with a strtol()
wrapper function for stronger string -> integer conversion validation.
This commit fixes a minor memory leak for the digest cache file path in
--rotate-digest-cache mode in the replay_cache_init() function. The leak was
caught by valgrind, and a new test was added to the test suite for it. Here
is the valgrind warning:
==29021== 21 bytes in 1 blocks are definitely lost in loss record 2 of 2
==29021== at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29021== by 0x1103AA: replay_cache_init (replay_cache.c:96)
==29021== by 0x10BB8C: main (fwknopd.c:254)
[libfko] Added the ability to maintain backwards compatibility with the
now deprecated "zero padding" strategy in AES mode that was a hold over
from the old perl fwknop implementation. This enables the backwards
compatibility tests to continue to pass in the test suite.
This merges in code from Franck Joncourt to ensure that duplicate iptables
rules are not created for SPA packets that are themselves different but arrive
at the same time and that request exactly the same access. This is done by
using the 'iptables -C' functionality to determine whether a duplicate rule
already exists before adding a new one.
When setting --pcap-file mode from the command line some versions of libpcap
do not appear to allow non-blocking mode to be set and throw the following
error:
[*] Error setting pcap nonblocking to 0:
This commit ignores the non-blocking setting in --pcap-file mode.
Added chain_exists() check to SPA rule creation so that if any
of the fwknop chains are deleted out from under fwknopd they will be
recreated on the fly. This mitigates scenarios where fwknopd might be
started before a system level firewall policy is applied due to init
script ordering, or if an iptables policy is re-applied without
restarting fwknopd.
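As an added example (not fwknop's own code) covering both the duplicate-rule merge above and this chain_exists() commit, the C below implements the check-then-add pattern once, without a shell: run an iptables "check" command (`iptables -C` for an identical rule, `iptables -n -L CHAIN` for a chain) and only run the "add" command when the check fails. The function names, the chain name FWKNOP_INPUT and the sample rule are assumptions for the demonstration; when run as root with iptables installed, main() really creates that chain and rule, and otherwise it exercises the same logic with true/false.

```c
/* Added example, not fwknop's own code. run_cmd(), ensure_present(), the
 * chain name FWKNOP_INPUT and the sample rule are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv without a shell and return its exit status: 0 on success, a
 * positive status on failure, -1 if it could not be run at all (fork
 * failure, killed by a signal, or exec failure reported as 127). No shell
 * means rule arguments are never reinterpreted by shell metacharacters. */
int run_cmd(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: discard output so "iptables: Bad rule" noise stays quiet */
        int devnull = open("/dev/null", O_RDWR);
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    return rc == 127 ? -1 : rc;
}

/* Check-then-add. Returns 0 if the check succeeded (already present, nothing
 * added), 1 if the add command ran and succeeded, -1 on error. */
int ensure_present(char *const check[], char *const add[])
{
    int rc = run_cmd(check);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;
    return run_cmd(add) == 0 ? 1 : -1;
}

/* Convenience for single-word commands (used by the non-root self-test). */
int ensure_present_cmds(const char *check_cmd, const char *add_cmd)
{
    char *check[] = { (char *)check_cmd, NULL };
    char *add[]   = { (char *)add_cmd, NULL };
    return ensure_present(check, add);
}

int main(void)
{
    /* chain_exists(): `iptables -n -L CHAIN` fails when the chain is gone;
       `iptables -N CHAIN` recreates it on the fly. */
    char *chain_check[]  = { "iptables", "-n", "-L", "FWKNOP_INPUT", NULL };
    char *chain_create[] = { "iptables", "-N", "FWKNOP_INPUT", NULL };

    /* Duplicate-rule check: `iptables -C` exits 0 only if an identical rule
       exists; otherwise append it with -A. Constructed sample ACCEPT rule. */
    char *rule_check[] = { "iptables", "-C", "FWKNOP_INPUT", "-s", "192.0.2.10",
                           "-p", "tcp", "--dport", "22", "-j", "ACCEPT", NULL };
    char *rule_add[]   = { "iptables", "-A", "FWKNOP_INPUT", "-s", "192.0.2.10",
                           "-p", "tcp", "--dport", "22", "-j", "ACCEPT", NULL };

    if (geteuid() != 0) {
        printf("not root: exercising the pattern with true/false, not iptables\n");
        printf("already present     -> %d\n", ensure_present_cmds("true", "false"));
        printf("missing, added      -> %d\n", ensure_present_cmds("false", "true"));
        printf("missing, add failed -> %d\n", ensure_present_cmds("false", "false"));
        return 0;
    }
    printf("chain: %d\n", ensure_present(chain_check, chain_create));
    printf("rule:  %d\n", ensure_present(rule_check, rule_add));
    return 0;
}
```

The check and the add are still two separate commands, so two fwknopd-like processes racing on the same rule could both see "missing"; the pattern removes duplicates from a single daemon's own timing, not from concurrent writers.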
Added a new '--pcap-file <file>' option to allow pcap files to
be processed directly by fwknopd instead of sniffing an interface. This
feature is mostly intended for debugging purposes.
[client+server] Applied patch from Franck Joncourt to remove unnecessary
chmod() call when creating client rc file and server replay cache file.
The permissions are now set appropriately via open(), and at the same
time this patch fixes a potential race condition since the previous code
used fopen() followed by chmod().
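As an added example (not the code from that patch), the C below puts the racy fopen()-then-chmod() form beside a replacement that hands the mode to open(), so the file never exists with wider permissions. Two hardening details go beyond what the commit message states and are this example's additions: O_NOFOLLOW, so a symlink planted at the path is refused rather than followed, and fchmod() on the descriptor to fix the mode of a pre-existing file without a second path lookup. The function names and the /tmp paths are assumptions for the demonstration.

```c
/* Added example, not fwknop's own code. open_private_racy(), open_private(),
 * file_mode() and the demo_* helpers, plus the /tmp paths, are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The racy "before" pattern. Between fopen() and chmod() the file exists with
 * the umask-derived default mode (often 0644), and chmod() works on the path,
 * so a symlink swapped in at that path redirects it. For comparison only. */
FILE *open_private_racy(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp != NULL)
        chmod(path, 0600);
    return fp;
}

/* The fixed pattern. open() creates the file with mode 0600 in the same
 * syscall (still subject to umask), O_NOFOLLOW makes a symlink at path fail
 * with ELOOP, and fchmod() on the descriptor enforces the mode on a file that
 * already existed. fdopen() hands back the FILE* callers expect. */
FILE *open_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Create a private file under /tmp with a typical 022 umask in effect, write
 * constructed content, and return the resulting mode bits (expected 0600). */
int demo_private_file(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/fwknop_private_%ld", (long)getpid());

    mode_t old = umask(022);
    FILE *fp = open_private(path);
    umask(old);
    if (fp == NULL)
        return -1;
    fputs("KEY_BASE64 example-secret\n", fp);   /* constructed rc-file line */
    fclose(fp);

    int mode = file_mode(path);
    unlink(path);
    return mode;
}

/* Plant a dangling symlink where the file would go and confirm open_private()
 * refuses it. Returns 1 if refused, 0 if followed, -1 on setup error. */
int demo_symlink_refused(void)
{
    char link[64];
    snprintf(link, sizeof link, "/tmp/fwknop_link_%ld", (long)getpid());
    unlink(link);
    if (symlink("/tmp/fwknop_should_not_exist", link) < 0)
        return -1;
    FILE *fp = open_private(link);
    int refused = (fp == NULL);
    if (fp != NULL)
        fclose(fp);
    unlink(link);
    unlink("/tmp/fwknop_should_not_exist");
    return refused;
}

int main(void)
{
    printf("mode after open_private(): %04o\n", demo_private_file());
    printf("symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```

Without O_NOFOLLOW, the racy variant given a dangling symlink would create the link target with the caller's privileges and then chmod() it, which is the classic symlink-race outcome the atomic open() avoids.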