Suggested doc update to fwknop man pages to accurately describe the usage
of digits instead of bytes for SPA random data. About 53 bits of entropy
are actually used, although this is in addition to the 64-bit random salt
in for key derivation used by PBKDF1 in Rjindael CBC mode.
Integer lengths that are negative are never valid. This commit also
extends the fuzzing capabilities of the test/fko-wrapper code to
validate libfko calls with negative length arguments, and one crash
scenario with a negative length for the encryption key was found (and
fixed) this way.
Under Android-4.4 this commit fixes the following warning:
[exec] jni/./fwknop/fwknop_client.c: In function 'Java_com_max2idea_android_fwknop_Fwknop_sendSPAPacket':
[exec] jni/./fwknop/fwknop_client.c:181:5: error: format not a string literal and no format arguments [-Werror=format-security]
[exec] cc1: some warnings being treated as errors
Updated pcap_dispatch() default packet count from zero to 100.
This change was made to ensure backwards compatibility with older
versions of libpcap per the pcap_dispatch() man page, and also because
some of a report from Les Aker of an unexpected crash on Arch Linux with
libpcap-1.5.1 that is fixed by this change (closes#110).
This commit adds a new pcap file to the test suite with an SPA packet after
99 other garbage packets. This can be used for pcap_dispatch() testing,
though this is not meant to be super instensive - it is just to ensure that
if a PCAP_DISPATCH_COUNT of, say, 10 is selected that the SPA is still seen
by fwknopd. This commit is in support of #110.
This change sends SIGKILL to fwknopd under -K if SIGTERM does not do the job
first. This can be necessary in some cases if libpcap does not properly handle
a packet count of zero in pcap_dispatch() (see github issue #110). On a side
note, the default packet dispatch count of zero will likely be changed because
of that issue too.
This change moves the fuzzing_spa_packets file from the test/fuzzing/
directory into the perl FKO extension t/ directory and is now referenced
directly by the t/04_fuzzing.t test file. The test suite itself also uses
this file for fuzzing tests as well, but having the FKO built-in tests
enables Test::Valgrind memory checks so it is useful to have this included
in the FKO sources. (When the FKO module is submitted to CPAN, it should
not depend on non-local files, but it's ok for the test suite to reference
the ../perl/FKO/t/ directory.)
[libfko] Bug fix to not attempt SPA packet decryption with GnuPG without
an fko object with encryption_mode set to FKO_ENC_MODE_ASYMMETRIC. This
bug was caught with valgrind validation against the perl FKO extension
together with the set of SPA fuzzing packets in
test/fuzzing/fuzzing_spa_packets. Note that this bug cannot be
triggered via fwknopd because additional checks are made within fwknopd
itself to force FKO_ENC_MODE_ASYMMETRIC whenever an access.conf stanza
contains GPG key information. This fix strengthens libfko itself to
independently require that the usage of fko objects without GPG key
information does not result in attempted GPG decryption operations. Hence
this fix applies mostly to third party usage of libfko - i.e. stock
installations of fwknopd are not affected. As always, it is recommended to
use HMAC authenticated encryption whenever possible even for GPG modes since
this also provides a work around even for libfko prior to this fix.
