Characters should be casted as unsigned before use in functions from
<ctype.h>. Otherwise the compiler treats 8-bit characters (eg UTF-8) as
negative values (since it expects signed integers) and they no longer
match the comparison tables. Worse, the character 0xff gets interpreted
as -1 (like EOF). In turn, it helps to explicitly cast the result as a
signed integer, since this is what is expected. Characters in the range
0x80-0xff do keep their original values.
See the manual page for ctype(3) for more details (eg from NetBSD)
This commit fixes a double free condition discovered through the new
python SPA payload fuzzer. This bug could be triggered in fwknopd with
a malicious SPA payload but only when GnuPG is used. When Rijndael is
used for SPA packet encryption, this bug cannot be triggered due to an
length/format check towards the end of _rijndael_decrypt(). It should
be noted that only a person in possession of the correct encryption and
authentication GnuPG keys could trigger this bug.
This commit implements more rigorous SPA packet field count validation
that takes into account expected field counts for each SPA message type.
Two new libfko error codes have been added in support of this, and the
corresponding changes made in the perl and python modules.
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
This commit is a follow up to Ryman's report (#85) of a potential timing attack
that could be leveraged against fwknop when strncmp() is used to compare HMAC
digests. All strncmp() calls that do similar things have been replaced with a
new constant_runtime_cmp() function that mitigates this problem.
This commit completes the conversion to the strtol() wrapper function in order
to remove all atoi() calls. In addition, variable max values are enforced
using more broadly defined RCHK_* values.
This commit replaces most atoi() calls (which don't report errors) with a strtol()
wrapper function for stronger string -> integer conversion validation.
Bug fix to check b64_decode() return value to ensure that
non-base64 encoded data is never used. Even though other validation
routines checked decoded results, it is important to discard invalid
data as early as possible. Note too that such invalid data would only
be provided to b64_decode() after proper decryption, so the client must
provide authentic SPA data.
Added validation of NAT access strings in the various NAT modes in libfko.
This applies to both the client and server, and test suite support was added
as well.
(Vlad Glagolev) Submitted a patch to fix command exec mode
under SPA message type validity test. Support for command exec mode was
also added to the test suite.
Enhanced the libfko decoding routine to include bounds checking on decrypted
SPA data. This includes verifying the number of fields within incoming SPA
data (colon separated) along with verifying string lengths of each field.
Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.
Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
