-fwknop-2.0.4 (09/20/2012):
+fwknop-2.0.4 (11//2012):
- [server] Added upstart config at extras/upstart/fwknop.conf. This
allows the fwknopd to easily be managed with upstart via commands like
"service fwknop start" and "service fwknop stop".
UDP with a spoofed source IP address. This is in addition to the
original 'tcpraw' and 'icmp' protocols that also support a spoofed
source IP.
+ - [libfko] Bug fix to check b64_decode() return value to ensure that
+ non-base64 encoded data is never used. Even though other validation
+ routines checked decoded results, it is important to discard invalid
+ data as early as possible. Note too that such invalid data would only
+ be provided to b64_decode() after proper decryption, so the client must
+ provide authentic SPA data.
- [libfko] Added validation of NAT access strings in the various NAT
modes.
- [libfko] Restricted usernames embedded in SPA packets to be
return(FKO_ERROR_MEMORY_ALLOCATION);
}
- b64_decode(tbuf, (unsigned char*)ctx->username);
+ if(b64_decode(tbuf, (unsigned char*)ctx->username) < 0)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
if(validate_username(ctx->username) != FKO_SUCCESS)
{
free(tbuf);
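Review bot: The new check `if(b64_decode(tbuf, (unsigned char*)ctx->username) < 0)` tests only the sign of the return value and discards the decoded length; the message, nat_access and both server_auth sites below do the same. Base64 can carry any byte, so a field that decodes without error may still contain an embedded NUL, and `validate_username(ctx->username)` receives only a pointer and therefore sees just the bytes before it. If b64_decode() returns the decoded byte count (the `cipher_len = b64_decode(...)` call sites suggest it does) and NUL-terminates its output, consider keeping the value and rejecting a mismatch, e.g. `if(dlen < 0 || (size_t)dlen != strlen(ctx->username))`. The allocation of ctx->username and the rest of the enclosing function lie outside this hunk, so the destination sizing cannot be confirmed from here.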
return(FKO_ERROR_MEMORY_ALLOCATION);
}
- b64_decode(tbuf, (unsigned char*)ctx->message);
+ if(b64_decode(tbuf, (unsigned char*)ctx->message) < 0)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
if(ctx->message_type == FKO_COMMAND_MSG)
{
return(FKO_ERROR_MEMORY_ALLOCATION);
}
- b64_decode(tbuf, (unsigned char*)ctx->nat_access);
+ if(b64_decode(tbuf, (unsigned char*)ctx->nat_access) < 0)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
if(validate_nat_access_msg(ctx->nat_access) != FKO_SUCCESS)
{
return(FKO_ERROR_MEMORY_ALLOCATION);
}
- b64_decode(tbuf, (unsigned char*)ctx->server_auth);
+ if(b64_decode(tbuf, (unsigned char*)ctx->server_auth) < 0)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
/* At this point we should be done.
*/
return(FKO_ERROR_MEMORY_ALLOCATION);
}
- b64_decode(tbuf, (unsigned char*)ctx->server_auth);
+ if(b64_decode(tbuf, (unsigned char*)ctx->server_auth) < 0)
+ {
+ free(tbuf);
+ return(FKO_ERROR_INVALID_DATA);
+ }
ndx += t_size + 1;
}
if(cipher == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
- cipher_len = b64_decode(ctx->encrypted_msg, cipher);
+ if((cipher_len = b64_decode(ctx->encrypted_msg, cipher)) < 0)
+ return(FKO_ERROR_INVALID_DATA);
/* Create a bucket for the plaintext data and decrypt the message
* data into it.
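Review bot: The added `return(FKO_ERROR_INVALID_DATA);` leaves `cipher` allocated: the `if(cipher == NULL)` check just above indicates a heap allocation, and unlike the tbuf sites there is no free() before the early return. Unlike the field decodes described in the ChangeLog entry, this decode runs on ctx->encrypted_msg before decryption, so malformed input presumably reaches it without a valid key, and each such packet would leak a buffer in a long-running daemon. Free the buffer first, e.g. `{ free(cipher); return(FKO_ERROR_INVALID_DATA); }`. The second call site further down has the same shape and needs the same change; also confirm cipher_len is a signed type, since otherwise `< 0` can never be true. The enclosing function starts and ends outside the hunk.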
if(cipher == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
- cipher_len = b64_decode(ctx->encrypted_msg, cipher);
+ if((cipher_len = b64_decode(ctx->encrypted_msg, cipher)) < 0)
+ return(FKO_ERROR_INVALID_DATA);
/* Create a bucket for the plaintext data and decrypt the message
* data into it.