This change ensures that we only cache replay digests for those SPA packets that actually decrypt. Not doing this would have allowed an attacker to potentially fill up digest cache space with digests for garbage packets.
This commit fixes a bug where the same encryption key used for two stanzas in the access.conf file would result in access requests that matched the second stanza to always be treated as a replay attack. This has been fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now the fwknopd server computes the SHA256 digest of raw incoming payload data before decryption, and compares this against all previous hashes. Previous to this commit, fwknopd would add a new hash to the replay digest list right after the first access.conf stanza match, so when SPA packet data matched the second access.conf stanza a matching replay digest would already be there.
…e’ set but not used [-Wunused-but-set-variable]
…mmediate binding protection compliation warnings on FreeBSD
Set version to 2.0 (non-release candidate). Minor typo fixes.