- 10 Jul 2012, 6 commits
Authored by Michael Rash
When getting the raw digest for replay attack detection, specify the default encryption mode (which doesn't actually get used when passing a NULL key).
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
- 09 Jul 2012, 4 commits
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
- 08 Jul 2012, 4 commits
Authored by Michael Rash
Authored by Michael Rash
This change ensures that we only cache replay digests for those SPA packets that actually decrypt. Not doing this would have allowed an attacker to potentially fill up digest cache space with digests for garbage packets.
Authored by Michael Rash
Authored by Michael Rash
This commit fixes a bug where the same encryption key used for two stanzas in the access.conf file would result in access requests that matched the second stanza to always be treated as a replay attack. This has been fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now the fwknopd server computes the SHA256 digest of raw incoming payload data before decryption, and compares this against all previous hashes. Previous to this commit, fwknopd would add a new hash to the replay digest list right after the first access.conf stanza match, so when SPA packet data matched the second access.conf stanza a matching replay digest would already be there.
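The two replay-cache rules from this message and the previous one (digest the raw payload once before any decryption, and cache a digest only for packets that actually decrypt), as an added Python sketch that is not fwknop's own code. The HMAC-based encrypt()/decrypt() pair, the Stanza fields and the "tcp/22"-style request bodies are constructed stand-ins for Rijndael decryption and access.conf stanzas.

```python
import hashlib
import hmac

# Constructed stand-in for Rijndael: a packet is body || HMAC-SHA256(key, body)
# and "decrypts" only if the tag verifies under the stanza key.
def encrypt(key: bytes, body: bytes) -> bytes:
    return body + hmac.new(key, body, "sha256").digest()

def decrypt(key: bytes, raw: bytes):
    body, tag = raw[:-32], raw[-32:]
    if hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        return body
    return None  # garbage under this key

# Hypothetical access stanza: a key plus the port requests it may grant.
class Stanza:
    def __init__(self, name, key, open_ports):
        self.name, self.key, self.open_ports = name, key, open_ports

def handle_spa_buggy(raw, stanzas, cache):
    """Pre-fix flow: replay check and digest insert per stanza, before decrypt.
    With one key in two stanzas, stanza 2 always sees stanza 1's digest."""
    for st in stanzas:
        d = hashlib.sha256(raw).hexdigest()
        if d in cache:
            return "replay"
        cache.add(d)                          # cached even for garbage packets
        body = decrypt(st.key, raw)
        if body is not None and body in st.open_ports:
            return st.name
    return "rejected"

def handle_spa_fixed(raw, stanzas, cache):
    """Post-fix flow: one digest of the raw payload, compared against every
    previous digest before decryption, stored only once a key decrypts it."""
    d = hashlib.sha256(raw).hexdigest()
    if d in cache:
        return "replay"
    for st in stanzas:
        body = decrypt(st.key, raw)
        if body is None:
            continue                          # do not let junk fill the cache
        cache.add(d)                          # decrypted: worth remembering
        if body in st.open_ports:
            return st.name
    return "rejected"

if __name__ == "__main__":
    key = b"shared-key"                       # same key in both stanzas
    stanzas = [Stanza("first", key, {b"tcp/22"}), Stanza("second", key, {b"tcp/80"})]
    pkt = encrypt(key, b"tcp/80")
    print(handle_spa_buggy(pkt, stanzas, set()), handle_spa_fixed(pkt, stanzas, set()))
```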
- 23 Jun 2012, 1 commit
Authored by Michael Rash
fwknopd access stanzas can have both Rijndael and GnuPG keys, so this commit fixes a bug where any gpg info would force only gpg decryption attempts even if a Rijndael key is provided in the stanza.
- 17 Jun 2012, 2 commits
Authored by Michael Rash
Authored by Michael Rash
This commit causes fwknopd to exit whenever an invalid SOURCE entry is seen such as ":ANY". Previous to this commit, valgrind threw the following errors with ":ANY" as an access.conf SOURCE entry:

    Invalid read of size 8
       at 0x117695: free_acc_source_list (access.c:512)
       by 0x1177E3: free_acc_stanza_data (access.c:564)
       by 0x117C67: free_acc_stanzas (access.c:654)
       by 0x10E32E: free_configs (config_init.c:106)
       by 0x10D085: main (fwknopd.c:376)
     Address 0x5a80658 is 8 bytes inside a block of size 16 free'd
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x116AE0: add_source_mask (access.c:255)
       by 0x116D57: expand_acc_source (access.c:303)
       by 0x117A82: expand_acc_ent_lists (access.c:620)
       by 0x119570: parse_access_file (access.c:1043)
       by 0x10C77E: main (fwknopd.c:193)

    Invalid free() / delete / delete[] / realloc()
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x1176A8: free_acc_source_list (access.c:514)
       by 0x1177E3: free_acc_stanza_data (access.c:564)
       by 0x117C67: free_acc_stanzas (access.c:654)
       by 0x10E32E: free_configs (config_init.c:106)
       by 0x10D085: main (fwknopd.c:376)
     Address 0x5a80650 is 0 bytes inside a block of size 16 free'd
       at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x116AE0: add_source_mask (access.c:255)
       by 0x116D57: expand_acc_source (access.c:303)
       by 0x117A82: expand_acc_ent_lists (access.c:620)
       by 0x119570: parse_access_file (access.c:1043)
       by 0x10C77E: main (fwknopd.c:193)

    HEAP SUMMARY:
        in use at exit: 8 bytes in 1 blocks
      total heap usage: 1,659 allocs, 1,659 frees, 238,310 bytes allocated
- 15 Jun 2012, 1 commit
Authored by Michael Rash
Added --enable-profile-coverage to the configure script to have the fwknop binaries compiled with gcc profiling support in order to see which functions get executed by the test suite via gcov. The last test executed by the test suite under --enable-profile-coverage contains all fwknop functions that were not executed under the test run (function execution totals are cumulative).
- 28 May 2012, 4 commits
Authored by Michael Rash
Authored by Michael Rash
gcc warning fix for: fko_decode.c:43:17: warning: variable ‘edata_size’ set but not used [-Wunused-but-set-variable]
Authored by Michael Rash
Authored by Michael Rash
- 13 Feb 2012, 3 commits
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
- 10 Feb 2012, 4 commits
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
Authored by Michael Rash
- 09 Feb 2012, 2 commits
Authored by Michael Rash
Authored by Michael Rash
- 08 Feb 2012, 3 commits
Authored by Michael Rash
Authored by Michael Rash
For SPA packets encrypted with Rijndael, fwknop has always used CBC mode even though ECB mode is mentioned in a couple of places. This change makes more transparent use of block_encrypt() and block_decrypt() to ensure that the appropriate mode is used. The default is CBC mode, but others can be selected as well (-M <mode> for the fwknop client, and ENCRYPTION_MODE in access.conf for the fwknopd server).
Authored by Michael Rash
- 06 Feb 2012, 2 commits
Authored by Michael Rash
Authored by Michael Rash
- 30 Jan 2012, 1 commit
Authored by Michael Rash
- 29 Jan 2012, 1 commit
Authored by Michael Rash
- 25 Jan 2012, 1 commit
Authored by Michael Rash
This is a significant update to allow AES encryption modes to be selected on a per-key basis. For now, only ECB and CBC (recommended) modes are supported. The default is ECB mode in order to maintain backwards compatibility with the older perl version of fwknop and the Crypt::CBC CPAN module. This will likely be changed to use CBC mode by default because of its better security properties. In the access.conf file on the server side, there is a new configuration variable "ENCRYPTION_MODE" that controls the mode for the corresponding AES key. On the client side, a new command line argument "--encryption-mode" controls how the client encrypts SPA packets.
- 15 Jan 2012, 1 commit
Authored by Michael Rash