[client+server] Applied patch from Franck Joncourt to remove unnecessary
chmod() call when creating client rc file and server replay cache file.
The permissions are now set appropriately via open(), and at the same
time this patch fixes a potential race condition since the previous code
used fopen() followed by chmod().
Added validation of NAT access strings in the various NAT modes in libfko.
This applies to both the client and server, and test suite support was added
as well.
Applied patch from Franck Joncourt to have the perl FKO module link
against libfko in the local directory (if it exists) so that it doesn't
have to have libfko completely installed in /usr/lib/. This allows the
test suite to run FKO tests without installing libfko.
Added the ability to the test suite to compile, install, and run some
basic tests against the perl FKO module.
- [client] Added '-P udpraw' to allow the client to send SPA packets over
UDP with a spoofed source IP address. This is in addition to the
original 'tcpraw' and 'icmp' protocols that also support a spoofed
source IP.
- [server] Bug fix to accept SPA packets over ICMP if the fwknop client
is executed with '-P icmp' and the user has the required privileges.
This change allows fwknopd to write syslog messages to traditional syslog files
while running under upstart. Not forking into the background resulted in
messages meant for syslog were captured under /var/log/upstart/fwknop.log.
For the upstart config make sure only start fwknopd after a non-loopback
network interface is brought up. Also added a commented post-start script
to send an email whenever fwknopd is (re)started.
fwknop can be easily managed with upstart with the addition of this config.
Here is an example:
# service fwknop start
fwknop start/running, process 4269
(Vlad Glagolev) Submitted a patch to fix command exec mode
under SPA message type validity test. Support for command exec mode was
also added to the test suite.
Applied patch from Vlad Glagolev to fix ndbm/gdbm usage when --disable-file-cache
is used for the autoconf configure script. This functionality was broken in
be4193d734 through improper handling of #define
macros from --disable-file-cache.
Fernando Arnaboldi from IOActive found several conditions in
which the server did not properly throw out maliciously constructed
variables in the access.conf file. This has been fixed along with new
fuzzing tests in the test suite.
