Added --disable-gpg to the autoconf ./configure script
via configure.ac. This makes it easy to not have fwknop/fwknopd
link against libgpgme even if it is installed on the local system.
The Debian hardening-includes package sets CFLAGS and LDFLAGS as follows for PIE support:
_HARDENED_PIE_CFLAGS := -fPIE
_HARDENED_PIE_LDFLAGS := -fPIE -pie
The configure.ac file has been updated to conform to the above.
Bug fix to check b64_decode() return value to ensure that
non-base64 encoded data is never used. Even though other validation
routines checked decoded results, it is important to discard invalid
data as early as possible. Note too that such invalid data would only
be provided to b64_decode() after proper decryption, so the client must
provide authentic SPA data.
This commit adds the ability to generate SPA packets that are valid except for
the last encoding step before encryption. This is independent of supplying
invalid data for SPA packet fields. To invoke the test suite in this mode,
do something like:
# ./test-fwknop.pl --enable-perl-module-pkt-gen --fuzzing-test-tag "encoded_colon1_missing" --fuzzing-class encoding
This assumes that lib/fko_encode.c has been patched to subvert the encoding
step itself before encryption. In this case, the first colon after the random
value is removed.
[client+server] Applied patch from Franck Joncourt to remove unnecessary
chmod() call when creating client rc file and server replay cache file.
The permissions are now set appropriately via open(), and at the same
time this patch fixes a potential race condition since the previous code
used fopen() followed by chmod().
Added validation of NAT access strings in the various NAT modes in libfko.
This applies to both the client and server, and test suite support was added
as well.
