'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
'gpg_access' => "$conf_dir/gpg_access.conf",
'gpg_no_pw_access' => "$conf_dir/gpg_no_pw_access.conf",
+ 'tcp_server' => "$conf_dir/tcp_server_fwknopd.conf",
+ 'tcp_pcap_filter' => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
+ 'icmp_pcap_filter' => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
'open_ports_access' => "$conf_dir/open_ports_access.conf",
'multi_gpg_access' => "$conf_dir/multi_gpg_access.conf",
+ 'multi_gpg_no_pw_access' => "$conf_dir/multi_gpg_no_pw_access.conf",
'multi_stanza_access' => "$conf_dir/multi_stanzas_access.conf",
'broken_keys_access' => "$conf_dir/multi_stanzas_with_broken_keys.conf",
+ 'ecb_mode_access' => "$conf_dir/ecb_mode_access.conf",
+ 'ctr_mode_access' => "$conf_dir/ctr_mode_access.conf",
+ 'cfb_mode_access' => "$conf_dir/cfb_mode_access.conf",
+ 'ofb_mode_access' => "$conf_dir/ofb_mode_access.conf",
'open_ports_mismatch' => "$conf_dir/mismatch_open_ports_access.conf",
'require_user_access' => "$conf_dir/require_user_access.conf",
'user_mismatch_access' => "$conf_dir/mismatch_user_access.conf",
'multi_src_access' => "$conf_dir/multi_source_match_access.conf",
'ip_src_match' => "$conf_dir/ip_source_match_access.conf",
'subnet_src_match' => "$conf_dir/ip_source_match_access.conf",
+ 'rc_file_def_key' => "$conf_dir/fwknoprc_with_default_key",
+ 'rc_file_def_b64_key' => "$conf_dir/fwknoprc_with_default_base64_key",
+ 'rc_file_named_key' => "$conf_dir/fwknoprc_named_key",
+ 'rc_file_invalid_b64_key' => "$conf_dir/fwknoprc_invalid_base64_key",
+ 'rc_file_hmac_b64_key' => "$conf_dir/fwknoprc_default_hmac_base64_key",
+ 'base64_key_access' => "$conf_dir/base64_key_access.conf",
'disable_aging' => "$conf_dir/disable_aging_fwknopd.conf",
+ 'disable_aging_nat' => "$conf_dir/disable_aging_nat_fwknopd.conf",
'fuzz_source' => "$conf_dir/fuzzing_source_access.conf",
'fuzz_open_ports' => "$conf_dir/fuzzing_open_ports_access.conf",
'fuzz_restrict_ports' => "$conf_dir/fuzzing_restrict_ports_access.conf",
my $non_std_spa_port = 12345;
my $spoof_user = 'testuser';
+
+my $valgrind_cov_dir = 'valgrind-coverage';
++
+ my $spoof_ip = '1.2.3.4';
+ my $perl_mod_fko_dir = 'FKO';
+ my $cmd_exec_test_file = '/tmp/fwknoptest';
+ my $default_key = 'fwknoptest';
#================== end config ===================
my $passed = 0;
my $anonymize_results = 0;
my $curr_test_file = "$output_dir/init";
my $tarfile = 'test_fwknop.tar.gz';
+my $key_gen_file = "$output_dir/key_gen";
+ my $fuzzing_pkts_file = 'fuzzing/fuzzing_spa_packets';
+ my $fuzzing_pkts_append = 0;
+ my $fuzzing_key = 'testtest';
+ my $fuzzing_num_pkts = 0;
+ my $fuzzing_test_tag = '';
+ my $fuzzing_class = 'bogus data';
+ my %fuzzing_spa_packets = ();
+ my $total_fuzzing_pkts = 0;
my $server_test_file = '';
my $use_valgrind = 0;
my $valgrind_str = '';
my $enable_all = 0;
my $saved_last_results = 0;
my $diff_mode = 0;
+ my $fko_obj = ();
my $enable_recompilation_warnings_check = 0;
+my $enable_profile_coverage_check = 0;
my $enable_make_distcheck = 0;
+ my $enable_perl_module_checks = 0;
+ my $enable_perl_module_fuzzing_spa_pkt_generation = 0;
my $sudo_path = '';
+my $gcov_path = '';
+ my $killall_path = '';
+ my $pinentry_fail = 0;
my $platform = '';
my $help = 0;
my $YES = 1;
'include=s' => \$test_include, ### synonym
'test-exclude=s' => \$test_exclude,
'exclude=s' => \$test_exclude, ### synonym
+ 'enable-perl-module-checks' => \$enable_perl_module_checks,
+ 'enable-perl-module-pkt-generation' => \$enable_perl_module_fuzzing_spa_pkt_generation,
+ 'fuzzing-pkts-file=s' => \$fuzzing_pkts_file,
+ 'fuzzing-pkts-append' => \$fuzzing_pkts_append,
+ 'fuzzing-test-tag=s' => \$fuzzing_test_tag,
+ 'fuzzing-class=s' => \$fuzzing_class,
'enable-recompile-check' => \$enable_recompilation_warnings_check,
+ 'enable-profile-coverage-check' => \$enable_profile_coverage_check,
'enable-ip-resolve' => \$enable_client_ip_resolve_test,
'enable-distcheck' => \$enable_make_distcheck,
- 'enable-all' => \$enable_all,
'List-mode' => \$list_mode,
+ 'test-limit=i' => \$test_limit,
'enable-valgrind' => \$use_valgrind,
+ 'enable-all' => \$enable_all,
'valgrind-path=s' => \$valgrindCmd,
'output-dir=s' => \$output_dir,
'diff' => \$diff_mode,
'server_conf' => $cf{'nat'},
'fatal' => $NO
},
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'ECB mode (tcp/22 ssh)',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "$default_client_args -M ecb",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'ecb_mode_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'CFB mode (tcp/22 ssh)',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "$default_client_args -M cfb",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'cfb_mode_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'CTR mode (tcp/22 ssh)',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "$default_client_args -M ctr",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'ctr_mode_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'OFB mode (tcp/22 ssh)',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "$default_client_args -M ofb",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'ofb_mode_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
+
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'mode mismatch (tcp/22 ssh)',
+ 'err_msg' => 'server accepted mismatch enc mode',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "$default_client_args -M ecb",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'def_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'server_positive_output_matches' => [qr/Decryption\sfailed/i],
+ 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+ 'fatal' => $NO
+ },
+ ### --pcap-file
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => '--pcap-file processing',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&process_pcap_file_directly,
+ 'cmdline' => '',
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd $default_server_conf_args " .
+ "--pcap-file $replay_pcap_file --foreground --verbose --verbose " .
+ "--verbose",
+ 'server_positive_output_matches' => [qr/Replay\sdetected/i,
+ qr/candidate\sSPA/, qr/0x0000\:\s+2b/],
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
+
{
'category' => 'Rijndael SPA',
'subcategory' => 'client+server',
'fatal' => $NO
},
+ ### command execution tests
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'command execution',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'function' => \&spa_cmd_exec_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ qq|$fwknopCmd --server-cmd "echo fwknoptest > $cmd_exec_test_file" | .
+ "-a $fake_ip -D $loopback_ip --get-key $local_key_file " .
+ "--verbose --verbose",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'def'} -a $cf{'cmd_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+ 'fatal' => $NO
+ },
+
{
'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'replay detection (Rijndael prefix)',
+ 'err_msg' => 'could not detect replay attack',
+ 'function' => \&replay_detection,
+ 'pkt_prefix' => 'U2FsdGVkX1',
+ 'cmdline' => $default_client_args,
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd $default_server_conf_args $intf_str",
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
'subcategory' => 'server',
'detail' => 'digest cache structure',
'err_msg' => 'improper digest cache structure',
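Review bot: The command-execution test's `'cmdline'` entry has the server run `echo fwknoptest > $cmd_exec_test_file`, and `$cmd_exec_test_file` is declared earlier in this diff as the fixed path `/tmp/fwknoptest`; a predictable name in a shared, world-writable directory written by the daemon (which presumably runs with elevated privileges in this suite — verify) can be pre-empted by whatever already sits at that path, and a file left over from a previous run would let `spa_cmd_exec_cycle` see stale content. Keeping the file under the suite's own output directory, as `$key_gen_file` already does, avoids both problems: `my $cmd_exec_test_file = "$output_dir/fwknoptest";`. `spa_cmd_exec_cycle` itself is outside the hunk, so whether it unlinks the file before the cycle and after checking it cannot be confirmed from here.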
--enable-recompile - Recompile fwknop sources and look for
compilation warnings.
--enable-valgrind - Run every test underneath valgrind.
+ --enable-ip-resolve - Enable client IP resolution (-R) test -
+ this requires internet access.
+ --enable-distcheck - Enable 'make dist' check.
+ --enable-perl-module-checks - Run a series of tests against libfko via
+ the perl FKO module.
+ --enable-perl-module-pkt-gen - Generate a series of fuzzing packets via
+ the perl FKO module (assumes a patched
+ libfko code to accept fuzzing values). The
+ generated packets are placed in:
+ $fuzzing_pkts_file
+ --enable-all - Enable tests that aren't enabled by
+ default, except that --enable-valgrind
+ must also be set if valgrind mode is
+ desired.
+ --fuzzing-pkts-file <file> - Specify path to fuzzing packet file.
+ --fuzzing-pkts-append - When generating new fuzzing packets,
+ append them to the fuzzing packets file.
--List - List test names.
+ --test-limit=<num> - Limit the number of tests that will run.
--loopback-intf=<intf> - Specify loopback interface name (default
depends on the OS where the test suite
is executed).
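Review bot: The usage text does not mention the new `--enable-profile-coverage-check`, `--fuzzing-test-tag=<tag>` and `--fuzzing-class=<class>` options that this commit adds to the Getopt list, unless they are documented in a part of the help text outside this hunk. Entries next to the other `--fuzzing-*` lines would be consistent, e.g. `--fuzzing-test-tag=<tag> - Tag recorded with generated fuzzing packets.`, with the exact wording taken from how `$fuzzing_test_tag` and `$fuzzing_class` are consumed, which this diff does not show. The documented `--enable-perl-module-pkt-gen` is only a prefix of the declared `enable-perl-module-pkt-generation` and resolves solely through Getopt::Long's default unique-prefix matching; spelling out the full name here, or declaring the short form as an explicit synonym the way `include=s` is, would make the documentation exact.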