[test suite] added HMAC key tests
authorMichael Rash <mbr@cipherdyne.org>
Wed, 13 Mar 2013 02:18:43 +0000 (22:18 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Wed, 13 Mar 2013 02:18:43 +0000 (22:18 -0400)
25 files changed:
test/conf/fwknoprc_hmac_md5_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_md5_long_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_md5_short_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha1_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha1_long_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha1_short_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha256_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha256_long_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha256_short_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha384_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha384_long_key [new file with mode: 0644]
test/conf/fwknoprc_hmac_sha384_short_key [new file with mode: 0644]
test/conf/hmac_md5_access.conf
test/conf/hmac_md5_long_key_access.conf [new file with mode: 0644]
test/conf/hmac_md5_short_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha1_long_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha1_short_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha256_access.conf [new file with mode: 0644]
test/conf/hmac_sha256_long_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha256_short_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha384_access.conf
test/conf/hmac_sha384_long_key_access.conf [new file with mode: 0644]
test/conf/hmac_sha384_short_key_access.conf [new file with mode: 0644]
test/test-fwknop.pl
test/tests/rijndael_hmac.pl

diff --git a/test/conf/fwknoprc_hmac_md5_key b/test/conf/fwknoprc_hmac_md5_key
new file mode 100644 (file)
index 0000000..307103e
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    md5
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64     sVwJFvtWp7/IkTsKfcRbKQ==
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
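Review bot: The only lines that differ between this fixture and the eleven sibling fwknoprc_hmac_* files added by this commit are `HMAC_DIGEST_TYPE`, `KEY_BASE64` and `HMAC_KEY_BASE64`; the remaining 70 lines are the stock client rc template, copied twelve times together with its spelling slips (`typicaly`, `resoved`, `build-in`, `for these parameter`) and the trailing blank on two of the comment lines. Trimming each fixture to the `[default]` stanza plus the three live settings would make the per-file difference visible at a glance and make a wrong key or digest name hard to miss in review. If the header is kept, fixing the spelling once before it is replicated is cheaper than fixing it in twelve files later.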
diff --git a/test/conf/fwknoprc_hmac_md5_long_key b/test/conf/fwknoprc_hmac_md5_long_key
new file mode 100644 (file)
index 0000000..45014f2
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    md5
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64     d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_md5_short_key b/test/conf/fwknoprc_hmac_md5_short_key
new file mode 100644 (file)
index 0000000..f7c3d05
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    md5
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
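Review bot: `HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==` carries a trailing colon on the keyword, whereas the md5 and md5_long fixtures in this commit write `HMAC_KEY_BASE64     ...` with no colon and every other setting in the file is a bare keyword followed by whitespace. The same colon form appears in the sha1_key, sha1_short_key, all three sha256 and all three sha384 fixtures. I cannot tell from this commit whether the rc parser tolerates `KEYWORD:`; if it does not, these fixtures load with no HMAC key at all, and a test that expects an HMAC-authenticated exchange to succeed would then be passing or failing for the wrong reason. Normalizing the line to `HMAC_KEY_BASE64     QQBwGf0bkZmBUA==` removes the doubt either way.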
diff --git a/test/conf/fwknoprc_hmac_sha1_key b/test/conf/fwknoprc_hmac_sha1_key
new file mode 100644 (file)
index 0000000..314996f
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha1
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
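Review bot: This sha1 "key" fixture sets the 10-byte short key `QQBwGf0bkZmBUA==`, and its blob id in the `index` line (`314996f`) is the same as the one for fwknoprc_hmac_sha1_short_key, so the two files are byte-for-byte identical. A test driven by this file therefore cannot differ from the short-key test: whatever the short-key case is meant to exercise runs twice, and a standard-length HMAC key is never exercised for sha1. Give this file its own key — the 16-byte `sVwJFvtWp7/IkTsKfcRbKQ==` used by fwknoprc_hmac_md5_key would keep it consistent with the md5 fixture — and leave the short value only in the short_key file.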
diff --git a/test/conf/fwknoprc_hmac_sha1_long_key b/test/conf/fwknoprc_hmac_sha1_long_key
new file mode 100644 (file)
index 0000000..229b261
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha1
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64     d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_sha1_short_key b/test/conf/fwknoprc_hmac_sha1_short_key
new file mode 100644 (file)
index 0000000..314996f
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha1
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_sha256_key b/test/conf/fwknoprc_hmac_sha256_key
new file mode 100644 (file)
index 0000000..7f657a3
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha256
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
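Review bot: The three sha256 fixtures (this one, fwknoprc_hmac_sha256_long_key and fwknoprc_hmac_sha256_short_key) all carry the blob id `7f657a3` in their `index` lines and all set the same 172-character base64 `HMAC_KEY_BASE64` value, which is the long key the md5_long_key and sha1_long_key fixtures use. The "short key" file is therefore not short and the "key" file is the long key, so short-key behaviour for sha256 goes untested and two of the three tests duplicate each other. I would expect this file to carry a standard-length key and the short_key file to carry `QQBwGf0bkZmBUA==` as the sha1 and sha384 short fixtures do.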
diff --git a/test/conf/fwknoprc_hmac_sha256_long_key b/test/conf/fwknoprc_hmac_sha256_long_key
new file mode 100644 (file)
index 0000000..7f657a3
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha256
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_sha256_short_key b/test/conf/fwknoprc_hmac_sha256_short_key
new file mode 100644 (file)
index 0000000..7f657a3
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha256
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_sha384_key b/test/conf/fwknoprc_hmac_sha384_key
new file mode 100644 (file)
index 0000000..06ed114
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha384
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    4BzQKdhUpy3ijTbjQmrrl4sMX0cOFqUz+Yq/ET3dDuzS1OH7omsFzra649fLuTLEGQy8u9Mt7XKscMIvv6MqmARI892r0U57QYtKWlilbzJhLNKhF6+vpBKC+6ArZD/OzFUHB/oREch8I8QR/nCCpxrzjca5BN/KAdAOi3xvX1Q=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
diff --git a/test/conf/fwknoprc_hmac_sha384_long_key b/test/conf/fwknoprc_hmac_sha384_long_key
new file mode 100644 (file)
index 0000000..c68f212
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha384
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QrsLAq6NWmPKBiDF4dwfAUDz7XsTz7lgVNFyBsRhDzgBc9HCN6j5s1NaLu7D2gG7AcawOwt3GHtwmbcQqY2I5FkgrCg4rfO4kIj9w835WGka5RgXovbcGTO06MWOcijsB6WS9FRlZNENMLKPM2KjKjtYMxrZrAYjOrLmKYd5EPI=
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
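Review bot: Both sha384 fixtures set `HMAC_KEY_BASE64` values of 172 base64 characters with one pad character, i.e. 128 bytes if I count correctly, so the "long key" file is not actually longer than the "key" file. For HMAC-SHA384 the underlying hash has a 128-byte block, so a 128-byte key is exactly block-sized and does not take the longer-than-block path in which HMAC first hashes the key down to a digest — the path the same 128-byte key does exercise for md5, sha1 and sha256, whose block is 64 bytes. If the long-key test is meant to cover that path for sha384, this fixture needs a key of more than 128 bytes; if it is only meant to check that a large key is accepted, a comment above the `HMAC_KEY_BASE64` line saying so would stop the next reader from expecting more.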
diff --git a/test/conf/fwknoprc_hmac_sha384_short_key b/test/conf/fwknoprc_hmac_sha384_short_key
new file mode 100644 (file)
index 0000000..7da41f0
--- /dev/null
@@ -0,0 +1,73 @@
+# .fwknoprc
+##############################################################################
+#
+# Firewall Knock Operator (fwknop) client rc file.
+#
+# This file contains user-specific fwknop client configuration default
+# and named parameter sets for specific invocations of the fwknop client.
+#
+# Each section (or stanza) is identified and started by a line in this
+# file that contains a single identifier surrounded by square brackets.
+#
+# The parameters within the stanza typicaly match corresponding client 
+# command-line parameters.
+#
+# The first one should always be `[default]' as it defines the global
+# default settings for the user. These override the program defaults
+# for these parameter.  If a named stanza is used, its entries will
+# override any of the default.  Command-line options will trump them
+# all.
+#
+# Subsequent stanzas will have only the overriding and destination
+# specific parameters.
+#
+# Lines starting with `#' and empty lines are ignored.
+#
+# See the fwknop.8 man page for a complete list of valid parameters
+# and their values.
+#
+##############################################################################
+#
+# We start with the 'default' stanza.  Uncomment and edit for your
+# preferences.  The client will use its build-in default for those items
+# that are commented out.
+#
+[default]
+
+#DIGEST_TYPE         sha256
+#FW_TIMEOUT          30
+#SPA_SERVER_PORT     62201
+#SPA_SERVER_PROTO    udp
+#ALLOW_IP            <ip addr>
+#SPOOF_USER          <username>
+#SPOOF_SOURCE_IP     <IPaddr>
+#TIME_OFFSET         0
+#USE_GPG             N
+#GPG_HOMEDIR         /path/to/.gnupg
+#GPG_SIGNER          <signer ID>
+#GPG_RECIPIENT       <recipient ID>
+HMAC_DIGEST_TYPE    sha384
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+
+# User-provided named stanzas:
+
+# Example for a destination server of 192.168.1.20 to open access to 
+# SSH for an IP that is resoved externally, and one with a NAT request
+# for a specific source IP that maps port 8088 on the server
+# to port 88 on 192.168.1.55 with timeout.
+#
+#[myssh]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/22
+#ALLOW_IP            resolve
+#
+#[mynatreq]
+#SPA_SERVER          192.168.1.20
+#ACCESS              tcp/8088
+#ALLOW_IP            10.21.2.6
+#NAT_ACCESS          192.168.1.55,88
+#CLIENT_TIMEOUT      60
+#
+
+###EOF###
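Review bot: The `HMAC_KEY_BASE64:` line that closes the new `[default]` stanza carries a trailing colon while `KEY_BASE64` and `HMAC_DIGEST_TYPE` on the two lines above it do not, so one stanza mixes two directive styles; the preceding new rc file `fwknoprc_hmac_sha384_long_key` has the same mix. If the client's rc parser strips a trailing colon this is cosmetic, but if it does not the parameter name will not match and the HMAC key will not be loaded from this file, which the test would surface as a server-side HMAC failure rather than a fixture problem. I would write it as `HMAC_KEY_BASE64     QQBwGf0bkZmBUA==` to match its neighbours in both files.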
index bad0bb0..e1df6b1 100644 (file)
@@ -1,5 +1,5 @@
 SOURCE: ANY;
 KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
-HMAC_KEY_BASE64:    Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+HMAC_KEY_BASE64:    sVwJFvtWp7/IkTsKfcRbKQ==
 HMAC_DIGEST_TYPE    md5;
 FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_md5_long_key_access.conf b/test/conf/hmac_md5_long_key_access.conf
new file mode 100644 (file)
index 0000000..59f59ed
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+HMAC_DIGEST_TYPE:   md5;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_md5_short_key_access.conf b/test/conf/hmac_md5_short_key_access.conf
new file mode 100644 (file)
index 0000000..36d9f5a
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+HMAC_DIGEST_TYPE    md5;
+FW_ACCESS_TIMEOUT:  3;
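Review bot: `HMAC_DIGEST_TYPE    md5;` is the only directive in this new file without the trailing colon, and the sibling `hmac_sha1_short_key_access.conf` and `hmac_sha384_short_key_access.conf` added in this commit write `HMAC_DIGEST_TYPE:   sha1;` and `HMAC_DIGEST_TYPE:   sha384;`. The existing `hmac_md5_access.conf` carries the same omission as a pre-existing context line, which suggests the access-file parser tolerates it, but a new fixture should not rely on that. Use `HMAC_DIGEST_TYPE:   md5;`.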
diff --git a/test/conf/hmac_sha1_long_key_access.conf b/test/conf/hmac_sha1_long_key_access.conf
new file mode 100644 (file)
index 0000000..f2f4c5a
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+HMAC_DIGEST_TYPE:   sha1;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha1_short_key_access.conf b/test/conf/hmac_sha1_short_key_access.conf
new file mode 100644 (file)
index 0000000..76000dd
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+HMAC_DIGEST_TYPE:   sha1;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha256_access.conf b/test/conf/hmac_sha256_access.conf
new file mode 100644 (file)
index 0000000..a1d4770
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+HMAC_DIGEST_TYPE:   sha256;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha256_long_key_access.conf b/test/conf/hmac_sha256_long_key_access.conf
new file mode 100644 (file)
index 0000000..a1d4770
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+HMAC_DIGEST_TYPE:   sha256;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha256_short_key_access.conf b/test/conf/hmac_sha256_short_key_access.conf
new file mode 100644 (file)
index 0000000..a1d4770
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    d6F/uWTZmjqYorNkEKWl3TnVUiRNTCFijv3RclV+p8K0T5mU3co9Lz/hlDU/RxwFXLdDQGWEzRTk7O+8G59aVOEHUIME95KdrALQf2z4sLjsrNzOZdjfZVYRpcp1rYRsAdJmeT7K0G5B2WKmI8t6srwPVQJty9CDn6pAqqg6Oek=
+HMAC_DIGEST_TYPE:   sha256;
+FW_ACCESS_TIMEOUT:  3;
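Review bot: `hmac_sha256_short_key_access.conf` does not contain a short key: its `HMAC_KEY_BASE64` is the same 128-byte `d6F/…Oek=` value used by the long-key fixtures, and its blob id `a1d4770` is identical to both `hmac_sha256_access.conf` and `hmac_sha256_long_key_access.conf`, so the three new files are byte-for-byte the same. The `complete cycle SHA256 (short key)` test pairs this file with `fwknoprc_hmac_sha256_short_key` on the client side; if that rc file holds the 10-byte `QQBwGf0bkZmBUA==` key like the other `*_short_key` rc files, fwknopd will reject the HMAC of every SPA packet and the test cannot pass, and if it holds the long key the test does not exercise the short-key path it is named for. The fix is the single line `HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==`, matching the md5, sha1 and sha384 short-key access files.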
index b41baff..b491b65 100644 (file)
@@ -1,5 +1,5 @@
 SOURCE: ANY;
 KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
-HMAC_KEY_BASE64:    Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+HMAC_KEY_BASE64:    4BzQKdhUpy3ijTbjQmrrl4sMX0cOFqUz+Yq/ET3dDuzS1OH7omsFzra649fLuTLEGQy8u9Mt7XKscMIvv6MqmARI892r0U57QYtKWlilbzJhLNKhF6+vpBKC+6ArZD/OzFUHB/oREch8I8QR/nCCpxrzjca5BN/KAdAOi3xvX1Q=
 HMAC_DIGEST_TYPE:   sha384;
 FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha384_long_key_access.conf b/test/conf/hmac_sha384_long_key_access.conf
new file mode 100644 (file)
index 0000000..a1f5287
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QrsLAq6NWmPKBiDF4dwfAUDz7XsTz7lgVNFyBsRhDzgBc9HCN6j5s1NaLu7D2gG7AcawOwt3GHtwmbcQqY2I5FkgrCg4rfO4kIj9w835WGka5RgXovbcGTO06MWOcijsB6WS9FRlZNENMLKPM2KjKjtYMxrZrAYjOrLmKYd5EPI=
+HMAC_DIGEST_TYPE:   sha384;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/hmac_sha384_short_key_access.conf b/test/conf/hmac_sha384_short_key_access.conf
new file mode 100644 (file)
index 0000000..04e3a21
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: ANY;
+KEY_BASE64:         wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64:    QQBwGf0bkZmBUA==
+HMAC_DIGEST_TYPE:   sha384;
+FW_ACCESS_TIMEOUT:  3;
index 6891199..edc17ef 100755 (executable)
@@ -25,69 +25,95 @@ our $gpg_client_home_dir = "$conf_dir/client-gpg";
 our $gpg_client_home_dir_no_pw = "$conf_dir/client-gpg-no-pw";
 our $replay_pcap_file = "$conf_dir/spa_replay.pcap";
 
-our $lib_dir        = '../lib/.libs';
+our $lib_dir = '../lib/.libs';
+
 our %cf = (
-    'nat'                     => "$conf_dir/nat_fwknopd.conf",
-    'def'                     => "$conf_dir/default_fwknopd.conf",
-    'def_access'              => "$conf_dir/default_access.conf",
-    'hmac_access'             => "$conf_dir/hmac_access.conf",
-    'hmac_md5_access'         => "$conf_dir/hmac_md5_access.conf",
-    'hmac_sha1_access'        => "$conf_dir/hmac_sha1_access.conf",
-    'hmac_sha384_access'      => "$conf_dir/hmac_sha384_access.conf",
-    'hmac_sha512_access'      => "$conf_dir/hmac_sha512_access.conf",
-    'hmac_simple_keys_access' => "$conf_dir/hmac_simple_keys_access.conf",
-    'hmac_invalid_type_access' => "$conf_dir/hmac_invalid_type_access.conf",
-    'exp_access'              => "$conf_dir/expired_stanza_access.conf",
-    'future_exp_access'       => "$conf_dir/future_expired_stanza_access.conf",
-    'exp_epoch_access'        => "$conf_dir/expired_epoch_stanza_access.conf",
-    'invalid_exp_access'      => "$conf_dir/invalid_expire_access.conf",
-    'force_nat_access'        => "$conf_dir/force_nat_access.conf",
-    'cmd_access'              => "$conf_dir/cmd_access.conf",
-    'local_nat'               => "$conf_dir/local_nat_fwknopd.conf",
-    'ipfw_active_expire'      => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
-    'android_access'          => "$conf_dir/android_access.conf",
-    'android_legacy_iv_access' => "$conf_dir/android_legacy_iv_access.conf",
-    'dual_key_access'         => "$conf_dir/dual_key_usage_access.conf",
-    'hmac_dual_key_access'    => "$conf_dir/hmac_dual_key_usage_access.conf",
-    'gpg_access'              => "$conf_dir/gpg_access.conf",
-    'legacy_iv_access'        => "$conf_dir/legacy_iv_access.conf",
-    'gpg_no_pw_access'        => "$conf_dir/gpg_no_pw_access.conf",
-    'tcp_server'              => "$conf_dir/tcp_server_fwknopd.conf",
-    'tcp_pcap_filter'         => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
-    'icmp_pcap_filter'        => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
-    'open_ports_access'       => "$conf_dir/open_ports_access.conf",
-    'multi_gpg_access'        => "$conf_dir/multi_gpg_access.conf",
-    'multi_gpg_no_pw_access'  => "$conf_dir/multi_gpg_no_pw_access.conf",
-    'multi_stanza_access'     => "$conf_dir/multi_stanzas_access.conf",
-    'broken_keys_access'      => "$conf_dir/multi_stanzas_with_broken_keys.conf",
-    'ecb_mode_access'         => "$conf_dir/ecb_mode_access.conf",
-    'ctr_mode_access'         => "$conf_dir/ctr_mode_access.conf",
-    'cfb_mode_access'         => "$conf_dir/cfb_mode_access.conf",
-    'ofb_mode_access'         => "$conf_dir/ofb_mode_access.conf",
-    'open_ports_mismatch'     => "$conf_dir/mismatch_open_ports_access.conf",
-    'require_user_access'     => "$conf_dir/require_user_access.conf",
-    'user_mismatch_access'    => "$conf_dir/mismatch_user_access.conf",
-    'require_src_access'      => "$conf_dir/require_src_access.conf",
-    'invalid_src_access'      => "$conf_dir/invalid_source_access.conf",
-    'no_src_match'            => "$conf_dir/no_source_match_access.conf",
-    'no_subnet_match'         => "$conf_dir/no_subnet_source_match_access.conf",
-    'no_multi_src'            => "$conf_dir/no_multi_source_match_access.conf",
-    'multi_src_access'        => "$conf_dir/multi_source_match_access.conf",
-    'ip_src_match'            => "$conf_dir/ip_source_match_access.conf",
-    'subnet_src_match'        => "$conf_dir/ip_source_match_access.conf",
-    'rc_def_key'              => "$conf_dir/fwknoprc_with_default_key",
-    'rc_def_b64_key'          => "$conf_dir/fwknoprc_with_default_base64_key",
-    'rc_named_key'            => "$conf_dir/fwknoprc_named_key",
-    'rc_invalid_b64_key'      => "$conf_dir/fwknoprc_invalid_base64_key",
-    'rc_hmac_b64_key'         => "$conf_dir/fwknoprc_default_hmac_base64_key",
-    'rc_hmac_simple_key'      => "$conf_dir/fwknoprc_hmac_simple_keys",
-    'rc_hmac_invalid_type'    => "$conf_dir/fwknoprc_hmac_invalid_type",
-    'base64_key_access'       => "$conf_dir/base64_key_access.conf",
-    'disable_aging'           => "$conf_dir/disable_aging_fwknopd.conf",
-    'disable_aging_nat'       => "$conf_dir/disable_aging_nat_fwknopd.conf",
-    'fuzz_source'             => "$conf_dir/fuzzing_source_access.conf",
-    'fuzz_open_ports'         => "$conf_dir/fuzzing_open_ports_access.conf",
-    'fuzz_restrict_ports'     => "$conf_dir/fuzzing_restrict_ports_access.conf",
+    'nat'                          => "$conf_dir/nat_fwknopd.conf",
+    'def'                          => "$conf_dir/default_fwknopd.conf",
+    'def_access'                   => "$conf_dir/default_access.conf",
+    'hmac_access'                  => "$conf_dir/hmac_access.conf",
+    'hmac_md5_access'              => "$conf_dir/hmac_md5_access.conf",
+    'hmac_md5_short_key_access'    => "$conf_dir/hmac_md5_short_key_access.conf",
+    'hmac_md5_long_key_access'     => "$conf_dir/hmac_md5_long_key_access.conf",
+    'hmac_sha1_access'             => "$conf_dir/hmac_sha1_access.conf",
+    'hmac_sha1_short_key_access'   => "$conf_dir/hmac_sha1_short_key_access.conf",
+    'hmac_sha1_long_key_access'    => "$conf_dir/hmac_sha1_long_key_access.conf",
+    'hmac_sha256_access'           => "$conf_dir/hmac_sha256_access.conf",
+    'hmac_sha256_short_key_access' => "$conf_dir/hmac_sha256_short_key_access.conf",
+    'hmac_sha256_long_key_access'  => "$conf_dir/hmac_sha256_long_key_access.conf",
+    'hmac_sha384_access'           => "$conf_dir/hmac_sha384_access.conf",
+    'hmac_sha384_short_key_access' => "$conf_dir/hmac_sha384_short_key_access.conf",
+    'hmac_sha384_long_key_access'  => "$conf_dir/hmac_sha384_long_key_access.conf",
+    'hmac_sha512_access'           => "$conf_dir/hmac_sha512_access.conf",
+    'hmac_sha512_short_key_access' => "$conf_dir/hmac_sha512_short_key_access.conf",
+    'hmac_simple_keys_access'      => "$conf_dir/hmac_simple_keys_access.conf",
+    'hmac_invalid_type_access'     => "$conf_dir/hmac_invalid_type_access.conf",
+    'exp_access'                   => "$conf_dir/expired_stanza_access.conf",
+    'future_exp_access'            => "$conf_dir/future_expired_stanza_access.conf",
+    'exp_epoch_access'             => "$conf_dir/expired_epoch_stanza_access.conf",
+    'invalid_exp_access'           => "$conf_dir/invalid_expire_access.conf",
+    'force_nat_access'             => "$conf_dir/force_nat_access.conf",
+    'cmd_access'                   => "$conf_dir/cmd_access.conf",
+    'local_nat'                    => "$conf_dir/local_nat_fwknopd.conf",
+    'ipfw_active_expire'           => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
+    'android_access'               => "$conf_dir/android_access.conf",
+    'android_legacy_iv_access'     => "$conf_dir/android_legacy_iv_access.conf",
+    'dual_key_access'              => "$conf_dir/dual_key_usage_access.conf",
+    'hmac_dual_key_access'         => "$conf_dir/hmac_dual_key_usage_access.conf",
+    'gpg_access'                   => "$conf_dir/gpg_access.conf",
+    'legacy_iv_access'             => "$conf_dir/legacy_iv_access.conf",
+    'gpg_no_pw_access'             => "$conf_dir/gpg_no_pw_access.conf",
+    'tcp_server'                   => "$conf_dir/tcp_server_fwknopd.conf",
+    'tcp_pcap_filter'              => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
+    'icmp_pcap_filter'             => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
+    'open_ports_access'            => "$conf_dir/open_ports_access.conf",
+    'multi_gpg_access'             => "$conf_dir/multi_gpg_access.conf",
+    'multi_gpg_no_pw_access'       => "$conf_dir/multi_gpg_no_pw_access.conf",
+    'multi_stanza_access'          => "$conf_dir/multi_stanzas_access.conf",
+    'broken_keys_access'           => "$conf_dir/multi_stanzas_with_broken_keys.conf",
+    'ecb_mode_access'              => "$conf_dir/ecb_mode_access.conf",
+    'ctr_mode_access'              => "$conf_dir/ctr_mode_access.conf",
+    'cfb_mode_access'              => "$conf_dir/cfb_mode_access.conf",
+    'ofb_mode_access'              => "$conf_dir/ofb_mode_access.conf",
+    'open_ports_mismatch'          => "$conf_dir/mismatch_open_ports_access.conf",
+    'require_user_access'          => "$conf_dir/require_user_access.conf",
+    'user_mismatch_access'         => "$conf_dir/mismatch_user_access.conf",
+    'require_src_access'           => "$conf_dir/require_src_access.conf",
+    'invalid_src_access'           => "$conf_dir/invalid_source_access.conf",
+    'no_src_match'                 => "$conf_dir/no_source_match_access.conf",
+    'no_subnet_match'              => "$conf_dir/no_subnet_source_match_access.conf",
+    'no_multi_src'                 => "$conf_dir/no_multi_source_match_access.conf",
+    'multi_src_access'             => "$conf_dir/multi_source_match_access.conf",
+    'ip_src_match'                 => "$conf_dir/ip_source_match_access.conf",
+    'subnet_src_match'             => "$conf_dir/ip_source_match_access.conf",
+    'rc_def_key'                   => "$conf_dir/fwknoprc_with_default_key",
+    'rc_def_b64_key'               => "$conf_dir/fwknoprc_with_default_base64_key",
+    'rc_named_key'                 => "$conf_dir/fwknoprc_named_key",
+    'rc_invalid_b64_key'           => "$conf_dir/fwknoprc_invalid_base64_key",
+    'rc_hmac_b64_key'              => "$conf_dir/fwknoprc_default_hmac_base64_key",
+    'rc_hmac_simple_key'           => "$conf_dir/fwknoprc_hmac_simple_keys",
+    'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
+    'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
+    'rc_hmac_md5_key'              => "$conf_dir/fwknoprc_hmac_md5_key",
+    'rc_hmac_md5_short_key'        => "$conf_dir/fwknoprc_hmac_md5_short_key",
+    'rc_hmac_md5_long_key'         => "$conf_dir/fwknoprc_hmac_md5_long_key",
+    'rc_hmac_sha1_key'             => "$conf_dir/fwknoprc_hmac_sha1_key",
+    'rc_hmac_sha1_short_key'       => "$conf_dir/fwknoprc_hmac_sha1_short_key",
+    'rc_hmac_sha1_long_key'        => "$conf_dir/fwknoprc_hmac_sha1_long_key",
+    'rc_hmac_sha256_key'           => "$conf_dir/fwknoprc_hmac_sha256_key",
+    'rc_hmac_sha256_short_key'     => "$conf_dir/fwknoprc_hmac_sha256_short_key",
+    'rc_hmac_sha256_long_key'      => "$conf_dir/fwknoprc_hmac_sha256_long_key",
+    'rc_hmac_sha384_key'           => "$conf_dir/fwknoprc_hmac_sha384_key",
+    'rc_hmac_sha384_short_key'     => "$conf_dir/fwknoprc_hmac_sha384_short_key",
+    'rc_hmac_sha384_long_key'      => "$conf_dir/fwknoprc_hmac_sha384_long_key",
+    'rc_hmac_sha512_key'           => "$conf_dir/fwknoprc_hmac_sha512_key",
+    'rc_hmac_sha512_short_key'     => "$conf_dir/fwknoprc_hmac_sha512_short_key",
+    'base64_key_access'            => "$conf_dir/base64_key_access.conf",
+    'disable_aging'                => "$conf_dir/disable_aging_fwknopd.conf",
+    'disable_aging_nat'            => "$conf_dir/disable_aging_nat_fwknopd.conf",
+    'fuzz_source'                  => "$conf_dir/fuzzing_source_access.conf",
+    'fuzz_open_ports'              => "$conf_dir/fuzzing_open_ports_access.conf",
+    'fuzz_restrict_ports'          => "$conf_dir/fuzzing_restrict_ports_access.conf",
 );
 
 our $default_digest_file = "$run_dir/digest.cache";
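Review bot: `'rc_hmac_invalid_type'` appears twice in the rebuilt `%cf` hash, on two adjacent lines after `rc_hmac_simple_key`; Perl silently keeps the last one, so it is harmless today, but it reads as a copy/paste slip and will hide a real typo later, so drop one. Separately, `hmac_sha512_short_key_access`, `rc_hmac_sha512_key` and `rc_hmac_sha512_short_key` point at `hmac_sha512_short_key_access.conf`, `fwknoprc_hmac_sha512_key` and `fwknoprc_hmac_sha512_short_key`, none of which is among the 25 files this commit touches, while the SHA512 entries added to `rijndael_hmac.pl` depend on all three. Unless those fixtures already exist in the tree, those tests will fail on a missing rc or access file; either add the fixtures in this commit or hold the SHA512 entries back until they exist.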
@@ -4138,12 +4164,25 @@ sub validate_test_hashes() {
         $msg .= " [$test_hr->{'subcategory'}]" if $test_hr->{'subcategory'};
         $msg .= " $test_hr->{'detail'}";
         if (defined $uniq_test_msgs{$msg}) {
-            die "[*] Duplicate test message: $msg\n";
+            die "[*] Duplicate test message: $msg";
         } else {
             $uniq_test_msgs{$msg} = '';
         }
     }
 
+    ### if 'key_file' is defined, then ensure the client command line
+    ### references the same file
+    for my $test_hr (@tests) {
+        my $msg = "[$test_hr->{'category'}]";
+        $msg .= " [$test_hr->{'subcategory'}]" if $test_hr->{'subcategory'};
+        $msg .= " $test_hr->{'detail'}";
+        if ($test_hr->{'key_file'}) {
+            unless ($test_hr->{'cmdline'} =~ /\s$test_hr->{'key_file'}\b/) {
+                die "[*] 'key_file' value not matched in " .
+                    "client command line for: $msg";
+            }
+        }
+    }
 
     return;
 }
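Review bot: The new `key_file` check interpolates a filesystem path straight into a regex, `/\s$test_hr->{'key_file'}\b/`, so the `.` in the path matches any character and any regex metacharacter in `$conf_dir` would make the pattern mis-compile or mis-match; quote it with `/\s\Q$test_hr->{'key_file'}\E\b/`. The loop also rebuilds `$msg` with the same three lines as the duplicate-message loop immediately above it, so the check could sit inside that first loop instead of a second pass over `@tests`. `validate_test_hashes` begins before this hunk.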
index f6e7fd1..e677916 100644 (file)
         'subcategory' => 'client+server',
         'detail'   => 'complete cycle MD5 (tcp/22 ssh)',
         'function' => \&spa_cycle,
-        'cmdline'  => "$default_client_hmac_args --hmac-digest-type md5",
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_md5_key'} --hmac-digest-type md5",
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
             "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_md5_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'fw_rule_created' => $NEW_RULE_REQUIRED,
         'fw_rule_removed' => $NEW_RULE_REMOVED,
-        'key_file' => $cf{'rc_hmac_b64_key'},
+        'key_file' => $cf{'rc_hmac_md5_key'},
         'fatal'    => $NO
     },
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
+        'detail'   => 'complete cycle MD5 (short key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_md5_short_key'} --hmac-digest-type md5",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_md5_short_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_md5_short_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle MD5 (long key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_md5_long_key'} --hmac-digest-type md5",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_md5_long_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_md5_long_key'},
+        'fatal'    => $NO
+    },
+
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
         'detail'   => 'complete cycle SHA1 (tcp/22 ssh)',
         'function' => \&spa_cycle,
         'cmdline'  => "$default_client_hmac_args --hmac-digest-type sha1",
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA1 (short key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha1_short_key'} --hmac-digest-type sha1",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha1_short_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha1_short_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA1 (long key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha1_long_key'} --hmac-digest-type sha1",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha1_long_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha1_long_key'},
+        'fatal'    => $NO
+    },
+
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
         'detail'   => 'complete cycle SHA256 (tcp/22 ssh)',
         'function' => \&spa_cycle,
         'cmdline'  => "$default_client_hmac_args --hmac-digest-type sha256",
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA256 (short key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha256_short_key'} --hmac-digest-type sha256",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha256_short_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha256_short_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA256 (long key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha256_long_key'} --hmac-digest-type sha256",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha256_long_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha256_long_key'},
+        'fatal'    => $NO
+    },
+
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
         'detail'   => 'complete cycle SHA384 (tcp/22 ssh)',
         'function' => \&spa_cycle,
         'cmdline'  => "$default_client_hmac_args --hmac-digest-type sha384",
         'key_file' => $cf{'rc_hmac_b64_key'},
         'fatal'    => $NO
     },
+
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA384 (short key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha384_short_key'} --hmac-digest-type sha384",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha384_short_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha384_short_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA384 (long key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha384_long_key'} --hmac-digest-type sha384",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha384_long_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha384_long_key'},
+        'fatal'    => $NO
+    },
+
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
         'detail'   => 'complete cycle SHA512 (tcp/22 ssh)',
         'function' => \&spa_cycle,
-        'cmdline'  => "$default_client_hmac_args --hmac-digest-type sha512",
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha512_key'} --hmac-digest-type sha512",
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
             "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha512_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'fw_rule_created' => $NEW_RULE_REQUIRED,
         'fw_rule_removed' => $NEW_RULE_REMOVED,
-        'key_file' => $cf{'rc_hmac_b64_key'},
+        'key_file' => $cf{'rc_hmac_sha512_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle SHA512 (short key)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args_no_get_key --rc-file " .
+            "$cf{'rc_hmac_sha512_short_key'} --hmac-digest-type sha512",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha512_short_key_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_sha512_short_key'},
         'fatal'    => $NO
     },
+
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client',