[test suite] added GPG (password-required) HMAC tests, added --disable-valgrind argument
authorMichael Rash <mbr@cipherdyne.org>
Wed, 24 Apr 2013 01:56:41 +0000 (21:56 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Wed, 24 Apr 2013 01:56:41 +0000 (21:56 -0400)
test/conf/fwknoprc_gpg_hmac_key [new file with mode: 0644]
test/conf/gpg_hmac_access.conf [new file with mode: 0644]
test/test-fwknop.pl
test/tests/gpg_hmac.pl [new file with mode: 0644]

diff --git a/test/conf/fwknoprc_gpg_hmac_key b/test/conf/fwknoprc_gpg_hmac_key
new file mode 100644 (file)
index 0000000..142912f
--- /dev/null
@@ -0,0 +1,3 @@
+[default]
+HMAC_DIGEST_TYPE    sha256
+HMAC_KEY_BASE64     Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
diff --git a/test/conf/gpg_hmac_access.conf b/test/conf/gpg_hmac_access.conf
new file mode 100644 (file)
index 0000000..aa16258
--- /dev/null
@@ -0,0 +1,8 @@
+SOURCE: ANY;
+FW_ACCESS_TIMEOUT:  3;
+HMAC_DIGEST_TYPE:   sha256
+HMAC_KEY_BASE64:    Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+GPG_HOME_DIR: conf/server-gpg;
+GPG_DECRYPT_ID: 361BBAD4;
+GPG_DECRYPT_PW: fwknoptest;
+GPG_REMOTE_ID: 6A3FAD56;
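Review bot: The two new HMAC entries are the only lines in this access file without a trailing `;` — every other `KEY: value;` line, including the GPG ones copied from the existing GPG access conf, carries one. If the access.conf parser treats the terminator as optional this is only a consistency nit, but if it does not, `HMAC_DIGEST_TYPE`/`HMAC_KEY_BASE64` could be parsed differently from the rest of the file and the test would exercise a configuration that differs from what the fixture appears to say; I would append `;` to both lines (`HMAC_DIGEST_TYPE:   sha256;` and the `HMAC_KEY_BASE64:` line likewise) so the file is uniformly terminated either way. The same key/digest pair also appears in the client rc file, which is presumably intentional since both sides must share it.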
index 4de7c14..4184dc1 100755 (executable)
@@ -70,6 +70,7 @@ our %cf = (
     'dual_key_access'              => "$conf_dir/dual_key_usage_access.conf",
     'hmac_dual_key_access'         => "$conf_dir/hmac_dual_key_usage_access.conf",
     'gpg_access'                   => "$conf_dir/gpg_access.conf",
+    'gpg_hmac_access'              => "$conf_dir/gpg_hmac_access.conf",
     'legacy_iv_access'             => "$conf_dir/legacy_iv_access.conf",
     'gpg_no_pw_access'             => "$conf_dir/gpg_no_pw_access.conf",
     'gpg_no_pw_hmac_access'        => "$conf_dir/gpg_no_pw_hmac_access.conf",
@@ -103,6 +104,7 @@ our %cf = (
     'rc_invalid_b64_key'           => "$conf_dir/fwknoprc_invalid_base64_key",
     'rc_hmac_b64_key'              => "$conf_dir/fwknoprc_default_hmac_base64_key",
     'rc_hmac_b64_key2'             => "$conf_dir/fwknoprc_hmac_key2",
+    'rc_gpg_hmac_b64_key'          => "$conf_dir/fwknoprc_gpg_hmac_key",
     'rc_hmac_simple_key'           => "$conf_dir/fwknoprc_hmac_simple_keys",
     'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
     'rc_hmac_invalid_type'         => "$conf_dir/fwknoprc_hmac_invalid_type",
@@ -178,6 +180,7 @@ my @test_files = (
     "$tests_dir/gpg_no_pw.pl",
     "$tests_dir/gpg_no_pw_hmac.pl",
     "$tests_dir/gpg.pl",
+    "$tests_dir/gpg_hmac.pl",
 );
 #================== end config ===================
 
@@ -194,6 +197,7 @@ our @rijndael_fuzzing        = ();  ### from tests/rijndael_fuzzing.pl
 our @gpg_no_pw               = ();  ### from tests/gpg_now_pw.pl
 our @gpg_no_pw_hmac          = ();  ### from tests/gpg_now_pw_hmac.pl
 our @gpg                     = ();  ### from tests/gpg.pl
+our @gpg_hmac                = ();  ### from tests/gpg_hmac.pl
 our @perl_FKO_module         = ();  ### from tests/perl_FKO_module.pl
 our @python_fko              = ();  ### from tests/python_fko.pl
 our @rijndael_backwards_compatibility = ();  ### from tests/rijndael_backwards_compatibility.pl
@@ -228,6 +232,7 @@ my %fuzzing_spa_packets = ();
 my $total_fuzzing_pkts = 0;
 my $server_test_file  = '';
 my $enable_valgrind = 0;
+my $disable_valgrind = 0;
 our $valgrind_str = '';
 my %prev_valgrind_cov = ();
 my %prev_valgrind_file_titles = ();
@@ -326,6 +331,7 @@ exit 1 unless GetOptions(
     'List-mode'         => \$list_mode,
     'test-limit=i'      => \$test_limit,
     'enable-valgrind'   => \$enable_valgrind,
+    'disable-valgrind'  => \$disable_valgrind,
     'enable-all'        => \$enable_all,
     'valgrind-path=s'   => \$valgrind_path,
     ### can set the following to "output.last/valgrind-coverage" if
@@ -350,6 +356,8 @@ if ($enable_all) {
     $enable_openssl_compatibility_tests = 1;
 }
 
+$enable_valgrind = 0 if $disable_valgrind;
+
 ### create an anonymized tar file of test suite results that can be
 ### emailed around to assist in debugging fwknop communications
 exit &anonymize_results() if $anonymize_results;
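Review bot: `$enable_valgrind = 0 if $disable_valgrind;` silently lets `--disable-valgrind` win when the user also passes `--enable-valgrind` explicitly, so a contradictory command line runs without valgrind and without any message. The enclosing `if ($enable_all) {` block starts outside the hunk; if, as the usage text suggests, that block is what turns `$enable_valgrind` on for `--enable-all`, then a check placed before that block sees only the explicit flag and can reject the contradiction: `die "[*] --enable-valgrind and --disable-valgrind are mutually exclusive\n" if $enable_valgrind and $disable_valgrind;`. The override line itself can stay where it is to cover the `--enable-all` case.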
@@ -415,6 +423,11 @@ our $default_server_gpg_args_no_pw = "LD_LIBRARY_PATH=$lib_dir " .
     "-a $cf{'gpg_no_pw_access'} $intf_str " .
     "-d $default_digest_file -p $default_pid_file";
 
+our $default_server_gpg_args_hmac = "LD_LIBRARY_PATH=$lib_dir " .
+    "$valgrind_str $fwknopdCmd -c $cf{'def'} " .
+    "-a $cf{'gpg_hmac_access'} $intf_str " .
+    "-d $default_digest_file -p $default_pid_file";
+
 our $default_server_gpg_args_no_pw_hmac = "LD_LIBRARY_PATH=$lib_dir " .
     "$valgrind_str $fwknopdCmd -c $cf{'def'} " .
     "-a $cf{'gpg_no_pw_hmac_access'} $intf_str " .
@@ -466,6 +479,7 @@ my @tests = (
     @gpg_no_pw,
     @gpg_no_pw_hmac,
     @gpg,
+    @gpg_hmac,
 );
 
 my %test_keys = (
@@ -1113,10 +1127,10 @@ sub client_send_spa_packet() {
 
         if ($is_hmac_type and $hmac_key) {
             my $enc_mode = $ENC_RIJNDAEL;
-            $enc_mode = $ENC_GPG if $test_hr->{'msg'} =~ /GPG\s/;
+            $enc_mode = $ENC_GPG if $test_hr->{'msg'} =~ /GPG/;
             unless (&openssl_hmac_verification($encrypted_msg,
                     $encoded_msg, '', $hmac_key, $b64_decode_key,
-                    $hmac_digest, $hmac_mode)) {
+                    $hmac_digest, $hmac_mode, $enc_mode)) {
                 $rv = 0;
             }
         }
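Review bot: The loosened `$test_hr->{'msg'} =~ /GPG/` selects GPG mode for any message containing the substring, not just the `GPG` / `GPG+HMAC` categories; a test in another category whose detail text happens to mention GPG would be verified with the wrong mode. I cannot see how `msg` is composed, but if the category is its leading component, anchoring (`/^GPG/`) or a word boundary (`/\bGPG\b/`) would keep the match tied to the category while still matching `GPG+HMAC`. client_send_spa_packet continues outside the hunk on both sides.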
@@ -4197,9 +4211,13 @@ sub openssl_hmac_verification() {
         $hmac_key = $tmp_key;
     }
 
+    my $enc_mode_str = 'Rijndael';
+    $enc_mode_str = 'GPG' if $enc_mode == $ENC_GPG;
+
     &write_test_file("[+] OpenSSL HMAC $hmac_mode verification, (encoded msg: " .
         "$encoded_msg) (access: $access_msg), hmac_key: $tmp_key, " .
-        "encrypted+encoded msg: $encrypted_msg, hmac_digest: $hmac_digest\n",
+        "encrypted+encoded msg: $encrypted_msg, hmac_digest: $hmac_digest, " .
+        "enc_mode: $enc_mode_str\n",
         $curr_test_file);
 
     if ($hmac_key =~ /\s/ and not $openssl_hmac_hexkey_supported) {
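Review bot: `$enc_mode` is now compared numerically (`$enc_mode == $ENC_GPG` here and `$enc_mode == $ENC_RIJNDAEL` in the next hunk of this sub), whereas the old code only tested its truthiness; any caller that still passes seven arguments leaves `$enc_mode` undef, which produces a "Use of uninitialized value" warning and makes the branch taken depend on whether `$ENC_RIJNDAEL` happens to be 0. The only call site updated in this commit is in client_send_spa_packet, so I cannot confirm there are no others; defaulting the parameter where `@_` is unpacked (outside the hunk) makes the sub safe either way: `$enc_mode = $ENC_RIJNDAEL unless defined $enc_mode;`. The `$enc_mode_str` mapping added here would then also be correct for legacy callers.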
@@ -4227,7 +4245,7 @@ sub openssl_hmac_verification() {
     }
 
     ### transform encrypted message into the format that openssl expects
-    if ($enc_mode) {
+    if ($enc_mode == $ENC_RIJNDAEL) {
         $enc_msg_without_hmac = 'U2FsdGVkX1' . $enc_msg_without_hmac
             unless $enc_msg_without_hmac =~ /^U2FsdGVkX1/;
     } else {
@@ -5549,6 +5567,9 @@ sub usage() {
     --enable-recompile             - Recompile fwknop sources and look for
                                      compilation warnings.
     --enable-valgrind              - Run every test underneath valgrind.
+    --disable-valgrind             - Disable valgrind mode (useful sometimes
+                                     when --enable-all is used to have
+                                     everything except for valgrind enabled).
     --enable-ip-resolve            - Enable client IP resolution (-R) test -
                                      this requires internet access.
     --enable-distcheck             - Enable 'make dist' check.
diff --git a/test/tests/gpg_hmac.pl b/test/tests/gpg_hmac.pl
new file mode 100644 (file)
index 0000000..a786e6f
--- /dev/null
@@ -0,0 +1,124 @@
+@gpg_hmac = (
+
+    ### GPG testing (with passwords associated with keys) - first check to
+    ### see if pinentry is required and disable remaining GPG tests if so
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'pinentry not required',
+        'function' => \&gpg_pinentry_check,
+        'cmdline'  => $default_client_gpg_args,
+        'fatal'    => $NO
+    },
+
+    ### no password GPG testing
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle (tcp/22 ssh)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_gpg_args "
+            . "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle (tcp/23 telnet)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
+            "$local_key_file --verbose --verbose " .
+            "--gpg-recipient-key $gpg_server_key " .
+            "--gpg-signer-key $gpg_client_key " .
+            "--gpg-home-dir $gpg_client_home_dir " .
+            "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle (tcp/9418 git)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
+            "$local_key_file --verbose --verbose " .
+            "--gpg-recipient-key $gpg_server_key " .
+            "--gpg-signer-key $gpg_client_key " .
+            "--gpg-home-dir $gpg_client_home_dir " .
+            "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle (tcp/60001 git)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
+            "$local_key_file --verbose --verbose " .
+            "--gpg-recipient-key $gpg_server_key " .
+            "--gpg-signer-key $gpg_client_key " .
+            "--gpg-home-dir $gpg_client_home_dir " .
+            "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'complete cycle (udp/53 dns)',
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
+            "$local_key_file --verbose --verbose " .
+            "--gpg-recipient-key $gpg_server_key " .
+            "--gpg-signer-key $gpg_client_key " .
+            "--gpg-home-dir $gpg_client_home_dir " .
+            "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'replay attack detection',
+        'function' => \&replay_detection,
+        'cmdline'  => "$default_client_gpg_args "
+            . "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'key_file' => $cf{'rc_gpg_hmac_b64_key'},
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'GPG+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'detect replay #1 (GnuPG prefix)',
+        'function' => \&replay_detection,
+        'pkt_prefix' => 'hQ',
+        'cmdline'  => "$default_client_gpg_args " .
+            "--gpg-home-dir $gpg_client_home_dir " .
+            "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
+        'fwknopd_cmdline'  => $default_server_gpg_args_hmac,
+        'replay_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
+        'fatal'    => $NO
+    },
+);
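Review bot: The comment `### no password GPG testing` above the first `spa_cycle` entry is inherited from the no-password test file and is wrong here — these tests run against `gpg_hmac_access.conf`, which sets `GPG_DECRYPT_PW`, and the commit title describes them as password-required; I would change it to `### password-protected GPG key + HMAC testing`. The `detail` for the tcp/60001 entry reads `complete cycle (tcp/60001 git)`, which is a copy of the tcp/9418 label; `complete cycle (tcp/60001)` avoids a misleading test name in the results output. The leading comment (`### GPG testing (with passwords associated with keys) - first check to see if pinentry is required ...`) is accurate and worth keeping as the file's header.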