added test suite support for AES CTR, OFB, CFB, and ECB encryption modes
authorMichael Rash <mbr@cipherdyne.org>
Fri, 10 Feb 2012 20:09:27 +0000 (15:09 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Fri, 10 Feb 2012 20:09:27 +0000 (15:09 -0500)
client/config_init.c
server/access.c
test/conf/cfb_mode_access.conf [new file with mode: 0644]
test/conf/ctr_mode_access.conf [new file with mode: 0644]
test/conf/ofb_mode_access.conf [new file with mode: 0644]
test/test-fwknop.pl

index e97ea0e..2632abd 100644 (file)
@@ -64,7 +64,7 @@ enc_mode_strtoint(const char *enc_mode_str)
     else if(strcasecmp(enc_mode_str, "cfb") == 0)
         return(FKO_ENC_MODE_CFB);
     else if(strcasecmp(enc_mode_str, "pcbc") == 0)
-        return(FKO_ENC_MODE_PCBC);
+        return(-1); /* not supported yet */
     else if(strcasecmp(enc_mode_str, "ofb") == 0)
         return(FKO_ENC_MODE_OFB);
     else if(strcasecmp(enc_mode_str, "ctr") == 0)
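Review bot: The `pcbc` branch now returns a bare `-1`, and nothing in this hunk shows how callers of enc_mode_strtoint() treat a negative value. If any caller stores the result as the encryption mode without checking it, a `pcbc` setting would presumably be carried forward as an invalid mode instead of being rejected. The same change is made to the copy of this function in server/access.c (second hunk), so both call paths need that check. I would state the contract on the branch, e.g. `/* PCBC is recognised but not implemented: callers must treat a negative return as a fatal configuration error */`, and confirm that the function's final fallthrough return uses the same value. The function body starts and ends outside the hunk.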
index 15a6088..331a805 100644 (file)
@@ -144,7 +144,7 @@ enc_mode_strtoint(const char *enc_mode_str)
     else if(strcasecmp(enc_mode_str, "cfb") == 0)
         return(FKO_ENC_MODE_CFB);
     else if(strcasecmp(enc_mode_str, "pcbc") == 0)
-        return(FKO_ENC_MODE_PCBC);
+        return(-1);  /* not supported yet */
     else if(strcasecmp(enc_mode_str, "ofb") == 0)
         return(FKO_ENC_MODE_OFB);
     else if(strcasecmp(enc_mode_str, "ctr") == 0)
diff --git a/test/conf/cfb_mode_access.conf b/test/conf/cfb_mode_access.conf
new file mode 100644 (file)
index 0000000..9230298
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: ANY;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+ENCRYPTION_MODE: CFB;
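Review bot: This stanza pairs `SOURCE: ANY` with a passphrase that is published in the repository, and nothing in the file marks it as a fixture. The same holds for ctr_mode_access.conf and ofb_mode_access.conf, which differ only in `ENCRYPTION_MODE`. A leading comment such as `# test-suite fixture only: well-known key, accepts SPA packets from any source` would make it harder to copy one of these into a live access.conf by mistake.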
diff --git a/test/conf/ctr_mode_access.conf b/test/conf/ctr_mode_access.conf
new file mode 100644 (file)
index 0000000..ba4e393
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: ANY;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+ENCRYPTION_MODE: CTR;
diff --git a/test/conf/ofb_mode_access.conf b/test/conf/ofb_mode_access.conf
new file mode 100644 (file)
index 0000000..2ebc238
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: ANY;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+ENCRYPTION_MODE: OFB;
index e48ae2e..a5f0ab2 100755 (executable)
@@ -23,6 +23,9 @@ my $nat_conf            = "$conf_dir/nat_fwknopd.conf";
 my $default_conf        = "$conf_dir/default_fwknopd.conf";
 my $default_access_conf = "$conf_dir/default_access.conf";
 my $ecb_mode_access_conf = "$conf_dir/ecb_mode_access.conf";
+my $ctr_mode_access_conf = "$conf_dir/ctr_mode_access.conf";
+my $cfb_mode_access_conf = "$conf_dir/cfb_mode_access.conf";
+my $ofb_mode_access_conf = "$conf_dir/ofb_mode_access.conf";
 my $expired_access_conf = "$conf_dir/expired_stanza_access.conf";
 my $future_expired_access_conf = "$conf_dir/future_expired_stanza_access.conf";
 my $expired_epoch_access_conf = "$conf_dir/expired_epoch_stanza_access.conf";
@@ -938,6 +941,66 @@ my @tests = (
         'fw_rule_removed' => $NEW_RULE_REMOVED,
         'fatal'    => $NO
     },
+    {
+        'category' => 'Rijndael SPA',
+        'subcategory' => 'client+server',
+        'detail'   => 'CFB mode (tcp/22 ssh)',
+        'err_msg'  => 'could not complete SPA cycle',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args -M cfb",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $default_conf -a $cfb_mode_access_conf " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael SPA',
+        'subcategory' => 'client+server',
+        'detail'   => 'CTR mode (tcp/22 ssh)',
+        'err_msg'  => 'could not complete SPA cycle',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args -M ctr",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $default_conf -a $ctr_mode_access_conf " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'fatal'    => $NO
+    },
+    {
+        'category' => 'Rijndael SPA',
+        'subcategory' => 'client+server',
+        'detail'   => 'OFB mode (tcp/22 ssh)',
+        'err_msg'  => 'could not complete SPA cycle',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args -M ofb",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $default_conf -a $ofb_mode_access_conf " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'server_negative_output_matches' => [qr/Decryption\sfailed/i],
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'fatal'    => $NO
+    },
+
+    {
+        'category' => 'Rijndael SPA',
+        'subcategory' => 'client+server',
+        'detail'   => 'mode mismatch (tcp/22 ssh)',
+        'err_msg'  => 'server accepted mismatch enc mode',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$default_client_args -M ecb",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $default_conf -a $default_access_conf " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'server_positive_output_matches' => [qr/Decryption\sfailed/i],
+        'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+        'fatal'    => $NO
+    },
 
     {
         'category' => 'Rijndael SPA',
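Review bot: The only rejection case added here is ECB against the default stanza; none of the new CFB, CTR or OFB modes has a mismatch counterpart. Nothing checks that `-M pcbc` is now refused either, although this commit disables it in both copies of enc_mode_strtoint(). Copies of the 'mode mismatch' entry with `'cmdline' => "$default_client_args -M ctr",` (likewise cfb and ofb) against `$default_access_conf`, keeping `'fw_rule_created' => $REQUIRE_NO_NEW_RULE`, would pin that the server never opens a rule for a mode it was not configured for. The three positive entries differ only in the mode name and access file, so one small helper could build them and keep them from drifting apart. The `@tests` list begins and ends outside this hunk.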