'cmd_access' => "$conf_dir/cmd_access.conf",
'local_nat' => "$conf_dir/local_nat_fwknopd.conf",
'ipfw_active_expire' => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
+ 'android_access' => "$conf_dir/android_access.conf",
'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
'gpg_access' => "$conf_dir/gpg_access.conf",
'gpg_no_pw_access' => "$conf_dir/gpg_no_pw_access.conf",
my $spoof_ip = '1.2.3.4';
my $perl_mod_fko_dir = 'FKO';
my $cmd_exec_test_file = '/tmp/fwknoptest';
+my $default_key = 'fwknoptest';
#================== end config ===================
my $passed = 0;
my $diff_dir2 = '';
my $loopback_intf = '';
my $anonymize_results = 0;
-my $current_test_file = "$output_dir/init";
+my $curr_test_file = "$output_dir/init";
my $tarfile = 'test_fwknop.tar.gz';
my $fuzzing_pkts_file = 'fuzzing/fuzzing_spa_packets';
my $fuzzing_pkts_append = 0;
'positive_output_matches' => [qr/could\snot\sopen/i],
'exec_err' => $YES,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
- "$fwknopCmd -A tcp/22 -s $fake_ip " .
+ "$fwknopCmd -A tcp/22 -a $fake_ip " .
"-D $loopback_ip --get-key not/there",
'fatal' => $YES
},
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
'fatal' => $NO
},
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client+server',
+ 'detail' => 'allow -s (tcp/22 ssh)',
+ 'err_msg' => 'could not complete SPA cycle',
+ 'no_ip_check' => 1,
+ 'function' => \&spa_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopCmd -A tcp/22 -s -D $loopback_ip --get-key " .
+ "$local_key_file --verbose --verbose",
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd $default_server_conf_args $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'fatal' => $NO
+ },
{
'category' => 'Rijndael SPA',
'fatal' => $NO
},
+ ### backwards compatibility tests
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client->server backwards compatibility',
+ 'detail' => 'v2.0',
+ 'err_msg' => 'backwards compatibility failed',
+ 'function' => \&backwards_compatibility,
+ 'no_ip_check' => 1,
+ 'pkt' =>
+ '9ptGrLs8kVGVludcXFy17opvThEYzTeaT7RVlCN66W/G9QZs9BBevEQ0xxI8eCn' .
+ 'KPDM+Bu9g0XwmCEVxxg+4jwBwtbCxVt9t5aSR29EVWZ6UAOwLkunK3t4FYBy1tL' .
+ '55krFt+1B2TtNSAH005kyDEZEOIGoY9Q/iU',
+ 'server_positive_output_matches' => [qr/Removed\srule/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'def_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client->server backwards compatibility',
+ 'detail' => 'v2.0.1',
+ 'err_msg' => 'backwards compatibility failed',
+ 'function' => \&backwards_compatibility,
+ 'no_ip_check' => 1,
+ 'pkt' =>
+ '+uAD6hlS2BHuaCtVKIGyIsB/4U8USqcP9o4aT6FvBuPKORwTV8byyzv6bzZYINs4' .
+ 'Voq3QvBbIwkXJ63/oU+XxvP5R+DBLEnh3e/NHPFK6NB0WT2dujVyVxwBfvvWjIqW' .
+ 'Hhro2tH34nqfTRIpevfLTMx7r+N8ZQ4V8',
+ 'server_positive_output_matches' => [qr/Removed\srule/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'def_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client->server backwards compatibility',
+ 'detail' => 'v2.0.2',
+ 'err_msg' => 'backwards compatibility failed',
+ 'function' => \&backwards_compatibility,
+ 'no_ip_check' => 1,
+ 'pkt' =>
+ '+mS70t2A2YmV50KgwDyy6nYLwzQ7AUO8pA/eatm7g9xc83xy1z7VOXeAYrgAOWy' .
+ 'Ksk30QvkwHtPhl7I0oDz1bO+2K2JbDbyc0KBBzVNMLgJcuYgEpOXPkX2XhcTsgQ' .
+ 'Vw2/Va/aUjvEvNPtwuipQS6DLTzOw/qy+/g',
+ 'server_positive_output_matches' => [qr/Removed\srule/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'def_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'client->server backwards compatibility',
+ 'detail' => 'v2.0.3',
+ 'err_msg' => 'backwards compatibility failed',
+ 'function' => \&backwards_compatibility,
+ 'pkt' =>
+ '+8OtxmTJPgQmrXZ7hAqTopLBC/thqHNuPHTfR234pFuQOCZUikPe0inHmjfnQFnP' .
+ 'Sop/Iy6v+BCn9D+QD7eT7JI6BIoKp14K+8iNgKaNw1BdfgF1XDulpkNEdyG0fXz5' .
+ 'M+GledHfz2d49aYThoQ2Cr8Iw1ycViawY',
+ 'server_positive_output_matches' => [qr/Removed\srule/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'def_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fatal' => $NO
+ },
+ {
+ 'category' => 'Rijndael SPA',
+ 'subcategory' => 'Android compatibility',
+ 'detail' => 'v4.1.2',
+ 'err_msg' => 'Android compatibility failed',
+ 'function' => \&backwards_compatibility,
+ 'no_ip_check' => 1,
+ 'pkt' =>
+ '+59hIQhS1RlmqYLXNM/hPxtBAQTB5y3UKZq13O+r6qmg+APdQ+HQ' .
+ 'OI7d4QCsp14s8KJpW8qBzZ/n0aZCFCFdZnvdZeJJVboQu4jo' .
+ 'QFKZ8mmKwR/5DIO7k3qrXYGxYP0bnHYsih0HIE6CzSHlBGSf' .
+ 'DJR92YhjYtL4Q',
+ 'server_positive_output_matches' => [qr/Removed\srule/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'android_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fatal' => $NO
+ },
+
### fuzzing tests
{
'category' => 'Rijndael SPA',
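Review bot: The v2.0.3 backwards-compatibility entry (the `'detail' => 'v2.0.3'` hash) is the only one of the five new pre-built-packet entries without `'no_ip_check' => 1`; v2.0, v2.0.1, v2.0.2 and the Android entry all set it. If that flag is what lets a packet whose embedded source address does not match `$loopback_ip` pass the framework's IP check, this entry will be evaluated under different rules than its siblings, and since the packet bytes are fixed the outcome will not be obvious from the `err_msg`. Either add `'no_ip_check' => 1,` after the `'function'` line or note in a comment why v2.0.3 is intentionally checked more strictly. A one-line comment above the block such as `### pre-generated SPA packets: replay detection must be reset per run (-d $default_digest_file) and aging disabled via disable_aging` would also spare the next reader from working out why `disable_aging` and the digest file are passed on every entry.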
'detail' => 'client FKO -> C server',
'err_msg' => 'invalid SPA packet data',
'function' => \&perl_fko_module_client_compatibility,
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd $default_server_conf_args $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
'fatal' => $NO
},
&dots_print($msg);
$executed++;
- $current_test_file = "$output_dir/$executed.test";
- $server_test_file = "$output_dir/${executed}_fwknopd.test";
+ $curr_test_file = "$output_dir/$executed.test";
+ $server_test_file = "$output_dir/${executed}_fwknopd.test";
- &write_test_file("[+] TEST: $msg\n", $current_test_file);
+ &write_test_file("[+] TEST: $msg\n", $curr_test_file);
$test_hr->{'msg'} = $msg;
if (&{$test_hr->{'function'}}($test_hr)) {
&logr("pass ($executed)\n");
### 'make clean' as root
unless (&run_cmd('make clean', $cmd_out_tmp,
- "test/$current_test_file")) {
+ "test/$curr_test_file")) {
chdir $curr_pwd or die $!;
return 0;
}
unless $username;
unless (&run_cmd("$sudo_path -u $username make",
- $cmd_out_tmp, "test/$current_test_file")) {
+ $cmd_out_tmp, "test/$curr_test_file")) {
unless (&run_cmd('make', $cmd_out_tmp,
- "test/$current_test_file")) {
+ "test/$curr_test_file")) {
chdir $curr_pwd or die $!;
return 0;
}
} else {
unless (&run_cmd('make', $cmd_out_tmp,
- "test/$current_test_file")) {
+ "test/$curr_test_file")) {
chdir $curr_pwd or die $!;
return 0;
}
### look for compilation warnings - something like:
### warning: ‘test’ is used uninitialized in this function
if (&file_find_regex([qr/\swarning:\s/, qr/gcc\:.*\sunused/],
- $MATCH_ANY, "test/$current_test_file")) {
+ $MATCH_ANY, "test/$curr_test_file")) {
chdir $curr_pwd or die $!;
return 0;
}
### the new binaries should exist
unless (-e $fwknopCmd and -x $fwknopCmd) {
&write_test_file("[-] $fwknopCmd does not exist or not executable.\n",
- $current_test_file);
+ $curr_test_file);
}
unless (-e $fwknopdCmd and -x $fwknopdCmd) {
&write_test_file("[-] $fwknopdCmd does not exist or not executable.\n",
- $current_test_file);
+ $curr_test_file);
}
return 1;
### 'make clean' as root
return 0 unless &run_cmd('make -C .. distcheck',
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
### look for compilation warnings - something like:
### warning: ‘test’ is used uninitialized in this function
return 1 if &file_find_regex([qr/archives\sready\sfor\sdistribution/],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
unless (-e '../VERSION') {
&write_test_file("[-] ../VERSION file does not exist.\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($line =~ /(\d.*\d)/) {
my $version = $1;
return 0 unless &run_cmd($test_hr->{'cmdline'},
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/$version/],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
}
return 0;
}
sub client_send_spa_packet() {
my $test_hr = shift;
- &write_key('fwknoptest', $local_key_file);
+ &write_key($default_key, $local_key_file);
return 0 unless &run_cmd($test_hr->{'cmdline'},
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 0 unless &file_find_regex([qr/final\spacked/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 1;
}
my $rv = &spa_cycle($test_hr);
unless (&file_find_regex([qr/Username:\s*$spoof_user/],
- $MATCH_ALL, $current_test_file)) {
+ $MATCH_ALL, $curr_test_file)) {
$rv = 0;
}
chdir '../perl/FKO' or die $!;
&run_cmd("make clean", $cmd_out_tmp,
- "../../test/$current_test_file");
+ "../../test/$curr_test_file");
&run_cmd("perl Makefile.PL PREFIX=../../test/$perl_mod_fko_dir " .
"LIB=../../test/$perl_mod_fko_dir", $cmd_out_tmp,
- "../../test/$current_test_file");
+ "../../test/$curr_test_file");
&run_cmd('make', $cmd_out_tmp,
- "../../test/$current_test_file");
+ "../../test/$curr_test_file");
&run_cmd('make install', $cmd_out_tmp,
- "../../test/$current_test_file");
+ "../../test/$curr_test_file");
chdir $curr_pwd or die $!;
eval { require FKO };
if ($@) {
&write_test_file("[-] could not 'require FKO' module: $@\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
### disable remaining perl module checks
$fko_obj->destroy();
} else {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
### disable remaining perl module checks
push @tests_to_exclude, qr/perl FKO module/;
$fko_obj->destroy();
} else {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
### disable remaining perl module checks
push @tests_to_exclude, qr/perl FKO module/;
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($version) {
&write_test_file("[+] got version(): $version\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get version()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($rand_value) {
&write_test_file("[+] got rand_value(): $rand_value\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get rand_value()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($username) {
&write_test_file("[+] got username(): $username\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get username()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->username() eq $user) {
&write_test_file("[+] get/set username(): $user\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get/set username(): $user " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->username() eq $fuzzing_user) {
&write_test_file("[-] libfko allowed fuzzing username(): $fuzzing_user " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko threw out fuzzing username(): $fuzzing_user\n",
- $current_test_file);
+ $curr_test_file);
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($curr_time) {
&write_test_file("[+] got current timestamp(): $curr_time\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get timestamp()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
if (abs($spa_timestamp - $curr_time) < (abs($offset) + 10)) {
&write_test_file("[+] set valid timestamp() offset: $offset\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] timestamp() offset: $offset not accepted.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->spa_client_timeout() == $valid_timeout) {
&write_test_file("[+] got spa_client_timeout(): $valid_timeout\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get spa_client_timeout()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
if ($status == FKO->FKO_SUCCESS) {
&write_test_file("[-] libfko allowed fuzzing spa_client_timeout(): $fuzzing_client_timeout " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko rejected fuzzing spa_client_timeout(): $fuzzing_client_timeout\n",
- $current_test_file);
+ $curr_test_file);
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($msg_type > -1) {
&write_test_file("[+] got default spa_message_type(): $msg_type\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get default spa_message_type()\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->spa_message_type() == $type) {
&write_test_file("[+] get/set spa_message_type(): $type\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get/set spa_message_type(): $type " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
last;
}
if ($status == FKO->FKO_SUCCESS) {
&write_test_file("[-] libfko allowed fuzzing spa_message_type(): $fuzzing_type " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko rejected fuzzing spa_message_type(): $fuzzing_type\n",
- $current_test_file);
+ $curr_test_file);
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->spa_message() eq $msg) {
&write_test_file("[+] get/set spa_message(): $msg\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get/set spa_message(): $msg " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
last;
}
&write_test_file("[-] libfko allowed fuzzing " .
"spa_message(): $fuzzing_msg, got: " . $fko_obj->spa_message() . ' ' .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko rejected fuzzing spa_message(): $fuzzing_msg\n",
- $current_test_file);
+ $curr_test_file);
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->spa_nat_access() eq $msg) {
&write_test_file("[+] get/set spa_nat_access(): $msg\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get/set spa_nat_access(): $msg " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
last;
}
&write_test_file("[-] libfko allowed fuzzing " .
"spa_nat_access(): $fuzzing_msg, got: " . $fko_obj->spa_nat_access() . ' ' .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko rejected fuzzing spa_nat_access(): $fuzzing_msg\n",
- $current_test_file);
+ $curr_test_file);
}
}
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($status == FKO->FKO_SUCCESS and $fko_obj->spa_message() eq $msg) {
&write_test_file("[+] get/set spa_message(): $msg\n",
- $current_test_file);
+ $curr_test_file);
} else {
&write_test_file("[-] could not get/set spa_message(): $msg " .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
last;
}
&write_test_file("[-] libfko allowed fuzzing " .
"spa_message(): $fuzzing_msg, got: " . $fko_obj->spa_message() . ' ' .
FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] libfko rejected fuzzing spa_message(): $fuzzing_msg\n",
- $current_test_file);
+ $curr_test_file);
}
}
&write_test_file("[+] msg: $msg, user: $user, " .
"digest type: $digest_type, key: $key\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj = FKO->new();
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
$fko_obj = FKO->new();
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
$fko_obj->spa_data($encrypted_msg);
if ($msg ne $fko_obj->spa_message()) {
&write_test_file("[-] $msg encrypt/decrypt mismatch\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
&write_test_file("[+] msg: $msg, user: $user, " .
"digest type: $digest_type, key: $key\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj = FKO->new();
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
if ($msg ne $fko_obj->spa_message()) {
&write_test_file("[-] $msg encrypt/decrypt mismatch\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Bogus user: $user triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next USER;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Bogus access_msg: $msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next MSG;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Bogus NAT_access_msg: $nat_msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next NAT_MSG;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Bogus cmd_msg: $msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next CMD;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Bogus msg_type: $type triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next TYPE;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
my $status = $fko_obj->username($user);
if ($status != FKO->FKO_SUCCESS) {
&write_test_file("[-] Invalid_encoding user: $user triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next USER;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Invalid_encoding access_msg: $msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next MSG;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Invalid_encoding NAT_access_msg: $nat_msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next NAT_MSG;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Invalid_encoding cmd_msg: $msg triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next CMD;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
### we expect that a patch has been applied to libfko to allow
### fuzzing data
&write_test_file("[-] Invalid_encoding msg_type: $type triggered a libfko error\n",
- $current_test_file);
+ $curr_test_file);
$fko_obj->destroy();
$rv = 0;
next TYPE;
$fuzzing_str =~ s/[^\x20-\x7e]{1,}/(NA)/g;
push @fuzzing_pkts, $fuzzing_str;
- &write_test_file("$fuzzing_str\n", $current_test_file);
+ &write_test_file("$fuzzing_str\n", $curr_test_file);
$fko_obj->destroy();
}
$fko_obj = FKO->new();
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
$fko_obj->spa_data($encrypted_spa_pkt);
if ($status == FKO->FKO_SUCCESS) {
&write_test_file("[-] Accepted fuzzing $field $field_val SPA packet.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] Rejected fuzzing $field $field_val SPA packet.\n",
- $current_test_file);
+ $curr_test_file);
}
$fko_obj->destroy();
sub perl_fko_module_client_compatibility() {
my $test_hr = shift;
- my $rv = 1;
-
$fko_obj = FKO->new();
unless ($fko_obj) {
&write_test_file("[-] error FKO->new(): " . FKO::error_str() . "\n",
- $current_test_file);
+ $curr_test_file);
return 0;
}
+ $fko_obj->spa_message("$fake_ip,tcp/22");
+ $fko_obj->spa_message_type(FKO->FKO_ACCESS_MSG);
+ $fko_obj->spa_data_final($default_key);
+ my $spa_pkt = $fko_obj->spa_data();
$fko_obj->destroy();
+ my @packets = (
+ {
+ 'proto' => 'udp',
+ 'port' => $default_spa_port,
+ 'dst_ip' => $loopback_ip,
+ 'data' => $spa_pkt,
+ },
+ );
+
+ my ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
+ = &client_server_interaction($test_hr, \@packets, $USE_PREDEF_PKTS);
+
+ $rv = 0 unless $server_was_stopped;
+
+ if ($fw_rule_created) {
+ &write_test_file("[+] new fw rule created.\n", $curr_test_file);
+ } else {
+ &write_test_file("[-] new fw rule not created.\n", $curr_test_file);
+ $rv = 0;
+ }
+
+ if ($test_hr->{'server_positive_output_matches'}) {
+ $rv = 0 unless &file_find_regex(
+ $test_hr->{'server_positive_output_matches'},
+ $MATCH_ALL, $server_test_file);
+ }
+
return $rv;
}
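Review bot: The three new libfko setter calls in perl_fko_module_client_compatibility (`spa_message`, `spa_message_type`, `spa_data_final`) discard their return status, so a failure leaves `$spa_pkt` empty or undef and the test only fails later as a generic "invalid SPA packet data" with no libfko error recorded. Elsewhere in this file setter results are checked against `FKO->FKO_SUCCESS` (for example the `username()` and `spa_message_type()` checks), so do the same here: `my $status = $fko_obj->spa_data_final($default_key);` followed by a check that, on anything but `FKO->FKO_SUCCESS`, writes `FKO::error_str()` to `$curr_test_file`, calls `$fko_obj->destroy()` and returns 0 — assuming `spa_data_final` returns a status like the other setters, which should be confirmed against the FKO module. Also guard the packet itself before building `@packets`: `return 0 unless defined $spa_pkt and length $spa_pkt;`.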
return 0 unless &spa_cycle($test_hr);
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n",
- $current_test_file);
+ "from file: $curr_test_file\n",
+ $curr_test_file);
return 0;
}
my $test_hr = shift;
my $rv = 1;
- &run_cmd("file $default_digest_file", $cmd_out_tmp, $current_test_file);
+ &run_cmd("file $default_digest_file", $cmd_out_tmp, $curr_test_file);
if (&file_find_regex([qr/ASCII/i], $MATCH_ALL, $cmd_out_tmp)) {
next unless /\S/;
unless (m|^\S+\s+\d+\s+$ip_re\s+\d+\s+$ip_re\s+\d+\s+\d+|) {
&write_test_file("[-] invalid digest.cache line: $_",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
last;
}
close F;
} elsif (&file_find_regex([qr/dbm/i], $MATCH_ALL, $cmd_out_tmp)) {
&write_test_file("[+] DBM digest file format, " .
- "assuming this is valid.\n", $current_test_file);
+ "assuming this is valid.\n", $curr_test_file);
} else {
### don't know what kind of file the digest.cache is
&write_test_file("[-] unrecognized file type for " .
- "$default_digest_file.\n", $current_test_file);
+ "$default_digest_file.\n", $curr_test_file);
$rv = 0;
}
if ($rv) {
&write_test_file("[+] valid digest.cache structure.\n",
- $current_test_file);
+ $curr_test_file);
}
return $rv;
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n", $current_test_file);
+ "from file: $curr_test_file\n", $curr_test_file);
return 0;
}
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n", $current_test_file);
+ "from file: $curr_test_file\n", $curr_test_file);
return 0;
}
return $rv;
}
+sub backwards_compatibility() {
+ my $test_hr = shift;
+
+ my $rv = 1;
+ my $server_was_stopped = 0;
+ my $fw_rule_created = 0;
+ my $fw_rule_removed = 0;
+
+ my @packets = (
+ {
+ 'proto' => 'udp',
+ 'port' => $default_spa_port,
+ 'dst_ip' => $loopback_ip,
+ 'data' => $test_hr->{'pkt'},
+ },
+ );
+
+ ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
+ = &client_server_interaction($test_hr, \@packets, $USE_PREDEF_PKTS);
+
+ $rv = 0 unless $server_was_stopped;
+
+ if ($fw_rule_created) {
+ &write_test_file("[+] new fw rule created.\n", $curr_test_file);
+ } else {
+ &write_test_file("[-] new fw rule not created.\n", $curr_test_file);
+ $rv = 0;
+ }
+
+ if ($test_hr->{'server_positive_output_matches'}) {
+ $rv = 0 unless &file_find_regex(
+ $test_hr->{'server_positive_output_matches'},
+ $MATCH_ALL, $server_test_file);
+ }
+
+ return $rv;
+}
+
sub process_pcap_file_directly() {
my $test_hr = shift;
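Review bot: In backwards_compatibility the `$fw_rule_removed` value returned by client_server_interaction is captured but never examined, so a legacy packet that opens a rule which is then never torn down only fails if the caller happens to supply `server_positive_output_matches`; the function should either enforce it (`$rv = 0 unless $fw_rule_removed;`, with a `[-] new fw rule not removed` line written to `$curr_test_file`) or drop the unused variable. The block from `$rv = 0 unless $server_was_stopped;` through the `server_positive_output_matches` check is byte-for-byte the same as the tail of perl_fko_module_client_compatibility earlier in this diff; factoring it into a shared helper (e.g. `_check_predef_pkt_result($test_hr, $rv, $server_was_stopped, $fw_rule_created)`) would keep the two tests from drifting apart. The function also sends `$test_hr->{'pkt'}` without checking it exists, so an entry that forgets the key would put an undef payload on the wire; a `return 0 unless defined $test_hr->{'pkt'};` before building `@packets` makes the table error explicit. A short header comment stating that the test replays a fixed SPA packet produced by an older client and expects the current server to accept it would help a reader who does not know the history.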
$rv = 0 unless $server_was_stopped;
if ($fw_rule_created) {
- &write_test_file("[-] new fw rule created.\n", $current_test_file);
+ &write_test_file("[-] new fw rule created.\n", $curr_test_file);
$rv = 0;
} else {
- &write_test_file("[+] new fw rule not created.\n", $current_test_file);
+ &write_test_file("[+] new fw rule not created.\n", $curr_test_file);
}
if ($test_hr->{'server_positive_output_matches'}) {
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n", $current_test_file);
+ "from file: $curr_test_file\n", $curr_test_file);
return 0;
}
$rv = 0 unless $server_was_stopped;
if ($fw_rule_created) {
- &write_test_file("[-] new fw rule created.\n", $current_test_file);
+ &write_test_file("[-] new fw rule created.\n", $curr_test_file);
$rv = 0;
} else {
- &write_test_file("[+] new fw rule not created.\n", $current_test_file);
+ &write_test_file("[+] new fw rule not created.\n", $curr_test_file);
}
unless (&file_find_regex([qr/Error\screating\sfko\scontext/],
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n", $current_test_file);
+ "from file: $curr_test_file\n", $curr_test_file);
return 0;
}
$rv = 0 unless $server_was_stopped;
if ($fw_rule_created) {
- &write_test_file("[-] new fw rule created.\n", $current_test_file);
+ &write_test_file("[-] new fw rule created.\n", $curr_test_file);
$rv = 0;
} else {
- &write_test_file("[+] new fw rule not created.\n", $current_test_file);
+ &write_test_file("[+] new fw rule not created.\n", $curr_test_file);
}
unless (&file_find_regex([qr/Error\screating\sfko\scontext/],
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
- my $spa_pkt = &get_spa_packet_from_file($current_test_file);
+ my $spa_pkt = &get_spa_packet_from_file($curr_test_file);
unless ($spa_pkt) {
&write_test_file("[-] could not get SPA packet " .
- "from file: $current_test_file\n", $current_test_file);
+ "from file: $curr_test_file\n", $curr_test_file);
return 0;
}
$rv = 0 unless $server_was_stopped;
if ($fw_rule_created) {
- &write_test_file("[-] new fw rule created.\n", $current_test_file);
+ &write_test_file("[-] new fw rule created.\n", $curr_test_file);
$rv = 0;
} else {
- &write_test_file("[+] new fw rule not created.\n", $current_test_file);
+ &write_test_file("[+] new fw rule not created.\n", $curr_test_file);
}
unless (&file_find_regex([qr/Error\screating\sfko\scontext/],
if ($spa_client_flag == $USE_CLIENT) {
unless (&client_send_spa_packet($test_hr)) {
&write_test_file("[-] fwknop client execution error.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
}
} elsif ($spa_client_flag == $USE_PREDEF_PKTS) {
my $ctr = 0;
while (not &is_fw_rule_active($test_hr)) {
&write_test_file("[-] new fw rule does not exist.\n",
- $current_test_file);
+ $curr_test_file);
$ctr++;
last if $ctr == 3;
sleep 1;
sleep 3; ### allow time for rule time out.
if (&is_fw_rule_active($test_hr)) {
&write_test_file("[-] new fw rule not timed out.\n",
- $current_test_file);
+ $curr_test_file);
$rv = 0;
} else {
&write_test_file("[+] new fw rule timed out.\n",
- $current_test_file);
+ $curr_test_file);
$fw_rule_removed = 1;
}
}
}
} else {
&write_test_file("[-] server is not running.\n",
- $current_test_file);
+ $curr_test_file);
$server_was_stopped = 0;
}
sub send_packets() {
my $pkts_ar = shift;
- open F, ">> $current_test_file" or die $!;
+ open F, ">> $curr_test_file" or die $!;
print F "[+] send_packets(): Sending the following packets...\n";
print F Dumper $pkts_ar;
close F;
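Review bot: The renamed line in send_packets still uses a two-argument `open` on a bareword handle, which treats the interpolated path as a mode string; `$curr_test_file` is built from `$output_dir` so it is not attacker-controlled here, but the form is the one perlcritic flags and the rest of the change was the moment to fix it. Replace the three lines with `open my $fh, '>>', $curr_test_file or die "open $curr_test_file: $!";`, `print {$fh} "[+] send_packets(): Sending the following packets...\n", Dumper($pkts_ar);` and `close $fh or die "close $curr_test_file: $!";`, which also surfaces buffered write errors at close. The rest of send_packets lies outside this hunk.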
my $rv = 1;
my $exec_rv = &run_cmd($test_hr->{'cmdline'},
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
if ($test_hr->{'exec_err'} eq $YES) {
$rv = 0 if $exec_rv;
if ($test_hr->{'positive_output_matches'}) {
$rv = 0 unless &file_find_regex(
$test_hr->{'positive_output_matches'},
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
}
if ($test_hr->{'negative_output_matches'}) {
$rv = 0 if &file_find_regex(
$test_hr->{'negative_output_matches'},
- $MATCH_ANY, $current_test_file);
+ $MATCH_ANY, $curr_test_file);
}
return $rv;
my $test_hr = shift;
return 0 unless -e $test_hr->{'binary'};
&run_cmd("./hardening-check $test_hr->{'binary'}",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Position\sIndependent.*:\syes/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
my $test_hr = shift;
return 0 unless -e $test_hr->{'binary'};
&run_cmd("./hardening-check $test_hr->{'binary'}",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Stack\sprotected.*:\syes/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
my $test_hr = shift;
return 0 unless -e $test_hr->{'binary'};
&run_cmd("./hardening-check $test_hr->{'binary'}",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Fortify\sSource\sfunctions:\syes/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
my $test_hr = shift;
return 0 unless -e $test_hr->{'binary'};
&run_cmd("./hardening-check $test_hr->{'binary'}",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Read.only\srelocations:\syes/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
my $test_hr = shift;
return 0 unless -e $test_hr->{'binary'};
&run_cmd("./hardening-check $test_hr->{'binary'}",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Immediate\sbinding:\syes/i],
- $MATCH_ALL, $current_test_file);
+ $MATCH_ALL, $curr_test_file);
return 0;
}
&run_cmd("LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd " .
"$default_server_conf_args --fw-list-all",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
my $have_gpgme = 0;
'ls -l /usr/lib/*fko*',
'ls -l /usr/local/lib/*fko*',
) {
- &run_cmd($cmd, $cmd_out_tmp, $current_test_file);
+ &run_cmd($cmd, $cmd_out_tmp, $curr_test_file);
if ($cmd =~ /^ldd/) {
$have_gpgme++ if &file_find_regex([qr/gpgme/],
my $ctr = 0;
while (&run_cmd("ps axuww | grep LD_LIBRARY_PATH | " .
"grep valgrind |grep -v perl | grep -v grep",
- $cmd_out_tmp, $current_test_file)) {
+ $cmd_out_tmp, $curr_test_file)) {
$ctr++;
last if $ctr == 5;
sleep 1;
}
sub dump_pids() {
- open C, ">> $current_test_file"
- or die "[*] Could not open $current_test_file: $!";
+ open C, ">> $curr_test_file"
+ or die "[*] Could not open $curr_test_file: $!";
print C "\n" . localtime() . " [+] PID dump:\n";
close C;
&run_cmd("ps auxww | grep knop |grep -v grep",
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
return;
}
close F;
}
- open F, ">> $current_test_file" or die $!;
+ open F, ">> $curr_test_file" or die $!;
for my $type ('client', 'server') {
print F "\n[+] fwknop $type functions (unique view):\n";
next unless defined $valgrind_flagged_fcns_unique{$type};
if ($test_hr->{'no_ip_check'}) {
return 1 if &run_cmd("LD_LIBRARY_PATH=$lib_dir $fwknopdCmd " .
qq{$conf_args --fw-list | grep -v "# DISABLED" |grep _exp_},
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
} else {
return 1 if &run_cmd("LD_LIBRARY_PATH=$lib_dir $fwknopdCmd " .
qq{$conf_args --fw-list | grep -v "# DISABLED" |grep $fake_ip |grep _exp_},
- $cmd_out_tmp, $current_test_file);
+ $cmd_out_tmp, $curr_test_file);
}
return 0;
sleep 2 if $use_valgrind;
&run_cmd("LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "--status", $cmd_out_tmp, $current_test_file);
+ "--status", $cmd_out_tmp, $curr_test_file);
return 1 if &file_find_regex([qr/Detected\sfwknopd\sis\srunning/i],
$MATCH_ALL, $cmd_out_tmp);
sub stop_fwknopd() {
&run_cmd("LD_LIBRARY_PATH=$lib_dir $fwknopdCmd " .
- "$default_server_conf_args -K", $cmd_out_tmp, $current_test_file);
+ "$default_server_conf_args -K", $cmd_out_tmp, $curr_test_file);
if ($use_valgrind) {
&time_for_valgrind();