[test suite] get hmac iptables duplicated and sha512 long key tests to pass
authorMichael Rash <mbr@cipherdyne.org>
Thu, 11 Apr 2013 03:31:58 +0000 (23:31 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Thu, 11 Apr 2013 03:31:58 +0000 (23:31 -0400)
client/fwknop.c
test/test-fwknop.pl
test/tests/rijndael_hmac.pl

index c845701..f76b5bf 100644 (file)
@@ -1152,7 +1152,8 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
             (unsigned char *) options->hmac_key);
         if(*hmac_key_len > MAX_KEY_LEN || *hmac_key_len < 0)
         {
-            fprintf(stderr, "[*] Invalid decoded key length: '%d', must be in [0,%d]",
+            fprintf(stderr,
+                    "[*] Invalid decoded key length: '%d', must be in [0,%d]\n",
                     *hmac_key_len, MAX_KEY_LEN);
             clean_exit(ctx, options, EXIT_FAILURE);
         }
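Review bot: The range check on the new side still admits a decoded HMAC key length of 0 — `*hmac_key_len < 0` is the only lower bound and the message advertises `[0,%d]` — so an hmac_key that base64-decodes to nothing passes this gate. Unless a zero-length key is rejected downstream, the condition should be `if(*hmac_key_len > MAX_KEY_LEN || *hmac_key_len <= 0)` with the message changed to `"[*] Invalid decoded key length: '%d', must be in [1,%d]\n"`. get_keys() begins before this hunk and continues after it, so the decode call that sets `*hmac_key_len` is only partly visible.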
index 3219972..8da5acd 100755 (executable)
@@ -21,6 +21,7 @@ our $conf_dir       = 'conf';
 my $run_dir         = 'run';
 my $cmd_out_tmp     = 'cmd.out';
 my $server_cmd_tmp  = 'server_cmd.out';
+my $openssl_cmd_tmp = 'openssl_cmd.out';
 my $data_tmp        = 'data.tmp';
 my $key_tmp         = 'key.tmp';
 my $enc_save_tmp    = 'openssl_save.enc';
@@ -989,8 +990,7 @@ sub client_send_spa_packet() {
     $rv = 0 unless &file_find_regex([qr/final\spacked/i],
         $MATCH_ALL, $curr_test_file);
 
-    if ($enable_openssl_compatibility_tests
-            and $test_hr->{'detail'} !~ /iptables.*not\sduplicated/) {
+    if ($enable_openssl_compatibility_tests) {
 
         ### extract the SPA packet from the cmd tmp file before
         ### openssl command execution overwrites it
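Review bot: The comment `### extract the SPA packet from the cmd tmp file before openssl command execution overwrites it` appears stale once the openssl output is routed to `$openssl_cmd_tmp` in openssl_hmac_verification() and openssl_enc_verification() by this same commit. If no other openssl invocation still writes to `$cmd_out_tmp`, reword it to `### extract the SPA packet from the cmd tmp file before running the openssl compatibility checks` so the next reader does not look for an overwrite that no longer happens. Removing the `not\sduplicated` exclusion means the openssl checks now also run for the iptables duplication test, which is why that separation of output files matters here. client_send_spa_packet() continues outside this hunk.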
@@ -3916,6 +3916,11 @@ sub client_server_interaction() {
         $server_was_stopped = 0;
     }
 
+    &write_test_file("[.] client_server_interaction() rv: $rv, " .
+        "server_was_stopped: $server_was_stopped, " .
+        "fw_rule_created: $fw_rule_created, fw_rule_removed: $fw_rule_removed\n",
+        $curr_test_file);
+
     return ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed);
 }
 
@@ -4172,7 +4177,7 @@ sub openssl_hmac_verification() {
 
     $openssl_hmac_cmd .= " | $base64_path" if $base64_path;
 
-    unless (&run_cmd($openssl_hmac_cmd, $cmd_out_tmp, $curr_test_file)) {
+    unless (&run_cmd($openssl_hmac_cmd, $openssl_cmd_tmp, $curr_test_file)) {
         &write_test_file("[-] Could not run openssl command: '$openssl_hmac_cmd'\n",
             $curr_test_file);
         $openssl_hmac_failure_ctr++;
@@ -4181,7 +4186,7 @@ sub openssl_hmac_verification() {
 
     ### for HMAC SHA512 this output will span two lines
     my $openssl_hmac_line = '';
-    open F, "< $cmd_out_tmp" or die $!;
+    open F, "< $openssl_cmd_tmp" or die $!;
     while (<F>) {
         $openssl_hmac_line .= $_;
         chomp $openssl_hmac_line;
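Review bot: `open F, "< $openssl_cmd_tmp" or die $!;` on the new side is a two-argument open on a bareword handle, and the same form recurs on the two `open F` lines in the openssl_enc_verification() hunks of this commit; the three-argument lexical form `open my $fh, '<', $openssl_cmd_tmp or die "open $openssl_cmd_tmp: $!";` with `while (<$fh>)` avoids having the mode parsed out of the filename and puts the path in the error text. The filename is a fixed literal here, so this is an idiom point rather than an exploitable one, but it is the pattern perlcritic flags at its highest severity. openssl_hmac_verification() continues outside this hunk, so whether the handle is closed is not visible.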
@@ -4256,7 +4261,7 @@ sub openssl_enc_verification() {
 
     $rv = &run_cmd("$openssl_path enc -d -a -aes-256-cbc " .
         "-pass file:$key_tmp -in $data_tmp",
-        $cmd_out_tmp, $curr_test_file);
+        $openssl_cmd_tmp, $curr_test_file);
 
     if ($rv) {
         if ($rv_flag == $REQUIRE_FAILURE) {
@@ -4269,7 +4274,7 @@ sub openssl_enc_verification() {
             ### a valid access message
             my $decrypted_msg = '';
             my $decrypted_access_msg = '';
-            open F, "< $cmd_out_tmp" or die $!;
+            open F, "< $openssl_cmd_tmp" or die $!;
             while (<F>) {
                 if (/^(?:\S+?\:){5}(\S+?)\:/) {
                     $decrypted_access_msg = $1;
@@ -4307,7 +4312,7 @@ sub openssl_enc_verification() {
             my $decrypted_msg = '';
             my $decrypted_access_msg = '';
             my $decoded_msg = '';
-            open F, "< $cmd_out_tmp" or die $!;
+            open F, "< $openssl_cmd_tmp" or die $!;
             while (<F>) {
                 if (/^(?:\S+?\:){5}(\S+?)\:/) {
                     $decrypted_access_msg = $1;
@@ -4344,7 +4349,7 @@ sub openssl_enc_verification() {
                 unless (&run_cmd("$openssl_path enc " .
                         "-e -a -aes-256-cbc -pass file:$key_tmp -in " .
                         "$data_tmp -out $enc_save_tmp",
-                        $cmd_out_tmp, $curr_test_file)) {
+                        $openssl_cmd_tmp, $curr_test_file)) {
 
                     &write_test_file("[-] OpenSSL could not re-encrypt\n",
                         $curr_test_file);
index 5f95917..b31c686 100644 (file)
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
         'detail'   => 'complete cycle SHA512 (long key)',
-        'function' => \&spa_cycle,
+        'function' => \&generic_exec,
         'cmdline'  => "$default_client_args_no_get_key --rc-file " .
             "$cf{'rc_hmac_sha512_long_key'} --hmac-digest-type sha512",
-        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha512_long_key_access'} " .
-            "-d $default_digest_file -p $default_pid_file $intf_str",
-        'fw_rule_created' => $NEW_RULE_REQUIRED,
-        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
         'key_file' => $cf{'rc_hmac_sha512_long_key'},
+        'positive_output_matches' => [qr/Invalid\sdecoded\skey\slength/],
+        'exec_err' => $YES,
         'fatal'    => $NO
     },
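Review bot: Turning this entry into a client-only generic_exec drops the server invocation with `$cf{'hmac_sha512_long_key_access'}`, so the over-long SHA512 HMAC key is now checked only on the client, where `Invalid decoded key length` is raised. If fwknopd applies a corresponding bound when it parses the access file, that path loses its only coverage; a second test entry that keeps the removed `fwknopd_cmdline` and matches the server's rejection message in its output would preserve it. The hunk header for this section is not shown, so I am reading the entry boundaries from the surrounding braces.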
 
         'function' => \&iptables_rules_not_duplicated,
         'cmdline'  => "$default_client_hmac_args --test",
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopdCmd -c $cf{'local_nat'} -a $cf{'hmac_access'} " .
+            "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'server_negative_output_matches' => [qr/^2\s+ACCEPT\s.*$fake_ip/],
         'key_file' => $cf{'rc_hmac_b64_key'},