From 0c19e5170a9ec5d2f0dfd943e05df514eb26684b Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Mon, 10 Jun 2013 21:16:33 -0400
Subject: [PATCH] [test suite] added backwards compatibility tests with a dual usage key in access.conf
---
 Makefile.am | 1 +
 test/conf/dual_key_legacy_iv_access.conf | 10 +++++
 test/test-fwknop.pl | 13 +++++++
 .../tests/rijndael_backwards_compatibility.pl | 37 +++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 test/conf/dual_key_legacy_iv_access.conf
diff --git a/Makefile.am b/Makefile.am
index 3c9d150c..10bfdcce 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -134,6 +134,7 @@ EXTRA_DIST = \
 test/conf/disable_aging_fwknopd.conf \
 test/conf/disable_aging_nat_fwknopd.conf \
 test/conf/dual_key_usage_access.conf \
+ test/conf/dual_key_legacy_iv_access.conf \
 test/conf/ecb_mode_access.conf \
 test/conf/expired_epoch_stanza_access.conf \
 test/conf/expired_stanza_access.conf \
diff --git a/test/conf/dual_key_legacy_iv_access.conf b/test/conf/dual_key_legacy_iv_access.conf
new file mode 100644
index 00000000..6d6024eb
--- /dev/null
+++ b/test/conf/dual_key_legacy_iv_access.conf
@@ -0,0 +1,10 @@
+SOURCE ANY
+KEY fwknoptest
+OPEN_PORTS tcp/22
+FW_ACCESS_TIMEOUT 2
+
+SOURCE ANY
+KEY fwknoptest
+OPEN_PORTS tcp/22
+FW_ACCESS_TIMEOUT 3
+ENCRYPTION_MODE legacy
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index 001bf83b..86f05941 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@@ -77,6 +77,7 @@ our %cf = (
 'android_access' => "$conf_dir/android_access.conf",
 'android_legacy_iv_access' => "$conf_dir/android_legacy_iv_access.conf",
 'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
+ 'dual_key_legacy_iv_access' => "$conf_dir/dual_key_legacy_iv_access.conf",
 'hmac_dual_key_access' => "$conf_dir/hmac_dual_key_usage_access.conf",
 'gpg_access' => "$conf_dir/gpg_access.conf",
 'gpg_hmac_access' => "$conf_dir/gpg_hmac_access.conf",
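Review bot: Nothing in the new test/conf/dual_key_legacy_iv_access.conf says which of its two stanzas a test packet is expected to match, although they share SOURCE and KEY and differ only in FW_ACCESS_TIMEOUT and ENCRYPTION_MODE. Presumably packets from older clients are meant to fail against the first stanza and be accepted by the second. A leading comment would record that, for example `# Old-client (legacy IV) packets are expected to match the second stanza; the timeouts (2 vs 3) tell the stanzas apart in the server log`. Without it, the ordering looks arbitrary and a later edit could swap or merge the stanzas without anyone noticing that the fall-through case is no longer exercised.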
@@ -674,6 +675,12 @@ sub run_test() {
 $test_hr->{'msg'} = $msg;
+ if ($test_hr->{'mv_and_restore_replay_cache'}) {
+ unlink "${default_digest_file}.mv"
+ if -e "${default_digest_file}.mv";
+ move $default_digest_file, "${default_digest_file}.mv";
+ }
+
 if (&{$test_hr->{'function'}}($test_hr)) {
 &logr("pass ($executed)\n");
 $passed++;
@@ -686,6 +693,11 @@ sub run_test() {
 }
 }
+ if ($test_hr->{'mv_and_restore_replay_cache'}) {
+ unlink $default_digest_file if -e $default_digest_file;
+ move "${default_digest_file}.mv", $default_digest_file;
+ }
+
 if ($enable_valgrind and &is_valgrind_running()) {
 if ($killall_path and $pgrep_path) {
 for my $cmd ('memcheck', 'valgrind') {
@@ -4996,6 +5008,7 @@ sub validate_test_hashes() {
 'insert_rule_before_exec' => $OPTIONAL,
 'insert_rule_while_running' => $OPTIONAL,
 'search_for_rule_after_exit' => $OPTIONAL,
+ 'mv_and_restore_replay_cache' => $OPTIONAL,
 'server_positive_output_matches' => $OPTIONAL,
 'server_negative_output_matches' => $OPTIONAL,
 'replay_positive_output_matches' => $OPTIONAL,
diff --git a/test/tests/rijndael_backwards_compatibility.pl b/test/tests/rijndael_backwards_compatibility.pl
index 5031dda5..57063fea 100644
--- a/test/tests/rijndael_backwards_compatibility.pl
+++ b/test/tests/rijndael_backwards_compatibility.pl
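Review bot: Neither `move` call checks its result, in the block added before the test function runs or in the restore block added by the second run_test hunk. If the first move fails, the existing replay cache stays in place, and a fixed packet that was already recorded would presumably be rejected as a replay with nothing in the log pointing at the cache. Assuming `move` is File::Copy's (which returns false on failure), report it: `move($default_digest_file, "${default_digest_file}.mv") or &logr("[-] could not move $default_digest_file: $!\n") if -e $default_digest_file;`, and likewise for the restore. The restore also depends on control reaching it. The pass/fail branch between the two blocks lies outside these hunks, so if a failing or dying test leaves run_test early, the saved cache stays at `.mv` and the next flagged test unlinks it. Giving these tests their own `-d` digest path would avoid touching the shared replay cache at all.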
@@ -71,6 +71,25 @@
 'fw_rule_removed' => $NEW_RULE_REMOVED,
 'fatal' => $NO
 },
+ {
+ 'category' => 'Rijndael',
+ 'subcategory' => 'client->server backwards compat.',
+ 'detail' => 'v2.0.3 dual keys',
+ 'function' => \&backwards_compatibility,
+ 'pkt' =>
+ '+8OtxmTJPgQmrXZ7hAqTopLBC/thqHNuPHTfR234pFuQOCZUikPe0inHmjfnQFnP' .
+ 'Sop/Iy6v+BCn9D+QD7eT7JI6BIoKp14K+8iNgKaNw1BdfgF1XDulpkNEdyG0fXz5' .
+ 'M+GledHfz2d49aYThoQ2Cr8Iw1ycViawY',
+ 'server_positive_output_matches' => [qr/with expire time/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'dual_key_legacy_iv_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'mv_and_restore_replay_cache' => $YES,
+ 'fatal' => $NO
+ },
+
 {
 'category' => 'Rijndael',
 'subcategory' => 'client->server backwards compatibility',
@@ -88,6 +107,24 @@
 'fw_rule_removed' => $NEW_RULE_REMOVED,
 'fatal' => $NO
 },
+ {
+ 'category' => 'Rijndael',
+ 'subcategory' => 'client->server backwards compat.',
+ 'detail' => 'v2.0.4 dual keys',
+ 'function' => \&backwards_compatibility,
+ 'pkt' =>
+ '8Xm8U5vQ03T88UTCWbwO3t/aL6euZ8IgVbNdDVz3Bn6HkTcBqxcME95U/G3bCH' .
+ 'vQznpnGb05Md4ZgexHZGzZdSwsP8iVtcZdsgCBfeO4Eqs8OaSMjJVF8SQ+Jmhu' .
+ 'XZMcWgMsIzhpprJ7JX41DrWd0OtBnE3rVwsN0',
+ 'server_positive_output_matches' => [qr/with expire time/],
+ 'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'dual_key_legacy_iv_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'mv_and_restore_replay_cache' => $YES,
+ 'fatal' => $NO
+ },
 ### This test helps with backwards compatibility for the corner
 ### case where an SPA client pre-2.5 uses a password longer than 16 chars
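Review bot: Both new entries (v2.0.3 in the first hunk, v2.0.4 in the second) assert only `qr/with expire time/`, which passes whichever stanza of dual_key_legacy_iv_access.conf accepted the packet. The access file gives the two stanzas different timeouts, so if the intent is to prove that an old-client packet falls through the first stanza and is accepted by the `ENCRYPTION_MODE legacy` one, add a second pattern to `server_positive_output_matches` that pins the 3-second stanza, using whatever fwknopd logs for the timeout. A comment above each entry would also help, for example `### fixed packet (presumably captured from a v2.0.3 client); the replay cache is moved aside so it can be re-sent on every run`. The new `'subcategory'` value 'client->server backwards compat.' also differs from the 'client->server backwards compatibility' used by the neighbouring entries, which matters if test selection or reporting matches on that string.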