Merge branch 'master' of https://github.com/mrash/fwknop

client/http_resolve_host.c

@@ -31,7 +31,6 @@
 */
 #include "fwknop_common.h"
 #include "utils.h"
-#include <sys/wait.h>
 
 #include <errno.h>
 
@@ -43,6 +42,7 @@
     #include <sys/socket.h>
   #endif
   #include <netdb.h>
+  #include <sys/wait.h>
 #endif
 
 struct url

test/afl/README

@@ -1,60 +0,0 @@
-
-The fwknop project supports various fuzzing strategies, and one of the most
-important is usage of the 'American Fuzzy Lop' (AFL) fuzzer written by Michal
-Zalewski (see: https://code.google.com/p/american-fuzzy-lop/). Because AFL is
-not designed to handle encryption schemes (see the README included in the AFL
-sources for more information on this), a special --enable-afl-fuzzing command
-line switch is available to the fwknop autoconf configure script. This argument
-allows encryption and base64 encoding to be bypassed when feeding SPA packet
-data to fwknopd via stdin. It is the feature that enables AFL fuzzing.
-
-This directory contains enabling scripts in order to make it easy to fuzz
-fwknop with AFL. It is assumed that AFL is installed and in your path. The
-files are in this directory are organized as follows:
-
-afl-fuzzing.in   - Directory for initial AFL test case(s).
-afl-fuzzing.out  - Directory for AFL results after a fuzzing run.
-
-afl-compile.sh   - Script to compile fwknop underneath afl-gcc.
-afl-fuzzing.in   - AFL input directory which contains input test cases.
-afl-fuzzing.out  - AFL output directory.
-afl-run.sh       - Script to invoke AFL with proper command line arguments to
-                   fwknopd for fuzzing enablement.
-
-For gcov code coverage only:
-
-afl-compile-code-coverage.sh    - Compile fwknop with code coverage support.
-afl-gen-code-coverage.sh        - Generate code coverage report after running
-                                  afl-run.sh (and with coverage support
-                                  compiled in)
-
-Here is an example of what fwknopd produces when compiled for AFL support when
-a dummy SPA packet is provided in non-encoded/encrypted form via fwknopd's
-stdin:
-
-$ ./fwknopd-stdin-test.sh
-+ SPA_PKT=1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
-+ LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
-+ echo -n 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
-Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
-SPA Field Values:
-=================
-   Random Value: 1716411011200157
-       Username: root
-      Timestamp: 1397329899
-    FKO Version: 2.0.1
-   Message Type: 1 (Access msg)
- Message String: 127.0.0.2,tcp/22
-     Nat Access: <NULL>
-    Server Auth: <NULL>
- Client Timeout: 0
-    Digest Type: 3 (SHA256)
-      HMAC Type: 0 (None)
-Encryption Type: 1 (Rijndael)
-Encryption Mode: 2 (CBC)
-   Encoded Data: 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22
-SPA Data Digest: AAAAA
-           HMAC: <NULL>
- Final SPA Data: 200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
-
-SPA packet decode: Success

test/afl/README

@@ -0,0 +1 @@
+README.md

test/afl/README.md

@@ -0,0 +1,131 @@
+
+# Fuzzing fwknop With American Fuzzy Lop (AFL)
+
+## Quick Start
+
+To get going with AFL fuzzing against fwknop:
+
+    $ ./compile/afl-compile.sh
+    $ ./fuzzing-wrappers/spa-pkts.sh
+
+Fuzzing results will be placed in fuzzing-output/server-conf.out/. For more
+information, read on.
+
+## Introduction
+
+The fwknop project supports various fuzzing strategies, and one of the most
+important is usage of the 'American Fuzzy Lop' (AFL) fuzzer written by Michal
+Zalewski (see: [http://lcamtuf.coredump.cx/afl/]). Because AFL is not designed to
+handle encryption schemes (see the README included in the AFL sources for more
+information on this), a special *--enable-afl-fuzzing* command line switch is
+available in the fwknop autoconf configure script. This argument allows
+encryption and base64 encoding to be bypassed when feeding SPA packet data to
+fwknopd via stdin. It is this feature that enables AFL fuzzing, and is analogous
+to the *libpng-nocrc.patch* patch included in the AFL sources. The corresponding
+commit that enables this functionality in fwknop is aaa44656bcfcb705d80768a7b9aa0d45a0e55e21
+(see: [https://github.com/mrash/fwknop/commit/aaa44656bcfcb705d80768a7b9aa0d45a0e55e21])
+
+One exception to the need for compiling fwknop wtih *--enable-afl-fuzzing* is
+when using AFL to fuzz the fwknoprc file that is leveraged by the fwknop client.
+In this case, fwknop should not be compiled with
+*--enable-afl-fuzzing* (use the *compile/afl-compile-no-enable-arg.sh* script)
+since the fwknoprc file parsing routines are fuzzed instead of the SPA packet
+encoding/decoding cycles.
+
+## AFL Wrappers
+
+The top level directory contains enabling scripts in order to make it easy to
+fuzz fwknop with AFL. It is assumed that AFL is installed and in your path. The
+files are in this directory are organized as follows:
+
+ * *fuzzing-wrappers/*
+
+  Directory that contains wrapper scripts for running AFL against fwknop. All
+  interaction with AFL should be done with these scripts, and they should be executed
+  from the test/afl/ directory, e.g. "./fuzzing-wrappers/client-rc.sh".
+
+  There are four areas in fwknop that are fuzzed:
+    1. SPA packet encoding/decoding (*./fuzzing-wrappers/spa-pkts.sh*)
+    2. server access.conf parsing (*./fuzzing-wrappers/server-access.sh*)
+    3. server fwknopd.conf parsing (*./fuzzing-wrappers/server-conf.sh*)
+    4. client fwknoprc file parsing. (*./fuzzing-wrappers/client-rc.sh*)
+
+ * *fuzzing-wrappers/helpers/*
+
+  Directory for helper scripts that are used by the fuzzing wrappers to ensure
+  that fwknop is compiled properly for AFL support and is ready for fuzzing cycles.
+
+ * *test-cases/*
+
+  Directory for ALF test cases used by the wrapper scripts.
+
+ * *compile/*
+
+  Directory for compilation scripts to ensure fwknop is compiled underneath afl-gcc.
+
+ * *fuzzing-output/*
+
+  Results directory that is made underneath an AFL fuzzing cycle.
+
+## Complete Example
+
+To fuzz the SPA packet encoding/decoding routines, the *fuzzing-wrappers/spa-pkts.sh*
+script will kick things off. This assumes that fwknop has been compiled with AFL
+support with the *compile/afl-compile.sh* script:
+
+    $ ./fuzzing-wrappers/spa-pkts.sh
+    ...
+    + LD_LIBRARY_PATH=../../lib/.libs afl-fuzz -t 1000 -i test-cases/spa-pkts -o fuzzing-output/spa-pkts.out ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+    afl-fuzz 0.64b (Nov 22 2014 13:04:11) by <lcamtuf@google.com>
+    [+] You have 1 CPU cores and 2 runnable tasks (utilization: 200%).
+    [*] Checking core_pattern...
+    [*] Setting up output directories...
+    [+] Output directory exists but deemed OK to reuse.
+    [*] Deleting old session data...
+    [+] Output dir cleanup successful.
+    [*] Scanning 'test-cases/spa-pkts'...
+    [*] Creating hard links for all input files...
+    [*] Validating target binary...
+    [*] Attempting dry run with 'id:000000,orig:spa.start'...
+    [*] Spinning up the fork server...
+    [+] All right - fork server is up.
+    ...
+
+Then the familiar AFL status screen is displayed:
+
+![alt text][AFL-status-screen]
+
+[AFL-status-screen]: https://github.com/mrash/fwknop/raw/master/test/afl/AFL_status_screen.png "AFL Fuzzing SPA Packets"
+
+## SPA Packet Helper Script
+
+Here is an example of what fwknopd produces when compiled for AFL support when
+a dummy SPA packet is provided in non-encoded/encrypted from via fwknopd's
+stdin. This uses the *fwknopd-stdin-test.sh* helper script:
+
+    $ ./fuzzing-wrappers/helpers/fwknopd-stdin-test.sh
+    + SPA_PKT=1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
+    + LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+    + echo -n 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
+    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
+    SPA Field Values:
+    =================
+       Random Value: 1716411011200157
+           Username: root
+          Timestamp: 1397329899
+        FKO Version: 2.0.1
+       Message Type: 1 (Access msg)
+     Message String: 127.0.0.2,tcp/22
+         Nat Access: <NULL>
+        Server Auth: <NULL>
+     Client Timeout: 0
+        Digest Type: 3 (SHA256)
+          HMAC Type: 0 (None)
+    Encryption Type: 1 (Rijndael)
+    Encryption Mode: 2 (CBC)
+       Encoded Data: 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22
+    SPA Data Digest: AAAAA
+               HMAC: <NULL>
+     Final SPA Data: 200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
+
+    SPA packet decode: Success

test/afl/afl-compile-code-coverage.sh

@@ -1,9 +0,0 @@
-#!/bin/sh -x
-
-cd ..
-./rm-coverage-files.sh
-cd afl
-
-./afl-compile.sh --enable-profile-coverage
-
-exit

test/afl/compile/afl-compile-code-coverage.sh

@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+cd ..
+./rm-coverage-files.sh
+cd afl
+
+./compile/afl-compile.sh --enable-profile-coverage
+
+exit $?

test/afl/compile/afl-compile-no-enable-arg.sh

@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+# this is for the fuzzing-wrappers/client-rc.sh script
+
+cd ../../
+CC=afl-gcc ./extras/apparmor/configure_args.sh $@
+make clean
+make
+cd test/afl
+exit $?

test/afl/compile/afl-compile.sh

@@ -5,4 +5,4 @@ CC=afl-gcc ./extras/apparmor/configure_args.sh --enable-afl-fuzzing $@
 make clean
 make
 cd test/afl
-exit
+exit $?

test/afl/compile/afl-gen-code-coverage.sh

@@ -10,4 +10,4 @@ cd afl
 
 echo "[+] Code coverage available in the $RESULTS_DIR/ directory"
 
-exit
+exit $?

test/afl/fuzzing-wrappers/client-rc.sh

@@ -15,8 +15,9 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 
 ### make sure the client can handle the rc file
-./fuzzing-wrappers/fwknop-rc-test.sh || exit
+./fuzzing-wrappers/helpers/fwknop-rc-test.sh || \
+    { echo "[*] Client rc file fuzzing requires compilation with ./compile/afl-compile-no-enable-args.sh"; exit 1; }
 
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/fwknoprc $CLIENT --rc-file $OUT_DIR/fwknoprc -T -a 1.1.1.1 -n testhost.com
 
-exit
+exit $?

test/afl/fuzzing-wrappers/fwknop-rc-test.sh

@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../client/.libs/fwknop --rc-file test-cases/client-rc/fwknoprc -T -a 1.1.1.1 -n testhost.com

test/afl/fuzzing-wrappers/fwknopd-parse-access.sh

@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t --exit-parse-config -D

test/afl/fuzzing-wrappers/fwknopd-parse-conf.sh

@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c test-cases/server-conf/fwknopd.conf -a ../conf/default_access.conf -A -f -t --exit-parse-config -D

test/afl/fuzzing-wrappers/helpers/fwknop-rc-hangs.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/client-rc.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknop-rc-test.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+    ./$HELPER_SH $f
+done
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknop-rc-test.sh

@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+RC_FILE="test-cases/client-rc/fwknoprc"
+
+if [ $@ ]
+then
+    RC_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../client/.libs/fwknop --rc-file $RC_FILE -T -a 1.1.1.1 -n testhost.com
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access-hangs.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/server-access.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-parse-access.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+    ./$HELPER_SH $f
+done
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access.sh

@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+ACCESS_FILE="../conf/default_access.conf"
+
+if [ $@ ]
+then
+    ACCESS_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/ipt_snat_fwknopd.conf -a $ACCESS_FILE -A -f -t --exit-parse-config -D
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf-hangs.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/server-conf.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-parse-conf.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+    ./$HELPER_SH $f
+done
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf.sh

@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+FWKNOPD_CONF_FILE="test-cases/server-conf/fwknopd.conf"
+
+if [ $@ ]
+then
+    FWKNOPD_CONF_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c $FWKNOPD_CONF_FILE -a ../conf/default_access.conf -A -f -t --exit-parse-config -D
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-hangs.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/spa-pkts.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-stdin-test.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+    ./$HELPER_SH $f
+done
+
+exit $?

test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-test.sh

@@ -1,6 +1,7 @@
 #!/bin/sh -x
 
 SPA_PKT="1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA"
-#SPA_PKT="1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:A"
 
 echo -n $SPA_PKT | LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+
+exit $?

test/afl/fuzzing-wrappers/server-access.sh

@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 
 ### make sure that parsing the access.conf file works
-./fuzzing-wrappers/fwknopd-parse-access.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-parse-access.sh || exit $?
 
-LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_access.conf $SERVER -c ../conf/default_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
+LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_access.conf $SERVER -c ../conf/ipt_snat_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
 
-exit
+exit $?

test/afl/fuzzing-wrappers/server-conf.sh

@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 
 ### make sure that parsing the fwknopd.conf file works
-./fuzzing-wrappers/fwknopd-parse-conf.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-parse-conf.sh || exit $?
 
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_fwknopd.conf $SERVER -c $OUT_DIR/afl_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
 
-exit
+exit $?

test/afl/fuzzing-wrappers/spa-pkts.sh

@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 
 ### make sure that a basic SPA packet to stdin in fwknopd -A mode works
-./fuzzing-wrappers/fwknopd-stdin-test.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-stdin-test.sh || exit $?
 
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR $SERVER -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
 
-exit
+exit $?

test/afl/test-cases/server-access/access.conf

@@ -9,8 +9,9 @@ FW_ACCESS_TIMEOUT           2
 
 SOURCE                      ANY
 KEY                         test3
-ACCESS_EXPIRE               3-10-01;  ### comment
-OPEN_PORTS                  tcp/80
+ACCESS_EXPIRE               03/10/2014;  ### comment
+OPEN_PORTS                  tcp/22;
+RESTRICT_PORTS              udp/6001, tcp/45, tcp/80, tcp/12345
 FW_ACCESS_TIMEOUT           3
 ENCRYPTION_MODE             legacy
 
@@ -20,26 +21,27 @@ REQUIRE_USERNAME            nouser
 KEY                         test4
 OPEN_PORTS                  tcp/80
 FORCE_NAT                   192.168.1.123 22
+FORCE_SNAT                  33.3.3.3
 
-SOURCE                      ANY
-KEY                         test5
-HMAC_KEY                    test6
-OPEN_PORTS                  tcp/80
-RESTRICT_PORTS              tcp/34
+SOURCE                      1.2.3.4
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS                  tcp/80;  ### also appears in RESTRICT_PORTS
+RESTRICT_PORTS              udp/6001, tcp/22, tcp/80, tcp/12345
 FW_ACCESS_TIMEOUT           3
 ENABLE_CMD_EXEC             Y
 
 SOURCE                  ANY
 KEY                     fwknoptest
 FW_ACCESS_TIMEOUT       3
-GPG_HOME_DIR            conf/server-gpg
-GPG_DECRYPT_ID          361BBAD4
-GPG_DECRYPT_PW          fwknoptest
+GPG_HOME_DIR            ../conf/server-gpg
+GPG_DECRYPT_ID          12341234, DEADBEEF, 361BBAD4, 43214321
+GPG_DECRYPT_PW          fwknoptest, testtest
 GPG_REMOTE_ID           6A3FAD56
 
 SOURCE                      ANY
 FW_ACCESS_TIMEOUT           3
-GPG_HOME_DIR                conf/server-gpg-no-pw
+GPG_HOME_DIR                ../conf/server-gpg-no-pw
 GPG_DECRYPT_ID              361BBAD4
 GPG_ALLOW_NO_PW             Y
 GPG_FINGERPRINT_ID          00CC95F05BC146B6AC4038C9E36F443C6A3FAD56