From 295a6a0d1489e8f80bd96dbf2488708c557803bf Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Fri, 17 Jul 2015 21:28:02 -0700
Subject: [PATCH] [server] fix is_digits() logic and add tests

---
 server/fw_util_firewalld.c  |  7 ++++++-
 server/fw_util_ipfw.c       |  7 ++++++-
 server/fw_util_iptables.c   |  7 ++++++-
 server/fw_util_pf.c         |  7 ++++++-
 test/tests/rijndael_hmac.pl | 36 ++++++++++++++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/server/fw_util_firewalld.c b/server/fw_util_firewalld.c
index ce59bfc2..9d8c4c5b 100644
--- a/server/fw_util_firewalld.c
+++ b/server/fw_util_firewalld.c
@@ -1486,7 +1486,12 @@ rm_expired_rules(const fko_srv_options_t * const opts,
         strlcpy(exp_str, ndx, sizeof(exp_str));
         chop_spaces(exp_str);
         if(!is_digits(exp_str))
-            break;
+        {
+            /* go to the next rule if it exists
+            */
+            ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
+            continue;
+        }
 
         rule_exp = (time_t)atoll(exp_str);
 
diff --git a/server/fw_util_ipfw.c b/server/fw_util_ipfw.c
index 449f458e..1cde108d 100644
--- a/server/fw_util_ipfw.c
+++ b/server/fw_util_ipfw.c
@@ -683,7 +683,12 @@ check_firewall_rules(const fko_srv_options_t * const opts)
         strlcpy(exp_str, ndx, sizeof(exp_str));
         chop_spaces(exp_str);
         if(!is_digits(exp_str))
-            break;
+        {
+            /* go to the next rule if it exists
+            */
+            ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
+            continue;
+        }
 
         rule_exp = (time_t)atoll(exp_str);
 
diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c
index 19497c33..c349e2ad 100644
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@@ -1472,7 +1472,12 @@ rm_expired_rules(const fko_srv_options_t * const opts,
         strlcpy(exp_str, ndx, sizeof(exp_str));
         chop_spaces(exp_str);
         if(!is_digits(exp_str))
-            break;
+        {
+            /* go to the next rule if it exists
+            */
+            ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
+            continue;
+        }
 
         rule_exp = (time_t)atoll(exp_str);
 
diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c
index e6951dd9..1a47b975 100644
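Review bot: The `rule_exp = (time_t)atoll(exp_str);` context line still converts the expiry with atoll(), whose result is undefined when the digit run does not fit in a long long, so a comment that passes is_digits() but carries an overlong number (the same kind of foreign rule the new tests insert, only longer) is still not handled; converting with strtoll() and an end-pointer/ERANGE check, and taking the new skip path on failure, closes that gap. The added `continue` only makes progress if `tmp_mark` was already advanced past the matched prefix earlier in the loop, which is outside this hunk; if it still pointed at the prefix itself, strstr() would return the same position and the loop would never terminate, so that invariant is worth a one-line comment at the assignment, e.g. `/* tmp_mark must point past the matched prefix or the skip below never advances */`. The same six-line block is repeated verbatim in the fw_util_ipfw.c, fw_util_iptables.c and fw_util_pf.c hunks; a shared static helper that returns the next `_exp_` position would keep the four copies from drifting. The enclosing rm_expired_rules()/check_firewall_rules() functions start and end outside their hunks, so the `end`/`rule_exp_ll` locals below would be declared at function scope and `<errno.h>` included per the file's conventions.
```c
        /* … unchanged: is_digits() check and skip-to-next-rule block … */

        errno = 0;
        end = NULL;
        rule_exp_ll = strtoll(exp_str, &end, 10);
        if(end == exp_str || *end != '\0' || errno == ERANGE)
        {
            /* expiry is not representable; treat it like a malformed comment
             * and move on to the next rule if there is one
            */
            ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
            continue;
        }
        rule_exp = (time_t)rule_exp_ll;
```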
--- a/server/fw_util_pf.c
+++ b/server/fw_util_pf.c
@@ -407,7 +407,12 @@ check_firewall_rules(const fko_srv_options_t * const opts)
         strlcpy(exp_str, ndx, sizeof(exp_str));
         chop_spaces(exp_str);
         if(!is_digits(exp_str))
-            break;
+        {
+            /* go to the next rule if it exists
+            */
+            ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
+            continue;
+        }
 
         rule_exp = (time_t)atoll(exp_str);
 
diff --git a/test/tests/rijndael_hmac.pl b/test/tests/rijndael_hmac.pl
index b09f760e..ce07456d 100644
--- a/test/tests/rijndael_hmac.pl
+++ b/test/tests/rijndael_hmac.pl
@@ -231,6 +231,42 @@
         'key_file' => $cf{'rc_hmac_b64_key'},
         'client_cycles_per_server_instance' => 3,
     },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail' => 'invalid _exp_ prefix',
+        'function' => \&spa_cycle,
+        'cmdline' => $default_client_hmac_args,
+        'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
+            "-d $default_digest_file -p $default_pid_file " .
+            "$intf_str --no-ipt-check-support --no-firewd-check-support",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_b64_key'},
+        'insert_duplicate_rule_while_running' => $YES,
+        'fw_dupe_rule_args' => [
+            "-A FWKNOP_INPUT -p 6 -s $fake_ip -d 0.0.0.0/0 " .
+            "--dport 22 -m comment --comment _exp_NNN -j ACCEPT"
+        ],
+    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail' => 'invalid _exp_ prefix (2)',
+        'function' => \&spa_cycle,
+        'cmdline' => $default_client_hmac_args,
+        'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_b64_key'},
+        'insert_duplicate_rule_while_running' => $YES,
+        'fw_dupe_rule_args' => [
+            "-A FWKNOP_INPUT -p 6 -s $fake_ip -d 0.0.0.0/0 " .
+            "--dport 22 -m comment --comment _exp_NNN -j ACCEPT"
+        ],
+    },
+    {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',