[server] ipfw active/expire sets cannot be the same

This commit is contained in:
Michael Rash 2012-08-16 22:16:36 -04:00
parent fda5759b2b
commit 3afd1aa762
3 changed files with 53 additions and 15 deletions


@ -0,0 +1,6 @@
#
# The default fwknopd.conf contains only comments since defaults are defined in
# code and modified via the config file
#
IPFW_ACTIVE_SET_NUM 1;
IPFW_EXPIRE_SET_NUM 1;
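Review bot: The header comment on this new fixture was carried over from the shipped fwknopd.conf and says the file "contains only comments", but the two lines that follow set IPFW_ACTIVE_SET_NUM and IPFW_EXPIRE_SET_NUM to the same value on purpose. A reader skimming the test configs will take the comment at face value, so replace it with one that states the fixture's intent, e.g. `# Test config: active and expire ipfw sets deliberately set to the same value so fwknopd must refuse to start`. Since no other directives are set here, it may also be worth noting in that comment that every other setting falls back to the built-in defaults.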


@ -30,6 +30,7 @@ my %cf = (
'invalid_exp_access' => "$conf_dir/invalid_expire_access.conf", 'invalid_exp_access' => "$conf_dir/invalid_expire_access.conf",
'force_nat_access' => "$conf_dir/force_nat_access.conf", 'force_nat_access' => "$conf_dir/force_nat_access.conf",
'local_nat' => "$conf_dir/local_nat_fwknopd.conf", 'local_nat' => "$conf_dir/local_nat_fwknopd.conf",
'ipfw_active_expire' => "$conf_dir/ipfw_active_expire_equal_fwknopd.conf",
'dual_key_access' => "$conf_dir/dual_key_usage_access.conf", 'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
'gpg_access' => "$conf_dir/gpg_access.conf", 'gpg_access' => "$conf_dir/gpg_access.conf",
'gpg_no_pw_access' => "$conf_dir/gpg_no_pw_access.conf", 'gpg_no_pw_access' => "$conf_dir/gpg_no_pw_access.conf",
@ -110,6 +111,10 @@ my $NEW_RULE_REMOVED = 1;
my $REQUIRE_NO_NEW_REMOVED = 2; my $REQUIRE_NO_NEW_REMOVED = 2;
my $MATCH_ANY = 1; my $MATCH_ANY = 1;
my $MATCH_ALL = 2; my $MATCH_ALL = 2;
my $LINUX = 1;
my $FREEBSD = 2;
my $MACOSX = 3;
my $OPENBSD = 4;
my $ip_re = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|; ### IPv4 my $ip_re = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|; ### IPv4
@ -1158,6 +1163,22 @@ my @tests = (
'fatal' => $NO 'fatal' => $NO
}, },
{
'category' => 'Rijndael SPA',
'subcategory' => 'server',
'detail' => 'ipfw active/expire sets not equal',
'err_msg' => 'allowed active/expire sets to be the same',
'function' => \&spa_cycle,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopdCmd -c $cf{'ipfw_active_expire'} -a $cf{'def_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr/Cannot\sset\sidentical\sipfw\sactive\sand\sexpire\ssets/],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'fatal' => $NO
},
{ {
'category' => 'Rijndael SPA', 'category' => 'Rijndael SPA',
'subcategory' => 'client+server', 'subcategory' => 'client+server',
@ -1644,7 +1665,7 @@ sub process_include_exclude() {
if (@tests_to_include) { if (@tests_to_include) {
my $found = 0; my $found = 0;
for my $test (@tests_to_include) { for my $test (@tests_to_include) {
if ($msg =~ /$test/ or ($use_valgrind if ($msg =~ $test or ($use_valgrind
and $msg =~ /valgrind\soutput/)) { and $msg =~ /valgrind\soutput/)) {
$found = 1; $found = 1;
last; last;
@ -1655,7 +1676,7 @@ sub process_include_exclude() {
if (@tests_to_exclude) { if (@tests_to_exclude) {
my $found = 0; my $found = 0;
for my $test (@tests_to_exclude) { for my $test (@tests_to_exclude) {
if ($msg =~ /$test/) { if ($msg =~ $test) {
$found = 1; $found = 1;
last; last;
} }
@ -2589,7 +2610,7 @@ sub specs() {
### all three of fwknop/fwknopd/libfko must link against gpgme in order ### all three of fwknop/fwknopd/libfko must link against gpgme in order
### to enable gpg tests ### to enable gpg tests
unless ($have_gpgme == 3) { unless ($have_gpgme == 3) {
push @tests_to_exclude, "GPG"; push @tests_to_exclude, qr/GPG/;
} }
return 1; return 1;
@ -2820,10 +2841,14 @@ sub init() {
} }
if ($test_include) { if ($test_include) {
@tests_to_include = split /\s*,\s*/, $test_include; for my $re (split /\s*,\s*/, $test_include) {
push @tests_to_include, qr/$re/;
}
} }
if ($test_exclude) { if ($test_exclude) {
@tests_to_exclude = split /\s*,\s*/, $test_exclude; for my $re (split /\s*,\s*/, $test_exclude) {
push @tests_to_exclude, qr/$re/;
}
} }
### make sure no fwknopd instance is currently running ### make sure no fwknopd instance is currently running
@ -2831,35 +2856,41 @@ sub init() {
if &is_fwknopd_running(); if &is_fwknopd_running();
unless ($enable_recompilation_warnings_check) { unless ($enable_recompilation_warnings_check) {
push @tests_to_exclude, 'recompilation'; push @tests_to_exclude, qr/recompilation/;
} }
unless ($enable_make_distcheck) { unless ($enable_make_distcheck) {
push @tests_to_exclude, 'distcheck'; push @tests_to_exclude, qr/distcheck/;
} }
unless ($enable_client_ip_resolve_test) { unless ($enable_client_ip_resolve_test) {
push @tests_to_exclude, 'IP resolve'; push @tests_to_exclude, qr/IP resolve/;
} }
$sudo_path = &find_command('sudo'); $sudo_path = &find_command('sudo');
unless ((&find_command('cc') or &find_command('gcc')) and &find_command('make')) { unless ((&find_command('cc') or &find_command('gcc')) and &find_command('make')) {
### disable compilation checks ### disable compilation checks
push @tests_to_exclude, 'recompilation'; push @tests_to_exclude, qr/recompilation/;
} }
open UNAME, "uname |" or die "[*] Could not execute uname: $!"; open UNAME, "uname |" or die "[*] Could not execute uname: $!";
while (<UNAME>) { while (<UNAME>) {
if (/linux/i) { if (/linux/i) {
$platform = 'linux'; $platform = $LINUX;
last;
} elsif (/freebsd/i) {
$platform = $FREEBSD;
last; last;
} }
} }
close UNAME; close UNAME;
unless ($platform eq 'linux') { unless ($platform eq $LINUX) {
push @tests_to_exclude, 'NAT'; push @tests_to_exclude, qr/NAT/;
}
unless ($platform eq $FREEBSD or $platform eq $MACOSX) {
push @tests_to_exclude, qr|active/expire sets|;
} }
if (-e $default_digest_file) { if (-e $default_digest_file) {
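Review bot: The uname loop near the end of the section only ever assigns $LINUX or $FREEBSD, so unless $platform is set to $MACOSX somewhere outside this hunk, the new `unless ($platform eq $FREEBSD or $platform eq $MACOSX)` guard still excludes the active/expire test on Mac OS X even though the condition is written to allow it; a `} elsif (/darwin/i) { $platform = $MACOSX; last; }` branch would close that gap. Because $LINUX, $FREEBSD and $MACOSX are now numeric constants rather than the old 'linux' string, the two comparisons would read more naturally with `==`, and $platform should be given a defined default before the loop so an unrecognized uname does not compare undef. Separately, the new test entry in the @tests hunk expects `'fw_rule_created' => $NEW_RULE_REQUIRED` while its positive output match is the server refusing identical sets; if fwknopd exits at startup no rule can be created, so the "no new rule" counterpart of $REQUIRE_NO_NEW_REMOVED looks like the intended value, and its 'detail' string "sets not equal" describes the opposite of what the fixture configures. The init() sub continues past the end of the section.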


@ -2,6 +2,10 @@
This is the main todo org mode file for the fwknop project This is the main todo org mode file for the fwknop project
** COMPLETED ** COMPLETED
This bucket is for completed tasks. This bucket is for completed tasks.
*** [server] ipfw active/expire sets cannot be the same
:CLOSED: <2012-08-16 Thu>
Add a check to ensure that active and expire sets are not the same value in
fwknopd.conf, and add a corresponding test in the test suite.
*** Update fwknopd man page for GPG_ALLOW_NO_PW *** Update fwknopd man page for GPG_ALLOW_NO_PW
:CLOSED: <2012-08-14 Tue> :CLOSED: <2012-08-14 Tue>
*** Preserve existing configs under 'make install' *** Preserve existing configs under 'make install'
@ -34,9 +38,6 @@
** [test suite] Remove lib check for test suite when running in --enable-recompile mode ** [test suite] Remove lib check for test suite when running in --enable-recompile mode
When creating a release tarball under 'make dist', the test suite performs When creating a release tarball under 'make dist', the test suite performs
a check for existing lib/ directory even under --enable-recompile. a check for existing lib/ directory even under --enable-recompile.
** [server] ipfw active/expire sets cannot be the same
Add a check to ensure that active and expire sets are not the same value in
fwknopd.conf, and add a corresponding test in the test suite.
** [test suite] SPA packet fuzzer ** [test suite] SPA packet fuzzer
Add a series of patches to the fwknop client that break how it produces SPA Add a series of patches to the fwknop client that break how it produces SPA
data in subtle ways in order to ensure proper validation by fwknopd. data in subtle ways in order to ensure proper validation by fwknopd.