diff --git a/client/config_init.c b/client/config_init.c
index b2b736f8..42a633a4 100644
--- a/client/config_init.c
+++ b/client/config_init.c
@@ -1360,6 +1360,9 @@ validate_options(fko_cli_options_t *options)
     if(options->use_hmac && options->hmac_type == FKO_HMAC_UNKNOWN)
         options->hmac_type = FKO_DEFAULT_HMAC_MODE;
 
+    if(options->key_gen && options->hmac_type == FKO_HMAC_UNKNOWN)
+        options->hmac_type = FKO_DEFAULT_HMAC_MODE;
+
     return;
 }
 
@@ -1491,7 +1494,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 strlcpy(options->get_key_file, optarg, sizeof(options->get_key_file));
                 cli_arg_bitmask |= FWKNOP_CLI_ARG_BM(FWKNOP_CLI_ARG_KEY_FILE);
                 break;
-            case GET_HMAC_KEY:
+            case GET_HMAC_KEY:
                 strlcpy(options->get_hmac_key_file, optarg, sizeof(options->get_hmac_key_file));
                 options->use_hmac = 1;
diff --git a/client/fwknop.c b/client/fwknop.c
index 7e22c2c7..3711526e 100644
--- a/client/fwknop.c
+++ b/client/fwknop.c
@@ -205,10 +205,19 @@ main(int argc, char **argv)
      */
     if(options.key_gen)
     {
-        fko_key_gen(options.key_base64, options.key_len,
+        memset(options.key_base64, 0x00, MAX_B64_KEY_LEN+1);
+        memset(options.hmac_key_base64, 0x00, MAX_B64_KEY_LEN+1);
+
+        res = fko_key_gen(options.key_base64, options.key_len,
                 options.hmac_key_base64, options.hmac_key_len,
                 options.hmac_type);
 
+        if(res != FKO_SUCCESS)
+        {
+            errmsg("fko_key_gen", res);
+            return(EXIT_FAILURE);
+        }
+
         if(options.key_gen_file[0] != '\0')
         {
             if ((key_gen_file_ptr = fopen(options.key_gen_file, "w")) == NULL)
diff --git a/lib/fko_funcs.c b/lib/fko_funcs.c
index a44761c3..c6c3a4d5 100644
--- a/lib/fko_funcs.c
+++ b/lib/fko_funcs.c
@@ -381,6 +381,7 @@ fko_key_gen(char * const key_base64, const int key_len,
     unsigned char hmac_key[SHA512_BLOCK_LEN];
     int klen = key_len;
     int hmac_klen = hmac_key_len;
+    int b64_len = 0;
 
     if(key_len == FKO_DEFAULT_KEY_LEN)
         klen = RIJNDAEL_MAX_KEYSIZE;
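Review bot: The new `if(options->key_gen && options->hmac_type == FKO_HMAC_UNKNOWN)` test in validate_options repeats the condition and the assignment of the two lines directly above it; a single guard, `if((options->use_hmac || options->key_gen) && options->hmac_type == FKO_HMAC_UNKNOWN)`, states the rule once and makes it obvious that key generation always needs a concrete HMAC mode. A short comment such as `/* --key-gen emits an HMAC key, so it needs a mode even without --use-hmac */` would record why key_gen joins use_hmac here. validate_options starts outside the hunk.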
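Review bot: The two memset calls added in main hard-code `MAX_B64_KEY_LEN+1` as the size of `options.key_base64` and `options.hmac_key_base64`; the struct definition is not visible here, so `memset(options.key_base64, 0x00, sizeof(options.key_base64));` and `memset(options.hmac_key_base64, 0x00, sizeof(options.hmac_key_base64));` would keep the clear bounded by the actual arrays if the field sizes ever drift from the macro. The new failure branch correctly stops before the key file is written, but by that point fko_key_gen may already have placed part of a key in both buffers; unless `options` is wiped on the way out of main (not visible here), repeating the memsets before `return(EXIT_FAILURE)` keeps the partial key material from lingering. `res` is declared outside the hunk.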
@@ -409,8 +410,13 @@ fko_key_gen(char * const key_base64, const int key_len,
     get_random_data(key, klen);
     get_random_data(hmac_key, hmac_klen);
 
-    b64_encode(key, key_base64, klen);
-    b64_encode(hmac_key, hmac_key_base64, hmac_klen);
+    b64_len = b64_encode(key, key_base64, klen);
+    if(b64_len < klen)
+        return(FKO_ERROR_INVALID_DATA);
+
+    b64_len = b64_encode(hmac_key, hmac_key_base64, hmac_klen);
+    if(b64_len < hmac_klen)
+        return(FKO_ERROR_INVALID_DATA);
 
     return(FKO_SUCCESS);
 }
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index 384ffa29..08eec66b 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@@ -346,6 +346,7 @@ exit 1 unless GetOptions(
     ### can set the following to "output.last/valgrind-coverage" if
     ### a full test suite run has already been executed with --enable-valgrind
     'valgrind-prev-cov-dir=s' => \$previous_valgrind_coverage_dir,
+    'openssl-path=s' => \$openssl_path,
     'output-dir=s' => \$output_dir,
     'diff' => \$diff_mode,
     'diff-dir1=s' => \$diff_dir1,
@@ -4307,8 +4308,11 @@ sub key_gen_uniqueness() {
     my %rijndael_keys = ();
     my %hmac_keys = ();
 
+    my $rv = 1;
+
     ### collect key information
     my $found_dup = 0;
+
     for (my $i=0; $i < $uniq_keys; $i++) {
         open CMD, "$test_hr->{'cmdline'} | " or die $!;
         while () {
@@ -4324,7 +4328,12 @@ sub key_gen_uniqueness() {
         last if $found_dup;
     }
 
-    return ! $found_dup;
+    $rv = 0 if $found_dup;
+
+    $rv = 0 unless keys %rijndael_keys == $uniq_keys;
+    $rv = 0 unless keys %hmac_keys == $uniq_keys;
+
+    return $rv;
 }
 
 ### check for PIE
@@ -5062,11 +5071,11 @@ sub init() {
     }
 
     if ($enable_openssl_compatibility_tests) {
-        $openssl_path = &find_command('openssl');
+        $openssl_path = &find_command('openssl') unless $openssl_path;
         if ($openssl_path) {
             require MIME::Base64;
             MIME::Base64->import(qw(encode_base64 decode_base64));
-            $base64_path = &find_command('base64');
+            $base64_path = &find_command('base64') unless $base64_path;
 
             ### check for hmac openssl support
             &openssl_hmac_style_check();
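Review bot: The new `if(b64_len < klen)` and `if(b64_len < hmac_klen)` checks in fko_key_gen are loose: base64 output is at least 4/3 of the input length, so any truncated encoding that is still longer than the raw key passes and only an outright failure return from b64_encode is caught. If b64_encode pads to a multiple of four, the exact expected length is `((klen + 2) / 3) * 4` (and the same form for hmac_klen), and comparing with `!=` would also flag an over-long write into the caller's buffer. Separately, the `key` and `hmac_key` stack buffers hold the raw generated key material and are left as-is on both the new error returns and the existing `return(FKO_SUCCESS)`; a memset of both before each return (or a single cleanup label) limits how long the plaintext keys stay on the stack. fko_key_gen starts outside the hunk, so any wiping that may happen earlier is not visible here.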
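Review bot: `keys %rijndael_keys == $uniq_keys` in key_gen_uniqueness parses as intended only because `keys` binds tighter than `==`, which is easy to misread as comparing the hash to a number; `$rv = 0 unless scalar(keys %rijndael_keys) == $uniq_keys;` and the matching line for `%hmac_keys` make the intent explicit. Since the loop above stops with `last if $found_dup`, a duplicate always leaves the hashes short as well, so the three `$rv = 0` lines overlap; that is harmless, but a comment such as `### each run must emit a fresh, distinct key pair` would explain why the count check is kept alongside the duplicate flag. The sub starts outside the hunk.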
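Review bot: `$openssl_path = &find_command('openssl') unless $openssl_path;` in init lets a caller-supplied `--openssl-path` skip the lookup, but nothing checks that the supplied value is an executable file, so a typo passes the following `if ($openssl_path)` and only surfaces when the first openssl test fails. A guard right after the assignment, `die "[*] openssl not executable: $openssl_path" unless -x $openssl_path;`, fails fast with a clear message. The same pattern is applied to `$base64_path` here and to `$valgrind_path`, `$python_path`, `$sudo_path`, `$killall_path`, `$pgrep_path` and `$gcov_path` in the three init hunks that follow; only `openssl-path` gains a GetOptions entry in this diff, so presumably the others are already settable elsewhere and would benefit from the same `-x` check.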
@@ -5079,7 +5088,7 @@ sub init() {
     }
 
     if ($enable_valgrind) {
-        $valgrind_path = &find_command('valgrind');
+        $valgrind_path = &find_command('valgrind') unless $valgrind_path;
         unless ($valgrind_path) {
             print "[-] --enable-valgrind mode requested ",
                 "but valgrind not found, disabling.\n";
@@ -5123,7 +5132,7 @@ sub init() {
         die "[*] The python test script: $python_script doesn't exist ",
             "or is not executable." unless -e $python_script and -x $python_script;
 
-        $python_path = &find_command('python');
+        $python_path = &find_command('python') unless $python_path;
         unless ($python_path) {
             push @tests_to_exclude, qr/python fko extension/
         }
@@ -5142,16 +5151,16 @@ sub init() {
         push @tests_to_exclude, qr/perl FKO module.*FUZZING/;
     }
 
-    $sudo_path = &find_command('sudo');
-    $killall_path = &find_command('killall');
-    $pgrep_path = &find_command('pgrep');
+    $sudo_path = &find_command('sudo') unless $sudo_path;
+    $killall_path = &find_command('killall') unless $killall_path;
+    $pgrep_path = &find_command('pgrep') unless $pgrep_path;
 
     unless ((&find_command('cc') or &find_command('gcc')) and &find_command('make')) {
         ### disable compilation checks
         push @tests_to_exclude, qr/recompilation/;
     }
 
-    $gcov_path = &find_command('gcov');
+    $gcov_path = &find_command('gcov') unless $gcov_path;
 
     if ($gcov_path) {
         if ($enable_profile_coverage_check) {
diff --git a/test/tests/rijndael.pl b/test/tests/rijndael.pl
index c79692c4..a319bb71 100644
--- a/test/tests/rijndael.pl
+++ b/test/tests/rijndael.pl
@@ -325,7 +325,8 @@
         'function' => \&generic_exec,
         'cmdline' => "LD_LIBRARY_PATH=$lib_dir " .
             "$valgrind_str $fwknopCmd --key-gen",
-        'positive_output_matches' => [qr/BASE64/, qw/HMAC/, qw/KEY/],
+        'positive_output_matches' => [qr/^KEY_BASE64\:?\s\S{10}/,
+            qw/HMAC_KEY_BASE64\:?\s\S{10}/],
         'fatal' => $NO
     },
     {
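Review bot: The second entry of the new `positive_output_matches` list, `qw/HMAC_KEY_BASE64\:?\s\S{10}/`, is a plain string, not a compiled pattern: `qw` does no regex compilation, so unless the matcher interpolates each entry into a pattern (not visible here) the `\:?\s\S{10}` part is searched for literally and the HMAC line never matches, which would make the key-gen test pass or fail for the wrong reason. `qr/HMAC_KEY_BASE64\:?\s\S{10}/` mirrors the `qr//` form of the first entry and behaves the same whichever way the matcher works. Note also that the `^` in `qr/^KEY_BASE64\:?\s\S{10}/` anchors at the start of the whole captured output unless the matcher applies `/m`, so it relies on KEY_BASE64 being the first line emitted; if that is intended, a comment on the entry saying so would save the next reader a trip to generic_exec.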