[test suite] added GPG password required HMAC tests, added --disable-valgrind argument

Michael Rash 2013-04-23 21:56:41 -04:00
parent 4ea683678b
commit 5e82adbf3f
4 changed files with 160 additions and 4 deletions


@ -0,0 +1,3 @@
[default]
HMAC_DIGEST_TYPE sha256
HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==


@ -0,0 +1,8 @@
SOURCE: ANY;
FW_ACCESS_TIMEOUT: 3;
HMAC_DIGEST_TYPE: sha256
HMAC_KEY_BASE64: Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
GPG_HOME_DIR: conf/server-gpg;
GPG_DECRYPT_ID: 361BBAD4;
GPG_DECRYPT_PW: fwknoptest;
GPG_REMOTE_ID: 6A3FAD56;
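Review bot: The two HMAC entries `HMAC_DIGEST_TYPE: sha256` and `HMAC_KEY_BASE64: ...` are the only lines in this access stanza without the trailing `;` that every other entry (`SOURCE: ANY;`, `GPG_DECRYPT_PW: fwknoptest;`, `GPG_REMOTE_ID: 6A3FAD56;`) carries. Whether fwknopd's access-file parser tolerates the missing terminator cannot be told from this page; if it does not, the HMAC key would be absent from the stanza and the gpg_hmac.pl tests that rely on `$default_server_gpg_args_hmac` would not be exercising HMAC verification at all. Adding the terminator to both lines, e.g. `HMAC_DIGEST_TYPE: sha256;`, keeps the file consistent either way.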


@ -70,6 +70,7 @@ our %cf = (
'dual_key_access' => "$conf_dir/dual_key_usage_access.conf",
'hmac_dual_key_access' => "$conf_dir/hmac_dual_key_usage_access.conf",
'gpg_access' => "$conf_dir/gpg_access.conf",
'gpg_hmac_access' => "$conf_dir/gpg_hmac_access.conf",
'legacy_iv_access' => "$conf_dir/legacy_iv_access.conf",
'gpg_no_pw_access' => "$conf_dir/gpg_no_pw_access.conf",
'gpg_no_pw_hmac_access' => "$conf_dir/gpg_no_pw_hmac_access.conf",
@ -103,6 +104,7 @@ our %cf = (
'rc_invalid_b64_key' => "$conf_dir/fwknoprc_invalid_base64_key",
'rc_hmac_b64_key' => "$conf_dir/fwknoprc_default_hmac_base64_key",
'rc_hmac_b64_key2' => "$conf_dir/fwknoprc_hmac_key2",
'rc_gpg_hmac_b64_key' => "$conf_dir/fwknoprc_gpg_hmac_key",
'rc_hmac_simple_key' => "$conf_dir/fwknoprc_hmac_simple_keys",
'rc_hmac_invalid_type' => "$conf_dir/fwknoprc_hmac_invalid_type",
'rc_hmac_invalid_type' => "$conf_dir/fwknoprc_hmac_invalid_type",
@ -178,6 +180,7 @@ my @test_files = (
"$tests_dir/gpg_no_pw.pl",
"$tests_dir/gpg_no_pw_hmac.pl",
"$tests_dir/gpg.pl",
"$tests_dir/gpg_hmac.pl",
);
#================== end config ===================
@ -194,6 +197,7 @@ our @rijndael_fuzzing = (); ### from tests/rijndael_fuzzing.pl
our @gpg_no_pw = (); ### from tests/gpg_now_pw.pl
our @gpg_no_pw_hmac = (); ### from tests/gpg_now_pw_hmac.pl
our @gpg = (); ### from tests/gpg.pl
our @gpg_hmac = (); ### from tests/gpg_hmac.pl
our @perl_FKO_module = (); ### from tests/perl_FKO_module.pl
our @python_fko = (); ### from tests/python_fko.pl
our @rijndael_backwards_compatibility = (); ### from tests/rijndael_backwards_compatibility.pl
@ -228,6 +232,7 @@ my %fuzzing_spa_packets = ();
my $total_fuzzing_pkts = 0;
my $server_test_file = '';
my $enable_valgrind = 0;
my $disable_valgrind = 0;
our $valgrind_str = '';
my %prev_valgrind_cov = ();
my %prev_valgrind_file_titles = ();
@ -326,6 +331,7 @@ exit 1 unless GetOptions(
'List-mode' => \$list_mode,
'test-limit=i' => \$test_limit,
'enable-valgrind' => \$enable_valgrind,
'disable-valgrind' => \$disable_valgrind,
'enable-all' => \$enable_all,
'valgrind-path=s' => \$valgrind_path,
### can set the following to "output.last/valgrind-coverage" if
@ -350,6 +356,8 @@ if ($enable_all) {
$enable_openssl_compatibility_tests = 1;
}
$enable_valgrind = 0 if $disable_valgrind;
### create an anonymized tar file of test suite results that can be
### emailed around to assist in debugging fwknop communications
exit &anonymize_results() if $anonymize_results;
@ -415,6 +423,11 @@ our $default_server_gpg_args_no_pw = "LD_LIBRARY_PATH=$lib_dir " .
"-a $cf{'gpg_no_pw_access'} $intf_str " .
"-d $default_digest_file -p $default_pid_file";
our $default_server_gpg_args_hmac = "LD_LIBRARY_PATH=$lib_dir " .
"$valgrind_str $fwknopdCmd -c $cf{'def'} " .
"-a $cf{'gpg_hmac_access'} $intf_str " .
"-d $default_digest_file -p $default_pid_file";
our $default_server_gpg_args_no_pw_hmac = "LD_LIBRARY_PATH=$lib_dir " .
"$valgrind_str $fwknopdCmd -c $cf{'def'} " .
"-a $cf{'gpg_no_pw_hmac_access'} $intf_str " .
@ -466,6 +479,7 @@ my @tests = (
@gpg_no_pw,
@gpg_no_pw_hmac,
@gpg,
@gpg_hmac,
);
my %test_keys = (
@ -1113,10 +1127,10 @@ sub client_send_spa_packet() {
if ($is_hmac_type and $hmac_key) {
my $enc_mode = $ENC_RIJNDAEL;
$enc_mode = $ENC_GPG if $test_hr->{'msg'} =~ /GPG\s/;
$enc_mode = $ENC_GPG if $test_hr->{'msg'} =~ /GPG/;
unless (&openssl_hmac_verification($encrypted_msg,
$encoded_msg, '', $hmac_key, $b64_decode_key,
$hmac_digest, $hmac_mode)) {
$hmac_digest, $hmac_mode, $enc_mode)) {
$rv = 0;
}
}
@ -4197,9 +4211,13 @@ sub openssl_hmac_verification() {
$hmac_key = $tmp_key;
}
my $enc_mode_str = 'Rijndael';
$enc_mode_str = 'GPG' if $enc_mode == $ENC_GPG;
&write_test_file("[+] OpenSSL HMAC $hmac_mode verification, (encoded msg: " .
"$encoded_msg) (access: $access_msg), hmac_key: $tmp_key, " .
"encrypted+encoded msg: $encrypted_msg, hmac_digest: $hmac_digest\n",
"encrypted+encoded msg: $encrypted_msg, hmac_digest: $hmac_digest, " .
"enc_mode: $enc_mode_str\n",
$curr_test_file);
if ($hmac_key =~ /\s/ and not $openssl_hmac_hexkey_supported) {
@ -4227,7 +4245,7 @@ sub openssl_hmac_verification() {
}
### transform encrypted message into the format that openssl expects
if ($enc_mode) {
if ($enc_mode == $ENC_RIJNDAEL) {
$enc_msg_without_hmac = 'U2FsdGVkX1' . $enc_msg_without_hmac
unless $enc_msg_without_hmac =~ /^U2FsdGVkX1/;
} else {
@ -5549,6 +5567,9 @@ sub usage() {
--enable-recompile - Recompile fwknop sources and look for
compilation warnings.
--enable-valgrind - Run every test underneath valgrind.
--disable-valgrind - Disable valgrind mode (useful sometimes
when --enable-all is used to have
everything except for valgrind enabled).
--enable-ip-resolve - Enable client IP resolution (-R) test -
this requires internet access.
--enable-distcheck - Enable 'make dist' check.
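Review bot: In openssl_hmac_verification the new line `$enc_mode_str = 'GPG' if $enc_mode == $ENC_GPG;` and the changed condition `if ($enc_mode == $ENC_RIJNDAEL)` compare `$enc_mode` numerically, but the only call site updated in the visible hunks is client_send_spa_packet; any other caller still passing the previous seven arguments leaves `$enc_mode` undef, which numifies to 0 with an "uninitialized value" warning and selects the Rijndael or GPG branch depending only on how those constants are defined outside this hunk. A default directly after the argument unpack (which is outside the hunk) makes the intended fallback explicit: `$enc_mode = $ENC_RIJNDAEL unless defined $enc_mode;`. The widened `/GPG/` match in client_send_spa_packet is now what selects the mode, so a one-line comment there such as `### GPG tests are identified by 'GPG' in the test name` would record the convention the new code depends on.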

test/tests/gpg_hmac.pl Normal file

@ -0,0 +1,124 @@
@gpg_hmac = (
### GPG testing (with passwords associated with keys) - first check to
### see if pinentry is required and disable remaining GPG tests if so
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'pinentry not required',
'function' => \&gpg_pinentry_check,
'cmdline' => $default_client_gpg_args,
'fatal' => $NO
},
### no password GPG testing
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'complete cycle (tcp/22 ssh)',
'function' => \&spa_cycle,
'cmdline' => "$default_client_gpg_args "
. "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'complete cycle (tcp/23 telnet)',
'function' => \&spa_cycle,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
"$local_key_file --verbose --verbose " .
"--gpg-recipient-key $gpg_server_key " .
"--gpg-signer-key $gpg_client_key " .
"--gpg-home-dir $gpg_client_home_dir " .
"--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'complete cycle (tcp/9418 git)',
'function' => \&spa_cycle,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
"$local_key_file --verbose --verbose " .
"--gpg-recipient-key $gpg_server_key " .
"--gpg-signer-key $gpg_client_key " .
"--gpg-home-dir $gpg_client_home_dir " .
"--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'complete cycle (tcp/60001 git)',
'function' => \&spa_cycle,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
"$local_key_file --verbose --verbose " .
"--gpg-recipient-key $gpg_server_key " .
"--gpg-signer-key $gpg_client_key " .
"--gpg-home-dir $gpg_client_home_dir " .
"--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'complete cycle (udp/53 dns)',
'function' => \&spa_cycle,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
"$local_key_file --verbose --verbose " .
"--gpg-recipient-key $gpg_server_key " .
"--gpg-signer-key $gpg_client_key " .
"--gpg-home-dir $gpg_client_home_dir " .
"--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'replay attack detection',
'function' => \&replay_detection,
'cmdline' => "$default_client_gpg_args "
. "--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'key_file' => $cf{'rc_gpg_hmac_b64_key'},
'fatal' => $NO
},
{
'category' => 'GPG+HMAC',
'subcategory' => 'client+server',
'detail' => 'detect replay #1 (GnuPG prefix)',
'function' => \&replay_detection,
'pkt_prefix' => 'hQ',
'cmdline' => "$default_client_gpg_args " .
"--gpg-home-dir $gpg_client_home_dir " .
"--rc-file $cf{'rc_gpg_hmac_b64_key'}",
'fwknopd_cmdline' => $default_server_gpg_args_hmac,
'replay_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
'fatal' => $NO
},
);
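Review bot: The comment `### no password GPG testing` above the second entry appears to be carried over from gpg_no_pw.pl, but this file pairs `$default_server_gpg_args_hmac` with an access file that sets GPG_DECRYPT_PW, i.e. password-protected keys as the commit title says; it should read `### GPG+HMAC testing (password-protected keys)`. The 'detail' label `complete cycle (tcp/60001 git)` also repeats the service name of the tcp/9418 entry although the port differs, which makes test output misleading; `'detail' => 'complete cycle (tcp/60001)'` is accurate. The four cmdline strings that spell out the full client command differ from `$default_client_gpg_args` only in the `-A` port, so a short comment on the first of them noting why the default is not reused (presumably to vary the requested port) would help the next reader.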