add --fault-injection-tag support to the client/server/libfko

This is a significant commit to add the ability to leverage libfko fault
injections from both the fwknop client and server command lines via a
new option '--fault-injection-tag <tag name>'.  This option is used by
the test suite with the tests/fault_injection.pl tests.
Michael Rash 2014-06-05 23:05:49 -04:00
parent 6a0af8ed8e
commit 6d1d66fe03
22 changed files with 717 additions and 8 deletions


@ -61,6 +61,8 @@ enum {
KEY_HMAC,
FD_SET_STDIN,
FD_SET_ALT,
FAULT_INJECTION_TAG,
/* Put GPG-related items below the following line */
GPG_ENCRYPTION = 0x200,
GPG_RECIP_KEY,
@ -96,6 +98,7 @@ static struct option cmd_opts[] =
{"encryption-mode", 1, NULL, ENCRYPTION_MODE},
{"fd", 1, NULL, FD_SET_ALT},
{"fw-timeout", 1, NULL, 'f'},
{"fault-injection-tag", 1, NULL, FAULT_INJECTION_TAG },
{"gpg-encryption", 0, NULL, 'g'},
{"gpg-recipient-key", 1, NULL, GPG_RECIP_KEY },
{"gpg-signer-key", 1, NULL, GPG_SIGNER_KEY },


@ -1967,6 +1967,15 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
}
add_var_to_bitmask(FWKNOP_CLI_ARG_FW_TIMEOUT, &var_bitmask);
break;
case FAULT_INJECTION_TAG:
#if HAVE_LIBFIU
strlcpy(options->fault_injection_tag, optarg, sizeof(options->fault_injection_tag));
#else
log_msg(LOG_VERBOSITY_ERROR,
"fwknop not compiled with fault injection support.", optarg);
exit(EXIT_FAILURE);
#endif
break;
case 'g':
case GPG_ENCRYPTION:
options->use_gpg = 1;
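Review bot: The `#else` branch of the new `FAULT_INJECTION_TAG` case passes `optarg` to `log_msg()` although the format string has no conversion specifier, so the argument is dead (and would be flagged as an extra format argument if `log_msg` is declared printf-style); drop it: `log_msg(LOG_VERBOSITY_ERROR, "fwknop not compiled with fault injection support.");`. In the libfiu branch the `strlcpy()` result is not checked, so a tag longer than the buffer is truncated silently and would then name a different fault point than the one requested. Comparing the return value against `sizeof(options->fault_injection_tag)` and exiting on overflow would make that visible. `config_init` starts and ends outside this hunk.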


@ -2,12 +2,12 @@
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 05/04/2014
.\" Date: 06/05/2014
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
.TH "FWKNOP" "8" "05/04/2014" "Fwknop Client" "Fwknop Client"
.TH "FWKNOP" "8" "06/05/2014" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -299,6 +299,14 @@ Append the generated packet data to the file specified with the
option\&.
.RE
.PP
\fB\-\-fault\-injection\-tag\fR=\fI<tag>\fR
.RS 4
This option is only used for fault injection testing when
\fBfwknop\fR
is compiled to support the libfiu library (see:
\fIhttp://blitiri\&.com\&.ar/p/libfiu/\fR)\&. Under normal circumstances this option is not used, and any packaged version of fwknop will not have code compiled in so this capability is not enabled at run time\&. It is documented here for completeness\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run the


@ -59,6 +59,9 @@ static void clean_exit(fko_ctx_t ctx, fko_cli_options_t *opts,
static void zero_buf_wrapper(char *buf, int len);
static int is_hostname_str_with_port(const char *str,
char *hostname, size_t hostname_bufsize, int *port);
#if HAVE_LIBFIU
static void enable_fault_injections(fko_cli_options_t * const opts);
#endif
#define MAX_CMDLINE_ARGS 50 /*!< should be way more than enough */
#define NAT_ACCESS_STR_TEMPLATE "%s,%d" /*!< Template for a nat access string ip,port with sscanf*/
@ -165,6 +168,12 @@ main(int argc, char **argv)
*/
config_init(&options, argc, argv);
#if HAVE_LIBFIU
/* Set any fault injection points early
*/
enable_fault_injections(&options);
#endif
/* Handle previous execution arguments if required
*/
if(prev_exec(&options, argc, argv) != 1)
@ -1310,6 +1319,19 @@ zero_buf_wrapper(char *buf, int len)
return;
}
#if HAVE_LIBFIU
static void
enable_fault_injections(fko_cli_options_t * const opts)
{
if(opts->fault_injection_tag != NULL)
{
fiu_init(0);
fiu_enable(opts->fault_injection_tag, 1, NULL, 0);
}
return;
}
#endif
/* free up memory and exit
*/
static void
@ -1317,6 +1339,13 @@ clean_exit(fko_ctx_t ctx, fko_cli_options_t *opts,
char *key, int *key_len, char *hmac_key, int *hmac_key_len,
unsigned int exit_status)
{
#if HAVE_LIBFIU
if(opts->fault_injection_tag != NULL)
{
fiu_disable(opts->fault_injection_tag);
}
#endif
if(fko_destroy(ctx) == FKO_ERROR_ZERO_OUT_DATA)
log_msg(LOG_VERBOSITY_ERROR,
"[*] Could not zero out sensitive data buffer.");
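Review bot: The guard `if(opts->fault_injection_tag != NULL)` in `enable_fault_injections()`, and again in `clean_exit()`, is always true, because the client options struct in this commit declares the member as an array (`char fault_injection_tag[MAX_FAULT_TAG_LEN]`) rather than a pointer. In a libfiu build `fiu_init()` and `fiu_enable()` therefore run on every invocation, presumably with an empty name when the option was not given (the struct's initialisation is not visible here). Test the first byte instead: `if(opts->fault_injection_tag[0] != '\0')`. `clean_exit` continues outside the hunk.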


@ -102,6 +102,9 @@ typedef struct fko_cli_options
char gpg_signer_key[MAX_GPG_KEY_ID];
char gpg_home_dir[MAX_PATH_LEN];
char gpg_exe[MAX_PATH_LEN];
#if HAVE_LIBFIU
char fault_injection_tag[MAX_FAULT_TAG_LEN];
#endif
/* Encryption keys read from a .fwknoprc stanza
*/


@ -148,6 +148,10 @@ enum {
#define MAX_GPG_KEY_ID 128
#define MAX_USERNAME_LEN 30
#if HAVE_LIBFIU
#define MAX_FAULT_TAG_LEN 128
#endif
/* Some convenience macros */
/* Get the number of elements of an array


@ -285,6 +285,13 @@ GENERAL OPTIONS
Append the generated packet data to the file specified with the *-B*
option.
*--fault-injection-tag*='<tag>'::
This option is only used for fault injection testing when *fwknop* is
compiled to support the libfiu library (see: 'http://blitiri.com.ar/p/libfiu/').
Under normal circumstances this option is not used, and any packaged
version of fwknop will not have code compiled in so this capability is not
enabled at run time. It is documented here for completeness.
*-v, --verbose*::
Run the *fwknop* client in verbose mode. This causes *fwknop* to print
some extra information about the current command and the resulting SPA


@ -78,6 +78,15 @@ COMMAND-LINE OPTIONS
Dump all possible *fwknopd* error codes to stdout and exit. This option is
rarely needed in practice, and was added to assist with test coverage.
*--fault-injection-tag*='<tag>'::
This option is only used for fault injection testing when *fwknop* is
compiled to support the libfiu library (see: 'http://blitiri.com.ar/p/libfiu/').
Under normal circumstances this option is not used, and any packaged
version of fwknop will not have code compiled in so this capability is not
enabled at run time. It is documented here for completeness.
version of fwknop will not have code compiled in to enable this capability
at run time. It is documented here for completeness.
*--fw-list-all*::
List all firewall rules including those that have nothing to do with
*fwknopd*.


@ -103,6 +103,12 @@ fko_set_spa_client_timeout(fko_ctx_t ctx, const int timeout)
int
fko_get_spa_client_timeout(fko_ctx_t ctx, int *timeout)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_client_timeout_init",
FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -111,6 +117,11 @@ fko_get_spa_client_timeout(fko_ctx_t ctx, int *timeout)
if(timeout == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_client_timeout_val",
FKO_ERROR_INVALID_DATA);
#endif
*timeout = ctx->client_timeout;
return(FKO_SUCCESS);
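Review bot: Each injection point in `fko_get_spa_client_timeout()` is wrapped in its own `#if HAVE_LIBFIU` / `#endif` pair, which interleaves preprocessor lines with the argument checks and triples the size of every probe; the same pattern repeats in the other libfko getters and in `fko_set_spa_nat_access()` / `fko_set_spa_server_auth()` touched by this commit. libfiu ships `fiu-local.h`, whose `fiu_return_on()` expands to nothing unless `FIU_ENABLE` is defined, so one project-level include would allow a bare `fiu_return_on("fko_get_spa_client_timeout_init", FKO_ERROR_CTX_NOT_INITIALIZED);` at each site. The tag strings are also repeated verbatim in the test definitions, so a comment at each probe such as `/* tag referenced by tests/fault_injection.pl */` would help keep the two in step. The function body starts and ends outside these hunks.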


@ -461,6 +461,11 @@ fko_base64_decode(const char * const in, unsigned char *out)
int
fko_get_version(fko_ctx_t ctx, char **version)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_version_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -469,6 +474,10 @@ fko_get_version(fko_ctx_t ctx, char **version)
if(version == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_version_val", FKO_ERROR_INVALID_DATA);
#endif
*version = ctx->version;
return(FKO_SUCCESS);
@ -536,6 +545,11 @@ fko_spa_data_final(fko_ctx_t ctx,
int
fko_get_spa_data(fko_ctx_t ctx, char **spa_data)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_data_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -544,12 +558,20 @@ fko_get_spa_data(fko_ctx_t ctx, char **spa_data)
if(spa_data == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_data_val", FKO_ERROR_INVALID_DATA);
#endif
/* We expect to have encrypted data to process. If not, we bail.
*/
if(ctx->encrypted_msg == NULL || ! is_valid_encoded_msg_len(
strnlen(ctx->encrypted_msg, MAX_SPA_ENCODED_MSG_SIZE)))
return(FKO_ERROR_MISSING_ENCODED_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_data_encoded", FKO_ERROR_MISSING_ENCODED_DATA);
#endif
*spa_data = ctx->encrypted_msg;
/* Notice we omit the first 10 bytes if Rijndael encryption is


@ -130,6 +130,12 @@ fko_set_spa_message_type(fko_ctx_t ctx, const short msg_type)
int
fko_get_spa_message_type(fko_ctx_t ctx, short *msg_type)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_message_type_init",
FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -138,6 +144,10 @@ fko_get_spa_message_type(fko_ctx_t ctx, short *msg_type)
if(msg_type == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_message_type_val", FKO_ERROR_INVALID_DATA);
#endif
*msg_type = ctx->message_type;
return(FKO_SUCCESS);
@ -197,6 +207,11 @@ fko_set_spa_message(fko_ctx_t ctx, const char * const msg)
int
fko_get_spa_message(fko_ctx_t ctx, char **msg)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_message_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -205,6 +220,10 @@ fko_get_spa_message(fko_ctx_t ctx, char **msg)
if(msg == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_message_val", FKO_ERROR_INVALID_DATA);
#endif
*msg = ctx->message;
return(FKO_SUCCESS);


@ -38,6 +38,10 @@ fko_set_spa_nat_access(fko_ctx_t ctx, const char * const msg)
{
int res = FKO_SUCCESS;
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_nat_access_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Context must be initialized.
*/
if(!CTX_INITIALIZED(ctx))
@ -48,12 +52,20 @@ fko_set_spa_nat_access(fko_ctx_t ctx, const char * const msg)
if(msg == NULL || strnlen(msg, MAX_SPA_NAT_ACCESS_SIZE) == 0)
return(FKO_ERROR_INVALID_DATA_NAT_EMPTY);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_nat_access_empty", FKO_ERROR_INVALID_DATA_NAT_EMPTY);
#endif
/* --DSS XXX: Bail out for now. But consider just
* truncating in the future...
*/
if(strnlen(msg, MAX_SPA_NAT_ACCESS_SIZE) == MAX_SPA_NAT_ACCESS_SIZE)
return(FKO_ERROR_DATA_TOO_LARGE);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_nat_access_large", FKO_ERROR_DATA_TOO_LARGE);
#endif
if((res = validate_nat_access_msg(msg)) != FKO_SUCCESS)
return(res);
@ -92,6 +104,11 @@ fko_set_spa_nat_access(fko_ctx_t ctx, const char * const msg)
int
fko_get_spa_nat_access(fko_ctx_t ctx, char **nat_access)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_nat_access_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -100,6 +117,10 @@ fko_get_spa_nat_access(fko_ctx_t ctx, char **nat_access)
if(nat_access == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_nat_access_val", FKO_ERROR_INVALID_DATA);
#endif
*nat_access = ctx->nat_access;
return(FKO_SUCCESS);


@ -42,6 +42,9 @@ fko_set_spa_server_auth(fko_ctx_t ctx, const char * const msg)
*/
//return(FKO_ERROR_UNSUPPORTED_FEATURE);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_server_auth_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Context must be initialized.
*/
@ -87,6 +90,11 @@ fko_set_spa_server_auth(fko_ctx_t ctx, const char * const msg)
int
fko_get_spa_server_auth(fko_ctx_t ctx, char **server_auth)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_server_auth_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -95,6 +103,10 @@ fko_get_spa_server_auth(fko_ctx_t ctx, char **server_auth)
if(server_auth == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_spa_server_auth_val", FKO_ERROR_INVALID_DATA);
#endif
*server_auth = ctx->server_auth;
return(FKO_SUCCESS);


@ -69,6 +69,11 @@ fko_set_timestamp(fko_ctx_t ctx, const int offset)
int
fko_get_timestamp(fko_ctx_t ctx, time_t *timestamp)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_timestamp_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -77,6 +82,10 @@ fko_get_timestamp(fko_ctx_t ctx, time_t *timestamp)
if(timestamp == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_timestamp_val", FKO_ERROR_INVALID_DATA);
#endif
*timestamp = ctx->timestamp;
return(FKO_SUCCESS);


@ -137,6 +137,11 @@ fko_set_username(fko_ctx_t ctx, const char * const spoof_user)
int
fko_get_username(fko_ctx_t ctx, char **username)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_username_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
@ -145,6 +150,10 @@ fko_get_username(fko_ctx_t ctx, char **username)
if(username == NULL)
return(FKO_ERROR_INVALID_DATA);
#if HAVE_LIBFIU
fiu_return_on("fko_get_username_val", FKO_ERROR_INVALID_DATA);
#endif
*username = ctx->username;
return(FKO_SUCCESS);


@ -108,7 +108,8 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
"GPG_HOME_DIR",
"GPG_EXE",
"FIREWALL_EXE",
"VERBOSE"
"VERBOSE",
"FAULT_INJECTION_TAG"
};
@ -127,6 +128,7 @@ enum {
SYSLOG_ENABLE,
DUMP_SERVER_ERR_CODES,
EXIT_AFTER_PARSE_CONFIG,
FAULT_INJECTION_TAG,
NOOP /* Just to be a marker for the end */
};
@ -147,6 +149,7 @@ static struct option cmd_opts[] =
{"exit-parse-config", 0, NULL, EXIT_AFTER_PARSE_CONFIG },
{"syslog-enable", 0, NULL, SYSLOG_ENABLE },
{"foreground", 0, NULL, 'f'},
{"fault-injection-tag", 1, NULL, FAULT_INJECTION_TAG},
{"help", 0, NULL, 'h'},
{"interface", 1, NULL, 'i'},
{"kill", 0, NULL, 'K'},
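Review bot: `"FAULT_INJECTION_TAG"` is appended to `config_map` unconditionally, whereas the command-line path added in this commit refuses `--fault-injection-tag` when the binary was built without libfiu. If `config_map` drives config-file parsing (the parser is not visible here), a non-libfiu build would accept that key from the config file and silently ignore it. Consider rejecting the key at parse time in non-libfiu builds so both entry points behave the same, and add a comment beside the entry such as `/* test builds only: libfiu fault point name */`.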


@ -894,6 +894,14 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case 'f':
opts->foreground = 1;
break;
case FAULT_INJECTION_TAG:
#if HAVE_LIBFIU
set_config_entry(opts, CONF_FAULT_INJECTION_TAG, optarg);
#else
log_msg(LOG_ERR, "[*] fwknopd not compiled with libfiu support");
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
#endif
break;
case FW_LIST:
opts->fw_list = 1;
break;


@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 05/08/2014
.\" Date: 06/05/2014
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "05/08/2014" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "06/05/2014" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -114,6 +114,14 @@ Dump all possible
error codes to stdout and exit\&. This option is rarely needed in practice, and was added to assist with test coverage\&.
.RE
.PP
\fB\-\-fault\-injection\-tag\fR=\fI<tag>\fR
.RS 4
This option is only used for fault injection testing when
\fBfwknop\fR
is compiled to support the libfiu library (see:
\fIhttp://blitiri\&.com\&.ar/p/libfiu/\fR)\&. Under normal circumstances this option is not used, and any packaged version of fwknop will not have code compiled in so this capability is not enabled at run time\&. It is documented here for completeness\&. version of fwknop will not have code compiled in to enable this capability at run time\&. It is documented here for completeness\&.
.RE
.PP
\fB\-\-fw\-list\-all\fR
.RS 4
List all firewall rules including those that have nothing to do with


@ -49,6 +49,10 @@ static void daemonize_process(fko_srv_options_t * const opts);
static int write_pid_file(fko_srv_options_t *opts);
static pid_t get_running_pid(const fko_srv_options_t *opts);
#if HAVE_LIBFIU
static void enable_fault_injections(fko_srv_options_t * const opts);
#endif
int
main(int argc, char **argv)
{
@ -64,6 +68,12 @@ main(int argc, char **argv)
*/
config_init(&opts, argc, argv);
#if HAVE_LIBFIU
/* Set any fault injection points early
*/
enable_fault_injections(&opts);
#endif
/* Process any options that do their thing and exit.
*/
@ -768,9 +778,29 @@ get_running_pid(const fko_srv_options_t *opts)
return(rpid);
}
#if HAVE_LIBFIU
static void
enable_fault_injections(fko_srv_options_t * const opts)
{
if(opts->config[CONF_FAULT_INJECTION_TAG] != NULL)
{
fiu_init(0);
fiu_enable(opts->config[CONF_FAULT_INJECTION_TAG], 1, NULL, 0);
}
return;
}
#endif
void
clean_exit(fko_srv_options_t *opts, unsigned int fw_cleanup_flag, unsigned int exit_status)
{
#if HAVE_LIBFIU
if(opts->config[CONF_FAULT_INJECTION_TAG] != NULL)
{
fiu_disable(opts->config[CONF_FAULT_INJECTION_TAG]);
}
#endif
if(fw_cleanup_flag == FW_CLEANUP)
fw_cleanup(opts);
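Review bot: `enable_fault_injections()` discards the results of `fiu_init(0)` and `fiu_enable(...)`, so if either call fails the daemon keeps running with no fault armed and the test run only notices through a missing log match. Both calls return 0 on success; checking them, e.g. `if(fiu_init(0) != 0 || fiu_enable(opts->config[CONF_FAULT_INJECTION_TAG], 1, NULL, 0) != 0)` followed by a `log_msg(LOG_ERR, ...)` and `clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);`, makes the failure explicit. The client-side helper of the same name in this commit has the same gap. `clean_exit` continues outside the hunk.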


@ -258,6 +258,7 @@ enum {
CONF_GPG_EXE,
CONF_FIREWALL_EXE,
CONF_VERBOSE,
CONF_FAULT_INJECTION_TAG,
NUMBER_OF_CONFIG_ENTRIES /* Marks the end and number of entries */
};


@ -739,6 +739,7 @@ my %test_keys = (
'write_rc_file' => $OPTIONAL,
'save_rc_stanza' => $OPTIONAL,
'client_pkt_tries' => $OPTIONAL_NUMERIC,
'max_pkt_tries' => $OPTIONAL_NUMERIC,
'client_popen' => $OPTIONAL,
'disable_valgrind' => $OPTIONAL,
'wrapper_compile' => $OPTIONAL,
@ -1333,6 +1334,58 @@ sub fiu_run_fault_injection() {
return $rv;
}
sub fault_injection_tag() {
my $test_hr = shift;
my $rv = 1;
my $server_was_stopped = 0;
my $fw_rule_created = 0;
my $fw_rule_removed = 0;
if ($test_hr->{'pkt'}
or ($test_hr->{'cmdline'} and $test_hr->{'fwknopd_cmdline'})) {
### we are testing the fwknopd server
if ($test_hr->{'pkt'}) {
my @packets = (
{
'proto' => 'udp',
'port' => $default_spa_port,
'dst_ip' => $loopback_ip,
'data' => $test_hr->{'pkt'},
},
);
($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
= &client_server_interaction($test_hr, \@packets, $USE_PREDEF_PKTS);
} else {
($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed)
= &client_server_interaction($test_hr, [], $USE_CLIENT);
}
$rv = 0 unless $server_was_stopped;
} else {
### we are testing the fwknop client and expect an error
$rv = not &run_cmd($test_hr->{'cmdline'}, $cmd_out_tmp, $curr_test_file);
if ($test_hr->{'positive_output_matches'}) {
unless (&file_find_regex(
$test_hr->{'positive_output_matches'},
$MATCH_ALL, $APPEND_RESULTS, $curr_test_file)) {
&write_test_file(
"[-] positive_output_matches not met, setting rv=0\n",
$curr_test_file);
$rv = 0;
}
}
}
return $rv;
}
sub fko_wrapper_exec() {
my $test_hr = shift;
@ -5000,6 +5053,10 @@ sub client_server_interaction() {
my $server_was_stopped = 1;
my $fw_rule_created = 1;
my $fw_rule_removed = 0;
my $max_pkt_tries = 10;
$max_pkt_tries = $test_hr->{'max_pkt_tries'}
if $test_hr->{'max_pkt_tries'};
### start fwknopd to monitor for the SPA packet over the loopback interface
my $fwknopd_parent_pid = &start_fwknopd($test_hr);
@ -5059,7 +5116,7 @@ sub client_server_interaction() {
$rv = 0;
}
} elsif ($spa_client_flag == $USE_PREDEF_PKTS) {
&send_packets($pkts_hr);
&send_packets($pkts_hr, $max_pkt_tries);
} elsif ($spa_client_flag == $READ_PKTS_FROM_FILE) {
&send_packets_from_file();
} else {
@ -5243,7 +5300,7 @@ sub send_packets_from_file() {
}
sub send_packets() {
my $pkts_ar = shift;
my ($pkts_ar, $max_tries) = @_;
open F, ">> $curr_test_file" or die $!;
print F "[+] send_packets(): Sending the following packets...\n";
@ -5267,7 +5324,7 @@ sub send_packets() {
&send_all_pkts($pkts_ar);
$tries++;
last if $tries == 10; ### should be plenty of time
last if $tries == $max_tries; ### should be plenty of time
sleep 1;
}
} else {
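Review bot: `send_packets()` now stops on `$tries == $max_tries`, but `$max_tries` gets no default inside the sub, so a caller that still passes only the packet list (none is visible in these hunks) would leave it undefined and the equality would presumably never match once `$tries` has been incremented. The `==` test also skips the exit if the limit is ever below the current count. Default and bound it in the sub: `$max_tries = 10 unless defined $max_tries;` and `last if $tries >= $max_tries;`. In `client_server_interaction()` the truthiness test `if $test_hr->{'max_pkt_tries'}` treats an explicit 0 as unset, so `if defined $test_hr->{'max_pkt_tries'}` states the intent more exactly. `send_packets` continues outside the hunk.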


@ -60,5 +60,432 @@
'fiu_injection_style' => 'enable_random name=libc/mm/*,probability=0.05',
'fiu_iterations' => 1000
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_new_calloc',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_new_calloc",
'positive_output_matches' => [qr/Unable to allocate memory/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_new_strdup',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_new_strdup",
'positive_output_matches' => [qr/Unable to allocate memory/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_rand_value_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_rand_value_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_rand_value_read',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_rand_value_read",
'positive_output_matches' => [qr/write bytes mismatch/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_rand_value_calloc1',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_rand_value_calloc1",
'positive_output_matches' => [qr/Unable to allocate memory/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_rand_value_calloc2',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_rand_value_calloc2",
'positive_output_matches' => [qr/Unable to allocate memory/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_username_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_username_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_username_strdup2',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_username_strdup2",
'positive_output_matches' => [qr/Unable to allocate memory/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_timestamp_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_timestamp_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_timestamp_val',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_timestamp_val",
'positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_TIMESTAMP_VALIDFAIL/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag set_spa_digest_type_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag set_spa_digest_type_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag set_spa_digest_type_val',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag set_spa_digest_type_val",
'positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_ENCODE_DIGEST_VALIDFAIL/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_encryption_type_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_encryption_type_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_encryption_type_val',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_encryption_type_val",
'positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_ENCRYPT_TYPE_VALIDFAIL/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_encryption_mode_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_encryption_mode_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_encryption_mode_val',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_encryption_mode_val",
'positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_ENCRYPT_MODE_VALIDFAIL/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_message_type_init',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_message_type_init",
'positive_output_matches' => [qr/FKO Context is not initialized/]
},
{
'category' => 'fault injection',
'subcategory' => 'client',
'detail' => 'tag fko_set_spa_message_type_val',
'function' => \&fault_injection_tag,
'cmdline' => "$default_client_hmac_args " .
"--fault-injection-tag fko_set_spa_message_type_val",
'positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_MESSAGE_TYPE_VALIDFAIL/]
},
### fwknopd injections
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_username_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_username_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_username_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_username_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_timestamp_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_timestamp_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_timestamp_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_timestamp_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_message_type_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_message_type_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_message_type_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_message_type_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_message_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_message_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_message_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_message_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_nat_access_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_nat_access_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_nat_access_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_nat_access_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_server_auth_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_server_auth_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_server_auth_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_server_auth_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_client_timeout_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_client_timeout_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_spa_client_timeout_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_spa_client_timeout_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_version_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_version_init",
'server_positive_output_matches' => [qr/FKO Context is not initialized/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag fko_get_version_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag fko_get_version_val",
'server_positive_output_matches' => [qr/Args contain invalid data/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag set_spa_digest_type_init',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag set_spa_digest_type_init",
'server_positive_output_matches' => [qr/Error setting digest type for SPA data\: FKO Context/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
{
'category' => 'fault injection',
'subcategory' => 'server',
'detail' => 'tag set_spa_digest_type_val',
'function' => \&fault_injection_tag,
'no_ip_check' => 1,
'client_pkt_tries' => 1,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'disable_aging'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str " .
"--fault-injection-tag set_spa_digest_type_val",
'server_positive_output_matches' => [qr/FKO_ERROR_INVALID_DATA_ENCODE_DIGEST_VALIDFAIL/],
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
},
);