[test suite] added --cmd-verbose to control fwknop command verbosity levels
This commit provides an easy way to control how verbose fwknop command execution will be. For example, fwknopd only calls hex_dump() against SPA packets when --verbose > 2, so invoking the tests suite as follows will result in hex_dump() being included in fwknopd output (see the output/1_fwknopd.test file: ./test-fwknop.pl --include "Rijndael.*complete.*22" --test-limit 1 --cmd-verbose "--verbose --verbose --verbose" [+] candidate SPA packet payload: 0x0000: 39 62 72 51 58 75 7a 4b 57 54 53 67 57 56 35 66 9brQXuzKWTSgWV5f 0x0010: 73 63 78 42 35 78 69 51 65 6c 55 4f 53 78 69 45 scxB5xiQelUOSxiE 0x0020: 51 30 59 6a 41 50 70 31 4f 70 43 62 32 51 4a 4c Q0YjAPp1OpCb2QJL 0x0030: 48 34 42 65 68 64 6d 47 35 49 31 50 36 2f 5a 69 H4BehdmG5I1P6/Zi 0x0040: 6a 34 4b 41 62 34 53 68 6a 59 66 4f 71 2b 46 6c j4KAb4ShjYfOq+Fl 0x0050: 4a 35 52 75 70 33 39 6f 6e 65 42 79 72 51 46 57 J5Rup39oneByrQFW 0x0060: 61 38 6c 37 63 48 6e 38 5a 54 36 59 6e 55 56 47 a8l7cHn8ZT6YnUVG 0x0070: 50 36 6e 53 6f 69 30 61 70 72 32 52 39 62 6b 56 P6nSoi0apr2R9bkV 0x0080: 37 50 61 67 41 61 6b 49 44 63 58 59 44 6b 2f 64 7PagAakIDcXYDk/d 0x0090: 67 51 45 61 37 39 32 6f 30 4d 38 6e 30 30 6e 35 gQEa792o0M8n00n5 0x00a0: 55 U
This commit is contained in:
Michael Rash
parent
cba2873e22
commit
6dd5ab8e35
@ -264,6 +264,7 @@ my $curr_test_file = 'init';
|
||||
my $init_file = $curr_test_file;
|
||||
my $tarfile = 'test_fwknop.tar.gz';
|
||||
our $key_gen_file = "$output_dir/key_gen";
|
||||
our $verbose_str = "--verbose --verbose";
|
||||
my $gdb_test_file = '';
|
||||
my $fuzzing_pkts_file = 'fuzzing/fuzzing_spa_packets';
|
||||
my $fuzzing_pkts_append = 0;
|
||||
@ -391,6 +392,7 @@ exit 1 unless GetOptions(
|
||||
'valgrind-prev-cov-dir=s' => \$previous_valgrind_coverage_dir,
|
||||
'openssl-path=s' => \$openssl_path,
|
||||
'output-dir=s' => \$output_dir,
|
||||
'cmd-verbose=s' => \$verbose_str,
|
||||
'diff' => \$diff_mode,
|
||||
'diff-dir1=s' => \$diff_dir1,
|
||||
'diff-dir2=s' => \$diff_dir2,
|
||||
@ -434,15 +436,15 @@ exit &gdb_test_cmd() if $gdb_test_file;
|
||||
$valgrind_str = "$valgrind_path --leak-check=full " .
|
||||
"--show-reachable=yes --track-origins=yes" if $enable_valgrind;
|
||||
|
||||
our $intf_str = "-i $loopback_intf --foreground --verbose --verbose";
|
||||
our $intf_str = "-i $loopback_intf --foreground $verbose_str";
|
||||
|
||||
our $default_client_args = "$lib_view_str $valgrind_str " .
|
||||
"$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --no-save-args --verbose --verbose";
|
||||
"$local_key_file --no-save-args $verbose_str";
|
||||
|
||||
our $default_client_args_no_get_key = "$lib_view_str " .
|
||||
"$valgrind_str $fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip " .
|
||||
"--no-save-args --verbose --verbose";
|
||||
"--no-save-args $verbose_str";
|
||||
|
||||
our $default_client_args_no_verbose = "$lib_view_str " .
|
||||
"$valgrind_str $fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip " .
|
||||
@ -462,11 +464,11 @@ our $default_client_hmac_args = "$default_client_args_no_get_key " .
|
||||
|
||||
our $client_ip_resolve_args = "$lib_view_str $valgrind_str " .
|
||||
"$fwknopCmd -A tcp/22 -R -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose";
|
||||
"$local_key_file $verbose_str";
|
||||
|
||||
our $client_ip_resolve_hmac_args = "$lib_view_str $valgrind_str " .
|
||||
"$fwknopCmd -A tcp/22 -R -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose";
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str";
|
||||
|
||||
our $default_client_gpg_args = "$default_client_args " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
@ -1741,7 +1743,7 @@ sub iptables_no_flush_init_exit() {
|
||||
my $rv = 1;
|
||||
|
||||
&run_cmd("$lib_view_str $valgrind_str $fwknopdCmd " .
|
||||
"$default_server_conf_args --fw-flush --verbose --verbose",
|
||||
"$default_server_conf_args --fw-flush $verbose_str",
|
||||
$cmd_out_tmp, $curr_test_file);
|
||||
|
||||
if ($test_hr->{'insert_rule_before_exec'}) {
|
||||
@ -1756,7 +1758,7 @@ sub iptables_no_flush_init_exit() {
|
||||
|
||||
if ($test_hr->{'search_for_rule_after_exit'}) {
|
||||
&run_cmd("$lib_view_str $valgrind_str $fwknopdCmd " .
|
||||
"$default_server_conf_args --fw-list --verbose --verbose",
|
||||
"$default_server_conf_args --fw-list $verbose_str",
|
||||
$cmd_out_tmp, $curr_test_file);
|
||||
$rv = 0 unless &file_find_regex([qr/ACCEPT.*$fake_ip\s.*dpt\:1234/],
|
||||
$MATCH_ALL, $APPEND_RESULTS, $curr_test_file);
|
||||
@ -6379,6 +6381,9 @@ sub usage() {
|
||||
--valgrind-prev-cov-dir=<path> - Path to previous valgrind-coverage
|
||||
directory (defaults to:
|
||||
"output.last/valgrind-coverage").
|
||||
--cmd-verbose=<str> - Set the verbosity level of executed fwknop
|
||||
commands, default is:
|
||||
$verbose_str
|
||||
-h --help - Display usage on STDOUT and exit.
|
||||
|
||||
_HELP_
|
||||
|
||||
@ -520,10 +520,10 @@
|
||||
{
|
||||
'category' => 'basic operations',
|
||||
'subcategory' => 'client save rc file',
|
||||
'detail' => '--verbose --verbose',
|
||||
'detail' => $verbose_str,
|
||||
'function' => \&client_rc_file,
|
||||
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
|
||||
"--fw-timeout 1234 --verbose --verbose",
|
||||
"--fw-timeout 1234 $verbose_str",
|
||||
'save_rc_stanza' => [{'name' => 'default',
|
||||
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
|
||||
'positive_output_matches' => [qr/Client\sTimeout:\s1234/],
|
||||
@ -547,7 +547,7 @@
|
||||
'detail' => '--use-hmac --key-gen',
|
||||
'function' => \&client_rc_file,
|
||||
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
|
||||
"--fw-timeout 1234 --verbose --use-hmac --key-gen",
|
||||
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen",
|
||||
'save_rc_stanza' => [{'name' => 'default',
|
||||
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
|
||||
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
|
||||
|
||||
@ -135,7 +135,7 @@
|
||||
'detail' => 'complete cycle (tcp/23 telnet)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir",
|
||||
@ -149,7 +149,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir",
|
||||
@ -163,7 +163,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir",
|
||||
@ -178,7 +178,7 @@
|
||||
'detail' => 'complete cycle (udp/53 dns)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
'detail' => 'complete cycle (tcp/23 telnet)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir " .
|
||||
@ -71,7 +71,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir " .
|
||||
@ -87,7 +87,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir " .
|
||||
@ -103,7 +103,7 @@
|
||||
'detail' => 'complete cycle (udp/53 dns)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir " .
|
||||
|
||||
@ -66,7 +66,7 @@
|
||||
'detail' => 'complete cycle (tcp/23 telnet)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip " .
|
||||
"--gpg-no-signing-pw --verbose --verbose " .
|
||||
"--gpg-no-signing-pw $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
||||
@ -80,7 +80,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip " .
|
||||
"--gpg-no-signing-pw --verbose --verbose " .
|
||||
"--gpg-no-signing-pw $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
||||
@ -94,7 +94,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip " .
|
||||
"--gpg-no-signing-pw --verbose --verbose " .
|
||||
"--gpg-no-signing-pw $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
||||
@ -109,7 +109,7 @@
|
||||
'detail' => 'complete cycle (udp/53 dns)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip " .
|
||||
"--gpg-no-signing-pw --verbose --verbose " .
|
||||
"--gpg-no-signing-pw $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
||||
|
||||
@ -49,7 +49,7 @@
|
||||
'detail' => 'complete cycle (tcp/23 telnet)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw " .
|
||||
@ -65,7 +65,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw " .
|
||||
@ -81,7 +81,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw " .
|
||||
@ -97,7 +97,7 @@
|
||||
'detail' => 'complete cycle (udp/53 dns)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose " .
|
||||
"$local_key_file $verbose_str " .
|
||||
"--gpg-recipient-key $gpg_server_key " .
|
||||
"--gpg-signer-key $gpg_client_key " .
|
||||
"--gpg-home-dir $gpg_client_home_dir_no_pw " .
|
||||
|
||||
@ -15,7 +15,7 @@
|
||||
'detail' => 'short IP 1.1.1.1 (ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a 1.1.1.1 -D $loopback_ip --get-key " .
|
||||
"$local_key_file --no-save-args --verbose --verbose",
|
||||
"$local_key_file --no-save-args $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -27,7 +27,7 @@
|
||||
'detail' => 'long IP 123.123.123.123 (ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a 123.123.123.123 -D $loopback_ip --get-key " .
|
||||
"$local_key_file --no-save-args --verbose --verbose",
|
||||
"$local_key_file --no-save-args $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -61,7 +61,7 @@
|
||||
'detail' => 'localhost hostname->IP (tcp/22 ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D localhost --get-key " .
|
||||
"$local_key_file --no-save-args --verbose --verbose",
|
||||
"$local_key_file --no-save-args $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -82,8 +82,8 @@
|
||||
'detail' => "--save-packet $tmp_pkt_file",
|
||||
'function' => \&client_save_spa_pkt,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --save-args-file $tmp_args_file --verbose " .
|
||||
"--verbose --save-packet $tmp_pkt_file",
|
||||
"$local_key_file --save-args-file $tmp_args_file $verbose_str " .
|
||||
"--save-packet $tmp_pkt_file",
|
||||
},
|
||||
{
|
||||
'category' => 'Rijndael',
|
||||
@ -91,7 +91,7 @@
|
||||
'detail' => "--last-cmd",
|
||||
'function' => \&generic_exec,
|
||||
'cmdline' => "$fwknopCmd --last-cmd --save-args-file $tmp_args_file " .
|
||||
"--verbose --verbose",
|
||||
"$verbose_str",
|
||||
},
|
||||
|
||||
{
|
||||
@ -253,7 +253,7 @@
|
||||
'detail' => 'dual usage access key (tcp/80 http)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'dual_key_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
### check for the first stanza that does not allow tcp/80 - the
|
||||
@ -570,7 +570,7 @@
|
||||
'detail' => 'mismatch require src (tcp/22 ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -s -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'require_src_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [qr/Got\s0.0.0.0\swhen\svalid\ssource\sIP/],
|
||||
@ -583,7 +583,7 @@
|
||||
'no_ip_check' => 1,
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -s -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -761,7 +761,7 @@
|
||||
'detail' => "NAT tcp/80 to $internal_nat_host tcp/22",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose -N $internal_nat_host:22",
|
||||
"$local_key_file $verbose_str -N $internal_nat_host:22",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'nat'} -a $cf{'def_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [
|
||||
@ -816,7 +816,7 @@
|
||||
'detail' => "local NAT hostname->IP (tcp/22 ssh)",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D localhost --nat-local " .
|
||||
"--get-key $local_key_file --no-save-args --verbose --verbose",
|
||||
"--get-key $local_key_file --no-save-args $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'local_nat'} -a $cf{'force_nat_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [qr/to\:$force_nat_host\:22/i,
|
||||
@ -882,7 +882,7 @@
|
||||
'detail' => "local NAT non-FORCE_NAT (tcp/22)",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose --nat-local --nat-port 80",
|
||||
"$local_key_file $verbose_str --nat-local --nat-port 80",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'local_nat'} -a $cf{'def_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [qr/to\:$loopback_ip\:22/i,
|
||||
@ -962,8 +962,7 @@
|
||||
'cmdline' => '',
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'legacy_iv_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file " .
|
||||
"--pcap-file $replay_pcap_file --foreground --verbose --verbose " .
|
||||
"--verbose",
|
||||
"--pcap-file $replay_pcap_file --foreground $verbose_str",
|
||||
'server_positive_output_matches' => [qr/Replay\sdetected/i,
|
||||
qr/candidate\sSPA/, qr/0x0000\:\s+2b/],
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -976,7 +975,7 @@
|
||||
'detail' => 'complete cycle (tcp/23 telnet)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -987,7 +986,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418 git)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -998,7 +997,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -1009,7 +1008,7 @@
|
||||
'detail' => 'multi port (tcp/60001,udp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001,udp/60001 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -1020,7 +1019,7 @@
|
||||
'detail' => 'multi port (tcp/22,udp/53,tcp/1234)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22,udp/53,tcp/1234 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -1032,7 +1031,7 @@
|
||||
'detail' => 'complete cycle (udp/53 dns)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
@ -1069,7 +1068,7 @@
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "SPOOF_USER=$spoof_user LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
|
||||
"$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
|
||||
"$local_key_file --verbose --verbose",
|
||||
"$local_key_file $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'positive_output_matches' => [qr/Username:\s*$spoof_user/],
|
||||
'server_positive_output_matches' => [qr/Username:\s*$spoof_user/],
|
||||
@ -1110,7 +1109,7 @@
|
||||
'detail' => 'localhost hostname->IP spoofed',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D localhost --get-key " .
|
||||
"$local_key_file --no-save-args --verbose --verbose -Q $spoof_ip",
|
||||
"$local_key_file --no-save-args $verbose_str -Q $spoof_ip",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
'function' => \&spa_cmd_exec_cycle,
|
||||
'cmdline' => qq|$fwknopCmd --server-cmd "echo fwknoptest > $cmd_exec_test_file" | .
|
||||
"-a $fake_ip -D $loopback_ip --get-key $local_key_file " .
|
||||
"--verbose --verbose",
|
||||
"$verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'cmd_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
|
||||
|
||||
@ -221,7 +221,7 @@
|
||||
'detail' => 'short IP 1.1.1.1 (ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a 1.1.1.1 -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -236,7 +236,7 @@
|
||||
'detail' => 'long IP 123.123.123.123 (ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a 123.123.123.123 -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -252,7 +252,7 @@
|
||||
'detail' => 'complete cycle (tcp/23)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -265,7 +265,7 @@
|
||||
'detail' => 'non-b64 HMAC key (tcp/22 ssh)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key2'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key2'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_no_b64_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -279,7 +279,7 @@
|
||||
'detail' => 'complete cycle (tcp/9418)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -292,7 +292,7 @@
|
||||
'detail' => 'complete cycle (tcp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -305,7 +305,7 @@
|
||||
'detail' => 'multi port (tcp/60001,udp/60001)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/60001,udp/60001 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -331,7 +331,7 @@
|
||||
'detail' => 'random SPA port (via rc RAND_PORT)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_rand_port_hmac_b64_key'} --verbose --verbose -r",
|
||||
"$cf{'rc_rand_port_hmac_b64_key'} $verbose_str -r",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str " .
|
||||
qq|-P "udp"|,
|
||||
@ -361,7 +361,7 @@
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "SPOOF_USER=$spoof_user LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
|
||||
"$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
@ -397,7 +397,7 @@
|
||||
'detail' => "--last-cmd",
|
||||
'function' => \&generic_exec,
|
||||
'cmdline' => "$fwknopCmd --last-cmd --save-args-file $tmp_args_file " .
|
||||
"--verbose --verbose",
|
||||
"$verbose_str",
|
||||
},
|
||||
{
|
||||
'category' => 'Rijndael+HMAC',
|
||||
@ -689,7 +689,7 @@
|
||||
'detail' => 'dual usage access key (tcp/80 http)',
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_dual_key_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
### check for the first stanza that does not allow tcp/80 - the
|
||||
@ -815,7 +815,7 @@
|
||||
'detail' => "NAT tcp/80 to $internal_nat_host tcp/22",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose -N $internal_nat_host:22",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str -N $internal_nat_host:22",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'nat'} -a $cf{'hmac_open_ports_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [
|
||||
@ -876,7 +876,7 @@
|
||||
'detail' => "local NAT non-FORCE_NAT",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose --nat-local --nat-port 80",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-local --nat-port 80",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'local_nat'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [qr/to\:$loopback_ip\:22/i,
|
||||
@ -894,7 +894,7 @@
|
||||
'detail' => "local NAT rand port to tcp/22",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose --nat-local --nat-rand-port",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-local --nat-rand-port",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'local_nat'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [qr/to\:$loopback_ip\:22/i,
|
||||
@ -910,7 +910,7 @@
|
||||
'detail' => "NAT rand port to tcp/22",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose --nat-rand-port -N $internal_nat_host",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-rand-port -N $internal_nat_host",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'nat'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [
|
||||
@ -927,7 +927,7 @@
|
||||
'detail' => "NAT rand port to -N <host>:40001",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
|
||||
"$cf{'rc_hmac_b64_key'} --verbose --verbose --nat-rand-port -N $internal_nat_host:40001",
|
||||
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-rand-port -N $internal_nat_host:40001",
|
||||
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'nat'} -a $cf{'hmac_access'} " .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user