[test suite] significant test coverage update

This commit adds a lot of test coverage support as guided by gcov +
lcov.

Also added the --no-ipt-check-support option to fwknopd (this is only
useful in practice on older Linux distros where 'iptables -C' is not
available, but it helps with test coverage).
Michael Rash 2014-04-29 20:54:01 -04:00
parent 40e14fc400
commit 6dde30bc91
12 changed files with 609 additions and 54 deletions


@ -90,6 +90,11 @@ COMMAND-LINE OPTIONS
*-l, --locale*='<locale>'::
Set/override the system default locale setting.
*--no-ipt-check-support*::
Disable the usage of the iptables '-C' option. This is not normally needed,
and is only useful on older Linux distributions where iptables does not
have '-C' support.
*-O, --override-config*='<file>'::
Override config variable values that are normally read from the
'@sysconfdir@/fwknop/fwknopd.conf'' file with values from the specified file. Multiple


@ -1317,7 +1317,7 @@ parse_access_file(fko_srv_options_t *opts)
if(strcasecmp(val, "__CHANGEME__") == 0)
{
log_msg(LOG_ERR,
"[*] HMAC_KEY_BASE64 value is not properly set in stanza source '%s' in access file: '%s'",
"[*] HMAC_KEY value is not properly set in stanza source '%s' in access file: '%s'",
curr_acc->source, opts->config[CONF_ACCESS_FILE]);
fclose(file_ptr);
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);


@ -120,6 +120,7 @@ enum {
FW_FLUSH,
GPG_HOME_DIR,
GPG_EXE_PATH,
IPT_DISABLE_CHECK_SUPPORT,
PCAP_FILE,
ENABLE_PCAP_ANY_DIRECTION,
ROTATE_DIGEST_CACHE,
@ -135,32 +136,33 @@ enum {
*/
static struct option cmd_opts[] =
{
{"access-file", 1, NULL, 'a'},
{"config-file", 1, NULL, 'c'},
{"packet-limit", 1, NULL, 'C'},
{"digest-file", 1, NULL, 'd'},
{"dump-config", 0, NULL, 'D'},
{"syslog-enable", 0, NULL, SYSLOG_ENABLE },
{"foreground", 0, NULL, 'f'},
{"help", 0, NULL, 'h'},
{"interface", 1, NULL, 'i'},
{"kill", 0, NULL, 'K'},
{"fw-flush", 0, NULL, FW_FLUSH },
{"fw-list", 0, NULL, FW_LIST },
{"fw-list-all", 0, NULL, FW_LIST_ALL },
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"gpg-exe", 1, NULL, GPG_EXE_PATH },
{"locale", 1, NULL, 'l' },
{"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
{"override-config", 1, NULL, 'O' },
{"pcap-file", 1, NULL, PCAP_FILE },
{"pcap-filter", 1, NULL, 'P'},
{"pcap-any-direction", 0, NULL, ENABLE_PCAP_ANY_DIRECTION },
{"pid-file", 1, NULL, 'p'},
{"restart", 0, NULL, 'R'},
{"status", 0, NULL, 'S'},
{"verbose", 0, NULL, 'v'},
{"version", 0, NULL, 'V'},
{"access-file", 1, NULL, 'a'},
{"config-file", 1, NULL, 'c'},
{"packet-limit", 1, NULL, 'C'},
{"digest-file", 1, NULL, 'd'},
{"dump-config", 0, NULL, 'D'},
{"syslog-enable", 0, NULL, SYSLOG_ENABLE },
{"foreground", 0, NULL, 'f'},
{"help", 0, NULL, 'h'},
{"interface", 1, NULL, 'i'},
{"kill", 0, NULL, 'K'},
{"fw-flush", 0, NULL, FW_FLUSH },
{"fw-list", 0, NULL, FW_LIST },
{"fw-list-all", 0, NULL, FW_LIST_ALL },
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"gpg-exe", 1, NULL, GPG_EXE_PATH },
{"no-ipt-check-support", 0, NULL, IPT_DISABLE_CHECK_SUPPORT },
{"locale", 1, NULL, 'l' },
{"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
{"override-config", 1, NULL, 'O' },
{"pcap-file", 1, NULL, PCAP_FILE },
{"pcap-filter", 1, NULL, 'P'},
{"pcap-any-direction", 0, NULL, ENABLE_PCAP_ANY_DIRECTION },
{"pid-file", 1, NULL, 'p'},
{"restart", 0, NULL, 'R'},
{"status", 0, NULL, 'S'},
{"verbose", 0, NULL, 'v'},
{"version", 0, NULL, 'V'},
{0, 0, 0, 0}
};


@ -912,6 +912,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case 'i':
set_config_entry(opts, CONF_PCAP_INTF, optarg);
break;
case IPT_DISABLE_CHECK_SUPPORT:
opts->ipt_disable_check_support = 1;
break;
case 'K':
opts->kill = 1;
break;


@ -890,7 +890,10 @@ fw_initialize(const fko_srv_options_t * const opts)
/* See if iptables offers the '-C' argument (older versions don't). If not,
* then switch to parsing iptables -L output to find rules.
*/
ipt_chk_support(opts);
if(opts->ipt_disable_check_support)
have_ipt_chk_support = 0;
else
ipt_chk_support(opts);
return(res);
}
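Review bot: When `opts->ipt_disable_check_support` is set, `have_ipt_chk_support` is forced to 0 silently; per the comment just above the hunk that switches rule-existence checks from `iptables -C` to parsing `iptables -L` output, which is a more fragile path, and an operator who leaves the flag in an init script on a modern distro gets no indication it is active. A one-line log at that branch would make the degraded mode visible, e.g. `log_msg(LOG_INFO, "[+] iptables '-C' support disabled via --no-ipt-check-support, falling back to 'iptables -L' parsing");` (assuming `log_msg` is available in this file as it is in access.c). The body of `fw_initialize` begins outside the hunk, so `res` is computed before this check and does not reflect it.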


@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12/14/2013
.\" Date: 04/29/2014
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "12/14/2013" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "04/29/2014" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -136,6 +136,15 @@ without having to look in the process table\&.
Set/override the system default locale setting\&.
.RE
.PP
\fB\-\-no\-ipt\-check\-support\fR
.RS 4
Disable the usage of the iptables
\fI\-C\fR
option\&. This is not normally needed, and is only useful on older Linux distributions where iptables does not have
\fI\-C\fR
support\&.
.RE
.PP
\fB\-O, \-\-override\-config\fR=\fI<file>\fR
.RS 4
Override config variable values that are normally read from the
@ -357,7 +366,7 @@ is stopped or otherwise exits cleanly\&. The default is \(lqY\(rq\&.
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR
.RS 4
If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access block in
If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access stanza in
\fI@sysconfdir@/fwknop/access\&.conf\fR
can specify its own GPG directory to override this default\&. If not set here or in an
\fIaccess\&.conf\fR
@ -368,6 +377,13 @@ directory of the user running
(most likely root)\&.
.RE
.PP
GPG_EXE* \fI<path>\fR
.RS 4
Specify the path to GPG, and defaults to
\fI/usr/bin/gpg\fR
if not set\&.
.RE
.PP
\fBLOCALE\fR \fI<locale>\fR
.RS 4
Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
@ -556,21 +572,6 @@ file except that it is per access stanza and overrides any value set with \(lqSN
This is similar to the \(lqFORCE_SNAT\(rq variable, except that it is not necessary to also specify an IP address for SNAT rules because the MASQUERADE target is used instead\&.
.RE
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR
.RS 4
Define the path to the GnuPG directory to be used by the
\fBfwknopd\fR
server\&. If this keyword is not specified within
\fI@sysconfdir@/fwknop/access\&.conf\fR
then
\fBfwknopd\fR
will default to using the
\fI/root/\&.gnupg\fR
directory for the server key(s) for incoming SPA packets handled by the matching
\fIaccess\&.conf\fR
stanza\&.
.RE
.PP
\fBGPG_DECRYPT_ID\fR \fI<keyID>\fR
.RS 4
Define a GnuPG key ID to use for decrypting SPA messages that have been encrypted by an
@ -618,6 +619,31 @@ Define a list of gpg key ID\(cqs that are required to have signed any incoming S
server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. This setting only applies if the \(lqGPG_REQUIRE_SIG\(rq is set to
\fIY\fR\&. Separate multiple entries with a comma\&.
.RE
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR
.RS 4
Define the path to the GnuPG directory to be used by the
\fBfwknopd\fR
server\&. If this keyword is not specified within
\fI@sysconfdir@/fwknop/access\&.conf\fR
then
\fBfwknopd\fR
will default to using the
\fI/root/\&.gnupg\fR
directory for the server key(s) for incoming SPA packets handled by the matching
\fIaccess\&.conf\fR
stanza\&.
.RE
.PP
\fBGPG_EXE\fR \fI<path>\fR
.RS 4
Define the path to the GnuPG executable\&. If this keyword is not specified within
\fI@sysconfdir@/fwknop/access\&.conf\fR
then
\fBfwknopd\fR
will default to using
\fI/usr/bin/gpg\fR\&.
.RE
.SH "FILES"
.PP
\fB@sysconfdir@/fwknop/fwknopd\&.conf\fR
@ -633,7 +659,7 @@ Defines all knock sequences and access control directives\&.
.sp
\fBfwknopd\fR requires \fIlibfko\fR which is normally included with both source and binary distributions, and is a dedicated library developed by the fwknop project\&.
.sp
For packet sniffing, \fBfwknopd\fR currently requires libpcap, but future versions still remove this as a dependency\&.
For packet sniffing, \fBfwknopd\fR currently requires libpcap, but future versions will (optionally) remove this as a dependency\&.
.sp
For GPG functionality, GnuPG must also be correctly installed and configured along with the libgpgme library\&.
.sp


@ -480,6 +480,8 @@ typedef struct fko_srv_options
unsigned char test; /* Test mode flag */
unsigned char verbose; /* Verbose mode flag */
unsigned char ipt_disable_check_support; /* Don't use iptables -C */
/* Flag for permitting SPA packets regardless of directionality test
* w.r.t. the sniffing interface. This can sometimes be useful for SPA
* packets that are sent _through_ a system and fwknopd is sniffing on


@ -5,4 +5,4 @@ HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzj
GPG_HOME_DIR conf/server-gpg
GPG_DECRYPT_ID 361BBAD4
GPG_DECRYPT_PW fwknoptest
GPG_REMOTE_ID 6A3FAD56
GPG_REMOTE_ID 6A3FAD56, 1234AAAA, 5678BBBB


@ -5,4 +5,4 @@ HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzj
GPG_HOME_DIR conf/server-gpg-no-pw
GPG_DECRYPT_ID 361BBAD4
GPG_ALLOW_NO_PW Y
GPG_REMOTE_ID 6A3FAD56
GPG_REMOTE_ID 6A3FAD56, 1234AAAA, 5678BBBB


@ -21,6 +21,7 @@ our $local_hmac_key_file = 'local_hmac_spa.key';
my $output_dir = 'output';
our $conf_dir = 'conf';
my $run_dir = 'run';
our $run_tmp_dir = 'runtmp';
my $cmd_out_tmp = 'cmd.out';
my $server_cmd_tmp = 'server_cmd.out';
my $openssl_cmd_tmp = 'openssl_cmd.out';
@ -5831,7 +5832,8 @@ sub validate_test_hashes() {
### for fwknop/fwknopd commands, prepend LD_LIBRARY_PATH and valgrind args
for my $test_hr (@tests) {
next if $test_hr->{'disable_valgrind'} eq $YES;
if ($test_hr->{'cmdline'} =~ /^$fwknopCmd/) {
if ($test_hr->{'cmdline'} =~ /^$fwknopCmd/
or $test_hr->{'cmdline'} =~ /^$fwknopdCmd/) {
my $str = $lib_view_str;
unless ($test_hr->{'disable_valgrind'} eq $YES) {
$str .= " $valgrind_str";
@ -6113,10 +6115,11 @@ sub preserve_previous_test_run_results() {
mkdir $output_dir or die "[*] Could not mkdir $output_dir: $!";
}
if (-d $run_dir) {
rmtree $run_dir or die $!;
for my $dir ($run_dir, $run_tmp_dir) {
if (-d $dir) {
rmtree $dir or die $!;
}
}
mkdir $run_dir or die "[*] Could not mkdir $run_dir: $!";
for my $dir ($output_dir, $run_dir) {
next if -d $dir;
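Review bot: The added alternation in validate_test_hashes interpolates `$fwknopdCmd` into the regex unquoted, so any regex metacharacter in the binary's path (a `+` or `(` in a build directory, for instance) silently changes what the match means; the pre-existing `$fwknopCmd` branch has the same weakness. Quote both paths as literals: `if ($test_hr->{'cmdline'} =~ /^\Q$fwknopCmd\E/` / `or $test_hr->{'cmdline'} =~ /^\Q$fwknopdCmd\E/) {`. Note also that the `unless ($test_hr->{'disable_valgrind'} eq $YES)` inside the branch is already guaranteed by the `next if` two lines above it, so it can be dropped; the surrounding loop continues past the hunk.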


@ -1744,6 +1744,88 @@
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC MD5',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type MD5",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/,
qr/HMAC_DIGEST_TYPE.*MD5/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC SHA1',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA1",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/,
qr/HMAC_DIGEST_TYPE.*SHA1/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC SHA256',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA256",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/,
qr/HMAC_DIGEST_TYPE.*SHA256/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC SHA384',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA384",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/,
qr/HMAC_DIGEST_TYPE.*SHA384/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC SHA512',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA512",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'positive_output_matches' => [qr/Wrote.*HMAC.*keys/],
'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/,
qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/,
qr/HMAC_DIGEST_TYPE.*SHA512/],
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
'detail' => '--key-gen HMAC invalid',
'function' => \&client_rc_file,
'cmdline' => "$client_save_rc_args_no_verbose -n default " .
"--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type invalid",
'save_rc_stanza' => [{'name' => 'default',
'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}],
'exec_err' => $YES,
},
{
'category' => 'basic operations',
'subcategory' => 'client save rc file',
@ -1899,6 +1981,23 @@
'function' => \&generic_exec,
'cmdline' => "$fwknopdCmd $default_server_conf_args --fw-list",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'list current fw rules (2)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --fw-list",
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'FWKNOP_RUN_DIR ' . cwd() . "/$run_tmp_dir" ### test coverage for mkdir
],
'positive_output_matches' => [qr/to\screate/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
@ -1913,6 +2012,69 @@
'function' => \&generic_exec,
'cmdline' => "$fwknopdCmd $default_server_conf_args --fw-flush",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid -C packet count',
'function' => \&generic_exec,
'exec_err' => $YES,
### add a few additional command line args for test coverage
'cmdline' => "$fwknopdCmd $default_server_conf_args -f " .
"-l somelocale --pcap-any-direction --syslog-enable -C 999999999999",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'mutually exclusive -K and -R',
'function' => \&generic_exec,
'exec_err' => $YES,
### add a few additional command line args for test coverage
'cmdline' => "$fwknopdCmd $default_server_conf_args -f -K -R"
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'mutually exclusive -D and -R',
'function' => \&generic_exec,
'exec_err' => $YES,
### add a few additional command line args for test coverage
'cmdline' => "$fwknopdCmd $default_server_conf_args -f -D -R"
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid config file path',
'function' => \&generic_exec,
'exec_err' => $YES,
'cmdline' => "$fwknopdCmd -f -c invalid",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid access.conf file path',
'function' => \&generic_exec,
'exec_err' => $YES,
'cmdline' => "$fwknopdCmd -f -a invalid",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'GPG invalid --gpg-home-dir path',
'function' => \&generic_exec,
'exec_err' => $YES,
'cmdline' => "$fwknopdCmd $default_server_conf_args -f --gpg-home-dir invalidpath",
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'GPG invalid --gpg-home-dir path (2)',
'function' => \&generic_exec,
'exec_err' => $YES,
'cmdline' => "$fwknopdCmd $default_server_conf_args -f --gpg-home-dir " . 'A'x1200
},
{
'category' => 'basic operations',
@ -2034,6 +2196,311 @@
],
'positive_output_matches' => [qr/not\sfind.*SOURCE/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid VERBOSE var setting',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'VERBOSE -1'
],
'positive_output_matches' => [qr/not\sin\sthe\srange/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => '__CHANGEME__ key (1)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY __CHANGEME__'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/KEY\s.*not\sproperly/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => '__CHANGEME__ key (2)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY_BASE64 __CHANGEME__'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/KEY_BASE64\s.*not\sproperly/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'non-base64 key',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY_BASE64 %%%%%%%%%%%%%'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/look\slike\sbase64/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'HMAC key __CHANGEME__ (1)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'HMAC_KEY __CHANGEME__'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/KEY\s.*not\sproperly/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'HMAC key __CHANGEME__ (2)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'HMAC_KEY_BASE64 __CHANGEME__'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/KEY_BASE64\s.*not\sproperly/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'HMAC non-base64 key',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'HMAC_KEY_BASE64 %%%%%%%%%%%%%'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/look\slike\sbase64/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'GPG key __CHANGEME__',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'REQUIRE_SOURCE Y',
'KEY testtest',
'GPG_REQUIRE_SIG Y', ### additional test coverage
'GPG_DISABLE_SIG N',
'GPG_IGNORE_SIG_VERIFY_ERROR N',
'GPG_DECRYPT_PW __CHANGEME__'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/PW\s.*not\sproperly/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid FW_ACCESS_TIMEOUT',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'FW_ACCESS_TIMEOUT 999999999999'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/not\sin\srange/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid ENCRYPTION_MODE',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'ENCRYPTION_MODE invalid'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Unrecognized.*MODE/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid CMD_EXEC_USER',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'CMD_EXEC_USER invalid'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Unable.*UID/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_FORWARD_ACCESS',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'IPT_FORWARD_ACCESS invalid'
],
'positive_output_matches' => [qr/ACCESS\sspecification/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_DNAT_ACCESS',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'IPT_DNAT_ACCESS invalid'
],
'positive_output_matches' => [qr/ACCESS\sspecification/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_SNAT_ACCESS',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'IPT_SNAT_ACCESS invalid'
],
'positive_output_matches' => [qr/ACCESS\sspecification/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_SNAT_TRANSLATE_IP',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'ENABLE_IPT_FORWARDING Y',
'ENABLE_IPT_SNAT Y',
'SNAT_TRANSLATE_IP invalid'
],
'positive_output_matches' => [qr/Invalid\sIPv4/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_MASQUERADE_ACCESS',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'IPT_MASQUERADE_ACCESS invalid'
],
'positive_output_matches' => [qr/ACCESS\sspecification/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid iptables IPT_OUTPUT_ACCESS',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'IPT_OUTPUT_ACCESS invalid'
],
'positive_output_matches' => [qr/ACCESS\sspecification/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid PCAP_LOOP_SLEEP',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'PCAP_LOOP_SLEEP 9999999999999'
],
'positive_output_matches' => [qr/not\sin\sthe\srange/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
@ -2130,6 +2597,22 @@
],
'positive_output_matches' => [qr/Invalid\sIP\smask/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'access SOURCE format (7)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE 1.1.1.1/',
'KEY testtest'
],
'server_conf_file' => [
'### comment line'
],
'positive_output_matches' => [qr/Missing\smask/],
},
{
'category' => 'basic operations',
@ -2311,7 +2794,22 @@
],
'positive_output_matches' => [qr/invalid\sFORCE_SNAT\sIP/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'iptables FORCE_SNAT format (3)',
'function' => \&server_conf_files,
'fwknopd_cmdline' => $server_rewrite_conf_files,
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'FORCE_SNAT a'
],
'server_conf_file' => [
'ENABLE_IPT_FORWARDING N'
],
'positive_output_matches' => [qr/requires.*enabled/],
},
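Review bot: In the `__CHANGEME__` hunk the HMAC assertions are too loose to prove what they claim: the 'HMAC key __CHANGEME__ (1)' entry matches `qr/KEY\s.*not\sproperly/`, which is the same pattern the plain 'KEY __CHANGEME__' case uses and also matches the message emitted for a bad `KEY`, so the HMAC test cannot tell which stanza value the server actually rejected; the `_BASE64` pair has the same overlap. Anchor the HMAC variants on the full variable name, e.g. `qr/HMAC_KEY\s.*not\sproperly/` and `qr/HMAC_KEY_BASE64\s.*not\sproperly/`, and the plain cases on `qr/\sKEY\s.*not\sproperly/` and `qr/\sKEY_BASE64\s.*not\sproperly/`. The 'GPG key __CHANGEME__' entry likewise only checks `qr/PW\s.*not\sproperly/` and would be clearer as `qr/GPG_DECRYPT_PW\s.*not\sproperly/`.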
{
'category' => 'basic operations',


@ -70,6 +70,19 @@
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_hmac_b64_key'},
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'client+server',
'detail' => '--ipt-no-check-support',
'function' => \&spa_cycle,
'cmdline' => $default_client_hmac_args,
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file $intf_str --no-ipt-check-support",
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'key_file' => $cf{'rc_hmac_b64_key'},
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'client+server',
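Review bot: The new entry's `detail` string reads `--ipt-no-check-support`, but the option actually passed on the fwknopd command line two lines below is `--no-ipt-check-support`; since `detail` is what appears in the test report, a failure here would point at an option that does not exist. Change it to `'detail' => '--no-ipt-check-support',`. It would also help a reader to note in the detail or a comment that this case deliberately exercises the `iptables -L` parsing fallback rather than `-C`, which is what the flag appears to select in fw_initialize.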