From 6dde30bc91e20d57891e27ecda3aa0116f33d02b Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Tue, 29 Apr 2014 20:54:01 -0400 Subject: [PATCH] [test suite] significant test coverage update This commit adds a lot of test coverage support as guided by gcov + lcov. Also added the --no-ipt-check-support option to fwknopd (this is only useful in practice on older Linux distros where 'iptables -C' is not available, but it helps with test coverage). --- doc/fwknopd.man.asciidoc | 5 + server/access.c | 2 +- server/cmd_opts.h | 54 +-- server/config_init.c | 3 + server/fw_util_iptables.c | 5 +- server/fwknopd.8.in | 64 +++- server/fwknopd_common.h | 2 + test/conf/gpg_hmac_access.conf | 2 +- test/conf/gpg_no_pw_hmac_access.conf | 2 +- test/test-fwknop.pl | 11 +- test/tests/basic_operations.pl | 500 ++++++++++++++++++++++++++- test/tests/rijndael_hmac.pl | 13 + 12 files changed, 609 insertions(+), 54 deletions(-) diff --git a/doc/fwknopd.man.asciidoc b/doc/fwknopd.man.asciidoc index 68aa7062..d2615e8f 100644 --- a/doc/fwknopd.man.asciidoc +++ b/doc/fwknopd.man.asciidoc @@ -90,6 +90,11 @@ COMMAND-LINE OPTIONS *-l, --locale*='':: Set/override the system default locale setting. +*--no-ipt-check-support*:: + Disable the usage of the iptables '-C' option. This is not normally needed, + and is only useful on older Linux distributions where iptables does not + have '-C' support. + *-O, --override-config*='':: Override config variable values that are normally read from the '@sysconfdir@/fwknop/fwknopd.conf'' file with values from the specified file. Multiple diff --git a/server/access.c b/server/access.c index 79255cfb..f2597b04 100644 --- a/server/access.c +++ b/server/access.c 
@@ -1317,7 +1317,7 @@ parse_access_file(fko_srv_options_t *opts) if(strcasecmp(val, "__CHANGEME__") == 0) { log_msg(LOG_ERR, - "[*] HMAC_KEY_BASE64 value is not properly set in stanza source '%s' in access file: '%s'", + "[*] HMAC_KEY value is not properly set in stanza source '%s' in access file: '%s'", curr_acc->source, opts->config[CONF_ACCESS_FILE]); fclose(file_ptr); clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE); diff --git a/server/cmd_opts.h b/server/cmd_opts.h index 8d1acf71..09c9b033 100644 --- a/server/cmd_opts.h +++ b/server/cmd_opts.h @@ -120,6 +120,7 @@ enum { FW_FLUSH, GPG_HOME_DIR, GPG_EXE_PATH, + IPT_DISABLE_CHECK_SUPPORT, PCAP_FILE, ENABLE_PCAP_ANY_DIRECTION, ROTATE_DIGEST_CACHE, 
@@ -135,32 +136,33 @@ enum {
  */
 static struct option cmd_opts[] = {
- {"access-file", 1, NULL, 'a'},
- {"config-file", 1, NULL, 'c'},
- {"packet-limit", 1, NULL, 'C'},
- {"digest-file", 1, NULL, 'd'},
- {"dump-config", 0, NULL, 'D'},
- {"syslog-enable", 0, NULL, SYSLOG_ENABLE },
- {"foreground", 0, NULL, 'f'},
- {"help", 0, NULL, 'h'},
- {"interface", 1, NULL, 'i'},
- {"kill", 0, NULL, 'K'},
- {"fw-flush", 0, NULL, FW_FLUSH },
- {"fw-list", 0, NULL, FW_LIST },
- {"fw-list-all", 0, NULL, FW_LIST_ALL },
- {"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
- {"gpg-exe", 1, NULL, GPG_EXE_PATH },
- {"locale", 1, NULL, 'l' },
- {"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
- {"override-config", 1, NULL, 'O' },
- {"pcap-file", 1, NULL, PCAP_FILE },
- {"pcap-filter", 1, NULL, 'P'},
- {"pcap-any-direction", 0, NULL, ENABLE_PCAP_ANY_DIRECTION },
- {"pid-file", 1, NULL, 'p'},
- {"restart", 0, NULL, 'R'},
- {"status", 0, NULL, 'S'},
- {"verbose", 0, NULL, 'v'},
- {"version", 0, NULL, 'V'},
+ {"access-file", 1, NULL, 'a'},
+ {"config-file", 1, NULL, 'c'},
+ {"packet-limit", 1, NULL, 'C'},
+ {"digest-file", 1, NULL, 'd'},
+ {"dump-config", 0, NULL, 'D'},
+ {"syslog-enable", 0, NULL, SYSLOG_ENABLE },
+ {"foreground", 0, NULL, 'f'},
+ {"help", 0, NULL, 'h'},
+ {"interface", 1, NULL, 'i'},
+ {"kill", 0, NULL, 'K'},
+ {"fw-flush", 0, NULL, FW_FLUSH },
+ {"fw-list", 0, NULL, FW_LIST },
+ {"fw-list-all", 0, NULL, FW_LIST_ALL },
+ {"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
+ {"gpg-exe", 1, NULL, GPG_EXE_PATH },
+ {"no-ipt-check-support", 0, NULL, IPT_DISABLE_CHECK_SUPPORT },
+ {"locale", 1, NULL, 'l' },
+ {"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
+ {"override-config", 1, NULL, 'O' },
+ {"pcap-file", 1, NULL, PCAP_FILE },
+ {"pcap-filter", 1, NULL, 'P'},
+ {"pcap-any-direction", 0, NULL, ENABLE_PCAP_ANY_DIRECTION },
+ {"pid-file", 1, NULL, 'p'},
+ {"restart", 0, NULL, 'R'},
+ {"status", 0, NULL, 'S'},
+ {"verbose", 0, NULL, 'v'},
+ {"version", 0, NULL, 'V'},
 {0, 0, 0, 0}
}; diff --git a/server/config_init.c b/server/config_init.c index 41e4153d..27ee391c 100644 --- a/server/config_init.c +++ b/server/config_init.c @@ -912,6 +912,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv) case 'i': set_config_entry(opts, CONF_PCAP_INTF, optarg); break; + case IPT_DISABLE_CHECK_SUPPORT: + opts->ipt_disable_check_support = 1; + break; case 'K': opts->kill = 1; break; diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index f40ac062..dc8f5df4 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c @@ -890,7 +890,10 @@ fw_initialize(const fko_srv_options_t * const opts) /* See if iptables offers the '-C' argument (older versions don't). If not, * then switch to parsing iptables -L output to find rules. */ - ipt_chk_support(opts); + if(opts->ipt_disable_check_support) + have_ipt_chk_support = 0; + else + ipt_chk_support(opts); return(res); } diff --git a/server/fwknopd.8.in b/server/fwknopd.8.in index bb41b6f1..4f0908ed 100644 --- a/server/fwknopd.8.in +++ b/server/fwknopd.8.in @@ -2,12 +2,12 @@ .\" Title: fwknopd .\" Author: [see the "AUTHORS" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 12/14/2013 +.\" Date: 04/29/2014 .\" Manual: Fwknop Server .\" Source: Fwknop Server .\" Language: English .\" -.TH "FWKNOPD" "8" "12/14/2013" "Fwknop Server" "Fwknop Server" +.TH "FWKNOPD" "8" "04/29/2014" "Fwknop Server" "Fwknop Server" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
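Review bot: When `--no-ipt-check-support` is given, the new branch in fw_initialize() silently sets `have_ipt_chk_support = 0`, and per the comment directly above it rule lookups then fall back to parsing `iptables -L` output; an operator investigating rule-detection behaviour has no log line telling them the fallback was forced by a flag rather than detected from the iptables binary. Log the decision at the point it is made, e.g. `if(opts->ipt_disable_check_support) { log_msg(LOG_INFO, "[+] iptables -C support disabled via --no-ipt-check-support, using 'iptables -L' parsing to find rules"); have_ipt_chk_support = 0; }`, assuming `log_msg()` is reachable from this file as it is in access.c. Since the flag is command-line only (no fwknopd.conf variable is added in this commit), the option text in the man page could say so explicitly to save anyone looking for one. fw_initialize() begins outside this hunk.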
@@ -136,6 +136,15 @@ without having to look in the process table\&. Set/override the system default locale setting\&. .RE .PP +\fB\-\-no\-ipt\-check\-support\fR +.RS 4 +Disable the usage of the iptables +\fI\-C\fR +option\&. This is not normally needed, and is only useful on older Linux distributions where iptables does not have +\fI\-C\fR +support\&. +.RE +.PP \fB\-O, \-\-override\-config\fR=\fI\fR .RS 4 Override config variable values that are normally read from the @@ -357,7 +366,7 @@ is stopped or otherwise exits cleanly\&. The default is \(lqY\(rq\&. .PP \fBGPG_HOME_DIR\fR \fI\fR .RS 4 -If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access block in +If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access stanza in \fI@sysconfdir@/fwknop/access\&.conf\fR can specify its own GPG directory to override this default\&. If not set here or in an \fIaccess\&.conf\fR @@ -368,6 +377,13 @@ directory of the user running (most likely root)\&. .RE .PP +GPG_EXE* \fI\fR +.RS 4 +Specify the path to GPG, and defaults to +\fI/usr/bin/gpg\fR +if not set\&. +.RE +.PP \fBLOCALE\fR \fI\fR .RS 4 Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&. 
@@ -556,21 +572,6 @@ file except that it is per access stanza and overrides any value set with \(lqSN This is similar to the \(lqFORCE_SNAT\(rq variable, except that it is not necessary to also specify an IP address for SNAT rules because the MASQUERADE target is used instead\&. .RE .PP -\fBGPG_HOME_DIR\fR \fI\fR -.RS 4 -Define the path to the GnuPG directory to be used by the -\fBfwknopd\fR -server\&. If this keyword is not specified within -\fI@sysconfdir@/fwknop/access\&.conf\fR -then -\fBfwknopd\fR -will default to using the -\fI/root/\&.gnupg\fR -directory for the server key(s) for incoming SPA packets handled by the matching -\fIaccess\&.conf\fR -stanza\&. -.RE -.PP \fBGPG_DECRYPT_ID\fR \fI\fR .RS 4 Define a GnuPG key ID to use for decrypting SPA messages that have been encrypted by an @@ -618,6 +619,31 @@ Define a list of gpg key ID\(cqs that are required to have signed any incoming S server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. This setting only applies if the \(lqGPG_REQUIRE_SIG\(rq is set to \fIY\fR\&. Separate multiple entries with a comma\&. .RE +.PP +\fBGPG_HOME_DIR\fR \fI\fR +.RS 4 +Define the path to the GnuPG directory to be used by the +\fBfwknopd\fR +server\&. If this keyword is not specified within +\fI@sysconfdir@/fwknop/access\&.conf\fR +then +\fBfwknopd\fR +will default to using the +\fI/root/\&.gnupg\fR +directory for the server key(s) for incoming SPA packets handled by the matching +\fIaccess\&.conf\fR +stanza\&. +.RE +.PP +\fBGPG_EXE\fR \fI\fR +.RS 4 +Define the path to the GnuPG executable\&. If this keyword is not specified within +\fI@sysconfdir@/fwknop/access\&.conf\fR +then +\fBfwknopd\fR +will default to using +\fI/usr/bin/gpg\fR\&. +.RE .SH "FILES" .PP \fB@sysconfdir@/fwknop/fwknopd\&.conf\fR 
@@ -633,7 +659,7 @@ Defines all knock sequences and access control directives\&. .sp \fBfwknopd\fR requires \fIlibfko\fR which is normally included with both source and binary distributions, and is a dedicated library developed by the fwknop project\&. .sp -For packet sniffing, \fBfwknopd\fR currently requires libpcap, but future versions still remove this as a dependency\&. +For packet sniffing, \fBfwknopd\fR currently requires libpcap, but future versions will (optionally) remove this as a dependency\&. .sp For GPG functionality, GnuPG must also be correctly installed and configured along with the libgpgme library\&. .sp diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h index fc8d3202..f78ebbe9 100644 --- a/server/fwknopd_common.h +++ b/server/fwknopd_common.h @@ -480,6 +480,8 @@ typedef struct fko_srv_options unsigned char test; /* Test mode flag */ unsigned char verbose; /* Verbose mode flag */ + unsigned char ipt_disable_check_support; /* Don't use iptables -C */ + /* Flag for permitting SPA packets regardless of directionality test * w.r.t. the sniffing interface. This can sometimes be useful for SPA * packets that are sent _through_ a system and fwknopd is sniffing on diff --git a/test/conf/gpg_hmac_access.conf b/test/conf/gpg_hmac_access.conf index 8ba9ed71..916e98e0 100644 --- a/test/conf/gpg_hmac_access.conf +++ b/test/conf/gpg_hmac_access.conf @@ -5,4 +5,4 @@ HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzj GPG_HOME_DIR conf/server-gpg GPG_DECRYPT_ID 361BBAD4 GPG_DECRYPT_PW fwknoptest -GPG_REMOTE_ID 6A3FAD56 +GPG_REMOTE_ID 6A3FAD56, 1234AAAA, 5678BBBB diff --git a/test/conf/gpg_no_pw_hmac_access.conf b/test/conf/gpg_no_pw_hmac_access.conf index 74586335..0ba1918a 100644 --- a/test/conf/gpg_no_pw_hmac_access.conf +++ b/test/conf/gpg_no_pw_hmac_access.conf 
@@ -5,4 +5,4 @@ HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzj GPG_HOME_DIR conf/server-gpg-no-pw GPG_DECRYPT_ID 361BBAD4 GPG_ALLOW_NO_PW Y -GPG_REMOTE_ID 6A3FAD56 +GPG_REMOTE_ID 6A3FAD56, 1234AAAA, 5678BBBB diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl index 391327dc..dab1c748 100755 --- a/test/test-fwknop.pl +++ b/test/test-fwknop.pl @@ -21,6 +21,7 @@ our $local_hmac_key_file = 'local_hmac_spa.key'; my $output_dir = 'output'; our $conf_dir = 'conf'; my $run_dir = 'run'; +our $run_tmp_dir = 'runtmp'; my $cmd_out_tmp = 'cmd.out'; my $server_cmd_tmp = 'server_cmd.out'; my $openssl_cmd_tmp = 'openssl_cmd.out'; @@ -5831,7 +5832,8 @@ sub validate_test_hashes() { ### for fwknop/fwknopd commands, prepend LD_LIBRARY_PATH and valgrind args for my $test_hr (@tests) { next if $test_hr->{'disable_valgrind'} eq $YES; - if ($test_hr->{'cmdline'} =~ /^$fwknopCmd/) { + if ($test_hr->{'cmdline'} =~ /^$fwknopCmd/ + or $test_hr->{'cmdline'} =~ /^$fwknopdCmd/) { my $str = $lib_view_str; unless ($test_hr->{'disable_valgrind'} eq $YES) { $str .= " $valgrind_str"; @@ -6113,10 +6115,11 @@ sub preserve_previous_test_run_results() { mkdir $output_dir or die "[*] Could not mkdir $output_dir: $!"; } - if (-d $run_dir) { - rmtree $run_dir or die $!; + for my $dir ($run_dir, $run_tmp_dir) { + if (-d $dir) { + rmtree $dir or die $!; + } } - mkdir $run_dir or die "[*] Could not mkdir $run_dir: $!"; for my $dir ($output_dir, $run_dir) { next if -d $dir; diff --git a/test/tests/basic_operations.pl b/test/tests/basic_operations.pl index 7e3f52e8..34bf311e 100644 --- a/test/tests/basic_operations.pl +++ b/test/tests/basic_operations.pl 
@@ -1744,6 +1744,88 @@ 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/], }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC MD5', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . + "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type MD5", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'positive_output_matches' => [qr/Wrote.*HMAC.*keys/], + 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, + qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/, + qr/HMAC_DIGEST_TYPE.*MD5/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC SHA1', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . + "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA1", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'positive_output_matches' => [qr/Wrote.*HMAC.*keys/], + 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, + qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/, + qr/HMAC_DIGEST_TYPE.*SHA1/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC SHA256', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . 
+ "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA256", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'positive_output_matches' => [qr/Wrote.*HMAC.*keys/], + 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, + qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/, + qr/HMAC_DIGEST_TYPE.*SHA256/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC SHA384', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . + "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA384", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'positive_output_matches' => [qr/Wrote.*HMAC.*keys/], + 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, + qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/, + qr/HMAC_DIGEST_TYPE.*SHA384/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC SHA512', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . + "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type SHA512", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'positive_output_matches' => [qr/Wrote.*HMAC.*keys/], + 'rc_positive_output_matches' => [qr/VERBOSE.*(Y|\d)/, + qr/USE_HMAC.*Y/, qr/KEY_BASE64/, qr/HMAC_KEY_BASE64/, + qr/HMAC_DIGEST_TYPE.*SHA512/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'client save rc file', + 'detail' => '--key-gen HMAC invalid', + 'function' => \&client_rc_file, + 'cmdline' => "$client_save_rc_args_no_verbose -n default " . 
+ "--fw-timeout 1234 $verbose_str --use-hmac --key-gen --hmac-digest-type invalid", + 'save_rc_stanza' => [{'name' => 'default', + 'vars' => {'KEY' => 'testtest', 'FW_TIMEOUT' => '30'}}], + 'exec_err' => $YES, + }, + { 'category' => 'basic operations', 'subcategory' => 'client save rc file', @@ -1899,6 +1981,23 @@ 'function' => \&generic_exec, 'cmdline' => "$fwknopdCmd $default_server_conf_args --fw-list", }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'list current fw rules (2)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => "$server_rewrite_conf_files --fw-list", + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'FWKNOP_RUN_DIR ' . cwd() . "/$run_tmp_dir" ### test coverage for mkdir + ], + 'positive_output_matches' => [qr/to\screate/], + }, + { 'category' => 'basic operations', 'subcategory' => 'server', 
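Review bot: 'list current fw rules (2)' pairs `'exec_err' => $YES` with the loose pattern `qr/to\screate/`, so the test does not make clear whether it asserts that fwknopd created the `runtmp` directory named by `FWKNOP_RUN_DIR` (the stated goal, `### test coverage for mkdir`) or that it failed to; a message such as "Unable to create ..." would satisfy the same regex as a successful-creation message. Pin the pattern to the full log line fwknopd emits on this path and, if creation is meant to succeed, add a `negative_output_matches` for the failure wording and keep `exec_err` only if the later failure of `--fw-list` is itself the intended outcome. Note also that preserve_previous_test_run_results() in test-fwknop.pl removes `runtmp` without recreating it, so this test's result presumably depends on running after that cleanup.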
@@ -1913,6 +2012,69 @@ 'function' => \&generic_exec, 'cmdline' => "$fwknopdCmd $default_server_conf_args --fw-flush", }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid -C packet count', + 'function' => \&generic_exec, + 'exec_err' => $YES, + ### add a few additional command line args for test coverage + 'cmdline' => "$fwknopdCmd $default_server_conf_args -f " . + "-l somelocale --pcap-any-direction --syslog-enable -C 999999999999", + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'mutually exclusive -K and -R', + 'function' => \&generic_exec, + 'exec_err' => $YES, + ### add a few additional command line args for test coverage + 'cmdline' => "$fwknopdCmd $default_server_conf_args -f -K -R" + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'mutually exclusive -D and -R', + 'function' => \&generic_exec, + 'exec_err' => $YES, + ### add a few additional command line args for test coverage + 'cmdline' => "$fwknopdCmd $default_server_conf_args -f -D -R" + }, + + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid config file path', + 'function' => \&generic_exec, + 'exec_err' => $YES, + 'cmdline' => "$fwknopdCmd -f -c invalid", + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid access.conf file path', + 'function' => \&generic_exec, + 'exec_err' => $YES, + 'cmdline' => "$fwknopdCmd -f -a invalid", + }, + + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'GPG invalid --gpg-home-dir path', + 'function' => \&generic_exec, + 'exec_err' => $YES, + 'cmdline' => "$fwknopdCmd $default_server_conf_args -f --gpg-home-dir invalidpath", + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'GPG invalid --gpg-home-dir path (2)', + 'function' => \&generic_exec, + 'exec_err' => $YES, + 'cmdline' => "$fwknopdCmd 
$default_server_conf_args -f --gpg-home-dir " . 'A'x1200 + }, + { 'category' => 'basic operations', 
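Review bot: The negative server tests in this hunk ('invalid -C packet count' through 'GPG invalid --gpg-home-dir path (2)') assert only `'exec_err' => $YES`, so any non-zero exit satisfies them, including an abort or a valgrind-detected memory error on the 1200-byte `--gpg-home-dir` path built from `'A'x1200`, which is exactly the failure that case exists to catch. Add a `positive_output_matches` with the expected error wording to each, e.g. `'positive_output_matches' => [qr/not\sin\s(the\s)?range/],` for the `-C 999999999999` case, mirroring the server_conf_files tests added later in this commit. Whether generic_exec() already distinguishes a signal exit from a clean non-zero status is not visible here.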
@@ -2034,6 +2196,311 @@ ], 'positive_output_matches' => [qr/not\sfind.*SOURCE/], }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid VERBOSE var setting', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'VERBOSE -1' + ], + 'positive_output_matches' => [qr/not\sin\sthe\srange/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => '__CHANGEME__ key (1)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY __CHANGEME__' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/KEY\s.*not\sproperly/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => '__CHANGEME__ key (2)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY_BASE64 __CHANGEME__' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/KEY_BASE64\s.*not\sproperly/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'non-base64 key', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY_BASE64 %%%%%%%%%%%%%' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/look\slike\sbase64/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'HMAC key __CHANGEME__ (1)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'HMAC_KEY 
__CHANGEME__' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/KEY\s.*not\sproperly/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'HMAC key __CHANGEME__ (2)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'HMAC_KEY_BASE64 __CHANGEME__' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/KEY_BASE64\s.*not\sproperly/], + }, + + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'HMAC non-base64 key', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'HMAC_KEY_BASE64 %%%%%%%%%%%%%' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/look\slike\sbase64/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'GPG key __CHANGEME__', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'REQUIRE_SOURCE Y', + 'KEY testtest', + 'GPG_REQUIRE_SIG Y', ### additional test coverage + 'GPG_DISABLE_SIG N', + 'GPG_IGNORE_SIG_VERIFY_ERROR N', + 'GPG_DECRYPT_PW __CHANGEME__' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/PW\s.*not\sproperly/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid FW_ACCESS_TIMEOUT', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'FW_ACCESS_TIMEOUT 999999999999' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/not\sin\srange/], + }, + { + 
'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid ENCRYPTION_MODE', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'ENCRYPTION_MODE invalid' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/Unrecognized.*MODE/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid CMD_EXEC_USER', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest', + 'CMD_EXEC_USER invalid' + ], + 'server_conf_file' => [ + '### comment' + ], + 'positive_output_matches' => [qr/Unable.*UID/], + }, + + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_FORWARD_ACCESS', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'IPT_FORWARD_ACCESS invalid' + ], + 'positive_output_matches' => [qr/ACCESS\sspecification/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_DNAT_ACCESS', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'IPT_DNAT_ACCESS invalid' + ], + 'positive_output_matches' => [qr/ACCESS\sspecification/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_SNAT_ACCESS', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 
'IPT_SNAT_ACCESS invalid' + ], + 'positive_output_matches' => [qr/ACCESS\sspecification/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_SNAT_TRANSLATE_IP', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'ENABLE_IPT_FORWARDING Y', + 'ENABLE_IPT_SNAT Y', + 'SNAT_TRANSLATE_IP invalid' + ], + 'positive_output_matches' => [qr/Invalid\sIPv4/], + }, + + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_MASQUERADE_ACCESS', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'IPT_MASQUERADE_ACCESS invalid' + ], + 'positive_output_matches' => [qr/ACCESS\sspecification/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid iptables IPT_OUTPUT_ACCESS', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'IPT_OUTPUT_ACCESS invalid' + ], + 'positive_output_matches' => [qr/ACCESS\sspecification/], + }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'invalid PCAP_LOOP_SLEEP', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'KEY testtest' + ], + 'server_conf_file' => [ + 'PCAP_LOOP_SLEEP 9999999999999' + ], + 'positive_output_matches' => [qr/not\sin\sthe\srange/], + }, + { 'category' => 'basic operations', 'subcategory' => 'server', 
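Review bot: 'HMAC key __CHANGEME__ (1)' and '(2)' match `qr/KEY\s.*not\sproperly/` and `qr/KEY_BASE64\s.*not\sproperly/`, which the `KEY` and `KEY_BASE64` error paths also satisfy, so they cannot tell whether fwknopd rejected the HMAC key or the Rijndael key, and they do not verify the access.c message fix in this same commit, whose point is that the `HMAC_KEY` case now names `HMAC_KEY` rather than `HMAC_KEY_BASE64`. Anchor the patterns on the HMAC variable names: `'positive_output_matches' => [qr/HMAC_KEY\s.*not\sproperly/],` and `'positive_output_matches' => [qr/HMAC_KEY_BASE64\s.*not\sproperly/],`. 'non-base64 key' and 'HMAC non-base64 key' share the same ambiguity through `qr/look\slike\sbase64/`.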
@@ -2130,6 +2597,22 @@ ], 'positive_output_matches' => [qr/Invalid\sIP\smask/], }, + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'access SOURCE format (7)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE 1.1.1.1/', + 'KEY testtest' + ], + 'server_conf_file' => [ + '### comment line' + ], + 'positive_output_matches' => [qr/Missing\smask/], + }, { 'category' => 'basic operations', @@ -2311,7 +2794,22 @@ ], 'positive_output_matches' => [qr/invalid\sFORCE_SNAT\sIP/], }, - + { + 'category' => 'basic operations', + 'subcategory' => 'server', + 'detail' => 'iptables FORCE_SNAT format (3)', + 'function' => \&server_conf_files, + 'fwknopd_cmdline' => $server_rewrite_conf_files, + 'exec_err' => $YES, + 'server_access_file' => [ + 'SOURCE any', + 'FORCE_SNAT a' + ], + 'server_conf_file' => [ + 'ENABLE_IPT_FORWARDING N' + ], + 'positive_output_matches' => [qr/requires.*enabled/], + }, { 'category' => 'basic operations', diff --git a/test/tests/rijndael_hmac.pl b/test/tests/rijndael_hmac.pl index f5241c5a..df7f1e0a 100644 --- a/test/tests/rijndael_hmac.pl +++ b/test/tests/rijndael_hmac.pl @@ -70,6 +70,19 @@ 'fw_rule_removed' => $NEW_RULE_REMOVED, 'key_file' => $cf{'rc_hmac_b64_key'}, }, + { + 'category' => 'Rijndael+HMAC', + 'subcategory' => 'client+server', + 'detail' => '--ipt-no-check-support', + 'function' => \&spa_cycle, + 'cmdline' => $default_client_hmac_args, + 'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " . + "-d $default_digest_file -p $default_pid_file $intf_str --no-ipt-check-support", + 'fw_rule_created' => $NEW_RULE_REQUIRED, + 'fw_rule_removed' => $NEW_RULE_REMOVED, + 'key_file' => $cf{'rc_hmac_b64_key'}, + }, + { 'category' => 'Rijndael+HMAC', 'subcategory' => 'client+server',
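Review bot: The test's `'detail'` label reads `'--ipt-no-check-support'` while the flag actually passed on `fwknopd_cmdline` (and defined in cmd_opts.h) is `--no-ipt-check-support`; since the detail string is what appears in test output and is used to pick tests by name, the mislabel makes the case hard to find and advertises a flag that does not exist. Change it to `'detail' => '--no-ipt-check-support',`. A passing SPA cycle alone does not show the flag took effect, so a `positive_output_matches` on whatever fwknopd logs when it falls back to `iptables -L` parsing would make the test meaningful, if such a message exists.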