[test suite] added afl-cmin scripts, and the main test suite configs are referenced

2015-03-19 22:55:50 -04:00 · 2015-03-19 22:55:50 -04:00 · ab5c000a32
commit ab5c000a32
parent 104aeca978
73 changed files with 378 additions and 9 deletions
--- a/server/config_init.c
+++ b/server/config_init.c
@ -1253,8 +1253,8 @@ usage(void)
      "     --syslog-enable     - Allow messages to be sent to syslog even if the\n"
      "                           foreground mode is set.\n"
      " -V, --version           - Print version number.\n"
-      " -A, --afl-fuzzing       - Run in American Fuzzy Lop (AFL) fuzzing mode\n"
-      "                           plaintext SPA packets are accepted via stdin.\n"
+      " -A, --afl-fuzzing       - Run in American Fuzzy Lop (AFL) fuzzing mode so\n"
+      "                           that plaintext SPA packets are accepted via stdin.\n"
      " -h, --help              - Print this usage message and exit.\n"
      " --dump-serv-err-codes   - List all server error codes (only needed by the\n"
      "                           test suite).\n"
--- a/test/afl/fuzzing-wrappers/helpers/afl-cmin/server-access-cmin.sh
+++ b/test/afl/fuzzing-wrappers/helpers/afl-cmin/server-access-cmin.sh
@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+. ./fuzzing-wrappers/fcns
+
+### generate test corpus directly from the main test suite
+### config files
+CONF_DIR=../conf
+IN_DIR=$CONF_DIR
+OUT_DIR=${IN_DIR}.cmin
+OUT_DIR="test-cases/server-access.cmin"
+FUZZ_FILE=access_tmp.conf
+
+LD_LIBRARY_PATH=../../lib/.libs afl-cmin -i $IN_DIR \
+    -f $FUZZ_FILE -o $OUT_DIR $SERVER \
+    -c $CONF_DIR/ipt_snat_fwknopd.conf \
+    -a $FUZZ_FILE -O $CONF_DIR/override_no_digest_tracking_fwknopd.conf \
+    -A -f -t --exit-parse-config -v -v -v -r `pwd`/run
+
+exit $?
--- a/test/afl/fuzzing-wrappers/helpers/afl-cmin/server-conf-cmin.sh
+++ b/test/afl/fuzzing-wrappers/helpers/afl-cmin/server-conf-cmin.sh
@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+. ./fuzzing-wrappers/fcns
+
+### generate test corpus directly from the main test suite
+### config files
+CONF_DIR=../conf
+IN_DIR=$CONF_DIR
+OUT_DIR="test-cases/server-conf.cmin"
+FUZZ_FILE=fwknopd_conf.tmp
+
+LD_LIBRARY_PATH=../../lib/.libs afl-cmin -i $IN_DIR \
+    -f $FUZZ_FILE -o $OUT_DIR $SERVER \
+    -a $CONF_DIR/default_access.conf \
+    -c $FUZZ_FILE -O $CONF_DIR/override_no_digest_tracking_fwknopd.conf \
+    -A -f -t --exit-parse-config -v -v -v -r `pwd`/run
+
+exit $?
--- a/test/afl/fuzzing-wrappers/helpers/afl-cmin/spa-pkts-cmin.sh
+++ b/test/afl/fuzzing-wrappers/helpers/afl-cmin/spa-pkts-cmin.sh
@ -1,7 +1,12 @@
 #!/bin/sh -x

-TEST_CASES_DIR=test-cases
+. ./fuzzing-wrappers/fcns
+IN_DIR="test-cases/spa-pkts"
+OUT_DIR=${IN_DIR}.cmin
+CONF_DIR=../conf

-LD_LIBRARY_PATH=../../lib/.libs afl-cmin -i $TEST_CASES_DIR/spa-pkts -o $TEST_CASES_DIR/spa-pkts.cmin  ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+LD_LIBRARY_PATH=../../lib/.libs afl-cmin -i $IN_DIR \
+    -o ${IN_DIR}.cmin $SERVER -c ../conf/default_fwknopd.conf \
+    -a $CONF_DIR/default_access.conf -A -f -t

 exit $?
--- a/test/afl/fuzzing-wrappers/server-access.sh
+++ b/test/afl/fuzzing-wrappers/server-access.sh
@ -10,6 +10,7 @@ FDIR="server-access.out"
 OUT_DIR="$TOP_DIR/$FDIR"
 PREV_OUT_DIR=''
 IN_DIR="test-cases/server-access"
+FUZZ_FILE=$OUT_DIR/afl_access.conf

 ### build up our afl-fuzz text banner
 TSTR="fwknopd,access.conf"
@ -32,9 +33,9 @@ fi
 ### run afl-fuzz
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz \
    -T $BANNER -t 1000 -i $IN_DIR \
-    -o $OUT_DIR -f $OUT_DIR/afl_access.conf $SERVER \
+    -o $OUT_DIR -f $FUZZ_FILE $SERVER \
    -c ../conf/ipt_snat_fwknopd.conf \
-    -a $OUT_DIR/afl_access.conf \
+    -a $FUZZ_FILE \
    -O ../conf/override_no_digest_tracking_fwknopd.conf \
    -A -f -t --exit-parse-config -v -v -v -r `pwd`/run

--- a/test/afl/fuzzing-wrappers/server-conf.sh
+++ b/test/afl/fuzzing-wrappers/server-conf.sh
@ -9,7 +9,8 @@
 FDIR="server-conf.out"
 OUT_DIR="$TOP_DIR/$FDIR"
 PREV_OUT_DIR=''
-IN_DIR="test-cases/server-conf"
+IN_DIR="test-cases/server-conf.cmin"
+FUZZ_FILE=$OUT_DIR/afl_fwknopd.conf

 ### build up our afl-fuzz text banner
 TSTR="fwknopd,fwknopd.conf"
@ -30,10 +31,10 @@ fi
 ./fuzzing-wrappers/helpers/fwknopd-parse-conf.sh || exit $?

 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -T $BANNER -t 1000 -i $IN_DIR \
-    -o $OUT_DIR -f $OUT_DIR/afl_fwknopd.conf $SERVER \
+    -o $OUT_DIR -f $FUZZ_FILE $SERVER \
    -O ../conf/override_no_digest_tracking_fwknopd.conf \
    -a ../conf/default_access.conf \
-    -c $OUT_DIR/afl_fwknopd.conf \
+    -c $FUZZ_FILE \
    -A -f -t --exit-parse-config -v -v -v -r `pwd`/run

 exit $?
--- a/test/afl/test-cases/server-access.cmin/cfb_mode_access.conf
+++ b/test/afl/test-cases/server-access.cmin/cfb_mode_access.conf
@ -0,0 +1,4 @@
+SOURCE               ANY
+KEY                  fwknoptest
+FW_ACCESS_TIMEOUT    3
+ENCRYPTION_MODE      CFB
--- a/test/afl/test-cases/server-access.cmin/cmd_access.conf
+++ b/test/afl/test-cases/server-access.cmin/cmd_access.conf
@ -0,0 +1,4 @@
+SOURCE                   ANY
+KEY                      fwknoptest
+FW_ACCESS_TIMEOUT        3
+ENABLE_CMD_EXEC          Y
--- a/test/afl/test-cases/server-access.cmin/cmd_giduid_access.conf
+++ b/test/afl/test-cases/server-access.cmin/cmd_giduid_access.conf
@ -0,0 +1,6 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+ENABLE_CMD_EXEC         Y
+CMD_EXEC_USER           nobody
+CMD_EXEC_GROUP          nobody
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/cmd_setuid_access.conf
+++ b/test/afl/test-cases/server-access.cmin/cmd_setuid_access.conf
@ -0,0 +1,5 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+ENABLE_CMD_EXEC         Y
+CMD_EXEC_USER           nobody
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/ctr_mode_access.conf
+++ b/test/afl/test-cases/server-access.cmin/ctr_mode_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+ENCRYPTION_MODE         CTR
--- a/test/afl/test-cases/server-access.cmin/default_fwknopd.conf
+++ b/test/afl/test-cases/server-access.cmin/default_fwknopd.conf
@ -0,0 +1 @@
+# default config - no variables set to allow defaults to be preserved
--- a/test/afl/test-cases/server-access.cmin/dual_key_legacy_iv_access.conf
+++ b/test/afl/test-cases/server-access.cmin/dual_key_legacy_iv_access.conf
@ -0,0 +1,10 @@
+SOURCE              ANY
+KEY                 fwknoptest
+OPEN_PORTS          tcp/22
+FW_ACCESS_TIMEOUT   2
+
+SOURCE              ANY
+KEY                 fwknoptest
+OPEN_PORTS          tcp/22
+FW_ACCESS_TIMEOUT   3
+ENCRYPTION_MODE     legacy
--- a/test/afl/test-cases/server-access.cmin/ecb_mode_access.conf
+++ b/test/afl/test-cases/server-access.cmin/ecb_mode_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+ENCRYPTION_MODE         ECB
--- a/test/afl/test-cases/server-access.cmin/expired_epoch_stanza_access.conf
+++ b/test/afl/test-cases/server-access.cmin/expired_epoch_stanza_access.conf
@ -0,0 +1,4 @@
+SOURCE                      ANY
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
+ACCESS_EXPIRE_EPOCH         1111111111;   ### very old
--- a/test/afl/test-cases/server-access.cmin/expired_stanza_access.conf
+++ b/test/afl/test-cases/server-access.cmin/expired_stanza_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+ACCESS_EXPIRE           3/10/01;   ### very old
--- a/test/afl/test-cases/server-access.cmin/force_nat_access.conf
+++ b/test/afl/test-cases/server-access.cmin/force_nat_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+FORCE_NAT               192.168.1.123 22
--- a/test/afl/test-cases/server-access.cmin/fuzzing_open_ports_access.conf
+++ b/test/afl/test-cases/server-access.cmin/fuzzing_open_ports_access.conf
@ -0,0 +1,4 @@
+SOURCE              4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10
+OPEN_PORTS          udp/6001, tcp/22, tcp/80, tcp/123453
+KEY                 fwknoptest
+FW_ACCESS_TIMEOUT   3
--- a/test/afl/test-cases/server-access.cmin/fuzzing_restrict_ports_access.conf
+++ b/test/afl/test-cases/server-access.cmin/fuzzing_restrict_ports_access.conf
@ -0,0 +1,5 @@
+SOURCE                  4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10
+OPEN_PORTS              udp/6001, tcp/22, tcp/80, tcp/12345
+RESTRICT_PORTS          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/fuzzing_source_access.conf
+++ b/test/afl/test-cases/server-access.cmin/fuzzing_source_access.conf
@ -0,0 +1,4 @@
+SOURCE                  4.3.2.0/24, 127.0.0.0/24, 123.123.123.1234/24, 23.43.0.0/16, A0.10.10.10
+OPEN_PORTS              udp/6001, tcp/22, tcp/80, tcp/12345
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/fwknoprc_with_default_key
+++ b/test/afl/test-cases/server-access.cmin/fwknoprc_with_default_key
@ -0,0 +1,2 @@
+[default]
+KEY                 fwknoptest
--- a/test/afl/test-cases/server-access.cmin/gpg_no_sig_no_fpr_access.conf
+++ b/test/afl/test-cases/server-access.cmin/gpg_no_sig_no_fpr_access.conf
@ -0,0 +1,8 @@
+SOURCE                      ANY
+FW_ACCESS_TIMEOUT           3
+#GPG_HOME_DIR                conf/server-gpg-no-pw  ### for code coverage
+GPG_DECRYPT_ID              361BBAD4
+GPG_DISABLE_SIG             Y
+GPG_REQUIRE_SIG             Y
+GPG_ALLOW_NO_PW             Y
+GPG_FINGERPRINT_ID          00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
--- a/test/afl/test-cases/server-access.cmin/hmac_dual_key_usage_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_dual_key_usage_access.conf
@ -0,0 +1,12 @@
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS                  tcp/22
+FW_ACCESS_TIMEOUT           2
+
+### test comment
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS                  tcp/80
+FW_ACCESS_TIMEOUT           3
--- a/test/afl/test-cases/server-access.cmin/hmac_equal_keys_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_equal_keys_access.conf
@ -0,0 +1,17 @@
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS                  tcp/22
+FW_ACCESS_TIMEOUT           2
+
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+OPEN_PORTS                  tcp/80
+FW_ACCESS_TIMEOUT           3
+
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS                  tcp/80
+FW_ACCESS_TIMEOUT           3
--- a/test/afl/test-cases/server-access.cmin/hmac_force_masq_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_force_masq_access.conf
@ -0,0 +1,6 @@
+SOURCE                  ANY
+KEY_BASE64              wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64         Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+FW_ACCESS_TIMEOUT       3
+FORCE_NAT               123.4.4.4 22
+FORCE_MASQUERADE        Y
--- a/test/afl/test-cases/server-access.cmin/hmac_force_snat_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_force_snat_access.conf
@ -0,0 +1,6 @@
+SOURCE                  ANY
+KEY_BASE64              wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64         Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+FW_ACCESS_TIMEOUT       3
+FORCE_NAT               123.4.4.4 22
+FORCE_SNAT              33.3.3.3
--- a/test/afl/test-cases/server-access.cmin/hmac_fuzzing_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_fuzzing_access.conf
@ -0,0 +1,5 @@
+SOURCE                  ANY
+KEY                     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+HMAC_KEY                BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+ENABLE_CMD_EXEC         Y
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_get_key_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_get_key_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     rijndaelkey
+HMAC_KEY                hmackey
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_invalid_type_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_invalid_type_access.conf
@ -0,0 +1,5 @@
+SOURCE                      ANY
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+HMAC_DIGEST_TYPE            invalid
+FW_ACCESS_TIMEOUT           3
--- a/test/afl/test-cases/server-access.cmin/hmac_md5_short_key_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_md5_short_key_access.conf
@ -0,0 +1,5 @@
+SOURCE              ANY
+KEY_BASE64          wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64     QQBwGf0bkZmBUA==
+HMAC_DIGEST_TYPE    md5
+FW_ACCESS_TIMEOUT   3
--- a/test/afl/test-cases/server-access.cmin/hmac_no_b64_cygwin_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_no_b64_cygwin_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+HMAC_KEY                test
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_sha1_short_key_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_sha1_short_key_access.conf
@ -0,0 +1,5 @@
+SOURCE                  ANY
+KEY_BASE64              wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64         QQBwGf0bkZmBUA==
+HMAC_DIGEST_TYPE        sha1
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_sha384_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_sha384_access.conf
@ -0,0 +1,5 @@
+SOURCE                  ANY
+KEY_BASE64              wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64         4BzQKdhUpy3ijTbjQmrrl4sMX0cOFqUz+Yq/ET3dDuzS1OH7omsFzra649fLuTLEGQy8u9Mt7XKscMIvv6MqmARI892r0U57QYtKWlilbzJhLNKhF6+vpBKC+6ArZD/OzFUHB/oREch8I8QR/nCCpxrzjca5BN/KAdAOi3xvX1Q=
+HMAC_DIGEST_TYPE        sha384
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_sha512_short_key2_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_sha512_short_key2_access.conf
@ -0,0 +1,5 @@
+SOURCE                  ANY
+KEY_BASE64              dGVzdGtleTE=
+HMAC_KEY_BASE64         dGVzdGtleTI=
+HMAC_DIGEST_TYPE        sha512
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/hmac_simple_keys_access.conf
+++ b/test/afl/test-cases/server-access.cmin/hmac_simple_keys_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY_BASE64              dGVzdA==
+HMAC_KEY_BASE64         dGVzdHRlc3Q=
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/icmp_pcap_filter_fwknopd.conf
+++ b/test/afl/test-cases/server-access.cmin/icmp_pcap_filter_fwknopd.conf
@ -0,0 +1 @@
+PCAP_FILTER         icmp;
--- a/test/afl/test-cases/server-access.cmin/invalid_expire_access.conf
+++ b/test/afl/test-cases/server-access.cmin/invalid_expire_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+ACCESS_EXPIRE           3-10-01;  ### / separators required
--- a/test/afl/test-cases/server-access.cmin/invalid_source_access.conf
+++ b/test/afl/test-cases/server-access.cmin/invalid_source_access.conf
@ -0,0 +1,6 @@
+SOURCE                  :ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+SOURCE                  ANY
+KEY                     fwknoptest2
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/ip_source_match_access.conf
+++ b/test/afl/test-cases/server-access.cmin/ip_source_match_access.conf
@ -0,0 +1,3 @@
+SOURCE                  127.0.0.1
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/ipt_custom_nat_chain_fwknopd.conf
+++ b/test/afl/test-cases/server-access.cmin/ipt_custom_nat_chain_fwknopd.conf
@ -0,0 +1,5 @@
+ENABLE_IPT_FORWARDING           Y;
+
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT_TEST, 1;
+IPT_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD_TEST, 1;
+IPT_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING_TEST, 1;
--- a/test/afl/test-cases/server-access.cmin/ipt_no_flush_init_or_exit_fwknopd.conf
+++ b/test/afl/test-cases/server-access.cmin/ipt_no_flush_init_or_exit_fwknopd.conf
@ -0,0 +1,2 @@
+FLUSH_IPT_AT_INIT       N;
+FLUSH_IPT_AT_EXIT       N;
--- a/test/afl/test-cases/server-access.cmin/ipt_snat_fwknopd.conf
+++ b/test/afl/test-cases/server-access.cmin/ipt_snat_fwknopd.conf
@ -0,0 +1,3 @@
+ENABLE_IPT_FORWARDING       Y;
+ENABLE_IPT_SNAT             Y;
+SNAT_TRANSLATE_IP           10.1.2.3;
--- a/test/afl/test-cases/server-access.cmin/legacy_iv_long_key2_access.conf
+++ b/test/afl/test-cases/server-access.cmin/legacy_iv_long_key2_access.conf
@ -0,0 +1,4 @@
+SOURCE                  ANY
+KEY                     1234567890123456blah
+FW_ACCESS_TIMEOUT       3
+ENCRYPTION_MODE         legacy
--- a/test/afl/test-cases/server-access.cmin/multi_stanzas_access.conf
+++ b/test/afl/test-cases/server-access.cmin/multi_stanzas_access.conf
@ -0,0 +1,12 @@
+SOURCE                      4.3.2.0/24, 23.43.0.0/16, 10.10.10.10
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
+SOURCE                      23.43.0.0/16, 123.123.123.123/255.255.255.255, 10.10.10.10
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
+SOURCE                      4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
+SOURCE                      4.3.2.0/24, 10.10.10.10
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
--- a/test/afl/test-cases/server-access.cmin/multi_stanzas_with_broken_keys.conf
+++ b/test/afl/test-cases/server-access.cmin/multi_stanzas_with_broken_keys.conf
@ -0,0 +1,15 @@
+SOURCE: 4.3.2.0/24, 23.43.0.0/16, 10.10.10.10;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+SOURCE: 23.43.0.0/16, 10.10.10.10;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10;
+KEY: badkey123;
+FW_ACCESS_TIMEOUT:  3;
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
+SOURCE: 4.3.2.0/24, 10.10.10.10;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
--- a/test/afl/test-cases/server-access.cmin/no_multi_source_match_access.conf
+++ b/test/afl/test-cases/server-access.cmin/no_multi_source_match_access.conf
@ -0,0 +1,3 @@
+SOURCE                  4.3.2.0/24, 1.3.4.5, 23.43.0.0/16, 10.10.10.10
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
--- a/test/afl/test-cases/server-access.cmin/ofb_mode_access.conf
+++ b/test/afl/test-cases/server-access.cmin/ofb_mode_access.conf
@ -0,0 +1,4 @@
+SOURCE                      ANY
+KEY                         fwknoptest
+FW_ACCESS_TIMEOUT           3
+ENCRYPTION_MODE             OFB
--- a/test/afl/test-cases/server-conf.cmin/default_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/default_fwknopd.conf
@ -0,0 +1 @@
+# default config - no variables set to allow defaults to be preserved
--- a/test/afl/test-cases/server-conf.cmin/fwknoprc_gpg_invalid_exe
+++ b/test/afl/test-cases/server-conf.cmin/fwknoprc_gpg_invalid_exe
@ -0,0 +1,4 @@
+[default]
+HMAC_DIGEST_TYPE    sha256
+HMAC_KEY_BASE64     Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+GPG_EXE             /invalid/gpg/path
--- a/test/afl/test-cases/server-conf.cmin/fwknoprc_hmac_defaults
+++ b/test/afl/test-cases/server-conf.cmin/fwknoprc_hmac_defaults
@ -0,0 +1,40 @@
+[default]
+ACCESS                      tcp/22
+SPA_SERVER                  127.0.0.1
+ALLOW_IP                    127.0.0.2
+USE_HMAC                    Y
+HMAC_DIGEST_TYPE            sha256
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+DIGEST_TYPE                 sha256
+SPA_SERVER_PROTO            udp
+SPA_SERVER_PORT             62201
+SPOOF_USER                  mbrtest
+VERBOSE                     Y
+RESOLVE_IP_HTTP             N
+TIME_OFFSET                 -1s
+ENCRYPTION_MODE             CBC
+USE_GPG                     N
+USE_GPG_AGENT               N
+
+#RAND_PORT
+#SPA_SOURCE_PORT
+#FW_TIMEOUT
+#GPG_RECIPIENT
+#GPG_SIGNER
+#GPG_HOMEDIR
+#GPG_EXE
+#GPG_SIGNING_PW
+#GPG_SIGNING_PW_BASE64
+#GPG_NO_SIGNING_PW
+#SPOOF_SOURCE_IP
+#KEY
+#HMAC_KEY
+#KEY_FILE
+#HMAC_KEY_FILE
+#RESOLVE_URL
+#NAT_ACCESS
+#HTTP_USER_AGENT
+#NAT_LOCAL
+#NAT_RAND_PORT
+#NAT_PORT
--- a/test/afl/test-cases/server-conf.cmin/fwknoprc_hmac_time_offset_days
+++ b/test/afl/test-cases/server-conf.cmin/fwknoprc_hmac_time_offset_days
@ -0,0 +1,18 @@
+[default]
+ACCESS                      tcp/22
+SPA_SERVER                  127.0.0.1
+ALLOW_IP                    127.0.0.2
+USE_HMAC                    Y
+HMAC_DIGEST_TYPE            sha256
+KEY_BASE64                  wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64             Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+DIGEST_TYPE                 sha256
+SPA_SERVER_PROTO            udp
+SPA_SERVER_PORT             62201
+SPOOF_USER                  mbrtest
+VERBOSE                     2
+TIME_OFFSET                 -1D
+ENCRYPTION_MODE             CBC
+USE_GPG                     N
+USE_GPG_AGENT               N
+RESOLVE_IP_HTTP             N
--- a/test/afl/test-cases/server-conf.cmin/fwknoprc_stanza_list
+++ b/test/afl/test-cases/server-conf.cmin/fwknoprc_stanza_list
@ -0,0 +1,8 @@
+[default]
+KEY	testkey
+
+[stanza_1]
+KEY	testkey_1
+
+[stanza_2]
+KEY	testkey_2
--- a/test/afl/test-cases/server-conf.cmin/fwknoprc_with_named_key
+++ b/test/afl/test-cases/server-conf.cmin/fwknoprc_with_named_key
@ -0,0 +1,3 @@
+[default]
+[testssh]
+KEY                 fwknoptest
--- a/test/afl/test-cases/server-conf.cmin/gpg_access.conf
+++ b/test/afl/test-cases/server-conf.cmin/gpg_access.conf
@ -0,0 +1,7 @@
+SOURCE                  ANY
+KEY                     fwknoptest
+FW_ACCESS_TIMEOUT       3
+GPG_HOME_DIR            conf/server-gpg
+GPG_DECRYPT_ID          361BBAD4
+GPG_DECRYPT_PW          fwknoptest
+GPG_REMOTE_ID           6A3FAD56
--- a/test/afl/test-cases/server-conf.cmin/gpg_dirs_orig.tar.gz
+++ b/test/afl/test-cases/server-conf.cmin/gpg_dirs_orig.tar.gz
--- a/test/afl/test-cases/server-conf.cmin/icmp_pcap_filter_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/icmp_pcap_filter_fwknopd.conf
@ -0,0 +1 @@
+PCAP_FILTER         icmp;
--- a/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_3_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_3_fwknopd.conf
@ -0,0 +1 @@
+IPT_INPUT_ACCESS        ACCEPT, ffilter, INPUT, 1, FWKNOP_INPUT_TEST, 1;
--- a/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_4_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_4_fwknopd.conf
@ -0,0 +1 @@
+IPT_INPUT_ACCESS        ACCEPT, filter, IINPUT, 1, FWKNOP_INPUT_TEST, 1;
--- a/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_5_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_5_fwknopd.conf
@ -0,0 +1 @@
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, -1, FWKNOP_INPUT_TEST, 1;
--- a/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/invalid_ipt_input_chain_fwknopd.conf
@ -0,0 +1 @@
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1 FWKNOP_INPUT_TEST, 1;
--- a/test/afl/test-cases/server-conf.cmin/ipt_custom_nat_chain_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/ipt_custom_nat_chain_fwknopd.conf
@ -0,0 +1,5 @@
+ENABLE_IPT_FORWARDING           Y;
+
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT_TEST, 1;
+IPT_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD_TEST, 1;
+IPT_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING_TEST, 1;
--- a/test/afl/test-cases/server-conf.cmin/ipt_no_flush_init_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/ipt_no_flush_init_fwknopd.conf
@ -0,0 +1 @@
+FLUSH_IPT_AT_INIT       N;
--- a/test/afl/test-cases/server-conf.cmin/ipt_output_chain_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/ipt_output_chain_fwknopd.conf
@ -0,0 +1,2 @@
+ENABLE_IPT_OUTPUT       Y;
+IPT_OUTPUT_ACCESS       ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
--- a/test/afl/test-cases/server-conf.cmin/ipt_snat_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/ipt_snat_fwknopd.conf
@ -0,0 +1,3 @@
+ENABLE_IPT_FORWARDING       Y;
+ENABLE_IPT_SNAT             Y;
+SNAT_TRANSLATE_IP           10.1.2.3;
--- a/test/afl/test-cases/server-conf.cmin/ipt_snat_no_translate_ip_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/ipt_snat_no_translate_ip_fwknopd.conf
@ -0,0 +1,2 @@
+ENABLE_IPT_FORWARDING       Y;
+ENABLE_IPT_SNAT             Y;
--- a/test/afl/test-cases/server-conf.cmin/multi_pkts.pcap
+++ b/test/afl/test-cases/server-conf.cmin/multi_pkts.pcap
--- a/test/afl/test-cases/server-conf.cmin/override2_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/override2_fwknopd.conf
@ -0,0 +1,2 @@
+ENABLE_PCAP_PROMISC     N
+PCAP_FILTER             udp port 1234
--- a/test/afl/test-cases/server-conf.cmin/override_no_digest_tracking_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/override_no_digest_tracking_fwknopd.conf
@ -0,0 +1 @@
+ENABLE_DIGEST_PERSISTENCE       N;
--- a/test/afl/test-cases/server-conf.cmin/spa_over_http.pcap
+++ b/test/afl/test-cases/server-conf.cmin/spa_over_http.pcap
--- a/test/afl/test-cases/server-conf.cmin/spa_over_http_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/spa_over_http_fwknopd.conf
@ -0,0 +1 @@
+ENABLE_SPA_OVER_HTTP        Y;
--- a/test/afl/test-cases/server-conf.cmin/spa_replay.pcap
+++ b/test/afl/test-cases/server-conf.cmin/spa_replay.pcap
--- a/test/afl/test-cases/server-conf.cmin/var_expansion_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/var_expansion_fwknopd.conf
@ -0,0 +1,2 @@
+FWKNOP_RUN_DIR              /var/run
+FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/test.pid
--- a/test/afl/test-cases/server-conf.cmin/var_expansion_invalid_fwknopd.conf
+++ b/test/afl/test-cases/server-conf.cmin/var_expansion_invalid_fwknopd.conf
@ -0,0 +1,2 @@
+FWKNOP_RUN_DIR              /var/run
+FWKNOP_PID_FILE             $FWKNOP_INVALID_VAR/test.pid
				`@ -0,0 +1 @@`
				`# default config - no variables set to allow defaults to be preserved`
				`@ -0,0 +1 @@`
				`IPT_INPUT_ACCESS ACCEPT, ffilter, INPUT, 1, FWKNOP_INPUT_TEST, 1;`
				`@ -0,0 +1 @@`
				`IPT_INPUT_ACCESS ACCEPT, filter, IINPUT, 1, FWKNOP_INPUT_TEST, 1;`
				`@ -0,0 +1 @@`
				`IPT_INPUT_ACCESS ACCEPT, filter, INPUT, -1, FWKNOP_INPUT_TEST, 1;`