From ad512ff6e78e6d4c28bc202b9b6ba379389d139f Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Thu, 13 Mar 2014 00:10:22 -0400
Subject: [PATCH] [test suite] added Rijndael+HMAC SPOOF_SRC fwknoprc file test
---
 Makefile.am | 1 +
 client/config_init.c | 8 ++++++
 test/conf/fwknoprc_hmac_spoof_src_base64_key | 6 +++++
 test/test-fwknop.pl | 1 +
 test/tests/rijndael_hmac.pl | 28 ++++++++++++++++++++
 5 files changed, 44 insertions(+)
 create mode 100644 test/conf/fwknoprc_hmac_spoof_src_base64_key
diff --git a/Makefile.am b/Makefile.am
index 17d9b5f7..098f6124 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -196,6 +196,7 @@ EXTRA_DIST = \
 test/conf/multi_pkts.pcap \
 test/conf/fwknoprc_default_hmac_base64_key \
 test/conf/fwknoprc_hmac_nat_rand_base64_key \
+ test/conf/fwknoprc_hmac_spoof_src_base64_key \
 test/conf/fwknoprc_hmac_key2 \
 test/conf/fwknoprc_gpg_hmac_key \
 test/conf/fwknoprc_hmac_equal_keys \
diff --git a/client/config_init.c b/client/config_init.c
index f8b8695a..de8682c3 100644
--- a/client/config_init.c
+++ b/client/config_init.c
@@ -1741,6 +1741,14 @@ validate_options(fko_cli_options_t *options)
 log_msg(LOG_VERBOSITY_ERROR, "Invalid spoof IP");
 exit(EXIT_FAILURE);
 }
+ if(options->spa_proto != FKO_PROTO_TCP_RAW
+ && options->spa_proto != FKO_PROTO_UDP_RAW
+ && options->spa_proto != FKO_PROTO_ICMP)
+ {
+ log_msg(LOG_VERBOSITY_ERROR,
+ "Must set -Q with a spoofed source IP");
+ exit(EXIT_FAILURE);
+ }
 }
 if(options->resolve_ip_http || options->spa_proto == FKO_PROTO_HTTP)
diff --git a/test/conf/fwknoprc_hmac_spoof_src_base64_key b/test/conf/fwknoprc_hmac_spoof_src_base64_key
new file mode 100644
index 00000000..2480807d
--- /dev/null
+++ b/test/conf/fwknoprc_hmac_spoof_src_base64_key
@@ -0,0 +1,6 @@
+[default]
+HMAC_DIGEST_TYPE sha256
+KEY_BASE64 wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+SPOOF_SOURCE_IP 3.3.3.3
+SPA_SERVER_PROTO udpraw
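Review bot: The error text in the check added to `validate_options()` names the wrong option. The branch is reached when a spoofed source IP is already set but `spa_proto` is not `FKO_PROTO_TCP_RAW`, `FKO_PROTO_UDP_RAW` or `FKO_PROTO_ICMP`, and the test command line added in this same commit (`-P udpraw -Q 3.3.3.3`) shows that `-Q` carries the spoof address while `-P` selects the protocol. A user who hits this exit is told to set the flag they already supplied; I would change the string to `"Must set -P <udpraw|tcpraw|icmp> with a spoofed source IP (-Q)");`, and since the same state can come from an rc file, naming `SPA_SERVER_PROTO` there would help as well. The test entries visible in this patch exercise only accepted combinations, so a case that passes `-Q` without a raw `-P` value and expects a failing exit would pin the new check. The body of `validate_options()` starts and ends outside the hunk.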
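Review bot: The new `test/conf/fwknoprc_hmac_spoof_src_base64_key` fixture commits a Rijndael key and an HMAC key with nothing in the file marking them as test-only, which is what secret scanners and people copying an example rc file trip over. I would put a comment line above `[default]` such as `# Test-suite fixture: these keys are public; never reuse them in a deployment.` The spoofed source `3.3.3.3` is a routable public address; the test entries visible in this patch send to `$loopback_ip`, so it should stay local, but a documentation-range address would remove the question if the server-side access configuration (not shown here) does not depend on that value.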
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index 20fa66fd..40750198 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@@ -136,6 +136,7 @@ our %cf = (
 'rc_invalid_b64_key' => "$conf_dir/fwknoprc_invalid_base64_key",
 'rc_hmac_b64_key' => "$conf_dir/fwknoprc_default_hmac_base64_key",
 'rc_hmac_nat_rand_b64_key' => "$conf_dir/fwknoprc_hmac_nat_rand_base64_key",
+ 'rc_hmac_spoof_src_b64_key' => "$conf_dir/fwknoprc_hmac_spoof_src_base64_key",
 'rc_hmac_sha512_b64_key' => "$conf_dir/fwknoprc_hmac_sha512_base64_key",
 'rc_hmac_b64_key2' => "$conf_dir/fwknoprc_hmac_key2",
 'rc_rand_port_hmac_b64_key' => "$conf_dir/fwknoprc_rand_port_hmac_base64_key",
diff --git a/test/tests/rijndael_hmac.pl b/test/tests/rijndael_hmac.pl
index 5b3bd434..f7bd5ffb 100644
--- a/test/tests/rijndael_hmac.pl
+++ b/test/tests/rijndael_hmac.pl
@@ -412,6 +412,34 @@
 'fw_rule_removed' => $NEW_RULE_REMOVED,
 'key_file' => $cf{'rc_hmac_b64_key'},
 },
+ {
+ 'category' => 'Rijndael+HMAC',
+ 'subcategory' => 'client+server',
+ 'detail' => 'spoof src IP 3.3.3.3 (tcp/22)',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopCmd -A tcp/22 -a $fake_ip -P udpraw -Q 3.3.3.3 -D $loopback_ip --rc-file " .
+ "$cf{'rc_hmac_b64_key'} $verbose_str",
+ 'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'key_file' => $cf{'rc_hmac_b64_key'},
+ },
+ {
+ 'category' => 'Rijndael+HMAC',
+ 'subcategory' => 'client+server',
+ 'detail' => 'rc file spoof src IP (tcp/22)',
+ 'function' => \&spa_cycle,
+ 'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+ "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
+ "$cf{'rc_hmac_spoof_src_b64_key'} $verbose_str",
+ 'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'key_file' => $cf{'rc_hmac_spoof_src_b64_key'},
+ },
 {
 'category' => 'Rijndael+HMAC',