[test suite] get hmac iptables duplicated and sha512 long key tests to pass
This commit is contained in:
Michael Rash
parent
378305a8ab
commit
c112cb4811
@ -1152,7 +1152,8 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
|
|||||||
(unsigned char *) options->hmac_key);
|
(unsigned char *) options->hmac_key);
|
||||||
if(*hmac_key_len > MAX_KEY_LEN || *hmac_key_len < 0)
|
if(*hmac_key_len > MAX_KEY_LEN || *hmac_key_len < 0)
|
||||||
{
|
{
|
||||||
fprintf(stderr, "[*] Invalid decoded key length: '%d', must be in [0,%d]",
|
fprintf(stderr,
|
||||||
|
"[*] Invalid decoded key length: '%d', must be in [0,%d]\n",
|
||||||
*hmac_key_len, MAX_KEY_LEN);
|
*hmac_key_len, MAX_KEY_LEN);
|
||||||
clean_exit(ctx, options, EXIT_FAILURE);
|
clean_exit(ctx, options, EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -21,6 +21,7 @@ our $conf_dir = 'conf';
|
|||||||
my $run_dir = 'run';
|
my $run_dir = 'run';
|
||||||
my $cmd_out_tmp = 'cmd.out';
|
my $cmd_out_tmp = 'cmd.out';
|
||||||
my $server_cmd_tmp = 'server_cmd.out';
|
my $server_cmd_tmp = 'server_cmd.out';
|
||||||
|
my $openssl_cmd_tmp = 'openssl_cmd.out';
|
||||||
my $data_tmp = 'data.tmp';
|
my $data_tmp = 'data.tmp';
|
||||||
my $key_tmp = 'key.tmp';
|
my $key_tmp = 'key.tmp';
|
||||||
my $enc_save_tmp = 'openssl_save.enc';
|
my $enc_save_tmp = 'openssl_save.enc';
|
||||||
@ -989,8 +990,7 @@ sub client_send_spa_packet() {
|
|||||||
$rv = 0 unless &file_find_regex([qr/final\spacked/i],
|
$rv = 0 unless &file_find_regex([qr/final\spacked/i],
|
||||||
$MATCH_ALL, $curr_test_file);
|
$MATCH_ALL, $curr_test_file);
|
||||||
|
|
||||||
if ($enable_openssl_compatibility_tests
|
if ($enable_openssl_compatibility_tests) {
|
||||||
and $test_hr->{'detail'} !~ /iptables.*not\sduplicated/) {
|
|
||||||
|
|
||||||
### extract the SPA packet from the cmd tmp file before
|
### extract the SPA packet from the cmd tmp file before
|
||||||
### openssl command execution overwrites it
|
### openssl command execution overwrites it
|
||||||
@ -3916,6 +3916,11 @@ sub client_server_interaction() {
|
|||||||
$server_was_stopped = 0;
|
$server_was_stopped = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
&write_test_file("[.] client_server_interaction() rv: $rv, " .
|
||||||
|
"server_was_stopped: $server_was_stopped, " .
|
||||||
|
"fw_rule_created: $fw_rule_created, fw_rule_removed: $fw_rule_removed\n",
|
||||||
|
$curr_test_file);
|
||||||
|
|
||||||
return ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed);
|
return ($rv, $server_was_stopped, $fw_rule_created, $fw_rule_removed);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4172,7 +4177,7 @@ sub openssl_hmac_verification() {
|
|||||||
|
|
||||||
$openssl_hmac_cmd .= " | $base64_path" if $base64_path;
|
$openssl_hmac_cmd .= " | $base64_path" if $base64_path;
|
||||||
|
|
||||||
unless (&run_cmd($openssl_hmac_cmd, $cmd_out_tmp, $curr_test_file)) {
|
unless (&run_cmd($openssl_hmac_cmd, $openssl_cmd_tmp, $curr_test_file)) {
|
||||||
&write_test_file("[-] Could not run openssl command: '$openssl_hmac_cmd'\n",
|
&write_test_file("[-] Could not run openssl command: '$openssl_hmac_cmd'\n",
|
||||||
$curr_test_file);
|
$curr_test_file);
|
||||||
$openssl_hmac_failure_ctr++;
|
$openssl_hmac_failure_ctr++;
|
||||||
@ -4181,7 +4186,7 @@ sub openssl_hmac_verification() {
|
|||||||
|
|
||||||
### for HMAC SHA512 this output will span two lines
|
### for HMAC SHA512 this output will span two lines
|
||||||
my $openssl_hmac_line = '';
|
my $openssl_hmac_line = '';
|
||||||
open F, "< $cmd_out_tmp" or die $!;
|
open F, "< $openssl_cmd_tmp" or die $!;
|
||||||
while (<F>) {
|
while (<F>) {
|
||||||
$openssl_hmac_line .= $_;
|
$openssl_hmac_line .= $_;
|
||||||
chomp $openssl_hmac_line;
|
chomp $openssl_hmac_line;
|
||||||
@ -4256,7 +4261,7 @@ sub openssl_enc_verification() {
|
|||||||
|
|
||||||
$rv = &run_cmd("$openssl_path enc -d -a -aes-256-cbc " .
|
$rv = &run_cmd("$openssl_path enc -d -a -aes-256-cbc " .
|
||||||
"-pass file:$key_tmp -in $data_tmp",
|
"-pass file:$key_tmp -in $data_tmp",
|
||||||
$cmd_out_tmp, $curr_test_file);
|
$openssl_cmd_tmp, $curr_test_file);
|
||||||
|
|
||||||
if ($rv) {
|
if ($rv) {
|
||||||
if ($rv_flag == $REQUIRE_FAILURE) {
|
if ($rv_flag == $REQUIRE_FAILURE) {
|
||||||
@ -4269,7 +4274,7 @@ sub openssl_enc_verification() {
|
|||||||
### a valid access message
|
### a valid access message
|
||||||
my $decrypted_msg = '';
|
my $decrypted_msg = '';
|
||||||
my $decrypted_access_msg = '';
|
my $decrypted_access_msg = '';
|
||||||
open F, "< $cmd_out_tmp" or die $!;
|
open F, "< $openssl_cmd_tmp" or die $!;
|
||||||
while (<F>) {
|
while (<F>) {
|
||||||
if (/^(?:\S+?\:){5}(\S+?)\:/) {
|
if (/^(?:\S+?\:){5}(\S+?)\:/) {
|
||||||
$decrypted_access_msg = $1;
|
$decrypted_access_msg = $1;
|
||||||
@ -4307,7 +4312,7 @@ sub openssl_enc_verification() {
|
|||||||
my $decrypted_msg = '';
|
my $decrypted_msg = '';
|
||||||
my $decrypted_access_msg = '';
|
my $decrypted_access_msg = '';
|
||||||
my $decoded_msg = '';
|
my $decoded_msg = '';
|
||||||
open F, "< $cmd_out_tmp" or die $!;
|
open F, "< $openssl_cmd_tmp" or die $!;
|
||||||
while (<F>) {
|
while (<F>) {
|
||||||
if (/^(?:\S+?\:){5}(\S+?)\:/) {
|
if (/^(?:\S+?\:){5}(\S+?)\:/) {
|
||||||
$decrypted_access_msg = $1;
|
$decrypted_access_msg = $1;
|
||||||
@ -4344,7 +4349,7 @@ sub openssl_enc_verification() {
|
|||||||
unless (&run_cmd("$openssl_path enc " .
|
unless (&run_cmd("$openssl_path enc " .
|
||||||
"-e -a -aes-256-cbc -pass file:$key_tmp -in " .
|
"-e -a -aes-256-cbc -pass file:$key_tmp -in " .
|
||||||
"$data_tmp -out $enc_save_tmp",
|
"$data_tmp -out $enc_save_tmp",
|
||||||
$cmd_out_tmp, $curr_test_file)) {
|
$openssl_cmd_tmp, $curr_test_file)) {
|
||||||
|
|
||||||
&write_test_file("[-] OpenSSL could not re-encrypt\n",
|
&write_test_file("[-] OpenSSL could not re-encrypt\n",
|
||||||
$curr_test_file);
|
$curr_test_file);
|
||||||
|
|||||||
@ -435,15 +435,13 @@
|
|||||||
'category' => 'Rijndael+HMAC',
|
'category' => 'Rijndael+HMAC',
|
||||||
'subcategory' => 'client+server',
|
'subcategory' => 'client+server',
|
||||||
'detail' => 'complete cycle SHA512 (long key)',
|
'detail' => 'complete cycle SHA512 (long key)',
|
||||||
'function' => \&spa_cycle,
|
'function' => \&generic_exec,
|
||||||
'cmdline' => "$default_client_args_no_get_key --rc-file " .
|
'cmdline' => "$default_client_args_no_get_key --rc-file " .
|
||||||
"$cf{'rc_hmac_sha512_long_key'} --hmac-digest-type sha512",
|
"$cf{'rc_hmac_sha512_long_key'} --hmac-digest-type sha512",
|
||||||
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
|
'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
|
||||||
"$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_sha512_long_key_access'} " .
|
|
||||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
|
||||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
||||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
||||||
'key_file' => $cf{'rc_hmac_sha512_long_key'},
|
'key_file' => $cf{'rc_hmac_sha512_long_key'},
|
||||||
|
'positive_output_matches' => [qr/Invalid\sdecoded\skey\slength/],
|
||||||
|
'exec_err' => $YES,
|
||||||
'fatal' => $NO
|
'fatal' => $NO
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -727,7 +725,7 @@
|
|||||||
'function' => \&iptables_rules_not_duplicated,
|
'function' => \&iptables_rules_not_duplicated,
|
||||||
'cmdline' => "$default_client_hmac_args --test",
|
'cmdline' => "$default_client_hmac_args --test",
|
||||||
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
|
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
|
||||||
"$fwknopdCmd -c $cf{'local_nat'} -a $cf{'hmac_access'} " .
|
"$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_access'} " .
|
||||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||||
'server_negative_output_matches' => [qr/^2\s+ACCEPT\s.*$fake_ip/],
|
'server_negative_output_matches' => [qr/^2\s+ACCEPT\s.*$fake_ip/],
|
||||||
'key_file' => $cf{'rc_hmac_b64_key'},
|
'key_file' => $cf{'rc_hmac_b64_key'},
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user