Michael Rash
873b06b422
[test suite] added portrange bpf filter test
2014-02-07 07:49:50 -05:00
Michael Rash
63a829803e
[test suite] added --client-only mode for the test suite
2014-01-17 09:19:13 -05:00
Michael Rash
a347be354d
merged android4.4_support branch
2014-01-10 22:46:54 -05:00
Michael Rash
283c72e463
[test suite] run fko-wrapper without valgrind, closes #113
2013-12-29 19:59:16 -05:00
Michael Rash
509dcf93dd
[android] added HMAC test along with non-legacy Rijndael test
2013-12-23 23:15:11 -05:00
Michael Rash
aeed8323f7
[test suite] multi-packet pcap test for pcap_dispatch() validation
...
This commit adds a new pcap file to the test suite with an SPA packet after
99 other garbage packets. This can be used for pcap_dispatch() testing,
though this is not meant to be super intensive - it is just to ensure that
if a PCAP_DISPATCH_COUNT of, say, 10 is selected that the SPA is still seen
by fwknopd. This commit is in support of #110.
2013-12-10 21:56:20 -06:00
Michael Rash
46b5f2ecaf
[server] added the ability to use FORCE_MASQUERADE to access.conf stanzas
2013-12-05 23:00:19 -05:00
Michael Rash
e0114e60c2
[server] Added FORCE_SNAT to access.conf stanzas.
...
Added FORCE_SNAT to the access.conf file so that per-access stanza SNAT
criteria can be specified for SPA access.
2013-12-04 21:52:07 -05:00
Michael Rash
d7aa820e33
[server] Bug fix for SPA NAT modes on iptables firewalls for chain re-creation
...
For SPA NAT modes this commit ensures that custom fwknop chains are re-created
if they get deleted out from under the running fwknopd instance.
2013-12-03 21:42:23 -05:00
Michael Rash
bd73ceb5bd
[test suite] added FreeBSD-9.2 and OpenBSD-5.4 compatibility tests
2013-11-27 21:58:13 -05:00
Michael Rash
c382febf3d
[client] use libfko is_valid_ipv4_addr() for IP address validation
2013-11-26 23:48:56 -05:00
Michael Rash
6dd5ab8e35
[test suite] added --cmd-verbose to control fwknop command verbosity levels
...
This commit provides an easy way to control how verbose fwknop command
execution will be. For example, fwknopd only calls hex_dump() against
SPA packets when --verbose > 2, so invoking the test suite as follows
will result in hex_dump() being included in fwknopd output (see the
output/1_fwknopd.test file):
./test-fwknop.pl --include "Rijndael.*complete.*22" --test-limit 1 --cmd-verbose "--verbose --verbose --verbose"
[+] candidate SPA packet payload:
0x0000: 39 62 72 51 58 75 7a 4b 57 54 53 67 57 56 35 66 9brQXuzKWTSgWV5f
0x0010: 73 63 78 42 35 78 69 51 65 6c 55 4f 53 78 69 45 scxB5xiQelUOSxiE
0x0020: 51 30 59 6a 41 50 70 31 4f 70 43 62 32 51 4a 4c Q0YjAPp1OpCb2QJL
0x0030: 48 34 42 65 68 64 6d 47 35 49 31 50 36 2f 5a 69 H4BehdmG5I1P6/Zi
0x0040: 6a 34 4b 41 62 34 53 68 6a 59 66 4f 71 2b 46 6c j4KAb4ShjYfOq+Fl
0x0050: 4a 35 52 75 70 33 39 6f 6e 65 42 79 72 51 46 57 J5Rup39oneByrQFW
0x0060: 61 38 6c 37 63 48 6e 38 5a 54 36 59 6e 55 56 47 a8l7cHn8ZT6YnUVG
0x0070: 50 36 6e 53 6f 69 30 61 70 72 32 52 39 62 6b 56 P6nSoi0apr2R9bkV
0x0080: 37 50 61 67 41 61 6b 49 44 63 58 59 44 6b 2f 64 7PagAakIDcXYDk/d
0x0090: 67 51 45 61 37 39 32 6f 30 4d 38 6e 30 30 6e 35 gQEa792o0M8n00n5
0x00a0: 55 U
2013-11-22 23:00:20 -05:00
Michael Rash
28a915c8c8
[test suite] added short and long IP tests (1.1.1.1 and 123.123.123.123)
2013-11-20 23:10:36 -05:00
Michael Rash
8cb5653d5e
[test suite] minor update for SNAT tests to not restrict --fw-list search to 127.0.0.2
2013-11-18 22:22:02 -05:00
Michael Rash
a9cc97cd2a
[test suite] added tests/code_structure.pl with a test for expected lib/fko.h error code fko_errstr() handling
2013-11-16 23:22:25 -05:00
Michael Rash
cb2fc3abbe
[test suite] handle LD_LIBRARY_PATH from the main test-fwknop.pl script
2013-11-14 22:47:13 -05:00
Michael Rash
a6f030412f
[test suite] added Rijndael/HMAC compatibility tests for Mac OS X 10.9
2013-11-14 10:37:36 -05:00
Michael Rash
6870e65800
[test suite] minor cleanup to remove unnecessary 'fatal' test hash keys
2013-11-14 10:24:58 -05:00
Michael Rash
a98317d367
[test suite] minor negative output match addition for Test::Valgrind test
2013-10-27 15:08:01 -04:00
Michael Rash
55bceaddc8
[test suite] minor wording update for Test::Valgrind test
2013-10-22 23:05:36 -04:00
Michael Rash
e77a02882e
[test suite] Add support for Test::Valgrind against the perl FKO module
...
When --enable-valgrind is used, this commit adds support for running the
perl FKO built-in tests (in the t/ directory) under the CPAN
Test::Valgrind module. A check is performed to see whether
Test::Valgrind is installed before attempting to use it. Any 'fko_'
function that shows up under the test output is flagged and causes the
test-suite test to fail.
2013-10-22 14:11:23 -04:00
Michael Rash
c271f01d00
[test suite] added 'make test' check for FKO perl module
...
All built-in tests in the FKO module must pass for this new test to pass. This commit
is in support of #103
2013-08-17 23:51:31 -04:00
Michael Rash
be2bb71c74
[test suite] minor bug fix for GPG no password HMAC test rc file
2013-08-10 21:03:07 -04:00
Michael Rash
c04efc20dd
[test suite] added Rijndael HMAC digest mismatch tests
2013-08-10 15:45:51 -04:00
Michael Rash
dfc2a06547
[test suite] added Rijndael HMAC + RAND_PORT test
2013-08-10 14:27:10 -04:00
Michael Rash
4775327d98
[test suite] added two GnuPG HMAC SHA512 tests
2013-08-10 13:54:03 -04:00
Michael Rash
05e7d52a5f
[client] merged --stanza-list changes from Franck, closes #94
2013-08-08 20:54:07 -04:00
Michael Rash
8c73c7801b
[server] send IPT_*_ACCESS vars through basic validation at fwknopd.conf parse time
2013-08-05 00:00:45 -04:00
Michael Rash
131c643cad
[server] make IPT_INPUT_ACCESS validation more strict on allowed chars
2013-08-04 23:20:53 -04:00
Michael Rash
870a08c9f5
[test suite] added invalid IPT input chain specification tests
2013-08-04 21:22:35 -04:00
Michael Rash
433b18501c
[test suite] additional non-HMAC SNAT tests
2013-08-04 04:51:39 -04:00
Michael Rash
2f7a3f0a8a
[test suite] SNAT MASQUERADE test
2013-08-03 20:52:27 -04:00
Michael Rash
0200169dfd
[test suite] started on SNAT tests
2013-08-03 13:36:32 -04:00
Franck Joncourt
836921a9ea
* Added new test to validate --stanza-list
2013-07-30 22:54:10 +02:00
Michael Rash
694fb39a85
[test suite] Bug fix to not run an iptables Rijndael HMAC test on non-Linux systems
2013-07-25 20:33:19 -04:00
Michael Rash
dac75c0242
[server] restore backwards compatibility for Rijndael keys > 16 bytes in legacy mode by truncating (upgrading recommended of course)
2013-07-14 15:37:24 -04:00
Michael Rash
44aefd1177
[test suite] bug fix to ensure multiple SPA packets are sent for iptables duplicated rules tests
2013-07-13 23:22:58 -04:00
Michael Rash
13626a2a74
[test suite] added tests for KEY synonym GPG_SIGNING_PW
2013-06-19 23:41:37 -04:00
Michael Rash
13173343ee
[client] add GPG_ALLOW_NO_SIGNING_PW and --gpg-no-signing-pw
...
This change brings similar functionality to the client as the GPG_ALLOW_NO_PW
keyword in the server access.conf file. Although this option is less likely
to be used than the analogous server functionality, it stands to reason that
the client should offer this feature. The test suite has also been updated to
not use the --get-key option for the 'no password' GPG tests.
2013-06-18 22:51:22 -04:00
Michael Rash
b0c9ed52ba
[test suite] bug fix for proper replay attack regex searching of test output, added several replay attack tests
2013-06-15 21:20:39 -04:00
Michael Rash
fc8a74131b
[test suite] minor OS compatibility test re-order
2013-06-12 23:10:19 -04:00
Michael Rash
12eab497c2
[test suite] added a few OS compatibility tests
2013-06-11 22:01:23 -04:00
Michael Rash
ef8aa2e471
[test suite] minor bug fix to add 'iptables' to custom chain test titles
2013-06-10 22:38:55 -04:00
Michael Rash
f9df2f6eca
[test suite] additional --save-rc-stanza tests for vars not printed in fwknop client decode output
2013-06-10 21:18:37 -04:00
Michael Rash
0c19e5170a
[test suite] added backwards compatibility tests with a dual usage key in access.conf
2013-06-10 21:16:33 -04:00
Michael Rash
88e1e0e099
[test suite] added tests for setting gpg recipient, signer, and homedir via the client rc file
2013-06-09 15:27:19 -04:00
Michael Rash
7a1bdea514
[server] fix 'Use of untrusted string value' bug found by Coverity
...
This commit changes iptables policy parsing to re-use rule_exists() for fwknop
jump rule detection instead of using sscanf() against iptables policy list
output. Also, fwknop jump rules are now deleted from iptables policies in a
loop to ensure all are removed even if there are duplicates (even though this
should not happen under normal circumstances anyway).
2013-06-09 14:28:17 -04:00
Michael Rash
66399fed1a
Merge remote-tracking branch 'fjoncourt/master'
...
Closes #74 - allows a passphrase to be read from STDIN or from a file descriptor
via --fd.
2013-06-02 22:54:23 -04:00
Michael Rash
164888e075
[test suite] added backwards compatibility test for truncated keys longer > 16 chars
2013-06-02 21:19:19 -04:00
Franck Joncourt
583e1e02c7
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
client/config_init.c
2013-06-02 21:54:25 +02:00