Commit Graph

1672 Commits

Author SHA1 Message Date
Michael Rash
fed2da3bb0 [test suite] additional valgrind suppression for pcap-file processing 2014-07-03 08:52:48 -04:00
Michael Rash
43b770320a [server] Require sig ID's or fingerprints when sigs are validated
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
2014-06-30 11:52:42 -04:00
Michael Rash
77384a904e [server] add access.conf variable GPG_FINGERPRINT_ID
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the appreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is

GPG_FINGERPRINT_ID            00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
2014-06-30 11:11:09 -04:00
Michael Rash
11b9732c16 [server] Call clean_exit() from daemon parent process
When becoming a daemon, make sure the fwknopd parent process calls
clean_exit() to release memory before calling exit().
2014-06-30 10:09:39 -04:00
Michael Rash
e41e0f5aaf [test suite] added iptables OUTPUT chain test 2014-06-24 22:54:27 -04:00
Michael Rash
a4615a76b5 [test suite] add Rjindael HMAC --no-ipt-check-support test for udp/53 2014-06-24 18:21:46 -04:00
Michael Rash
125f99aa3b [test suite] updated --gdb mode to run the first found fwknop command from an output/*.test file 2014-06-24 17:50:50 -04:00
Michael Rash
e0001e4a5d [server] call clean_exit() on expand_acc_string_list() error 2014-06-24 17:00:30 -04:00
Michael Rash
189d0ea0bc [server] call clean_exit() on add_acc_string() error 2014-06-24 07:39:06 -04:00
Michael Rash
ff65274e28 [server] make sure clean_exit() is called on any add_acc_b64_string() errs 2014-06-20 17:26:08 -04:00
Michael Rash
fd0805c57a [server] minor memory leak fix for invalid FORCE_NAT var in access.conf
This commit fixes the following leak found by valgrind:

==6241== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==6241==    at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6241==    by 0x551537A: __fopen_internal (iofopen.c:73)
==6241==    by 0x118C8E: parse_access_file (access.c:1143)
==6241==    by 0x10F134: main (fwknopd.c:250)
2014-06-20 16:47:44 -04:00
Michael Rash
74440be653 [server] minor pointer typo fix 2014-06-16 23:08:50 -04:00
Michael Rash
3557158620 [test suite] add valgrind suppressions for libfiu 2014-06-16 17:14:52 -04:00
Michael Rash
389e55ddfc [test suite] consolidate valgrind success/failure criteria into a single function 2014-06-16 17:13:54 -04:00
Michael Rash
55a03f3392 [test suite] added suppressions to fko-wrapper/run_valgrind.sh 2014-06-16 17:12:59 -04:00
Michael Rash
4878607254 [libfko] removed fko_new_strdup() fault injection tag since fko_destroy() isn't called 2014-06-16 17:11:52 -04:00
Michael Rash
054793fd9e [server] check fiu_enable() return value in --fault-injection mode 2014-06-15 09:48:37 -04:00
Michael Rash
34f7ebd082 [test suite] added strtol_wrapper() fault injection tags 2014-06-15 09:41:43 -04:00
Michael Rash
42a20616b4 [libfko] additional fault injection additions with test suite support 2014-06-14 21:27:18 -04:00
Michael Rash
c00a3e7b26 [test suite] additional fault injection tests 2014-06-12 20:29:54 -04:00
Michael Rash
13ca6261b3 [test suite] minor update to not parse crash messages out of crash test output file 2014-06-12 20:29:24 -04:00
Michael Rash
06ce514111 [test suite] add several fault injection tests 2014-06-12 00:02:18 -04:00
Michael Rash
d8b2ae370a [test suite] always run crash check at the end of test run 2014-06-12 00:01:58 -04:00
Michael Rash
e02750e666 [server] skip firewall rules check in --test mode 2014-06-12 00:01:12 -04:00
Michael Rash
410624a858 [libfko] free() temp buffer right after strdup() call, add libfiu fault injection tags 2014-06-12 00:00:40 -04:00
Michael Rash
816962982f [server] clean up fko_destroy() calls in main access stanza loop 2014-06-11 23:59:08 -04:00
Michael Rash
b8ad48eaa9 [test suite] added fiu-run fault injection tests against the fwknopd server 2014-06-10 09:34:48 -04:00
Michael Rash
8d31de7295 [server] skip replay storage in --test mode (since we're not granting access anyway) 2014-06-10 09:32:17 -04:00
Michael Rash
70f70091b1 [server] skip fw initialization and cleanup in --test mode 2014-06-10 09:21:01 -04:00
Michael Rash
4ab677cfe0 [server] minor fwknopd --help output update 2014-06-09 20:40:44 -04:00
Michael Rash
ffde9c3f1a [libfko] bug fix to check strdup() return value
Using the 'fiu-run' fault injection binary, a couple of cases were
turned up with libfko does not properly check the strdup() return value.
This commit fixes these issues, and here is an illustration of the stack
trace for one such issue:

  Core was generated by `../client/.libs/fwknop -A tcp/22 -a 127.0.0.2 -D
  127.0.0.1 --get-key local_spa.'.
  Program terminated with signal 11, Segmentation fault.
  #0  __strnlen_sse2 () at ../sysdeps/x86_64/multiarch/../strnlen.S:34
  34      ../sysdeps/x86_64/multiarch/../strnlen.S: No such file or directory.
  (gdb) where
  #0  __strnlen_sse2 () at ../sysdeps/x86_64/multiarch/../strnlen.S:34
  #1  0x00007effa38189bc in _rijndael_encrypt (enc_key_len=<optimized out>, enc_key=<optimized out>, ctx=0x7effa5945750) at fko_encryption.c:141
  #2  fko_encrypt_spa_data (ctx=0x7effa5945750, enc_key=<optimized out>, enc_key_len=<optimized out>) at fko_encryption.c:605
  #3  0x00007effa381a2d6 in fko_spa_data_final (ctx=0x7effa5945750, enc_key=enc_key@entry=0x7fff3ff4aa10 "fwknoptest", enc_key_len=<optimized out>, hmac_key=hmac_key@entry=0x7fff3ff4aaa0 "", hmac_key_len=0) at fko_funcs.c:489
  #4  0x00007effa405f2fb in main (argc=<optimized out>, argv=<optimized out>) at fwknop.c:449
2014-06-08 23:09:55 -04:00
Michael Rash
989d48b7e9 [test suite] make valgrind suppressions slightly more perscriptive 2014-06-08 20:22:19 -04:00
Michael Rash
7fb2f292bc [test suite] in valgrind mode, make tests fail whenever there are 'definitely' or 'indirectly' lost bytes in memory 2014-06-08 20:20:19 -04:00
Michael Rash
53a1e1bc00 [client] minor bug fix for condition under which fiu_* functions are called for fault injection 2014-06-08 20:19:03 -04:00
Michael Rash
82b05b9530 [libfko] fko_new() bug fix to not leak memory under fko_set_... error conditions
This commit changes how fko_new() deals with FKO context initialization
to not set ctx->initval back to zero (uninitialized) imediately after
calling each fko_set_... function and before checking the fko_set_... return
value.  The reason for this change is that fko_destroy() checks for
context initialization via ctx->initval before calling free() against
any heap allocated context member. So, if fko_set_... returns an error,
fko_destroy() (previous to this commit) would have no opportunity to
free such members.

This bug was found with fault injection testing provided by libfiu
together with valgrind. Specifically the following test suite command
exposes the problem (from the test/ directory):

./test-fwknop.pl --enable-complete --include "fault injection.*libfko"

In the resulting output/2.test file valgrind reports the following:

==27941== LEAK SUMMARY:
==27941==    definitely lost: 264 bytes in 1 blocks
==27941==    indirectly lost: 28 bytes in 3 blocks
==27941==      possibly lost: 0 bytes in 0 blocks
==27941==    still reachable: 1,099 bytes in 12 blocks
==27941==         suppressed: 0 bytes in 0 blocks

After this commit is applied, this changes to:

==7137== LEAK SUMMARY:
==7137==    definitely lost: 0 bytes in 0 blocks
==7137==    indirectly lost: 0 bytes in 0 blocks
==7137==      possibly lost: 0 bytes in 0 blocks
==7137==    still reachable: 1,099 bytes in 12 blocks
==7137==         suppressed: 0 bytes in 0 blocks

Note that 'definitely lost' in valgrind output means there is a real
memory leak that needs to be fixed whereas 'still reachable' is most
likely not a real problem according to:

http://valgrind.org/docs/manual/faq.html#faq.deflost
2014-06-06 21:28:28 -04:00
Michael Rash
dfeecf5c29 [test suite] additional fix for duplicate fault injection tags 2014-06-06 10:31:07 -04:00
Michael Rash
1b4d7f5b19 [test suite] minor fix for duplicate fault injection tags 2014-06-06 10:25:33 -04:00
Michael Rash
6d1d66fe03 add --fault-injection-tag support to the client/server/libfko
This is a significant commit to add the ability to leverage libfko fault
injections from both the fwknop client and server command lines via a
new option '--fault-injection-tag <tag name>'.  This option is used by
the test suite with the tests/fault_injection.pl tests.
2014-06-05 23:05:49 -04:00
Michael Rash
6a0af8ed8e [test suite] added coverage_diff.py
This commit adds support for diff'ing before and after gcov/lcov results
to see when new function/line coverage is added by the test suite.  Here
is an example of its output:

Sun Jun  1 22:28:00 2014 CMD: ./coverage_diff.py
[+] Coverage: /home/mbr/git/fwknop.git/server/config_init.c
[+] new 'fcns' coverage: usage()
[+] new 'lines' coverage: 1015
[+] new 'lines' coverage: 1017
[+] new 'lines' coverage: 1019
[+] new 'lines' coverage: 1059
[+] new 'lines' coverage: 979
[+] Coverage: /home/mbr/git/fwknop.git/server/fw_util_iptables.c
[+] new 'lines' coverage: 560
[+] new 'lines' coverage: 561
2014-06-01 22:30:54 -04:00
Michael Rash
040b7b10a0 [test suite] add shell escape for /usr/include/* wildcard on lcov command line 2014-05-26 23:15:09 -04:00
Michael Rash
2e150d47a7 restore trustdb.gpg files 2014-05-26 23:06:14 -04:00
Michael Rash
2697bd260c [test suite] fix LD_LIBRARY_PATH for fiu-run execution against fko-wrapper binaries 2014-05-26 22:53:44 -04:00
Michael Rash
ed58dcb635 Revert "add gcc '-pg' flag in --enable-profile-coverage mode"
This reverts commit bbe5626566 because -pg
is needed for gprof, not gcov, and valgrind is incompatible with -pg.
2014-05-26 21:28:19 -04:00
Michael Rash
ddaf0134d6 use fiu.h instead of fiu-local.h 2014-05-26 15:54:12 -04:00
Michael Rash
e893ecad21 [test suite] added first test to run fwknop client underneath fiu-run for libc fault injection 2014-05-26 15:09:02 -04:00
Michael Rash
a1f1e4b328 [test suite] in --enable-fuzzing-interfaces mode create fko-wrapper/send_spa_payloads file if it does exist 2014-05-26 14:18:27 -04:00
Michael Rash
237602114f [test suite] minor fko_wrapper comment update 2014-05-26 08:40:26 -04:00
Michael Rash
15aff82980 client/server added libfiu header files in --enable-libfiu-support mode 2014-05-26 08:39:44 -04:00
Michael Rash
55ae7d5095 [test suite] auto-generate fko-wrapper/fuzz_spa_payload file with spa_fuzzing.py if necessary in --enable-complete/--enable-fuzzing-interfaces mode 2014-05-25 22:10:43 -04:00
Michael Rash
23e8dcfddd [test suite] added configure_max_coverage.sh for --enable-complete mode 2014-05-25 16:23:40 -04:00