This commit provides an easy way to control how verbose fwknop command execution will be. For example, fwknopd only calls hex_dump() against SPA packets when --verbose > 2, so invoking the test suite as follows will result in hex_dump() being included in fwknopd output (see the output/1_fwknopd.test file): ./test-fwknop.pl --include "Rijndael.*complete.*22" --test-limit 1 --cmd-verbose "--verbose --verbose --verbose" [+] candidate SPA packet payload: 0x0000: 39 62 72 51 58 75 7a 4b 57 54 53 67 57 56 35 66 9brQXuzKWTSgWV5f 0x0010: 73 63 78 42 35 78 69 51 65 6c 55 4f 53 78 69 45 scxB5xiQelUOSxiE 0x0020: 51 30 59 6a 41 50 70 31 4f 70 43 62 32 51 4a 4c Q0YjAPp1OpCb2QJL 0x0030: 48 34 42 65 68 64 6d 47 35 49 31 50 36 2f 5a 69 H4BehdmG5I1P6/Zi 0x0040: 6a 34 4b 41 62 34 53 68 6a 59 66 4f 71 2b 46 6c j4KAb4ShjYfOq+Fl 0x0050: 4a 35 52 75 70 33 39 6f 6e 65 42 79 72 51 46 57 J5Rup39oneByrQFW 0x0060: 61 38 6c 37 63 48 6e 38 5a 54 36 59 6e 55 56 47 a8l7cHn8ZT6YnUVG 0x0070: 50 36 6e 53 6f 69 30 61 70 72 32 52 39 62 6b 56 P6nSoi0apr2R9bkV 0x0080: 37 50 61 67 41 61 6b 49 44 63 58 59 44 6b 2f 64 7PagAakIDcXYDk/d 0x0090: 67 51 45 61 37 39 32 6f 30 4d 38 6e 30 30 6e 35 gQEa792o0M8n00n5 0x00a0: 55 U
@gpg_no_pw = (
|
|
### no password GPG testing
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'complete cycle (tcp/22 ssh)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => $default_client_gpg_args_no_pw,
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'multi gpg-IDs (tcp/22 ssh)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => $default_client_gpg_args_no_pw,
|
|
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'def'} " .
|
|
"-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
|
|
"-d $default_digest_file -p $default_pid_file",
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'iptables - no flush at init',
|
|
'function' => \&iptables_no_flush_init_exit,
|
|
'cmdline' => $default_client_gpg_args_no_pw,
|
|
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'no_flush_init'} " .
|
|
"-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
|
|
"-d $default_digest_file -p $default_pid_file",
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'iptables - no flush at exit',
|
|
'function' => \&iptables_no_flush_init_exit,
|
|
'cmdline' => $default_client_gpg_args_no_pw,
|
|
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'no_flush_exit'} " .
|
|
"-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
|
|
"-d $default_digest_file -p $default_pid_file",
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'iptables - no flush at init or exit',
|
|
'function' => \&iptables_no_flush_init_exit,
|
|
'cmdline' => $default_client_gpg_args_no_pw,
|
|
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'no_flush_init_or_exit'} " .
|
|
"-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
|
|
"-d $default_digest_file -p $default_pid_file",
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'complete cycle (tcp/23 telnet)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip " .
|
|
"--gpg-no-signing-pw $verbose_str " .
|
|
"--gpg-recipient-key $gpg_server_key " .
|
|
"--gpg-signer-key $gpg_client_key " .
|
|
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'complete cycle (tcp/9418 git)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip " .
|
|
"--gpg-no-signing-pw $verbose_str " .
|
|
"--gpg-recipient-key $gpg_server_key " .
|
|
"--gpg-signer-key $gpg_client_key " .
|
|
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'complete cycle (tcp/60001)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip " .
|
|
"--gpg-no-signing-pw $verbose_str " .
|
|
"--gpg-recipient-key $gpg_server_key " .
|
|
"--gpg-signer-key $gpg_client_key " .
|
|
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'complete cycle (udp/53 dns)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip " .
|
|
"--gpg-no-signing-pw $verbose_str " .
|
|
"--gpg-recipient-key $gpg_server_key " .
|
|
"--gpg-signer-key $gpg_client_key " .
|
|
"--gpg-home-dir $gpg_client_home_dir_no_pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
|
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
|
},
|
|
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'replay attack detection',
|
|
'function' => \&replay_detection,
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'server_positive_output_matches' => [qr/Replay\sdetected\sfrom\ssource\sIP/],
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'detect replay (Rijndael prefix)',
|
|
'function' => \&replay_detection,
|
|
'pkt_prefix' => 'U2FsdGVkX1',
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
|
'server_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'detect replay (GnuPG prefix)',
|
|
'function' => \&replay_detection,
|
|
'pkt_prefix' => 'hQ',
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => "$fwknopdCmd $default_server_conf_args $intf_str",
|
|
'server_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
|
|
},
|
|
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'non-base64 altered SPA data',
|
|
'function' => \&altered_non_base64_spa_data,
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'base64 altered SPA data',
|
|
'function' => \&altered_base64_spa_data,
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'appended data to SPA pkt',
|
|
'function' => \&appended_spa_data,
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'prepended data to SPA pkt',
|
|
'function' => \&prepended_spa_data,
|
|
'cmdline' => "$default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
},
|
|
{
|
|
'category' => 'GPG (no pw)',
|
|
'subcategory' => 'client+server',
|
|
'detail' => 'spoof username (tcp/22 ssh)',
|
|
'function' => \&spa_cycle,
|
|
'cmdline' => "SPOOF_USER=$spoof_user $default_client_gpg_args_no_homedir "
|
|
. "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
|
|
'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
|
|
'positive_output_matches' => [qr/Username:\s*$spoof_user/],
|
|
'server_positive_output_matches' => [qr/Username:\s*$spoof_user/],
|
|
},
|
|
);
|
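Review bot: The inline `fwknopd_cmdline` strings for the 'multi gpg-IDs (tcp/22 ssh)' entry and the three 'iptables - no flush ...' entries omit `$verbose_str`, while the inline client `cmdline` strings for the tcp/23, tcp/9418, tcp/60001 and udp/53 cycles include it; if `$verbose_str` is how `--cmd-verbose` reaches the spawned commands, as the description suggests, the hex_dump() output it advertises will not appear for those four fwknopd runs. The two 'detect replay' entries build the server command from `$default_server_conf_args`, which is defined outside this section, so whether they inherit the setting cannot be told from here. A consistent fix is to append it to each inline server string, e.g. `"-d $default_digest_file -p $default_pid_file $verbose_str",`, or to fold it into `$default_server_conf_args` so every entry picks it up from one place.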