### Rijndael+HMAC test table.  Every entry below carries the same
### category and non-fatal flag, so those two keys live in
### %hmac_entry_defaults and are merged into each hash; the fwknopd side
### of each cycle differs only in the access file it is pointed at, so it
### is produced by $hmac_fwknopd_cmd.  The 'cmdline' / 'fwknopd_cmdline'
### values are complete shell command lines (note the LD_LIBRARY_PATH=
### prefix), so everything interpolated into them -- the %cf paths, the
### temp files, $valgrind_str -- is presumably harness-controlled input;
### confirm in the harness if any of these ever comes from the outside.
my %hmac_entry_defaults = (
    category => 'Rijndael+HMAC',
    fatal    => $NO,
);

### Common head (library path, optional valgrind wrapper, daemon binary)
### and tail (digest cache, pid file, interface) of every fwknopd
### invocation in this table.
my $hmac_fwknopd_prefix = "LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd";
my $hmac_fwknopd_suffix = "-d $default_digest_file -p $default_pid_file $intf_str";

### Build the fwknopd command line for the access file stored under
### $cf{$access_key}.  $extra_args, when given, is appended after the
### interface string.
my $hmac_fwknopd_cmd = sub {
    my ($access_key, $extra_args) = @_;
    my $cmd = "$hmac_fwknopd_prefix -c $cf{'def'} -a $cf{$access_key} $hmac_fwknopd_suffix";
    $cmd .= " $extra_args" if defined $extra_args;
    return $cmd;
};

### Client-only fwknop invocations that do not go through
### $default_client_hmac_args.
my $hmac_last_cmd_cmdline =
    "LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopCmd --last-cmd --save-args-file $tmp_args_file --verbose --verbose";
my $hmac_dual_key_cmdline =
    "LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --rc-file $cf{'rc_hmac_b64_key'} --verbose --verbose";

@rijndael_hmac = (
    ### --- argument / rc-file / access-file validation ----------------
    {
        %hmac_entry_defaults,
        subcategory => 'client',
        detail      => 'rc file HMAC base64 key (tcp/22 ssh)',
        function    => \&generic_exec,
        cmdline     => $default_client_hmac_args,
        key_file    => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory => 'client',
        detail      => 'validate HMAC type arg',
        function    => \&generic_exec,
        cmdline     => "$default_client_hmac_args --hmac-digest-type invalid",
        positive_output_matches => [qr/Invalid\shmac\sdigest\stype/i],
        exec_err    => $YES,
    },
    {
        %hmac_entry_defaults,
        subcategory => 'client',
        detail      => 'rc file invalid HMAC type arg',
        function    => \&generic_exec,
        cmdline     => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_invalid_type'}",
        positive_output_matches => [qr/must\sbe\sone\sof/i],
        exec_err    => $YES,
    },
    {
        %hmac_entry_defaults,
        subcategory => 'server',
        detail      => 'access file invalid HMAC type arg',
        function    => \&generic_exec,
        cmdline     => $hmac_fwknopd_cmd->('hmac_invalid_type_access'),
        positive_output_matches => [qr/must\sbe\sone\sof/i],
        exec_err    => $YES,
    },

    ### --- full SPA cycles with the default digest --------------------
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => $default_client_hmac_args,
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle simple keys',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_simple_key'}",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_simple_keys_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_simple_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'rotate digest file',
        function        => \&rotate_digest_file,
        cmdline         => $default_client_hmac_args,
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_access', '--rotate-digest-cache'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },

    ### --- client-side save / replay helpers ---------------------------
    {
        %hmac_entry_defaults,
        subcategory => 'client',
        detail      => "--save-packet $tmp_pkt_file",
        function    => \&client_save_spa_pkt,
        cmdline     => "$default_client_hmac_args --save-args-file $tmp_args_file --save-packet $tmp_pkt_file",
        key_file    => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory => 'client',
        detail      => "--last-cmd",
        function    => \&generic_exec,
        cmdline     => $hmac_last_cmd_cmdline,
    },

    ### --- server-side checks on the default HMAC configuration --------
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'permissions check cycle (tcp/22)',
        function        => \&permissions_check,
        cmdline         => $default_client_hmac_args,
        fwknopd_cmdline => "$hmac_fwknopd_prefix $default_server_hmac_conf_args $intf_str",
        server_positive_output_matches => [qr/permissions\sshould\sonly\sbe\suser/],
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'client IP resolve (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => $client_ip_resolve_hmac_args,
        no_ip_check     => 1,
        fwknopd_cmdline => "$hmac_fwknopd_prefix $default_server_hmac_conf_args $intf_str",
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },

    ### --- per-digest cycles: one default-key run plus short/long key
    ### variants for md5, sha1, sha256 and sha384; sha512 has a default
    ### and a short-key run only.  Client and server must agree on the
    ### digest type, so each pair passes the matching --hmac-digest-type
    ### and access file.
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle MD5 (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_md5_key'} --hmac-digest-type md5",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_md5_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_md5_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle MD5 (short key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_md5_short_key'} --hmac-digest-type md5",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_md5_short_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_md5_short_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle MD5 (long key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_md5_long_key'} --hmac-digest-type md5",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_md5_long_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_md5_long_key'},
    },

    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA1 (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_hmac_args --hmac-digest-type sha1",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha1_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA1 (short key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha1_short_key'} --hmac-digest-type sha1",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha1_short_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha1_short_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA1 (long key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha1_long_key'} --hmac-digest-type sha1",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha1_long_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha1_long_key'},
    },

    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA256 (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_hmac_args --hmac-digest-type sha256",
        fwknopd_cmdline => "$hmac_fwknopd_prefix $default_server_hmac_conf_args $intf_str",
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA256 (short key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha256_short_key'} --hmac-digest-type sha256",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha256_short_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha256_short_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA256 (long key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha256_long_key'} --hmac-digest-type sha256",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha256_long_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha256_long_key'},
    },

    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA384 (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_hmac_args --hmac-digest-type sha384",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha384_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA384 (short key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha384_short_key'} --hmac-digest-type sha384",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha384_short_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha384_short_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA384 (long key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha384_long_key'} --hmac-digest-type sha384",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha384_long_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha384_long_key'},
    },

    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA512 (tcp/22 ssh)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha512_key'} --hmac-digest-type sha512",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha512_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha512_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'complete cycle SHA512 (short key)',
        function        => \&spa_cycle,
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_sha512_short_key'} --hmac-digest-type sha512",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_sha512_short_key_access'),
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_sha512_short_key'},
    },

    ### --- negative digest-type check; unlike the 'validate HMAC type
    ### arg' entry above this one pins "no rule created" instead of an
    ### exec error.
    {
        %hmac_entry_defaults,
        subcategory     => 'client',
        detail          => 'validate digest type arg',
        function        => \&generic_exec,
        cmdline         => "$default_client_hmac_args --hmac-digest-type invaliddigest",
        positive_output_matches => [qr/Invalid\shmac\sdigest\stype/i],
        fw_rule_created => $REQUIRE_NO_NEW_RULE,
        key_file        => $cf{'rc_hmac_b64_key'},
    },

    ### --- multi-stanza access file -------------------------------------
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'dual usage access key (tcp/80 http)',
        function        => \&spa_cycle,
        cmdline         => $hmac_dual_key_cmdline,
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_dual_key_access'),
        ### check for the first stanza that does not allow tcp/80 - the
        ### second stanza allows this
        server_positive_output_matches => [qr/stanza #1\)\sOne\sor\smore\srequested\sprotocol\/ports\swas\sdenied/],
        fw_rule_created => $NEW_RULE_REQUIRED,
        fw_rule_removed => $NEW_RULE_REMOVED,
        key_file        => $cf{'rc_hmac_b64_key'},
    },

    ### --- tamper cases: the harness functions named here presumably
    ### corrupt the HMAC itself / the SPA payload before delivery so
    ### that fwknopd has to reject the packet (their bodies live
    ### elsewhere -- confirm what each one asserts there).  Note that
    ### neither entry sets fw_rule_created/fw_rule_removed.
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'altered HMAC (tcp/22 ssh)',
        function        => \&altered_hmac_spa_data, ### alter HMAC itself
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_b64_key'}",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_access'),
        key_file        => $cf{'rc_hmac_b64_key'},
    },
    {
        %hmac_entry_defaults,
        subcategory     => 'client+server',
        detail          => 'altered pkt HMAC (tcp/22 ssh)',
        function        => \&altered_pkt_hmac_spa_data, ### alter SPA payload
        cmdline         => "$default_client_args_no_get_key --rc-file $cf{'rc_hmac_b64_key'}",
        fwknopd_cmdline => $hmac_fwknopd_cmd->('hmac_access'),
        key_file        => $cf{'rc_hmac_b64_key'},
    },
);