Changeset 1260

Timestamp:

09/28/08 22:02:10 (2 months ago)

Author:

mbr

Message:

(Test suite) Added tests for GnuPG version 2 (a check is made to see if
it is installed before these tests are run).

Files:

• fwknop/trunk/ChangeLog (modified) (1 diff)
• fwknop/trunk/fwknopd (modified) (6 diffs)
• fwknop/trunk/test/conf/gpg2_access.conf (added)
• fwknop/trunk/test/conf/gpg2_fwknop.conf (added)
• fwknop/trunk/test/fwknop_test.pl (modified) (6 diffs)

fwknop/trunk/ChangeLog

@@ -50 +50 @@
-    - (Test suite) Added tests for GPG_NO_REQUIRE_PREFIX functionality and for
-      the expected GnuPG prefix.
+    - (Test suite) Added tests for GnuPG version 2 (a check is made to see if
+      it is installed before these tests are run).
-
-fwknop-1.9.7 (08/24/2008):

fwknop/trunk/fwknopd

@@ -3478 +3478 @@
-                } elsif ($line =~ /^\s*GPG_REMOTE_ID:\s*(.*)\s*;/) {
-                    unless ($imported_gpg) {
-                        &check_commands({'gpg' => ''}, {});
-                        require GnuPG::Interface;
-                        print STDERR "[+] GnuPG::Interface::VERSION ",
@@ -3490 +3489 @@
-                } elsif ($line =~ /^\s*GPG_DECRYPT_ID:\s*(.*)\s*;/) {
-                    unless ($imported_gpg) {
-                        &check_commands({'gpg' => ''}, {});
-                        require GnuPG::Interface;
-                        print STDERR "[+] GnuPG::Interface::VERSION ",
@@ -3499 +3497 @@
-                } elsif ($line =~ /^\s*GPG_DECRYPT_PW:\s*(.*)\s*;/) {
-                    unless ($imported_gpg) {
-                        &check_commands({'gpg' => ''}, {});
-                        require GnuPG::Interface;
-                        print STDERR "[+] GnuPG::Interface::VERSION ",
@@ -3508 +3505 @@
-                } elsif ($line =~ /^\s*GPG_HOME_DIR:\s*(\S+)\s*;/) {
-                    unless ($imported_gpg) {
-                        &check_commands({'gpg' => ''}, {});
-                        require GnuPG::Interface;
-                        print STDERR "[+] GnuPG::Interface::VERSION ",
@@ -3920 +3916 @@
-            $access_hr->{'GPG_PATH'} = ''
-                unless defined $access_hr->{'GPG_PATH'};
+            unless ($access_hr->{'GPG_PATH'}) {
+                &check_commands({'gpg' => ''}, {});
+            }
-        }
-        if (defined ($access_hr->{'REQUIRE_AUTH_METHOD'})) {
@@ -4233 +4232 @@
-
-    ### make sure command paths are correct
-
+, 'gpg2' => ''
-
-    if ($fw_del_ip) {

fwknop/trunk/test/fwknop_test.pl

@@ -41 +41 @@
-my $tcpdumpCmd = '/usr/sbin/tcpdump';
-my $gpgCmd     = '/usr/bin/gpg';
+my $gpg2Cmd    = '/usr/bin/gpg2';
-
-my $conf_dir   = 'conf';
@@ -49 +50 @@
-my $default_access_conf   = "$conf_dir/default_access.conf";
-my $default_fwknop_conf   = "$conf_dir/default_fwknop.conf";
+my $gpg2_fwknop_conf      = "$conf_dir/gpg2_fwknop.conf";
-my $fwknop_62203_conf     = "$conf_dir/filter_62203_fwknop.conf";
-my $sha256_fwknop_conf    = "$conf_dir/sha256_fwknop.conf";
@@ -62 +64 @@
-my $rand_port_fwknop_conf = "$conf_dir/rand_port_fwknop.conf";
-my $gpg_access_conf       = "$conf_dir/gpg_access.conf";
+my $gpg2_access_conf      = "$conf_dir/gpg2_access.conf";
-my $gpg_access_no_prefix_conf = "$conf_dir/gpg_access_no_prefix.conf";
-my $no_promisc_fwknop_conf = "$conf_dir/no_promisc_fwknop.conf";
@@ -503 +506 @@
-}
-
+if (-e $gpg2Cmd and -x $gpg2Cmd) {
+    &test_driver('(GnuPG v2) Generating SPA access packet',
+        \&SPA_gpg2_access_packet);
+    &test_driver('(GnuPG v2) Sniffing SPA access packet to acquire access',
+        \&gpg2_sniff_decrypt);
+    &test_driver('(GnuPG v2) Verifying sniffed SPA access packet format',
+        \&spa_access_format);
+    &test_driver('(GnuPG v2) Firewall access rules exist', \&fw_rules_exist);
+    &fw_sleep('(GnuPG v2)');
+    &test_driver('(GnuPG v2) Firewall access rules removed',
+        \&fw_rules_removed);
+    &test_driver('(GnuPG v2) Stopping all running fwknopd processes',
+        \&stop_fwknopd);
+}
+
-### test SPA command execution instead of access requests
-&test_driver('(Command execution) Generating SPA command packet',
@@ -1519 +1537 @@
-}
-
+sub gpg2_sniff_decrypt() {
+
+    if (&run_fwknopd($cache_encrypted_spa_packet,
+            $gpg2_fwknop_conf, $gpg2_access_conf)) {
+
+        ### now that fwknopd has exited, see if the SPA packet was valid
+        open SE, "< $current_test_file"
+            or die "[*] Could not open $current_test_file: $!";
+        while (<SE>) {
+            if (/\[\-\]\s+Key\s+mis\-?match/i) {
+                ### [-] Key mis-match or broken message checksum for SOURCE \
+                ### ANY (# 1 in access.conf)
+                close SE;
+                return &print_errors("[-] Key mis-match");
+            } elsif (/\[\-\]\s+Decrypted.*not\s+conform/i) {
+                ### [-] Decrypted message does not conform to a valid SPA packet
+                close SE;
+                return &print_errors("[-] Invalid SPA packet");
+            }
+        }
+        close SE;
+        return 1;
+    }
+    return &print_errors("[-] Sniff alarm ($sniff_alarm seconds) expired");
+}
+
-sub SPA_sniff_decrypt() {
-    return &sniff_decrypt($default_fwknop_conf);
@@ -2312 +2356 @@
-        "--Include-gpg-prefix",
-        $NO_QUIET);
+}
+
+sub SPA_gpg2_access_packet() {
+    return &get_access_packet("$default_fwknop_args " .
+        "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " .
+        "--gpg-sign $gpg_client_key --gpg-no-options " .
+        "--gpg-path $gpg2Cmd", $NO_QUIET);
-}
-