Changeset 1489
- Timestamp:
- 06/30/09 08:26:51 (8 months ago)
- Location:
- fwknop/trunk
- Files:
-
- 2 modified
-
fwknopd (modified) (7 diffs)
-
test/fwknop_test.pl (modified) (35 diffs)
fwknop/trunk/fwknopd
r1488 r1489 128 128 my $fw_data_file = ''; ### legacy port knocking mode 129 129 my $dump_config = 0; 130 my $spa_dump_packets = ''; 130 131 131 132 my $cmdline_locale = ''; … … 691 692 my ($src_ip, $enc_msg_len, $pkt_data) = @_; 692 693 694 if ($spa_dump_packets) { 695 if (&is_base64($pkt_data)) { 696 print "\nLen: $enc_msg_len, pkt: $pkt_data\n"; 697 } else { 698 print "\nLine contains non base64 chars, skipping.\n"; 699 return; 700 } 701 } 702 693 703 ### first check to see if we have any matching access directives 694 704 ### (in access.conf) for $src_ip, and if not we will do _nothing_ … … 740 750 &fko_destroy_object() if $use_fko_module; 741 751 next SOURCE; 752 } 753 754 if ($spa_dump_packets) { 755 print " Disk write digest: $digest\n"; 756 for my $key (keys %$msg_hr) { 757 printf " %20s -> %s\n", $key, $msg_hr->{$key}; 758 } 759 return; 742 760 } 743 761 … … 4881 4899 'fwknop_servCmd=s' => \$cmdline_fwknop_serv, 4882 4900 'knoptm-debug-file=s' => \$knoptm_debug_file, 4901 'spa-dump-packets=s' => \$spa_dump_packets, 4883 4902 'LC_ALL=s' => \$cmdline_locale, 4884 4903 'locale=s' => \$cmdline_locale, … … 4988 5007 } 4989 5008 return; 5009 } 5010 5011 sub spa_dump_packets() { 5012 my $rv = 0; 5013 5014 &import_access(); 5015 5016 print "[+] Reading in encoded/encrypted SPA packets ", 5017 "from file: $spa_dump_packets\n"; 5018 open F, "< $spa_dump_packets" or 5019 die "[*] Could not open $spa_dump_packets: $!"; 5020 while (<F>) { 5021 next unless /\S/; 5022 chomp; 5023 &SPA_check_grant_access('127.0.0.1', length($_), $_); 5024 } 5025 close F; 5026 return $rv; 4990 5027 } 4991 5028 … … 5185 5222 ### --Status 5186 5223 exit &status() if $status; 5224 5225 ### --spa-dump-packets (dumps decrypted SPA packets out on stdout) 5226 exit &spa_dump_packets() if $spa_dump_packets; 5187 5227 5188 5228 ### make sure there is not another fwknopd process already running. … … 6037 6077 } 6038 6078 close F; 6079 } 6080 6081 if ($debug) { 6082 print STDERR localtime() . 
" [+] digest_store hash: \n", 6083 Dumper(\%digest_store); 6039 6084 } 6040 6085 -
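Review bot: The new spa_dump_packets() sub opens the operator-supplied path with a two-argument bareword open, `open F, "< $spa_dump_packets"`, which lets Perl parse mode and surrounding whitespace out of the filename; prefer the three-argument form with a lexical handle, `open my $fh, '<', $spa_dump_packets or die "[*] Could not open $spa_dump_packets: $!";` and `while (<$fh>)`. The dump block added to SPA_check_grant_access prints every decoded field of each packet to stdout, so a comment such as `### NOTE: prints decrypted SPA fields to stdout - test/diagnostic use only` above it would make the sensitivity of that output explicit. The early `return` in that block appears to happen before the digest is recorded to disk, so dump mode presumably does not alter replay-detection state, but that is worth confirming since the surrounding code is not visible. SPA_check_grant_access begins and ends outside this hunk.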
fwknop/trunk/test/fwknop_test.pl
r1482 r1489 53 53 54 54 my $knoptm_debug_file = "$output_dir/knoptm.debug"; 55 my $dump_packets_file = "$output_dir/dump_packets"; # for digest calculation 55 56 56 57 my $default_access_conf = "$conf_dir/default_access.conf"; … … 1555 1556 sub replay_attack() { 1556 1557 1557 &get_access_packet($default_fwknop_args, $ NO_QUIET);1558 &get_access_packet($default_fwknop_args, $default_fwknop_conf, $NO_QUIET); 1558 1559 1559 1560 ### write out the digest to the digest.cache so that we … … 1592 1593 1593 1594 ### SHA256 is the default anyway 1594 &get_access_packet("$default_fwknop_args --digest-alg sha256", $NO_QUIET); 1595 &get_access_packet("$default_fwknop_args --digest-alg sha256", 1596 $sha256_fwknop_conf, $NO_QUIET); 1595 1597 1596 1598 ### write out the SHA256 digest to the digest.cache file so that we … … 1626 1628 sub replay_attack_sha1() { 1627 1629 1628 &get_access_packet("$default_fwknop_args --digest-alg sha1", $NO_QUIET); 1630 &get_access_packet("$default_fwknop_args --digest-alg sha1", 1631 $sha1_fwknop_conf, $NO_QUIET); 1629 1632 1630 1633 ### write out the SHA1 digest to the digest.cache so that we … … 1660 1663 sub replay_attack_md5() { 1661 1664 1662 &get_access_packet("$default_fwknop_args --digest-alg md5", $NO_QUIET); 1665 &get_access_packet("$default_fwknop_args --digest-alg md5", 1666 $md5_fwknop_conf, $NO_QUIET); 1663 1667 1664 1668 ### write out the MD5 digest to the digest.cache so that we … … 1693 1697 1694 1698 sub non_matching_source_generation() { 1695 return &get_access_packet($default_fwknop_args, $NO_QUIET); 1699 return &get_access_packet($default_fwknop_args, 1700 $default_fwknop_conf, $NO_QUIET); 1696 1701 } 1697 1702 … … 3382 3387 return &get_access_packet("$default_fwknop_args " . 3383 3388 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 
3384 "--gpg-sign $gpg_client_key", $ NO_QUIET);3389 "--gpg-sign $gpg_client_key", $default_fwknop_conf, $NO_QUIET); 3385 3390 } 3386 3391 … … 3389 3394 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 3390 3395 "--gpg-sign $gpg_client_key --Include-gpg-prefix", 3391 $ NO_QUIET);3396 $default_fwknop_conf, $NO_QUIET); 3392 3397 } 3393 3398 … … 3396 3401 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 3397 3402 "--gpg-sign $gpg_client_key --gpg-path $gpg2Cmd", 3398 $ NO_QUIET);3403 $default_fwknop_conf, $NO_QUIET); 3399 3404 } 3400 3405 … … 3403 3408 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 3404 3409 "--gpg-sign $gpg_client_key --gpg-path $gpg2Cmd $http_opt", 3405 $ NO_QUIET);3410 $default_fwknop_conf, $NO_QUIET); 3406 3411 } 3407 3412 3408 3413 sub SPA_client_timeout_access_packet() { 3409 3414 return &get_access_packet("$default_fwknop_args --fw-timeout 5", 3410 $ NO_QUIET);3415 $default_fwknop_conf, $NO_QUIET); 3411 3416 } 3412 3417 3413 3418 sub SPA_access_packet_62203() { 3414 3419 return &get_access_packet("$default_fwknop_args $server_port_opt 62203", 3415 $ NO_QUIET);3420 $default_fwknop_conf, $NO_QUIET); 3416 3421 } 3417 3422 3418 3423 sub SPA_access_packet_plus60min() { 3419 3424 return &get_access_packet("$default_fwknop_args --time-offset-plus 60min", 3420 $ NO_QUIET);3425 $default_fwknop_conf, $NO_QUIET); 3421 3426 } 3422 3427 3423 3428 sub SPA_access_packet_minus60min() { 3424 3429 return &get_access_packet("$default_fwknop_args --time-offset-minus 60min", 3425 $ NO_QUIET);3430 $default_fwknop_conf, $NO_QUIET); 3426 3431 } 3427 3432 3428 3433 sub SPA_access_packet_icmp() { 3429 3434 return &get_access_packet("$default_fwknop_args $spoof_proto_opt icmp", 3430 $ NO_QUIET);3435 $default_fwknop_conf, $NO_QUIET); 3431 3436 } 3432 3437 3433 3438 sub SPA_access_packet_http() { 3434 3439 return &get_access_packet("$default_fwknop_args $http_opt", 3435 $ NO_QUIET);3440 $default_fwknop_conf, $NO_QUIET); 3436 3441 } 3437 
3442 … … 3439 3444 return &get_access_packet("$default_fwknop_args " . 3440 3445 "--gpg-home conf/client-gpg --gpg-recip $gpg_server_key " . 3441 "--gpg-sign $gpg_client_key $http_opt", $NO_QUIET); 3446 "--gpg-sign $gpg_client_key $http_opt", $default_fwknop_conf, 3447 $NO_QUIET); 3442 3448 } 3443 3449 … … 3445 3451 if ($client_language eq 'C') { 3446 3452 return &get_access_packet("$default_fwknop_args --server-proto tcp", 3447 $ NO_QUIET);3453 $default_fwknop_conf, $NO_QUIET); 3448 3454 } else { 3449 3455 return &get_access_packet("$default_fwknop_args --TCP-sock", 3450 $ NO_QUIET);3456 $default_fwknop_conf, $NO_QUIET); 3451 3457 } 3452 3458 } 3453 3459 3454 3460 sub SPA_access_packet() { 3455 return &get_access_packet($default_fwknop_args, $NO_QUIET); 3461 return &get_access_packet($default_fwknop_args, 3462 $default_fwknop_conf, $NO_QUIET); 3456 3463 } 3457 3464 … … 3460 3467 "--get-key $local_key_file -D $localhost -a $allow_src " . 3461 3468 "$test_mode_opt -v --debug $spoof_user_opt $require_user", 3462 $ NO_QUIET);3469 $default_fwknop_conf, $NO_QUIET); 3463 3470 } 3464 3471 3465 3472 sub SPA_access_packet_salted() { 3466 3473 return &get_access_packet("$default_fwknop_args --Include-salted", 3467 $ NO_QUIET);3474 $default_fwknop_conf, $NO_QUIET); 3468 3475 } 3469 3476 3470 3477 sub SPA_access_packet_rand_dest_port() { 3471 3478 return &get_access_packet("$default_fwknop_args --rand-port", 3472 $ NO_QUIET);3479 $default_fwknop_conf, $NO_QUIET); 3473 3480 } 3474 3481 3475 3482 sub SPA_access_packet_no_dash_A() { 3476 return &get_access_packet($fwknop_args_no_dash_A, $NO_QUIET); 3483 return &get_access_packet($fwknop_args_no_dash_A, 3484 $default_fwknop_conf, $NO_QUIET); 3477 3485 } 3478 3486 3479 3487 sub SPA_access_packet_md5() { 3480 3488 return &get_access_packet("$default_fwknop_args --digest-alg md5", 3481 $ NO_QUIET);3489 $default_fwknop_conf, $NO_QUIET); 3482 3490 } 3483 3491 … … 3486 3494 "$local_key_file -D $localhost -a $allow_src --Test -v " . 
3487 3495 qq|--debug $spoof_user_opt $require_user --Server-cmd "$test_cmd"|, 3488 $ NO_QUIET);3496 $default_fwknop_conf, $NO_QUIET); 3489 3497 } 3490 3498 3491 3499 sub SPA_forward_access_packet_client_timeout() { 3492 3500 return &get_access_packet("$default_fwknop_args " . 3493 "--NAT-access 192.168.10.3:55000 --fw-timeout 5", $NO_QUIET); 3501 "--NAT-access 192.168.10.3:55000 --fw-timeout 5", 3502 $default_fwknop_conf, $NO_QUIET); 3494 3503 } 3495 3504 3496 3505 sub SPA_forward_access_packet() { 3497 3506 return &get_access_packet("$default_fwknop_args " . 3498 "--NAT-access 192.168.10.3:55000", $NO_QUIET); 3507 "--NAT-access 192.168.10.3:55000", 3508 $default_fwknop_conf, $NO_QUIET); 3499 3509 } 3500 3510 3501 3511 sub SPA_forward_access_packet_restricted_IP() { 3502 3512 return &get_access_packet("$default_fwknop_args " . 3503 "--NAT-access 192.168.10.5:55000", $NO_QUIET); 3513 "--NAT-access 192.168.10.5:55000", 3514 $default_fwknop_conf, $NO_QUIET); 3504 3515 } 3505 3516 3506 3517 sub SPA_output_access_packet() { 3507 return &get_access_packet($default_fwknop_args, $NO_QUIET); 3518 return &get_access_packet($default_fwknop_args, 3519 $default_fwknop_conf, $NO_QUIET); 3508 3520 } 3509 3521 3510 3522 sub SPA_local_nat_access_packet() { 3511 3523 return &get_access_packet("$default_fwknop_args " . 3512 "--NAT-local --NAT-access $localhost:55000", $NO_QUIET); 3524 "--NAT-local --NAT-access $localhost:55000", 3525 $default_fwknop_conf, $NO_QUIET); 3513 3526 } 3514 3527 … … 3516 3529 return &get_access_packet("$default_fwknop_args " . 3517 3530 "--NAT-local --NAT-access $localhost --NAT-rand-port ", 3518 $ NO_QUIET);3531 $default_fwknop_conf, $NO_QUIET); 3519 3532 } 3520 3533 … … 3522 3535 return &get_access_packet("$default_fwknop_args " . 3523 3536 "--NAT-local --NAT-access $localhost --NAT-rand-port " . 
3524 "--rand-port", 3525 $NO_QUIET); 3537 "--rand-port", $default_fwknop_conf, $NO_QUIET); 3526 3538 } 3527 3539 … … 3529 3541 return &get_access_packet("$default_fwknop_args " . 3530 3542 "--NAT-local --NAT-access $localhost:55000 --fw-timeout 5", 3531 $ NO_QUIET);3543 $default_fwknop_conf, $NO_QUIET); 3532 3544 } 3533 3545 … … 3536 3548 "$local_key_file -D $localhost -a $allow_src --Test -v " . 3537 3549 qq|--debug $spoof_user_opt $require_user --Server-cmd "$test_cmd"|, 3538 $ NO_QUIET);3550 $default_fwknop_conf, $NO_QUIET); 3539 3551 } 3540 3552 … … 3542 3554 my $key_copy = $cache_key; 3543 3555 $cache_key = 'short'; 3544 my $rv = &get_access_packet($default_fwknop_args, $QUIET); 3556 my $rv = &get_access_packet($default_fwknop_args, 3557 $default_fwknop_conf, $QUIET); 3545 3558 $cache_key = $key_copy; 3546 3559 if ($client_language eq 'perl') { … … 3554 3567 sub unauthorized_port_request() { 3555 3568 $default_fwknop_args =~ s|\s$open_ports\s| tcp/1 |; 3556 my $rv = &get_access_packet($default_fwknop_args, $NO_QUIET); 3569 my $rv = &get_access_packet($default_fwknop_args, 3570 $default_fwknop_conf, $NO_QUIET); 3557 3571 $default_fwknop_args =~ s|\stcp/1\s| $open_ports |; 3558 3572 return $rv; … … 3586 3600 sub unauthorized_user() { 3587 3601 $default_fwknop_args =~ s/\s$require_user/ mbr$require_user/; 3588 my $rv = &get_access_packet($default_fwknop_args, $NO_QUIET); 3602 my $rv = &get_access_packet($default_fwknop_args, 3603 $default_fwknop_conf, $NO_QUIET); 3589 3604 $default_fwknop_args =~ s/\smbr$require_user/ $require_user/; 3590 3605 return $rv; … … 3618 3633 3619 3634 sub truncated_SPA_packet() { 3620 my $rv = &get_access_packet($default_fwknop_args, $NO_QUIET); 3635 my $rv = &get_access_packet($default_fwknop_args, 3636 $default_fwknop_conf, $NO_QUIET); 3621 3637 ### chop off the last 11 chars 3622 3638 $cache_encrypted_spa_packet =~ s|.{11}$||; … … 3625 3641 3626 3642 sub non_base64_SPA_packet() { 3627 my $rv = 
&get_access_packet($default_fwknop_args, $NO_QUIET); 3643 my $rv = &get_access_packet($default_fwknop_args, 3644 $default_fwknop_conf, $NO_QUIET); 3628 3645 ### introduce one non-base64 encoded character "@" at the 11th position 3629 3646 $cache_encrypted_spa_packet =~ s|(.{10}).|$1@|; … … 3632 3649 3633 3650 sub append_SPA_packet() { 3634 my $rv = &get_access_packet($default_fwknop_args, $NO_QUIET); 3651 my $rv = &get_access_packet($default_fwknop_args, 3652 $default_fwknop_conf, $NO_QUIET); 3635 3653 ### append 10 garbage chars 3636 3654 $cache_encrypted_spa_packet .= '1234567890'; … … 3739 3757 sub source_addr() { 3740 3758 $default_fwknop_args =~ s/\-a\s+$allow_src\s/-a 0.0.0.0 /; 3741 my $rv = &get_access_packet($default_fwknop_args, $NO_QUIET); 3759 my $rv = &get_access_packet($default_fwknop_args, 3760 $default_fwknop_conf, $NO_QUIET); 3742 3761 $default_fwknop_args =~ s/\-a\s+0(?:\.0){3}\s/-a $allow_src /; 3743 3762 return $rv; … … 3779 3798 for (my $i=0; $i < $NUM_RAND; $i++) { 3780 3799 3781 &get_access_packet($default_fwknop_args, $NO_QUIET); 3800 &get_access_packet($default_fwknop_args, 3801 $default_fwknop_conf, $NO_QUIET); 3782 3802 3783 3803 if (defined $packet_cache{$cache_encrypted_spa_packet}) { … … 3905 3925 } 3906 3926 3907 &get_packet_data_from_fwknop_output( );3927 &get_packet_data_from_fwknop_output($default_fwknop_conf); 3908 3928 3909 3929 unless ($cache_encrypted_spa_packet) { … … 3914 3934 3915 3935 sub get_access_packet() { 3916 my ($fwknop_cmdline, $ output) = @_;3936 my ($fwknop_cmdline, $fwknop_conf, $output) = @_; 3917 3937 3918 3938 &write_key(); … … 3936 3956 } 3937 3957 3938 &get_packet_data_from_fwknop_output( );3958 &get_packet_data_from_fwknop_output($fwknop_conf); 3939 3959 3940 3960 unless ($cache_encrypted_spa_packet) { … … 3962 3982 3963 3983 sub get_packet_data_from_fwknop_output() { 3984 my $fwknop_conf = shift; 3964 3985 3965 3986 $spa_port = 0; 3966 3987 $cache_encrypted_spa_packet = ''; 3988 $spa_packet_digest = ''; 
3967 3989 3968 3990 my $found_packet_data = 0; … … 3972 3994 while (<F>) { 3973 3995 if ($client_language eq 'perl') { 3974 if (/\sDigest:\s+(\S+)/i) {3975 $spa_packet_digest = $1;3976 next;3977 }3978 3996 if (/^\s*\[\+\]\s+Packet\s+data:/) { 3979 3997 $found_packet_data = 1; … … 3991 4009 } 3992 4010 } else { 3993 if (/^\s*SPA.*\sDigest:\s+(\S+)/) {3994 $spa_packet_digest = $1;3995 next;3996 }3997 4011 if (/^\s*Final\s+Packed.*\sData:/) { 3998 4012 $found_packet_data = 1; … … 4007 4021 } 4008 4022 close F; 4023 4024 ### now that we have the packet data, feed this data to fwknopd 4025 ### to get the digest that it would calculate 4026 die "[*] Could not acquire encrypted SPA packet from the fwknop client." 4027 unless $cache_encrypted_spa_packet; 4028 4029 &get_spa_digests_from_fwknopd($fwknop_conf); 4030 4009 4031 return; 4010 4032 } … … 4543 4565 4544 4566 sub fwknopd_test_fko_exists() { 4545 my $cmd = "$fwknopdCmd - -test-FKO-exists";4567 my $cmd = "$fwknopdCmd -c $default_fwknop_conf --test-FKO-exists"; 4546 4568 open C, "$cmd 2>&1 |" or die "[*] Could not execute $cmd: $!"; 4547 4569 while (<C>) { … … 4552 4574 } 4553 4575 close C; 4576 return; 4577 } 4578 4579 sub get_spa_digests_from_fwknopd() { 4580 my $fwknop_conf = shift; 4581 4582 ### write the current packet out to the dump packets file 4583 open F, "> $dump_packets_file" or 4584 die "[*] Could not open $dump_packets_file: $!"; 4585 print F $cache_encrypted_spa_packet, "\n"; 4586 close F; 4587 4588 my $cmd = "$fwknopdCmd -c $fwknop_conf " . 4589 "-a $default_access_conf --spa-dump-packets $dump_packets_file"; 4590 open C, "$cmd 2>&1 |" or die "[*] Could not execute $cmd: $!"; 4591 while (<C>) { 4592 if (/Disk\s+write\s+digest:\s+(\S+)/) { 4593 $spa_packet_digest = $1; 4594 last; 4595 } 4596 } 4597 close C; 4598 4554 4599 return; 4555 4600 }
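Review bot: get_spa_digests_from_fwknopd() leaves `$spa_packet_digest` empty when fwknopd's output never contains "Disk write digest:", and get_packet_data_from_fwknop_output() then returns normally, so the replay tests that write this digest to digest.cache would presumably proceed with an empty value instead of failing loudly. Add a check once the pipe is closed, `die "[*] fwknopd did not report a digest for the SPA packet: $cmd" unless $spa_packet_digest;`, and check the child's exit status with `close C or die "[*] $cmd failed: $!/$?";`. The `open F, "> $dump_packets_file"` write and the `"$cmd 2>&1 |"` pipe are two-argument opens on interpolated paths; they are harness-controlled here, but a three-argument `open my $fh, '>', $dump_packets_file` at least removes the filename-parsing ambiguity on the dump file.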
