diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
commit | 50b37d4a27d3295a29afca2286f1a5a086142cec (patch) | |
tree | 9212f763934ee090ef72d823f559f52ce387f268 /src/tests/keywords/pap | |
parent | Initial commit. (diff) | |
download | freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.tar.xz freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.zip |
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/tests/keywords/pap | 146 | ||||
-rw-r--r-- | src/tests/keywords/pap-ssha2 | 114 |
2 files changed, 260 insertions, 0 deletions
diff --git a/src/tests/keywords/pap b/src/tests/keywords/pap new file mode 100644 index 0000000..a347b7c --- /dev/null +++ b/src/tests/keywords/pap @@ -0,0 +1,146 @@ +# +# PRE: update if +# +update { + reply:Filter-Id := 'filter' + control: !* ANY + request:Tmp-String-0 := "5RNqNl8iYLbkCc7JhR8as4TtDDCX6otuuWtcja8rITUyx9zrnHSe9tTHGmKK" # 60 byte salt +} + +# +# Unencoded Cleartext-Password in password with header +# +update { + control:Password-With-Header := "%{request:User-Password}" +} +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 0' + } +} + +update { + control: !* ANY +} + +# +# Base64 encoded Cleartext-Password in password with header +# +update { + Tmp-String-1 := "{clear}%{User-Password}" +} +update { + control:Password-With-Header := "%{base64:&request:Tmp-String-1}" +} +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 0' + } +} + +update { + control: !* ANY +} + +# +# Hex encoded SSHA password +# +update { + control:Password-With-Header += "{ssha}%{sha1:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 1' + } +} + +update { + control: !* ANY +} + +# +# Base64 encoded SSHA password +# +update { + control:Tmp-String-1 := "%{sha1:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +# To Binary +update { + control:Tmp-Octets-0 := "0x%{control:Tmp-String-1}" +} + +# To Base64 +update { + control:Tmp-String-1 := "%{base64:&control:Tmp-Octets-0}" +} + +update { + control:Password-With-Header += "{ssha}%{control:Tmp-String-1}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 2' + } +} + +update { + control: !* ANY +} + +# +# Base64 of Base64 encoded SSHA password +# +update { + control:Tmp-String-1 := "%{sha1:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +# To Binary +update { + control:Tmp-Octets-0 := "0x%{control:Tmp-String-1}" +} + +# To Base64 +update { + control:Tmp-String-1 := "{ssha}%{base64:&control:Tmp-Octets-0}" +} + +update { + control:Password-With-Header += "%{base64:&control:Tmp-String-1}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 3' + } +} + +update { + control: !* ANY +} + +update control { + Auth-Type := Accept +} diff --git a/src/tests/keywords/pap-ssha2 b/src/tests/keywords/pap-ssha2 new file mode 100644 index 0000000..a8c9c9b --- /dev/null +++ b/src/tests/keywords/pap-ssha2 @@ -0,0 +1,114 @@ +# +# PRE: update if pap +# + +# +# Skip if the server wasn't built with openssl +# +if ('${feature.tls}' != 'yes') { + update control { + Response-Packet-Type := Access-Accept + } + handled +} + +update { + reply:Filter-Id := 'filter' + control: !* ANY + request:Tmp-String-0 := "5RNqNl8iYLbkCc7JhR8as4TtDDCX6otuuWtcja8rITUyx9zrnHSe9tTHGmKK" # 60 byte salt +} + +# +# Hex encoded SSHA2-512 password +# +update { + control:Password-With-Header += "{ssha512}%{sha512:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 1' + } +} + +update { + control: !* ANY +} + +# +# Base64 encoded SSHA2-512 password +# +update { + control:Tmp-String-1 := "%{sha512:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +# To Binary +update { + control:Tmp-Octets-0 := "0x%{control:Tmp-String-1}" +} + +# To Base64 +update { + control:Tmp-String-1 := "%{base64:&control:Tmp-Octets-0}" +} + +update { + control:Password-With-Header += "{ssha512}%{control:Tmp-String-1}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 2' + } +} + +update { + control: !* ANY +} + +# +# Base64 of Base64 encoded SSHA2-512 password +# +update { + control:Tmp-String-1 := "%{sha512:%{request:User-Password}%{&request:Tmp-String-0}}%{hex:&request:Tmp-String-0}" +} + +# To Binary +update { + control:Tmp-Octets-0 := "0x%{control:Tmp-String-1}" +} + +# To Base64 +update { + control:Tmp-String-1 := "{ssha512}%{base64:&control:Tmp-Octets-0}" +} + +update { + control:Password-With-Header += "%{base64:&control:Tmp-String-1}" +} + +pap.authorize +pap.authenticate { + reject = 1 +} +if (reject) { + update reply { + Filter-Id += 'fail 3' + } +} + +update { + control: !* ANY +} + +update control { + Auth-Type := Accept +} |