authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 10:41:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 10:41:52 +0000
commitde8bf9112695763664912e340b265fa898188460 (patch)
tree9bcd5f8d45fc3b81174d3de8abfd573b68e9d7f6 /src/tests/modules/yubikey
parentAdding debian version 3.2.3+dfsg-2. (diff)
Merging upstream version 3.2.5+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/tests/modules/yubikey')
-rw-r--r--src/tests/modules/yubikey/all.mk3
-rw-r--r--src/tests/modules/yubikey/module.conf11
-rw-r--r--src/tests/modules/yubikey/yubikey_auth.attrs11
-rw-r--r--src/tests/modules/yubikey/yubikey_auth.unlang56
-rw-r--r--src/tests/modules/yubikey/yubikey_xlat.attrs11
-rw-r--r--src/tests/modules/yubikey/yubikey_xlat.unlang42
6 files changed, 134 insertions, 0 deletions
diff --git a/src/tests/modules/yubikey/all.mk b/src/tests/modules/yubikey/all.mk
new file mode 100644
index 0000000..b62dbc2
--- /dev/null
+++ b/src/tests/modules/yubikey/all.mk
@@ -0,0 +1,3 @@
+#
+# Test the "yubikey" module xlat
+#
diff --git a/src/tests/modules/yubikey/module.conf b/src/tests/modules/yubikey/module.conf
new file mode 100644
index 0000000..a9549f3
--- /dev/null
+++ b/src/tests/modules/yubikey/module.conf
@@ -0,0 +1,11 @@
+yubikey {
+
+ id_length = 12
+
+ split = yes
+
+ decrypt = yes
+
+ validate = no
+
+}
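Review bot: Nothing in this block says why `validate = no` is set, and for an OTP module that line is the one most likely to be copied into a real deployment by mistake. With it, the tests presumably never contact a validation server, so the local counter comparison exercised in yubikey_auth.unlang is the only replay protection in play. A short header comment would make that explicit, for example `# Test-only: offline decrypt, no validation-server lookup; replay detection relies on the local counter`.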
diff --git a/src/tests/modules/yubikey/yubikey_auth.attrs b/src/tests/modules/yubikey/yubikey_auth.attrs
new file mode 100644
index 0000000..d1fa1de
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.attrs
@@ -0,0 +1,11 @@
+#
+# Input packet
+#
+Packet-Type = Access-Request
+User-Name = "bob"
+User-Password = "helloddddgciilcjkjhlifidginuirlhgidcvbfnutjnibldi"
+
+#
+# Expected answer
+#
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/modules/yubikey/yubikey_auth.unlang b/src/tests/modules/yubikey/yubikey_auth.unlang
new file mode 100644
index 0000000..ae9f534
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.unlang
@@ -0,0 +1,56 @@
+# Call yubikey module to split OTP from password
+yubikey
+
+if !(&User-Password == 'hello') {
+ test_fail
+}
+if !(&Yubikey-OTP) {
+ test_fail
+}
+if !(&Yubikey-Public-Id == 'ddddgciilcjk') {
+ test_fail
+}
+
+update control {
+ &Yubikey-Counter := 1
+ &Yubikey-Key := 0xb8c56af07ff79b2230e04ab8891784ce
+}
+
+# Call module in authenticate mode to decrypt OTP
+yubikey.authenticate
+
+# Check all the attributes have been created
+if !(&Yubikey-Private-Id == 0x1dfc67f97828) {
+ test_fail
+}
+if !(&Yubikey-Timestamp) {
+ test_fail
+}
+if !(&Yubikey-Counter == 258) {
+ test_fail
+}
+if !(&Yubikey-Random) {
+ test_fail
+}
+
+
+# Increase the known "counter" value to detect a replay attack
+update {
+ &control:Yubikey-Counter := &Yubikey-Counter
+}
+
+yubikey.authenticate {
+ reject = 1
+}
+
+# Replay attack should result in a reject and a suitable module failure
+if !(reject) {
+ test_fail
+}
+debug_all
+
+if !(&Module-Failure-Message == 'yubikey: Replay attack detected! Counter value 258, is lt or eq to last known counter value 258') {
+ test_fail
+}
+
+test_pass
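Review bot: The replay section at the end of this hunk only drives the boundary where the stored counter equals the token counter (258 against 258), so the "lt" half of the comparison is never exercised. A further pass with the stored value above the token's, e.g. `&control:Yubikey-Counter := 259`, followed by the same `yubikey.authenticate { reject = 1 }` and `if !(reject)` check, would cover a stale token as well as an immediate replay. The `debug_all` line between the reject check and the message comparison looks like a debugging leftover; either drop it or add a comment saying why it is needed. The value 258 would also benefit from a comment explaining how it is derived from the token, since the control counter was set to 1 just before.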
diff --git a/src/tests/modules/yubikey/yubikey_xlat.attrs b/src/tests/modules/yubikey/yubikey_xlat.attrs
new file mode 100644
index 0000000..1cce1c5
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_xlat.attrs
@@ -0,0 +1,11 @@
+#
+# Input packet
+#
+Packet-Type = Access-Request
+User-Name = "bob"
+User-Password = "hello"
+
+#
+# Expected answer
+#
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/modules/yubikey/yubikey_xlat.unlang b/src/tests/modules/yubikey/yubikey_xlat.unlang
new file mode 100644
index 0000000..bc17642
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_xlat.unlang
@@ -0,0 +1,42 @@
+update {
+ &Tmp-String-0 := 'vvrbuctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (&Tmp-String-1 != 'ffc1e0d3d260') {
+ test_fail
+}
+
+# Invalid modhex string - not even length
+update {
+ &Tmp-String-0 := 'vvrbuctetdh'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+if (&Module-Failure-Message != "Modhex string invalid") {
+ test_fail
+}
+
+# Invalid modhex string - invalid characters
+update {
+ &Tmp-String-0 := 'vxrbmctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+test_pass
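Review bot: The invalid-character case at the end of this hunk (`'vxrbmctetdhc'`) asserts only `ok` and the empty expansion, while the odd-length case above also checks `Module-Failure-Message`. The message from the odd-length case is presumably still in the request at that point, so simply repeating the comparison would not prove that the third case reported its own error. Removing the attribute first (for instance `&Module-Failure-Message !* ANY` in an `update` block) and then asserting the expected text would make the test pin the rejection reason for malformed modhex input. The exact message for this path is not visible in the diff and would need to be taken from the module source.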