diff options
Diffstat (limited to '')
| -rw-r--r-- | src/tests/modules/yubikey/all.mk | 3 | ||||
| -rw-r--r-- | src/tests/modules/yubikey/module.conf | 11 | ||||
| -rw-r--r-- | src/tests/modules/yubikey/yubikey_auth.attrs | 11 | ||||
| -rw-r--r-- | src/tests/modules/yubikey/yubikey_auth.unlang | 56 | ||||
| -rw-r--r-- | src/tests/modules/yubikey/yubikey_xlat.attrs | 11 | ||||
| -rw-r--r-- | src/tests/modules/yubikey/yubikey_xlat.unlang | 42 |
6 files changed, 134 insertions, 0 deletions
diff --git a/src/tests/modules/yubikey/all.mk b/src/tests/modules/yubikey/all.mk new file mode 100644 index 0000000..b62dbc2 --- /dev/null +++ b/src/tests/modules/yubikey/all.mk @@ -0,0 +1,3 @@ +# +# Test the "yubikey" module xlat +# diff --git a/src/tests/modules/yubikey/module.conf b/src/tests/modules/yubikey/module.conf new file mode 100644 index 0000000..a9549f3 --- /dev/null +++ b/src/tests/modules/yubikey/module.conf @@ -0,0 +1,11 @@ +yubikey { + + id_length = 12 + + split = yes + + decrypt = yes + + validate = no + +} diff --git a/src/tests/modules/yubikey/yubikey_auth.attrs b/src/tests/modules/yubikey/yubikey_auth.attrs new file mode 100644 index 0000000..d1fa1de --- /dev/null +++ b/src/tests/modules/yubikey/yubikey_auth.attrs @@ -0,0 +1,11 @@ +# +# Input packet +# +Packet-Type = Access-Request +User-Name = "bob" +User-Password = "helloddddgciilcjkjhlifidginuirlhgidcvbfnutjnibldi" + +# +# Expected answer +# +Response-Packet-Type == Access-Accept diff --git a/src/tests/modules/yubikey/yubikey_auth.unlang b/src/tests/modules/yubikey/yubikey_auth.unlang new file mode 100644 index 0000000..ae9f534 --- /dev/null +++ b/src/tests/modules/yubikey/yubikey_auth.unlang @@ -0,0 +1,56 @@ +# Call yubikey module to split OTP from password +yubikey + +if !(&User-Password == 'hello') { + test_fail +} +if !(&Yubikey-OTP) { + test_fail +} +if !(&Yubikey-Public-Id == 'ddddgciilcjk') { + test_fail +} + +update control { + &Yubikey-Counter := 1 + &Yubikey-Key := 0xb8c56af07ff79b2230e04ab8891784ce +} + +# Call module in authenticate mode to decrypt OTP +yubikey.authenticate + +# Check all the attributes have been created +if !(&Yubikey-Private-Id == 0x1dfc67f97828) { + test_fail +} +if !(&Yubikey-Timestamp) { + test_fail +} +if !(&Yubikey-Counter == 258) { + test_fail +} +if !(&Yubikey-Random) { + test_fail +} + + +# Increase the known "counter" value to detect a replay attack +update { + &control:Yubikey-Counter := &Yubikey-Counter +} + +yubikey.authenticate { + reject = 1 +} + +# Replay attack should result in a reject and a suitable module failure +if !(reject) { + test_fail +} +debug_all + +if !(&Module-Failure-Message == 'yubikey: Replay attack detected! Counter value 258, is lt or eq to last known counter value 258') { + test_fail +} + +test_pass diff --git a/src/tests/modules/yubikey/yubikey_xlat.attrs b/src/tests/modules/yubikey/yubikey_xlat.attrs new file mode 100644 index 0000000..1cce1c5 --- /dev/null +++ b/src/tests/modules/yubikey/yubikey_xlat.attrs @@ -0,0 +1,11 @@ +# +# Input packet +# +Packet-Type = Access-Request +User-Name = "bob" +User-Password = "hello" + +# +# Expected answer +# +Response-Packet-Type == Access-Accept diff --git a/src/tests/modules/yubikey/yubikey_xlat.unlang b/src/tests/modules/yubikey/yubikey_xlat.unlang new file mode 100644 index 0000000..bc17642 --- /dev/null +++ b/src/tests/modules/yubikey/yubikey_xlat.unlang @@ -0,0 +1,42 @@ +update { + &Tmp-String-0 := 'vvrbuctetdhc' + &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}" +} + +if (&Tmp-String-1 != 'ffc1e0d3d260') { + test_fail +} + +# Invalid modhex string - not even length +update { + &Tmp-String-0 := 'vvrbuctetdh' + &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}" +} + +if (ok) { + test_fail +} + +if (&Tmp-String-1 != "") { + test_fail +} + +if (&Module-Failure-Message != "Modhex string invalid") { + test_fail +} + +# Invalid modhex string - invalid characters +update { + &Tmp-String-0 := 'vxrbmctetdhc' + &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}" +} + +if (ok) { + test_fail +} + +if (&Tmp-String-1 != "") { + test_fail +} + +test_pass |