From de8bf9112695763664912e340b265fa898188460 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 26 Aug 2024 12:41:52 +0200
Subject: Merging upstream version 3.2.5+dfsg.

Signed-off-by: Daniel Baumann
---
src/tests/modules/yubikey/all.mk | 3 ++
src/tests/modules/yubikey/module.conf | 11 ++++++
src/tests/modules/yubikey/yubikey_auth.attrs | 11 ++++++
src/tests/modules/yubikey/yubikey_auth.unlang | 56 +++++++++++++++++++++++++++
src/tests/modules/yubikey/yubikey_xlat.attrs | 11 ++++++
src/tests/modules/yubikey/yubikey_xlat.unlang | 42 ++++++++++++++++++++
6 files changed, 134 insertions(+)
create mode 100644 src/tests/modules/yubikey/all.mk
create mode 100644 src/tests/modules/yubikey/module.conf
create mode 100644 src/tests/modules/yubikey/yubikey_auth.attrs
create mode 100644 src/tests/modules/yubikey/yubikey_auth.unlang
create mode 100644 src/tests/modules/yubikey/yubikey_xlat.attrs
create mode 100644 src/tests/modules/yubikey/yubikey_xlat.unlang
(limited to 'src/tests/modules/yubikey')
diff --git a/src/tests/modules/yubikey/all.mk b/src/tests/modules/yubikey/all.mk
new file mode 100644
index 0000000..b62dbc2
--- /dev/null
+++ b/src/tests/modules/yubikey/all.mk
@@ -0,0 +1,3 @@
+#
+# Test the "yubikey" module xlat
+#
diff --git a/src/tests/modules/yubikey/module.conf b/src/tests/modules/yubikey/module.conf
new file mode 100644
index 0000000..a9549f3
--- /dev/null
+++ b/src/tests/modules/yubikey/module.conf
@@ -0,0 +1,11 @@
+yubikey {
+
+ id_length = 12
+
+ split = yes
+
+ decrypt = yes
+
+ validate = no
+
+}
diff --git a/src/tests/modules/yubikey/yubikey_auth.attrs b/src/tests/modules/yubikey/yubikey_auth.attrs
new file mode 100644
index 0000000..d1fa1de
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.attrs
@@ -0,0 +1,11 @@
+#
+# Input packet
+#
+Packet-Type = Access-Request
+User-Name = "bob"
+User-Password = "helloddddgciilcjkjhlifidginuirlhgidcvbfnutjnibldi"
+
+#
+# Expected answer
+#
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/modules/yubikey/yubikey_auth.unlang b/src/tests/modules/yubikey/yubikey_auth.unlang
new file mode 100644
index 0000000..ae9f534
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.unlang
@@ -0,0 +1,56 @@
+# Call yubikey module to split OTP from password
+yubikey
+
+if !(&User-Password == 'hello') {
+ test_fail
+}
+if !(&Yubikey-OTP) {
+ test_fail
+}
+if !(&Yubikey-Public-Id == 'ddddgciilcjk') {
+ test_fail
+}
+
+update control {
+ &Yubikey-Counter := 1
+ &Yubikey-Key := 0xb8c56af07ff79b2230e04ab8891784ce
+}
+
+# Call module in authenticate mode to decrypt OTP
+yubikey.authenticate
+
+# Check all the attributes have been created
+if !(&Yubikey-Private-Id == 0x1dfc67f97828) {
+ test_fail
+}
+if !(&Yubikey-Timestamp) {
+ test_fail
+}
+if !(&Yubikey-Counter == 258) {
+ test_fail
+}
+if !(&Yubikey-Random) {
+ test_fail
+}
+
+
+# Increase the known "counter" value to detect a replay attack
+update {
+ &control:Yubikey-Counter := &Yubikey-Counter
+}
+
+yubikey.authenticate {
+ reject = 1
+}
+
+# Replay attack should result in a reject and a suitable module failure
+if !(reject) {
+ test_fail
+}
+debug_all
+
+if !(&Module-Failure-Message == 'yubikey: Replay attack detected! Counter value 258, is lt or eq to last known counter value 258') {
+ test_fail
+}
+
+test_pass
diff --git a/src/tests/modules/yubikey/yubikey_xlat.attrs b/src/tests/modules/yubikey/yubikey_xlat.attrs
new file mode 100644
index 0000000..1cce1c5
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_xlat.attrs
@@ -0,0 +1,11 @@
+#
+# Input packet
+#
+Packet-Type = Access-Request
+User-Name = "bob"
+User-Password = "hello"
+
+#
+# Expected answer
+#
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/modules/yubikey/yubikey_xlat.unlang b/src/tests/modules/yubikey/yubikey_xlat.unlang
new file mode 100644
index 0000000..bc17642
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_xlat.unlang
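Review bot: The replay check in yubikey_auth.unlang is exercised only at the equality boundary: the stored counter is set to the OTP's own counter (258) before the second `yubikey.authenticate`, so the "less than" half of the "lt or eq" condition in the asserted message is never reached. A further case that sets `&control:Yubikey-Counter := 259` and again expects `reject` would pin that branch; the exact failure text for it would have to be taken from the module. The first `yubikey.authenticate` call also has no direct return-code assertion, so the accept path is verified only through the attributes it creates. Separately, the `debug_all` call between the reject check and the message assertion looks like a debugging leftover; if it dumps the request and control lists, as the name suggests, it writes `User-Password` and `Yubikey-Key` into the test log and could be dropped.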
@@ -0,0 +1,42 @@
+update {
+ &Tmp-String-0 := 'vvrbuctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (&Tmp-String-1 != 'ffc1e0d3d260') {
+ test_fail
+}
+
+# Invalid modhex string - not even length
+update {
+ &Tmp-String-0 := 'vvrbuctetdh'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+if (&Module-Failure-Message != "Modhex string invalid") {
+ test_fail
+}
+
+# Invalid modhex string - invalid characters
+update {
+ &Tmp-String-0 := 'vxrbmctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+test_pass
-- 
cgit v1.2.3
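Review bot: The invalid-character case at the end of yubikey_xlat.unlang checks only the return code and the empty result, while the odd-length case above it also asserts `&Module-Failure-Message`. That attribute was already set by the odd-length case and may still be present in the request when the third case runs, so the test never establishes which message, if any, the invalid-character path produces. Adding an assertion on the expected text for this path (to be confirmed against the module), or a comment such as `# Module-Failure-Message not checked here: it may still hold the value from the odd-length case`, would make the intent explicit.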