}
authenticate mschap_winbind {
- mschap
+ mschap_winbind
+}
+
+authenticate mschap_ntlm {
+ mschap_ntlm
}
--- /dev/null
+#!/bin/bash
+echo NT_KEY: 000102030405060708090a0b0c0d0e0f
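Review bot: dummy_ntlm_auth.sh ignores its arguments and always prints the NT_KEY line, so the `--username`, `--challenge` and `--nt-response` values that the mschap_ntlm `ntlm_auth` string expands are never checked by this test, unlike the stdin lines that dummy_ntlm_auth_cpw.sh validates one by one. A regression in argument expansion or escaping would therefore still produce Access-Accept. Checking the argument vector the same way, e.g. `case "$*" in *--challenge=*65e2ea00a29bddd36cfbad2d76979ac9*) ;; *) echo "Invalid args: $*"; exit 1 ;; esac` using the challenge from the test packet, would close that gap; the exact rendering of `%mschap(Challenge)` (with or without a `0x` prefix) should be confirmed before pinning the literal.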
--- /dev/null
+#!/bin/bash
+#
+# Dummy script which expects particular inputs mimicing a NT password change using the ntlm_auth helper script
+#
+read username
+if [ "$username" != 'username: john' ]; then
+ echo "Invalid username input: $username"
+ exit 1
+fi
+read domain
+if [ "$domain" != 'nt-domain: example' ]; then
+ echo "Invalid domain input: $domain"
+ exit 1
+fi
+read newpwd
+if [ "$newpwd" != 'new-nt-password-blob: 010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900' ]; then
+ echo "Invalid new NT password input: $newpwd"
+ exit 1
+fi
+read oldhash
+if [ "$oldhash" != 'old-nt-hash-blob: 01020304050607080910111213141516' ]; then
+ echo "Invalid old NT password input: $oldhash"
+ exit 1
+fi
+read newlm
+if [ "$newlm" != 'new-lm-password-blob: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' ]; then
+ echo "Invalid new LM password input: $newlm"
+ exit 1
+fi
+read oldlm
+if [ "$oldlm" != 'old-lm-hash-blob: 00000000000000000000000000000000' ]; then
+ echo "Invalid old LM password input: $oldlm"
+ exit 1
+fi
+read dot
+if [ "$dot" != '.' ]; then
+ echo "Invalid dot input: $dot"
+ exit 1
+fi
+echo "Password-Change: Yes"
+
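Review bot: every `read` in this script runs without `-r` and without clearing IFS, so a backslash in an input line is interpreted instead of being compared literally and surrounding whitespace is trimmed; the intended form is `IFS= read -r username` (and likewise for the domain, newpwd, oldhash, newlm, oldlm and dot reads). None of the current expected values contain a backslash, so the comparisons hold today, but the script would silently diverge from the real helper's line handling the moment a test vector does. The failure messages also echo the full received blob to stdout, which is acceptable for these synthetic vectors but worth keeping in mind if the fixture is ever pointed at non-test data. Minor: "mimicing" in the header comment should read "mimicking".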
}
}
+#
+# Instance of mschap configured to use dummy scripts which emulate the output
+# of real ntlm_auth
+#
+mschap mschap_ntlm {
+
+ ntlm_auth = "$ENV{MODULE_TEST_DIR}/dummy_ntlm_auth.sh --request-nt-key --allow-mschapv2 --username=%{&Stripped-User-Name || &User-Name || 'None'} --challenge=%mschap(Challenge) --nt-response=%mschap(NT-Response)"
+
+ passchange {
+ ntlm_auth = "$ENV{MODULE_TEST_DIR}/dummy_ntlm_auth_cpw.sh"
+ ntlm_auth_username = "username: %mschap(User-Name)"
+ ntlm_auth_domain = "nt-domain: %mschap(NT-Domain)"
+ }
+
+ attributes {
+ username = &User-Name
+ chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+ chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+ chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+ chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+ chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+ chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+ mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+ mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+ mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+ mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+ chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+ chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW
+ }
+}
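Review bot: the `passchange` block is silently coupled to the dummy script: the `ntlm_auth_username = "username: %mschap(User-Name)"` and `ntlm_auth_domain = "nt-domain: %mschap(NT-Domain)"` formats must match the exact `username: john` / `nt-domain: example` lines that dummy_ntlm_auth_cpw.sh compares against, and nothing in the config says so. A short comment above `passchange {`, such as `# Line formats below must match what dummy_ntlm_auth_cpw.sh expects on stdin`, would stop a future edit to one side from breaking the other with an unhelpful "Invalid username input" failure. The main `ntlm_auth` line has the same implicit dependency on dummy_ntlm_auth.sh and could carry a matching note.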
--- /dev/null
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = 'example\john'
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Challenge := 0x65e2ea00a29bddd36cfbad2d76979ac9
+Vendor-Specific.Microsoft.CHAP2-Response := 0x0000c9cb418bc880211f2d4b0a07dc5424bc00000000000000008002d790cd114ab4b9bd921b8d2d2578d99946ac46be6274
+Vendor-Specific.Microsoft.CHAP2-CPW = 0x07ab010203040506070809101112131415160102030405060708091011121314151600000000000000000102030405060708091011121314151617181920212223240000
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab0001010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab00020102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab000301020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+Vendor-Specific.Microsoft.CHAP2-Success == 0xab533d41443144323233303643373641393843353643323239423735323137323834374542323039464534
+Vendor-Specific.Microsoft.MPPE-Encryption-Policy == Encryption-Allowed
+Vendor-Specific.Microsoft.MPPE-Encryption-Types == RC4-40or128-bit-Allowed
+
--- /dev/null
+&control.Password.Cleartext := "SuperSecret"
+
+mschap_ntlm
+
+if !(&control.Auth-Type == mschap_ntlm) {
+ test_fail
+}
+
+mschap_ntlm.authenticate
+
+if !(&reply.Vendor-Specific.Microsoft.MPPE-Send-Key) {
+ test_fail
+}
+
+if !(&reply.Vendor-Specific.Microsoft.MPPE-Recv-Key) {
+ test_fail
+}
+
+&reply -= &Vendor-Specific.Microsoft.MPPE-Send-Key
+&reply -= &Vendor-Specific.Microsoft.MPPE-Recv-Key
+
+test_pass
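Review bot: the two `if !(&reply.Vendor-Specific.Microsoft.MPPE-Send-Key)` / `MPPE-Recv-Key` checks only assert presence before the keys are removed with `&reply -= ...`, so an incorrect key derivation would still pass. Since the dummy helper prints a fixed NT_KEY and the NT-Response in the test packet is fixed, the derived values are presumably deterministic and could be compared with `==` in the expected-answer file rather than stripped; if they are removed because they are salted per request, a one-line comment stating that would make the intent clear. This may not be the end of the hunk if the file continues past this chunk.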