From: Nick Porter
Date: Wed, 13 Mar 2024 20:27:19 +0000 (+0000)
Subject: Use dummy scripts to test mschap ntlm_auth backend
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=222b9ca2ff6e80dc58e28e09366eeeddd453d8f4;p=thirdparty%2Ffreeradius-server.git
Use dummy scripts to test mschap ntlm_auth backend
---
diff --git a/src/tests/modules/mschap/authenticate.conf b/src/tests/modules/mschap/authenticate.conf
index 1f6a6c10a7e..0aaf42903de 100644
--- a/src/tests/modules/mschap/authenticate.conf
+++ b/src/tests/modules/mschap/authenticate.conf
@@ -3,5 +3,9 @@ authenticate mschap {
 }
 
 authenticate mschap_winbind {
-	mschap
+	mschap_winbind
+}
+
+authenticate mschap_ntlm {
+	mschap_ntlm
 }
diff --git a/src/tests/modules/mschap/dummy_ntlm_auth.sh b/src/tests/modules/mschap/dummy_ntlm_auth.sh
new file mode 100755
index 00000000000..caadbe4ba33
--- /dev/null
+++ b/src/tests/modules/mschap/dummy_ntlm_auth.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo NT_KEY: 000102030405060708090a0b0c0d0e0f
diff --git a/src/tests/modules/mschap/dummy_ntlm_auth_cpw.sh b/src/tests/modules/mschap/dummy_ntlm_auth_cpw.sh
new file mode 100755
index 00000000000..a8ae8693982
--- /dev/null
+++ b/src/tests/modules/mschap/dummy_ntlm_auth_cpw.sh
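Review bot: dummy_ntlm_auth.sh ignores every argument it receives, so the `--username=`, `--challenge=` and `--nt-response=` expansions that module.conf builds for it are never exercised; a broken expansion would still produce the fixed NT_KEY and the test would pass. A minimal guard before the echo, such as `[[ "$*" == *--challenge=* && "$*" == *--nt-response=* ]] || exit 1`, would make the test fail on a malformed command line. A one-line header comment saying the key is a fixed test vector rather than something derived from the inputs would also help readers of the test.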
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Dummy script which expects particular inputs mimicing a NT password change using the ntlm_auth helper script
+#
+read username
+if [ "$username" != 'username: john' ]; then
+	echo "Invalid username input: $username"
+	exit 1
+fi
+read domain
+if [ "$domain" != 'nt-domain: example' ]; then
+	echo "Invalid domain input: $domain"
+	exit 1
+fi
+read newpwd
+if [ "$newpwd" != 'new-nt-password-blob: 010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900' ]; then
+	echo "Invalid new NT password input: $newpwd"
+	exit 1
+fi
+read oldhash
+if [ "$oldhash" != 'old-nt-hash-blob: 01020304050607080910111213141516' ]; then
+	echo "Invalid old NT password input: $oldhash"
+	exit 1
+fi
+read newlm
+if [ "$newlm" != 'new-lm-password-blob: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' ]; then
+	echo "Invalid new LM password input: $newlm"
+	exit 1
+fi
+read oldlm
+if [ "$oldlm" != 'old-lm-hash-blob: 00000000000000000000000000000000' ]; then
+	echo "Invalid old LM password input: $oldlm"
+	exit 1
+fi
+read dot
+if [ "$dot" != '.' ]; then
+	echo "Invalid dot input: $dot"
+	exit 1
+fi
+echo "Password-Change: Yes"
+
diff --git a/src/tests/modules/mschap/module.conf b/src/tests/modules/mschap/module.conf
index 96beed0959c..3a745c0d79a 100644
--- a/src/tests/modules/mschap/module.conf
+++ b/src/tests/modules/mschap/module.conf
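Review bot: Every `read` in dummy_ntlm_auth_cpw.sh is used without `-r`, so a backslash in any input line (for example a `domain\user` style name) would be silently rewritten before the comparison and the mismatch reported would not show what was actually received; change each to `read -r username` (and likewise for domain, newpwd, oldhash, newlm, oldlm and dot), adding `IFS=` if leading whitespace ever matters. The diagnostic messages are printed to stdout, which is the stream the mschap module consumes as ntlm_auth output, so on a mismatch the error text is parsed as a result rather than surfaced in the test log; `echo "Invalid username input: $username" >&2` (and the same for the other six) keeps them separate. The header comment also has a typo, `mimicing` should be `mimicking`.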
@@ -39,3 +39,33 @@ mschap mschap_winbind {
 	}
 }
 
+#
+# Instance of mschap configured to use dummy scripts which emulate the output
+# of real ntlm_auth
+#
+mschap mschap_ntlm {
+
+	ntlm_auth = "$ENV{MODULE_TEST_DIR}/dummy_ntlm_auth.sh --request-nt-key --allow-mschapv2 --username=%{&Stripped-User-Name || &User-Name || 'None'} --challenge=%mschap(Challenge) --nt-response=%mschap(NT-Response)"
+
+	passchange {
+		ntlm_auth = "$ENV{MODULE_TEST_DIR}/dummy_ntlm_auth_cpw.sh"
+		ntlm_auth_username = "username: %mschap(User-Name)"
+		ntlm_auth_domain = "nt-domain: %mschap(NT-Domain)"
+	}
+
+	attributes {
+		username = &User-Name
+		chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+		chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+		chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+		chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+		chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+		chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+		mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+		mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+		mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+		mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+		chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+		chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW
+	}
+}
diff --git a/src/tests/modules/mschap/pwdchange_ntlm.attrs b/src/tests/modules/mschap/pwdchange_ntlm.attrs
new file mode 100644
index 00000000000..633c13adab2
--- /dev/null
+++ b/src/tests/modules/mschap/pwdchange_ntlm.attrs
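Review bot: The comment block above `mschap mschap_ntlm {` says the scripts emulate ntlm_auth output but not that dummy_ntlm_auth_cpw.sh accepts exactly one fixed set of inputs, so the `passchange` section, that script and pwdchange_ntlm.attrs have to be changed together; a sentence naming that coupling, e.g. `# dummy_ntlm_auth_cpw.sh checks for the exact values sent by pwdchange_ntlm.attrs`, would prevent a silent mismatch later. Both `ntlm_auth` paths also depend on `$ENV{MODULE_TEST_DIR}`, presumably exported by the test harness; a short note saying where it comes from would save the next reader a search.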
@@ -0,0 +1,21 @@
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = 'example\john'
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Challenge := 0x65e2ea00a29bddd36cfbad2d76979ac9
+Vendor-Specific.Microsoft.CHAP2-Response := 0x0000c9cb418bc880211f2d4b0a07dc5424bc00000000000000008002d790cd114ab4b9bd921b8d2d2578d99946ac46be6274
+Vendor-Specific.Microsoft.CHAP2-CPW = 0x07ab010203040506070809101112131415160102030405060708091011121314151600000000000000000102030405060708091011121314151617181920212223240000
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab0001010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab00020102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900
+Vendor-Specific.Microsoft.CHAP-NT-Enc-PW = 0x06ab000301020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+Vendor-Specific.Microsoft.CHAP2-Success == 0xab533d41443144323233303643373641393843353643323239423735323137323834374542323039464534
+Vendor-Specific.Microsoft.MPPE-Encryption-Policy == Encryption-Allowed
+Vendor-Specific.Microsoft.MPPE-Encryption-Types == RC4-40or128-bit-Allowed
+
diff --git a/src/tests/modules/mschap/pwdchange_ntlm.unlang b/src/tests/modules/mschap/pwdchange_ntlm.unlang
new file mode 100644
index 00000000000..63430f80218
--- /dev/null
+++ b/src/tests/modules/mschap/pwdchange_ntlm.unlang
@@ -0,0 +1,22 @@
+&control.Password.Cleartext := "SuperSecret"
+
+mschap_ntlm
+
+if !(&control.Auth-Type == mschap_ntlm) {
+	test_fail
+}
+
+mschap_ntlm.authenticate
+
+if !(&reply.Vendor-Specific.Microsoft.MPPE-Send-Key) {
+	test_fail
+}
+
+if !(&reply.Vendor-Specific.Microsoft.MPPE-Recv-Key) {
+	test_fail
+}
+
+&reply -= &Vendor-Specific.Microsoft.MPPE-Send-Key
+&reply -= &Vendor-Specific.Microsoft.MPPE-Recv-Key
+
+test_pass
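Review bot: The three `Vendor-Specific.Microsoft.CHAP-NT-Enc-PW` values and the `CHAP2-CPW` value in pwdchange_ntlm.attrs are given without explanation, and they appear to be the fragments that the module reassembles into the `new-nt-password-blob` and `old-nt-hash-blob` strings dummy_ntlm_auth_cpw.sh compares against; a comment above them, e.g. `# Fragments 1-3 concatenate to the blob expected by dummy_ntlm_auth_cpw.sh`, would tie the two files together for whoever next edits either. The expected `CHAP2-Success` hex likewise carries no note on how it was derived, so it cannot be regenerated if the fixed NT_KEY or challenge changes.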
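Review bot: pwdchange_ntlm.unlang has no header describing what it exercises, and `&control.Password.Cleartext := "SuperSecret"` is set even though this instance presumably obtains the NT key from the dummy script via `--request-nt-key`, so a reader cannot tell whether that line is needed; a two-line comment at the top, e.g. `# MS-CHAPv2 password change through the dummy ntlm_auth helper` and `# (inputs are fixed by pwdchange_ntlm.attrs and dummy_ntlm_auth_cpw.sh)`, plus a note on why the cleartext password is still set, would make the intent clear. The MPPE keys are only checked for presence before being stripped from the reply; if their values are deterministic for the fixed NT_KEY, pinning them in the .attrs file would be a stronger check than existence alone.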