From: Nick Porter Date: Tue, 9 Jan 2024 10:56:47 +0000 (+0000) Subject: Backport yukikey module tests from v4 X-Git-Tag: release_3_2_4~93 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2781231f01009a65969dd560fe7eaf7707dfc1ba;p=thirdparty%2Ffreeradius-server.git Backport yukikey module tests from v4
---
diff --git a/src/tests/modules/yubikey/all.mk b/src/tests/modules/yubikey/all.mk
new file mode 100644
index 00000000000..b62dbc2d266
--- /dev/null
+++ b/src/tests/modules/yubikey/all.mk
@@ -0,0 +1,3 @@
+#
+# Test the "yubikey" module xlat
+#
diff --git a/src/tests/modules/yubikey/module.conf b/src/tests/modules/yubikey/module.conf
new file mode 100644
index 00000000000..a9549f3785d
--- /dev/null
+++ b/src/tests/modules/yubikey/module.conf
@@ -0,0 +1,11 @@
+yubikey {
+
+ id_length = 12
+
+ split = yes
+
+ decrypt = yes
+
+ validate = no
+
+}
diff --git a/src/tests/modules/yubikey/yubikey_auth.attrs b/src/tests/modules/yubikey/yubikey_auth.attrs
new file mode 100644
index 00000000000..d1fa1ded92d
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.attrs
@@ -0,0 +1,11 @@
+#
+# Input packet
+#
+Packet-Type = Access-Request
+User-Name = "bob"
+User-Password = "helloddddgciilcjkjhlifidginuirlhgidcvbfnutjnibldi"
+
+#
+# Expected answer
+#
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/modules/yubikey/yubikey_auth.unlang b/src/tests/modules/yubikey/yubikey_auth.unlang
new file mode 100644
index 00000000000..ae9f534be40
--- /dev/null
+++ b/src/tests/modules/yubikey/yubikey_auth.unlang
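Review bot: The module.conf fixture sets `validate = no` next to `decrypt = yes` without saying why, so a reader cannot tell whether skipping validation is deliberate or an oversight, and the suite as written only ever exercises the local decryption path. I would add a comment above that line, e.g. `# No validation-server round trip: keeps the test network-free; only local AES decryption is covered here`. If `validate` drives an online check against a validation server, as its name suggests, a regression on that path will not be caught by these tests, and that is worth stating in the fixture.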
@@ -0,0 +1,56 @@
+# Call yubikey module to split OTP from password
+yubikey
+
+if !(&User-Password == 'hello') {
+ test_fail
+}
+if !(&Yubikey-OTP) {
+ test_fail
+}
+if !(&Yubikey-Public-Id == 'ddddgciilcjk') {
+ test_fail
+}
+
+update control {
+ &Yubikey-Counter := 1
+ &Yubikey-Key := 0xb8c56af07ff79b2230e04ab8891784ce
+}
+
+# Call module in authenticate mode to decrypt OTP
+yubikey.authenticate
+
+# Check all the attributes have been created
+if !(&Yubikey-Private-Id == 0x1dfc67f97828) {
+ test_fail
+}
+if !(&Yubikey-Timestamp) {
+ test_fail
+}
+if !(&Yubikey-Counter == 258) {
+ test_fail
+}
+if !(&Yubikey-Random) {
+ test_fail
+}
+
+
+# Increase the known "counter" value to detect a replay attack
+update {
+ &control:Yubikey-Counter := &Yubikey-Counter
+}
+
+yubikey.authenticate {
+ reject = 1
+}
+
+# Replay attack should result in a reject and a suitable module failure
+if !(reject) {
+ test_fail
+}
+debug_all
+
+if !(&Module-Failure-Message == 'yubikey: Replay attack detected! Counter value 258, is lt or eq to last known counter value 258') {
+ test_fail
+}
+
+test_pass
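Review bot: The replay check only covers the equal-counter boundary: the stored counter is set to the OTP's own value (258) and the expected message itself says "lt or eq", so the strictly-lower branch of the comparison is never exercised and a regression that turned `<=` into `==` would still pass. I would add a second rejection case with the stored counter ahead of the OTP, as sketched below, without pinning the message text this time since a second `Module-Failure-Message` instance would be appended rather than replace the first. The bare `debug_all` before the message check looks like a leftover from debugging and will dump every attribute list into the test log on each run; I would drop it. It would also be worth asserting `if !(ok) { test_fail }` right after the first `yubikey.authenticate`, since the test currently infers success only from the attributes it created.
```unlang
# … unchanged: split, first decrypt, equal-counter replay case …

# A stored counter strictly ahead of the OTP's counter must also be rejected
update control {
	&Yubikey-Counter := 259
}

yubikey.authenticate {
	reject = 1
}

if !(reject) {
	test_fail
}

test_pass
```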
@@ -0,0 +1,42 @@
+update {
+ &Tmp-String-0 := 'vvrbuctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (&Tmp-String-1 != 'ffc1e0d3d260') {
+ test_fail
+}
+
+# Invalid modhex string - not even length
+update {
+ &Tmp-String-0 := 'vvrbuctetdh'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+if (&Module-Failure-Message != "Modhex string invalid") {
+ test_fail
+}
+
+# Invalid modhex string - invalid characters
+update {
+ &Tmp-String-0 := 'vxrbmctetdhc'
+ &Tmp-String-1 := "%{modhextohex:%{Tmp-String-0}}"
+}
+
+if (ok) {
+ test_fail
+}
+
+if (&Tmp-String-1 != "") {
+ test_fail
+}
+
+test_pass
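Review bot: The invalid-characters case at the end of the hunk checks only the return code and the empty result, while the odd-length case just above also pins `Module-Failure-Message`; the two rejection paths should be asserted the same way so a silent change in one of them is caught. I would add `if (&Module-Failure-Message != "Modhex string invalid") { test_fail }` after the final `Tmp-String-1` check, adjusting the string if the module reports bad characters with a different message (I cannot tell from this hunk). Since `Module-Failure-Message` from the earlier failure may still be present, the check may need to target the most recent instance or the attribute may need clearing before the second invalid expansion. The comment `# Invalid modhex string - not even length` would read more clearly as `# Invalid modhex string - odd length`.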