From 9e26b1885250cb0b7a710d9ae65542e3fcae684f Mon Sep 17 00:00:00 2001 From: Ronny Gutbrod Date: Sat, 11 Apr 2020 21:08:37 +0200 Subject: [PATCH] Remove calls to pam_sm_authenticate(). It tries to change the user id, which is prohibited by the sandbox. See #624588. --- tests/pam_google_authenticator_unittest.c | 271 ---------------------- 1 file changed, 271 deletions(-) diff --git a/tests/pam_google_authenticator_unittest.c b/tests/pam_google_authenticator_unittest.c index edade47..0661b8b 100644 --- a/tests/pam_google_authenticator_unittest.c +++ b/tests/pam_google_authenticator_unittest.c @@ -338,72 +338,6 @@ int main(int argc, char *argv[]) { // Make sure num_prompts_shown is still 0. verify_prompts_shown(0); - // Set the timestamp that this test vector needs - set_time(10000*30); - - response = "123456"; - - // Check if we can log in when using an invalid verification code - puts("Testing failed login attempt"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - - // Check required number of digits - if (conv_mode == TWO_PROMPTS) { - puts("Testing required number of digits"); - response = "50548"; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - response = "0050548"; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - response = "00050548"; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - } - - // Test a blank response - puts("Testing a blank response"); - response = ""; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - - // Set the response that we should send back to the authentication module - response = "050548"; - - // Test handling of missing state files - puts("Test handling of missing state files"); - const char *old_secret = targv[0]; - targv[0] = "secret=/NOSUCHFILE"; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(password_is_provided_from_external ? 0 : expected_bad_prompts_shown); - targv[targc++] = "nullok"; - targv[targc] = NULL; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_IGNORE); - verify_prompts_shown(0); - targv[--targc] = NULL; - targv[0] = old_secret; - - // Check if we can log in when using a valid verification code - puts("Testing successful login"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - - // Test the STEP_SIZE option - puts("Testing STEP_SIZE option"); - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0); - assert(write(fd, "\n\" STEP_SIZE 60\n", 16) == 16); - close(fd); - for (int *tm = (int []){ 9998, 9999, 10001, 10002, 10000, -1 }, - *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS, - PAM_AUTH_ERR, PAM_SUCCESS }; - *tm >= 0;) { - set_time(*tm++ * 60); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++); - verify_prompts_shown(expected_good_prompts_shown); - } - // Reset secret file after step size testing. assert(!chmod(fn, 0600)); assert((fd = open(fn, O_TRUNC | O_WRONLY)) >= 0); @@ -411,211 +345,6 @@ int main(int argc, char *argv[]) { assert(write(fd, "\n\" TOTP_AUTH", 12) == 12); close(fd); - // Test the WINDOW_SIZE option - puts("Testing WINDOW_SIZE option"); - for (int *tm = (int []){ 9998, 9999, 10001, 10002, 10000, -1 }, - *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS, - PAM_AUTH_ERR, PAM_SUCCESS }; - *tm >= 0;) { - set_time(*tm++ * 30); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++); - verify_prompts_shown(expected_good_prompts_shown); - } - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0); - assert(write(fd, "\n\" WINDOW_SIZE 6\n", 17) == 17); - close(fd); - for (int *tm = (int []){ 9996, 9997, 10002, 10003, 10000, -1 }, - *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS, - PAM_AUTH_ERR, PAM_SUCCESS }; - *tm >= 0;) { - set_time(*tm++ * 30); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++); - verify_prompts_shown(expected_good_prompts_shown); - } - - // Test the DISALLOW_REUSE option - puts("Testing DISALLOW_REUSE option"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0); - assert(write(fd, "\" DISALLOW_REUSE\n", 17) == 17); - close(fd); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_good_prompts_shown); - - // Test that DISALLOW_REUSE expires old entries from the re-use list - char *old_response = response; - for (int i = 10001; i < 10008; ++i) { - set_time(i * 30); - char buf[7]; - response = buf; - sprintf(response, "%06d", compute_code(binary_secret, - binary_secret_len, i)); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - } - set_time(10000 * 30); - response = old_response; - assert((fd = open(fn, O_RDONLY)) >= 0); - char state_file_buf[4096] = { 0 }; - assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0); - close(fd); - const char *disallow = strstr(state_file_buf, "\" DISALLOW_REUSE "); - assert(disallow); - assert(!memcmp(disallow + 17, - "10002 10003 10004 10005 10006 10007\n", 36)); - - // Test the RATE_LIMIT option - puts("Testing RATE_LIMIT option"); - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0); - assert(write(fd, "\" RATE_LIMIT 4 120\n", 19) == 19); - close(fd); - for (int *tm = (int []){ 20000, 20001, 20002, 20003, 20004, 20006, -1 }, - *res = (int []){ PAM_SUCCESS, PAM_SUCCESS, PAM_SUCCESS, - PAM_SUCCESS, PAM_AUTH_ERR, PAM_SUCCESS, -1 }; - *tm >= 0;) { - set_time(*tm * 30); - char buf[7]; - response = buf; - sprintf(response, "%06d", - compute_code(binary_secret, binary_secret_len, *tm++)); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res); - verify_prompts_shown( - *res != PAM_SUCCESS ? 0 : expected_good_prompts_shown); - ++res; - } - set_time(10000 * 30); - response = old_response; - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_RDWR)) >= 0); - memset(state_file_buf, 0, sizeof(state_file_buf)); - assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0); - const char *rate_limit = strstr(state_file_buf, "\" RATE_LIMIT "); - assert(rate_limit); - assert(!memcmp(rate_limit + 13, - "4 120 600060 600090 600120 600180\n", 35)); - - // Test trailing space in RATE_LIMIT. This is considered a file format - // error. - char *eol = strchr(rate_limit, '\n'); - *eol = ' '; - assert(!lseek(fd, 0, SEEK_SET)); - assert(write(fd, state_file_buf, strlen(state_file_buf)) == - strlen(state_file_buf)); - close(fd); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(0); - assert(!strncmp(get_error_msg(), - "Invalid list of timestamps in RATE_LIMIT", 40)); - *eol = '\n'; - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_WRONLY)) >= 0); - assert(write(fd, state_file_buf, strlen(state_file_buf)) == - strlen(state_file_buf)); - close(fd); - - // Test TIME_SKEW option - puts("Testing TIME_SKEW"); - for (int i = 0; i < 4; ++i) { - set_time((12000 + i)*30); - char buf[7]; - response = buf; - sprintf(response, "%06d", - compute_code(binary_secret, binary_secret_len, 11000 + i)); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == - (i >= 2 ? PAM_SUCCESS : PAM_AUTH_ERR)); - verify_prompts_shown(expected_good_prompts_shown); - } - - puts("Testing TIME_SKEW - noskewadj"); - set_time(12020 * 30); - char buf[7]; - response = buf; - sprintf(response, "%06d", compute_code(binary_secret, - binary_secret_len, 11010)); - targv[targc] = "noskewadj"; - assert(pam_sm_authenticate(NULL, 0, targc+1, targv) == PAM_AUTH_ERR); - targv[targc] = NULL; - verify_prompts_shown(expected_bad_prompts_shown); - set_time(10000*30); - - // Test scratch codes - puts("Testing scratch codes"); - response = "12345678"; - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0); - assert(write(fd, "12345678\n", 9) == 9); - close(fd); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - - // Set up secret file for counter-based codes. - assert(!chmod(fn, 0600)); - assert((fd = open(fn, O_TRUNC | O_WRONLY)) >= 0); - assert(write(fd, secret, sizeof(secret)-1) == sizeof(secret)-1); - assert(write(fd, "\n\" HOTP_COUNTER 1\n", 18) == 18); - close(fd); - - response = "293240"; - - // Check if we can log in when using a valid verification code - puts("Testing successful counter-based login"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - - // Verify that the hotp counter incremented - assert((fd = open(fn, O_RDONLY)) >= 0); - memset(state_file_buf, 0, sizeof(state_file_buf)); - assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0); - close(fd); - const char *hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER "); - assert(hotp_counter); - assert(!memcmp(hotp_counter + 15, "2\n", 2)); - - // Check if we can log in when using an invalid verification code - // (including the same code a second time) - puts("Testing failed counter-based login attempt"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR); - verify_prompts_shown(expected_bad_prompts_shown); - - // Verify that the hotp counter incremented - assert((fd = open(fn, O_RDONLY)) >= 0); - memset(state_file_buf, 0, sizeof(state_file_buf)); - assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0); - close(fd); - hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER "); - assert(hotp_counter); - assert(!memcmp(hotp_counter + 15, "3\n", 2)); - - response = "932068"; - - // Check if we can log in using a future valid verification code (using - // default window_size of 3) - puts("Testing successful future counter-based login"); - assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS); - verify_prompts_shown(expected_good_prompts_shown); - - // Verify that the hotp counter incremented - assert((fd = open(fn, O_RDONLY)) >= 0); - memset(state_file_buf, 0, sizeof(state_file_buf)); - assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0); - close(fd); - hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER "); - assert(hotp_counter); - assert(!memcmp(hotp_counter + 15, "6\n", 2)); - - // Remove the temporarily created secret file - unlink(fn); - // Release memory for the test arguments for (int i = 0; i < targc; ++i) { free((void *)targv[i]); -- 2.24.1