#!perl

# Server-side tests for the pure-Perl DIGEST-MD5 mechanism.  A server
# object is driven with canned client responses whose digests were
# computed against a fixed nonce, so every expected challenge and
# rspauth value in this file is an exact string.

use strict;
use warnings;

BEGIN {
    require Test::More;
    # Both digest modules are prerequisites of the mechanism; skip the
    # whole file instead of failing every test when either is missing.
    Test::More->import(skip_all => 'Need Digest::MD5')
        unless eval { require Digest::MD5; 1 };
    Test::More->import(skip_all => 'Need Digest::HMAC_MD5')
        unless eval { require Digest::HMAC_MD5; 1 };
}

use Test::More tests => 33;

use Authen::SASL qw(Perl);
use_ok 'Authen::SASL::Perl::DIGEST_MD5';

# Assigned by the authzid exchange below.  Nothing in this file reads it
# back (getsecret is the only callback registered), so it only records
# which authorization identity that exchange carries.
my $authname;

# The server needs nothing but a password lookup: the third argument of
# the getsecret callback is a code ref that is handed the secret.
my $sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => {
        getsecret => sub { $_[2]->('fred') },
    },
);
ok($sasl, 'new');

no warnings 'once';
# Pin the server nonce.  By default the mechanism derives it from $$,
# time and rand, which would make the canned client digests unverifiable.
$Authen::SASL::Perl::DIGEST_MD5::NONCE = "foobaz";

is($sasl->mechanism, 'DIGEST-MD5', 'sasl mechanism');

# With no_integrity the first exchanges advertise qop="auth" only; the
# auth-conf tests later on create a server without this option.
my $server = $sasl->server_new("ldap", "elwood.innosoft.com", { no_integrity => 1 });
is($server->mechanism, 'DIGEST-MD5', 'conn mechanism');
## simple success without authzid
{
    # The initial challenge is fixed by the pinned nonce and the
    # no_integrity server: only qop="auth" is on offer.
    my @challenge_fields = (
        'algorithm=md5-sess',
        'charset=utf-8',
        'cipher="rc4,3des,des,rc4-56,rc4-40"',
        'maxbuf=16777215',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop="auth"',
        'realm="elwood.innosoft.com"',
    );
    my $wanted_challenge = join ',', @challenge_fields;

    my $challenge;
    $server->server_start('', sub { $challenge = shift });
    is($challenge, $wanted_challenge, 'server_start');

    # Canned client response for user gbarr (secret 'fred') against the
    # challenge above; the response digest is the value under test.
    my $client_response = join ',', (
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000001',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth',
        'realm="elwood.innosoft.com"',
        'response=39ab7388b1f52492b1b87cda55177d04',
        'username="gbarr"',
    );

    my $server_final;
    $server->server_step($client_response, sub { $server_final = shift });
    ok($server->is_success, "This is the first and only step");
    ok(!$server->error, "no error") or diag $server->error;
    ok(!$server->need_step, "over");
    # qop=auth negotiates no protection layer, hence ssf 0.
    is($server->property('ssf'), 0, "auth doesn't provide any protection");
    # The server's final message authenticates it back to the client.
    is($server_final, "rspauth=dbf4b44d397bafd53be835344988ec9d", "rspauth matches");
}
# try with an authname
{
    # Same server object as the previous exchange, restarted; the
    # challenge it emits is unchanged.
    my $wanted_challenge = join ',', (
        'algorithm=md5-sess',
        'charset=utf-8',
        'cipher="rc4,3des,des,rc4-56,rc4-40"',
        'maxbuf=16777215',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop="auth"',
        'realm="elwood.innosoft.com"',
    );

    my $challenge;
    $server->server_start('', sub { $challenge = shift });
    is($challenge, $wanted_challenge, 'server_start');
    ok(!$server->is_success, "not success yet");
    ok(!$server->error, "no error") or diag $server->error;
    ok($server->need_step, "we need one more step");

    $authname = 'meme';

    # Response carrying an authzid.  nc is 00000002 here: this server
    # object already accepted nc=00000001 in the previous exchange, so
    # presumably the nonce count persists across server_start — verify
    # against the mechanism if that changes.
    my $client_response = join ',', (
        'authzid="meme"',
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000002',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth',
        'realm="elwood.innosoft.com"',
        'response=e01f51543754aa665cfa2c621d59ee9e',
        'username="gbarr"',
    );

    my $server_final;
    $server->server_step($client_response, sub { $server_final = shift });
    is($server_final, "rspauth=d10458627b2b6bb553d796f4d805fdd1", "rspauth")
        or diag $server->error;
    ok($server->is_success, "success!");
    ok(!$server->error, "no error") or diag $server->error;
    ok(!$server->need_step, "over");
    is($server->property('ssf'), 0, "auth doesn't provide any protection");
}
## using auth-conf (if available)
SKIP: {
    # auth-conf needs a usable cipher module; the mechanism raises this
    # flag when it has none (see the skip message), so the six checks
    # below cannot run.
    skip "Crypt not available", 6
        if $Authen::SASL::Perl::DIGEST_MD5::NO_CRYPT_AVAILABLE;

    # A fresh server without no_integrity offers every qop value.
    $server = $sasl->server_new("ldap", "elwood.innosoft.com");
    my $wanted_challenge = join ',', (
        'algorithm=md5-sess',
        'charset=utf-8',
        'cipher="rc4,3des,des,rc4-56,rc4-40"',
        'maxbuf=16777215',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop="auth,auth-conf,auth-int"',
        'realm="elwood.innosoft.com"',
    );

    my $challenge;
    $server->server_start('', sub { $challenge = shift });
    is($challenge, $wanted_challenge, 'server_start');

    # The client picks auth-conf (confidentiality layer).
    my $client_response = join ',', (
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000001',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth-conf',
        'realm="elwood.innosoft.com"',
        'response=e3c8b38d9bd9556761253e9879c4a8a2',
        'username="gbarr"',
    );

    my $server_final;
    $server->server_step($client_response, sub { $server_final = shift });
    ok($server->is_success, "This is the first and only step");
    ok(!$server->error, "no error") or diag $server->error;
    ok(!$server->need_step, "over");
    is($server_final, "rspauth=1b1156d0e7f046bd0ea1476eb7d63a7b", "rspauth matches");

    ## we have negotiated the conf layer: ssf must now be above 1
    ok($server->property('ssf') > 1, "yes! secure layer set up");
}
## wrong challenge response
{
    $server = $sasl->server_new("ldap", "elwood.innosoft.com");
    $server->server_start('');

    # Identical to the valid auth-conf response except that the response
    # digest is garbage; the server must refuse it.
    my $client_response = join ',', (
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000001',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth-conf',
        'realm="elwood.innosoft.com"',
        'response=nottherightone',
        'username="gbarr"',
    );

    $server->server_step($client_response);
    ok(!$server->is_success, "Bad challenge");

    # Without a cipher module the qop=auth-conf request is rejected before
    # the digest is ever compared, so the error text differs.
    my $wanted_error = $Authen::SASL::Perl::DIGEST_MD5::NO_CRYPT_AVAILABLE
        ? qr/Client qop not supported/
        : qr/incorrect.*response/i;
    like($server->error, $wanted_error, $server->error);
}
## multiple digest-uri;
{
    $server = $sasl->server_new("ldap", "elwood.innosoft.com");
    $server->server_start('');

    # The digest is the valid one, but digest-uri appears twice.  A
    # repeated directive has to be rejected outright rather than letting
    # either occurrence win.
    my $client_response = join ',', (
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000001',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth-conf',
        'realm="elwood.innosoft.com"',
        'response=e3c8b38d9bd9556761253e9879c4a8a2',
        'username="gbarr"',
    );

    $server->server_step($client_response);
    ok(!$server->is_success, "Bad challenge");
    like($server->error, qr/Bad.*challenge/i, $server->error);
}
## nonce-count;
{
    $server = $sasl->server_new("ldap", "elwood.innosoft.com");
    $server->server_start('');

    # A valid auth-conf response; it is submitted twice below.
    my $client_response = join ',', (
        'charset=utf-8',
        'cnonce="3858f62230ac3c915f300c664312c63f"',
        'digest-uri="ldap/elwood.innosoft.com"',
        'nc=00000001',
        'nonce="80338e79d2ca9b9c090ebaaa2ef293c7"',
        'qop=auth-conf',
        'realm="elwood.innosoft.com"',
        'response=e3c8b38d9bd9556761253e9879c4a8a2',
        'username="gbarr"',
    );

    SKIP: {
        skip "no crypt available", 4
            if $Authen::SASL::Perl::DIGEST_MD5::NO_CRYPT_AVAILABLE;

        $server->server_step($client_response);
        ok($server->is_success, "first is success");
        ok(!$server->error, "no error");

        # Replaying the very same message reuses nc=00000001; the server
        # must detect the stale nonce count instead of accepting it again.
        $server->server_step($client_response);
        ok(!$server->is_success, "replay attack");
        like($server->error, qr/nonce-count.*match/i, $server->error);
    }
}