PageRenderTime 63ms CodeModel.GetById 39ms RepoModel.GetById 1ms app.codeStats 0ms

/sys-auth/google-authenticator/files/1.08-remove-failing-tests.patch

https://gitlab.com/redcore/portage
Patch | 301 lines | 297 code | 4 blank | 0 comment | 0 complexity | 32c2bacb83a2dc051651a2427ea6c40a MD5 | raw file
    

  1. From 9e26b1885250cb0b7a710d9ae65542e3fcae684f Mon Sep 17 00:00:00 2001
    2. 

  2. From: Ronny Gutbrod <gentoo@tastytea.de>
    3. 

  3. Date: Sat, 11 Apr 2020 21:08:37 +0200
    4. 

  4. Subject: [PATCH] Remove calls to  pam_sm_authenticate().
    5. 

  5. 

  6. It tries to change the user id, which is prohibited by the sandbox. See #624588.
    7. 

  7. ---
    8. 

  8.  tests/pam_google_authenticator_unittest.c | 271 ----------------------
    9. 

  9.  1 file changed, 271 deletions(-)
    10. 

  10. 

  11. diff --git a/tests/pam_google_authenticator_unittest.c b/tests/pam_google_authenticator_unittest.c
    12. 

  12. index edade47..0661b8b 100644
    13. 

  13. --- a/tests/pam_google_authenticator_unittest.c
    14. 

  14. +++ b/tests/pam_google_authenticator_unittest.c
    15. 

  15. @@ -338,72 +338,6 @@ int main(int argc, char *argv[]) {
    16. 

  16.      // Make sure num_prompts_shown is still 0.
    17. 

  17.      verify_prompts_shown(0);
    18. 

  18. 

  19. -    // Set the timestamp that this test vector needs
    20. 

  20. -    set_time(10000*30);
    21. 

  21. -
    22. 

  22. -    response = "123456";
    23. 

  23. -
    24. 

  24. -    // Check if we can log in when using an invalid verification code
    25. 

  25. -    puts("Testing failed login attempt");
    26. 

  26. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    27. 

  27. -    verify_prompts_shown(expected_bad_prompts_shown);
    28. 

  28. -
    29. 

  29. -    // Check required number of digits
    30. 

  30. -    if (conv_mode == TWO_PROMPTS) {
    31. 

  31. -      puts("Testing required number of digits");
    32. 

  32. -      response = "50548";
    33. 

  33. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    34. 

  34. -      verify_prompts_shown(expected_bad_prompts_shown);
    35. 

  35. -      response = "0050548";
    36. 

  36. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    37. 

  37. -      verify_prompts_shown(expected_bad_prompts_shown);
    38. 

  38. -      response = "00050548";
    39. 

  39. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    40. 

  40. -      verify_prompts_shown(expected_bad_prompts_shown);
    41. 

  41. -    }
    42. 

  42. -
    43. 

  43. -    // Test a blank response
    44. 

  44. -    puts("Testing a blank response");
    45. 

  45. -    response = "";
    46. 

  46. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    47. 

  47. -    verify_prompts_shown(expected_bad_prompts_shown);
    48. 

  48. -
    49. 

  49. -    // Set the response that we should send back to the authentication module
    50. 

  50. -    response = "050548";
    51. 

  51. -
    52. 

  52. -    // Test handling of missing state files
    53. 

  53. -    puts("Test handling of missing state files");
    54. 

  54. -    const char *old_secret = targv[0];
    55. 

  55. -    targv[0] = "secret=/NOSUCHFILE";
    56. 

  56. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    57. 

  57. -    verify_prompts_shown(password_is_provided_from_external ? 0 : expected_bad_prompts_shown);
    58. 

  58. -    targv[targc++] = "nullok";
    59. 

  59. -    targv[targc] = NULL;
    60. 

  60. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_IGNORE);
    61. 

  61. -    verify_prompts_shown(0);
    62. 

  62. -    targv[--targc] = NULL;
    63. 

  63. -    targv[0] = old_secret;
    64. 

  64. -
    65. 

  65. -    // Check if we can log in when using a valid verification code
    66. 

  66. -    puts("Testing successful login");
    67. 

  67. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    68. 

  68. -    verify_prompts_shown(expected_good_prompts_shown);
    69. 

  69. -
    70. 

  70. -    // Test the STEP_SIZE option
    71. 

  71. -    puts("Testing STEP_SIZE option");
    72. 

  72. -    assert(!chmod(fn, 0600));
    73. 

  73. -    assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0);
    74. 

  74. -    assert(write(fd, "\n\" STEP_SIZE 60\n", 16) == 16);
    75. 

  75. -    close(fd);
    76. 

  76. -    for (int *tm  = (int []){ 9998, 9999, 10001, 10002, 10000, -1 },
    77. 

  77. -             *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS,
    78. 

  78. -                              PAM_AUTH_ERR, PAM_SUCCESS };
    79. 

  79. -         *tm >= 0;) {
    80. 

  80. -      set_time(*tm++ * 60);
    81. 

  81. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++);
    82. 

  82. -      verify_prompts_shown(expected_good_prompts_shown);
    83. 

  83. -    }
    84. 

  84. -
    85. 

  85.      // Reset secret file after step size testing.
    86. 

  86.      assert(!chmod(fn, 0600));
    87. 

  87.      assert((fd = open(fn, O_TRUNC | O_WRONLY)) >= 0);
    88. 

  88. @@ -411,211 +345,6 @@ int main(int argc, char *argv[]) {
    89. 

  89.      assert(write(fd, "\n\" TOTP_AUTH", 12) == 12);
    90. 

  90.      close(fd);
    91. 

  91. 

  92. -    // Test the WINDOW_SIZE option
    93. 

  93. -    puts("Testing WINDOW_SIZE option");
    94. 

  94. -    for (int *tm  = (int []){ 9998, 9999, 10001, 10002, 10000, -1 },
    95. 

  95. -             *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS,
    96. 

  96. -                              PAM_AUTH_ERR, PAM_SUCCESS };
    97. 

  97. -         *tm >= 0;) {
    98. 

  98. -      set_time(*tm++ * 30);
    99. 

  99. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++);
    100. 

  100. -      verify_prompts_shown(expected_good_prompts_shown);
    101. 

  101. -    }
    102. 

  102. -    assert(!chmod(fn, 0600));
    103. 

  103. -    assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0);
    104. 

  104. -    assert(write(fd, "\n\" WINDOW_SIZE 6\n", 17) == 17);
    105. 

  105. -    close(fd);
    106. 

  106. -    for (int *tm  = (int []){ 9996, 9997, 10002, 10003, 10000, -1 },
    107. 

  107. -             *res = (int []){ PAM_AUTH_ERR, PAM_SUCCESS, PAM_SUCCESS,
    108. 

  108. -                              PAM_AUTH_ERR, PAM_SUCCESS };
    109. 

  109. -         *tm >= 0;) {
    110. 

  110. -      set_time(*tm++ * 30);
    111. 

  111. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res++);
    112. 

  112. -      verify_prompts_shown(expected_good_prompts_shown);
    113. 

  113. -    }
    114. 

  114. -
    115. 

  115. -    // Test the DISALLOW_REUSE option
    116. 

  116. -    puts("Testing DISALLOW_REUSE option");
    117. 

  117. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    118. 

  118. -    verify_prompts_shown(expected_good_prompts_shown);
    119. 

  119. -    assert(!chmod(fn, 0600));
    120. 

  120. -    assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0);
    121. 

  121. -    assert(write(fd, "\" DISALLOW_REUSE\n", 17) == 17);
    122. 

  122. -    close(fd);
    123. 

  123. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    124. 

  124. -    verify_prompts_shown(expected_good_prompts_shown);
    125. 

  125. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    126. 

  126. -    verify_prompts_shown(expected_good_prompts_shown);
    127. 

  127. -
    128. 

  128. -    // Test that DISALLOW_REUSE expires old entries from the re-use list
    129. 

  129. -    char *old_response = response;
    130. 

  130. -    for (int i = 10001; i < 10008; ++i) {
    131. 

  131. -      set_time(i * 30);
    132. 

  132. -      char buf[7];
    133. 

  133. -      response = buf;
    134. 

  134. -      sprintf(response, "%06d", compute_code(binary_secret,
    135. 

  135. -                                             binary_secret_len, i));
    136. 

  136. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    137. 

  137. -      verify_prompts_shown(expected_good_prompts_shown);
    138. 

  138. -    }
    139. 

  139. -    set_time(10000 * 30);
    140. 

  140. -    response = old_response;
    141. 

  141. -    assert((fd = open(fn, O_RDONLY)) >= 0);
    142. 

  142. -    char state_file_buf[4096] = { 0 };
    143. 

  143. -    assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0);
    144. 

  144. -    close(fd);
    145. 

  145. -    const char *disallow = strstr(state_file_buf, "\" DISALLOW_REUSE ");
    146. 

  146. -    assert(disallow);
    147. 

  147. -    assert(!memcmp(disallow + 17,
    148. 

  148. -                   "10002 10003 10004 10005 10006 10007\n", 36));
    149. 

  149. -
    150. 

  150. -    // Test the RATE_LIMIT option
    151. 

  151. -    puts("Testing RATE_LIMIT option");
    152. 

  152. -    assert(!chmod(fn, 0600));
    153. 

  153. -    assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0);
    154. 

  154. -    assert(write(fd, "\" RATE_LIMIT 4 120\n", 19) == 19);
    155. 

  155. -    close(fd);
    156. 

  156. -    for (int *tm  = (int []){ 20000, 20001, 20002, 20003, 20004, 20006, -1 },
    157. 

  157. -             *res = (int []){ PAM_SUCCESS, PAM_SUCCESS, PAM_SUCCESS,
    158. 

  158. -                              PAM_SUCCESS, PAM_AUTH_ERR, PAM_SUCCESS, -1 };
    159. 

  159. -         *tm >= 0;) {
    160. 

  160. -      set_time(*tm * 30);
    161. 

  161. -      char buf[7];
    162. 

  162. -      response = buf;
    163. 

  163. -      sprintf(response, "%06d",
    164. 

  164. -              compute_code(binary_secret, binary_secret_len, *tm++));
    165. 

  165. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) == *res);
    166. 

  166. -      verify_prompts_shown(
    167. 

  167. -          *res != PAM_SUCCESS ? 0 : expected_good_prompts_shown);
    168. 

  168. -      ++res;
    169. 

  169. -    }
    170. 

  170. -    set_time(10000 * 30);
    171. 

  171. -    response = old_response;
    172. 

  172. -    assert(!chmod(fn, 0600));
    173. 

  173. -    assert((fd = open(fn, O_RDWR)) >= 0);
    174. 

  174. -    memset(state_file_buf, 0, sizeof(state_file_buf));
    175. 

  175. -    assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0);
    176. 

  176. -    const char *rate_limit = strstr(state_file_buf, "\" RATE_LIMIT ");
    177. 

  177. -    assert(rate_limit);
    178. 

  178. -    assert(!memcmp(rate_limit + 13,
    179. 

  179. -                   "4 120 600060 600090 600120 600180\n", 35));
    180. 

  180. -
    181. 

  181. -    // Test trailing space in RATE_LIMIT. This is considered a file format
    182. 

  182. -    // error.
    183. 

  183. -    char *eol = strchr(rate_limit, '\n');
    184. 

  184. -    *eol = ' ';
    185. 

  185. -    assert(!lseek(fd, 0, SEEK_SET));
    186. 

  186. -    assert(write(fd, state_file_buf, strlen(state_file_buf)) ==
    187. 

  187. -           strlen(state_file_buf));
    188. 

  188. -    close(fd);
    189. 

  189. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    190. 

  190. -    verify_prompts_shown(0);
    191. 

  191. -    assert(!strncmp(get_error_msg(),
    192. 

  192. -                    "Invalid list of timestamps in RATE_LIMIT", 40));
    193. 

  193. -    *eol = '\n';
    194. 

  194. -    assert(!chmod(fn, 0600));
    195. 

  195. -    assert((fd = open(fn, O_WRONLY)) >= 0);
    196. 

  196. -    assert(write(fd, state_file_buf, strlen(state_file_buf)) ==
    197. 

  197. -           strlen(state_file_buf));
    198. 

  198. -    close(fd);
    199. 

  199. -
    200. 

  200. -    // Test TIME_SKEW option
    201. 

  201. -    puts("Testing TIME_SKEW");
    202. 

  202. -    for (int i = 0; i < 4; ++i) {
    203. 

  203. -      set_time((12000 + i)*30);
    204. 

  204. -      char buf[7];
    205. 

  205. -      response = buf;
    206. 

  206. -      sprintf(response, "%06d",
    207. 

  207. -              compute_code(binary_secret, binary_secret_len, 11000 + i));
    208. 

  208. -      assert(pam_sm_authenticate(NULL, 0, targc, targv) ==
    209. 

  209. -             (i >= 2 ? PAM_SUCCESS : PAM_AUTH_ERR));
    210. 

  210. -      verify_prompts_shown(expected_good_prompts_shown);
    211. 

  211. -    }
    212. 

  212. -
    213. 

  213. -    puts("Testing TIME_SKEW - noskewadj");
    214. 

  214. -    set_time(12020 * 30);
    215. 

  215. -    char buf[7];
    216. 

  216. -    response = buf;
    217. 

  217. -    sprintf(response, "%06d", compute_code(binary_secret,
    218. 

  218. -                                           binary_secret_len, 11010));
    219. 

  219. -    targv[targc] = "noskewadj";
    220. 

  220. -    assert(pam_sm_authenticate(NULL, 0, targc+1, targv) == PAM_AUTH_ERR);
    221. 

  221. -    targv[targc] = NULL;
    222. 

  222. -    verify_prompts_shown(expected_bad_prompts_shown);
    223. 

  223. -    set_time(10000*30);
    224. 

  224. -
    225. 

  225. -    // Test scratch codes
    226. 

  226. -    puts("Testing scratch codes");
    227. 

  227. -    response = "12345678";
    228. 

  228. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    229. 

  229. -    verify_prompts_shown(expected_bad_prompts_shown);
    230. 

  230. -    assert(!chmod(fn, 0600));
    231. 

  231. -    assert((fd = open(fn, O_APPEND | O_WRONLY)) >= 0);
    232. 

  232. -    assert(write(fd, "12345678\n", 9) == 9);
    233. 

  233. -    close(fd);
    234. 

  234. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    235. 

  235. -    verify_prompts_shown(expected_good_prompts_shown);
    236. 

  236. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    237. 

  237. -    verify_prompts_shown(expected_bad_prompts_shown);
    238. 

  238. -
    239. 

  239. -    // Set up secret file for counter-based codes.
    240. 

  240. -    assert(!chmod(fn, 0600));
    241. 

  241. -    assert((fd = open(fn, O_TRUNC | O_WRONLY)) >= 0);
    242. 

  242. -    assert(write(fd, secret, sizeof(secret)-1) == sizeof(secret)-1);
    243. 

  243. -    assert(write(fd, "\n\" HOTP_COUNTER 1\n", 18) == 18);
    244. 

  244. -    close(fd);
    245. 

  245. -
    246. 

  246. -    response = "293240";
    247. 

  247. -
    248. 

  248. -    // Check if we can log in when using a valid verification code
    249. 

  249. -    puts("Testing successful counter-based login");
    250. 

  250. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    251. 

  251. -    verify_prompts_shown(expected_good_prompts_shown);
    252. 

  252. -
    253. 

  253. -    // Verify that the hotp counter incremented
    254. 

  254. -    assert((fd = open(fn, O_RDONLY)) >= 0);
    255. 

  255. -    memset(state_file_buf, 0, sizeof(state_file_buf));
    256. 

  256. -    assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0);
    257. 

  257. -    close(fd);
    258. 

  258. -    const char *hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER ");
    259. 

  259. -    assert(hotp_counter);
    260. 

  260. -    assert(!memcmp(hotp_counter + 15, "2\n", 2));
    261. 

  261. -
    262. 

  262. -    // Check if we can log in when using an invalid verification code
    263. 

  263. -    // (including the same code a second time)
    264. 

  264. -    puts("Testing failed counter-based login attempt");
    265. 

  265. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_AUTH_ERR);
    266. 

  266. -    verify_prompts_shown(expected_bad_prompts_shown);
    267. 

  267. -
    268. 

  268. -    // Verify that the hotp counter incremented
    269. 

  269. -    assert((fd = open(fn, O_RDONLY)) >= 0);
    270. 

  270. -    memset(state_file_buf, 0, sizeof(state_file_buf));
    271. 

  271. -    assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0);
    272. 

  272. -    close(fd);
    273. 

  273. -    hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER ");
    274. 

  274. -    assert(hotp_counter);
    275. 

  275. -    assert(!memcmp(hotp_counter + 15, "3\n", 2));
    276. 

  276. -
    277. 

  277. -    response = "932068";
    278. 

  278. -
    279. 

  279. -    // Check if we can log in using a future valid verification code (using
    280. 

  280. -    // default window_size of 3)
    281. 

  281. -    puts("Testing successful future counter-based login");
    282. 

  282. -    assert(pam_sm_authenticate(NULL, 0, targc, targv) == PAM_SUCCESS);
    283. 

  283. -    verify_prompts_shown(expected_good_prompts_shown);
    284. 

  284. -
    285. 

  285. -    // Verify that the hotp counter incremented
    286. 

  286. -    assert((fd = open(fn, O_RDONLY)) >= 0);
    287. 

  287. -    memset(state_file_buf, 0, sizeof(state_file_buf));
    288. 

  288. -    assert(read(fd, state_file_buf, sizeof(state_file_buf)-1) > 0);
    289. 

  289. -    close(fd);
    290. 

  290. -    hotp_counter = strstr(state_file_buf, "\" HOTP_COUNTER ");
    291. 

  291. -    assert(hotp_counter);
    292. 

  292. -    assert(!memcmp(hotp_counter + 15, "6\n", 2));
    293. 

  293. -
    294. 

  294. -    // Remove the temporarily created secret file
    295. 

  295. -    unlink(fn);
    296. 

  296. -
    297. 

  297.      // Release memory for the test arguments
    298. 

  298.      for (int i = 0; i < targc; ++i) {
    299. 

  299.        free((void *)targv[i]);
    300. 

  300. --
    301. 

  301. 2.24.1
    302. 

  302.