diff options
Diffstat (limited to '')
-rw-r--r-- | src/tests/keywords/crypt | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/src/tests/keywords/crypt b/src/tests/keywords/crypt new file mode 100644 index 0000000..e6d63aa --- /dev/null +++ b/src/tests/keywords/crypt @@ -0,0 +1,151 @@ +# +# PRE: update if +# + +# Skip all these tests if crypt_r was not available +# +if ("%{crypt:&User-Password}") { + noop +} +if ("%{request:Module-Failure-Message[0]}" !~ /^Crypt not available at compile time/) { + + +# Set required attributes +# +update reply { + &Filter-Id := "filter" +} + +update request { + &Tmp-String-0 := 'foo' + &Tmp-String-1 := 'foo:bar' + &Tmp-String-2 := 'f:' + &Tmp-String-3 := &User-Password + &Tmp-String-4 := &control:Cleartext-Password + &Tmp-String-5 := 'fwtLWDtMiSbH8lmXCMIVfrSMJjF' + &Tmp-String-8 := 'aa' + &Tmp-String-9 := '$1$abcdefgh' +} + + +# Check for error on no salt +# +if ("%{crypt:&User-Password}") { + update reply { + &Filter-Id += 'fail 1a' + } +} + +if ("%{request:Module-Failure-Message[0]}" != 'No salt specified in crypt xlat') { + update reply { + &Filter-Id += 'fail 1b' + } +} + + +# Check DES - all crypt_r() implementations should do this. +# +if ("%{crypt:aa:foo}" != "aaKNIEDOaueR6") { + update reply { + &Filter-Id += 'fail 2a' + } +} + +if ("%{crypt:&Tmp-String-8:foo}" != "aaKNIEDOaueR6") { + update reply { + &Filter-Id += 'fail 2b' + } +} + +if ("%{crypt:aa:&User-Password}" != "aaPwJ9XL9Y99E") { + update reply { + &Filter-Id += 'fail 2c' + } +} + + +# Test we can encrypt and then authenticate +# +update { + &request:User-Password := &request:Tmp-String-5 + &control:Crypt-Password := "%{crypt:AZ:&Tmp-String-5}" + &control:Cleartext-Password !* "" +} + +group { + pap.authenticate { + fail = 1 + reject = 1 + } + + if (!ok) { + update reply { + &Filter-Id += 'fail 3' + } + } +} + +update { + &request:User-Password := &Tmp-String-3 + &control:Cleartext-Password := &Tmp-String-4 +} + + +# Clear Module-Failure-Message so below tests work no matter what +# happened above +# +update request { + &Module-Failure-Message !* "" +} + + +# Check colons in password +# +if ("%{crypt:aa:foo:bar}" != "aadzEnaZwH90k") { + update reply { + &Filter-Id += 'fail 4a' + } +} + +if ("%{crypt:aa:&Tmp-String-1}" != "aadzEnaZwH90k") { + update reply { + &Filter-Id += 'fail 4b' + } +} + + +# Check invalid chars in salt +# +# In this case, depending on the library implementation, crypt +# seems to either return an empty string (null) and set an error, +# or it will return an invalid hash beginning with '*'. +# +update request { + &Tmp-String-7 := "%{crypt:&Tmp-String-2:foo}" +} + +if (&Tmp-String-7 !~ /^\*/ && \ + "%{request:Module-Failure-Message[0]}" !~ /Crypt salt has the wrong format/) { + update reply { + &Filter-Id += 'fail 5a' + } +} + + +# Convert the Cleartext-Password to Password-With-Header and auth with that +# +update control { + &Password-With-Header := "{crypt}%{crypt:$1$abcdefgh:&Tmp-String-4}" + &Crypt-Password !* "" + &Cleartext-Password !* "" +} + + +# Crypt not available at compile time? Force the test to pass. +# +} +else { + update reply { + &Filter-Id := "filter" + } +} |