summaryrefslogtreecommitdiffstats
path: root/check
diff options
context:
space:
mode:
Diffstat (limited to 'check')
-rwxr-xr-xcheck266
1 files changed, 266 insertions, 0 deletions
diff --git a/check b/check
new file mode 100755
index 0000000..6d9123f
--- /dev/null
+++ b/check
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+CRYPT=${CRYPT:-./crypt}
+ASKPASS=${ASKPASS:-./askpass}
+
+oneTimeSetUp() {
+ export OUTDIR="$SHUNIT_TMPDIR/out"
+ export BINDIR="$SHUNIT_TMPDIR/bin"
+ export PATH="$BINDIR:$PATH"
+
+ # Directory for output data (dropped after each test)
+ mkdir -p $OUTDIR
+
+ # Test helper scripts
+ mkdir -p $BINDIR
+ cat >$BINDIR/askpass <<END
+#!/bin/sh
+echo -n "\${FAKE_ASKPASS_ANSWER:-foobar}"
+END
+ cat >$BINDIR/cryptsetup <<END
+#!/bin/sh
+echo "\$@" >>$OUTDIR/cryptsetup
+END
+ chmod 755 $BINDIR/*
+}
+
+setUp() {
+ # Overrides for askpass
+ export DIVERTED_ASKPASS="$BINDIR/askpass"
+ export CRYPT_HELPER="$CRYPT"
+ export NUKE_PASSWORD_HASH_PATH="$SHUNIT_TMPDIR/password_hash"
+ export CRYPTTAB_SOURCE="$SHUNIT_TMPDIR/device"
+ touch $CRYPTTAB_SOURCE
+
+ # Clean up some environment variables that might be set by tests
+ unset FAKE_ASKPASS_ANSWER
+}
+
+tearDown() {
+ if [ -d "$OUTDIR" ]; then
+ rm -f $OUTDIR/*
+ fi
+ rm -f $NUKE_PASSWORD_HASH_PATH
+}
+
+testCryptNoArgsOutput() {
+ output=$($CRYPT 2>&1 </dev/null)
+ if ! echo "$output" | grep -q "Usage:"; then
+ fail 'Does not print Usage output without argument'
+ fi
+}
+testCryptNoArgsExitCode() {
+ $CRYPT >/dev/null 2>&1 </dev/null
+ assertEquals 'Bad exit code when ran without argument' 1 $?
+}
+
+testCryptBadArgOutput() {
+ output=$($CRYPT --doesnotexist 2>&1 </dev/null)
+ if ! echo "$output" | grep -q "Usage:"; then
+ fail 'Does not print Usage output with invalid argument'
+ fi
+}
+testCryptBadArgExitCode() {
+ $CRYPT --doesnotexist >/dev/null 2>&1 </dev/null
+ assertEquals 'Bad exit code when ran with invalid argument' 1 $?
+}
+
+testCryptHelpOutput() {
+ output=$($CRYPT --help 2>&1 </dev/null)
+ if ! echo "$output" | grep -q "Usage:"; then
+ fail 'Does not print Usage output with --help'
+ fi
+}
+testCryptHelpExitCode() {
+ $CRYPT --help >/dev/null 2>&1 </dev/null
+ assertEquals 'Bad exit code when ran with --help' 0 $?
+}
+
+testCryptGenerateEmptyPassword() {
+ output_stdout=$($CRYPT --generate 'h/' 2>/dev/null </dev/null)
+ output_stderr=$($CRYPT --generate 'h/' 2>&1 >/dev/null </dev/null)
+ exit_code=$?
+ assertNull "'crypt --generate </dev/null' unexpectedly generated something" "$output_stdout"
+ if ! echo "$output_stderr" | grep -q "ERROR:"; then
+ fail "'crypt --generate </dev/null' did not print any error message"
+ fi
+ assertEquals "'crypt --generate </dev/null' has a bad exit code" 1 $exit_code
+}
+
+do_testCryptGenerate() {
+ output=$(echo "foobar" | $CRYPT --generate $1)
+ exit_code=$?
+ assertNotNull "'echo foobar | crypt --generate $1' ($2) provided no output" "$output"
+ assertEquals "'echo foobar | crypt --generate $1' ($2) returned bad exit code" 0 $exit_code
+}
+
+testCryptGenerateBasic() {
+ do_testCryptGenerate 'h/' 'DES'
+}
+testCryptGenerateMD5() {
+ do_testCryptGenerate '$1$h/$' 'MD5'
+}
+testCryptGenerateSHA256() {
+ do_testCryptGenerate '$5$h/$' 'SHA-256'
+}
+testCryptGenerateSHA512() {
+ do_testCryptGenerate '$6$h/$' 'SHA-512'
+}
+
+testCryptGenerateBadSalt() {
+ output_stdout=$(echo foobar | $CRYPT --generate '$999$foobar$' 2>/dev/null)
+ output_stderr=$(echo foobar | $CRYPT --generate '$999$foobar$' 2>&1 >/dev/null)
+ exit_code=$?
+ assertNull "'echo foobar | crypt --generate <bad-salt>' unexpectedly generated something" "$output_stdout"
+ if ! echo "$output_stderr" | grep -q "ERROR:"; then
+ fail "'echo foobar | crypt --generate <bad-salt>' did not print any error message"
+ fi
+ assertEquals "'echo foobar | crypt --generate <bad-salt>' has a bad exit code" 1 $exit_code
+}
+
+testCryptGenerateNoSaltSupplied() {
+ output_stdout=$(echo foobar | $CRYPT --generate 2>/dev/null)
+ output_stderr=$(echo foobar | $CRYPT --generate 2>&1 >/dev/null)
+ exit_code=$?
+ assertNull "'echo foobar | crypt --generate' generated noise on stderr" "$output_stderr"
+ if ! echo "$output_stdout" | grep -q '^\$6\$'; then
+ fail "'echo foobar | crypt --generate' did not generate a SHA-512 based hash ($output_stdout)"
+ fi
+ assertEquals "'echo foobar | crypt --generate' has a bad exit code" 0 $exit_code
+}
+
+testCryptGenerateEmptySaltSupplied() {
+ output_stdout=$(echo foobar | $CRYPT --generate '' 2>/dev/null)
+ output_stderr=$(echo foobar | $CRYPT --generate '' 2>&1 >/dev/null)
+ exit_code=$?
+ assertNull "'echo foobar | crypt --generate ''' generated noise on stderr" "$output_stderr"
+ if ! echo "$output_stdout" | grep -q '^\$6\$'; then
+ fail "'echo foobar | crypt --generate ''' did not generate a SHA-512 based hash ($output_stdout)"
+ fi
+ assertEquals "'echo foobar | crypt --generate ''' has a bad exit code" 0 $exit_code
+}
+
+testCryptGenerateNoSaltRandomness() {
+ output1=$(echo foobar | $CRYPT --generate 2>/dev/null)
+ output2=$(echo foobar | $CRYPT --generate 2>/dev/null)
+ salt1="$(echo $output1 | cut -d$ -f1-3)"'$'
+ salt2="$(echo $output2 | cut -d$ -f1-3)"'$'
+ assertNotEquals "Two consecutive runs of 'echo foobar | $CRYPT --generate' generated the same salt" "$output1" "$output2"
+ output3=$(echo foobar | $CRYPT --generate "$salt1")
+ assertEquals "'echo foobar | $CRYPT --generate <salt>' did not recreate the original hash" "$output1" "$output3"
+}
+
+testCryptCheckEmptyPassword() {
+ output_stdout=$($CRYPT --check 'h/GdiFWQsXxA.' 2>/dev/null </dev/null)
+ output_stderr=$($CRYPT --check 'h/GdiFWQsXxA.' 2>&1 >/dev/null </dev/null)
+ exit_code=$?
+ assertNull "'crypt --check <hash> </dev/null' unexpectedly generated something" "$output_stdout"
+ if ! echo "$output_stderr" | grep -q "ERROR:"; then
+ fail "'crypt --check <hash> </dev/null' did not print any error message"
+ fi
+ assertEquals "'crypt --check <hash> </dev/null' has a bad exit code" 1 $exit_code
+}
+
+testCryptCheckNoHashSupplied() {
+ output_stdout=$(echo "foobar" | $CRYPT --check 2>/dev/null)
+ output_stderr=$(echo "foobar" | $CRYPT --check 2>&1 >/dev/null)
+ if ! echo "$output_stderr" | grep -q "ERROR:"; then
+ fail "'echo foobar | crypt --check' did not print any error message"
+ fi
+ assertNull "'echo foobar | crypt --check' unexpectly returned something on stdout" "$output_stdout"
+}
+
+testCryptCheckGoodPassword() {
+ output=$(echo "foobar" | $CRYPT --check '$6$dkcZzIkv$Ju7XCIc4igWvht3bOu266vvRam6IdnIFxoyonDt.6JZl8NfCaukACeIRYVW7WQtrUtqN2TrWSgEFnXumuTiN41' 2>&1)
+ exit_code=$?
+ assertNull "'echo foobar | $CRYPT --check <good-hash>' printed unexpected output" "$output"
+ assertEquals "'echo foobar | $CRYPT --check <good-hash>' did not exit with" 0 $exit_code
+}
+
+testCryptCheckBadPassword() {
+ output=$(echo "foobar-bad" | $CRYPT --check '$6$dkcZzIkv$Ju7XCIc4igWvht3bOu266vvRam6IdnIFxoyonDt.6JZl8NfCaukACeIRYVW7WQtrUtqN2TrWSgEFnXumuTiN41' 2>&1)
+ exit_code=$?
+ assertNull "'echo foobar | $CRYPT --check <bad-hash>' printed unexpected output" "$output"
+ assertEquals "'echo foobar | $CRYPT --check <bad-hash>' did not exit with" 1 $exit_code
+}
+
+testCryptGenerateCheckRoundtrip() {
+ for salt in '' 'h/' '$1$abcd$' '$5$12345678$' '$6$deadbeef$'
+ do
+ password="haX0rd3ad"
+
+ password_hash=$(echo $password | $CRYPT --generate "$salt")
+ exit_code=$?
+ assertEquals "'echo $password | $CRYPT --generate $salt' did not exit with" 0 $exit_code
+
+ echo $password | $CRYPT --check "$password_hash"
+ exit_code=$?
+ assertEquals "'echo $password | $CRYPT --check $password_hash' did not exit with" 0 $exit_code
+ done
+}
+
+testAskPassWarnsAboutMissingCrypttabSource() {
+ export CRYPTTAB_SOURCE=/does/not/exist
+
+ $ASKPASS >$OUTDIR/log 2>&1
+
+ if ! grep -q 'WARNING: $CRYPTTAB_SOURCE' $OUTDIR/log; then
+ fail "askpass should complain of missing CRYPTTAB_SOURCE"
+ fi
+}
+
+testAskPassWarnsAboutMissingCryptHelper() {
+ export CRYPT_HELPER=/does/not/exist
+
+ $ASKPASS >$OUTDIR/log 2>&1
+
+ if ! grep -q "WARNING: $CRYPT_HELPER" $OUTDIR/log; then
+ fail "askpass should complain of missing \$CRYPT_HELPER"
+ fi
+}
+
+testAskPassCallsCryptsetupErase() {
+ # Setup the password and its matching hash
+ export FAKE_ASKPASS_ANSWER="foobar"
+ echo '$6$dkcZzIkv$Ju7XCIc4igWvht3bOu266vvRam6IdnIFxoyonDt.6JZl8NfCaukACeIRYVW7WQtrUtqN2TrWSgEFnXumuTiN41' >$NUKE_PASSWORD_HASH_PATH
+
+ $ASKPASS >$OUTDIR/log 2>&1
+
+ touch $OUTDIR/cryptsetup
+ if ! grep -q "erase $CRYPTTAB_SOURCE" $OUTDIR/cryptsetup; then
+ echo "Output of askpass:"
+ cat $OUTDIR/log
+ echo ""
+ echo "Cryptsetup log:"
+ cat $OUTDIR/cryptsetup
+ fail "cryptsetup erase has not been called by askpass"
+ fi
+}
+
+testAskPassWithoutPasswordHash() {
+ # No password_hash is created
+
+ $ASKPASS >$OUTDIR/log 2>&1
+
+ assertFalse 'cryptsetup was unexpectly run' "[ -e $OUTDIR/cryptsetup ]"
+}
+
+testAskPassWithNonMatchingPasswordHash() {
+ # Setup the password and a non-matching hash
+ export FAKE_ASKPASS_ANSWER="this-is-not-the-good-password"
+ echo '$6$dkcZzIkv$Ju7XCIc4igWvht3bOu266vvRam6IdnIFxoyonDt.6JZl8NfCaukACeIRYVW7WQtrUtqN2TrWSgEFnXumuTiN41' >$NUKE_PASSWORD_HASH_PATH
+
+ $ASKPASS >$OUTDIR/log 2>&1
+
+ assertFalse 'cryptsetup was unexpectly run' "[ -e $OUTDIR/cryptsetup ]"
+}
+
+testAskPassReturnsPassword() {
+ export FAKE_ASKPASS_ANSWER="my-password"
+
+ OUT=$($ASKPASS 2>/dev/null)
+
+ assertEquals "askpass did not print the password" "$FAKE_ASKPASS_ANSWER" "$OUT"
+}
+
+. shunit2
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 05:27:17 +0000