1 files changed, 151 insertions, 0 deletions
diff --git a/src/tests/keywords/crypt b/src/tests/keywords/crypt
new file mode 100644
index 0000000..e6d63aa
--- /dev/null
+++ b/src/tests/keywords/crypt
@@ -0,0 +1,151 @@
+#
+# PRE: update if
+#
+
+# Skip all these tests if crypt_r was not available
+#
+if ("%{crypt:&User-Password}") {
+	noop
+}
+if ("%{request:Module-Failure-Message[0]}" !~ /^Crypt not available at compile time/) {
+
+
+# Set required attributes
+#
+update reply {
+	&Filter-Id := "filter"
+}
+
+update request {
+	&Tmp-String-0 := 'foo'
+	&Tmp-String-1 := 'foo:bar'
+	&Tmp-String-2 := 'f:'
+	&Tmp-String-3 := &User-Password
+	&Tmp-String-4 := &control:Cleartext-Password
+	&Tmp-String-5 := 'fwtLWDtMiSbH8lmXCMIVfrSMJjF'
+	&Tmp-String-8 := 'aa'
+	&Tmp-String-9 := '$1$abcdefgh'
+}
+
+
+# Check for error on no salt
+#
+if ("%{crypt:&User-Password}") {
+	update reply {
+		&Filter-Id += 'fail 1a'
+	}
+}
+
+if ("%{request:Module-Failure-Message[0]}" != 'No salt specified in crypt xlat') {
+        update reply {
+                &Filter-Id += 'fail 1b'
+        }
+}
+
+
+# Check DES - all crypt_r() implementations should do this.
+#
+if ("%{crypt:aa:foo}" != "aaKNIEDOaueR6") {
+	update reply {
+		&Filter-Id += 'fail 2a'
+	}
+}
+
+if ("%{crypt:&Tmp-String-8:foo}" != "aaKNIEDOaueR6") {
+	update reply {
+		&Filter-Id += 'fail 2b'
+	}
+}
+
+if ("%{crypt:aa:&User-Password}" != "aaPwJ9XL9Y99E") {
+	update reply {
+		&Filter-Id += 'fail 2c'
+	}
+}
+
+
+# Test we can encrypt and then authenticate
+#
+update {
+	&request:User-Password := &request:Tmp-String-5
+	&control:Crypt-Password := "%{crypt:AZ:&Tmp-String-5}"
+	&control:Cleartext-Password !* ""
+}
+
+group {
+	pap.authenticate {
+		fail = 1
+		reject = 1
+	}
+
+	if (!ok) {
+		update reply {
+			&Filter-Id += 'fail 3'
+		}
+	}
+}
+
+update {
+	&request:User-Password := &Tmp-String-3
+	&control:Cleartext-Password := &Tmp-String-4
+}
+
+
+# Clear Module-Failure-Message so below tests work no matter what
+# happened above
+#
+update request {
+	&Module-Failure-Message !* ""
+}
+
+
+# Check colons in password
+#
+if ("%{crypt:aa:foo:bar}" != "aadzEnaZwH90k") {
+	update reply {
+		&Filter-Id += 'fail 4a'
+	}
+}
+
+if ("%{crypt:aa:&Tmp-String-1}" != "aadzEnaZwH90k") {
+	update reply {
+		&Filter-Id += 'fail 4b'
+	}
+}
+
+
+# Check invalid chars in salt
+#
+# In this case, depending on the library implementation, crypt
+# seems to either return an empty string (null) and set an error,
+# or it will return an invalid hash beginning with '*'.
+#
+update request {
+	&Tmp-String-7 := "%{crypt:&Tmp-String-2:foo}"
+}
+
+if (&Tmp-String-7 !~ /^\*/ && \
+		"%{request:Module-Failure-Message[0]}" !~ /Crypt salt has the wrong format/) {
+        update reply {
+                &Filter-Id += 'fail 5a'
+        }
+}
+
+
+# Convert the Cleartext-Password to Password-With-Header and auth with that
+#
+update control {
+	&Password-With-Header := "{crypt}%{crypt:$1$abcdefgh:&Tmp-String-4}"
+	&Crypt-Password !* ""
+	&Cleartext-Password !* ""
+}
+
+
+# Crypt not available at compile time? Force the test to pass.
+#
+}
+else {
+	update reply {
+		&Filter-Id := "filter"
+	}
+}