#
# PRE: update if
#

# Skip all these tests if crypt_r was not available
#
# Probe: expand %{crypt:...} once, without a salt, purely for its side
# effect. The expansion result is discarded (noop); what matters is the
# text left in request:Module-Failure-Message[0], which the condition
# that follows matches against "Crypt not available at compile time".
#
if ("%{crypt:&User-Password}") {
	noop
}
# Everything up to the matching "else" runs only when the first failure
# message does NOT say that crypt support was left out at build time.
#
if ("%{request:Module-Failure-Message[0]}" !~ /^Crypt not available at compile time/) {


# Set required attributes
#
# Filter-Id starts as the single value "filter"; every check below that
# fails appends a 'fail N' value to it, so a clean run leaves it untouched.
# NOTE(review): presumably the harness compares the reply against an
# expected Filter-Id of "filter" - confirm against the test's expected output.
#
update reply {
	&Filter-Id := "filter"
}

# Fixtures used by the checks below:
#   Tmp-String-0..1  passwords ('foo', and 'foo:bar' for the colon test)
#   Tmp-String-2     salt containing ':' for the invalid-salt test
#   Tmp-String-3..4  saved copies of the incoming User-Password and
#                    control:Cleartext-Password, restored after test 3
#   Tmp-String-5     password for the encrypt-then-authenticate test
#   Tmp-String-8     two-character DES salt
#   Tmp-String-9     '$1$' style salt; not referenced again in this file
#                    (the same salt is written literally further down)
#
update request {
	&Tmp-String-0 := 'foo'
	&Tmp-String-1 := 'foo:bar'
	&Tmp-String-2 := 'f:'
	&Tmp-String-3 := &User-Password
	&Tmp-String-4 := &control:Cleartext-Password
	&Tmp-String-5 := 'fwtLWDtMiSbH8lmXCMIVfrSMJjF'
	&Tmp-String-8 := 'aa'
	&Tmp-String-9 := '$1$abcdefgh'
}


# Check for error on no salt
#
# 1a: with no "salt:" prefix the expansion must be empty, so the
#     condition is false and nothing is appended.
#
if ("%{crypt:&User-Password}") {
	update reply {
		&Filter-Id += 'fail 1a'
	}
}

# 1b: the first recorded failure message must be the "no salt" error.
#
if ("%{request:Module-Failure-Message[0]}" != 'No salt specified in crypt xlat') {
        update reply {
                &Filter-Id += 'fail 1b'
        }
}


# Check DES - all crypt_r() implementations should do this.
#
# Known-answer vectors with the two-character salt 'aa'. The salt and the
# password are each given once as a literal and once as an attribute
# reference, so both argument forms of the xlat are exercised.
#
# Traditional DES crypt is used here as the portable baseline only: it
# takes a two-character salt and considers just the first eight characters
# of the password.
#
if ("%{crypt:aa:foo}" != "aaKNIEDOaueR6") {
	update reply {
		&Filter-Id += 'fail 2a'
	}
}

if ("%{crypt:&Tmp-String-8:foo}" != "aaKNIEDOaueR6") {
	update reply {
		&Filter-Id += 'fail 2b'
	}
}

# 2c: the expected hash is tied to the User-Password supplied with the
#     test request, which is not visible in this file.
#
if ("%{crypt:aa:&User-Password}" != "aaPwJ9XL9Y99E") {
	update reply {
		&Filter-Id += 'fail 2c'
	}
}


# Test we can encrypt and then authenticate
#
# Replace the request password with Tmp-String-5, store its hash (salt
# 'AZ') as control:Crypt-Password, and delete every Cleartext-Password
# ('!*' removes all instances) so that the cleartext value cannot be what
# pap compares against.
#
# NOTE(review): with a two-character DES salt only the first eight
# characters of Tmp-String-5 contribute to the hash, so this round trip
# does not show that the full-length value is verified.
#
update {
	&request:User-Password := &request:Tmp-String-5
	&control:Crypt-Password := "%{crypt:AZ:&Tmp-String-5}"
	&control:Cleartext-Password !* ""
}

# The fail/reject overrides give those return codes a plain priority
# instead of their default action, so processing continues to the
# 'if (!ok)' below and the failure is recorded in Filter-Id.
#
group {
	pap.authenticate {
		fail = 1
		reject = 1
	}

	if (!ok) {
		update reply {
			&Filter-Id += 'fail 3'
		}
	}
}

# Put back the password attributes saved in Tmp-String-3 / Tmp-String-4.
#
update {
	&request:User-Password := &Tmp-String-3
	&control:Cleartext-Password := &Tmp-String-4
}


# Clear Module-Failure-Message so below tests work no matter what
# happened above
#
# After this, index [0] refers to the first message produced from here on.
#
update request {
	&Module-Failure-Message !* ""
}


# Check colons in password
#
# Only the first ':' separates salt from password; later colons belong to
# the password. The literal form (4a) and the attribute form (4b, with
# Tmp-String-1 = 'foo:bar') must therefore give the same hash.
#
if ("%{crypt:aa:foo:bar}" != "aadzEnaZwH90k") {
	update reply {
		&Filter-Id += 'fail 4a'
	}
}

if ("%{crypt:aa:&Tmp-String-1}" != "aadzEnaZwH90k") {
	update reply {
		&Filter-Id += 'fail 4b'
	}
}


# Check invalid chars in salt
#
# In this case, depending on the library implementation, crypt
# seems to either return an empty string (null) and set an error,
# or it will return an invalid hash beginning with '*'.
#
# Tmp-String-2 is 'f:', used here as the salt.
#
update request {
	&Tmp-String-7 := "%{crypt:&Tmp-String-2:foo}"
}

# Either outcome is accepted: 5a is recorded only when the result does not
# start with '*' AND the first failure message since the clear above is
# not the "wrong format" salt error.
#
if (&Tmp-String-7 !~ /^\*/ && \
		"%{request:Module-Failure-Message[0]}" !~ /Crypt salt has the wrong format/) {
        update reply {
                &Filter-Id += 'fail 5a'
        }
}


# Convert the Cleartext-Password to Password-With-Header and auth with that
#
# Builds "{crypt}" followed by the hash of the saved cleartext password
# (Tmp-String-4) using a '$1$' salt, i.e. MD5-crypt where the platform's
# crypt_r() supports that prefix. Crypt-Password and Cleartext-Password
# are then deleted, leaving Password-With-Header as the only one of the
# three in the control list.
#
# NOTE(review): no authentication call follows inside this file;
# presumably the harness runs pap after the test body - confirm.
#
update control {
	&Password-With-Header := "{crypt}%{crypt:$1$abcdefgh:&Tmp-String-4}"
	&Crypt-Password !* ""
	&Cleartext-Password !* ""
}


# Crypt not available at compile time? Force the test to pass.
#
# Without crypt support none of the checks above ran, so the reply is set
# directly to the same Filter-Id value a clean run would leave.
#
}
else {
	update reply {
		&Filter-Id := "filter"
	}
}