| 1 | #! /usr/bin/env perl
|
|---|
| 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 3 | #
|
|---|
| 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 5 | # this file except in compliance with the License. You can obtain a copy
|
|---|
| 6 | # in the file LICENSE in the source distribution or at
|
|---|
| 7 | # https://www.openssl.org/source/license.html
|
|---|
| 8 |
|
|---|
| 9 |
|
|---|
| 10 | use strict;
|
|---|
| 11 | use warnings;
|
|---|
| 12 |
|
|---|
| 13 | use OpenSSL::Test;
|
|---|
| 14 | use OpenSSL::Test::Utils;
|
|---|
| 15 |
|
|---|
| 16 | setup("test_passwd");
|
|---|
| 17 |
|
|---|
| 18 | # The following tests are an adaptation of those in
|
|---|
| 19 | # https://www.akkadia.org/drepper/SHA-crypt.txt
|
|---|
| 20 | my @sha_tests =
|
|---|
| 21 | ({ type => '5',
|
|---|
| 22 | salt => 'saltstring',
|
|---|
| 23 | key => 'Hello world!',
|
|---|
| 24 | expected => '$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5' },
|
|---|
| 25 | { type => '5',
|
|---|
| 26 | salt => 'rounds=10000$saltstringsaltstring',
|
|---|
| 27 | key => 'Hello world!',
|
|---|
| 28 | expected => '$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA' },
|
|---|
| 29 | { type => '5',
|
|---|
| 30 | salt => 'rounds=5000$toolongsaltstring',
|
|---|
| 31 | key => 'This is just a test',
|
|---|
| 32 | expected => '$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8mGRcvxa5' },
|
|---|
| 33 | { type => '5',
|
|---|
| 34 | salt => 'rounds=1400$anotherlongsaltstring',
|
|---|
| 35 | key => 'a very much longer text to encrypt. This one even stretches over morethan one line.',
|
|---|
| 36 | expected => '$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12oP84Bnq1' },
|
|---|
| 37 | { type => '5',
|
|---|
| 38 | salt => 'rounds=10$roundstoolow',
|
|---|
| 39 | key => 'the minimum number is still observed',
|
|---|
| 40 | expected => '$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL972bIC' },
|
|---|
| 41 | { type => '6',
|
|---|
| 42 | salt => 'saltstring',
|
|---|
| 43 | key => 'Hello world!',
|
|---|
| 44 | expected => '$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1' },
|
|---|
| 45 | { type => '6',
|
|---|
| 46 | salt => 'rounds=10000$saltstringsaltstring',
|
|---|
| 47 | key => 'Hello world!',
|
|---|
| 48 | expected => '$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.' },
|
|---|
| 49 | { type => '6',
|
|---|
| 50 | salt => 'rounds=5000$toolongsaltstring',
|
|---|
| 51 | key => 'This is just a test',
|
|---|
| 52 | expected => '$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQzQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0' },
|
|---|
| 53 | { type => '6',
|
|---|
| 54 | salt => 'rounds=1400$anotherlongsaltstring',
|
|---|
| 55 | key => 'a very much longer text to encrypt. This one even stretches over morethan one line.',
|
|---|
| 56 | expected => '$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wPvMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1' },
|
|---|
| 57 | { type => '6',
|
|---|
| 58 | salt => 'rounds=10$roundstoolow',
|
|---|
| 59 | key => 'the minimum number is still observed',
|
|---|
| 60 | expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' }
|
|---|
| 61 | );
|
|---|
| 62 | # From the same source as above, these tests use a number of rounds > 10000. They are separated because this can
|
|---|
| 63 | # cause out of memory problems in the address sanitizer in the no-cache-fetch build.
|
|---|
| 64 | my @sha_high_rounds_tests =
|
|---|
| 65 | ({ type => '5',
|
|---|
| 66 | salt => 'rounds=77777$short',
|
|---|
| 67 | key => 'we have a short salt string but not a short password',
|
|---|
| 68 | expected => '$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/' },
|
|---|
| 69 | { type => '5',
|
|---|
| 70 | salt => 'rounds=123456$asaltof16chars..',
|
|---|
| 71 | key => 'a short string',
|
|---|
| 72 | expected => '$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD' },
|
|---|
| 73 | { type => '6',
|
|---|
| 74 | salt => 'rounds=77777$short',
|
|---|
| 75 | key => 'we have a short salt string but not a short password',
|
|---|
| 76 | expected => '$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0gge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0' },
|
|---|
| 77 | { type => '6',
|
|---|
| 78 | salt => 'rounds=123456$asaltof16chars..',
|
|---|
| 79 | key => 'a short string',
|
|---|
| 80 | expected => '$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwcelCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1' },
|
|---|
| 81 | );
|
|---|
| 82 |
|
|---|
| 83 | plan tests => 9 + scalar @sha_tests + scalar @sha_high_rounds_tests;
|
|---|
| 84 |
|
|---|
| 85 |
|
|---|
| 86 | ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
|
|---|
| 87 | 'BSD style MD5 password with random salt');
|
|---|
| 88 | ok(compare1stline_re([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
|
|---|
| 89 | 'Apache style MD5 password with random salt');
|
|---|
| 90 | ok(compare1stline_re([qw{openssl passwd -5 password}], '^\$5\$.{16}\$.{43}\R$'),
|
|---|
| 91 | 'SHA256 password with random salt');
|
|---|
| 92 | ok(compare1stline_re([qw{openssl passwd -6 password}], '^\$6\$.{16}\$.{86}\R$'),
|
|---|
| 93 | 'Apache SHA512 password with random salt');
|
|---|
| 94 |
|
|---|
| 95 | ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.'),
|
|---|
| 96 | 'BSD style MD5 password with salt xxxxxxxx');
|
|---|
| 97 | ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0'),
|
|---|
| 98 | 'Apache style MD5 password with salt xxxxxxxx');
|
|---|
| 99 | ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -aixmd5 password}], 'xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/'),
|
|---|
| 100 | 'AIX style MD5 password with salt xxxxxxxx');
|
|---|
| 101 | ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -5 password}], '$5$xxxxxxxxxxxxxxxx$fHytsM.wVD..zPN/h3i40WJRggt/1f73XkAC/gkelkB'),
|
|---|
| 102 | 'SHA256 password with salt xxxxxxxxxxxxxxxx');
|
|---|
| 103 | ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -6 password}], '$6$xxxxxxxxxxxxxxxx$VjGUrXBG6/8yW0f6ikBJVOb/lK/Tm9LxHJmFfwMvT7cpk64N9BW7ZQhNeMXAYFbOJ6HDG7wb0QpxJyYQn0rh81'),
|
|---|
| 104 | 'SHA512 password with salt xxxxxxxxxxxxxxxx');
|
|---|
| 105 |
|
|---|
| 106 | foreach (@sha_tests) {
|
|---|
| 107 | ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
|
|---|
| 108 | $_->{key}], $_->{expected}),
|
|---|
| 109 | { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
|
|---|
| 110 | }
|
|---|
| 111 |
|
|---|
| 112 | SKIP: {
|
|---|
| 113 | skip "Skipping high rounds tests in non caching builds", scalar @sha_high_rounds_tests
|
|---|
| 114 | if disabled("cached-fetch");
|
|---|
| 115 |
|
|---|
| 116 | foreach (@sha_high_rounds_tests) {
|
|---|
| 117 | ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
|
|---|
| 118 | $_->{key}], $_->{expected}),
|
|---|
| 119 | { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
|
|---|
| 120 | }
|
|---|
| 121 | }
|
|---|
| 122 |
|
|---|
| 123 | sub compare1stline_re {
|
|---|
| 124 | my ($cmdarray, $regexp) = @_;
|
|---|
| 125 | my @lines = run(app($cmdarray), capture => 1);
|
|---|
| 126 |
|
|---|
| 127 | return $lines[0] =~ m|$regexp|;
|
|---|
| 128 | }
|
|---|
| 129 |
|
|---|
| 130 | sub compare1stline {
|
|---|
| 131 | my ($cmdarray, $str) = @_;
|
|---|
| 132 | my @lines = run(app($cmdarray), capture => 1);
|
|---|
| 133 |
|
|---|
| 134 | return $lines[0] =~ m|^\Q${str}\E\R$|;
|
|---|
| 135 | }
|
|---|
