[thirdparty/openssl.git] / test / recipes / 20-test_passwd.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils;

setup("test_passwd");

# The following tests are an adaptation of those in
# https://www.akkadia.org/drepper/SHA-crypt.txt
my @sha_tests =
    ({ type => '5',
       salt => 'saltstring',
       key => 'Hello world!',
       expected => '$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5' },
     { type => '5',
       salt => 'rounds=10000$saltstringsaltstring',
       key => 'Hello world!',
       expected => '$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA' },
     { type => '5',
       salt => 'rounds=5000$toolongsaltstring',
       key => 'This is just a test',
       expected => '$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8mGRcvxa5' },
     { type => '5',
       salt => 'rounds=1400$anotherlongsaltstring',
       key => 'a very much longer text to encrypt.  This one even stretches over morethan one line.',
       expected => '$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12oP84Bnq1' },
     { type => '5',
       salt => 'rounds=10$roundstoolow',
       key => 'the minimum number is still observed',
       expected => '$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL972bIC' },
     { type => '6',
       salt => 'saltstring',
       key => 'Hello world!',
       expected => '$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1' },
     { type => '6',
       salt => 'rounds=10000$saltstringsaltstring',
       key => 'Hello world!',
       expected => '$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.' },
     { type => '6',
       salt => 'rounds=5000$toolongsaltstring',
       key => 'This is just a test',
       expected => '$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQzQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0' },
     { type => '6',
       salt => 'rounds=1400$anotherlongsaltstring',
       key => 'a very much longer text to encrypt.  This one even stretches over morethan one line.',
       expected => '$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wPvMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1' },
     { type => '6',
       salt => 'rounds=10$roundstoolow',
       key => 'the minimum number is still observed',
       expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' }
    );
# From the same source as above, these tests use a number of rounds > 10000.  They are separated because this can
# cause out of memory problems in the address sanitizer in the no-cache-fetch build.
my @sha_high_rounds_tests =
    ({ type => '5',
       salt => 'rounds=77777$short',
       key => 'we have a short salt string but not a short password',
       expected => '$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/' },
     { type => '5',
       salt => 'rounds=123456$asaltof16chars..',
       key => 'a short string',
       expected => '$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD' },
     { type => '6',
       salt => 'rounds=77777$short',
       key => 'we have a short salt string but not a short password',
       expected => '$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0gge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0' },
     { type => '6',
       salt => 'rounds=123456$asaltof16chars..',
       key => 'a short string',
       expected => '$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwcelCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1' },
    );

plan tests => 9 + scalar @sha_tests + scalar @sha_high_rounds_tests;


ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
   'BSD style MD5 password with random salt');
ok(compare1stline_re([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
   'Apache style MD5 password with random salt');
ok(compare1stline_re([qw{openssl passwd -5 password}], '^\$5\$.{16}\$.{43}\R$'),
   'SHA256 password with random salt');
ok(compare1stline_re([qw{openssl passwd -6 password}], '^\$6\$.{16}\$.{86}\R$'),
   'Apache SHA512 password with random salt');

ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.'),
   'BSD style MD5 password with salt xxxxxxxx');
ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0'),
   'Apache style MD5 password with salt xxxxxxxx');
ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -aixmd5 password}], 'xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/'),
   'AIX style MD5 password with salt xxxxxxxx');
ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -5 password}], '$5$xxxxxxxxxxxxxxxx$fHytsM.wVD..zPN/h3i40WJRggt/1f73XkAC/gkelkB'),
   'SHA256 password with salt xxxxxxxxxxxxxxxx');
ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -6 password}], '$6$xxxxxxxxxxxxxxxx$VjGUrXBG6/8yW0f6ikBJVOb/lK/Tm9LxHJmFfwMvT7cpk64N9BW7ZQhNeMXAYFbOJ6HDG7wb0QpxJyYQn0rh81'),
   'SHA512 password with salt xxxxxxxxxxxxxxxx');

foreach (@sha_tests) {
    ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
                       $_->{key}], $_->{expected}),
       { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
}

SKIP: {
    skip "Skipping high rounds tests in non caching builds", scalar @sha_high_rounds_tests
        if disabled("cached-fetch");

    foreach (@sha_high_rounds_tests) {
        ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
                           $_->{key}], $_->{expected}),
           { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
    }
}

sub compare1stline_re {
    my ($cmdarray, $regexp) = @_;
    my @lines = run(app($cmdarray), capture => 1);

    return $lines[0] =~ m|$regexp|;
}

sub compare1stline {
    my ($cmdarray, $str) = @_;
    my @lines = run(app($cmdarray), capture => 1);

    return $lines[0] =~ m|^\Q${str}\E\R$|;
}
Commit	Line	Data
497f3bf9	1	#! /usr/bin/env perl
54b40531	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
497f3bf9	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
497f3bf9 RL	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9
	10	use strict;
	11	use warnings;
	12
	13	use OpenSSL::Test;
c1eba83f	14	use OpenSSL::Test::Utils;
497f3bf9 RL	15
	16	setup("test_passwd");
	17
49681ae1 RL	18	# The following tests are an adaptation of those in
	19	# https://www.akkadia.org/drepper/SHA-crypt.txt
	20	my @sha_tests =
	21	({ type => '5',
	22	salt => 'saltstring',
	23	key => 'Hello world!',
	24	expected => '$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5' },
	25	{ type => '5',
	26	salt => 'rounds=10000$saltstringsaltstring',
	27	key => 'Hello world!',
	28	expected => '$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA' },
	29	{ type => '5',
	30	salt => 'rounds=5000$toolongsaltstring',
	31	key => 'This is just a test',
	32	expected => '$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8mGRcvxa5' },
	33	{ type => '5',
	34	salt => 'rounds=1400$anotherlongsaltstring',
	35	key => 'a very much longer text to encrypt. This one even stretches over morethan one line.',
	36	expected => '$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12oP84Bnq1' },
49681ae1 RL	37	{ type => '5',
	38	salt => 'rounds=10$roundstoolow',
	39	key => 'the minimum number is still observed',
	40	expected => '$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL972bIC' },
	41	{ type => '6',
	42	salt => 'saltstring',
	43	key => 'Hello world!',
	44	expected => '$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1' },
	45	{ type => '6',
	46	salt => 'rounds=10000$saltstringsaltstring',
	47	key => 'Hello world!',
	48	expected => '$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.' },
	49	{ type => '6',
	50	salt => 'rounds=5000$toolongsaltstring',
	51	key => 'This is just a test',
	52	expected => '$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQzQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0' },
	53	{ type => '6',
	54	salt => 'rounds=1400$anotherlongsaltstring',
	55	key => 'a very much longer text to encrypt. This one even stretches over morethan one line.',
	56	expected => '$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wPvMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1' },
e6f0c8d3 P	57	{ type => '6',
	58	salt => 'rounds=10$roundstoolow',
	59	key => 'the minimum number is still observed',
	60	expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' }
	61	);
	62	# From the same source as above, these tests use a number of rounds > 10000. They are separated because this can
	63	# cause out of memory problems in the address sanitizer in the no-cache-fetch build.
	64	my @sha_high_rounds_tests =
	65	({ type => '5',
	66	salt => 'rounds=77777$short',
	67	key => 'we have a short salt string but not a short password',
	68	expected => '$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/' },
	69	{ type => '5',
	70	salt => 'rounds=123456$asaltof16chars..',
	71	key => 'a short string',
	72	expected => '$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD' },
49681ae1 RL	73	{ type => '6',
	74	salt => 'rounds=77777$short',
	75	key => 'we have a short salt string but not a short password',
	76	expected => '$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0gge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0' },
	77	{ type => '6',
	78	salt => 'rounds=123456$asaltof16chars..',
	79	key => 'a short string',
	80	expected => '$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwcelCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1' },
49681ae1	81	);
497f3bf9	82
e6f0c8d3	83	plan tests => 9 + scalar @sha_tests + scalar @sha_high_rounds_tests;
49681ae1 RL	84
49681ae1 RL	85
49681ae1	86	ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
497f3bf9	87	'BSD style MD5 password with random salt');
49681ae1	88	ok(compare1stline_re([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
497f3bf9	89	'Apache style MD5 password with random salt');
49681ae1 RL	90	ok(compare1stline_re([qw{openssl passwd -5 password}], '^\$5\$.{16}\$.{43}\R$'),
	91	'SHA256 password with random salt');
	92	ok(compare1stline_re([qw{openssl passwd -6 password}], '^\$6\$.{16}\$.{86}\R$'),
	93	'Apache SHA512 password with random salt');
	94
49681ae1	95	ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.'),
497f3bf9	96	'BSD style MD5 password with salt xxxxxxxx');
49681ae1	97	ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0'),
497f3bf9	98	'Apache style MD5 password with salt xxxxxxxx');
037f2c3f GN	99	ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -aixmd5 password}], 'xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/'),
037f2c3f GN	100	'AIX style MD5 password with salt xxxxxxxx');
49681ae1 RL	101	ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -5 password}], '$5$xxxxxxxxxxxxxxxx$fHytsM.wVD..zPN/h3i40WJRggt/1f73XkAC/gkelkB'),
	102	'SHA256 password with salt xxxxxxxxxxxxxxxx');
	103	ok(compare1stline([qw{openssl passwd -salt xxxxxxxxxxxxxxxx -6 password}], '$6$xxxxxxxxxxxxxxxx$VjGUrXBG6/8yW0f6ikBJVOb/lK/Tm9LxHJmFfwMvT7cpk64N9BW7ZQhNeMXAYFbOJ6HDG7wb0QpxJyYQn0rh81'),
	104	'SHA512 password with salt xxxxxxxxxxxxxxxx');
497f3bf9	105
49681ae1 RL	106	foreach (@sha_tests) {
	107	ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
	108	$_->{key}], $_->{expected}),
	109	{ 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
	110	}
497f3bf9	111
e6f0c8d3 P	112	SKIP: {
	113	skip "Skipping high rounds tests in non caching builds", scalar @sha_high_rounds_tests
	114	if disabled("cached-fetch");
	115
	116	foreach (@sha_high_rounds_tests) {
	117	ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt},
	118	$_->{key}], $_->{expected}),
	119	{ 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt});
	120	}
	121	}
49681ae1 RL	122
49681ae1 RL	123	sub compare1stline_re {
497f3bf9 RL	124	my ($cmdarray, $regexp) = @_;
	125	my @lines = run(app($cmdarray), capture => 1);
	126
	127	return $lines[0] =~ m\|$regexp\|;
	128	}
49681ae1 RL	129
	130	sub compare1stline {
	131	my ($cmdarray, $str) = @_;
	132	my @lines = run(app($cmdarray), capture => 1);
	133
	134	return $lines[0] =~ m\|^\Q${str}\E\R$\|;
	135	}