[thirdparty/pdns.git] / pdns / test-credentials_cc.cc


#ifndef BOOST_TEST_DYN_LINK
#define BOOST_TEST_DYN_LINK
#endif

#define BOOST_TEST_NO_MAIN

#include <boost/algorithm/string.hpp>
#include <boost/test/unit_test.hpp>

#include "config.h"
#include "credentials.hh"

BOOST_AUTO_TEST_SUITE(credentials_cc)

#if defined(DISABLE_HASHED_CREDENTIALS)
#undef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
#endif

#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
BOOST_AUTO_TEST_CASE(test_CredentialsUtils)
{
  const std::string plaintext("test");
  /* generated with hashPassword("test") */
  const std::string sampleHash("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=");

  auto hashed = hashPassword(plaintext);
  BOOST_CHECK(!hashed.empty());

  BOOST_CHECK(verifyPassword(hashed, plaintext));
  BOOST_CHECK(verifyPassword(sampleHash, plaintext));

  BOOST_CHECK(!verifyPassword(hashed, "not test"));
  BOOST_CHECK(!verifyPassword(sampleHash, "not test"));
  BOOST_CHECK(!verifyPassword("test", "test"));

  BOOST_CHECK(isPasswordHashed(hashed));
  BOOST_CHECK(isPasswordHashed(sampleHash));
  BOOST_CHECK(!isPasswordHashed(plaintext));

  {
    // hash password with custom parameters
    auto customParams = hashPassword(plaintext, 512, 2, 16);
    // check that the output is OK
    BOOST_CHECK(boost::starts_with(customParams, "$scrypt$ln=9,p=2,r=16$"));
    // check that we can verify the password
    BOOST_CHECK(verifyPassword(customParams, plaintext));
  }

  {
    // hash password with invalid parameters
    BOOST_CHECK_THROW(hashPassword(plaintext, 0, 2, 16), std::runtime_error);
    BOOST_CHECK_THROW(hashPassword(plaintext, 512, 0, 16), std::runtime_error);
    BOOST_CHECK_THROW(hashPassword(plaintext, 512, 2, 0), std::runtime_error);
  }

  // empty
  BOOST_CHECK(!isPasswordHashed(""));
  // missing leading $
  BOOST_CHECK(!isPasswordHashed("scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // prefix-only
  BOOST_CHECK(!isPasswordHashed("$scrypt$"));
  // unknown algo
  BOOST_CHECK(!isPasswordHashed("$tcrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // missing parameters
  BOOST_CHECK(!isPasswordHashed("$scrypt$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // empty parameters
  BOOST_CHECK(!isPasswordHashed("$scrypt$$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // missing r
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // salt is too short
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$dGVzdA==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // hash is too short
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$c2hvcnQ="));
  // missing salt
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // missing $ between the salt and hash
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
  // no hash
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$"));
  // hash is too long
  BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$dGhpcyBpcyBhIHZlcnkgbG9uZyBoYXNoLCBtdWNoIG11Y2ggbG9uZ2VyIHRoYW4gdGhlIG9uZXMgd2UgYXJlIGdlbmVyYXRpbmc="));

  // empty r
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // too many parameters
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8,t=1$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // invalid ln
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=A,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // invalid p
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=p,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // missing ln
  BOOST_CHECK_THROW(verifyPassword("$scrypt$la=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // missing p
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,q=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // missing r
  BOOST_CHECK_THROW(verifyPassword("$scrypt$l,ln=10,q=1,s=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // work factor is too large
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=16,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // salt is too long
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$dGhpcyBpcyBhIHZlcnkgbG9uZyBzYWx0$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // invalid b64 salt
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
  // invalid b64 hash
  BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJd", plaintext), std::runtime_error);
}
#endif

BOOST_AUTO_TEST_CASE(test_CredentialsHolder)
{
  const std::string plaintext("test");

  auto holder = CredentialsHolder(std::string(plaintext), false);

  BOOST_CHECK(holder.matches(plaintext));
  BOOST_CHECK(!holder.matches("not test"));
  BOOST_CHECK(!holder.wasHashed());
  BOOST_CHECK(!holder.isHashed());

#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
  BOOST_CHECK(CredentialsHolder::isHashingAvailable());
  const std::string sampleHash("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=");

  auto fromHashedHolder = CredentialsHolder(std::string(sampleHash), true);
  BOOST_CHECK(fromHashedHolder.wasHashed());
  BOOST_CHECK(fromHashedHolder.isHashed());
  BOOST_CHECK(fromHashedHolder.matches(plaintext));
  BOOST_CHECK(!fromHashedHolder.matches("not test"));

  auto fromPlaintextHolder = CredentialsHolder(std::string(plaintext), true);
  BOOST_CHECK(!fromPlaintextHolder.wasHashed());
  BOOST_CHECK(fromPlaintextHolder.isHashed());
  BOOST_CHECK(fromPlaintextHolder.matches(plaintext));
  BOOST_CHECK(!fromPlaintextHolder.matches("not test"));
#else
  BOOST_CHECK(!CredentialsHolder::isHashingAvailable());
#endif
}

BOOST_AUTO_TEST_CASE(test_SensitiveData)
{
  size_t bytes = 16;
  SensitiveData data(bytes);
  BOOST_CHECK_EQUAL(data.getString().size(), bytes);

  SensitiveData data2("test");
  data2 = std::move(data);
  BOOST_CHECK_EQUAL(data2.getString().size(), bytes);
  BOOST_CHECK_EQUAL(data.getString().size(), 0U);

  data2.clear();
  BOOST_CHECK_EQUAL(data2.getString().size(), 0U);
}

BOOST_AUTO_TEST_SUITE_END()
Commit	Line	Data
3a338f79	1
1c2d079d	2	#ifndef BOOST_TEST_DYN_LINK
3a338f79	3	#define BOOST_TEST_DYN_LINK
1c2d079d FM	4	#endif
1c2d079d FM	5
3a338f79 RG	6	#define BOOST_TEST_NO_MAIN
3a338f79 RG	7
4ec3ff03	8	#include <boost/algorithm/string.hpp>
3a338f79 RG	9	#include <boost/test/unit_test.hpp>
	10
	11	#include "config.h"
	12	#include "credentials.hh"
	13
	14	BOOST_AUTO_TEST_SUITE(credentials_cc)
	15
2f32819a RG	16	#if defined(DISABLE_HASHED_CREDENTIALS)
	17	#undef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
	18	#endif
	19
8a6030b6	20	#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
3a338f79 RG	21	BOOST_AUTO_TEST_CASE(test_CredentialsUtils)
	22	{
	23	const std::string plaintext("test");
	24	/* generated with hashPassword("test") */
8a6030b6	25	const std::string sampleHash("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=");
3a338f79 RG	26
	27	auto hashed = hashPassword(plaintext);
	28	BOOST_CHECK(!hashed.empty());
	29
	30	BOOST_CHECK(verifyPassword(hashed, plaintext));
	31	BOOST_CHECK(verifyPassword(sampleHash, plaintext));
	32
	33	BOOST_CHECK(!verifyPassword(hashed, "not test"));
	34	BOOST_CHECK(!verifyPassword(sampleHash, "not test"));
47c4ed83	35	BOOST_CHECK(!verifyPassword("test", "test"));
3a338f79 RG	36
	37	BOOST_CHECK(isPasswordHashed(hashed));
	38	BOOST_CHECK(isPasswordHashed(sampleHash));
	39	BOOST_CHECK(!isPasswordHashed(plaintext));
4ec3ff03 RG	40
	41	{
	42	// hash password with custom parameters
	43	auto customParams = hashPassword(plaintext, 512, 2, 16);
	44	// check that the output is OK
	45	BOOST_CHECK(boost::starts_with(customParams, "$scrypt$ln=9,p=2,r=16$"));
	46	// check that we can verify the password
	47	BOOST_CHECK(verifyPassword(customParams, plaintext));
	48	}
	49
71f6572a RG	50	{
	51	// hash password with invalid parameters
	52	BOOST_CHECK_THROW(hashPassword(plaintext, 0, 2, 16), std::runtime_error);
	53	BOOST_CHECK_THROW(hashPassword(plaintext, 512, 0, 16), std::runtime_error);
	54	BOOST_CHECK_THROW(hashPassword(plaintext, 512, 2, 0), std::runtime_error);
	55	}
	56
4ec3ff03 RG	57	// empty
	58	BOOST_CHECK(!isPasswordHashed(""));
	59	// missing leading $
	60	BOOST_CHECK(!isPasswordHashed("scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
47c4ed83 RG	61	// prefix-only
47c4ed83 RG	62	BOOST_CHECK(!isPasswordHashed("$scrypt$"));
4ec3ff03 RG	63	// unknown algo
	64	BOOST_CHECK(!isPasswordHashed("$tcrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	65	// missing parameters
	66	BOOST_CHECK(!isPasswordHashed("$scrypt$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	67	// empty parameters
	68	BOOST_CHECK(!isPasswordHashed("$scrypt$$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	69	// missing r
	70	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	71	// salt is too short
	72	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$dGVzdA==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	73	// hash is too short
	74	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$c2hvcnQ="));
	75	// missing salt
	76	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	77	// missing $ between the salt and hash
	78	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI="));
	79	// no hash
	80	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$"));
	81	// hash is too long
	82	BOOST_CHECK(!isPasswordHashed("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$dGhpcyBpcyBhIHZlcnkgbG9uZyBoYXNoLCBtdWNoIG11Y2ggbG9uZ2VyIHRoYW4gdGhlIG9uZXMgd2UgYXJlIGdlbmVyYXRpbmc="));
	83
	84	// empty r
	85	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	86	// too many parameters
	87	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8,t=1$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	88	// invalid ln
	89	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=A,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	90	// invalid p
	91	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=p,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
71f6572a RG	92	// missing ln
	93	BOOST_CHECK_THROW(verifyPassword("$scrypt$la=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	94	// missing p
	95	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,q=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	96	// missing r
	97	BOOST_CHECK_THROW(verifyPassword("$scrypt$l,ln=10,q=1,s=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
4ec3ff03 RG	98	// work factor is too large
	99	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=16,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	100	// salt is too long
	101	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$dGhpcyBpcyBhIHZlcnkgbG9uZyBzYWx0$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	102	// invalid b64 salt
	103	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=", plaintext), std::runtime_error);
	104	// invalid b64 hash
	105	BOOST_CHECK_THROW(verifyPassword("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJd", plaintext), std::runtime_error);
3a338f79 RG	106	}
	107	#endif
	108
	109	BOOST_AUTO_TEST_CASE(test_CredentialsHolder)
	110	{
	111	const std::string plaintext("test");
	112
64c4f83c	113	auto holder = CredentialsHolder(std::string(plaintext), false);
3a338f79 RG	114
	115	BOOST_CHECK(holder.matches(plaintext));
	116	BOOST_CHECK(!holder.matches("not test"));
	117	BOOST_CHECK(!holder.wasHashed());
64c4f83c	118	BOOST_CHECK(!holder.isHashed());
3a338f79	119
8a6030b6	120	#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
3a338f79	121	BOOST_CHECK(CredentialsHolder::isHashingAvailable());
8a6030b6	122	const std::string sampleHash("$scrypt$ln=10,p=1,r=8$1GZ10YdmSGtTmKK9jTH85Q==$JHeICW1mUCnTC+nnULDr7QFQ3kRrZ7u12djruJdrPhI=");
3a338f79	123
64c4f83c	124	auto fromHashedHolder = CredentialsHolder(std::string(sampleHash), true);
3a338f79	125	BOOST_CHECK(fromHashedHolder.wasHashed());
64c4f83c	126	BOOST_CHECK(fromHashedHolder.isHashed());
3a338f79 RG	127	BOOST_CHECK(fromHashedHolder.matches(plaintext));
3a338f79 RG	128	BOOST_CHECK(!fromHashedHolder.matches("not test"));
64c4f83c RG	129
	130	auto fromPlaintextHolder = CredentialsHolder(std::string(plaintext), true);
	131	BOOST_CHECK(!fromPlaintextHolder.wasHashed());
	132	BOOST_CHECK(fromPlaintextHolder.isHashed());
	133	BOOST_CHECK(fromPlaintextHolder.matches(plaintext));
	134	BOOST_CHECK(!fromPlaintextHolder.matches("not test"));
3a338f79 RG	135	#else
	136	BOOST_CHECK(!CredentialsHolder::isHashingAvailable());
	137	#endif
	138	}
	139
71f6572a RG	140	BOOST_AUTO_TEST_CASE(test_SensitiveData)
	141	{
	142	size_t bytes = 16;
	143	SensitiveData data(bytes);
	144	BOOST_CHECK_EQUAL(data.getString().size(), bytes);
	145
	146	SensitiveData data2("test");
	147	data2 = std::move(data);
	148	BOOST_CHECK_EQUAL(data2.getString().size(), bytes);
	149	BOOST_CHECK_EQUAL(data.getString().size(), 0U);
	150
	151	data2.clear();
	152	BOOST_CHECK_EQUAL(data2.getString().size(), 0U);
	153	}
	154
3a338f79	155	BOOST_AUTO_TEST_SUITE_END()