"""passlib.tests.test_handlers - tests for passlib hash algorithms""" #============================================================================= # imports #============================================================================= from __future__ import with_statement # core import logging; log = logging.getLogger(__name__) import os import sys import warnings # site # pkg from passlib import hash from passlib.utils import repeat_string from passlib.utils.compat import irange, PY3, u, get_method_function from passlib.tests.utils import TestCase, HandlerCase, skipUnless, \ TEST_MODE, UserHandlerMixin, EncodingHandlerMixin # module #============================================================================= # constants & support #============================================================================= # some common unicode passwords which used as test cases UPASS_WAV = u('\u0399\u03c9\u03b1\u03bd\u03bd\u03b7\u03c2') UPASS_USD = u("\u20AC\u00A5$") UPASS_TABLE = u("t\u00e1\u0411\u2113\u0259") PASS_TABLE_UTF8 = b't\xc3\xa1\xd0\x91\xe2\x84\x93\xc9\x99' # utf-8 # handlers which support multiple backends, but don't have multi-backend tests. _omitted_backend_tests = ["django_bcrypt", "django_bcrypt_sha256", "django_argon2"] #: modules where get_handler_case() should search for test cases. _handler_test_modules = [ "test_handlers", "test_handlers_argon2", "test_handlers_bcrypt", "test_handlers_cisco", "test_handlers_django", "test_handlers_pbkdf2", "test_handlers_scrypt", ] def get_handler_case(scheme): """return HandlerCase instance for scheme, used by other tests""" from passlib.registry import get_crypt_handler handler = get_crypt_handler(scheme) if hasattr(handler, "backends") and scheme not in _omitted_backend_tests: # NOTE: will throw MissingBackendError if none are installed. backend = handler.get_backend() name = "%s_%s_test" % (scheme, backend) else: name = "%s_test" % scheme for module in _handler_test_modules: modname = "passlib.tests." + module __import__(modname) mod = sys.modules[modname] try: return getattr(mod, name) except AttributeError: pass raise KeyError("test case %r not found" % name) #: hashes which there may not be a backend available for, #: and get_handler_case() may (correctly) throw a MissingBackendError conditionally_available_hashes = ["argon2", "bcrypt", "bcrypt_sha256"] #============================================================================= # apr md5 crypt #============================================================================= class apr_md5_crypt_test(HandlerCase): handler = hash.apr_md5_crypt known_correct_hashes = [ # # http://httpd.apache.org/docs/2.2/misc/password_encryptions.html # ('myPassword', '$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/'), # # custom # # ensures utf-8 used for unicode (UPASS_TABLE, '$apr1$bzYrOHUx$a1FcpXuQDJV3vPY20CS6N1'), ] known_malformed_hashes = [ # bad char in otherwise correct hash ----\/ '$apr1$r31.....$HqJZimcKQFAMYayBlzkrA!' ] #============================================================================= # bigcrypt #============================================================================= class bigcrypt_test(HandlerCase): handler = hash.bigcrypt # TODO: find an authoritative source of test vectors known_correct_hashes = [ # # various docs & messages on the web. # ("passphrase", "qiyh4XPJGsOZ2MEAyLkfWqeQ"), ("This is very long passwd", "f8.SVpL2fvwjkAnxn8/rgTkwvrif6bjYB5c"), # # custom # # ensures utf-8 used for unicode (UPASS_TABLE, 'SEChBAyMbMNhgGLyP7kD1HZU'), ] known_unidentified_hashes = [ # one char short (10 % 11) "qiyh4XPJGsOZ2MEAyLkfWqe" # one char too many (1 % 11) "f8.SVpL2fvwjkAnxn8/rgTkwvrif6bjYB5cd" ] # omit des_crypt from known_other since it's a valid bigcrypt hash too. known_other_hashes = [row for row in HandlerCase.known_other_hashes if row[0] != "des_crypt"] def test_90_internal(self): # check that _norm_checksum() also validates checksum size. # (current code uses regex in parser) self.assertRaises(ValueError, hash.bigcrypt, use_defaults=True, checksum=u('yh4XPJGsOZ')) #============================================================================= # bsdi crypt #============================================================================= class _bsdi_crypt_test(HandlerCase): """test BSDiCrypt algorithm""" handler = hash.bsdi_crypt known_correct_hashes = [ # # from JTR 1.7.9 # ('U*U*U*U*', '_J9..CCCCXBrJUJV154M'), ('U*U***U', '_J9..CCCCXUhOBTXzaiE'), ('U*U***U*', '_J9..CCCC4gQ.mB/PffM'), ('*U*U*U*U', '_J9..XXXXvlzQGqpPPdk'), ('*U*U*U*U*', '_J9..XXXXsqM/YSSP..Y'), ('*U*U*U*U*U*U*U*U', '_J9..XXXXVL7qJCnku0I'), ('*U*U*U*U*U*U*U*U*', '_J9..XXXXAj8cFbP5scI'), ('ab1234567', '_J9..SDizh.vll5VED9g'), ('cr1234567', '_J9..SDizRjWQ/zePPHc'), ('zxyDPWgydbQjgq', '_J9..SDizxmRI1GjnQuE'), ('726 even', '_K9..SaltNrQgIYUAeoY'), ('', '_J9..SDSD5YGyRCr4W4c'), # # custom # (" ", "_K1..crsmZxOLzfJH8iw"), ("my", '_KR/.crsmykRplHbAvwA'), # <-- to detect old 12-bit rounds bug ("my socra", "_K1..crsmf/9NzZr1fLM"), ("my socrates", '_K1..crsmOv1rbde9A9o'), ("my socrates note", "_K1..crsm/2qeAhdISMA"), # ensures utf-8 used for unicode (UPASS_TABLE, '_7C/.ABw0WIKy0ILVqo2'), ] known_unidentified_hashes = [ # bad char in otherwise correctly formatted hash # \/ "_K1.!crsmZxOLzfJH8iw" ] platform_crypt_support = [ ("freebsd|openbsd|netbsd|darwin", True), ("linux|solaris", False), ] def test_77_fuzz_input(self, **kwds): # we want to generate even rounds to verify it's correct, but want to ignore warnings warnings.filterwarnings("ignore", "bsdi_crypt rounds should be odd.*") super(_bsdi_crypt_test, self).test_77_fuzz_input(**kwds) def test_needs_update_w_even_rounds(self): """needs_update() should flag even rounds""" handler = self.handler even_hash = '_Y/../cG0zkJa6LY6k4c' odd_hash = '_Z/..TgFg0/ptQtpAgws' secret = 'test' # don't issue warning self.assertTrue(handler.verify(secret, even_hash)) self.assertTrue(handler.verify(secret, odd_hash)) # *do* signal as needing updates self.assertTrue(handler.needs_update(even_hash)) self.assertFalse(handler.needs_update(odd_hash)) # new hashes shouldn't have even rounds new_hash = handler.hash("stub") self.assertFalse(handler.needs_update(new_hash)) # create test cases for specific backends bsdi_crypt_os_crypt_test = _bsdi_crypt_test.create_backend_case("os_crypt") bsdi_crypt_builtin_test = _bsdi_crypt_test.create_backend_case("builtin") #============================================================================= # crypt16 #============================================================================= class crypt16_test(HandlerCase): handler = hash.crypt16 # TODO: find an authortative source of test vectors known_correct_hashes = [ # # from messages around the web, including # http://seclists.org/bugtraq/1999/Mar/76 # ("passphrase", "qi8H8R7OM4xMUNMPuRAZxlY."), ("printf", "aaCjFz4Sh8Eg2QSqAReePlq6"), ("printf", "AA/xje2RyeiSU0iBY3PDwjYo"), ("LOLOAQICI82QB4IP", "/.FcK3mad6JwYt8LVmDqz9Lc"), ("LOLOAQICI", "/.FcK3mad6JwYSaRHJoTPzY2"), ("LOLOAQIC", "/.FcK3mad6JwYelhbtlysKy6"), ("L", "/.CIu/PzYCkl6elhbtlysKy6"), # # custom # # ensures utf-8 used for unicode (UPASS_TABLE, 'YeDc9tKkkmDvwP7buzpwhoqQ'), ] #============================================================================= # des crypt #============================================================================= class _des_crypt_test(HandlerCase): """test des-crypt algorithm""" handler = hash.des_crypt known_correct_hashes = [ # # from JTR 1.7.9 # ('U*U*U*U*', 'CCNf8Sbh3HDfQ'), ('U*U***U', 'CCX.K.MFy4Ois'), ('U*U***U*', 'CC4rMpbg9AMZ.'), ('*U*U*U*U', 'XXxzOu6maQKqQ'), ('', 'SDbsugeBiC58A'), # # custom # ('', 'OgAwTx2l6NADI'), (' ', '/Hk.VPuwQTXbc'), ('test', 'N1tQbOFcM5fpg'), ('Compl3X AlphaNu3meric', 'um.Wguz3eVCx2'), ('4lpHa N|_|M3r1K W/ Cur5Es: #$%(*)(*%#', 'sNYqfOyauIyic'), ('AlOtBsOl', 'cEpWz5IUCShqM'), # ensures utf-8 used for unicode (u('hell\u00D6'), 'saykDgk3BPZ9E'), ] known_unidentified_hashes = [ # bad char in otherwise correctly formatted hash #\/ '!gAwTx2l6NADI', # wrong size 'OgAwTx2l6NAD', 'OgAwTx2l6NADIj', ] platform_crypt_support = [ ("freebsd|openbsd|netbsd|linux|solaris|darwin", True), ] # create test cases for specific backends des_crypt_os_crypt_test = _des_crypt_test.create_backend_case("os_crypt") des_crypt_builtin_test = _des_crypt_test.create_backend_case("builtin") #============================================================================= # fshp #============================================================================= class fshp_test(HandlerCase): """test fshp algorithm""" handler = hash.fshp known_correct_hashes = [ # # test vectors from FSHP reference implementation # https://github.com/bdd/fshp-is-not-secure-anymore/blob/master/python/test.py # ('test', '{FSHP0|0|1}qUqP5cyxm6YcTAhz05Hph5gvu9M='), ('test', '{FSHP1|8|4096}MTIzNDU2NzjTdHcmoXwNc0f' 'f9+ArUHoN0CvlbPZpxFi1C6RDM/MHSA==' ), ('OrpheanBeholderScryDoubt', '{FSHP1|8|4096}GVSUFDAjdh0vBosn1GUhz' 'GLHP7BmkbCZVH/3TQqGIjADXpc+6NCg3g==' ), ('ExecuteOrder66', '{FSHP3|16|8192}0aY7rZQ+/PR+Rd5/I9ss' 'RM7cjguyT8ibypNaSp/U1uziNO3BVlg5qPU' 'ng+zHUDQC3ao/JbzOnIBUtAeWHEy7a2vZeZ' '7jAwyJJa2EqOsq4Io=' ), # # custom # # ensures utf-8 used for unicode (UPASS_TABLE, '{FSHP1|16|16384}9v6/l3Lu/d9by5nznpOS' 'cqQo8eKu/b/CKli3RCkgYg4nRTgZu5y659YV8cCZ68UL'), ] known_unidentified_hashes = [ # incorrect header '{FSHX0|0|1}qUqP5cyxm6YcTAhz05Hph5gvu9M=', 'FSHP0|0|1}qUqP5cyxm6YcTAhz05Hph5gvu9M=', ] known_malformed_hashes = [ # bad base64 padding '{FSHP0|0|1}qUqP5cyxm6YcTAhz05Hph5gvu9M', # wrong salt size '{FSHP0|1|1}qUqP5cyxm6YcTAhz05Hph5gvu9M=', # bad rounds '{FSHP0|0|A}qUqP5cyxm6YcTAhz05Hph5gvu9M=', ] def test_90_variant(self): """test variant keyword""" handler = self.handler kwds = dict(salt=b'a', rounds=1) # accepts ints handler(variant=1, **kwds) # accepts bytes or unicode handler(variant=u('1'), **kwds) handler(variant=b'1', **kwds) # aliases handler(variant=u('sha256'), **kwds) handler(variant=b'sha256', **kwds) # rejects None self.assertRaises(TypeError, handler, variant=None, **kwds) # rejects other types self.assertRaises(TypeError, handler, variant=complex(1,1), **kwds) # invalid variant self.assertRaises(ValueError, handler, variant='9', **kwds) self.assertRaises(ValueError, handler, variant=9, **kwds) #============================================================================= # hex digests #============================================================================= class hex_md4_test(HandlerCase): handler = hash.hex_md4 known_correct_hashes = [ ("password", '8a9d093f14f8701df17732b2bb182c74'), (UPASS_TABLE, '876078368c47817ce5f9115f3a42cf74'), ] class hex_md5_test(HandlerCase): handler = hash.hex_md5 known_correct_hashes = [ ("password", '5f4dcc3b5aa765d61d8327deb882cf99'), (UPASS_TABLE, '05473f8a19f66815e737b33264a0d0b0'), ] class hex_sha1_test(HandlerCase): handler = hash.hex_sha1 known_correct_hashes = [ ("password", '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'), (UPASS_TABLE, 'e059b2628e3a3e2de095679de9822c1d1466e0f0'), ] class hex_sha256_test(HandlerCase): handler = hash.hex_sha256 known_correct_hashes = [ ("password", '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8'), (UPASS_TABLE, '6ed729e19bf24d3d20f564375820819932029df05547116cfc2cc868a27b4493'), ] class hex_sha512_test(HandlerCase): handler = hash.hex_sha512 known_correct_hashes = [ ("password", 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c' '706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cac' 'bc86'), (UPASS_TABLE, 'd91bb0a23d66dca07a1781fd63ae6a05f6919ee5fc368049f350c9f' '293b078a18165d66097cf0d89fdfbeed1ad6e7dba2344e57348cd6d51308c843a06f' '29caf'), ] #============================================================================= # htdigest hash #============================================================================= class htdigest_test(UserHandlerMixin, HandlerCase): handler = hash.htdigest known_correct_hashes = [ # secret, user, realm # from RFC 2617 (("Circle Of Life", "Mufasa", "testrealm@host.com"), '939e7578ed9e3c518a452acee763bce9'), # custom ((UPASS_TABLE, UPASS_USD, UPASS_WAV), '4dabed2727d583178777fab468dd1f17'), ] known_unidentified_hashes = [ # bad char \/ - currently rejecting upper hex chars, may change '939e7578edAe3c518a452acee763bce9', # bad char \/ '939e7578edxe3c518a452acee763bce9', ] def test_80_user(self): raise self.skipTest("test case doesn't support 'realm' keyword") def populate_context(self, secret, kwds): """insert username into kwds""" if isinstance(secret, tuple): secret, user, realm = secret else: user, realm = "user", "realm" kwds.setdefault("user", user) kwds.setdefault("realm", realm) return secret #============================================================================= # ldap hashes #============================================================================= class ldap_md5_test(HandlerCase): handler = hash.ldap_md5 known_correct_hashes = [ ("helloworld", '{MD5}/F4DjTilcDIIVEHn/nAQsA=='), (UPASS_TABLE, '{MD5}BUc/ihn2aBXnN7MyZKDQsA=='), ] class ldap_sha1_test(HandlerCase): handler = hash.ldap_sha1 known_correct_hashes = [ ("helloworld", '{SHA}at+xg6SiyUovktq1redipHiJpaE='), (UPASS_TABLE, '{SHA}4FmyYo46Pi3glWed6YIsHRRm4PA='), ] class ldap_salted_md5_test(HandlerCase): handler = hash.ldap_salted_md5 known_correct_hashes = [ ("testing1234", '{SMD5}UjFY34os/pnZQ3oQOzjqGu4yeXE='), (UPASS_TABLE, '{SMD5}Z0ioJ58LlzUeRxm3K6JPGAvBGIM='), # alternate salt sizes (8, 15, 16) ('test', '{SMD5}LnuZPJhiaY95/4lmVFpg548xBsD4P4cw'), ('test', '{SMD5}XRlncfRzvGi0FDzgR98tUgBg7B3jXOs9p9S615qTkg=='), ('test', '{SMD5}FbAkzOMOxRbMp6Nn4hnZuel9j9Gas7a2lvI+x5hT6j0='), ] known_malformed_hashes = [ # salt too small (3) '{SMD5}IGVhwK+anvspmfDt2t0vgGjt/Q==', # incorrect base64 encoding '{SMD5}LnuZPJhiaY95/4lmVFpg548xBsD4P4c', '{SMD5}LnuZPJhiaY95/4lmVFpg548xBsD4P4cw' '{SMD5}LnuZPJhiaY95/4lmVFpg548xBsD4P4cw=', '{SMD5}LnuZPJhiaY95/4lmV=pg548xBsD4P4cw', '{SMD5}LnuZPJhiaY95/4lmVFpg548xBsD4P===', ] class ldap_salted_sha1_test(HandlerCase): handler = hash.ldap_salted_sha1 known_correct_hashes = [ ("testing123", '{SSHA}0c0blFTXXNuAMHECS4uxrj3ZieMoWImr'), ("secret", "{SSHA}0H+zTv8o4MR4H43n03eCsvw1luG8LdB7"), (UPASS_TABLE, '{SSHA}3yCSD1nLZXznra4N8XzZgAL+s1sQYsx5'), # alternate salt sizes (8, 15, 16) ('test', '{SSHA}P90+qijSp8MJ1tN25j5o1PflUvlqjXHOGeOckw=='), ('test', '{SSHA}/ZMF5KymNM+uEOjW+9STKlfCFj51bg3BmBNCiPHeW2ttbU0='), ('test', '{SSHA}Pfx6Vf48AT9x3FVv8znbo8WQkEVSipHSWovxXmvNWUvp/d/7'), ] known_malformed_hashes = [ # salt too small (3) '{SSHA}ZQK3Yvtvl6wtIRoISgMGPkcWU7Nfq5U=', # incorrect base64 encoding '{SSHA}P90+qijSp8MJ1tN25j5o1PflUvlqjXHOGeOck', '{SSHA}P90+qijSp8MJ1tN25j5o1PflUvlqjXHOGeOckw=', '{SSHA}P90+qijSp8MJ1tN25j5o1Pf=UvlqjXHOGeOckw==', '{SSHA}P90+qijSp8MJ1tN25j5o1PflUvlqjXHOGeOck===', ] class ldap_plaintext_test(HandlerCase): # TODO: integrate EncodingHandlerMixin handler = hash.ldap_plaintext known_correct_hashes = [ ("password", 'password'), (UPASS_TABLE, UPASS_TABLE if PY3 else PASS_TABLE_UTF8), (PASS_TABLE_UTF8, UPASS_TABLE if PY3 else PASS_TABLE_UTF8), ] known_unidentified_hashes = [ "{FOO}bar", # NOTE: this hash currently rejects the empty string. "", ] known_other_hashes = [ ("ldap_md5", "{MD5}/F4DjTilcDIIVEHn/nAQsA==") ] class FuzzHashGenerator(HandlerCase.FuzzHashGenerator): def random_password(self): # NOTE: this hash currently rejects the empty string. while True: pwd = super(ldap_plaintext_test.FuzzHashGenerator, self).random_password() if pwd: return pwd class _ldap_md5_crypt_test(HandlerCase): # NOTE: since the ldap_{crypt} handlers are all wrappers, don't need # separate test; this is just to test the codebase end-to-end handler = hash.ldap_md5_crypt known_correct_hashes = [ # # custom # ('', '{CRYPT}$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o.'), (' ', '{CRYPT}$1$m/5ee7ol$bZn0kIBFipq39e.KDXX8I0'), ('test', '{CRYPT}$1$ec6XvcoW$ghEtNK2U1MC5l.Dwgi3020'), ('Compl3X AlphaNu3meric', '{CRYPT}$1$nX1e7EeI$ljQn72ZUgt6Wxd9hfvHdV0'), ('4lpHa N|_|M3r1K W/ Cur5Es: #$%(*)(*%#', '{CRYPT}$1$jQS7o98J$V6iTcr71CGgwW2laf17pi1'), ('test', '{CRYPT}$1$SuMrG47N$ymvzYjr7QcEQjaK5m1PGx1'), # ensures utf-8 used for unicode (UPASS_TABLE, '{CRYPT}$1$d6/Ky1lU$/xpf8m7ftmWLF.TjHCqel0'), ] known_malformed_hashes = [ # bad char in otherwise correct hash '{CRYPT}$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o!', ] # create test cases for specific backends ldap_md5_crypt_os_crypt_test =_ldap_md5_crypt_test.create_backend_case("os_crypt") ldap_md5_crypt_builtin_test =_ldap_md5_crypt_test.create_backend_case("builtin") class _ldap_sha1_crypt_test(HandlerCase): # NOTE: this isn't for testing the hash (see ldap_md5_crypt note) # but as a self-test of the os_crypt patching code in HandlerCase. handler = hash.ldap_sha1_crypt known_correct_hashes = [ ('password', '{CRYPT}$sha1$10$c.mcTzCw$gF8UeYst9yXX7WNZKc5Fjkq0.au7'), (UPASS_TABLE, '{CRYPT}$sha1$10$rnqXlOsF$aGJf.cdRPewJAXo1Rn1BkbaYh0fP'), ] def populate_settings(self, kwds): kwds.setdefault("rounds", 10) super(_ldap_sha1_crypt_test, self).populate_settings(kwds) def test_77_fuzz_input(self): raise self.skipTest("unneeded") # create test cases for specific backends ldap_sha1_crypt_os_crypt_test = _ldap_sha1_crypt_test.create_backend_case("os_crypt") #============================================================================= # lanman #============================================================================= class lmhash_test(EncodingHandlerMixin, HandlerCase): handler = hash.lmhash secret_case_insensitive = True known_correct_hashes = [ # # http://msdn.microsoft.com/en-us/library/cc245828(v=prot.10).aspx # ("OLDPASSWORD", "c9b81d939d6fd80cd408e6b105741864"), ("NEWPASSWORD", '09eeab5aa415d6e4d408e6b105741864'), ("welcome", "c23413a8a1e7665faad3b435b51404ee"), # # custom # ('', 'aad3b435b51404eeaad3b435b51404ee'), ('zzZZZzz', 'a5e6066de61c3e35aad3b435b51404ee'), ('passphrase', '855c3697d9979e78ac404c4ba2c66533'), ('Yokohama', '5ecd9236d21095ce7584248b8d2c9f9e'), # ensures cp437 used for unicode (u('ENCYCLOP\xC6DIA'), 'fed6416bffc9750d48462b9d7aaac065'), (u('encyclop\xE6dia'), 'fed6416bffc9750d48462b9d7aaac065'), # test various encoding values ((u("\xC6"), None), '25d8ab4a0659c97aaad3b435b51404ee'), ((u("\xC6"), "cp437"), '25d8ab4a0659c97aaad3b435b51404ee'), ((u("\xC6"), "latin-1"), '184eecbbe9991b44aad3b435b51404ee'), ((u("\xC6"), "utf-8"), '00dd240fcfab20b8aad3b435b51404ee'), ] known_unidentified_hashes = [ # bad char in otherwise correct hash '855c3697d9979e78ac404c4ba2c6653X', ] def test_90_raw(self): """test lmhash.raw() method""" from binascii import unhexlify from passlib.utils.compat import str_to_bascii lmhash = self.handler for secret, hash in self.known_correct_hashes: kwds = {} secret = self.populate_context(secret, kwds) data = unhexlify(str_to_bascii(hash)) self.assertEqual(lmhash.raw(secret, **kwds), data) self.assertRaises(TypeError, lmhash.raw, 1) #============================================================================= # md5 crypt #============================================================================= class _md5_crypt_test(HandlerCase): handler = hash.md5_crypt known_correct_hashes = [ # # from JTR 1.7.9 # ('U*U*U*U*', '$1$dXc3I7Rw$ctlgjDdWJLMT.qwHsWhXR1'), ('U*U***U', '$1$dXc3I7Rw$94JPyQc/eAgQ3MFMCoMF.0'), ('U*U***U*', '$1$dXc3I7Rw$is1mVIAEtAhIzSdfn5JOO0'), ('*U*U*U*U', '$1$eQT9Hwbt$XtuElNJD.eW5MN5UCWyTQ0'), ('', '$1$Eu.GHtia$CFkL/nE1BYTlEPiVx1VWX0'), # # custom # # NOTE: would need to patch HandlerCase to coerce hashes # to native str for this first one to work under py3. ## ('', b('$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o.')), ('', '$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o.'), (' ', '$1$m/5ee7ol$bZn0kIBFipq39e.KDXX8I0'), ('test', '$1$ec6XvcoW$ghEtNK2U1MC5l.Dwgi3020'), ('Compl3X AlphaNu3meric', '$1$nX1e7EeI$ljQn72ZUgt6Wxd9hfvHdV0'), ('4lpHa N|_|M3r1K W/ Cur5Es: #$%(*)(*%#', '$1$jQS7o98J$V6iTcr71CGgwW2laf17pi1'), ('test', '$1$SuMrG47N$ymvzYjr7QcEQjaK5m1PGx1'), (b'test', '$1$SuMrG47N$ymvzYjr7QcEQjaK5m1PGx1'), (u('s'), '$1$ssssssss$YgmLTApYTv12qgTwBoj8i/'), # ensures utf-8 used for unicode (UPASS_TABLE, '$1$d6/Ky1lU$/xpf8m7ftmWLF.TjHCqel0'), ] known_malformed_hashes = [ # bad char in otherwise correct hash \/ '$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o!', # too many fields '$1$dOHYPKoP$tnxS1T8Q6VVn3kpV8cN6o.$', ] platform_crypt_support = [ ("freebsd|openbsd|netbsd|linux|solaris", True), ("darwin", False), ] # create test cases for specific backends md5_crypt_os_crypt_test = _md5_crypt_test.create_backend_case("os_crypt") md5_crypt_builtin_test = _md5_crypt_test.create_backend_case("builtin") #============================================================================= # msdcc 1 & 2 #============================================================================= class msdcc_test(UserHandlerMixin, HandlerCase): handler = hash.msdcc user_case_insensitive = True known_correct_hashes = [ # # http://www.jedge.com/wordpress/windows-password-cache/ # (("Asdf999", "sevans"), "b1176c2587478785ec1037e5abc916d0"), # # http://infosecisland.com/blogview/12156-Cachedump-for-Meterpreter-in-Action.html # (("ASDqwe123", "jdoe"), "592cdfbc3f1ef77ae95c75f851e37166"), # # http://comments.gmane.org/gmane.comp.security.openwall.john.user/1917 # (("test1", "test1"), "64cd29e36a8431a2b111378564a10631"), (("test2", "test2"), "ab60bdb4493822b175486810ac2abe63"), (("test3", "test3"), "14dd041848e12fc48c0aa7a416a4a00c"), (("test4", "test4"), "b945d24866af4b01a6d89b9d932a153c"), # # http://ciscoit.wordpress.com/2011/04/13/metasploit-hashdump-vs-cachedump/ # (("1234qwer!@#$", "Administrator"), "7b69d06ef494621e3f47b9802fe7776d"), # # http://www.securiteam.com/tools/5JP0I2KFPA.html # (("password", "user"), "2d9f0b052932ad18b87f315641921cda"), # # from JTR 1.7.9 # (("", "root"), "176a4c2bd45ac73687676c2f09045353"), (("test1", "TEST1"), "64cd29e36a8431a2b111378564a10631"), (("okolada", "nineteen_characters"), "290efa10307e36a79b3eebf2a6b29455"), ((u("\u00FC"), u("\u00FC")), "48f84e6f73d6d5305f6558a33fa2c9bb"), ((u("\u00FC\u00FC"), u("\u00FC\u00FC")), "593246a8335cf0261799bda2a2a9c623"), ((u("\u20AC\u20AC"), "user"), "9121790702dda0fa5d353014c334c2ce"), # # custom # # ensures utf-8 used for unicode ((UPASS_TABLE, 'bob'), 'fcb82eb4212865c7ac3503156ca3f349'), ] known_alternate_hashes = [ # check uppercase accepted. ("B1176C2587478785EC1037E5ABC916D0", ("Asdf999", "sevans"), "b1176c2587478785ec1037e5abc916d0"), ] class msdcc2_test(UserHandlerMixin, HandlerCase): handler = hash.msdcc2 user_case_insensitive = True known_correct_hashes = [ # # from JTR 1.7.9 # (("test1", "test1"), "607bbe89611e37446e736f7856515bf8"), (("qerwt", "Joe"), "e09b38f84ab0be586b730baf61781e30"), (("12345", "Joe"), "6432f517a900b3fc34ffe57f0f346e16"), (("", "bin"), "c0cbe0313a861062e29f92ede58f9b36"), (("w00t", "nineteen_characters"), "87136ae0a18b2dafe4a41d555425b2ed"), (("w00t", "eighteencharacters"), "fc5df74eca97afd7cd5abb0032496223"), (("longpassword", "twentyXXX_characters"), "cfc6a1e33eb36c3d4f84e4c2606623d2"), (("longpassword", "twentyoneX_characters"), "99ff74cea552799da8769d30b2684bee"), (("longpassword", "twentytwoXX_characters"), "0a721bdc92f27d7fb23b87a445ec562f"), (("test2", "TEST2"), "c6758e5be7fc943d00b97972a8a97620"), (("test3", "test3"), "360e51304a2d383ea33467ab0b639cc4"), (("test4", "test4"), "6f79ee93518306f071c47185998566ae"), ((u("\u00FC"), "joe"), "bdb80f2c4656a8b8591bd27d39064a54"), ((u("\u20AC\u20AC"), "joe"), "1e1e20f482ff748038e47d801d0d1bda"), ((u("\u00FC\u00FC"), "admin"), "0839e4a07c00f18a8c65cf5b985b9e73"), # # custom # # custom unicode test ((UPASS_TABLE, 'bob'), 'cad511dc9edefcf69201da72efb6bb55'), ] #============================================================================= # mssql 2000 & 2005 #============================================================================= class mssql2000_test(HandlerCase): handler = hash.mssql2000 secret_case_insensitive = "verify-only" # FIXME: fix UT framework - this hash is sensitive to password case, but verify() is not known_correct_hashes = [ # # http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html # ('Test', '0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A'), ('TEST', '0x010034767D5C2FD54D6119FFF04129A1D72E7C3194F7284A7F3A2FD54D6119FFF04129A1D72E7C3194F7284A7F3A'), # # http://www.sqlmag.com/forums/aft/68438 # ('x', '0x010086489146C46DD7318D2514D1AC706457CBF6CD3DF8407F071DB4BBC213939D484BF7A766E974F03C96524794'), # # http://stackoverflow.com/questions/173329/how-to-decrypt-a-password-from-sql-server # ('AAAA', '0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D12625EF019E157120D58DD46569AC7BF4118455D'), # # http://msmvps.com/blogs/gladchenko/archive/2005/04/06/41083.aspx # ('123', '0x01002D60BA07FE612C8DE537DF3BFCFA49CD9968324481C1A8A8FE612C8DE537DF3BFCFA49CD9968324481C1A8A8'), # # http://www.simple-talk.com/sql/t-sql-programming/temporarily-changing-an-unknown-password-of-the-sa-account-/ # ('12345', '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3'), # # XXX: sample is incomplete, password unknown # https://anthonystechblog.wordpress.com/2011/04/20/password-encryption-in-sql-server-how-to-tell-if-a-user-is-using-a-weak-password/ # (????, '0x0100813F782D66EF15E40B1A3FDF7AB88B322F51401A87D8D3E3A8483C4351A3D96FC38499E6CDD2B6F?????????'), # # # from JTR 1.7.9 # ('foo', '0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254'), ('bar', '0x01000508513EADDF6DB7DDD270CCA288BF097F2FF69CC2DB74FBB9644D6901764F999BAB9ECB80DE578D92E3F80D'), ('canard', '0x01008408C523CF06DCB237835D701C165E68F9460580132E28ED8BC558D22CEDF8801F4503468A80F9C52A12C0A3'), ('lapin', '0x0100BF088517935FC9183FE39FDEC77539FD5CB52BA5F5761881E5B9638641A79DBF0F1501647EC941F3355440A2'), # # custom # # ensures utf-8 used for unicode (UPASS_USD, '0x0100624C0961B28E39FEE13FD0C35F57B4523F0DA1861C11D5A5B28E39FEE13FD0C35F57B4523F0DA1861C11D5A5'), (UPASS_TABLE, '0x010083104228FAD559BE52477F2131E538BE9734E5C4B0ADEFD7F6D784B03C98585DC634FE2B8CA3A6DFFEC729B4'), ] known_alternate_hashes = [ # lower case hex ('0x01005b20054332752e1bc2e7c5df0f9ebfe486e9bee063e8d3b332752e1bc2e7c5df0f9ebfe486e9bee063e8d3b3', '12345', '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3'), ] known_unidentified_hashes = [ # malformed start '0X01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3', # wrong magic value '0x02005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3', # wrong size '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3', '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3AF', # mssql2005 '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3', ] known_malformed_hashes = [ # non-hex char -----\/ b'0x01005B200543327G2E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3', u('0x01005B200543327G2E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3'), ] class mssql2005_test(HandlerCase): handler = hash.mssql2005 known_correct_hashes = [ # # http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html # ('TEST', '0x010034767D5C2FD54D6119FFF04129A1D72E7C3194F7284A7F3A'), # # http://www.openwall.com/lists/john-users/2009/07/14/2 # ('toto', '0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908'), # # http://msmvps.com/blogs/gladchenko/archive/2005/04/06/41083.aspx # ('123', '0x01004A335DCEDB366D99F564D460B1965B146D6184E4E1025195'), ('123', '0x0100E11D573F359629B344990DCD3D53DE82CF8AD6BBA7B638B6'), # # XXX: password unknown # http://www.simple-talk.com/sql/t-sql-programming/temporarily-changing-an-unknown-password-of-the-sa-account-/ # (???, '0x01004086CEB6301EEC0A994E49E30DA235880057410264030797'), # # # http://therelentlessfrontend.com/2010/03/26/encrypting-and-decrypting-passwords-in-sql-server/ # ('AAAA', '0x010036D726AE86834E97F20B198ACD219D60B446AC5E48C54F30'), # # from JTR 1.7.9 # ("toto", "0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908"), ("titi", "0x01004086CEB60ED526885801C23B366965586A43D3DEAC6DD3FD"), ("foo", "0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8"), ("bar", "0x01000508513EADDF6DB7DDD270CCA288BF097F2FF69CC2DB74FB"), ("canard", "0x01008408C523CF06DCB237835D701C165E68F9460580132E28ED"), ("lapin", "0x0100BF088517935FC9183FE39FDEC77539FD5CB52BA5F5761881"), # # adapted from mssql2000.known_correct_hashes (above) # ('Test', '0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341'), ('Test', '0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F'), ('x', '0x010086489146C46DD7318D2514D1AC706457CBF6CD3DF8407F07'), ('AAAA', '0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D'), ('123', '0x01002D60BA07FE612C8DE537DF3BFCFA49CD9968324481C1A8A8'), ('12345', '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3'), # # custom # # ensures utf-8 used for unicode (UPASS_USD, '0x0100624C0961B28E39FEE13FD0C35F57B4523F0DA1861C11D5A5'), (UPASS_TABLE, '0x010083104228FAD559BE52477F2131E538BE9734E5C4B0ADEFD7'), ] known_alternate_hashes = [ # lower case hex ('0x01005b20054332752e1bc2e7c5df0f9ebfe486e9bee063e8d3b3', '12345', '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3'), ] known_unidentified_hashes = [ # malformed start '0X010036D726AE86834E97F20B198ACD219D60B446AC5E48C54F30', # wrong magic value '0x020036D726AE86834E97F20B198ACD219D60B446AC5E48C54F30', # wrong size '0x010036D726AE86834E97F20B198ACD219D60B446AC5E48C54F', '0x010036D726AE86834E97F20B198ACD219D60B446AC5E48C54F3012', # mssql2000 '0x01005B20054332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B332752E1BC2E7C5DF0F9EBFE486E9BEE063E8D3B3', ] known_malformed_hashes = [ # non-hex char --\/ '0x010036D726AE86G34E97F20B198ACD219D60B446AC5E48C54F30', ] #============================================================================= # mysql 323 & 41 #============================================================================= class mysql323_test(HandlerCase): handler = hash.mysql323 known_correct_hashes = [ # # from JTR 1.7.9 # ('drew', '697a7de87c5390b2'), ('password', "5d2e19393cc5ef67"), # # custom # ('mypass', '6f8c114b58f2ce9e'), # ensures utf-8 used for unicode (UPASS_TABLE, '4ef327ca5491c8d7'), ] known_unidentified_hashes = [ # bad char in otherwise correct hash '6z8c114b58f2ce9e', ] def test_90_whitespace(self): """check whitespace is ignored per spec""" h = self.do_encrypt("mypass") h2 = self.do_encrypt("my pass") self.assertEqual(h, h2) class FuzzHashGenerator(HandlerCase.FuzzHashGenerator): def accept_password_pair(self, secret, other): # override to handle whitespace return secret.replace(" ","") != other.replace(" ","") class mysql41_test(HandlerCase): handler = hash.mysql41 known_correct_hashes = [ # # from JTR 1.7.9 # ('verysecretpassword', '*2C905879F74F28F8570989947D06A8429FB943E6'), ('12345678123456781234567812345678', '*F9F1470004E888963FB466A5452C9CBD9DF6239C'), ("' OR 1 /*'", '*97CF7A3ACBE0CA58D5391AC8377B5D9AC11D46D9'), # # custom # ('mypass', '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4'), # ensures utf-8 used for unicode (UPASS_TABLE, '*E7AFE21A9CFA2FC9D15D942AE8FB5C240FE5837B'), ] known_unidentified_hashes = [ # bad char in otherwise correct hash '*6Z8989366EAF75BB670AD8EA7A7FC1176A95CEF4', ] #============================================================================= # NTHASH #============================================================================= class nthash_test(HandlerCase): handler = hash.nthash known_correct_hashes = [ # # http://msdn.microsoft.com/en-us/library/cc245828(v=prot.10).aspx # ("OLDPASSWORD", u("6677b2c394311355b54f25eec5bfacf5")), ("NEWPASSWORD", u("256781a62031289d3c2c98c14f1efc8c")), # # from JTR 1.7.9 # # ascii ('', '31d6cfe0d16ae931b73c59d7e0c089c0'), ('tigger', 'b7e0ea9fbffcf6dd83086e905089effd'), # utf-8 (b'\xC3\xBC', '8bd6e4fb88e01009818749c5443ea712'), (b'\xC3\xBC\xC3\xBC', 'cc1260adb6985ca749f150c7e0b22063'), (b'\xE2\x82\xAC', '030926b781938db4365d46adc7cfbcb8'), (b'\xE2\x82\xAC\xE2\x82\xAC','682467b963bb4e61943e170a04f7db46'), # # custom # ('passphrase', '7f8fe03093cc84b267b109625f6bbf4b'), ] known_unidentified_hashes = [ # bad char in otherwise correct hash '7f8fe03093cc84b267b109625f6bbfxb', ] class bsd_nthash_test(HandlerCase): handler = hash.bsd_nthash known_correct_hashes = [ ('passphrase', '$3$$7f8fe03093cc84b267b109625f6bbf4b'), (b'\xC3\xBC', '$3$$8bd6e4fb88e01009818749c5443ea712'), ] known_unidentified_hashes = [ # bad char in otherwise correct hash --\/ '$3$$7f8fe03093cc84b267b109625f6bbfxb', ] #============================================================================= # oracle 10 & 11 #============================================================================= class oracle10_test(UserHandlerMixin, HandlerCase): handler = hash.oracle10 secret_case_insensitive = True user_case_insensitive = True # TODO: get more test vectors (especially ones which properly test unicode) known_correct_hashes = [ # ((secret,user),hash) # # http://www.petefinnigan.com/default/default_password_list.htm # (('tiger', 'scott'), 'F894844C34402B67'), ((u('ttTiGGeR'), u('ScO')), '7AA1A84E31ED7771'), (("d_syspw", "SYSTEM"), '1B9F1F9A5CB9EB31'), (("strat_passwd", "strat_user"), 'AEBEDBB4EFB5225B'), # # http://openwall.info/wiki/john/sample-hashes # (('#95LWEIGHTS', 'USER'), '000EA4D72A142E29'), (('CIAO2010', 'ALFREDO'), 'EB026A76F0650F7B'), # # from JTR 1.7.9 # (('GLOUGlou', 'Bob'), 'CDC6B483874B875B'), (('GLOUGLOUTER', 'bOB'), 'EF1F9139DB2D5279'), (('LONG_MOT_DE_PASSE_OUI', 'BOB'), 'EC8147ABB3373D53'), # # custom # ((UPASS_TABLE, 'System'), 'B915A853F297B281'), ] known_unidentified_hashes = [ # bad char in hash --\ 'F894844C34402B6Z', ] class oracle11_test(HandlerCase): handler = hash.oracle11 # TODO: find more test vectors (especially ones which properly test unicode) known_correct_hashes = [ # # from JTR 1.7.9 # ("abc123", "S:5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642"), ("SyStEm123!@#", "S:450F957ECBE075D2FA009BA822A9E28709FBC3DA82B44D284DDABEC14C42"), ("oracle", "S:3437FF72BD69E3FB4D10C750B92B8FB90B155E26227B9AB62D94F54E5951"), ("11g", "S:61CE616647A4F7980AFD7C7245261AF25E0AFE9C9763FCF0D54DA667D4E6"), ("11g", "S:B9E7556F53500C8C78A58F50F24439D79962DE68117654B6700CE7CC71CF"), # # source? # ("SHAlala", "S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C"), # # custom # (UPASS_TABLE, 'S:51586343E429A6DF024B8F242F2E9F8507B1096FACD422E29142AA4974B0'), ] #============================================================================= # PHPass Portable Crypt #============================================================================= class phpass_test(HandlerCase): handler = hash.phpass known_correct_hashes = [ # # from official 0.3 implementation # http://www.openwall.com/phpass/ # ('test12345', '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'), # from the source # # from JTR 1.7.9 # ('test1', '$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00'), ('123456', '$H$9PE8jEklgZhgLmZl5.HYJAzfGCQtzi1'), ('123456', '$H$9pdx7dbOW3Nnt32sikrjAxYFjX8XoK1'), ('thisisalongertestPW', '$P$912345678LIjjb6PhecupozNBmDndU0'), ('JohnRipper', '$P$612345678si5M0DDyPpmRCmcltU/YW/'), ('JohnRipper', '$H$712345678WhEyvy1YWzT4647jzeOmo0'), ('JohnRipper', '$P$B12345678L6Lpt4BxNotVIMILOa9u81'), # # custom # ('', '$P$7JaFQsPzJSuenezefD/3jHgt5hVfNH0'), ('compL3X!', '$P$FiS0N5L672xzQx1rt1vgdJQRYKnQM9/'), # ensures utf-8 used for unicode (UPASS_TABLE, '$P$7SMy8VxnfsIy2Sxm7fJxDSdil.h7TW.'), ] known_malformed_hashes = [ # bad char in otherwise correct hash # ---\/ '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r!L0', ] #============================================================================= # plaintext #============================================================================= class plaintext_test(HandlerCase): # TODO: integrate EncodingHandlerMixin handler = hash.plaintext accepts_all_hashes = True known_correct_hashes = [ ('',''), ('password', 'password'), # ensure unicode uses utf-8 (UPASS_TABLE, UPASS_TABLE if PY3 else PASS_TABLE_UTF8), (PASS_TABLE_UTF8, UPASS_TABLE if PY3 else PASS_TABLE_UTF8), ] #============================================================================= # postgres_md5 #============================================================================= class postgres_md5_test(UserHandlerMixin, HandlerCase): handler = hash.postgres_md5 known_correct_hashes = [ # ((secret,user),hash) # # generated using postgres 8.1 # (('mypass', 'postgres'), 'md55fba2ea04fd36069d2574ea71c8efe9d'), (('mypass', 'root'), 'md540c31989b20437833f697e485811254b'), (("testpassword",'testuser'), 'md5d4fc5129cc2c25465a5370113ae9835f'), # # custom # # verify unicode->utf8 ((UPASS_TABLE, 'postgres'), 'md5cb9f11283265811ce076db86d18a22d2'), ] known_unidentified_hashes = [ # bad 'z' char in otherwise correct hash 'md54zc31989b20437833f697e485811254b', ] #============================================================================= # (netbsd's) sha1 crypt #============================================================================= class _sha1_crypt_test(HandlerCase): handler = hash.sha1_crypt known_correct_hashes = [ # # custom # ("password", "$sha1$19703$iVdJqfSE$v4qYKl1zqYThwpjJAoKX6UvlHq/a"), ("password", "$sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH"), (UPASS_TABLE, '$sha1$40000$uJ3Sp7LE$.VEmLO5xntyRFYihC7ggd3297T/D'), ] known_malformed_hashes = [ # bad char in otherwise correct hash '$sha1$21773$u!7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH', # zero padded rounds '$sha1$01773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH', # too many fields '$sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH$', # empty rounds field '$sha1$$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH$', ] platform_crypt_support = [ ("netbsd", True), ("freebsd|openbsd|linux|solaris|darwin", False), ] # create test cases for specific backends sha1_crypt_os_crypt_test = _sha1_crypt_test.create_backend_case("os_crypt") sha1_crypt_builtin_test = _sha1_crypt_test.create_backend_case("builtin") #============================================================================= # roundup #============================================================================= # NOTE: all roundup hashes use PrefixWrapper, # so there's nothing natively to test. # so we just have a few quick cases... class RoundupTest(TestCase): def _test_pair(self, h, secret, hash): self.assertTrue(h.verify(secret, hash)) self.assertFalse(h.verify('x'+secret, hash)) def test_pairs(self): self._test_pair( hash.ldap_hex_sha1, "sekrit", '{SHA}8d42e738c7adee551324955458b5e2c0b49ee655') self._test_pair( hash.ldap_hex_md5, "sekrit", '{MD5}ccbc53f4464604e714f69dd11138d8b5') self._test_pair( hash.ldap_des_crypt, "sekrit", '{CRYPT}nFia0rj2TT59A') self._test_pair( hash.roundup_plaintext, "sekrit", '{plaintext}sekrit') self._test_pair( hash.ldap_pbkdf2_sha1, "sekrit", '{PBKDF2}5000$7BvbBq.EZzz/O0HuwX3iP.nAG3s$g3oPnFFaga2BJaX5PoPRljl4XIE') #============================================================================= # sha256-crypt #============================================================================= class _sha256_crypt_test(HandlerCase): handler = hash.sha256_crypt known_correct_hashes = [ # # from JTR 1.7.9 # ('U*U*U*U*', '$5$LKO/Ute40T3FNF95$U0prpBQd4PloSGU0pnpM4z9wKn4vZ1.jsrzQfPqxph9'), ('U*U***U', '$5$LKO/Ute40T3FNF95$fdgfoJEBoMajNxCv3Ru9LyQ0xZgv0OBMQoq80LQ/Qd.'), ('U*U***U*', '$5$LKO/Ute40T3FNF95$8Ry82xGnnPI/6HtFYnvPBTYgOL23sdMXn8C29aO.x/A'), ('*U*U*U*U', '$5$9mx1HkCz7G1xho50$O7V7YgleJKLUhcfk9pgzdh3RapEaWqMtEp9UUBAKIPA'), ('', '$5$kc7lRD1fpYg0g.IP$d7CMTcEqJyTXyeq8hTdu/jB/I6DGkoo62NXbHIR7S43'), # # custom tests # ('', '$5$rounds=10428$uy/jIAhCetNCTtb0$YWvUOXbkqlqhyoPMpN8BMe.ZGsGx2aBvxTvDFI613c3'), (' ', '$5$rounds=10376$I5lNtXtRmf.OoMd8$Ko3AI1VvTANdyKhBPavaRjJzNpSatKU6QVN9uwS9MH.'), ('test', '$5$rounds=11858$WH1ABM5sKhxbkgCK$aTQsjPkz0rBsH3lQlJxw9HDTDXPKBxC0LlVeV69P.t1'), ('Compl3X AlphaNu3meric', '$5$rounds=10350$o.pwkySLCzwTdmQX$nCMVsnF3TXWcBPOympBUUSQi6LGGloZoOsVJMGJ09UB'), ('4lpHa N|_|M3r1K W/ Cur5Es: #$%(*)(*%#', '$5$rounds=11944$9dhlu07dQMRWvTId$LyUI5VWkGFwASlzntk1RLurxX54LUhgAcJZIt0pYGT7'), (u('with unic\u00D6de'), '$5$rounds=1000$IbG0EuGQXw5EkMdP$LQ5AfPf13KufFsKtmazqnzSGZ4pxtUNw3woQ.ELRDF4'), ] if TEST_MODE("full"): # builtin alg was changed in 1.6, and had possibility of fencepost # errors near rounds that are multiples of 42. these hashes test rounds # 1004..1012 (42*24=1008 +/- 4) to ensure no mistakes were made. # (also relying on fuzz testing against os_crypt backend). known_correct_hashes.extend([ ("secret", '$5$rounds=1004$nacl$oiWPbm.kQ7.jTCZoOtdv7/tO5mWv/vxw5yTqlBagVR7'), ("secret", '$5$rounds=1005$nacl$6Mo/TmGDrXxg.bMK9isRzyWH3a..6HnSVVsJMEX7ud/'), ("secret", '$5$rounds=1006$nacl$I46VwuAiUBwmVkfPFakCtjVxYYaOJscsuIeuZLbfKID'), ("secret", '$5$rounds=1007$nacl$9fY4j1AV3N/dV/YMUn1enRHKH.7nEL4xf1wWB6wfDD4'), ("secret", '$5$rounds=1008$nacl$CiFWCfn8ODmWs0I1xAdXFo09tM8jr075CyP64bu3by9'), ("secret", '$5$rounds=1009$nacl$QtpFX.CJHgVQ9oAjVYStxAeiU38OmFILWm684c6FyED'), ("secret", '$5$rounds=1010$nacl$ktAwXuT5WbjBW/0ZU1eNMpqIWY1Sm4twfRE1zbZyo.B'), ("secret", '$5$rounds=1011$nacl$QJWLBEhO9qQHyMx4IJojSN9sS41P1Yuz9REddxdO721'), ("secret", '$5$rounds=1012$nacl$mmf/k2PkbBF4VCtERgky3bEVavmLZKFwAcvxD1p3kV2'), ]) known_malformed_hashes = [ # bad char in otherwise correct hash '$5$rounds=10428$uy/:jIAhCetNCTtb0$YWvUOXbkqlqhyoPMpN8BMeZGsGx2aBvxTvDFI613c3', # zero-padded rounds '$5$rounds=010428$uy/jIAhCetNCTtb0$YWvUOXbkqlqhyoPMpN8BMe.ZGsGx2aBvxTvDFI613c3', # extra "$" '$5$rounds=10428$uy/jIAhCetNCTtb0$YWvUOXbkqlqhyoPMpN8BMe.ZGsGx2aBvxTvDFI613c3$', ] known_correct_configs = [ # config, secret, result # # taken from official specification at http://www.akkadia.org/drepper/SHA-crypt.txt # ( "$5$saltstring", "Hello world!", "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" ), ( "$5$rounds=10000$saltstringsaltstring", "Hello world!", "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." "opqey6IcA" ), ( "$5$rounds=5000$toolongsaltstring", "This is just a test", "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" "mGRcvxa5" ), ( "$5$rounds=1400$anotherlongsaltstring", "a very much longer text to encrypt. This one even stretches over more" "than one line.", "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" "oP84Bnq1" ), ( "$5$rounds=77777$short", "we have a short salt string but not a short password", "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" ), ( "$5$rounds=123456$asaltof16chars..", "a short string", "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" "cZKmF/wJvD" ), ( "$5$rounds=10$roundstoolow", "the minimum number is still observed", "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" "2bIC" ), ] filter_config_warnings = True # rounds too low, salt too small platform_crypt_support = [ ("freebsd(9|1\d)|linux", True), ("freebsd8", None), # added in freebsd 8.3 ("freebsd|openbsd|netbsd|darwin", False), # solaris - depends on policy ] # create test cases for specific backends sha256_crypt_os_crypt_test = _sha256_crypt_test.create_backend_case("os_crypt") sha256_crypt_builtin_test = _sha256_crypt_test.create_backend_case("builtin") #============================================================================= # test sha512-crypt #============================================================================= class _sha512_crypt_test(HandlerCase): handler = hash.sha512_crypt known_correct_hashes = [ # # from JTR 1.7.9 # ('U*U*U*U*', "$6$LKO/Ute40T3FNF95$6S/6T2YuOIHY0N3XpLKABJ3soYcXD9mB7uVbtEZDj/LNscVhZoZ9DEH.sBciDrMsHOWOoASbNLTypH/5X26gN0"), ('U*U***U', "$6$LKO/Ute40T3FNF95$wK80cNqkiAUzFuVGxW6eFe8J.fSVI65MD5yEm8EjYMaJuDrhwe5XXpHDJpwF/kY.afsUs1LlgQAaOapVNbggZ1"), ('U*U***U*', "$6$LKO/Ute40T3FNF95$YS81pp1uhOHTgKLhSMtQCr2cDiUiN03Ud3gyD4ameviK1Zqz.w3oXsMgO6LrqmIEcG3hiqaUqHi/WEE2zrZqa/"), ('*U*U*U*U', "$6$OmBOuxFYBZCYAadG$WCckkSZok9xhp4U1shIZEV7CCVwQUwMVea7L3A77th6SaE9jOPupEMJB.z0vIWCDiN9WLh2m9Oszrj5G.gt330"), ('', "$6$ojWH1AiTee9x1peC$QVEnTvRVlPRhcLQCk/HnHaZmlGAAjCfrAN0FtOsOnUk5K5Bn/9eLHHiRzrTzaIKjW9NTLNIBUCtNVOowWS2mN."), # # custom tests # ('', '$6$rounds=11021$KsvQipYPWpr93wWP$v7xjI4X6vyVptJjB1Y02vZC5SaSijBkGmq1uJhPr3cvqvvkd42Xvo48yLVPFt8dvhCsnlUgpX.//Cxn91H4qy1'), (' ', '$6$rounds=11104$ED9SA4qGmd57Fq2m$q/.PqACDM/JpAHKmr86nkPzzuR5.YpYa8ZJJvI8Zd89ZPUYTJExsFEIuTYbM7gAGcQtTkCEhBKmp1S1QZwaXx0'), ('test', '$6$rounds=11531$G/gkPn17kHYo0gTF$Kq.uZBHlSBXyzsOJXtxJruOOH4yc0Is13uY7yK0PvAvXxbvc1w8DO1RzREMhKsc82K/Jh8OquV8FZUlreYPJk1'), ('Compl3X AlphaNu3meric', '$6$rounds=10787$wakX8nGKEzgJ4Scy$X78uqaX1wYXcSCtS4BVYw2trWkvpa8p7lkAtS9O/6045fK4UB2/Jia0Uy/KzCpODlfVxVNZzCCoV9s2hoLfDs/'), ('4lpHa N|_|M3r1K W/ Cur5Es: #$%(*)(*%#', '$6$rounds=11065$5KXQoE1bztkY5IZr$Jf6krQSUKKOlKca4hSW07MSerFFzVIZt/N3rOTsUgKqp7cUdHrwV8MoIVNCk9q9WL3ZRMsdbwNXpVk0gVxKtz1'), # ensures utf-8 used for unicode (UPASS_TABLE, '$6$rounds=40000$PEZTJDiyzV28M3.m$GTlnzfzGB44DGd1XqlmC4erAJKCP.rhvLvrYxiT38htrNzVGBnplFOHjejUGVrCfusGWxLQCc3pFO0A/1jYYr0'), ] known_malformed_hashes = [ # zero-padded rounds '$6$rounds=011021$KsvQipYPWpr93wWP$v7xjI4X6vyVptJjB1Y02vZC5SaSijBkGmq1uJhPr3cvqvvkd42Xvo48yLVPFt8dvhCsnlUgpX.//Cxn91H4qy1', # bad char in otherwise correct hash '$6$rounds=11021$KsvQipYPWpr9:wWP$v7xjI4X6vyVptJjB1Y02vZC5SaSijBkGmq1uJhPr3cvqvvkd42Xvo48yLVPFt8dvhCsnlUgpX.//Cxn91H4qy1', ] known_correct_configs = [ # config, secret, result # # taken from official specification at http://www.akkadia.org/drepper/SHA-crypt.txt # ("$6$saltstring", "Hello world!", "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" ), ( "$6$rounds=10000$saltstringsaltstring", "Hello world!", "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb" "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." ), ( "$6$rounds=5000$toolongsaltstring", "This is just a test", "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ" "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" ), ( "$6$rounds=1400$anotherlongsaltstring", "a very much longer text to encrypt. This one even stretches over more" "than one line.", "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP" "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" ), ( "$6$rounds=77777$short", "we have a short salt string but not a short password", "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g" "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" ), ( "$6$rounds=123456$asaltof16chars..", "a short string", "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc" "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" ), ( "$6$rounds=10$roundstoolow", "the minimum number is still observed", "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x" "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." ), ] filter_config_warnings = True # rounds too low, salt too small platform_crypt_support = _sha256_crypt_test.platform_crypt_support # create test cases for specific backends sha512_crypt_os_crypt_test = _sha512_crypt_test.create_backend_case("os_crypt") sha512_crypt_builtin_test = _sha512_crypt_test.create_backend_case("builtin") #============================================================================= # sun md5 crypt #============================================================================= class sun_md5_crypt_test(HandlerCase): handler = hash.sun_md5_crypt # TODO: this scheme needs some real test vectors, especially due to # the "bare salt" issue which plagued the official parser. known_correct_hashes = [ # # http://forums.halcyoninc.com/showthread.php?t=258 # ("Gpcs3_adm", "$md5$zrdhpMlZ$$wBvMOEqbSjU.hu5T2VEP01"), # # http://www.c0t0d0s0.org/archives/4453-Less-known-Solaris-features-On-passwords-Part-2-Using-stronger-password-hashing.html # ("aa12345678", "$md5$vyy8.OVF$$FY4TWzuauRl4.VQNobqMY."), # # http://www.cuddletech.com/blog/pivot/entry.php?id=778 # ("this", "$md5$3UqYqndY$$6P.aaWOoucxxq.l00SS9k0"), # # http://compgroups.net/comp.unix.solaris/password-file-in-linux-and-solaris-8-9 # ("passwd", "$md5$RPgLF6IJ$WTvAlUJ7MqH5xak2FMEwS/"), # # source: http://solaris-training.com/301_HTML/docs/deepdiv.pdf page 27 # FIXME: password unknown # "$md5,rounds=8000$kS9FT1JC$$mnUrRO618lLah5iazwJ9m1" # # source: http://www.visualexams.com/310-303.htm # XXX: this has 9 salt chars unlike all other hashes. is that valid? # FIXME: password unknown # "$md5,rounds=2006$2amXesSj5$$kCF48vfPsHDjlKNXeEw7V." # # # custom # # ensures utf-8 used for unicode (UPASS_TABLE, '$md5,rounds=5000$10VYDzAA$$1arAVtMA3trgE1qJ2V0Ez1'), ] known_correct_configs = [ # (config, secret, hash) #--------------------------- # test salt string handling # # these tests attempt to verify that passlib is handling # the "bare salt" issue (see sun md5 crypt docs) # in a sane manner #--------------------------- # config with "$" suffix, hash strings with "$$" suffix, # should all be treated the same, with one "$" added to salt digest. ("$md5$3UqYqndY$", "this", "$md5$3UqYqndY$$6P.aaWOoucxxq.l00SS9k0"), ("$md5$3UqYqndY$$.................DUMMY", "this", "$md5$3UqYqndY$$6P.aaWOoucxxq.l00SS9k0"), # config with no suffix, hash strings with "$" suffix, # should all be treated the same, and no suffix added to salt digest. # NOTE: this is just a guess re: config w/ no suffix, # but otherwise there's no sane way to encode bare_salt=False # within config string. ("$md5$3UqYqndY", "this", "$md5$3UqYqndY$HIZVnfJNGCPbDZ9nIRSgP1"), ("$md5$3UqYqndY$.................DUMMY", "this", "$md5$3UqYqndY$HIZVnfJNGCPbDZ9nIRSgP1"), ] known_malformed_hashes = [ # unexpected end of hash "$md5,rounds=5000", # bad rounds "$md5,rounds=500A$xxxx", "$md5,rounds=0500$xxxx", "$md5,rounds=0$xxxx", # bad char in otherwise correct hash "$md5$RPgL!6IJ$WTvAlUJ7MqH5xak2FMEwS/", # digest too short "$md5$RPgLa6IJ$WTvAlUJ7MqH5xak2FMEwS", # digest too long "$md5$RPgLa6IJ$WTvAlUJ7MqH5xak2FMEwS/.", # 2+ "$" at end of salt in config # NOTE: not sure what correct behavior is, so forbidding format for now. "$md5$3UqYqndY$$", # 3+ "$" at end of salt in hash # NOTE: not sure what correct behavior is, so forbidding format for now. "$md5$RPgLa6IJ$$$WTvAlUJ7MqH5xak2FMEwS/", ] platform_crypt_support = [ ("solaris", True), ("freebsd|openbsd|netbsd|linux|darwin", False), ] def do_verify(self, secret, hash): # Override to fake error for "$..." hash string listed in known_correct_configs (above) # These have to be hash strings, in order to test bare salt issue. if isinstance(hash, str) and hash.endswith("$.................DUMMY"): raise ValueError("pretending '$...' stub hash is config string") return self.handler.verify(secret, hash) #============================================================================= # unix disabled / fallback #============================================================================= class unix_disabled_test(HandlerCase): handler = hash.unix_disabled # accepts_all_hashes = True # TODO: turn this off. known_correct_hashes = [ # everything should hash to "!" (or "*" on BSD), # and nothing should verify against either string ("password", "!"), (UPASS_TABLE, "*"), ] known_unidentified_hashes = [ # should never identify anything crypt() could return... "$1$xxx", "abc", "./az", "{SHA}xxx", ] def test_76_hash_border(self): # so empty strings pass self.accepts_all_hashes = True super(unix_disabled_test, self).test_76_hash_border() def test_90_special(self): """test marker option & special behavior""" warnings.filterwarnings("ignore", "passing settings to .*.hash\(\) is deprecated") handler = self.handler # preserve hash if provided self.assertEqual(handler.genhash("stub", "!asd"), "!asd") # use marker if no hash self.assertEqual(handler.genhash("stub", ""), handler.default_marker) self.assertEqual(handler.hash("stub"), handler.default_marker) self.assertEqual(handler.using().default_marker, handler.default_marker) # custom marker self.assertEqual(handler.genhash("stub", "", marker="*xxx"), "*xxx") self.assertEqual(handler.hash("stub", marker="*xxx"), "*xxx") self.assertEqual(handler.using(marker="*xxx").hash("stub"), "*xxx") # reject invalid marker self.assertRaises(ValueError, handler.genhash, 'stub', "", marker='abc') self.assertRaises(ValueError, handler.hash, 'stub', marker='abc') self.assertRaises(ValueError, handler.using, marker='abc') class unix_fallback_test(HandlerCase): handler = hash.unix_fallback accepts_all_hashes = True known_correct_hashes = [ # *everything* should hash to "!", and nothing should verify ("password", "!"), (UPASS_TABLE, "!"), ] # silence annoying deprecation warning def setUp(self): super(unix_fallback_test, self).setUp() warnings.filterwarnings("ignore", "'unix_fallback' is deprecated") def test_90_wildcard(self): """test enable_wildcard flag""" h = self.handler self.assertTrue(h.verify('password','', enable_wildcard=True)) self.assertFalse(h.verify('password','')) for c in "!*x": self.assertFalse(h.verify('password',c, enable_wildcard=True)) self.assertFalse(h.verify('password',c)) def test_91_preserves_existing(self): """test preserves existing disabled hash""" handler = self.handler # use marker if no hash self.assertEqual(handler.genhash("stub", ""), "!") self.assertEqual(handler.hash("stub"), "!") # use hash if provided and valid self.assertEqual(handler.genhash("stub", "!asd"), "!asd") #============================================================================= # eof #=============================================================================