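<?php

/**
 * Regression tests for auth_cryptPassword() and auth_verifyPassword().
 *
 * Every password, salt and hash in this file is a fixed test fixture. Several
 * of the covered formats are fast digests (plain md5, sha1, the old mysql
 * scheme) that are exercised here for verification only; presumably they are
 * kept so that hashes imported from other systems still verify. Their presence
 * in this list is not a recommendation to store new passwords with them.
 */
class auth_password_test extends DokuWikiTest {

    /**
     * Data provider: precomputed hashes.
     *
     * Each row is array(method, hash) where hash was computed for the password
     * 'foo' . method using abcdefgh12345678912345678912345678 as salt. The salt
     * is fixed only to make the expected output reproducible.
     *
     * Rows that depend on optional PHP features are appended only when the
     * running PHP build provides them, so the suite does not fail on builds
     * without SHA512 crypt or hash_pbkdf2().
     *
     * @return array list of array(string $method, string $hash)
     */
    public function hashes() {
        $fixtures = array(
            array('smd5', '$1$abcdefgh$SYbjm2AEvSoHG7Xapi8so.'),
            array('apr1', '$apr1$abcdefgh$C/GzYTF4kOVByYLEoD5X4.'),
            array('md5', '8fa22d62408e5351553acdd91c6b7003'),
            array('sha1', 'b456d3b0efd105d613744ffd549514ecafcfc7e1'),
            array('ssha', '{SSHA}QMHG+uC7bHNYKkmoLbNsNI38/dJhYmNk'),
            array('lsmd5', '{SMD5}HGbkPrkWgy9KgcRGWlrsUWFiY2RlZmdo'),
            array('crypt', 'ablvoGr1hvZ5k'),
            array('mysql', '4a1fa3780bd6fd55'),
            array('my411', '*E5929347E25F82E19E4EBE92F1DC6B6E7C2DBD29'),
            array('kmd5', 'a579299436d7969791189acadd86fcb716'),
            array('djangomd5', 'md5$abcde$d0fdddeda8cd92725d2b54148ac09158'),
            array('djangosha1', 'sha1$abcde$c8e65a7f0acc9158843048a53dcc5a6bc4d17678'),
        );

        // Check SHA512 only if available in this PHP
        if(defined('CRYPT_SHA512') && CRYPT_SHA512 === 1) {
            $fixtures[] = array('sha512', '$6$abcdefgh12345678$J9.zOcgx0lotwZdcz0uulA3IVQMinZvFZVjA5vapRLVAAqtay23XD4xeeUxQ3B4JvDWYFBIxVWW1tOYlHX13k1');
        }

        // The Django PBKDF2 rows need hash_pbkdf2() plus the matching digest
        if(function_exists('hash_pbkdf2')) {
            $available = hash_algos();
            // strict membership test: algorithm names are compared as strings only
            if(in_array('sha256', $available, true)) {
                $fixtures[] = array('djangopbkdf2_sha256', 'pbkdf2_sha256$24000$abcdefgh1234$R23OyZJ0nGHLG6MvPNfEkV5AOz3jUY5zthByPXs2gn0=');
            }
            if(in_array('sha1', $available, true)) {
                $fixtures[] = array('djangopbkdf2_sha1', 'pbkdf2_sha1$24000$abcdefgh1234$pOliX4vV1hgOv7lFNURIHHx41HI=');
            }
        }

        return $fixtures;
    }

    /**
     * Hashing with the fixed salt must reproduce the precomputed value.
     *
     * assertSame() is used instead of assertEquals() so the comparison is a
     * strict string identity check; a hash test should never be able to pass
     * through loose comparison of numeric-looking strings.
     *
     * @dataProvider hashes
     * @param string $method hash method name
     * @param string $hash   expected hash for 'foo' . $method
     */
    public function test_cryptPassword($method, $hash) {
        $computed = auth_cryptPassword('foo' . $method, $method, 'abcdefgh12345678912345678912345678');
        $this->assertSame($hash, $computed);
    }

    /**
     * A precomputed hash verifies for the right password and is rejected for
     * a wrong one.
     *
     * @dataProvider hashes
     * @param string $method hash method name
     * @param string $hash   precomputed hash for 'foo' . $method
     */
    public function test_verifyPassword($method, $hash) {
        $this->assertTrue(auth_verifyPassword('foo' . $method, $hash));
        // negative case: same method suffix, different password
        $this->assertFalse(auth_verifyPassword('bar' . $method, $hash));
    }

    /**
     * Round trip: a hash created without passing a salt must verify against
     * the same password.
     *
     * @dataProvider hashes
     * @param string $method hash method name
     * @param string $hash   unused; the provider row's hash is not needed here
     */
    public function test_verifySelf($method, $hash) {
        $fresh = auth_cryptPassword('foo' . $method, $method);
        $this->assertTrue(auth_verifyPassword('foo' . $method, $fresh));
    }

    /**
     * A null password must never verify, not even against the value that
     * auth_cryptPassword() returns for null. This is what keeps an account
     * without a password from being usable for login.
     *
     * @dataProvider hashes
     * @param string $method hash method name
     * @param string $hash   unused; the provider row's hash is not needed here
     */
    public function test_verifyUnusable($method, $hash) {
        $unusable = auth_cryptPassword(null, $method);
        $this->assertFalse(auth_verifyPassword(null, $unusable));
    }

    /**
     * Round trip for bcrypt, which is not part of the hashes() provider.
     */
    public function test_bcrypt_self() {
        $fresh = auth_cryptPassword('foobcrypt', 'bcrypt');
        $this->assertTrue(auth_verifyPassword('foobcrypt', $fresh));
    }

    /**
     * Fixed bcrypt hashes with the $2a$ and $2b$ prefixes must verify.
     */
    public function test_verifyPassword_fixedbcrypt() {
        $this->assertTrue(auth_verifyPassword('foobcrypt', '$2a$12$uTWercxbq4sjp2xAzv3we.ZOxk51m5V/Bv5bp2H27oVFJl5neFQoC'));
        $this->assertTrue(auth_verifyPassword('lemmybcrypt12hash', '$2b$12$zMBuY6QAGXuT6elIbadavO1JTI6DfaGe1MpfBthG/nt6mkodwmKAi'));
    }

    /**
     * A $1$ hash whose salt segment is empty must still verify.
     */
    public function test_verifyPassword_nohash() {
        $this->assertTrue(auth_verifyPassword('foo', '$1$$n1rTiFE0nRifwV/43bVon/'));
    }

    /**
     * The same fixed hash must verify under both the $P$ and the $H$ prefix.
     */
    public function test_verifyPassword_fixedpmd5() {
        $this->assertTrue(auth_verifyPassword('test12345', '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'));
        $this->assertTrue(auth_verifyPassword('test12345', '$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'));
    }

    /**
     * A fixed hash with the $S$ prefix must verify.
     */
    public function test_verifypassword_drupal_sha512() {
        $this->assertTrue(auth_verifyPassword('drupal_sha512', '$S$D7JxIm0f7QKO3zjwVS1RH4AW8sYvmLjO0.Rn4swH0JVt6OrZ4yzZ'));
    }

    /**
     * A fixed hash with the U$S$ prefix must verify.
     */
    public function test_verifypassword_drupal_migrated_6to7() {
        $this->assertTrue(auth_verifyPassword('pouette1234', 'U$S$9c47LGZuhR6TvhRQXzymkJIQ3mXthUCc6KDEGTt4B7eOL/H9Ykuy'));
    }

    /**
     * A fixed PBKDF2SHA256$... hash must verify.
     */
    public function test_verifyPassword_seafilepbkdf2() {
        $pw = '@STR0NGpassW0RD';
        $hash = 'PBKDF2SHA256$10000$99227b6df52aa1394b5ca0aceee2733dd6c2670c85bbe26c751a2c65e79d4db7$d61dd1c4df6873c73813fe97f96d0e917792602a33966f3fab0eef154637cc84';
        $this->assertTrue(auth_verifyPassword($pw, $hash));
    }

    /**
     * A fixed hash with the :B: prefix must verify.
     *
     * The method name keeps its original spelling so existing test filters
     * that reference it still match.
     */
    public function test_veryPassword_mediawiki() {
        $this->assertTrue(auth_verifyPassword('password', ':B:838c83e1:e4ab7024509eef084cdabd03d8b2972c'));
    }

    /**
     * pmd5 checking should throw an exception when a hash with a too high
     * iteration count is passed.
     *
     * The iteration count is read from the stored hash, so without an upper
     * bound a crafted hash could make a single verification arbitrarily
     * expensive. NOTE(review): the limit itself is enforced in the
     * implementation, which is not visible from this file.
     */
    public function test_verifyPassword_pmd5Exception() {
        $thrown = false;
        try {
            auth_verifyPassword('foopmd5', '$H$abcdefgh1ZbJodHxmeXVAhEzTG7IAp.');
        } catch(Exception $e) {
            $thrown = true;
        }
        $this->assertTrue($thrown);
    }

    /**
     * SHA256 crypt hashes, without and with a rounds= parameter, must verify.
     * Skipped when this PHP build has no SHA256 crypt support.
     */
    public function test_verifyPassword_sha256_crypt() {
        if(!(defined('CRYPT_SHA256') && CRYPT_SHA256 === 1)) {
            $this->markTestSkipped('SHA256 not available in this PHP environment');
            return;
        }

        $this->assertTrue(auth_verifyPassword('password', '$5$KvtIFskJlsLHR95A$CABu0dPozYsRq/dGNj4KITBQ21ZK.gC9KVXAkYFNE85'));
        $this->assertTrue(auth_verifyPassword('password', '$5$rounds=1000$FQM/YjSke3Iqsdma$RYwG1MP21u68qUBQKqHoz7GLpWlnA6tunNKMNH3nRh5'));
    }

    /**
     * issue #2629, support PHP's crypt() format with a rounds= parameter.
     * The fixture below uses rounds=3000. Skipped when this PHP build has no
     * SHA512 crypt support.
     */
    public function test_verifyPassword_sha512_crypt() {
        if(!(defined('CRYPT_SHA512') && CRYPT_SHA512 === 1)) {
            $this->markTestSkipped('SHA512 not available in this PHP environment');
            return;
        }

        $this->assertTrue(auth_verifyPassword('Qwerty123', '$6$rounds=3000$9in6UciYPFG6ydsJ$YBjypQ7XoRqvJoX1a2.spSysSVHcdreVXi1Xh5SyOxo2yNSxDjlUCun2YXrwk9.YP6vmRvCWrhp0fbPgSOT7..'));
    }

    /**
     * A fixed bcrypt hash carrying a leading "Bcrypt:" tag must verify.
     */
    public function test_verifyPassword_Woltlab() {
        $this->assertTrue(auth_verifyPassword('zQ9ZwsTvgufN', 'Bcrypt:$2y$12$ygz.4TeGn/NXEcXIE0pyge4lJyuSMqRdDPT5dW469lODb.HswSzjW'));
    }
}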