def _test_hmac_auth(self, mod_name, password, **kwargs): for test_password in (password, "somethingelse"): a = self._init_auth(mod_name, **kwargs) assert a.requires_challenge() assert a.get_passwords() salt, mac = a.get_challenge( [x for x in get_digests() if x.startswith("hmac")]) assert salt assert mac.startswith("hmac"), "invalid mac: %s" % mac client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex) salt_digest = a.choose_salt_digest(get_digests()) auth_salt = strtobytes(gendigest(salt_digest, client_salt, salt)) digestmod = get_digest_module(mac) verify = hmac.HMAC(strtobytes(test_password), auth_salt, digestmod=digestmod).hexdigest() passed = a.authenticate(verify, client_salt) assert passed == ( test_password == password ), "expected authentication to %s with %s vs %s" % ([ "fail", "succeed" ][test_password == password], test_password, password) assert not a.authenticate( verify, client_salt ), "should not be able to athenticate again with the same values"
def _test_file_auth(self, mod_name, genauthdata, display_count=0): #no file, no go: a = self._init_auth(mod_name) assert a.requires_challenge() p = a.get_passwords() assert not p, "got passwords from %s: %s" % (a, p) #challenge twice is a fail assert a.get_challenge(get_digests()) assert not a.get_challenge(get_digests()) assert not a.get_challenge(get_digests()) for muck in (0, 1): with TempFileContext(prefix=mod_name) as context: f = context.file filename = context.filename with f: a = self._init_auth(mod_name, filename=filename) password, filedata = genauthdata(a) #print("saving password file data='%s' to '%s'" % (filedata, filename)) f.write(strtobytes(filedata)) f.flush() assert a.requires_challenge() salt, mac = a.get_challenge(get_digests()) assert salt assert mac in get_digests() assert mac != "xor" password = strtobytes(password) client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex)[:len(salt)] salt_digest = a.choose_salt_digest(get_digests()) assert salt_digest auth_salt = strtobytes( gendigest(salt_digest, client_salt, salt)) if muck == 0: digestmod = get_digest_module(mac) verify = hmac.HMAC(password, auth_salt, digestmod=digestmod).hexdigest() assert a.authenticate( verify, client_salt), "%s failed" % a.authenticate if display_count > 0: sessions = a.get_sessions() assert len(sessions) >= 3 displays = sessions[2] assert len( displays ) == display_count, "expected %i displays but got %i : %s" % ( display_count, len(sessions), sessions) assert not a.authenticate( verify, client_salt), "authenticated twice!" passwords = a.get_passwords() assert len( passwords ) == 1, "expected just one password in file, got %i" % len( passwords) assert password in passwords elif muck == 1: for verify in ("whatever", None, "bad"): assert not a.authenticate(verify, client_salt) return a
def test_all_digests(self): for digest in get_digests(): if digest.startswith("hmac"): m = get_digest_module(digest) assert m is not None, "digest module not found for '%s'" % digest salt = get_salt(32) password = "******" d = gendigest(digest, password, salt) assert d is not None assert not verify_digest(digest, None, salt, d) assert not verify_digest(digest, password, None, d) assert not verify_digest(digest, password, salt, None) assert not verify_digest(digest, password, salt, d[:-1]) assert verify_digest(digest, password, salt, d)
def test_invalid_digest(self): for invalid_digest in (None, "foo", "hmac", "hmac+INVALID_HASH_ALGO"): assert get_digest_module(invalid_digest) is None assert gendigest(invalid_digest, "bar", "0" * 16) is None