def _test_hmac_auth(self, mod_name, password, **kwargs):
for test_password in (password, "somethingelse"):
a = self._init_auth(mod_name, **kwargs)
assert a.requires_challenge()
assert a.get_passwords()
salt, mac = a.get_challenge(
[x for x in get_digests() if x.startswith("hmac")])
assert salt
assert mac.startswith("hmac"), "invalid mac: %s" % mac
client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex)
salt_digest = a.choose_salt_digest(get_digests())
auth_salt = strtobytes(gendigest(salt_digest, client_salt, salt))
digestmod = get_digest_module(mac)
verify = hmac.HMAC(strtobytes(test_password),
auth_salt,
digestmod=digestmod).hexdigest()
passed = a.authenticate(verify, client_salt)
assert passed == (
test_password == password
), "expected authentication to %s with %s vs %s" % ([
"fail", "succeed"
][test_password == password], test_password, password)
assert not a.authenticate(
verify, client_salt
), "should not be able to athenticate again with the same values"
def _test_file_auth(self, mod_name, genauthdata, display_count=0):
#no file, no go:
a = self._init_auth(mod_name)
assert a.requires_challenge()
p = a.get_passwords()
assert not p, "got passwords from %s: %s" % (a, p)
#challenge twice is a fail
assert a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
for muck in (0, 1):
with TempFileContext(prefix=mod_name) as context:
f = context.file
filename = context.filename
with f:
a = self._init_auth(mod_name, filename=filename)
password, filedata = genauthdata(a)
#print("saving password file data='%s' to '%s'" % (filedata, filename))
f.write(strtobytes(filedata))
f.flush()
assert a.requires_challenge()
salt, mac = a.get_challenge(get_digests())
assert salt
assert mac in get_digests()
assert mac != "xor"
password = strtobytes(password)
client_salt = strtobytes(uuid.uuid4().hex +
uuid.uuid4().hex)[:len(salt)]
salt_digest = a.choose_salt_digest(get_digests())
assert salt_digest
auth_salt = strtobytes(
gendigest(salt_digest, client_salt, salt))
if muck == 0:
digestmod = get_digest_module(mac)
verify = hmac.HMAC(password,
auth_salt,
digestmod=digestmod).hexdigest()
assert a.authenticate(
verify, client_salt), "%s failed" % a.authenticate
if display_count > 0:
sessions = a.get_sessions()
assert len(sessions) >= 3
displays = sessions[2]
assert len(
displays
) == display_count, "expected %i displays but got %i : %s" % (
display_count, len(sessions), sessions)
assert not a.authenticate(
verify, client_salt), "authenticated twice!"
passwords = a.get_passwords()
assert len(
passwords
) == 1, "expected just one password in file, got %i" % len(
passwords)
assert password in passwords
elif muck == 1:
for verify in ("whatever", None, "bad"):
assert not a.authenticate(verify, client_salt)
return a
def test_all_digests(self):
for digest in get_digests():
if digest.startswith("hmac"):
m = get_digest_module(digest)
assert m is not None, "digest module not found for '%s'" % digest
salt = get_salt(32)
password = "******"
d = gendigest(digest, password, salt)
assert d is not None
assert not verify_digest(digest, None, salt, d)
assert not verify_digest(digest, password, None, d)
assert not verify_digest(digest, password, salt, None)
assert not verify_digest(digest, password, salt, d[:-1])
assert verify_digest(digest, password, salt, d)
def test_invalid_digest(self):
for invalid_digest in (None, "foo", "hmac", "hmac+INVALID_HASH_ALGO"):
assert get_digest_module(invalid_digest) is None
assert gendigest(invalid_digest, "bar", "0" * 16) is None
