33403b03e6e1fe8b19fd56339a995e38b081171c
[Packages/TYPO3.CMS.git] / typo3 / sysext / saltedpasswords / Tests / Unit / Salt / Pbkdf2SaltTest.php
1 <?php
2 namespace TYPO3\CMS\Saltedpasswords\Tests\Unit\Salt;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Crypto\Random;
18 use TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt;
19
20 /**
21 * Testcase for Pbkdf2Salt
22 */
23 class Pbkdf2SaltTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestCase
24 {
25 /**
26 * Keeps instance of object to test.
27 *
28 * @var Pbkdf2Salt
29 */
30 protected $objectInstance = null;
31
32 /**
33 * Sets up the fixtures for this testcase.
34 */
35 protected function setUp()
36 {
37 $this->objectInstance = $this->getMockBuilder(Pbkdf2Salt::class)
38 ->setMethods(['dummy'])
39 ->getMock();
40 // Speed up the tests by reducing the iteration count
41 $this->objectInstance->setHashCount(1000);
42 }
43
44 /**
45 * @test
46 */
47 public function hasCorrectBaseClass()
48 {
49 $hasCorrectBaseClass = get_class($this->objectInstance) === Pbkdf2Salt::class;
50 // XCLASS ?
51 if (!$hasCorrectBaseClass && false != get_parent_class($this->objectInstance)) {
52 $hasCorrectBaseClass = is_subclass_of($this->objectInstance, Pbkdf2Salt::class);
53 }
54 $this->assertTrue($hasCorrectBaseClass);
55 }
56
57 /**
58 * @test
59 */
60 public function nonZeroSaltLength()
61 {
62 $this->assertTrue($this->objectInstance->getSaltLength() > 0);
63 }
64
65 /**
66 * @test
67 */
68 public function emptyPasswordResultsInNullSaltedPassword()
69 {
70 $password = '';
71 $this->assertNull($this->objectInstance->getHashedPassword($password));
72 }
73
74 /**
75 * @test
76 */
77 public function nonEmptyPasswordResultsInNonNullSaltedPassword()
78 {
79 $password = 'a';
80 $this->assertNotNull($this->objectInstance->getHashedPassword($password));
81 }
82
83 /**
84 * @test
85 */
86 public function createdSaltedHashOfProperStructure()
87 {
88 $password = 'password';
89 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
90 $this->assertTrue($this->objectInstance->isValidSaltedPW($saltedHashPassword));
91 }
92
93 /**
94 * @test
95 */
96 public function createdSaltedHashOfProperStructureForCustomSaltWithoutSetting()
97 {
98 $password = 'password';
99 // custom salt without setting
100 $randomBytes = (new Random())->generateRandomBytes($this->objectInstance->getSaltLength());
101 $salt = $this->objectInstance->base64Encode($randomBytes, $this->objectInstance->getSaltLength());
102 $this->assertTrue($this->objectInstance->isValidSalt($salt));
103 $saltedHashPassword = $this->objectInstance->getHashedPassword($password, $salt);
104 $this->assertTrue($this->objectInstance->isValidSaltedPW($saltedHashPassword));
105 }
106
107 /**
108 * @test
109 */
110 public function createdSaltedHashOfProperStructureForMinimumHashCount()
111 {
112 $password = 'password';
113 $minHashCount = $this->objectInstance->getMinHashCount();
114 $this->objectInstance->setHashCount($minHashCount);
115 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
116 $this->assertTrue($this->objectInstance->isValidSaltedPW($saltedHashPassword));
117 // reset hashcount
118 $this->objectInstance->setHashCount(null);
119 }
120
121 /**
122 * Tests authentication procedure with fixed password and fixed (pre-generated) hash.
123 *
124 * Checks if a "plain-text password" is every time mapped to the
125 * same "salted password hash" when using the same fixed salt.
126 *
127 * @test
128 */
129 public function authenticationWithValidAlphaCharClassPasswordAndFixedHash()
130 {
131 $password = 'password';
132 $saltedHashPassword = '$pbkdf2-sha256$1000$woPhT0yoWm3AXJXSjuxJ3w$iZ6EvTulMqXlzr0NO8z5EyrklFcJk5Uw2Fqje68FfaQ';
133 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
134 }
135
136 /**
137 * Tests that authentication procedure fails with broken hash to compare to
138 *
139 * @test
140 */
141 public function authenticationFailsWithBrokenHash()
142 {
143 $password = 'password';
144 $saltedHashPassword = '$pbkdf2-sha256$1000$woPhT0yoWm3AXJXSjuxJ3w$iZ6EvTulMqXlzr0NO8z5EyrklFcJk5Uw2Fqje68Ffa';
145 $this->assertFalse($this->objectInstance->checkPassword($password, $saltedHashPassword));
146 }
147
148 /**
149 * Tests authentication procedure with alphabet characters.
150 *
151 * Checks if a "plain-text password" is every time mapped to the
152 * same "salted password hash" when using the same salt.
153 *
154 * @test
155 */
156 public function authenticationWithValidAlphaCharClassPassword()
157 {
158 $password = 'aEjOtY';
159 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
160 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
161 }
162
163 /**
164 * Tests authentication procedure with numeric characters.
165 *
166 * Checks if a "plain-text password" is every time mapped to the
167 * same "salted password hash" when using the same salt.
168 *
169 * @test
170 */
171 public function authenticationWithValidNumericCharClassPassword()
172 {
173 $password = '01369';
174 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
175 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
176 }
177
178 /**
179 * Tests authentication procedure with US-ASCII special characters.
180 *
181 * Checks if a "plain-text password" is every time mapped to the
182 * same "salted password hash" when using the same salt.
183 *
184 * @test
185 */
186 public function authenticationWithValidAsciiSpecialCharClassPassword()
187 {
188 $password = ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';
189 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
190 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
191 }
192
193 /**
194 * Tests authentication procedure with latin1 special characters.
195 *
196 * Checks if a "plain-text password" is every time mapped to the
197 * same "salted password hash" when using the same salt.
198 *
199 * @test
200 */
201 public function authenticationWithValidLatin1SpecialCharClassPassword()
202 {
203 $password = '';
204 for ($i = 160; $i <= 191; $i++) {
205 $password .= chr($i);
206 }
207 $password .= chr(215) . chr(247);
208 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
209 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
210 }
211
212 /**
213 * Tests authentication procedure with latin1 umlauts.
214 *
215 * Checks if a "plain-text password" is every time mapped to the
216 * same "salted password hash" when using the same salt.
217 *
218 * @test
219 */
220 public function authenticationWithValidLatin1UmlautCharClassPassword()
221 {
222 $password = '';
223 for ($i = 192; $i <= 214; $i++) {
224 $password .= chr($i);
225 }
226 for ($i = 216; $i <= 246; $i++) {
227 $password .= chr($i);
228 }
229 for ($i = 248; $i <= 255; $i++) {
230 $password .= chr($i);
231 }
232 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
233 $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword));
234 }
235
236 /**
237 * @test
238 */
239 public function authenticationWithNonValidPassword()
240 {
241 $password = 'password';
242 $password1 = $password . 'INVALID';
243 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
244 $this->assertFalse($this->objectInstance->checkPassword($password1, $saltedHashPassword));
245 }
246
247 /**
248 * @test
249 */
250 public function passwordVariationsResultInDifferentHashes()
251 {
252 $pad = 'a';
253 $criticalPwLength = 0;
254 // We're using a constant salt.
255 $saltedHashPasswordCurrent = $salt = $this->objectInstance->getHashedPassword($pad);
256 for ($i = 0; $i <= 128; $i += 8) {
257 $password = str_repeat($pad, max($i, 1));
258 $saltedHashPasswordPrevious = $saltedHashPasswordCurrent;
259 $saltedHashPasswordCurrent = $this->objectInstance->getHashedPassword($password, $salt);
260 if ($i > 0 && $saltedHashPasswordPrevious === $saltedHashPasswordCurrent) {
261 $criticalPwLength = $i;
262 break;
263 }
264 }
265 $this->assertTrue($criticalPwLength == 0 || $criticalPwLength > 32, 'Duplicates of hashed passwords with plaintext password of length ' . $criticalPwLength . '+.');
266 }
267
268 /**
269 * @test
270 */
271 public function modifiedMinHashCount()
272 {
273 $minHashCount = $this->objectInstance->getMinHashCount();
274 $this->objectInstance->setMinHashCount($minHashCount - 1);
275 $this->assertTrue($this->objectInstance->getMinHashCount() < $minHashCount);
276 $this->objectInstance->setMinHashCount($minHashCount + 1);
277 $this->assertTrue($this->objectInstance->getMinHashCount() > $minHashCount);
278 }
279
280 /**
281 * @test
282 */
283 public function modifiedMaxHashCount()
284 {
285 $maxHashCount = $this->objectInstance->getMaxHashCount();
286 $this->objectInstance->setMaxHashCount($maxHashCount + 1);
287 $this->assertTrue($this->objectInstance->getMaxHashCount() > $maxHashCount);
288 $this->objectInstance->setMaxHashCount($maxHashCount - 1);
289 $this->assertTrue($this->objectInstance->getMaxHashCount() < $maxHashCount);
290 }
291
292 /**
293 * @test
294 */
295 public function modifiedHashCount()
296 {
297 $hashCount = $this->objectInstance->getHashCount();
298 $this->objectInstance->setMaxHashCount($hashCount + 1);
299 $this->objectInstance->setHashCount($hashCount + 1);
300 $this->assertTrue($this->objectInstance->getHashCount() > $hashCount);
301 $this->objectInstance->setMinHashCount($hashCount - 1);
302 $this->objectInstance->setHashCount($hashCount - 1);
303 $this->assertTrue($this->objectInstance->getHashCount() < $hashCount);
304 // reset hashcount
305 $this->objectInstance->setHashCount(null);
306 }
307
308 /**
309 * @test
310 */
311 public function updateNecessityForValidSaltedPassword()
312 {
313 $password = 'password';
314 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
315 $this->assertFalse($this->objectInstance->isHashUpdateNeeded($saltedHashPassword));
316 }
317
318 /**
319 * @test
320 */
321 public function updateNecessityForIncreasedHashcount()
322 {
323 $password = 'password';
324 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
325 $increasedHashCount = $this->objectInstance->getHashCount() + 1;
326 $this->objectInstance->setMaxHashCount($increasedHashCount);
327 $this->objectInstance->setHashCount($increasedHashCount);
328 $this->assertTrue($this->objectInstance->isHashUpdateNeeded($saltedHashPassword));
329 // reset hashcount
330 $this->objectInstance->setHashCount(null);
331 }
332
333 /**
334 * @test
335 */
336 public function updateNecessityForDecreasedHashcount()
337 {
338 $password = 'password';
339 $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
340 $decreasedHashCount = $this->objectInstance->getHashCount() - 1;
341 $this->objectInstance->setMinHashCount($decreasedHashCount);
342 $this->objectInstance->setHashCount($decreasedHashCount);
343 $this->assertFalse($this->objectInstance->isHashUpdateNeeded($saltedHashPassword));
344 // reset hashcount
345 $this->objectInstance->setHashCount(null);
346 }
347
348 /**
349 * @test
350 */
351 public function isCompatibleWithPythonPasslibHashes()
352 {
353 $this->objectInstance->setMinHashCount(1000);
354 $passlibSaltedHash= '$pbkdf2-sha256$6400$.6UI/S.nXIk8jcbdHx3Fhg$98jZicV16ODfEsEZeYPGHU3kbrUrvUEXOPimVSQDD44';
355 $saltedHashPassword = $this->objectInstance->getHashedPassword('password', $passlibSaltedHash);
356
357 $this->assertSame($passlibSaltedHash, $saltedHashPassword);
358 }
359 }