adam/znc
1
0
Fork 0
mirror of https://github.com/znc/znc.git synced 2026-06-12 01:34:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

User,Utils: move ConstantTimeEquals to CUtils and add tests (#2011)

Browse Source
This commit is contained in:
MarkLee131
2026-04-25 17:37:33 +08:00
parent 794ae6cd60
commit f0c3341e35
5 changed files with 102 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/UserTest.cpp
+49
View File
@@ -16,6 +16,7 @@
#include <gtest/gtest.h>
#include <znc/User.h>
#include <znc/Utils.h>
#include <znc/znc.h>
class UserTest : public ::testing::Test {
@@ -149,3 +150,51 @@ TEST_F(UserTest, TestAuthOnlyViaModule) {
CZNC::Get().SetAuthOnlyViaModule(bAuthOnlyViaModuleDefault);
}
// Functional regression for the constant-time CheckPass paths (#2011).
// We can't measure timing in a unit test, but we verify the boolean
// contract for each hash mode: correct password matches, wrong password
// (including same-length and length-mismatch variants) does not.
TEST_F(UserTest, CheckPassPlain) {
CUser user("user");
user.SetPass("plaintext", CUser::HASH_NONE);
EXPECT_FALSE(user.CheckPass(""));
EXPECT_FALSE(user.CheckPass("plaintex")); // shorter
EXPECT_FALSE(user.CheckPass("plaintextX")); // longer
EXPECT_FALSE(user.CheckPass("plaintexT")); // case-sensitive
EXPECT_FALSE(user.CheckPass("Xlaintext")); // first byte differs
EXPECT_FALSE(user.CheckPass("plaintexX")); // last byte differs
EXPECT_TRUE(user.CheckPass("plaintext"));
}
TEST_F(UserTest, CheckPassMD5) {
CUser user("user");
CString sSalt = "the-salt";
CString sCorrect = "correct-password";
user.SetPass(CUtils::SaltedMD5Hash(sCorrect, sSalt), CUser::HASH_MD5,
sSalt);
// Wrong inputs first; the success path may upgrade the stored hash
// to argon2id, after which the hash type is no longer MD5.
EXPECT_FALSE(user.CheckPass(""));
EXPECT_FALSE(user.CheckPass("wrong-password"));
EXPECT_FALSE(user.CheckPass("correct-passworX")); // last byte differs
EXPECT_FALSE(user.CheckPass("Xorrect-password")); // first byte differs
EXPECT_FALSE(user.CheckPass("Correct-password")); // case-sensitive
EXPECT_TRUE(user.CheckPass(sCorrect));
}
TEST_F(UserTest, CheckPassSHA256) {
CUser user("user");
CString sSalt = "another-salt";
CString sCorrect = "another-password";
user.SetPass(CUtils::SaltedSHA256Hash(sCorrect, sSalt),
CUser::HASH_SHA256, sSalt);
EXPECT_FALSE(user.CheckPass(""));
EXPECT_FALSE(user.CheckPass("wrong"));
EXPECT_FALSE(user.CheckPass("another-passworX"));
EXPECT_FALSE(user.CheckPass("Another-password"));
EXPECT_TRUE(user.CheckPass(sCorrect));
}