#
# PRE: edit-list-remove if
#
string salt
string result_string
octets result_octets

control := {}
salt := "5RNqNl8iYLbkCc7JhR8as4TtDDCX6otuuWtcja8rITUyx9zrnHSe9tTHGmKK"	# 60 byte salt

#
#  Unencoded Password.Cleartext in password with header
#
control := {
	Password.With-Header = User-Password
}

pap.authorize
pap.authenticate {
	reject = 1
}
if (reject) {
	test_fail
}

#
#  Base64 encoded Password.Cleartext in password with header
#
result_string := "{clear}%{User-Password}"
control := {
	Password.With-Header = %base64.encode(%{result_string})
}

pap.authorize
pap.authenticate {
	reject = 1
}
if (reject) {
	test_fail
}

#
#  Hex encoded SSHA password
#
control := {
	Password.With-Header = "{ssha}%hex(%sha1(%{User-Password}%{salt}))%hex(%{salt})"
}

pap.authorize
pap.authenticate {
	reject = 1
}
if (reject) {
	test_fail
}

#
#  Base64 encoded SSHA password
#
result_string := "%hex(%sha1(%{User-Password}%{salt}))%hex(%{salt})"

# To Binary
result_octets := "%bin(%{result_string})"

# To Base64
result_string := "%base64.encode(%{result_octets})"
control.Password.With-Header := "{ssha}%{result_string}"

pap.authorize
pap.authenticate {
	reject = 1
	fail = 2
}
if (reject) {
	test_fail
}

#
#  Base64 of Base64 encoded SSHA password
#
result_string := "%hex(%sha1(%{User-Password}%{salt}))%hex(%{salt})"

# To Binary
result_octets := "%bin(%{result_string})"

# To Base64
result_string := "{ssha}%base64.encode(%{result_octets})"
control.Password.With-Header := "%base64.encode(%{result_string})"

pap.authorize
pap.authenticate {
	reject = 1
}
if (reject) {
	test_fail
}


control := {
	Auth-Type = ::Accept
}

success
