python/samba/tests/password_hash_fl2008.py

   1 # Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
   2 #
   3 # Copyright (C) Catalyst IT Ltd. 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """
  20 Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
  21
  22 These tests need to be run in an environment in which
  23 io->ac->gpg_key_ids == NULL, so that the gpg supplemental credentials
  24 are not generated. And also need to be in an environment with a
  25 functional level of 2008 or greater to ensure the kerberos newer keys are
  26 generated
  27 """
  28 from samba.tests.password_hash import (
  29     PassWordHashTests,
  30     get_package,
  31     USER_PASS
  32 )
  33 from samba.ndr import ndr_unpack
  34 from samba.dcerpc import drsblobs
  35 import binascii
  36
  37 class PassWordHashFl2008Tests(PassWordHashTests):
  38
  39     def setUp(self):
  40         super(PassWordHashFl2008Tests, self).setUp()
  41
  42
  43     def test_default_supplementalCredentials(self):
  44         self.add_user()
  45
  46         sc = self.get_supplemental_creds()
  47
  48         # Check that we got all the expected supplemental credentials
  49         # And they are in the expected order.
  50         size = len(sc.sub.packages)
  51         self.assertEquals(4, size)
  52         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
  53         self.assertEquals(1, pos)
  54         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
  55
  56         (pos, package) = get_package(sc, "Primary:Kerberos")
  57         self.assertEquals(2, pos)
  58         self.assertEquals("Primary:Kerberos", package.name)
  59
  60         (pos, package) = get_package(sc, "Packages")
  61         self.assertEquals(3, pos)
  62         self.assertEquals("Packages", package.name)
  63
  64         (pos, package) = get_package(sc, "Primary:WDigest")
  65         self.assertEquals(4, pos)
  66         self.assertEquals("Primary:WDigest", package.name)
  67
  68         # Check that the WDigest values are correct.
  69         #
  70         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
  71                              binascii.a2b_hex(package.data))
  72         self.check_wdigests(digests)
  73
  74     def test_userPassword_sha512(self):
  75         self.add_user(options=[("password hash userPassword schemes",
  76                                 "CryptSHA512")])
  77
  78         sc = self.get_supplemental_creds()
  79
  80         # Check that we got all the expected supplemental credentials
  81         # And they are in the expected order.
  82         size = len(sc.sub.packages)
  83         self.assertEquals(5, size)
  84
  85         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
  86         self.assertEquals(1, pos)
  87         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
  88
  89         (pos, package) = get_package(sc, "Primary:Kerberos")
  90         self.assertEquals(2, pos)
  91         self.assertEquals("Primary:Kerberos", package.name)
  92
  93         (pos, wp_package) = get_package(sc, "Primary:WDigest")
  94         self.assertEquals(3, pos)
  95         self.assertEquals("Primary:WDigest", wp_package.name)
  96
  97         (pos, package) = get_package(sc, "Packages")
  98         self.assertEquals(4, pos)
  99         self.assertEquals("Packages", package.name)
 100
 101         (pos, up_package) = get_package(sc, "Primary:userPassword")
 102         self.assertEquals(5, pos)
 103         self.assertEquals("Primary:userPassword", up_package.name)
 104
 105         # Check that the WDigest values are correct.
 106         #
 107         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 108                              binascii.a2b_hex(wp_package.data))
 109         self.check_wdigests(digests)
 110
 111         # Check that the userPassword hashes are computed correctly
 112         #
 113         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 114                         binascii.a2b_hex(up_package.data))
 115         self.checkUserPassword(up, [("{CRYPT}", "6",None)])
 116         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
 117
 118     def test_supplementalCredentials_cleartext(self):
 119         self.add_user(clear_text=True)
 120
 121         sc = self.get_supplemental_creds()
 122
 123         # Check that we got all the expected supplemental credentials
 124         # And they are in the expected order.
 125         size = len(sc.sub.packages)
 126         self.assertEquals(5, size)
 127         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
 128         self.assertEquals(1, pos)
 129         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
 130
 131         (pos, package) = get_package(sc, "Primary:Kerberos")
 132         self.assertEquals(2, pos)
 133         self.assertEquals("Primary:Kerberos", package.name)
 134
 135         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 136         self.assertEquals(3, pos)
 137         self.assertEquals("Primary:WDigest", wd_package.name)
 138
 139         (pos, package) = get_package(sc, "Packages")
 140         self.assertEquals(4, pos)
 141         self.assertEquals("Packages", package.name)
 142
 143         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 144         self.assertEquals(5, pos)
 145         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 146
 147         # Check that the WDigest values are correct.
 148         #
 149         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 150                              binascii.a2b_hex(wd_package.data))
 151         self.check_wdigests(digests)
 152
 153         # Check the clear text  value is correct.
 154         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 155                         binascii.a2b_hex(ct_package.data))
 156         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 157
 158     def test_userPassword_cleartext_sha256(self):
 159         self.add_user(clear_text=True,
 160                       options=[("password hash userPassword schemes",
 161                                 "CryptSHA256:rounds=100")])
 162
 163         sc = self.get_supplemental_creds()
 164
 165         # Check that we got all the expected supplemental credentials
 166         # And they are in the expected order.
 167         size = len(sc.sub.packages)
 168         self.assertEquals(6, size)
 169
 170         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
 171         self.assertEquals(1, pos)
 172         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
 173
 174         (pos, package) = get_package(sc, "Primary:Kerberos")
 175         self.assertEquals(2, pos)
 176         self.assertEquals("Primary:Kerberos", package.name)
 177
 178         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 179         self.assertEquals(3, pos)
 180         self.assertEquals("Primary:WDigest", wd_package.name)
 181
 182         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 183         self.assertEquals(4, pos)
 184         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 185
 186         (pos, package) = get_package(sc, "Packages")
 187         self.assertEquals(5, pos)
 188         self.assertEquals("Packages", package.name)
 189
 190         (pos, up_package) = get_package(sc, "Primary:userPassword")
 191         self.assertEquals(6, pos)
 192         self.assertEquals("Primary:userPassword", up_package.name)
 193
 194         # Check that the WDigest values are correct.
 195         #
 196         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 197                              binascii.a2b_hex(wd_package.data))
 198         self.check_wdigests(digests)
 199
 200         # Check the clear text  value is correct.
 201         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 202                         binascii.a2b_hex(ct_package.data))
 203         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 204
 205         # Check that the userPassword hashes are computed correctly
 206         #
 207         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 208                         binascii.a2b_hex(up_package.data))
 209         self.checkUserPassword(up, [("{CRYPT}", "5",100)])
 210         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)