python/samba/tests/password_hash_fl2008.py

   1 # Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
   2 #
   3 # Copyright (C) Catalyst IT Ltd. 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """
  20 Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
  21
  22 These tests need to be run in an environment in which
  23 io->ac->gpg_key_ids == NULL, so that the gpg supplemental credentials
  24 are not generated. And also need to be in an environment with a
  25 functional level of 2008 or greater to ensure the kerberos newer keys are
  26 generated
  27 """
  28 from samba.tests.password_hash import (
  29     PassWordHashTests,
  30     get_package,
  31     USER_PASS
  32 )
  33 from samba.ndr import ndr_unpack
  34 from samba.dcerpc import drsblobs
  35 import binascii
  36
  37
  38 class PassWordHashFl2008Tests(PassWordHashTests):
  39
  40     def setUp(self):
  41         super(PassWordHashFl2008Tests, self).setUp()
  42
  43
  44     def test_default_supplementalCredentials(self):
  45         self.add_user()
  46
  47         sc = self.get_supplemental_creds()
  48
  49         # Check that we got all the expected supplemental credentials
  50         # And they are in the expected order.
  51         size = len(sc.sub.packages)
  52         self.assertEquals(4, size)
  53         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
  54         self.assertEquals(1, pos)
  55         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
  56
  57         (pos, package) = get_package(sc, "Primary:Kerberos")
  58         self.assertEquals(2, pos)
  59         self.assertEquals("Primary:Kerberos", package.name)
  60
  61         (pos, package) = get_package(sc, "Packages")
  62         self.assertEquals(3, pos)
  63         self.assertEquals("Packages", package.name)
  64
  65         (pos, package) = get_package(sc, "Primary:WDigest")
  66         self.assertEquals(4, pos)
  67         self.assertEquals("Primary:WDigest", package.name)
  68
  69         # Check that the WDigest values are correct.
  70         #
  71         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
  72                              binascii.a2b_hex(package.data))
  73         self.check_wdigests(digests)
  74
  75     def test_userPassword_sha512(self):
  76         self.add_user(options=[("password hash userPassword schemes",
  77                                 "CryptSHA512")])
  78
  79         sc = self.get_supplemental_creds()
  80
  81         # Check that we got all the expected supplemental credentials
  82         # And they are in the expected order.
  83         size = len(sc.sub.packages)
  84         self.assertEquals(5, size)
  85
  86         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
  87         self.assertEquals(1, pos)
  88         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
  89
  90         (pos, package) = get_package(sc, "Primary:Kerberos")
  91         self.assertEquals(2, pos)
  92         self.assertEquals("Primary:Kerberos", package.name)
  93
  94         (pos, wp_package) = get_package(sc, "Primary:WDigest")
  95         self.assertEquals(3, pos)
  96         self.assertEquals("Primary:WDigest", wp_package.name)
  97
  98         (pos, package) = get_package(sc, "Packages")
  99         self.assertEquals(4, pos)
 100         self.assertEquals("Packages", package.name)
 101
 102         (pos, up_package) = get_package(sc, "Primary:userPassword")
 103         self.assertEquals(5, pos)
 104         self.assertEquals("Primary:userPassword", up_package.name)
 105
 106         # Check that the WDigest values are correct.
 107         #
 108         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 109                              binascii.a2b_hex(wp_package.data))
 110         self.check_wdigests(digests)
 111
 112         # Check that the userPassword hashes are computed correctly
 113         #
 114         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 115                         binascii.a2b_hex(up_package.data))
 116         self.checkUserPassword(up, [("{CRYPT}", "6", None)])
 117         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
 118
 119     def test_supplementalCredentials_cleartext(self):
 120         self.add_user(clear_text=True)
 121
 122         sc = self.get_supplemental_creds()
 123
 124         # Check that we got all the expected supplemental credentials
 125         # And they are in the expected order.
 126         size = len(sc.sub.packages)
 127         self.assertEquals(5, size)
 128         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
 129         self.assertEquals(1, pos)
 130         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
 131
 132         (pos, package) = get_package(sc, "Primary:Kerberos")
 133         self.assertEquals(2, pos)
 134         self.assertEquals("Primary:Kerberos", package.name)
 135
 136         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 137         self.assertEquals(3, pos)
 138         self.assertEquals("Primary:WDigest", wd_package.name)
 139
 140         (pos, package) = get_package(sc, "Packages")
 141         self.assertEquals(4, pos)
 142         self.assertEquals("Packages", package.name)
 143
 144         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 145         self.assertEquals(5, pos)
 146         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 147
 148         # Check that the WDigest values are correct.
 149         #
 150         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 151                              binascii.a2b_hex(wd_package.data))
 152         self.check_wdigests(digests)
 153
 154         # Check the clear text  value is correct.
 155         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 156                         binascii.a2b_hex(ct_package.data))
 157         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 158
 159     def test_userPassword_cleartext_sha256(self):
 160         self.add_user(clear_text=True,
 161                       options=[("password hash userPassword schemes",
 162                                 "CryptSHA256:rounds=100")])
 163
 164         sc = self.get_supplemental_creds()
 165
 166         # Check that we got all the expected supplemental credentials
 167         # And they are in the expected order.
 168         size = len(sc.sub.packages)
 169         self.assertEquals(6, size)
 170
 171         (pos, package) = get_package(sc, "Primary:Kerberos-Newer-Keys")
 172         self.assertEquals(1, pos)
 173         self.assertEquals("Primary:Kerberos-Newer-Keys", package.name)
 174
 175         (pos, package) = get_package(sc, "Primary:Kerberos")
 176         self.assertEquals(2, pos)
 177         self.assertEquals("Primary:Kerberos", package.name)
 178
 179         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 180         self.assertEquals(3, pos)
 181         self.assertEquals("Primary:WDigest", wd_package.name)
 182
 183         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 184         self.assertEquals(4, pos)
 185         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 186
 187         (pos, package) = get_package(sc, "Packages")
 188         self.assertEquals(5, pos)
 189         self.assertEquals("Packages", package.name)
 190
 191         (pos, up_package) = get_package(sc, "Primary:userPassword")
 192         self.assertEquals(6, pos)
 193         self.assertEquals("Primary:userPassword", up_package.name)
 194
 195         # Check that the WDigest values are correct.
 196         #
 197         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 198                              binascii.a2b_hex(wd_package.data))
 199         self.check_wdigests(digests)
 200
 201         # Check the clear text  value is correct.
 202         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 203                         binascii.a2b_hex(ct_package.data))
 204         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 205
 206         # Check that the userPassword hashes are computed correctly
 207         #
 208         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 209                         binascii.a2b_hex(up_package.data))
 210         self.checkUserPassword(up, [("{CRYPT}", "5", 100)])
 211         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)