python/samba/tests/password_hash_fl2003.py

   1 # Tests for Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
   2 #
   3 # Copyright (C) Catalyst IT Ltd. 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 """
  20 Tests for source4/dsdb/samdb/ldb_modules/password_hash.c
  21
  22 These tests need to be run in an environment in which
  23 io->ac->gpg_key_ids == NULL, so that the gpg supplemental credentials
  24 are not generated. And also need to be in an environment with a
  25 functional level less than 2008 to ensure the kerberos newer keys are not
  26 generated
  27 """
  28
  29 from samba.tests.password_hash import (
  30     PassWordHashTests,
  31     get_package,
  32     USER_PASS
  33 )
  34 from samba.ndr import ndr_unpack
  35 from samba.dcerpc import drsblobs
  36 import binascii
  37
  38
  39 class PassWordHashFl2003Tests(PassWordHashTests):
  40
  41     def setUp(self):
  42         super(PassWordHashFl2003Tests, self).setUp()
  43
  44     def test_default_supplementalCredentials(self):
  45         self.add_user(options=[("password hash userPassword schemes", "")])
  46
  47         sc = self.get_supplemental_creds()
  48
  49         # Check that we got all the expected supplemental credentials
  50         # And they are in the expected order.
  51         size = len(sc.sub.packages)
  52         self.assertEquals(3, size)
  53
  54         (pos, package) = get_package(sc, "Primary:Kerberos")
  55         self.assertEquals(1, pos)
  56         self.assertEquals("Primary:Kerberos", package.name)
  57
  58         (pos, package) = get_package(sc, "Packages")
  59         self.assertEquals(2, pos)
  60         self.assertEquals("Packages", package.name)
  61
  62         (pos, package) = get_package(sc, "Primary:WDigest")
  63         self.assertEquals(3, pos)
  64         self.assertEquals("Primary:WDigest", package.name)
  65
  66         # Check that the WDigest values are correct.
  67         #
  68         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
  69                              binascii.a2b_hex(package.data))
  70         self.check_wdigests(digests)
  71
  72         # Check that the Package names are correct.
  73         #
  74         pb = ndr_unpack(drsblobs.package_PackagesBlob,
  75                              binascii.a2b_hex(package.data))
  76         expected = ["Kerberos", "WDigest"]
  77         self.assertEquals(expected, pb.names)
  78
  79     def test_userPassword_sha256(self):
  80         self.add_user(options=[("password hash userPassword schemes",
  81                                 "CryptSHA256")])
  82
  83         sc = self.get_supplemental_creds()
  84
  85         # Check that we got all the expected supplemental credentials
  86         # And they are in the expected order.
  87         size = len(sc.sub.packages)
  88         self.assertEquals(4, size)
  89
  90         (pos, package) = get_package(sc, "Primary:Kerberos")
  91         self.assertEquals(1, pos)
  92         self.assertEquals("Primary:Kerberos", package.name)
  93
  94         (pos, wd_package) = get_package(sc, "Primary:WDigest")
  95         self.assertEquals(2, pos)
  96         self.assertEquals("Primary:WDigest", wd_package.name)
  97
  98         (pos, package) = get_package(sc, "Packages")
  99         self.assertEquals(3, pos)
 100         self.assertEquals("Packages", package.name)
 101
 102         (pos, up_package) = get_package(sc, "Primary:userPassword")
 103         self.assertEquals(4, pos)
 104         self.assertEquals("Primary:userPassword", up_package.name)
 105
 106         # Check that the WDigest values are correct.
 107         #
 108         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 109                              binascii.a2b_hex(wd_package.data))
 110         self.check_wdigests(digests)
 111
 112         # Check that the userPassword hashes are computed correctly
 113         #
 114         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 115                         binascii.a2b_hex(up_package.data))
 116
 117         self.checkUserPassword(up, [("{CRYPT}", "5", None)])
 118         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)
 119
 120     def test_supplementalCredentials_cleartext(self):
 121         self.add_user(clear_text=True,
 122                       options=[("password hash userPassword schemes", "")])
 123
 124         sc = self.get_supplemental_creds()
 125
 126         # Check that we got all the expected supplemental credentials
 127         # And they are in the expected order.
 128         size = len(sc.sub.packages)
 129         self.assertEquals(4, size)
 130
 131         (pos, package) = get_package(sc, "Primary:Kerberos")
 132         self.assertEquals(1, pos)
 133         self.assertEquals("Primary:Kerberos", package.name)
 134
 135         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 136         self.assertEquals(2, pos)
 137         self.assertEquals("Primary:WDigest", wd_package.name)
 138
 139         (pos, package) = get_package(sc, "Packages")
 140         self.assertEquals(3, pos)
 141         self.assertEquals("Packages", package.name)
 142
 143         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 144         self.assertEquals(4, pos)
 145         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 146
 147         # Check that the WDigest values are correct.
 148         #
 149         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 150                              binascii.a2b_hex(wd_package.data))
 151         self.check_wdigests(digests)
 152
 153         # Check the clear text  value is correct.
 154         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 155                         binascii.a2b_hex(ct_package.data))
 156         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 157
 158     def test_userPassword_cleartext_sha512(self):
 159         self.add_user(clear_text=True,
 160                       options=[("password hash userPassword schemes",
 161                                 "CryptSHA512:rounds=10000")])
 162
 163         sc = self.get_supplemental_creds()
 164
 165         # Check that we got all the expected supplemental credentials
 166         # And they are in the expected order.
 167         size = len(sc.sub.packages)
 168         self.assertEquals(5, size)
 169
 170         (pos, package) = get_package(sc, "Primary:Kerberos")
 171         self.assertEquals(1, pos)
 172         self.assertEquals("Primary:Kerberos", package.name)
 173
 174         (pos, wd_package) = get_package(sc, "Primary:WDigest")
 175         self.assertEquals(2, pos)
 176         self.assertEquals("Primary:WDigest", wd_package.name)
 177
 178         (pos, ct_package) = get_package(sc, "Primary:CLEARTEXT")
 179         self.assertEquals(3, pos)
 180         self.assertEquals("Primary:CLEARTEXT", ct_package.name)
 181
 182         (pos, package) = get_package(sc, "Packages")
 183         self.assertEquals(4, pos)
 184         self.assertEquals("Packages", package.name)
 185
 186         (pos, up_package) = get_package(sc, "Primary:userPassword")
 187         self.assertEquals(5, pos)
 188         self.assertEquals("Primary:userPassword", up_package.name)
 189
 190         # Check that the WDigest values are correct.
 191         #
 192         digests = ndr_unpack(drsblobs.package_PrimaryWDigestBlob,
 193                              binascii.a2b_hex(wd_package.data))
 194         self.check_wdigests(digests)
 195
 196         # Check the clear text  value is correct.
 197         ct = ndr_unpack(drsblobs.package_PrimaryCLEARTEXTBlob,
 198                         binascii.a2b_hex(ct_package.data))
 199         self.assertEquals(USER_PASS.encode('utf-16-le'), ct.cleartext)
 200
 201         # Check that the userPassword hashes are computed correctly
 202         #
 203         up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob,
 204                         binascii.a2b_hex(up_package.data))
 205         self.checkUserPassword(up, [("{CRYPT}", "6", 10000)])
 206         self.checkNtHash(USER_PASS, up.current_nt_hash.hash)