From 189fe8742332fc9f0a36372d0fbd94878969e857 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Jul 2020 14:35:39 +1200 Subject: [PATCH 1/3] dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7 On RHEL7 crypt_r() will set errno. This is a problem because the implementation of crypt_r() in RHEL8 and elsewhere in libcrypt will return non-NULL but set errno on failure. The workaround is to use crypt_rn(), provided only by libcrypt, which will return NULL on failure, and so avoid checking errno in the non-failure case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424 Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy (cherry picked from commit 91453f110fa72062291eb59ad9d95fab0f423557) --- lib/replace/wscript | 1 + .../dsdb/samdb/ldb_modules/password_hash.c | 37 +++++++++++++++---- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/lib/replace/wscript b/lib/replace/wscript index 56e2a22de49..d5651f1bdc0 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript @@ -649,6 +649,7 @@ def configure(conf): conf.CHECK_FUNCS_IN('crypt', 'crypt', checklibc=True) conf.CHECK_FUNCS_IN('crypt_r', 'crypt', checklibc=True) + conf.CHECK_FUNCS_IN('crypt_rn', 'crypt', checklibc=True) conf.CHECK_VARIABLE('rl_event_hook', define='HAVE_DECL_RL_EVENT_HOOK', always=True, headers='readline.h readline/readline.h readline/history.h') diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 006e35c46d5..f5a6bdc43d6 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1507,8 +1507,10 @@ static int setup_primary_userPassword_hash( int rounds = 0; /* The number of hash rounds */ DATA_BLOB *hash_blob = NULL; TALLOC_CTX *frame = talloc_stackframe(); -#ifdef HAVE_CRYPT_R - struct crypt_data crypt_data; /* working storage used by crypt */ +#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN) + struct crypt_data crypt_data = { + .initialized = 0 /* working storage used by crypt */ + }; #endif /* Genrate a random password salt */ @@ -1549,8 +1551,32 @@ static int setup_primary_userPassword_hash( * Relies on the assertion that cleartext_utf8->data is a zero * terminated UTF-8 string */ + + /* + * crypt_r() and crypt() may return a null pointer upon error + * depending on how libcrypt was configured, so we prefer + * crypt_rn() from libcrypt / libxcrypt which always returns + * NULL on error. + * + * POSIX specifies returning a null pointer and setting + * errno. + * + * RHEL 7 (which does not use libcrypt / libxcrypt) returns a + * non-NULL pointer from crypt_r() on success but (always?) + * sets errno during internal processing in the NSS crypto + * subsystem. + * + * By preferring crypt_rn we avoid the 'return non-NULL but + * set-errno' that we otherwise cannot tell apart from the + * RHEL 7 behaviour. + */ errno = 0; -#ifdef HAVE_CRYPT_R +#ifdef HAVE_CRYPT_RN + hash = crypt_rn((char *)io->n.cleartext_utf8->data, + cmd, + &crypt_data, + sizeof(crypt_data)); +#elif HAVE_CRYPT_R hash = crypt_r((char *)io->n.cleartext_utf8->data, cmd, &crypt_data); #else /* @@ -1559,10 +1585,7 @@ static int setup_primary_userPassword_hash( */ hash = crypt((char *)io->n.cleartext_utf8->data, cmd); #endif - /* crypt_r and crypt may return a null pointer upon error depending on - * how libcrypt was configured. POSIX specifies returning a null - * pointer and setting errno. */ - if (hash == NULL || errno != 0) { + if (hash == NULL) { char buf[1024]; int err = strerror_r(errno, buf, sizeof(buf)); if (err != 0) { -- 2.17.1 From 53d16391841259c6466d6470f44fa63de25d7d6f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Jul 2020 14:30:24 +1200 Subject: [PATCH 2/3] selftest: Split samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts This allows the userPassword (not GPG) part of the test to run on hosts without python3-gpg (eg RHEL7) while still testing the userPassword handling. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424 Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy (cherry picked from commit 2c4ecf002a3fbbe8be061814468529c8bd6bb7aa) --- .../samba_tool/user_virtualCryptSHA_base.py | 118 ++++++++ .../samba_tool/user_virtualCryptSHA_gpg.py | 261 ++++++++++++++++++ .../user_virtualCryptSHA_userPassword.py | 185 +++++++++++++ source4/selftest/tests.py | 3 +- 4 files changed, 566 insertions(+), 1 deletion(-) create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_base.py create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py new file mode 100644 index 00000000000..e32f8d7343c --- /dev/null +++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py @@ -0,0 +1,118 @@ +# Tests for the samba-tool user sub command reading Primary:userPassword +# +# Copyright (C) Andrew Bartlett 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import time +import base64 +import ldb +import samba +from samba.tests.samba_tool.base import SambaToolCmdTest +from samba.credentials import Credentials +from samba.samdb import SamDB +from samba.auth import system_session +from samba.ndr import ndr_unpack +from samba.dcerpc import drsblobs +from samba import dsdb +import re + +USER_NAME = "CryptSHATestUser" +HASH_OPTION = "password hash userPassword schemes" + +# Get the value of an attribute from the output string +# Note: Does not correctly handle values spanning multiple lines, +# which is acceptable for it's usage in these tests. + + +def _get_attribute(out, name): + p = re.compile("^" + name + ":\s+(\S+)") + for line in out.split("\n"): + m = p.match(line) + if m: + return m.group(1) + return "" + + +class UserCmdCryptShaTestCase(SambaToolCmdTest): + """ + Tests for samba-tool user subcommands generation of the virtualCryptSHA256 + and virtualCryptSHA512 attributes + """ + users = [] + samdb = None + + def setUp(self): + super(UserCmdCryptShaTestCase, self).setUp() + + def add_user(self, hashes=""): + self.lp = samba.tests.env_loadparm() + + # set the extra hashes to be calculated + self.lp.set(HASH_OPTION, hashes) + + self.creds = Credentials() + self.session = system_session() + self.ldb = SamDB( + session_info=self.session, + credentials=self.creds, + lp=self.lp) + + password = self.random_password() + self.runsubcmd("user", + "create", + USER_NAME, + password) + + def tearDown(self): + super(UserCmdCryptShaTestCase, self).tearDown() + self.runsubcmd("user", "delete", USER_NAME) + + def _get_password(self, attributes, decrypt=False): + command = ["user", + "getpassword", + USER_NAME, + "--attributes", + attributes] + if decrypt: + command.append("--decrypt-samba-gpg") + + (result, out, err) = self.runsubcmd(*command) + self.assertCmdSuccess(result, + out, + err, + "Ensure getpassword runs") + self.assertEqual(err, "", "getpassword") + self.assertMatch(out, + "Got password OK", + "getpassword out[%s]" % out) + return out + + # Change the just the NT password hash, as would happen if the password + # was updated by Windows, the userPassword values are now obsolete. + # + def _change_nt_hash(self): + res = self.ldb.search(expression = "cn=%s" % USER_NAME, + scope = ldb.SCOPE_SUBTREE) + msg = ldb.Message() + msg.dn = res[0].dn + msg["unicodePwd"] = ldb.MessageElement(b"ABCDEF1234567890", + ldb.FLAG_MOD_REPLACE, + "unicodePwd") + self.ldb.modify( + msg, + controls=["local_oid:%s:0" % + dsdb.DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID]) diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py new file mode 100644 index 00000000000..25c02d9ac2a --- /dev/null +++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py @@ -0,0 +1,261 @@ +# Tests for the samba-tool user sub command reading Primary:userPassword +# +# Copyright (C) Andrew Bartlett 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute + +class UserCmdCryptShaTestCaseGPG(UserCmdCryptShaTestCase): + """ + Tests for samba-tool user subcommands generation of the virtualCryptSHA256 + and virtualCryptSHA512 attributes + """ + + # gpg decryption enabled. + # both virtual attributes specified, no rounds option + # no hashes stored in supplementalCredentials + # Should get values + def test_gpg_both_hashes_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # SHA256 specified + # no hashes stored in supplementalCredentials + # No rounds + # + # Should get values + def test_gpg_sha256_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA256", True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # SHA512 specified + # no hashes stored in supplementalCredentials + # No rounds + # + # Should get values + def test_gpg_sha512_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA512", True) + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # SHA128 specified, i.e. invalid/unknown algorithm + # no hashes stored in supplementalCredentials + # No rounds + # + # Should not get values + def test_gpg_invalid_alg_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA128", True) + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # both virtual attributes specified, no rounds option + # no hashes stored in supplementalCredentials + # underlying windows password changed, so plain text password is + # invalid. + # Should not get values + def test_gpg_both_hashes_no_rounds_pwd_changed(self): + self.add_user() + self._change_nt_hash() + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True) + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # SHA256 specified, no rounds option + # no hashes stored in supplementalCredentials + # underlying windows password changed, so plain text password is + # invalid. + # Should not get values + def test_gpg_sha256_no_rounds_pwd_changed(self): + self.add_user() + self._change_nt_hash() + out = self._get_password("virtualCryptSHA256", True) + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # SHA512 specified, no rounds option + # no hashes stored in supplementalCredentials + # underlying windows password changed, so plain text password is + # invalid. + # Should not get values + def test_gpg_sha512_no_rounds_pwd_changed(self): + self.add_user() + self._change_nt_hash() + out = self._get_password("virtualCryptSHA256", True) + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption enabled. + # both virtual attributes specified, rounds specified + # no hashes stored in supplementalCredentials + # Should get values reflecting the requested rounds + def test_gpg_both_hashes_both_rounds(self): + self.add_user() + out = self._get_password( + "virtualCryptSHA256;rounds=10123,virtualCryptSHA512;rounds=10456", + True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + + sha256 = _get_attribute(out, "virtualCryptSHA256") + self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=10123$")) + + sha512 = _get_attribute(out, "virtualCryptSHA512") + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=10456$")) + + # gpg decryption enabled. + # both virtual attributes specified, rounds specified + # invalid rounds for sha256 + # no hashes stored in supplementalCredentials + # Should get values, no rounds for sha256, rounds for sha 512 + def test_gpg_both_hashes_sha256_rounds_invalid(self): + self.add_user() + out = self._get_password( + "virtualCryptSHA256;rounds=invalid,virtualCryptSHA512;rounds=3125", + True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + + sha256 = _get_attribute(out, "virtualCryptSHA256") + self.assertTrue(sha256.startswith("{CRYPT}$5$")) + self.assertTrue("rounds" not in sha256) + + sha512 = _get_attribute(out, "virtualCryptSHA512") + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=3125$")) + + # gpg decryption enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with no rounds + # Should get calculated hashed with the correct number of rounds + def test_gpg_both_hashes_rounds_stored_hashes(self): + self.add_user("CryptSHA512 CryptSHA256") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129", + True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" in out) + + # Should be calculating the hashes + # so they should change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129", + True) + self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256")) + self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512")) + + # The returned hashes should specify the correct number of rounds + self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) + + # gpg decryption enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with rounds + # Should get values + def test_gpg_both_hashes_rounds_stored_hashes_with_rounds(self): + self.add_user("CryptSHA512 " + + "CryptSHA256 " + + "CryptSHA512:rounds=5129 " + + "CryptSHA256:rounds=2561") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129", + True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" in out) + + # Should be using the pre computed hash in supplementalCredentials + # so it should not change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129", + True) + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) + + # The returned hashes should specify the correct number of rounds + self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) + + # gpg decryption enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with rounds + # number of rounds stored/requested do not match + # Should get calculated hashes with the correct number of rounds + def test_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self): + self.add_user("CryptSHA512 " + + "CryptSHA256 " + + "CryptSHA512:rounds=5129 " + + "CryptSHA256:rounds=2561") + + out = self._get_password("virtualCryptSHA256;rounds=4000," + + "virtualCryptSHA512;rounds=5000", + True) + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" in out) + + # Should be calculating the hashes + # so they should change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256;rounds=4000," + + "virtualCryptSHA512;rounds=5000", + True) + self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256")) + self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512")) + + # The calculated hashes should specify the correct number of rounds + self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=4000")) + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5000")) diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py new file mode 100644 index 00000000000..6c1c6295b85 --- /dev/null +++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py @@ -0,0 +1,185 @@ +# Tests for the samba-tool user sub command reading Primary:userPassword +# +# Copyright (C) Andrew Bartlett 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute + +class UserCmdCryptShaTestCaseUserPassword(UserCmdCryptShaTestCase): + # gpg decryption not enabled. + # both virtual attributes specified, no rounds option + # no hashes stored in supplementalCredentials + # Should not get values + def test_no_gpg_both_hashes_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption not enabled. + # SHA256 specified + # no hashes stored in supplementalCredentials + # No rounds + # + # Should not get values + def test_no_gpg_sha256_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA256") + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption not enabled. + # SHA512 specified + # no hashes stored in supplementalCredentials + # No rounds + # + # Should not get values + def test_no_gpg_sha512_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA512") + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption not enabled. + # SHA128 specified, i.e. invalid/unknown algorithm + # no hashes stored in supplementalCredentials + # No rounds + # + # Should not get values + def test_no_gpg_invalid_alg_no_rounds(self): + self.add_user() + out = self._get_password("virtualCryptSHA128") + + self.assertTrue("virtualCryptSHA256:" not in out) + self.assertTrue("virtualCryptSHA512:" not in out) + self.assertTrue("rounds=" not in out) + + # gpg decryption not enabled. + # both virtual attributes specified, no rounds option + # both hashes stored in supplementalCredentials + # Should get values + def test_no_gpg_both_hashes_no_rounds_stored_hashes(self): + self.add_user("CryptSHA512 CryptSHA256") + + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" not in out) + + # Should be using the pre computed hash in supplementalCredentials + # so it should not change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) + + # gpg decryption not enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with not rounds + # Should get hashes for the first matching scheme entry + def test_no_gpg_both_hashes_rounds_stored_hashes(self): + self.add_user("CryptSHA512 CryptSHA256") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129") + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" not in out) + + # Should be using the pre computed hash in supplementalCredentials + # so it should not change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) + + # gpg decryption not enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with rounds + # Should get values + def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds(self): + self.add_user("CryptSHA512 " + + "CryptSHA256 " + + "CryptSHA512:rounds=5129 " + + "CryptSHA256:rounds=2561") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129") + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" in out) + + # Should be using the pre computed hash in supplementalCredentials + # so it should not change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256;rounds=2561," + + "virtualCryptSHA512;rounds=5129") + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) + + # Number of rounds should match that specified + self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) + self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) + + # gpg decryption not enabled. + # both virtual attributes specified, rounds specified + # both hashes stored in supplementalCredentials, with rounds + # number of rounds stored/requested do not match + # Should get the precomputed hashes for CryptSHA512 and CryptSHA256 + def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self): + self.add_user("CryptSHA512 " + + "CryptSHA256 " + + "CryptSHA512:rounds=5129 " + + "CryptSHA256:rounds=2561") + + out = self._get_password("virtualCryptSHA256;rounds=4000," + + "virtualCryptSHA512;rounds=5000") + + self.assertTrue("virtualCryptSHA256:" in out) + self.assertTrue("virtualCryptSHA512:" in out) + self.assertTrue("rounds=" not in out) + + # Should be using the pre computed hash in supplementalCredentials + # so it should not change between calls. + sha256 = _get_attribute(out, "virtualCryptSHA256") + sha512 = _get_attribute(out, "virtualCryptSHA512") + + out = self._get_password("virtualCryptSHA256;rounds=4000," + + "virtualCryptSHA512;rounds=5000") + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) + + # As the number of rounds did not match, should have returned the + # first hash of the coresponding scheme + out = self._get_password("virtualCryptSHA256," + + "virtualCryptSHA512") + self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) + self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index f7645365384..e31f2251846 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -685,7 +685,8 @@ planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes") planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user") planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user_wdigest") planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user") -planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA") +planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_userPassword") +planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_gpg") planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script") planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.group") planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.ou") -- 2.17.1 From 3a44f8c67398db8ebd524c5f7e849db2c2b6b1e6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Jul 2020 14:31:54 +1200 Subject: [PATCH 3/3] selftest: Run test of how userPassword / crypt() style passwords are stored in quicktest This ensures that the crypt_r()/crypt_rn()/crypt() behaviour is tested in all the samba-o3 builds and so is checked on RHEL7 in GitLab CI. https://bugzilla.samba.org/show_bug.cgi?id=14424 Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy (cherry picked from commit cabf873b75b1d4d456190358bc3ed051bca16978) --- selftest/quick | 3 +++ 1 file changed, 3 insertions(+) diff --git a/selftest/quick b/selftest/quick index 7605f3f8877..0e79f1020bf 100644 --- a/selftest/quick +++ b/selftest/quick @@ -35,3 +35,6 @@ rpc.echo smb.signing drs.unit samba4.blackbox.dbcheck.dc +# This needs to be here to get testing of crypt_r() +# behaviour on multiple OS distributions. +samba.tests.samba_tool.user_virtualCryptSHA_userPassword \ No newline at end of file -- 2.17.1