The Samba-Bugzilla – Attachment 16104 Details for
Bug 14424
crypt_r() on CentOS 7 can return with errno to EISDIR or ENOENT due to using NSS
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
backported patch for 4.11
crypt_r-v4-11.patch (text/plain), 30.65 KB, created by
Andrew Bartlett
on 2020-07-01 23:31:44 UTC
(
hide
)
Description:
backported patch for 4.11
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2020-07-01 23:31:44 UTC
Size:
30.65 KB
patch
obsolete
>From 189fe8742332fc9f0a36372d0fbd94878969e857 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Jul 2020 14:35:39 +1200 >Subject: [PATCH 1/3] dsdb: Allow "password hash userPassword schemes = > CryptSHA256" to work on RHEL7 > >On RHEL7 crypt_r() will set errno. This is a problem because the implementation of crypt_r() >in RHEL8 and elsewhere in libcrypt will return non-NULL but set errno on failure. > >The workaround is to use crypt_rn(), provided only by libcrypt, which will return NULL >on failure, and so avoid checking errno in the non-failure case. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 91453f110fa72062291eb59ad9d95fab0f423557) >--- > lib/replace/wscript | 1 + > .../dsdb/samdb/ldb_modules/password_hash.c | 37 +++++++++++++++---- > 2 files changed, 31 insertions(+), 7 deletions(-) > >diff --git a/lib/replace/wscript b/lib/replace/wscript >index 56e2a22de49..d5651f1bdc0 100644 >--- a/lib/replace/wscript >+++ b/lib/replace/wscript >@@ -649,6 +649,7 @@ def configure(conf): > > conf.CHECK_FUNCS_IN('crypt', 'crypt', checklibc=True) > conf.CHECK_FUNCS_IN('crypt_r', 'crypt', checklibc=True) >+ conf.CHECK_FUNCS_IN('crypt_rn', 'crypt', checklibc=True) > > conf.CHECK_VARIABLE('rl_event_hook', define='HAVE_DECL_RL_EVENT_HOOK', always=True, > headers='readline.h readline/readline.h readline/history.h') >diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c >index 006e35c46d5..f5a6bdc43d6 100644 >--- a/source4/dsdb/samdb/ldb_modules/password_hash.c >+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c >@@ -1507,8 +1507,10 @@ static int setup_primary_userPassword_hash( > int rounds = 0; /* The number of hash rounds */ > DATA_BLOB *hash_blob = NULL; > TALLOC_CTX *frame = talloc_stackframe(); >-#ifdef HAVE_CRYPT_R >- struct crypt_data crypt_data; /* working storage used by crypt */ >+#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN) >+ struct crypt_data crypt_data = { >+ .initialized = 0 /* working storage used by crypt */ >+ }; > #endif > > /* Genrate a random password salt */ >@@ -1549,8 +1551,32 @@ static int setup_primary_userPassword_hash( > * Relies on the assertion that cleartext_utf8->data is a zero > * terminated UTF-8 string > */ >+ >+ /* >+ * crypt_r() and crypt() may return a null pointer upon error >+ * depending on how libcrypt was configured, so we prefer >+ * crypt_rn() from libcrypt / libxcrypt which always returns >+ * NULL on error. >+ * >+ * POSIX specifies returning a null pointer and setting >+ * errno. >+ * >+ * RHEL 7 (which does not use libcrypt / libxcrypt) returns a >+ * non-NULL pointer from crypt_r() on success but (always?) >+ * sets errno during internal processing in the NSS crypto >+ * subsystem. >+ * >+ * By preferring crypt_rn we avoid the 'return non-NULL but >+ * set-errno' that we otherwise cannot tell apart from the >+ * RHEL 7 behaviour. >+ */ > errno = 0; >-#ifdef HAVE_CRYPT_R >+#ifdef HAVE_CRYPT_RN >+ hash = crypt_rn((char *)io->n.cleartext_utf8->data, >+ cmd, >+ &crypt_data, >+ sizeof(crypt_data)); >+#elif HAVE_CRYPT_R > hash = crypt_r((char *)io->n.cleartext_utf8->data, cmd, &crypt_data); > #else > /* >@@ -1559,10 +1585,7 @@ static int setup_primary_userPassword_hash( > */ > hash = crypt((char *)io->n.cleartext_utf8->data, cmd); > #endif >- /* crypt_r and crypt may return a null pointer upon error depending on >- * how libcrypt was configured. POSIX specifies returning a null >- * pointer and setting errno. */ >- if (hash == NULL || errno != 0) { >+ if (hash == NULL) { > char buf[1024]; > int err = strerror_r(errno, buf, sizeof(buf)); > if (err != 0) { >-- >2.17.1 > > >From 53d16391841259c6466d6470f44fa63de25d7d6f Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Jul 2020 14:30:24 +1200 >Subject: [PATCH 2/3] selftest: Split > samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts > >This allows the userPassword (not GPG) part of the test to run on hosts without >python3-gpg (eg RHEL7) while still testing the userPassword handling. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 2c4ecf002a3fbbe8be061814468529c8bd6bb7aa) >--- > .../samba_tool/user_virtualCryptSHA_base.py | 118 ++++++++ > .../samba_tool/user_virtualCryptSHA_gpg.py | 261 ++++++++++++++++++ > .../user_virtualCryptSHA_userPassword.py | 185 +++++++++++++ > source4/selftest/tests.py | 3 +- > 4 files changed, 566 insertions(+), 1 deletion(-) > create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_base.py > create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py > create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py > >diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py >new file mode 100644 >index 00000000000..e32f8d7343c >--- /dev/null >+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_base.py >@@ -0,0 +1,118 @@ >+# Tests for the samba-tool user sub command reading Primary:userPassword >+# >+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import os >+import time >+import base64 >+import ldb >+import samba >+from samba.tests.samba_tool.base import SambaToolCmdTest >+from samba.credentials import Credentials >+from samba.samdb import SamDB >+from samba.auth import system_session >+from samba.ndr import ndr_unpack >+from samba.dcerpc import drsblobs >+from samba import dsdb >+import re >+ >+USER_NAME = "CryptSHATestUser" >+HASH_OPTION = "password hash userPassword schemes" >+ >+# Get the value of an attribute from the output string >+# Note: Does not correctly handle values spanning multiple lines, >+# which is acceptable for it's usage in these tests. >+ >+ >+def _get_attribute(out, name): >+ p = re.compile("^" + name + ":\s+(\S+)") >+ for line in out.split("\n"): >+ m = p.match(line) >+ if m: >+ return m.group(1) >+ return "" >+ >+ >+class UserCmdCryptShaTestCase(SambaToolCmdTest): >+ """ >+ Tests for samba-tool user subcommands generation of the virtualCryptSHA256 >+ and virtualCryptSHA512 attributes >+ """ >+ users = [] >+ samdb = None >+ >+ def setUp(self): >+ super(UserCmdCryptShaTestCase, self).setUp() >+ >+ def add_user(self, hashes=""): >+ self.lp = samba.tests.env_loadparm() >+ >+ # set the extra hashes to be calculated >+ self.lp.set(HASH_OPTION, hashes) >+ >+ self.creds = Credentials() >+ self.session = system_session() >+ self.ldb = SamDB( >+ session_info=self.session, >+ credentials=self.creds, >+ lp=self.lp) >+ >+ password = self.random_password() >+ self.runsubcmd("user", >+ "create", >+ USER_NAME, >+ password) >+ >+ def tearDown(self): >+ super(UserCmdCryptShaTestCase, self).tearDown() >+ self.runsubcmd("user", "delete", USER_NAME) >+ >+ def _get_password(self, attributes, decrypt=False): >+ command = ["user", >+ "getpassword", >+ USER_NAME, >+ "--attributes", >+ attributes] >+ if decrypt: >+ command.append("--decrypt-samba-gpg") >+ >+ (result, out, err) = self.runsubcmd(*command) >+ self.assertCmdSuccess(result, >+ out, >+ err, >+ "Ensure getpassword runs") >+ self.assertEqual(err, "", "getpassword") >+ self.assertMatch(out, >+ "Got password OK", >+ "getpassword out[%s]" % out) >+ return out >+ >+ # Change the just the NT password hash, as would happen if the password >+ # was updated by Windows, the userPassword values are now obsolete. >+ # >+ def _change_nt_hash(self): >+ res = self.ldb.search(expression = "cn=%s" % USER_NAME, >+ scope = ldb.SCOPE_SUBTREE) >+ msg = ldb.Message() >+ msg.dn = res[0].dn >+ msg["unicodePwd"] = ldb.MessageElement(b"ABCDEF1234567890", >+ ldb.FLAG_MOD_REPLACE, >+ "unicodePwd") >+ self.ldb.modify( >+ msg, >+ controls=["local_oid:%s:0" % >+ dsdb.DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID]) >diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py >new file mode 100644 >index 00000000000..25c02d9ac2a >--- /dev/null >+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py >@@ -0,0 +1,261 @@ >+# Tests for the samba-tool user sub command reading Primary:userPassword >+# >+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute >+ >+class UserCmdCryptShaTestCaseGPG(UserCmdCryptShaTestCase): >+ """ >+ Tests for samba-tool user subcommands generation of the virtualCryptSHA256 >+ and virtualCryptSHA512 attributes >+ """ >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, no rounds option >+ # no hashes stored in supplementalCredentials >+ # Should get values >+ def test_gpg_both_hashes_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # SHA256 specified >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should get values >+ def test_gpg_sha256_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA256", True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # SHA512 specified >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should get values >+ def test_gpg_sha512_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA512", True) >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # SHA128 specified, i.e. invalid/unknown algorithm >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should not get values >+ def test_gpg_invalid_alg_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA128", True) >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, no rounds option >+ # no hashes stored in supplementalCredentials >+ # underlying windows password changed, so plain text password is >+ # invalid. >+ # Should not get values >+ def test_gpg_both_hashes_no_rounds_pwd_changed(self): >+ self.add_user() >+ self._change_nt_hash() >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True) >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # SHA256 specified, no rounds option >+ # no hashes stored in supplementalCredentials >+ # underlying windows password changed, so plain text password is >+ # invalid. >+ # Should not get values >+ def test_gpg_sha256_no_rounds_pwd_changed(self): >+ self.add_user() >+ self._change_nt_hash() >+ out = self._get_password("virtualCryptSHA256", True) >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # SHA512 specified, no rounds option >+ # no hashes stored in supplementalCredentials >+ # underlying windows password changed, so plain text password is >+ # invalid. >+ # Should not get values >+ def test_gpg_sha512_no_rounds_pwd_changed(self): >+ self.add_user() >+ self._change_nt_hash() >+ out = self._get_password("virtualCryptSHA256", True) >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, rounds specified >+ # no hashes stored in supplementalCredentials >+ # Should get values reflecting the requested rounds >+ def test_gpg_both_hashes_both_rounds(self): >+ self.add_user() >+ out = self._get_password( >+ "virtualCryptSHA256;rounds=10123,virtualCryptSHA512;rounds=10456", >+ True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=10123$")) >+ >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=10456$")) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, rounds specified >+ # invalid rounds for sha256 >+ # no hashes stored in supplementalCredentials >+ # Should get values, no rounds for sha256, rounds for sha 512 >+ def test_gpg_both_hashes_sha256_rounds_invalid(self): >+ self.add_user() >+ out = self._get_password( >+ "virtualCryptSHA256;rounds=invalid,virtualCryptSHA512;rounds=3125", >+ True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ self.assertTrue(sha256.startswith("{CRYPT}$5$")) >+ self.assertTrue("rounds" not in sha256) >+ >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=3125$")) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with no rounds >+ # Should get calculated hashed with the correct number of rounds >+ def test_gpg_both_hashes_rounds_stored_hashes(self): >+ self.add_user("CryptSHA512 CryptSHA256") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129", >+ True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" in out) >+ >+ # Should be calculating the hashes >+ # so they should change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129", >+ True) >+ self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256")) >+ self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512")) >+ >+ # The returned hashes should specify the correct number of rounds >+ self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with rounds >+ # Should get values >+ def test_gpg_both_hashes_rounds_stored_hashes_with_rounds(self): >+ self.add_user("CryptSHA512 " + >+ "CryptSHA256 " + >+ "CryptSHA512:rounds=5129 " + >+ "CryptSHA256:rounds=2561") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129", >+ True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" in out) >+ >+ # Should be using the pre computed hash in supplementalCredentials >+ # so it should not change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129", >+ True) >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >+ >+ # The returned hashes should specify the correct number of rounds >+ self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) >+ >+ # gpg decryption enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with rounds >+ # number of rounds stored/requested do not match >+ # Should get calculated hashes with the correct number of rounds >+ def test_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self): >+ self.add_user("CryptSHA512 " + >+ "CryptSHA256 " + >+ "CryptSHA512:rounds=5129 " + >+ "CryptSHA256:rounds=2561") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=4000," + >+ "virtualCryptSHA512;rounds=5000", >+ True) >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" in out) >+ >+ # Should be calculating the hashes >+ # so they should change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=4000," + >+ "virtualCryptSHA512;rounds=5000", >+ True) >+ self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256")) >+ self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512")) >+ >+ # The calculated hashes should specify the correct number of rounds >+ self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=4000")) >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5000")) >diff --git a/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py >new file mode 100644 >index 00000000000..6c1c6295b85 >--- /dev/null >+++ b/python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py >@@ -0,0 +1,185 @@ >+# Tests for the samba-tool user sub command reading Primary:userPassword >+# >+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+from samba.tests.samba_tool.user_virtualCryptSHA_base import UserCmdCryptShaTestCase, _get_attribute >+ >+class UserCmdCryptShaTestCaseUserPassword(UserCmdCryptShaTestCase): >+ # gpg decryption not enabled. >+ # both virtual attributes specified, no rounds option >+ # no hashes stored in supplementalCredentials >+ # Should not get values >+ def test_no_gpg_both_hashes_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption not enabled. >+ # SHA256 specified >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should not get values >+ def test_no_gpg_sha256_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA256") >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption not enabled. >+ # SHA512 specified >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should not get values >+ def test_no_gpg_sha512_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA512") >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption not enabled. >+ # SHA128 specified, i.e. invalid/unknown algorithm >+ # no hashes stored in supplementalCredentials >+ # No rounds >+ # >+ # Should not get values >+ def test_no_gpg_invalid_alg_no_rounds(self): >+ self.add_user() >+ out = self._get_password("virtualCryptSHA128") >+ >+ self.assertTrue("virtualCryptSHA256:" not in out) >+ self.assertTrue("virtualCryptSHA512:" not in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # gpg decryption not enabled. >+ # both virtual attributes specified, no rounds option >+ # both hashes stored in supplementalCredentials >+ # Should get values >+ def test_no_gpg_both_hashes_no_rounds_stored_hashes(self): >+ self.add_user("CryptSHA512 CryptSHA256") >+ >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # Should be using the pre computed hash in supplementalCredentials >+ # so it should not change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >+ >+ # gpg decryption not enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with not rounds >+ # Should get hashes for the first matching scheme entry >+ def test_no_gpg_both_hashes_rounds_stored_hashes(self): >+ self.add_user("CryptSHA512 CryptSHA256") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129") >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # Should be using the pre computed hash in supplementalCredentials >+ # so it should not change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256,virtualCryptSHA512") >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >+ >+ # gpg decryption not enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with rounds >+ # Should get values >+ def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds(self): >+ self.add_user("CryptSHA512 " + >+ "CryptSHA256 " + >+ "CryptSHA512:rounds=5129 " + >+ "CryptSHA256:rounds=2561") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129") >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" in out) >+ >+ # Should be using the pre computed hash in supplementalCredentials >+ # so it should not change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=2561," + >+ "virtualCryptSHA512;rounds=5129") >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >+ >+ # Number of rounds should match that specified >+ self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561")) >+ self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129")) >+ >+ # gpg decryption not enabled. >+ # both virtual attributes specified, rounds specified >+ # both hashes stored in supplementalCredentials, with rounds >+ # number of rounds stored/requested do not match >+ # Should get the precomputed hashes for CryptSHA512 and CryptSHA256 >+ def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self): >+ self.add_user("CryptSHA512 " + >+ "CryptSHA256 " + >+ "CryptSHA512:rounds=5129 " + >+ "CryptSHA256:rounds=2561") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=4000," + >+ "virtualCryptSHA512;rounds=5000") >+ >+ self.assertTrue("virtualCryptSHA256:" in out) >+ self.assertTrue("virtualCryptSHA512:" in out) >+ self.assertTrue("rounds=" not in out) >+ >+ # Should be using the pre computed hash in supplementalCredentials >+ # so it should not change between calls. >+ sha256 = _get_attribute(out, "virtualCryptSHA256") >+ sha512 = _get_attribute(out, "virtualCryptSHA512") >+ >+ out = self._get_password("virtualCryptSHA256;rounds=4000," + >+ "virtualCryptSHA512;rounds=5000") >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >+ >+ # As the number of rounds did not match, should have returned the >+ # first hash of the coresponding scheme >+ out = self._get_password("virtualCryptSHA256," + >+ "virtualCryptSHA512") >+ self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256")) >+ self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512")) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index f7645365384..e31f2251846 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -685,7 +685,8 @@ planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.processes") > planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user") > planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.user_wdigest") > planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user") >-planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA") >+planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_userPassword") >+planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.user_virtualCryptSHA_gpg") > planpythontestsuite("chgdcpass:local", "samba.tests.samba_tool.user_check_password_script") > planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.group") > planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.ou") >-- >2.17.1 > > >From 3a44f8c67398db8ebd524c5f7e849db2c2b6b1e6 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Jul 2020 14:31:54 +1200 >Subject: [PATCH 3/3] selftest: Run test of how userPassword / crypt() style > passwords are stored in quicktest > >This ensures that the crypt_r()/crypt_rn()/crypt() behaviour is tested in all >the samba-o3 builds and so is checked on RHEL7 in GitLab CI. > >https://bugzilla.samba.org/show_bug.cgi?id=14424 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit cabf873b75b1d4d456190358bc3ed051bca16978) >--- > selftest/quick | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/selftest/quick b/selftest/quick >index 7605f3f8877..0e79f1020bf 100644 >--- a/selftest/quick >+++ b/selftest/quick >@@ -35,3 +35,6 @@ rpc.echo > smb.signing > drs.unit > samba4.blackbox.dbcheck.dc >+# This needs to be here to get testing of crypt_r() >+# behaviour on multiple OS distributions. >+samba.tests.samba_tool.user_virtualCryptSHA_userPassword >\ No newline at end of file >-- >2.17.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16104">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
dbagnall
:
review+
abartlet
:
ci-passed+
Actions:
View
Attachments on
bug 14424
: 16104 |
16105