From 1e1d8b9c83f32c06ecab31214a20b77529ee038e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 4 Nov 2020 13:58:24 +1300
Subject: [PATCH] tests python krb5: Add python kerberos compatability tests

Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 python/samba/tests/krb5/compatability_tests.py | 174 +++++++++++++++++++++++++
 python/samba/tests/usage.py                    |   1 +
 selftest/knownfail_heimdal_kdc                 |   4 +
 selftest/knownfail_mit_kdc                     |   4 +
 source4/selftest/tests.py                      |   1 +
 5 files changed, 184 insertions(+)
 create mode 100755 python/samba/tests/krb5/compatability_tests.py

diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
new file mode 100755
index 00000000000..63bd5269c2b
--- /dev/null
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) Catalyst.Net Ltd 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests.krb5.raw_testcase import RawKerberosTest
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class SimpleKerberosTests(RawKerberosTest):
+
+    def setUp(self):
+        super(SimpleKerberosTests, self).setUp()
+        self.do_asn1_print = global_asn1_print
+        self.do_hexdump = global_hexdump
+
+    def test_mit_EncASRepPart_tag(self):
+        creds = self.get_user_creds()
+        (enc, _) = self.as_req(creds)
+        self.assertEqual(0x7a, enc[0])
+
+    def test_heimdal_EncASRepPart_tag(self):
+        creds = self.get_user_creds()
+        (enc, _) = self.as_req(creds)
+        self.assertEqual(0x79, enc[0])
+
+    def test_mit_EncryptedData_kvno(self):
+        creds = self.get_user_creds()
+        (_, enc) = self.as_req(creds)
+        if 'kvno' in enc:
+            self.fail("kvno present in EncryptedData")
+
+    def test_heimdal_EncryptedData_kvno(self):
+        creds = self.get_user_creds()
+        (_, enc) = self.as_req(creds)
+        if 'kvno' not in enc:
+            self.fail("kvno absent in EncryptedData")
+
+    def test_mit_EncASRepPart_FAST_support(self):
+        creds = self.get_user_creds()
+        (enc, _) = self.as_req(creds)
+        self.assertEqual(0x7A, enc[0])
+        as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart())
+        flags = int(as_rep['flags'], base=2)
+        # MIT sets enc-pa-rep, flag bit 15
+        # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
+        self.assertTrue(0x00010000 & flags)
+
+    def test_heimdal_EncASRepPart_FAST_support(self):
+        creds = self.get_user_creds()
+        (enc, _) = self.as_req(creds)
+        self.assertEqual(0x79, enc[0])
+        as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart())
+        flags = as_rep['flags']
+        flags = int(as_rep['flags'], base=2)
+        # Heimdal does not set enc-pa-rep, flag bit 15
+        # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
+        self.assertFalse(0x00010000 & flags)
+
+    def as_req(self, creds):
+        user = creds.get_username()
+        realm = creds.get_realm()
+
+        cname = self.PrincipalName_create(name_type=1, names=[user])
+        sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
+
+        till = self.get_KerberosTime(offset=36000)
+
+        kdc_options = krb5_asn1.KDCOptions('forwardable')
+        padata = None
+
+        etypes = (18, 17, 23)
+
+        req = self.AS_REQ_create(padata=padata,
+                                 kdc_options=str(kdc_options),
+                                 cname=cname,
+                                 realm=realm,
+                                 sname=sname,
+                                 from_time=None,
+                                 till_time=till,
+                                 renew_time=None,
+                                 nonce=0x7fffffff,
+                                 etypes=etypes,
+                                 addresses=None,
+                                 EncAuthorizationData=None,
+                                 EncAuthorizationData_key=None,
+                                 additional_tickets=None)
+        rep = self.send_recv_transaction(req)
+        self.assertIsNotNone(rep)
+
+        self.assertEqual(rep['msg-type'], 30)
+        self.assertEqual(rep['error-code'], 25)
+        rep_padata = self.der_decode(
+            rep['e-data'],
+            asn1Spec=krb5_asn1.METHOD_DATA())
+
+        for pa in rep_padata:
+            if pa['padata-type'] == 19:
+                etype_info2 = pa['padata-value']
+                break
+
+        etype_info2 = self.der_decode(
+            etype_info2,
+            asn1Spec=krb5_asn1.ETYPE_INFO2())
+
+        key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
+
+        (patime, pausec) = self.get_KerberosTimeWithUsec()
+        pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
+        pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
+
+        enc_pa_ts_usage = 1
+        pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
+        pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
+
+        pa_ts = self.PA_DATA_create(2, pa_ts)
+
+        kdc_options = krb5_asn1.KDCOptions('forwardable')
+        padata = [pa_ts]
+
+        req = self.AS_REQ_create(padata=padata,
+                                 kdc_options=str(kdc_options),
+                                 cname=cname,
+                                 realm=realm,
+                                 sname=sname,
+                                 from_time=None,
+                                 till_time=till,
+                                 renew_time=None,
+                                 nonce=0x7fffffff,
+                                 etypes=etypes,
+                                 addresses=None,
+                                 EncAuthorizationData=None,
+                                 EncAuthorizationData_key=None,
+                                 additional_tickets=None)
+        rep = self.send_recv_transaction(req)
+        self.assertIsNotNone(rep)
+
+        msg_type = rep['msg-type']
+        self.assertEqual(msg_type, 11)
+
+        usage = 3
+        enc_part = rep['enc-part']
+        enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher'])
+        return (enc_as_rep_part, enc_part)
+
+
+if __name__ == "__main__":
+    global_asn1_print = True
+    global_hexdump = True
+    import unittest
+    unittest.main()
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 2f813760814..fbb9a06d99e 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -90,6 +90,7 @@ EXCLUDE_USAGE = {
     'python/samba/tests/krb5/s4u_tests.py',
     'python/samba/tests/krb5/xrealm_tests.py',
     'python/samba/tests/krb5/as_canonicalization_tests.py',
+    'python/samba/tests/krb5/compatability_tests.py',
 }
 
 EXCLUDE_HELP = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index e69de29bb2d..7ab56b6721b 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -0,0 +1,4 @@
+#
+# We expect all the MIT specific compatability tests to fail on heimdal
+# kerberos
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 96d3e51da5c..68eecd1bbfc 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1,4 +1,8 @@
 #
+# We expect all the heimdal specific compatability tests to fail on MIT
+# kerberos
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_
+#
 # Currently MOST but not quite all the Canonicalization tests fail on the
 # MIT KDC
 #
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7afc8399255..006396444b4 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1365,6 +1365,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
                              "samba4.krb5.kdc with machine account")
 
 planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests")
+planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
 
 for env in [
         'vampire_dc',
-- 
2.11.4.GIT