CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()

This lets us select the encryption types we claim to support in the
request body.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton@samba.org Adapted to 4.17 version of function taking different
 parameters]

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 91d0bb575b0bd3dcc4fcbd862bc303dc1aedd826..4e26a011669d6f6a7c11297ae7994668e676e6a6 100755 (executable)
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -69,6 +69,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                  srealm=None,
                  use_fast=False,
                  expect_claims=True,
+                 etypes=None,
                  expect_pac=True,
                  expect_pac_attrs=None,
                  expect_pac_attrs_pac_request=None,
@@ -134,7 +135,8 @@ class KdcTgsBaseTests(KDCBaseTest):
 
             pac_options = None
 
-        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+        if etypes is None:
+            etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 
         if expected_error:
             check_error_fn = self.generic_check_kdc_error