tests/krb5: Add methods to convert between enctypes and bitfields
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 21 Sep 2021 09:01:46 +0000 (21:01 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2021 18:32:29 +0000 (18:32 +0000)
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py

index 3d2d20cb65b1d1ccea9ac01e9047fa88978b39f5..10ad9e6961f1d8f92ec1e98ebc5d683547ea1c55 100644 (file)
@@ -633,10 +633,8 @@ class KDCBaseTest(RawKerberosTest):
 
         enctypes = supported_enctypes
         if fast_support:
-            fast_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
-                         security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
-                         security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
-            enctypes = (enctypes or 0) | fast_bits
+            enctypes = enctypes or 0
+            enctypes |= KerberosCredentials.fast_supported_bits
 
         if enctypes is not None:
             details['msDS-SupportedEncryptionTypes'] = str(enctypes)
index 57013caafb1f5c90a91c757f5e89693eff13a104..57579126f8adf3ff505bf406042f1c1edc2cbca8 100644 (file)
@@ -304,6 +304,11 @@ class RodcPacEncryptionKey(Krb5EncryptionKey):
 
 
 class KerberosCredentials(Credentials):
+
+    fast_supported_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
+                           security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
+                           security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
+
     def __init__(self):
         super(KerberosCredentials, self).__init__()
         all_enc_types = 0
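Review bot: The new class attribute `fast_supported_bits` at the top of `KerberosCredentials` has no comment, and its name suggests FAST alone although it also ORs in the compound-identity and claims flags. A line above it such as `# msDS-SupportedEncryptionTypes feature flags (FAST, compound identity, claims); these are not encryption types` would make clear that this is a mask of non-etype bits. The class body continues outside the hunk.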
@@ -331,26 +336,52 @@ class KerberosCredentials(Credentials):
     def set_ap_supported_enctypes(self, value):
         self.ap_supported_enctypes = int(value)
 
-    def _get_krb5_etypes(self, supported_enctypes):
+    etype_map = collections.OrderedDict([
+        (kcrypto.Enctype.AES256,
+            security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96),
+        (kcrypto.Enctype.AES128,
+            security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96),
+        (kcrypto.Enctype.RC4,
+            security.KERB_ENCTYPE_RC4_HMAC_MD5),
+        (kcrypto.Enctype.DES_MD5,
+            security.KERB_ENCTYPE_DES_CBC_MD5),
+        (kcrypto.Enctype.DES_CRC,
+            security.KERB_ENCTYPE_DES_CBC_CRC)
+    ])
+
+    @classmethod
+    def etypes_to_bits(self, etypes):
+        bits = 0
+        for etype in etypes:
+            bit = self.etype_map[etype]
+            if bits & bit:
+                raise ValueError(f'Got duplicate etype: {etype}')
+            bits |= bit
+
+        return bits
+
+    @classmethod
+    def bits_to_etypes(self, bits):
         etypes = ()
+        for etype, bit in self.etype_map.items():
+            if bit & bits:
+                bits &= ~bit
+                etypes += (etype,)
 
-        if supported_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-            etypes += (kcrypto.Enctype.AES256,)
-        if supported_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
-            etypes += (kcrypto.Enctype.AES128,)
-        if supported_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5:
-            etypes += (kcrypto.Enctype.RC4,)
+        bits &= ~self.fast_supported_bits
+        if bits != 0:
+            raise ValueError(f'Unsupported etype bits: {bits}')
 
         return etypes
 
     def get_as_krb5_etypes(self):
-        return self._get_krb5_etypes(self.as_supported_enctypes)
+        return self.bits_to_etypes(self.as_supported_enctypes)
 
     def get_tgs_krb5_etypes(self):
-        return self._get_krb5_etypes(self.tgs_supported_enctypes)
+        return self.bits_to_etypes(self.tgs_supported_enctypes)
 
     def get_ap_krb5_etypes(self):
-        return self._get_krb5_etypes(self.ap_supported_enctypes)
+        return self.bits_to_etypes(self.ap_supported_enctypes)
 
     def set_kvno(self, kvno):
         # Sign-extend from 32 bits.
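Review bot: `bits_to_etypes` is not a drop-in replacement for the removed `_get_krb5_etypes`, yet `get_as_krb5_etypes`, `get_tgs_krb5_etypes` and `get_ap_krb5_etypes` now call it with no comment on the difference: the DES-CBC-MD5 and DES-CBC-CRC bits now yield `kcrypto.Enctype.DES_MD5` and `DES_CRC` where they were silently ignored, and any bit outside `etype_map` and `fast_supported_bits` raises `ValueError`. If these tuples feed the etype lists the tests send (the callers are outside the hunk), credentials with a DES bit set would begin advertising single DES, so a docstring should say that the result follows `etype_map` order, includes the DES types, and rejects unknown bits. `etypes_to_bits` handles errors differently: an unmapped etype escapes as `KeyError` from `self.etype_map[etype]`, whereas `bit = cls.etype_map.get(etype)` followed by `if bit is None: raise ValueError(f'Unsupported etype: {etype}')` would match the other method. Both `@classmethod`s name their first parameter `self`; `cls` is the convention and avoids suggesting instance state is available. The `collections` import that `OrderedDict` relies on is not visible in this hunk and should be confirmed.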