tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 21 Sep 2021 05:11:28 +0000 (17:11 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2021 18:32:29 +0000 (18:32 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/fast_tests.py
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py

index 7133f89305ff5bb28aa8c7b3ff84222da2c07b52..5f396542d1862cbdff0ce0e6cadc16b08e2b311c 100755 (executable)
@@ -1169,6 +1169,7 @@ class FAST_Tests(KDCBaseTest):
             name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
         krbtgt_decryption_key = self.TicketDecryptionKey_from_creds(
             krbtgt_creds)
+        krbtgt_etypes = krbtgt_creds.tgs_supported_enctypes
 
         target_username = target_creds.get_username()[:-1]
         target_realm = target_creds.get_realm()
@@ -1177,6 +1178,7 @@ class FAST_Tests(KDCBaseTest):
             name_type=NT_SRV_INST, names=[target_service, target_username])
         target_decryption_key = self.TicketDecryptionKey_from_creds(
             target_creds)
+        target_etypes = target_creds.tgs_supported_enctypes
 
         fast_cookie = None
         preauth_etype_info2 = None
@@ -1365,6 +1367,7 @@ class FAST_Tests(KDCBaseTest):
                     expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_supported_etypes=krbtgt_etypes,
                     expected_flags=expected_flags,
                     unexpected_flags=unexpected_flags,
                     ticket_decryption_key=krbtgt_decryption_key,
@@ -1398,6 +1401,7 @@ class FAST_Tests(KDCBaseTest):
                     expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_supported_etypes=target_etypes,
                     expected_flags=expected_flags,
                     unexpected_flags=unexpected_flags,
                     ticket_decryption_key=target_decryption_key,
index cdaeaf9f3e189cbc7ccfd79756ef74620bc187ee..646859e85b3ffacec8ab5c64fd9a02a142b0fec9 100644 (file)
@@ -1267,6 +1267,8 @@ class KDCBaseTest(RawKerberosTest):
         expected_sname = self.PrincipalName_create(
             name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
 
+        expected_etypes = krbtgt_creds.tgs_supported_enctypes
+
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
             realm=realm,
@@ -1279,6 +1281,7 @@ class KDCBaseTest(RawKerberosTest):
             expected_srealm=expected_realm,
             expected_sname=expected_sname,
             expected_salt=salt,
+            expected_supported_etypes=expected_etypes,
             etypes=etype,
             padata=padata,
             kdc_options=kdc_options,
index 8d7778602f59302055c3cbb17e8f04e0a8f4b131..c6bc3e553ad506989e99218cabed5aadb605f3e6 100644 (file)
@@ -1879,6 +1879,7 @@ class RawKerberosTest(TestCaseInTempDir):
                          expected_anon=False,
                          expected_srealm=None,
                          expected_sname=None,
+                         expected_supported_etypes=None,
                          expected_flags=None,
                          unexpected_flags=None,
                          ticket_decryption_key=None,
@@ -1923,6 +1924,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expected_anon': expected_anon,
             'expected_srealm': expected_srealm,
             'expected_sname': expected_sname,
+            'expected_supported_etypes': expected_supported_etypes,
             'expected_flags': expected_flags,
             'unexpected_flags': unexpected_flags,
             'ticket_decryption_key': ticket_decryption_key,
@@ -1963,6 +1965,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           expected_anon=False,
                           expected_srealm=None,
                           expected_sname=None,
+                          expected_supported_etypes=None,
                           expected_flags=None,
                           unexpected_flags=None,
                           ticket_decryption_key=None,
@@ -2006,6 +2009,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expected_anon': expected_anon,
             'expected_srealm': expected_srealm,
             'expected_sname': expected_sname,
+            'expected_supported_etypes': expected_supported_etypes,
             'expected_flags': expected_flags,
             'unexpected_flags': unexpected_flags,
             'ticket_decryption_key': ticket_decryption_key,
@@ -2312,19 +2316,19 @@ class RawKerberosTest(TestCaseInTempDir):
                     if canonicalize:
                         self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
 
+                        expected_supported_etypes = kdc_exchange_dict[
+                            'expected_supported_etypes']
+                        expected_supported_etypes |= (
+                            security.KERB_ENCTYPE_DES_CBC_CRC |
+                            security.KERB_ENCTYPE_DES_CBC_MD5 |
+                            security.KERB_ENCTYPE_RC4_HMAC_MD5)
+
                         (supported_etypes,) = struct.unpack(
                             '<L',
                             enc_pa_dict[PADATA_SUPPORTED_ETYPES])
 
-                        self.assertTrue(
-                            security.KERB_ENCTYPE_FAST_SUPPORTED
-                            & supported_etypes)
-                        self.assertTrue(
-                            security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
-                            & supported_etypes)
-                        self.assertTrue(
-                            security.KERB_ENCTYPE_CLAIMS_SUPPORTED
-                            & supported_etypes)
+                        self.assertEqual(supported_etypes,
+                                         expected_supported_etypes)
                     else:
                         self.assertNotIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
 
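Review bot: The new `expected_supported_etypes |= (...)` runs on whatever the caller stored in `kdc_exchange_dict`, and the three signature hunks in raw_testcase.py (at -1879, -1963 and -3396) default that value to `None`. A canonicalize test that does not pass the argument will therefore die with a TypeError instead of a readable assertion failure. Adding `self.assertIsNotNone(expected_supported_etypes)` just before the `|=` would make the missing argument obvious. The exact `assertEqual` also pins DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC as always advertised, so a one-line comment stating why the KDC is expected to report these weak enctypes regardless of the account's setting would help anyone later tightening enctype policy. The removed FAST, compound-identity and claims checks are only still covered if `tgs_supported_enctypes` carries those bits, which is not visible here; the enclosing method starts and ends outside this hunk.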
@@ -3396,6 +3400,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           kdc_options,
                           expected_flags=None,
                           unexpected_flags=None,
+                          expected_supported_etypes=None,
                           preauth_key=None,
                           ticket_decryption_key=None,
                           pac_request=None,
@@ -3424,6 +3429,7 @@ class RawKerberosTest(TestCaseInTempDir):
             expected_cname=expected_cname,
             expected_srealm=expected_srealm,
             expected_sname=expected_sname,
+            expected_supported_etypes=expected_supported_etypes,
             ticket_decryption_key=ticket_decryption_key,
             generate_padata_fn=generate_padata_fn,
             check_error_fn=check_error_fn,