From 92763515d9f0bb8ed56c721d752db1fb7a268407 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 26 Oct 2022 14:29:54 +1300
Subject: [PATCH] CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
This lets us select the encryption types we claim to support in the request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton
Reviewed-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton@samba.org Adapted to 4.17 version of function taking different parameters]
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 91d0bb575b0..4e26a011669 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -69,6 +69,7 @@ class KdcTgsBaseTests(KDCBaseTest):
 srealm=None,
 use_fast=False,
 expect_claims=True,
+ etypes=None,
 expect_pac=True,
 expect_pac_attrs=None,
 expect_pac_attrs_pac_request=None,
@@ -134,7 +135,8 @@ class KdcTgsBaseTests(KDCBaseTest):
 pac_options = None
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+ if etypes is None:
+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 if expected_error:
 check_error_fn = self.generic_check_kdc_error
-- 
2.47.2
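Review bot: In the first hunk `etypes=None` is inserted between `expect_claims` and `expect_pac` instead of after the last defaulted parameter, so a caller that passes `expect_pac` or any later argument positionally would now bind it one slot early without an error. The signature of `_tgs_req()` starts and ends outside the hunk, so whether these parameters are keyword-only is not visible here. If they are not, it is worth confirming that every caller in the test suite passes them by keyword before relying on this position.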
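Review bot: The fallback under `if etypes is None:` in the second hunk still offers `ARCFOUR_HMAC_MD5` next to `AES256_CTS_HMAC_SHA1_96`, and nothing records that this mixed default is deliberate. Because the change is filed under CVE-2022-37966 and exists to let tests choose the advertised encryption types, a test that asserts on the selected enctype should pass `etypes` explicitly rather than inherit the default. A comment above the check would make that clear, for example `# None keeps the historical AES256 + RC4 offer; pass a tuple to test etype selection`. Only `None` triggers the fallback, so an empty tuple is left untouched by this check. The enclosing method continues outside the hunk.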