user_name = client_creds.get_username()
if client_account is None:
client_account = user_name
- client_as_etypes = self.get_default_enctypes()
client_kvno = client_creds.get_kvno()
krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
krbtgt_account = krbtgt_creds.get_username()
till = self.get_KerberosTime(offset=36000)
if etypes is None:
- etypes = client_as_etypes
+ etypes = self.get_default_enctypes()
if kdc_options is None:
kdc_options = krb5_asn1.KDCOptions('forwardable')
if expected_error is not None:
realm,
sname,
till,
- client_as_etypes,
initial_error_mode,
expected_crealm,
expected_cname,
realm,
sname,
till,
- client_as_etypes,
preauth_error_mode,
expected_crealm,
expected_cname,
initial_kdc_options=None):
client_creds = self.get_client_creds()
client_account = client_creds.get_username()
- client_as_etypes = self.get_default_enctypes()
krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
krbtgt_account = krbtgt_creds.get_username()
realm = krbtgt_creds.get_realm()
expected_sname = sname
expected_salt = client_creds.get_salt()
- if any(etype in client_as_etypes and etype in initial_etypes
- for etype in (kcrypto.Enctype.AES256,
- kcrypto.Enctype.AES128,
- kcrypto.Enctype.RC4)):
+ if any(etype in initial_etypes
+ for etype in self.get_default_enctypes()):
expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
else:
expected_error_mode = KDC_ERR_ETYPE_NOSUPP
check_error_fn=self.generic_check_kdc_error,
check_rep_fn=None,
expected_error_mode=expected_error_mode,
- client_as_etypes=client_as_etypes,
expected_salt=expected_salt,
kdc_options=str(initial_kdc_options),
pac_request=pac)
sname=sname,
till=till,
renew_time=renew_time,
- client_as_etypes=etype,
expected_error_mode=expected_error_mode,
expected_crealm=realm,
expected_cname=expected_cname,
sname=sname,
till=till,
renew_time=renew_time,
- client_as_etypes=etype,
expected_error_mode=expected_error,
expected_crealm=expected_realm,
expected_cname=expected_cname,
realm=realm,
sname=sname,
till=till,
- client_as_etypes=etype,
expected_error_mode=KDC_ERR_PREAUTH_REQUIRED,
expected_crealm=realm,
expected_cname=expected_cname,
realm=realm,
sname=sname,
till=till,
- client_as_etypes=etype,
expected_error_mode=expected_error,
expected_crealm=expected_realm,
expected_cname=expected_cname,
c.set_anonymous()
return c
+ # Overridden by KDCBaseTest. At this level we don't know what actual
+ # enctypes are supported, so assume they all are. This matches the
+ # behaviour that tests expect by default.
+ def get_default_enctypes(self):
+ return [
+ kcrypto.Enctype.AES256,
+ kcrypto.Enctype.AES128,
+ kcrypto.Enctype.RC4,
+ ]
+
def asn1_dump(self, name, obj, asn1_print=None):
if asn1_print is None:
asn1_print = self.do_asn1_print
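Review bot: The rationale for `get_default_enctypes` sits in a comment above the `def`, where it is easy to detach from the method and is not visible through `help()`; a docstring would keep it with the code, for example `"""Return the enctypes the KDC under test is assumed to support (overridden by KDCBaseTest)."""`. This fallback lists RC4 next to the AES types, so the docstring should also say that a subclass testing a KDC with RC4 disabled has to override it. Otherwise defaults built from the list, such as the `etypes` fallback at the `if etypes is None` site, may still include RC4. It would also help to state that callers only test membership or take `max()`, so the order of the returned list carries no meaning. The method is complete within this hunk; `asn1_dump` below it continues outside.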
callback_dict=None,
expected_error_mode=0,
expected_status=None,
- client_as_etypes=None,
expected_salt=None,
authenticator_subkey=None,
preauth_key=None,
'callback_dict': callback_dict,
'expected_error_mode': expected_error_mode,
'expected_status': expected_status,
- 'client_as_etypes': client_as_etypes,
'expected_salt': expected_salt,
'authenticator_subkey': authenticator_subkey,
'preauth_key': preauth_key,
req_body = kdc_exchange_dict['req_body']
proposed_etypes = req_body['etype']
- client_as_etypes = kdc_exchange_dict.get('client_as_etypes', [])
sent_fast = self.sent_fast(kdc_exchange_dict)
sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict)
rc4_support = kdc_exchange_dict['rc4_support']
+ def expected_etype(etypes, proposed_etypes):
+ return max(filter(lambda e: e in etypes, proposed_etypes),
+ default=None)
+
+ supported_etypes = self.get_default_enctypes()
+
+ aes_etypes = set()
+ if kcrypto.Enctype.AES256 in supported_etypes:
+ aes_etypes.add(kcrypto.Enctype.AES256)
+ if kcrypto.Enctype.AES128 in supported_etypes:
+ aes_etypes.add(kcrypto.Enctype.AES128)
+
+ rc4_etypes = set()
+ if rc4_support and kcrypto.Enctype.RC4 in supported_etypes:
+ rc4_etypes.add(kcrypto.Enctype.RC4)
+
+ expected_aes = expected_etype(aes_etypes, proposed_etypes)
+ expected_rc4 = expected_etype(rc4_etypes, proposed_etypes)
+
expect_etype_info2 = ()
expect_etype_info = False
- expected_aes_type = 0
- expected_rc4_type = 0
- if kcrypto.Enctype.RC4 in proposed_etypes:
- expect_etype_info = True
- for etype in proposed_etypes:
- if etype not in client_as_etypes:
- continue
- if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128):
- expect_etype_info = False
- if etype > expected_aes_type:
- expected_aes_type = etype
- if etype in (kcrypto.Enctype.RC4,) and error_code != 0:
- if etype > expected_rc4_type and rc4_support:
- expected_rc4_type = etype
-
- if expected_aes_type != 0:
- expect_etype_info2 += (expected_aes_type,)
- if expected_rc4_type != 0:
- expect_etype_info2 += (expected_rc4_type,)
+ if expected_aes is not None:
+ expect_etype_info2 += (expected_aes,)
+ if expected_rc4 is not None:
+ if error_code != 0:
+ expect_etype_info2 += (expected_rc4,)
+ if expected_aes is None:
+ expect_etype_info = True
expected_patypes = ()
if sent_fast and error_code != 0:
expected_patypes += (PADATA_PAC_OPTIONS,)
elif error_code != KDC_ERR_GENERIC:
if expect_etype_info:
- if rc4_support:
- self.assertGreater(len(expect_etype_info2), 0)
+ self.assertGreater(len(expect_etype_info2), 0)
expected_patypes += (PADATA_ETYPE_INFO,)
if len(expect_etype_info2) != 0:
expected_patypes += (PADATA_ETYPE_INFO2,)
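Review bot: The expected ETYPE-INFO and ETYPE-INFO2 contents are now computed from `self.get_default_enctypes()` rather than from the per-exchange `client_as_etypes`, so a test can no longer express that one account supports fewer enctypes than the KDC as a whole. The removed call sites passed `client_as_etypes=etype`; if any of them relied on that to check that the KDC does not advertise an enctype the account lacks, that check is silently gone, so it is worth confirming that no test needs per-account expectations. The nested `expected_etype` helper also relies on `max()` over raw enctype numbers to pick the preferred type, which deserves a comment such as `# max() prefers AES256 over AES128 because the enctype numbers happen to order that way`. The enclosing function starts and ends outside this hunk, and the page has lost its indentation, so the nesting of the `error_code != 0` and `expected_aes is None` branches should be checked against the real file.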
realm,
sname,
till,
- client_as_etypes,
expected_error_mode,
expected_crealm,
expected_cname,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error_mode,
- client_as_etypes=client_as_etypes,
expected_salt=expected_salt,
expected_flags=expected_flags,
unexpected_flags=unexpected_flags,