
tests/krb5: Add methods to convert between enctypes and bitfields

These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2021-09-21 21:01:46 +12:00 committed by Andrew Bartlett
parent 7cedd383bc
commit 432eba9e09
2 changed files with 44 additions and 15 deletions


@ -633,10 +633,8 @@ class KDCBaseTest(RawKerberosTest):
enctypes = supported_enctypes
if fast_support:
fast_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
enctypes = (enctypes or 0) | fast_bits
enctypes = enctypes or 0
enctypes |= KerberosCredentials.fast_supported_bits
if enctypes is not None:
details['msDS-SupportedEncryptionTypes'] = str(enctypes)


@ -304,6 +304,11 @@ class RodcPacEncryptionKey(Krb5EncryptionKey):
class KerberosCredentials(Credentials):
fast_supported_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
def __init__(self):
super(KerberosCredentials, self).__init__()
all_enc_types = 0
@ -331,26 +336,52 @@ class KerberosCredentials(Credentials):
def set_ap_supported_enctypes(self, value):
self.ap_supported_enctypes = int(value)
def _get_krb5_etypes(self, supported_enctypes):
etypes = ()
etype_map = collections.OrderedDict([
(kcrypto.Enctype.AES256,
security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96),
(kcrypto.Enctype.AES128,
security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96),
(kcrypto.Enctype.RC4,
security.KERB_ENCTYPE_RC4_HMAC_MD5),
(kcrypto.Enctype.DES_MD5,
security.KERB_ENCTYPE_DES_CBC_MD5),
(kcrypto.Enctype.DES_CRC,
security.KERB_ENCTYPE_DES_CBC_CRC)
])
if supported_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
etypes += (kcrypto.Enctype.AES256,)
if supported_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
etypes += (kcrypto.Enctype.AES128,)
if supported_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5:
etypes += (kcrypto.Enctype.RC4,)
@classmethod
def etypes_to_bits(self, etypes):
bits = 0
for etype in etypes:
bit = self.etype_map[etype]
if bits & bit:
raise ValueError(f'Got duplicate etype: {etype}')
bits |= bit
return bits
@classmethod
def bits_to_etypes(self, bits):
etypes = ()
for etype, bit in self.etype_map.items():
if bit & bits:
bits &= ~bit
etypes += (etype,)
bits &= ~self.fast_supported_bits
if bits != 0:
raise ValueError(f'Unsupported etype bits: {bits}')
return etypes
def get_as_krb5_etypes(self):
return self._get_krb5_etypes(self.as_supported_enctypes)
return self.bits_to_etypes(self.as_supported_enctypes)
def get_tgs_krb5_etypes(self):
return self._get_krb5_etypes(self.tgs_supported_enctypes)
return self.bits_to_etypes(self.tgs_supported_enctypes)
def get_ap_krb5_etypes(self):
return self._get_krb5_etypes(self.ap_supported_enctypes)
return self.bits_to_etypes(self.ap_supported_enctypes)
def set_kvno(self, kvno):
# Sign-extend from 32 bits.
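Review bot: `bits_to_etypes` raises ValueError for any bit outside `etype_map` and `fast_supported_bits`, and since the three `get_*_krb5_etypes` getters now call it, they raise where what appears to be the removed `_get_krb5_etypes` silently ignored such bits. The getters also now return the DES etypes when the DES bits are set, which the old helper's three AES/RC4 checks never did. If both changes are intended, a short docstring on `bits_to_etypes` should state them, and the message is easier to compare against msDS-SupportedEncryptionTypes values in hex: `raise ValueError(f'Unsupported etype bits: {bits:#x}')`. In the other direction, `etypes_to_bits` surfaces an unmapped etype as a bare KeyError from `self.etype_map[etype]` while a duplicate gets a ValueError, and both classmethods name their first parameter `self` where `cls` is conventional. The trailing `set_kvno` body continues outside the visible lines.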