diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 4c0acd5936d..2b94bf5d218 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -52,7 +52,6 @@ class AsReqBaseTest(KDCBaseTest): user_name = client_creds.get_username() if client_account is None: client_account = user_name - client_as_etypes = self.get_default_enctypes() client_kvno = client_creds.get_kvno() krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True) krbtgt_account = krbtgt_creds.get_username() @@ -76,7 +75,7 @@ class AsReqBaseTest(KDCBaseTest): till = self.get_KerberosTime(offset=36000) if etypes is None: - etypes = client_as_etypes + etypes = self.get_default_enctypes() if kdc_options is None: kdc_options = krb5_asn1.KDCOptions('forwardable') if expected_error is not None: @@ -89,7 +88,6 @@ class AsReqBaseTest(KDCBaseTest): realm, sname, till, - client_as_etypes, initial_error_mode, expected_crealm, expected_cname, @@ -137,7 +135,6 @@ class AsReqBaseTest(KDCBaseTest): realm, sname, till, - client_as_etypes, preauth_error_mode, expected_crealm, expected_cname, @@ -180,7 +177,6 @@ class AsReqKerberosTests(AsReqBaseTest): initial_kdc_options=None): client_creds = self.get_client_creds() client_account = client_creds.get_username() - client_as_etypes = self.get_default_enctypes() krbtgt_creds = self.get_krbtgt_creds(require_keys=False) krbtgt_account = krbtgt_creds.get_username() realm = krbtgt_creds.get_realm() @@ -196,10 +192,8 @@ class AsReqKerberosTests(AsReqBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() - if any(etype in client_as_etypes and etype in initial_etypes - for etype in (kcrypto.Enctype.AES256, - kcrypto.Enctype.AES128, - kcrypto.Enctype.RC4)): + if any(etype in initial_etypes + for etype in self.get_default_enctypes()): expected_error_mode = KDC_ERR_PREAUTH_REQUIRED else: expected_error_mode = KDC_ERR_ETYPE_NOSUPP 
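Review bot: In the `@@ -196,10 +192,8 @@` hunk of as_req_tests.py, the PREAUTH_REQUIRED expectation now depends only on `self.get_default_enctypes()` and never consults the KDC's RC4 setting, whereas the raw_testcase.py check changed in this same commit counts RC4 only when `rc4_support` is true. If a test proposes RC4 alone against a KDC with RC4 disabled, the two expectations could disagree, unless the KDCBaseTest override (not shown here) already accounts for that. A comment above the `any(...)` such as `# get_default_enctypes() must reflect what the KDC will actually accept, including the RC4 setting` would record the assumption. The enclosing method starts and ends outside the hunk.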
@@ -213,7 +207,6 @@ class AsReqKerberosTests(AsReqBaseTest): check_error_fn=self.generic_check_kdc_error, check_rep_fn=None, expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, expected_salt=expected_salt, kdc_options=str(initial_kdc_options), pac_request=pac) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index fe7da8d24d1..f5125495fa2 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -1730,7 +1730,6 @@ class FAST_Tests(KDCBaseTest): check_kdc_private_fn=self.generic_check_kdc_private, callback_dict={}, expected_error_mode=expected_error_mode, - client_as_etypes=etypes, expected_salt=expected_salt, authenticator_subkey=authenticator_subkey, preauth_key=preauth_key, diff --git a/python/samba/tests/krb5/group_tests.py b/python/samba/tests/krb5/group_tests.py index 74f8587e41e..8ad7cd43d03 100755 --- a/python/samba/tests/krb5/group_tests.py +++ b/python/samba/tests/krb5/group_tests.py @@ -2123,7 +2123,6 @@ class GroupTests(KDCBaseTest): realm=realm, sname=sname, till=till, - client_as_etypes=etypes, expected_error_mode=0, expected_crealm=realm, expected_cname=cname, diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index c90862c4726..cbefeb0dcb9 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1907,7 +1907,6 @@ class KDCBaseTest(RawKerberosTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=KDC_ERR_PREAUTH_REQUIRED, expected_crealm=realm, expected_cname=expected_cname, @@ -1960,7 +1959,6 @@ class KDCBaseTest(RawKerberosTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=0, expected_crealm=expected_realm, expected_cname=expected_cname, diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index a9c61e95150..66269aa81a6 100755 
--- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -108,7 +108,6 @@ class KdcTgsBaseTests(KDCBaseTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=initial_error, expected_crealm=realm, expected_cname=cname, @@ -148,7 +147,6 @@ class KdcTgsBaseTests(KDCBaseTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=expected_error, expected_crealm=expected_realm, expected_cname=cname, diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py index 1e3330b0a42..55193aa7d93 100755 --- a/python/samba/tests/krb5/lockout_tests.py +++ b/python/samba/tests/krb5/lockout_tests.py @@ -155,7 +155,6 @@ def connect_kdc(pipe, realm=realm, sname=sname, till=till, - client_as_etypes=etypes, expected_error_mode=expected_error_modes, expected_crealm=realm, expected_cname=cname, diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py index ebda6381975..af6b6b57bf3 100755 --- a/python/samba/tests/krb5/protected_users_tests.py +++ b/python/samba/tests/krb5/protected_users_tests.py @@ -947,7 +947,6 @@ class ProtectedUsersTests(KDCBaseTest): sname=sname, till=till, renew_time=renew_time, - client_as_etypes=etype, expected_error_mode=expected_error_mode, expected_crealm=realm, expected_cname=expected_cname, @@ -991,7 +990,6 @@ class ProtectedUsersTests(KDCBaseTest): sname=sname, till=till, renew_time=renew_time, - client_as_etypes=etype, expected_error_mode=expected_error, expected_crealm=expected_realm, expected_cname=expected_cname, @@ -1060,7 +1058,6 @@ class ProtectedUsersTests(KDCBaseTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=KDC_ERR_PREAUTH_REQUIRED, expected_crealm=realm, expected_cname=expected_cname, 
@@ -1095,7 +1092,6 @@ class ProtectedUsersTests(KDCBaseTest): realm=realm, sname=sname, till=till, - client_as_etypes=etype, expected_error_mode=expected_error, expected_crealm=expected_realm, expected_cname=expected_cname, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 7703bee01d2..0d9c616cb09 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -974,6 +974,16 @@ class RawKerberosTest(TestCaseInTempDir): c.set_anonymous() return c + # Overridden by KDCBaseTest. At this level we don't know what actual + # enctypes are supported, so assume they all are. This matches the + # behaviour that tests expect by default. + def get_default_enctypes(self): + return [ + kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4, + ] + def asn1_dump(self, name, obj, asn1_print=None): if asn1_print is None: asn1_print = self.do_asn1_print @@ -2476,7 +2486,6 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict=None, expected_error_mode=0, expected_status=None, - client_as_etypes=None, expected_salt=None, authenticator_subkey=None, preauth_key=None, @@ -2548,7 +2557,6 @@ class RawKerberosTest(TestCaseInTempDir): 'callback_dict': callback_dict, 'expected_error_mode': expected_error_mode, 'expected_status': expected_status, - 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, 'authenticator_subkey': authenticator_subkey, 'preauth_key': preauth_key, @@ -3872,7 +3880,6 @@ class RawKerberosTest(TestCaseInTempDir): req_body = kdc_exchange_dict['req_body'] proposed_etypes = req_body['etype'] - client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) sent_fast = self.sent_fast(kdc_exchange_dict) sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict) 
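Review bot: The new `get_default_enctypes()` in the `@@ -974,6 +974,16 @@` hunk of raw_testcase.py is documented by a comment block above the `def` rather than a docstring, and it does not mention that RC4 is listed unconditionally. The error-checking code changed later in this commit filters RC4 through `rc4_support` separately, so that dependency is worth stating here, for example `"""Return the enctypes assumed supported; RC4 is included, callers must still honour rc4_support."""`. It would also help overriding subclasses to know which container type to return, since the callers visible in this diff only iterate and test membership.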
@@ -3882,27 +3889,34 @@ class RawKerberosTest(TestCaseInTempDir): rc4_support = kdc_exchange_dict['rc4_support'] + def expected_etype(etypes, proposed_etypes): + return max(filter(lambda e: e in etypes, proposed_etypes), + default=None) + + supported_etypes = self.get_default_enctypes() + + aes_etypes = set() + if kcrypto.Enctype.AES256 in supported_etypes: + aes_etypes.add(kcrypto.Enctype.AES256) + if kcrypto.Enctype.AES128 in supported_etypes: + aes_etypes.add(kcrypto.Enctype.AES128) + + rc4_etypes = set() + if rc4_support and kcrypto.Enctype.RC4 in supported_etypes: + rc4_etypes.add(kcrypto.Enctype.RC4) + + expected_aes = expected_etype(aes_etypes, proposed_etypes) + expected_rc4 = expected_etype(rc4_etypes, proposed_etypes) + expect_etype_info2 = () expect_etype_info = False - expected_aes_type = 0 - expected_rc4_type = 0 - if kcrypto.Enctype.RC4 in proposed_etypes: - expect_etype_info = True - for etype in proposed_etypes: - if etype not in client_as_etypes: - continue - if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): - expect_etype_info = False - if etype > expected_aes_type: - expected_aes_type = etype - if etype in (kcrypto.Enctype.RC4,) and error_code != 0: - if etype > expected_rc4_type and rc4_support: - expected_rc4_type = etype - - if expected_aes_type != 0: - expect_etype_info2 += (expected_aes_type,) - if expected_rc4_type != 0: - expect_etype_info2 += (expected_rc4_type,) + if expected_aes is not None: + expect_etype_info2 += (expected_aes,) + if expected_rc4 is not None: + if error_code != 0: + expect_etype_info2 += (expected_rc4,) + if expected_aes is None: + expect_etype_info = True expected_patypes = () if sent_fast and error_code != 0: 
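Review bot: The nested helper `expected_etype(etypes, proposed_etypes)` selects with `max(...)`, so the expected ETYPE-INFO2 entry is the numerically largest common enctype and the client's preference order in `proposed_etypes` is ignored; nothing in the hunk states that assumption. A comment such as `# The KDC is expected to offer the strongest common etype; relies on AES256 comparing greater than AES128` would make it explicit. The helper's second parameter also shadows the enclosing `proposed_etypes`, and the `filter(lambda ...)` would read more plainly as `max((e for e in proposed if e in etypes), default=None)`. The enclosing method begins before this hunk and continues after it.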
@@ -3916,8 +3930,7 @@ class RawKerberosTest(TestCaseInTempDir): expected_patypes += (PADATA_PAC_OPTIONS,) elif error_code != KDC_ERR_GENERIC: if expect_etype_info: - if rc4_support: - self.assertGreater(len(expect_etype_info2), 0) + self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) if len(expect_etype_info2) != 0: expected_patypes += (PADATA_ETYPE_INFO2,) @@ -4824,7 +4837,6 @@ class RawKerberosTest(TestCaseInTempDir): realm, sname, till, - client_as_etypes, expected_error_mode, expected_crealm, expected_cname, @@ -4897,7 +4909,6 @@ class RawKerberosTest(TestCaseInTempDir): check_rep_fn=check_rep_fn, check_kdc_private_fn=self.generic_check_kdc_private, expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, expected_salt=expected_salt, expected_flags=expected_flags, unexpected_flags=unexpected_flags,
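Review bot: With the `if rc4_support:` guard removed in the `@@ -3916,8 +3930,7 @@` hunk, `self.assertGreater(len(expect_etype_info2), 0)` now runs whenever `expect_etype_info` is set, and it carries no message. It checks the expectation the test computed itself rather than anything in the KDC reply, so a failure would be hard to interpret from the bare comparison. Consider `self.assertGreater(len(expect_etype_info2), 0, 'ETYPE-INFO expected but no etype was selected')`. The enclosing method starts and ends outside the hunk.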