tests/krb5: Remove client_as_etypes parameter

The client_as_etypes parameter previously indicated which etypes we
thought the client supported. In practice, this was rarely specified, so
we simply assumed that all three main enctypes were supported.

Now that we have removed this parameter, rewrite the etype-info padata
checking code to be simpler, and no longer to contain loops.

Use get_default_enctypes() to determine which enctypes are supported.
For tests that inherit from KDCBaseTest, this is based on the domain
functional level, and will be more correct for tests that previously
passed in client_as_etypes=None.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/tests/krb5/as_req_tests.py

@@ -52,7 +52,6 @@ class AsReqBaseTest(KDCBaseTest):
         user_name = client_creds.get_username()
         if client_account is None:
             client_account = user_name
-        client_as_etypes = self.get_default_enctypes()
         client_kvno = client_creds.get_kvno()
         krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
         krbtgt_account = krbtgt_creds.get_username()
@@ -76,7 +75,7 @@ class AsReqBaseTest(KDCBaseTest):
             till = self.get_KerberosTime(offset=36000)
 
         if etypes is None:
-            etypes = client_as_etypes
+            etypes = self.get_default_enctypes()
         if kdc_options is None:
             kdc_options = krb5_asn1.KDCOptions('forwardable')
         if expected_error is not None:
@@ -89,7 +88,6 @@ class AsReqBaseTest(KDCBaseTest):
             realm,
             sname,
             till,
-            client_as_etypes,
             initial_error_mode,
             expected_crealm,
             expected_cname,
@@ -137,7 +135,6 @@ class AsReqBaseTest(KDCBaseTest):
             realm,
             sname,
             till,
-            client_as_etypes,
             preauth_error_mode,
             expected_crealm,
             expected_cname,
@@ -180,7 +177,6 @@ class AsReqKerberosTests(AsReqBaseTest):
                                initial_kdc_options=None):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
-        client_as_etypes = self.get_default_enctypes()
         krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
         krbtgt_account = krbtgt_creds.get_username()
         realm = krbtgt_creds.get_realm()
@@ -196,10 +192,8 @@ class AsReqKerberosTests(AsReqBaseTest):
         expected_sname = sname
         expected_salt = client_creds.get_salt()
 
-        if any(etype in client_as_etypes and etype in initial_etypes
+        if any(etype in initial_etypes
-               for etype in (kcrypto.Enctype.AES256,
+               for etype in self.get_default_enctypes()):
-                             kcrypto.Enctype.AES128,
-                             kcrypto.Enctype.RC4)):
             expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
         else:
             expected_error_mode = KDC_ERR_ETYPE_NOSUPP
@@ -213,7 +207,6 @@ class AsReqKerberosTests(AsReqBaseTest):
             check_error_fn=self.generic_check_kdc_error,
             check_rep_fn=None,
             expected_error_mode=expected_error_mode,
-            client_as_etypes=client_as_etypes,
             expected_salt=expected_salt,
             kdc_options=str(initial_kdc_options),
             pac_request=pac)

python/samba/tests/krb5/fast_tests.py

@@ -1730,7 +1730,6 @@ class FAST_Tests(KDCBaseTest):
                     check_kdc_private_fn=self.generic_check_kdc_private,
                     callback_dict={},
                     expected_error_mode=expected_error_mode,
-                    client_as_etypes=etypes,
                     expected_salt=expected_salt,
                     authenticator_subkey=authenticator_subkey,
                     preauth_key=preauth_key,

python/samba/tests/krb5/group_tests.py

@@ -2123,7 +2123,6 @@ class GroupTests(KDCBaseTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etypes,
             expected_error_mode=0,
             expected_crealm=realm,
             expected_cname=cname,

python/samba/tests/krb5/kdc_base_test.py

@@ -1907,7 +1907,6 @@ class KDCBaseTest(RawKerberosTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=KDC_ERR_PREAUTH_REQUIRED,
             expected_crealm=realm,
             expected_cname=expected_cname,
@@ -1960,7 +1959,6 @@ class KDCBaseTest(RawKerberosTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=0,
             expected_crealm=expected_realm,
             expected_cname=expected_cname,

python/samba/tests/krb5/kdc_tgs_tests.py

@@ -108,7 +108,6 @@ class KdcTgsBaseTests(KDCBaseTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=initial_error,
             expected_crealm=realm,
             expected_cname=cname,
@@ -148,7 +147,6 @@ class KdcTgsBaseTests(KDCBaseTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=expected_error,
             expected_crealm=expected_realm,
             expected_cname=cname,

python/samba/tests/krb5/lockout_tests.py

@@ -155,7 +155,6 @@ def connect_kdc(pipe,
         realm=realm,
         sname=sname,
         till=till,
-        client_as_etypes=etypes,
         expected_error_mode=expected_error_modes,
         expected_crealm=realm,
         expected_cname=cname,

python/samba/tests/krb5/protected_users_tests.py

@@ -947,7 +947,6 @@ class ProtectedUsersTests(KDCBaseTest):
                 sname=sname,
                 till=till,
                 renew_time=renew_time,
-                client_as_etypes=etype,
                 expected_error_mode=expected_error_mode,
                 expected_crealm=realm,
                 expected_cname=expected_cname,
@@ -991,7 +990,6 @@ class ProtectedUsersTests(KDCBaseTest):
             sname=sname,
             till=till,
             renew_time=renew_time,
-            client_as_etypes=etype,
             expected_error_mode=expected_error,
             expected_crealm=expected_realm,
             expected_cname=expected_cname,
@@ -1060,7 +1058,6 @@ class ProtectedUsersTests(KDCBaseTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=KDC_ERR_PREAUTH_REQUIRED,
             expected_crealm=realm,
             expected_cname=expected_cname,
@@ -1095,7 +1092,6 @@ class ProtectedUsersTests(KDCBaseTest):
             realm=realm,
             sname=sname,
             till=till,
-            client_as_etypes=etype,
             expected_error_mode=expected_error,
             expected_crealm=expected_realm,
             expected_cname=expected_cname,

python/samba/tests/krb5/raw_testcase.py

@@ -974,6 +974,16 @@ class RawKerberosTest(TestCaseInTempDir):
         c.set_anonymous()
         return c
 
+    # Overridden by KDCBaseTest. At this level we don't know what actual
+    # enctypes are supported, so assume they all are. This matches the
+    # behaviour that tests expect by default.
+    def get_default_enctypes(self):
+        return [
+            kcrypto.Enctype.AES256,
+            kcrypto.Enctype.AES128,
+            kcrypto.Enctype.RC4,
+        ]
+
     def asn1_dump(self, name, obj, asn1_print=None):
         if asn1_print is None:
             asn1_print = self.do_asn1_print
@@ -2476,7 +2486,6 @@ class RawKerberosTest(TestCaseInTempDir):
                          callback_dict=None,
                          expected_error_mode=0,
                          expected_status=None,
-                         client_as_etypes=None,
                          expected_salt=None,
                          authenticator_subkey=None,
                          preauth_key=None,
@@ -2548,7 +2557,6 @@ class RawKerberosTest(TestCaseInTempDir):
             'callback_dict': callback_dict,
             'expected_error_mode': expected_error_mode,
             'expected_status': expected_status,
-            'client_as_etypes': client_as_etypes,
             'expected_salt': expected_salt,
             'authenticator_subkey': authenticator_subkey,
             'preauth_key': preauth_key,
@@ -3872,7 +3880,6 @@ class RawKerberosTest(TestCaseInTempDir):
 
         req_body = kdc_exchange_dict['req_body']
         proposed_etypes = req_body['etype']
-        client_as_etypes = kdc_exchange_dict.get('client_as_etypes', [])
 
         sent_fast = self.sent_fast(kdc_exchange_dict)
         sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict)
@@ -3882,27 +3889,34 @@ class RawKerberosTest(TestCaseInTempDir):
 
         rc4_support = kdc_exchange_dict['rc4_support']
 
+        def expected_etype(etypes, proposed_etypes):
+            return max(filter(lambda e: e in etypes, proposed_etypes),
+                       default=None)
+
+        supported_etypes = self.get_default_enctypes()
+
+        aes_etypes = set()
+        if kcrypto.Enctype.AES256 in supported_etypes:
+            aes_etypes.add(kcrypto.Enctype.AES256)
+        if kcrypto.Enctype.AES128 in supported_etypes:
+            aes_etypes.add(kcrypto.Enctype.AES128)
+
+        rc4_etypes = set()
+        if rc4_support and kcrypto.Enctype.RC4 in supported_etypes:
+            rc4_etypes.add(kcrypto.Enctype.RC4)
+
+        expected_aes = expected_etype(aes_etypes, proposed_etypes)
+        expected_rc4 = expected_etype(rc4_etypes, proposed_etypes)
+
         expect_etype_info2 = ()
         expect_etype_info = False
-        expected_aes_type = 0
+        if expected_aes is not None:
-        expected_rc4_type = 0
+            expect_etype_info2 += (expected_aes,)
-        if kcrypto.Enctype.RC4 in proposed_etypes:
+        if expected_rc4 is not None:
-            expect_etype_info = True
+            if error_code != 0:
-        for etype in proposed_etypes:
+                expect_etype_info2 += (expected_rc4,)
-            if etype not in client_as_etypes:
+            if expected_aes is None:
-                continue
+                expect_etype_info = True
-            if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128):
-                expect_etype_info = False
-                if etype > expected_aes_type:
-                    expected_aes_type = etype
-            if etype in (kcrypto.Enctype.RC4,) and error_code != 0:
-                if etype > expected_rc4_type and rc4_support:
-                    expected_rc4_type = etype
-
-        if expected_aes_type != 0:
-            expect_etype_info2 += (expected_aes_type,)
-        if expected_rc4_type != 0:
-            expect_etype_info2 += (expected_rc4_type,)
 
         expected_patypes = ()
         if sent_fast and error_code != 0:
@@ -3916,8 +3930,7 @@ class RawKerberosTest(TestCaseInTempDir):
                 expected_patypes += (PADATA_PAC_OPTIONS,)
         elif error_code != KDC_ERR_GENERIC:
             if expect_etype_info:
-                if rc4_support:
+                self.assertGreater(len(expect_etype_info2), 0)
-                    self.assertGreater(len(expect_etype_info2), 0)
                 expected_patypes += (PADATA_ETYPE_INFO,)
             if len(expect_etype_info2) != 0:
                 expected_patypes += (PADATA_ETYPE_INFO2,)
@@ -4824,7 +4837,6 @@ class RawKerberosTest(TestCaseInTempDir):
                           realm,
                           sname,
                           till,
-                          client_as_etypes,
                           expected_error_mode,
                           expected_crealm,
                           expected_cname,
@@ -4897,7 +4909,6 @@ class RawKerberosTest(TestCaseInTempDir):
             check_rep_fn=check_rep_fn,
             check_kdc_private_fn=self.generic_check_kdc_private,
             expected_error_mode=expected_error_mode,
-            client_as_etypes=client_as_etypes,
             expected_salt=expected_salt,
             expected_flags=expected_flags,
             unexpected_flags=unexpected_flags,