CVE-2021-20251 tests/krb5: Add tests for password lockout race

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 91e2e5616c)

[jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py
 due to not having claims tests]

python/samba/tests/krb5/raw_testcase.py

@@ -50,6 +50,7 @@ from samba.tests.krb5.rfc4120_constants import (
     AD_IF_RELEVANT,
     AD_WIN2K_PAC,
     FX_FAST_ARMOR_AP_REQUEST,
+    KDC_ERR_CLIENT_REVOKED,
     KDC_ERR_GENERIC,
     KDC_ERR_POLICY,
     KDC_ERR_PREAUTH_FAILED,
@@ -640,6 +641,13 @@ class RawKerberosTest(TestCaseInTempDir):
             tkt_sig_support = '0'
         cls.tkt_sig_support = bool(int(tkt_sig_support))
 
+        gnutls_pbkdf2_support = samba.tests.env_get_var_value(
+            'GNUTLS_PBKDF2_SUPPORT',
+            allow_missing=True)
+        if gnutls_pbkdf2_support is None:
+            gnutls_pbkdf2_support = '1'
+        cls.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
+
         expect_pac = samba.tests.env_get_var_value('EXPECT_PAC',
                                                    allow_missing=True)
         if expect_pac is None:
@@ -3489,7 +3497,7 @@ class RawKerberosTest(TestCaseInTempDir):
                 expected_patypes += (PADATA_ETYPE_INFO2,)
 
             if error_code not in (KDC_ERR_PREAUTH_FAILED, KDC_ERR_SKEW,
-                                  KDC_ERR_POLICY):
+                                  KDC_ERR_POLICY, KDC_ERR_CLIENT_REVOKED):
                 if sent_fast:
                     expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,)
                 else:

python/samba/tests/krb5/rfc4120_constants.py

@@ -88,6 +88,7 @@ KDC_ERR_POLICY = 12
 KDC_ERR_BADOPTION = 13
 KDC_ERR_ETYPE_NOSUPP = 14
 KDC_ERR_SUMTYPE_NOSUPP = 15
+KDC_ERR_CLIENT_REVOKED = 18
 KDC_ERR_TGT_REVOKED = 20
 KDC_ERR_PREAUTH_FAILED = 24
 KDC_ERR_PREAUTH_REQUIRED = 25

python/samba/tests/usage.py

@@ -113,6 +113,7 @@ EXCLUDE_USAGE = {
     'python/samba/tests/krb5/protected_users_tests.py',
     'python/samba/tests/krb5/nt_hash_tests.py',
     'python/samba/tests/krb5/kpasswd_tests.py',
+    'python/samba/tests/krb5/lockout_tests.py',
 }
 
 EXCLUDE_HELP = {