From d82d3a20d320a9921ef6cbc31cd945b011875281 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 10:32:52 +1200 Subject: [PATCH] tests/krb5: Always specify expected error code Now the expected error code is always determined by the test code itself rather than by generic_check_as_error(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c) --- python/samba/tests/krb5/as_req_tests.py | 11 ++++++++++- python/samba/tests/krb5/raw_testcase.py | 13 ++++++------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 3b7841243c5..861d2371b75 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import DynamicTestCase from samba.tests.krb5.kdc_base_test import KDCBaseTest +import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, KU_PA_ENC_TIMESTAMP, NT_PRINCIPAL, @@ -68,13 +70,20 @@ class AsReqKerberosTests(KDCBaseTest): sname = self.PrincipalName_create(name_type=NT_SRV_INST, names=[krbtgt_account, realm]) - expected_error_mode = KDC_ERR_PREAUTH_REQUIRED expected_crealm = realm expected_cname = cname expected_srealm = realm expected_sname = sname expected_salt = client_creds.get_forced_salt() + if any(etype in client_as_etypes and etype in initial_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + else: + expected_error_mode = KDC_ERR_ETYPE_NOSUPP + def _generate_padata_copy(_kdc_exchange_dict, _callback_dict, req_body): diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2dbcc39114a..5579e989d1c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -40,9 +40,7 @@ from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( - KDC_ERR_ETYPE_NOSUPP, KDC_ERR_GENERIC, - KDC_ERR_PREAUTH_REQUIRED, KRB_AP_REQ, KRB_AS_REP, KRB_AS_REQ, @@ -1524,7 +1522,7 @@ class RawKerberosTest(TestCaseInTempDir): check_padata_fn=None, check_kdc_private_fn=None, callback_dict=None, - expected_error_mode=None, + expected_error_mode=0, client_as_etypes=None, expected_salt=None): kdc_exchange_dict = { @@ -1809,13 +1807,11 @@ class RawKerberosTest(TestCaseInTempDir): if expected_rc4_type != 0: expect_etype_info2 += (expected_rc4_type,) - expected_error = KDC_ERR_ETYPE_NOSUPP expected_patypes = () if expect_etype_info: self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) if len(expect_etype_info2) != 0: - expected_error = KDC_ERR_PREAUTH_REQUIRED expected_patypes += (PADATA_ETYPE_INFO2,) expected_patypes += (PADATA_ENC_TIMESTAMP,) @@ -1824,7 +1820,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) - self.assertElementEqual(rep, 'error-code', expected_error) + self.assertElementEqual(rep, 'error-code', expected_error_mode) self.assertElementMissing(rep, 'ctime') self.assertElementMissing(rep, 'cusec') self.assertElementPresent(rep, 'stime') @@ -1889,7 +1885,10 @@ class RawKerberosTest(TestCaseInTempDir): self.assertEqual(len(pk_as_rep19), 0) continue - if expected_error == KDC_ERR_ETYPE_NOSUPP: + if all(etype not in client_as_etypes or etype not in proposed_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): self.assertIsNone(etype_info2) self.assertIsNone(etype_info) if self.strict_checking: -- 2.11.4.GIT