krb5/Log-unknown-enctypes-as-unsupported-in-KDC.patch

From 0f91902e92ea411582e56c0495860d523d223bf9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Sep 2019 16:55:37 -0400
Subject: [PATCH] Log unknown enctypes as unsupported in KDC

Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
deprecated enctypes as "DEPRECATED:".  An invalid enctype might be too
old or marginal to be supported (like single-DES) or too new to be
recognized.  For clarity, prefix invalid enctypes with "UNSUPPORTED:"
instead.

ticket: 8773
(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
---
 src/kdc/kdc_util.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 698f18c1c..8700ec02c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1048,20 +1048,22 @@ void limit_string(char *name)
 static krb5_error_code
 enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
 {
-    char *name;
+    const char *name, *prefix = "";
     size_t len;
 
     if (buflen == 0)
         return EINVAL;
     *buf = '\0'; /* ensure these are always valid C-strings */
 
-    if (krb5int_c_deprecated_enctype(ktype)) {
-        len = strlcpy(buf, "DEPRECATED:", buflen);
-        if (len >= buflen)
-            return ENOMEM;
-        buflen -= len;
-        buf += len;
-    }
+    if (!krb5_c_valid_enctype(ktype))
+        prefix = "UNSUPPORTED:";
+    else if (krb5int_c_deprecated_enctype(ktype))
+        prefix = "DEPRECATED:";
+    len = strlcpy(buf, prefix, buflen);
+    if (len >= buflen)
+        return ENOMEM;
+    buflen -= len;
+    buf += len;
 
     /* rfc4556 recommends that clients wishing to indicate support for these
      * pkinit algorithms include them in the etype field of the AS-REQ. */
Log unknown enctypes as unsupported in KDC 2019-10-02 15:19:07 +00:00			`From 0f91902e92ea411582e56c0495860d523d223bf9 Mon Sep 17 00:00:00 2001`
			`From: Greg Hudson <ghudson@mit.edu>`
			`Date: Fri, 27 Sep 2019 16:55:37 -0400`
			`Subject: [PATCH] Log unknown enctypes as unsupported in KDC`

			`Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and`
			`deprecated enctypes as "DEPRECATED:". An invalid enctype might be too`
			`old or marginal to be supported (like single-DES) or too new to be`
			`recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:"`
			`instead.`

			`ticket: 8773`
			`(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)`
			`---`
			`src/kdc/kdc_util.c \| 18 ++++++++++--------`
			`1 file changed, 10 insertions(+), 8 deletions(-)`

			`diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c`
			`index 698f18c1c..8700ec02c 100644`
			`--- a/src/kdc/kdc_util.c`
			`+++ b/src/kdc/kdc_util.c`
			`@@ -1048,20 +1048,22 @@ void limit_string(char *name)`
			`static krb5_error_code`
			`enctype_name(krb5_enctype ktype, char *buf, size_t buflen)`
			`{`
			`- char *name;`
			`+ const char name, prefix = "";`
			`size_t len;`

			`if (buflen == 0)`
			`return EINVAL;`
			`buf = '\0'; / ensure these are always valid C-strings */`

			`- if (krb5int_c_deprecated_enctype(ktype)) {`
			`- len = strlcpy(buf, "DEPRECATED:", buflen);`
			`- if (len >= buflen)`
			`- return ENOMEM;`
			`- buflen -= len;`
			`- buf += len;`
			`- }`
			`+ if (!krb5_c_valid_enctype(ktype))`
			`+ prefix = "UNSUPPORTED:";`
			`+ else if (krb5int_c_deprecated_enctype(ktype))`
			`+ prefix = "DEPRECATED:";`
			`+ len = strlcpy(buf, prefix, buflen);`
			`+ if (len >= buflen)`
			`+ return ENOMEM;`
			`+ buflen -= len;`
			`+ buf += len;`

			`/* rfc4556 recommends that clients wishing to indicate support for these`
			`* pkinit algorithms include them in the etype field of the AS-REQ. */`