From 9ce53b906d391547da28260acb8c3b56761c2632 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 2 Oct 2019 11:19:07 -0400
Subject: [PATCH] Log unknown enctypes as unsupported in KDC

---
 ...known-enctypes-as-unsupported-in-KDC.patch | 52 +++++++++++++++++++
 krb5.spec                                     |  6 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 Log-unknown-enctypes-as-unsupported-in-KDC.patch

diff --git a/Log-unknown-enctypes-as-unsupported-in-KDC.patch b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
new file mode 100644
index 0000000..a93f228
--- /dev/null
+++ b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
@@ -0,0 +1,52 @@
+From 0f91902e92ea411582e56c0495860d523d223bf9 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 27 Sep 2019 16:55:37 -0400
+Subject: [PATCH] Log unknown enctypes as unsupported in KDC
+
+Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
+deprecated enctypes as "DEPRECATED:".  An invalid enctype might be too
+old or marginal to be supported (like single-DES) or too new to be
+recognized.  For clarity, prefix invalid enctypes with "UNSUPPORTED:"
+instead.
+
+ticket: 8773
+(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
+---
+ src/kdc/kdc_util.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 698f18c1c..8700ec02c 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1048,20 +1048,22 @@ void limit_string(char *name)
+ static krb5_error_code
+ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
+ {
+-    char *name;
++    const char *name, *prefix = "";
+     size_t len;
+ 
+     if (buflen == 0)
+         return EINVAL;
+     *buf = '\0'; /* ensure these are always valid C-strings */
+ 
+-    if (krb5int_c_deprecated_enctype(ktype)) {
+-        len = strlcpy(buf, "DEPRECATED:", buflen);
+-        if (len >= buflen)
+-            return ENOMEM;
+-        buflen -= len;
+-        buf += len;
+-    }
++    if (!krb5_c_valid_enctype(ktype))
++        prefix = "UNSUPPORTED:";
++    else if (krb5int_c_deprecated_enctype(ktype))
++        prefix = "DEPRECATED:";
++    len = strlcpy(buf, prefix, buflen);
++    if (len >= buflen)
++        return ENOMEM;
++    buflen -= len;
++    buf += len;
+ 
+     /* rfc4556 recommends that clients wishing to indicate support for these
+      * pkinit algorithms include them in the etype field of the AS-REQ. */
diff --git a/krb5.spec b/krb5.spec
index 52ba958..ccbae26 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 45%{?dist}
+Release: 46%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -124,6 +124,7 @@ Patch162: Simplify-krb5_dbe_def_search_enctype.patch
 Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
 Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
 Patch165: Fix-KDC-crash-when-logging-PKINIT-enctypes.patch
+Patch166: Log-unknown-enctypes-as-unsupported-in-KDC.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -730,6 +731,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Oct 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-46
+- Log unknown enctypes as unsupported in KDC
+
 * Wed Sep 25 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-45
 - Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)