From 9ce53b906d391547da28260acb8c3b56761c2632 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 2 Oct 2019 11:19:07 -0400
Subject: [PATCH] Log unknown enctypes as unsupported in KDC
---
 ...known-enctypes-as-unsupported-in-KDC.patch | 52 +++++++++++++++++++
 krb5.spec | 6 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 Log-unknown-enctypes-as-unsupported-in-KDC.patch
diff --git a/Log-unknown-enctypes-as-unsupported-in-KDC.patch b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
new file mode 100644
index 0000000..a93f228
--- /dev/null
+++ b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
@@ -0,0 +1,52 @@
+From 0f91902e92ea411582e56c0495860d523d223bf9 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 27 Sep 2019 16:55:37 -0400
+Subject: [PATCH] Log unknown enctypes as unsupported in KDC
+
+Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
+deprecated enctypes as "DEPRECATED:". An invalid enctype might be too
+old or marginal to be supported (like single-DES) or too new to be
+recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:"
+instead.
+
+ticket: 8773
+(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
+---
+ src/kdc/kdc_util.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 698f18c1c..8700ec02c 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1048,20 +1048,22 @@ void limit_string(char *name)
+ static krb5_error_code
+enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
+{
+- char *name;
++ const char *name, *prefix = "";
+ size_t len;
+
+ if (buflen == 0)
+ return EINVAL;
+ *buf = '\0'; /* ensure these are always valid C-strings */
+
+- if (krb5int_c_deprecated_enctype(ktype)) {
+- len = strlcpy(buf, "DEPRECATED:", buflen);
+- if (len >= buflen)
+- return ENOMEM;
+- buflen -= len;
+- buf += len;
+- }
++ if (!krb5_c_valid_enctype(ktype))
++ prefix = "UNSUPPORTED:";
++ else if (krb5int_c_deprecated_enctype(ktype))
++ prefix = "DEPRECATED:";
++ len = strlcpy(buf, prefix, buflen);
++ if (len >= buflen)
++ return ENOMEM;
++ buflen -= len;
++ buf += len;
+
+ /* rfc4556 recommends that clients wishing to indicate support for these
+ * pkinit algorithms include them in the etype field of the AS-REQ. */
diff --git a/krb5.spec b/krb5.spec
index 52ba958..ccbae26 100644
--- a/krb5.spec
+++ b/krb5.spec
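Review bot: The new prefix selection in enctype_name carries no comment explaining why the krb5_c_valid_enctype() test comes first, yet that ordering is what guarantees an enctype the library does not recognize is labelled "UNSUPPORTED:" and never "DEPRECATED:", since krb5int_c_deprecated_enctype() is only consulted for recognized types. A two-line comment above the `if (!krb5_c_valid_enctype(ktype))` line would capture it, e.g. `/* Unrecognized enctypes (too old to be built, or newer than this library) are "UNSUPPORTED:"; only recognized ones can be "DEPRECATED:". */`. The truncation path is also worth a word: a prefix that does not fit in buflen is reported as ENOMEM although nothing was allocated, so a caller cannot tell a too-small buffer from a real allocation failure; that behaviour pre-dates this patch but now applies to both prefixes, and the inner commit message does not mention it. enctype_name's body continues past the end of the hunk (the pkinit handling after the rfc4556 comment is not shown), so this note covers only the prefix path.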
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 45%{?dist} +Release: 46%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -124,6 +124,7 @@ Patch162: Simplify-krb5_dbe_def_search_enctype.patch Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch Patch165: Fix-KDC-crash-when-logging-PKINIT-enctypes.patch +Patch166: Log-unknown-enctypes-as-unsupported-in-KDC.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -730,6 +731,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Oct 02 2019 Robbie Harwood - 1.17-46 +- Log unknown enctypes as unsupported in KDC + * Wed Sep 25 2019 Robbie Harwood - 1.17-45 - Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)