Log unknown enctypes as unsupported in KDC

2019-10-02 11:19:07 -04:00 · 2019-10-02 11:19:07 -04:00 · 9ce53b906d
commit 9ce53b906d
parent 1a6673d2ee
2 changed files with 57 additions and 1 deletions
--- a/Log-unknown-enctypes-as-unsupported-in-KDC.patch
+++ b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
@ -0,0 +1,52 @@
+From 0f91902e92ea411582e56c0495860d523d223bf9 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 27 Sep 2019 16:55:37 -0400
+Subject: [PATCH] Log unknown enctypes as unsupported in KDC
+
+Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
+deprecated enctypes as "DEPRECATED:".  An invalid enctype might be too
+old or marginal to be supported (like single-DES) or too new to be
+recognized.  For clarity, prefix invalid enctypes with "UNSUPPORTED:"
+instead.
+
+ticket: 8773
+(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
+---
+ src/kdc/kdc_util.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 698f18c1c..8700ec02c 100644
+--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
+@@ -1048,20 +1048,22 @@ void limit_string(char *name)
+ static krb5_error_code
+ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
+ {
+-    char *name;
+    const char *name, *prefix = "";
+     size_t len;
+ 
+     if (buflen == 0)
+         return EINVAL;
+     *buf = '\0'; /* ensure these are always valid C-strings */
+ 
+-    if (krb5int_c_deprecated_enctype(ktype)) {
+-        len = strlcpy(buf, "DEPRECATED:", buflen);
+-        if (len >= buflen)
+-            return ENOMEM;
+-        buflen -= len;
+-        buf += len;
+-    }
+    if (!krb5_c_valid_enctype(ktype))
+        prefix = "UNSUPPORTED:";
+    else if (krb5int_c_deprecated_enctype(ktype))
+        prefix = "DEPRECATED:";
+    len = strlcpy(buf, prefix, buflen);
+    if (len >= buflen)
+        return ENOMEM;
+    buflen -= len;
+    buf += len;
+ 
+     /* rfc4556 recommends that clients wishing to indicate support for these
+      * pkinit algorithms include them in the etype field of the AS-REQ. */
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 45%{?dist}
+Release: 46%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -124,6 +124,7 @@ Patch162: Simplify-krb5_dbe_def_search_enctype.patch
 Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
 Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
 Patch165: Fix-KDC-crash-when-logging-PKINIT-enctypes.patch
+Patch166: Log-unknown-enctypes-as-unsupported-in-KDC.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -730,6 +731,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Wed Oct 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-46
+- Log unknown enctypes as unsupported in KDC
+
 * Wed Sep 25 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-45
 - Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)