krb5/Log-unknown-enctypes-as-unsupported-in-KDC.patch
Robbie Harwood 1404656ded Use OpenSSL's backported KDFs
Restore MD4 in FIPS mode (for samba)
2019-11-19 14:45:23 -05:00

53 lines
1.7 KiB
Diff

From 3324eb7fcc3cf4effdde891cefdc37526ff20cf7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 27 Sep 2019 16:55:37 -0400
Subject: [PATCH] Log unknown enctypes as unsupported in KDC
Commit 8d8e68283b599e680f9fe45eff8af397e827bd6c logs both invalid and
deprecated enctypes as "DEPRECATED:". An invalid enctype might be too
old or marginal to be supported (like single-DES) or too new to be
recognized. For clarity, prefix invalid enctypes with "UNSUPPORTED:"
instead.
ticket: 8773
(cherry picked from commit 5ee99b0007f480f01f86340d1c30da51cc80da96)
---
src/kdc/kdc_util.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 698f18c1c..8700ec02c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1048,20 +1048,22 @@ void limit_string(char *name)
static krb5_error_code
enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
{
- char *name;
+ const char *name, *prefix = "";
size_t len;
if (buflen == 0)
return EINVAL;
*buf = '\0'; /* ensure these are always valid C-strings */
- if (krb5int_c_deprecated_enctype(ktype)) {
- len = strlcpy(buf, "DEPRECATED:", buflen);
- if (len >= buflen)
- return ENOMEM;
- buflen -= len;
- buf += len;
- }
+ if (!krb5_c_valid_enctype(ktype))
+ prefix = "UNSUPPORTED:";
+ else if (krb5int_c_deprecated_enctype(ktype))
+ prefix = "DEPRECATED:";
+ len = strlcpy(buf, prefix, buflen);
+ if (len >= buflen)
+ return ENOMEM;
+ buflen -= len;
+ buf += len;
/* rfc4556 recommends that clients wishing to indicate support for these
* pkinit algorithms include them in the etype field of the AS-REQ. */