krb5/Display-unsupported-enctype-names.patch
2019-05-28 15:22:45 -04:00


From 144eea330aba65a140c0e0bf66ad3cfe06f28899 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 21 May 2019 13:34:39 -0400
Subject: [PATCH] Display unsupported enctype names
Add a table of unsupported enctype numbers to enctype_util.c and
consult it in krb5_enctype_to_name(). Treat unsupported enctype
numbers as deprecated in krb5int_c_deprecated_enctype(). In kadmin,
display "UNSUPPORTED:" before invalid enctype names.
ticket: 8808
(cherry picked from commit ebbc6e8e99ee9d5d757411200a6a3173171774df)
---
src/kadmin/cli/kadmin.c | 4 +++-
src/lib/crypto/krb/enctype_util.c | 22 +++++++++++++++++++++-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index fe4cb493c..b4d1aad93 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1461,7 +1461,9 @@ kadmin_getprinc(int argc, char *argv[])
enctype, sizeof(enctype)))
snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
key_data->key_data_type[0]);
- if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
+ if (!krb5_c_valid_enctype(key_data->key_data_type[0]))
+ deprecated = "UNSUPPORTED:";
+ else if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
deprecated = "DEPRECATED:";
printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated,
enctype);
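Review bot: The order of the two tests starting at `if (!krb5_c_valid_enctype(key_data->key_data_type[0]))` is load-bearing, and nothing in the code says so. The same commit makes krb5int_c_deprecated_enctype() return true when find_enctype() yields NULL, so if the branches were ever swapped, keys with an unsupported enctype would presumably be labelled "DEPRECATED:" and look usable to an operator auditing the principal. I would add a comment above the first test, for example `/* Check validity first: unsupported enctypes also count as deprecated. */`. The body of kadmin_getprinc starts and ends outside this hunk.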
diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
index e394f4e19..1542d4062 100644
--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
@@ -36,6 +36,18 @@
#include "crypto_int.h"
+struct {
+ krb5_enctype etype;
+ const char *name;
+} unsupported_etypes[] = {
+ { ENCTYPE_DES_CBC_CRC, "des-cbc-crc" },
+ { ENCTYPE_DES_CBC_MD4, "des-cbc-md4" },
+ { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" },
+ { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" },
+ { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" },
+ { ENCTYPE_NULL, NULL }
+};
+
krb5_boolean KRB5_CALLCONV
krb5_c_valid_enctype(krb5_enctype etype)
{
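Review bot: The new `unsupported_etypes` table is defined without `static` or `const`, so it gets external linkage and sits in writable data, although as far as this patch shows it is only read in this file. Declaring it `static const struct {` keeps the symbol out of the library's exported namespace and makes the name table read-only. A one-line comment such as `/* Unsupported enctype numbers; names are kept so they can still be displayed. */` would also explain why the table exists alongside the main enctype list.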
@@ -55,7 +67,7 @@ krb5_boolean KRB5_CALLCONV
krb5int_c_deprecated_enctype(krb5_enctype etype)
{
const struct krb5_keytypes *ktp = find_enctype(etype);
- return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
+ return ktp == NULL || (ktp->flags & ETYPE_DEPRECATED) != 0;
}
krb5_error_code KRB5_CALLCONV
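Review bot: With `ktp == NULL ||`, krb5int_c_deprecated_enctype() now returns true for every number that find_enctype() does not know, not only the five DES entries in unsupported_etypes, and the function has no comment recording that. Callers that act on a true result, for instance by printing a weak-key warning, will now do so for arbitrary or future enctype numbers too. Failing closed looks like the intent, so I would state it above the return: `/* Unknown and unsupported enctypes are reported as deprecated so callers never treat them as strong. */`.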
@@ -122,6 +134,14 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
const char *name;
int i;
+ for (i = 0; unsupported_etypes[i].etype != ENCTYPE_NULL; i++) {
+ if (enctype == unsupported_etypes[i].etype) {
+ if (strlcpy(buffer, unsupported_etypes[i].name, buflen) >= buflen)
+ return ENOMEM;
+ return 0;
+ }
+ }
+
ktp = find_enctype(enctype);
if (ktp == NULL)
return EINVAL;
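Review bot: krb5_enctype_to_name() now returns 0 and a name for the enctypes in unsupported_etypes, which presumably have no find_enctype() entry, so a successful return no longer implies the enctype is usable; the new loop has no comment saying this. A caller that treats success as a validity check would accept single-DES numbers, so I would add above the loop `/* Name unsupported enctypes for display only; success here does not mean krb5_c_valid_enctype() holds. */`. The `shortest` argument is not consulted on this path, which is harmless with one name per entry but worth a word in the same comment. The function begins before and continues past this hunk.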