From: Greg Hudson Date: Tue, 21 May 2019 17:34:39 +0000 (-0400) Subject: Display unsupported enctype names X-Git-Tag: krb5-1.18-beta1~124 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F923%2Fhead;p=thirdparty%2Fkrb5.git Display unsupported enctype names Add a table of unsupported enctype numbers to enctype_util.c and consult it in krb5_enctype_to_name(). Treat unsupported enctype numbers as deprecated in krb5int_c_deprecated_enctype(). In kadmin, display "UNSUPPORTED:" before invalid enctype names. ticket: 8808 --- diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index fe4cb493c0..b4d1aad936 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -1461,7 +1461,9 @@ kadmin_getprinc(int argc, char *argv[]) enctype, sizeof(enctype))) snprintf(enctype, sizeof(enctype), _(""), key_data->key_data_type[0]); - if (krb5int_c_deprecated_enctype(key_data->key_data_type[0])) + if (!krb5_c_valid_enctype(key_data->key_data_type[0])) + deprecated = "UNSUPPORTED:"; + else if (krb5int_c_deprecated_enctype(key_data->key_data_type[0])) deprecated = "DEPRECATED:"; printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated, enctype); diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c index e394f4e197..1542d40629 100644 --- a/src/lib/crypto/krb/enctype_util.c +++ b/src/lib/crypto/krb/enctype_util.c @@ -36,6 +36,18 @@ #include "crypto_int.h" +struct { + krb5_enctype etype; + const char *name; +} unsupported_etypes[] = { + { ENCTYPE_DES_CBC_CRC, "des-cbc-crc" }, + { ENCTYPE_DES_CBC_MD4, "des-cbc-md4" }, + { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" }, + { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" }, + { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" }, + { ENCTYPE_NULL, NULL } +}; + krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype(krb5_enctype etype) { 
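Review bot: In kadmin_getprinc the local `deprecated` now also holds "UNSUPPORTED:", so its name no longer describes its contents; renaming it (for example to `prefix`) or adding a comment would keep the branch readable. Because the two branches are exclusive, a key whose enctype fails krb5_c_valid_enctype() is printed only with "UNSUPPORTED:", so anything that scans getprinc output for "DEPRECATED:" to find weak keys would need to match both labels. A comment such as `/* Unsupported enctypes get their own label instead of DEPRECATED. */` above the test would record that. The function body begins and ends outside this hunk.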
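Review bot: The new `unsupported_etypes` table in enctype_util.c is declared without `static` or `const`, so it is a writable object with external linkage in the crypto library, although this patch only reads it from the same file. Declaring it `static const struct {` keeps the symbol out of the library's namespace and lets the name table be placed in read-only data. A short comment above it saying that the `{ ENCTYPE_NULL, NULL }` entry is the end marker, and that ENCTYPE_NULL therefore cannot be listed itself, would also help the next reader.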
@@ -55,7 +67,7 @@ krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype etype) { const struct krb5_keytypes *ktp = find_enctype(etype); - return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0; + return ktp == NULL || (ktp->flags & ETYPE_DEPRECATED) != 0; } krb5_error_code KRB5_CALLCONV @@ -122,6 +134,14 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, const char *name; int i; + for (i = 0; unsupported_etypes[i].etype != ENCTYPE_NULL; i++) { + if (enctype == unsupported_etypes[i].etype) { + if (strlcpy(buffer, unsupported_etypes[i].name, buflen) >= buflen) + return ENOMEM; + return 0; + } + } + ktp = find_enctype(enctype); if (ktp == NULL) return EINVAL;
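Review bot: With `ktp == NULL ||` krb5int_c_deprecated_enctype() returns true for every number find_enctype() does not know, not only the five listed in unsupported_etypes, so arbitrary or malformed enctype values are now reported as deprecated. That agrees with the commit message, but nothing in the function says so; I would add `/* Enctypes with no key type entry (unsupported or unknown) are treated as deprecated. */` above the return. Callers that relied on a false result for unknown numbers are not visible in this patch and may be worth checking.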
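Review bot: After this loop krb5_enctype_to_name() returns 0 for enctypes that krb5_c_valid_enctype() rejects, so a successful return no longer implies the enctype is usable. kadmin checks validity separately, but other callers are not visible in this patch. A comment before the loop such as `/* Unsupported enctypes keep a display name; success does not mean the enctype is valid. */` would make that explicit. The `shortest` argument is ignored on this path, which looks harmless since each table entry has a single name, but is worth stating in the same comment. The function starts before the hunk and continues past it.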