[31307] in CVS-changelog-for-Kerberos-V5
krb5 commit: Improve error message for DES kadmin/history key
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Mar 26 11:19:59 2024
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20240326151954.463D3101960@krbdev.mit.edu>
Date: Tue, 26 Mar 2024 11:19:54 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/ebe416acff31616a342d27876e510007d426aae9
commit ebe416acff31616a342d27876e510007d426aae9
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Mar 20 17:17:50 2024 -0400
Improve error message for DES kadmin/history key
If the kadmin/history entry contains an unsupported encryption type,
produce a better error message than "Bad encryption type". Reuse the
error code KADM5_BAD_HIST_KEY (unused since release 1.8). Non-updated
kadmin clients will report the message "Password history principal key
version mismatch", which at least points in the direction of password
history.
ticket: 9116 (new)
src/lib/kadm5/kadm_err.et | 2 +-
src/lib/kadm5/srv/svr_principal.c | 2 ++
src/tests/hist.c | 28 +++++++++++++++++++++-------
src/tests/t_policy.py | 5 +++++
4 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et
index fbe2e7637..cf07e8068 100644
--- a/src/lib/kadm5/kadm_err.et
+++ b/src/lib/kadm5/kadm_err.et
@@ -14,7 +14,7 @@ error_code KADM5_BAD_DB, "Database inconsistency detected"
error_code KADM5_DUP, "Principal or policy already exists"
error_code KADM5_RPC_ERROR, "Communication failure with server"
error_code KADM5_NO_SRV, "No administration server found for realm"
-error_code KADM5_BAD_HIST_KEY, "Password history principal key version mismatch"
+error_code KADM5_BAD_HIST_KEY, "Password history entry (kadmin/history) contains unsupported key type"
error_code KADM5_NOT_INIT, "Connection to server not initialized"
error_code KADM5_UNK_PRINC, "Principal does not exist"
error_code KADM5_UNK_POLICY, "Policy does not exist"
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d5bb0b167..444c16ed7 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1281,6 +1281,8 @@ kadm5_chpass_principal_3(void *server_handle,
goto done;
ret = create_history_entry(handle->context, &hist_keyblocks[0],
kdb->n_key_data, kdb->key_data, &hist);
+ if (ret == KRB5_BAD_ENCTYPE)
+ ret = KADM5_BAD_HIST_KEY;
if (ret)
goto done;
}
diff --git a/src/tests/hist.c b/src/tests/hist.c
index 6bab968e8..b2f8ba5d7 100644
--- a/src/tests/hist.c
+++ b/src/tests/hist.c
@@ -31,13 +31,21 @@
*/
/*
- * This program is invoked from t_pwhist.py to simulate some conditions
- * normally only seen in databases created before krb5 1.3. With the "make"
- * argument, the history key is rolled over to a kvno containing two keys
- * (since krb5 1.3 we ordinarily ensure that there's only one). With the
- * "swap" argument, the two history keys are swapped in order; we use this
- * operation to simulate the case where krb5 1.7 or earlier chose something
- * other than the first history key to create password history entries.
+ * This program is invoked from t_policy.py to simulate some conditions
+ * normally only seen in older databases. It expects one argument, which can
+ * be:
+ *
+ * make: The kadmin/history entry is created with two keys. (Since krb5 1.3
+ * we ordinarily ensure that there's only one.)
+ *
+ * swap: The kadmin/history entry previously created with "make" is modified
+ * to swap the order of its keys. We use this operation to simulate the case
+ * where krb5 1.7 or earlier chose something other than the first history key
+ * to create password history entries.
+ *
+ * des: The kadmin/history entry is modified to change its first key type to
+ * des-cbc-crc. The key length and contents are not changed. (DES support
+ * was removed in krb5 1.18.)
*/
#include <k5-int.h>
@@ -90,6 +98,12 @@ main(int argc, char **argv)
ent->key_data[1] = kd;
check(krb5_db_put_principal(ctx, ent));
krb5_db_free_principal(ctx, ent);
+ } else if (strcmp(argv[1], "des") == 0) {
+ check(krb5_db_get_principal(ctx, hprinc, 0, &ent));
+ assert(ent->n_key_data >= 1);
+ ent->key_data[0].key_data_type[0] = ENCTYPE_DES_CBC_CRC;
+ check(krb5_db_put_principal(ctx, ent));
+ krb5_db_free_principal(ctx, ent);
}
krb5_free_default_realm(ctx, realm);
kadm5_destroy(handle);
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 2bb4f5f18..0b0e8c51e 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -163,6 +163,11 @@ realm.run(['./hist', 'swap'])
realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
expected_msg='Cannot reuse password')
+mark('Error message for unsupported kadmin/history key type')
+realm.run(['./hist', 'des'])
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'user'], expected_code=1,
+ expected_msg='(kadmin/history) contains unsupported key type')
+
# Test key/salt constraints.
mark('allowedkeysalts')
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
