krb5 commit: Improve error message for DES kadmin/history key

ghudson at mit.edu ghudson at mit.edu
Tue Mar 26 11:19:54 EDT 2024 

https://github.com/krb5/krb5/commit/ebe416acff31616a342d27876e510007d426aae9
commit ebe416acff31616a342d27876e510007d426aae9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Mar 20 17:17:50 2024 -0400

    Improve error message for DES kadmin/history key
    
    If the kadmin/history entry contains an unsupported encryption type,
    produce a better error message than "Bad encryption type".  Reuse the
    error code KADM5_BAD_HIST_KEY (unused since release 1.8).  Non-updated
    kadmin clients will report the message "Password history principal key
    version mismatch", which at least points in the direction of password
    history.
    
    ticket: 9116 (new)

 src/lib/kadm5/kadm_err.et         |  2 +-
 src/lib/kadm5/srv/svr_principal.c |  2 ++
 src/tests/hist.c                  | 28 +++++++++++++++++++++-------
 src/tests/t_policy.py             |  5 +++++
 4 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et
index fbe2e7637..cf07e8068 100644
--- a/src/lib/kadm5/kadm_err.et
+++ b/src/lib/kadm5/kadm_err.et
@@ -14,7 +14,7 @@ error_code KADM5_BAD_DB, "Database inconsistency detected"
 error_code KADM5_DUP, "Principal or policy already exists"
 error_code KADM5_RPC_ERROR, "Communication failure with server"
 error_code KADM5_NO_SRV, "No administration server found for realm"
-error_code KADM5_BAD_HIST_KEY, "Password history principal key version mismatch"
+error_code KADM5_BAD_HIST_KEY, "Password history entry (kadmin/history) contains unsupported key type"
 error_code KADM5_NOT_INIT, "Connection to server not initialized"
 error_code KADM5_UNK_PRINC, "Principal does not exist"
 error_code KADM5_UNK_POLICY, "Policy does not exist"
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d5bb0b167..444c16ed7 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1281,6 +1281,8 @@ kadm5_chpass_principal_3(void *server_handle,
             goto done;
         ret = create_history_entry(handle->context, &hist_keyblocks[0],
                                    kdb->n_key_data, kdb->key_data, &hist);
+        if (ret == KRB5_BAD_ENCTYPE)
+            ret = KADM5_BAD_HIST_KEY;
         if (ret)
             goto done;
     }
diff --git a/src/tests/hist.c b/src/tests/hist.c
index 6bab968e8..b2f8ba5d7 100644
--- a/src/tests/hist.c
+++ b/src/tests/hist.c
@@ -31,13 +31,21 @@
  */
 
 /*
- * This program is invoked from t_pwhist.py to simulate some conditions
- * normally only seen in databases created before krb5 1.3.  With the "make"
- * argument, the history key is rolled over to a kvno containing two keys
- * (since krb5 1.3 we ordinarily ensure that there's only one).  With the
- * "swap" argument, the two history keys are swapped in order; we use this
- * operation to simulate the case where krb5 1.7 or earlier chose something
- * other than the first history key to create password history entries.
+ * This program is invoked from t_policy.py to simulate some conditions
+ * normally only seen in older databases.  It expects one argument, which can
+ * be:
+ *
+ *   make: The kadmin/history entry is created with two keys.  (Since krb5 1.3
+ *   we ordinarily ensure that there's only one.)
+ *
+ *   swap: The kadmin/history entry previously created with "make" is modified
+ *   to swap the order of its keys.  We use this operation to simulate the case
+ *   where krb5 1.7 or earlier chose something other than the first history key
+ *   to create password history entries.
+ *
+ *   des: The kadmin/history entry is modified to change its first key type to
+ *   des-cbc-crc.  The key length and contents are not changed.  (DES support
+ *   was removed in krb5 1.18.)
  */
 
 #include <k5-int.h>
@@ -90,6 +98,12 @@ main(int argc, char **argv)
 	ent->key_data[1] = kd;
         check(krb5_db_put_principal(ctx, ent));
         krb5_db_free_principal(ctx, ent);
+    } else if (strcmp(argv[1], "des") == 0) {
+        check(krb5_db_get_principal(ctx, hprinc, 0, &ent));
+        assert(ent->n_key_data >= 1);
+        ent->key_data[0].key_data_type[0] = ENCTYPE_DES_CBC_CRC;
+        check(krb5_db_put_principal(ctx, ent));
+        krb5_db_free_principal(ctx, ent);
     }
     krb5_free_default_realm(ctx, realm);
     kadm5_destroy(handle);
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 2bb4f5f18..0b0e8c51e 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -163,6 +163,11 @@ realm.run(['./hist', 'swap'])
 realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
           expected_msg='Cannot reuse password')
 
+mark('Error message for unsupported kadmin/history key type')
+realm.run(['./hist', 'des'])
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'user'], expected_code=1,
+          expected_msg='(kadmin/history) contains unsupported key type')
+
 # Test key/salt constraints.
 mark('allowedkeysalts')

More information about the cvs-krb5 mailing list