From 4e061b8902614f9d9005c9135216c32231c9b621 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 20 Mar 2024 17:17:50 -0400
Subject: [PATCH] Improve error message for DES kadmin/history key
If the kadmin/history entry contains an unsupported encryption type, produce a better error message than "Bad encryption type". Reuse the error code KADM5_BAD_HIST_KEY (unused since release 1.8). Non-updated kadmin clients will report the message "Password history principal key version mismatch", which at least points in the direction of password history.
ticket: 9116 (new)
---
 src/lib/kadm5/kadm_err.et | 2 +-
 src/lib/kadm5/srv/svr_principal.c | 2 ++
 src/tests/hist.c | 29 +++++++++++++++++++++--------
 src/tests/t_policy.py | 5 +++++
 4 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et
index fbe2e7637a9..cf07e8068c3 100644
--- a/src/lib/kadm5/kadm_err.et
+++ b/src/lib/kadm5/kadm_err.et
@@ -14,7 +14,7 @@ error_code KADM5_BAD_DB, "Database inconsistency detected"
 error_code KADM5_DUP, "Principal or policy already exists"
 error_code KADM5_RPC_ERROR, "Communication failure with server"
 error_code KADM5_NO_SRV, "No administration server found for realm"
-error_code KADM5_BAD_HIST_KEY, "Password history principal key version mismatch"
+error_code KADM5_BAD_HIST_KEY, "Password history entry (kadmin/history) contains unsupported key type"
 error_code KADM5_NOT_INIT, "Connection to server not initialized"
 error_code KADM5_UNK_PRINC, "Principal does not exist"
 error_code KADM5_UNK_POLICY, "Policy does not exist"
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d5bb0b167d7..444c16ed75b 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1281,6 +1281,8 @@ kadm5_chpass_principal_3(void *server_handle,
 goto done;
 ret = create_history_entry(handle->context, &hist_keyblocks[0],
 kdb->n_key_data, kdb->key_data, &hist);
+ if (ret == KRB5_BAD_ENCTYPE)
+ ret = KADM5_BAD_HIST_KEY;
 if (ret)
 goto done;
 }
diff --git a/src/tests/hist.c b/src/tests/hist.c
index 6bab968e8ba..f340311cf1a 100644
--- a/src/tests/hist.c
+++ b/src/tests/hist.c
@@ -31,13 +31,21 @@
 */
 
 /*
- * This program is invoked from t_pwhist.py to simulate some conditions
- * normally only seen in databases created before krb5 1.3. With the "make"
- * argument, the history key is rolled over to a kvno containing two keys
- * (since krb5 1.3 we ordinarily ensure that there's only one). With the
- * "swap" argument, the two history keys are swapped in order; we use this
- * operation to simulate the case where krb5 1.7 or earlier chose something
- * other than the first history key to create password history entries.
+ * This program is invoked from t_policy.py to simulate some conditions
+ * normally only seen in older databases. It expects one argument, which can
+ * be:
+ *
+ * make: The kadmin/history entry is created with two keys. (Since krb5 1.3
+ * we ordinarily ensure that there's only one.)
+ *
+ * swap: The kadmin/history entry previously created with "make" is modified
+ * to swap the order of its keys. We use this operation to simulate the case
+ * where krb5 1.7 or earlier chose something other than the first history key
+ * to create password history entries.
+ *
+ * des: The kadmin/history entry is modified to change its first key type to
+ * des-cbc-crc. The key length and contents are not changed. (DES support
+ * was removed in krb5 1.18.)
 */
 
 #include 
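Review bot: The new remap of KRB5_BAD_ENCTYPE to KADM5_BAD_HIST_KEY after the create_history_entry() call rests on an assumption that is not written down: every KRB5_BAD_ENCTYPE coming back from that call is attributed to the kadmin/history key, even though the call is also handed the principal's own kdb->key_data, and nothing in the hunk shows why those cannot be the source. If the intent is that the principal's keys were just generated and therefore cannot be of an unsupported type, a comment such as `/* The principal's keys were just generated, so KRB5_BAD_ENCTYPE here can only mean the history key itself is unsupported. */` above the `if` would keep a later reader from widening or removing the remap. The original krb5 code is also lost at this point, so a trace line before the remap may be worth considering if diagnosing the underlying enctype matters operationally. kadm5_chpass_principal_3() begins and ends outside this hunk.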
@@ -74,7 +82,6 @@ main(int argc, char **argv)
 check(kadm5_init(ctx, "user", "", "", ¶ms, KADM5_STRUCT_VERSION,
 KADM5_API_VERSION_4, NULL, &handle));
 if (strcmp(argv[1], "make") == 0) {
- memset(&kent, 0, sizeof(kent));
 kent.principal = hprinc;
 kent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
 kent.attributes = 0;
@@ -90,6 +97,12 @@ main(int argc, char **argv)
 ent->key_data[1] = kd;
 check(krb5_db_put_principal(ctx, ent));
 krb5_db_free_principal(ctx, ent);
+ } else if (strcmp(argv[1], "des") == 0) {
+ check(krb5_db_get_principal(ctx, hprinc, 0, &ent));
+ assert(ent->n_key_data >= 1);
+ ent->key_data[0].key_data_type[0] = ENCTYPE_DES_CBC_CRC;
+ check(krb5_db_put_principal(ctx, ent));
+ krb5_db_free_principal(ctx, ent);
 }
 krb5_free_default_realm(ctx, realm);
 kadm5_destroy(handle);
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 2bb4f5f1868..0b0e8c51ebc 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -163,6 +163,11 @@ def histfail(*pwlist):
 realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'],
 expected_code=1, expected_msg='Cannot reuse password')
 
+mark('Error message for unsupported kadmin/history key type')
+realm.run(['./hist', 'des'])
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'user'], expected_code=1,
+ expected_msg='(kadmin/history) contains unsupported key type')
+
 # Test key/salt constraints.
 mark('allowedkeysalts')
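Review bot: Dropping the `memset(&kent, 0, sizeof(kent));` at the top of the "make" branch leaves every field of kent that the branch does not assign (only principal, max_life and attributes are set in these lines) holding whatever was there before, unless kent is now zero-initialized at its declaration, which is outside this hunk and not touched anywhere in this patch. If the declaration was not changed, either keep the memset or initialize kent at its declaration with `= { 0 }` so the rest of the branch only ever sees deterministic contents. main() begins and ends outside this hunk, so I cannot confirm which case applies.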
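Review bot: The `./hist des` step rewrites the first kadmin/history key type in the realm's database and none of the new lines restore it, so any later test in this script that changes a password under a policy with password history would fail with the same unsupported-key-type error instead of exercising what it meant to test. If nothing from 'allowedkeysalts' onward touches password history that is fine, but the ordering dependency should be stated, e.g. a comment above the mark() call such as `# Leaves kadmin/history with a des-cbc-crc key; keep this after the history tests.`, or the history key should be made usable again once the assertion has run. I cannot see the remainder of the script from this hunk, so this is a point to confirm rather than a demonstrated failure.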