search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug 7063 - Samba 3.4.5 on ubuntu 8.04 64 bit - Core dumps.
[Samba/gbeck.git] / source4 / heimdal / kdc / kerberos4.c
blob2bd2383940527c62e58e3a82b8a0dbb54726cb14
1 /*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 #include <krb5-v4compat.h>
37
38 RCSID("$Id$");
39
40 #ifndef swap32
41 static uint32_t
42 swap32(uint32_t x)
43 {
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
46 ((x >> 8) & 0xff00) |
47 ((x >> 24) & 0xff);
48 }
49 #endif /* swap32 */
50
51 int
52 _kdc_maybe_version4(unsigned char *buf, int len)
53 {
54 return len > 0 && *buf == 4;
55 }
56
57 static void
58 make_err_reply(krb5_context context, krb5_data *reply,
59 int code, const char *msg)
60 {
61 _krb5_krb_cr_err_reply(context, "", "", "",
62 kdc_time, code, msg, reply);
63 }
64
65 struct valid_princ_ctx {
66 krb5_kdc_configuration *config;
67 unsigned flags;
68 };
69
70 static krb5_boolean
71 valid_princ(krb5_context context,
72 void *funcctx,
73 krb5_principal princ)
74 {
75 struct valid_princ_ctx *ctx = funcctx;
76 krb5_error_code ret;
77 char *s;
78 hdb_entry_ex *ent;
79
80 ret = krb5_unparse_name(context, princ, &s);
81 if (ret)
82 return FALSE;
83 ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
84 if (ret) {
85 kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
86 krb5_get_err_text (context, ret));
87 free(s);
88 return FALSE;
89 }
90 kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
91 free(s);
92 _kdc_free_ent(context, ent);
93 return TRUE;
94 }
95
96 krb5_error_code
97 _kdc_db_fetch4(krb5_context context,
98 krb5_kdc_configuration *config,
99 const char *name, const char *instance, const char *realm,
100 unsigned flags,
101 hdb_entry_ex **ent)
102 {
103 krb5_principal p;
104 krb5_error_code ret;
105 struct valid_princ_ctx ctx;
106
107 ctx.config = config;
108 ctx.flags = flags;
109
110 ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
111 valid_princ, &ctx, 0, &p);
112 if(ret)
113 return ret;
114 ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
115 krb5_free_principal(context, p);
116 return ret;
117 }
118
119 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
120
121 /*
122 * Process the v4 request in `buf, len' (received from `addr'
123 * (with string `from').
124 * Return an error code and a reply in `reply'.
125 */
126
127 krb5_error_code
128 _kdc_do_version4(krb5_context context,
129 krb5_kdc_configuration *config,
130 unsigned char *buf,
131 size_t len,
132 krb5_data *reply,
133 const char *from,
134 struct sockaddr_in *addr)
135 {
136 krb5_storage *sp;
137 krb5_error_code ret = EINVAL;
138 hdb_entry_ex *client = NULL, *server = NULL;
139 Key *ckey, *skey;
140 int8_t pvno;
141 int8_t msg_type;
142 int lsb;
143 char *name = NULL, *inst = NULL, *realm = NULL;
144 char *sname = NULL, *sinst = NULL;
145 int32_t req_time;
146 time_t max_life;
147 uint8_t life;
148 char client_name[256];
149 char server_name[256];
150
151 if(!config->enable_v4) {
152 kdc_log(context, config, 0,
153 "Rejected version 4 request from %s", from);
154 make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
155 "Function not enabled");
156 return 0;
157 }
158
159 sp = krb5_storage_from_mem(buf, len);
160 RCHECK(krb5_ret_int8(sp, &pvno), out);
161 if(pvno != 4){
162 kdc_log(context, config, 0,
163 "Protocol version mismatch (krb4) (%d)", pvno);
164 make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
165 ret = KRB4ET_KDC_PKT_VER;
166 goto out;
167 }
168 RCHECK(krb5_ret_int8(sp, &msg_type), out);
169 lsb = msg_type & 1;
170 msg_type &= ~1;
171 switch(msg_type){
172 case AUTH_MSG_KDC_REQUEST: {
173 krb5_data ticket, cipher;
174 krb5_keyblock session;
175
176 krb5_data_zero(&ticket);
177 krb5_data_zero(&cipher);
178
179 RCHECK(krb5_ret_stringz(sp, &name), out1);
180 RCHECK(krb5_ret_stringz(sp, &inst), out1);
181 RCHECK(krb5_ret_stringz(sp, &realm), out1);
182 RCHECK(krb5_ret_int32(sp, &req_time), out1);
183 if(lsb)
184 req_time = swap32(req_time);
185 RCHECK(krb5_ret_uint8(sp, &life), out1);
186 RCHECK(krb5_ret_stringz(sp, &sname), out1);
187 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
188 snprintf (client_name, sizeof(client_name),
189 "%s.%s@%s", name, inst, realm);
190 snprintf (server_name, sizeof(server_name),
191 "%s.%s@%s", sname, sinst, config->v4_realm);
192
193 kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
194 client_name, from, server_name);
195
196 ret = _kdc_db_fetch4(context, config, name, inst, realm,
197 HDB_F_GET_CLIENT, &client);
198 if(ret) {
199 kdc_log(context, config, 0, "Client not found in database: %s: %s",
200 client_name, krb5_get_err_text(context, ret));
201 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
202 "principal unknown");
203 goto out1;
204 }
205 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
206 HDB_F_GET_SERVER, &server);
207 if(ret){
208 kdc_log(context, config, 0, "Server not found in database: %s: %s",
209 server_name, krb5_get_err_text(context, ret));
210 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
211 "principal unknown");
212 goto out1;
213 }
214
215 ret = _kdc_check_flags (context, config,
216 client, client_name,
217 server, server_name,
218 TRUE);
219 if (ret) {
220 /* good error code? */
221 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
222 "operation not allowed");
223 goto out1;
224 }
225
226 if (config->enable_v4_per_principal &&
227 client->entry.flags.allow_kerberos4 == 0)
228 {
229 kdc_log(context, config, 0,
230 "Per principal Kerberos 4 flag not turned on for %s",
231 client_name);
232 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
233 "allow kerberos4 flag required");
234 goto out1;
235 }
236
237 /*
238 * There's no way to do pre-authentication in v4 and thus no
239 * good error code to return if preauthentication is required.
240 */
241
242 if (config->require_preauth
243 || client->entry.flags.require_preauth
244 || server->entry.flags.require_preauth) {
245 kdc_log(context, config, 0,
246 "Pre-authentication required for v4-request: "
247 "%s for %s",
248 client_name, server_name);
249 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
250 "preauth required");
251 goto out1;
252 }
253
254 ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
255 if(ret){
256 kdc_log(context, config, 0, "no suitable DES key for client");
257 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
258 "no suitable DES key for client");
259 goto out1;
260 }
261
262 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
263 if(ret){
264 kdc_log(context, config, 0, "no suitable DES key for server");
265 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
266 "no suitable DES key for server");
267 goto out1;
268 }
269
270 max_life = _krb5_krb_life_to_time(0, life);
271 if(client->entry.max_life)
272 max_life = min(max_life, *client->entry.max_life);
273 if(server->entry.max_life)
274 max_life = min(max_life, *server->entry.max_life);
275
276 life = krb_time_to_life(kdc_time, kdc_time + max_life);
277
278 ret = krb5_generate_random_keyblock(context,
279 ETYPE_DES_PCBC_NONE,
280 &session);
281 if (ret) {
282 make_err_reply(context, reply, KFAILURE,
283 "Not enough random i KDC");
284 goto out1;
285 }
286
287 ret = _krb5_krb_create_ticket(context,
288 0,
289 name,
290 inst,
291 config->v4_realm,
292 addr->sin_addr.s_addr,
293 &session,
294 life,
295 kdc_time,
296 sname,
297 sinst,
298 &skey->key,
299 &ticket);
300 if (ret) {
301 krb5_free_keyblock_contents(context, &session);
302 make_err_reply(context, reply, KFAILURE,
303 "failed to create v4 ticket");
304 goto out1;
305 }
306
307 ret = _krb5_krb_create_ciph(context,
308 &session,
309 sname,
310 sinst,
311 config->v4_realm,
312 life,
313 server->entry.kvno % 255,
314 &ticket,
315 kdc_time,
316 &ckey->key,
317 &cipher);
318 krb5_free_keyblock_contents(context, &session);
319 krb5_data_free(&ticket);
320 if (ret) {
321 make_err_reply(context, reply, KFAILURE,
322 "Failed to create v4 cipher");
323 goto out1;
324 }
325
326 ret = _krb5_krb_create_auth_reply(context,
327 name,
328 inst,
329 realm,
330 req_time,
331 0,
332 client->entry.pw_end ? *client->entry.pw_end : 0,
333 client->entry.kvno % 256,
334 &cipher,
335 reply);
336 krb5_data_free(&cipher);
337
338 out1:
339 break;
340 }
341 case AUTH_MSG_APPL_REQUEST: {
342 struct _krb5_krb_auth_data ad;
343 int8_t kvno;
344 int8_t ticket_len;
345 int8_t req_len;
346 krb5_data auth;
347 int32_t address;
348 size_t pos;
349 krb5_principal tgt_princ = NULL;
350 hdb_entry_ex *tgt = NULL;
351 Key *tkey;
352 time_t max_end, actual_end, issue_time;
353
354 memset(&ad, 0, sizeof(ad));
355 krb5_data_zero(&auth);
356
357 RCHECK(krb5_ret_int8(sp, &kvno), out2);
358 RCHECK(krb5_ret_stringz(sp, &realm), out2);
359
360 ret = krb5_425_conv_principal(context, "krbtgt", realm,
361 config->v4_realm,
362 &tgt_princ);
363 if(ret){
364 kdc_log(context, config, 0,
365 "Converting krbtgt principal (krb4): %s",
366 krb5_get_err_text(context, ret));
367 make_err_reply(context, reply, KFAILURE,
368 "Failed to convert v4 principal (krbtgt)");
369 goto out2;
370 }
371
372 ret = _kdc_db_fetch(context, config, tgt_princ,
373 HDB_F_GET_KRBTGT, NULL, &tgt);
374 if(ret){
375 char *s;
376 s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
377 "found in database (krb4): krbtgt.%s@%s: %s",
378 realm, config->v4_realm,
379 krb5_get_err_text(context, ret));
380 make_err_reply(context, reply, KFAILURE, s);
381 free(s);
382 goto out2;
383 }
384
385 if(tgt->entry.kvno % 256 != kvno){
386 kdc_log(context, config, 0,
387 "tgs-req (krb4) with old kvno %d (current %d) for "
388 "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
389 realm, config->v4_realm);
390 make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
391 "old krbtgt kvno used");
392 goto out2;
393 }
394
395 ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
396 if(ret){
397 kdc_log(context, config, 0,
398 "no suitable DES key for krbtgt (krb4)");
399 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
400 "no suitable DES key for krbtgt");
401 goto out2;
402 }
403
404 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
405 RCHECK(krb5_ret_int8(sp, &req_len), out2);
406
407 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
408
409 auth.data = buf;
410 auth.length = pos;
411
412 if (config->check_ticket_addresses)
413 address = addr->sin_addr.s_addr;
414 else
415 address = 0;
416
417 ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
418 config->v4_realm,
419 address, &tkey->key, &ad);
420 if(ret){
421 kdc_log(context, config, 0, "krb_rd_req: %d", ret);
422 make_err_reply(context, reply, ret, "failed to parse request");
423 goto out2;
424 }
425
426 RCHECK(krb5_ret_int32(sp, &req_time), out2);
427 if(lsb)
428 req_time = swap32(req_time);
429 RCHECK(krb5_ret_uint8(sp, &life), out2);
430 RCHECK(krb5_ret_stringz(sp, &sname), out2);
431 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
432 snprintf (server_name, sizeof(server_name),
433 "%s.%s@%s",
434 sname, sinst, config->v4_realm);
435 snprintf (client_name, sizeof(client_name),
436 "%s.%s@%s",
437 ad.pname, ad.pinst, ad.prealm);
438
439 kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
440 client_name, from, server_name);
441
442 if(strcmp(ad.prealm, realm)){
443 kdc_log(context, config, 0,
444 "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
445 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
446 "Can't hop realms");
447 goto out2;
448 }
449
450 if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
451 kdc_log(context, config, 0,
452 "krb4 Cross-realm %s -> %s disabled",
453 realm, config->v4_realm);
454 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
455 "Can't hop realms");
456 goto out2;
457 }
458
459 if(strcmp(sname, "changepw") == 0){
460 kdc_log(context, config, 0,
461 "Bad request for changepw ticket (krb4)");
462 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
463 "Can't authorize password change based on TGT");
464 goto out2;
465 }
466
467 ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
468 HDB_F_GET_CLIENT, &client);
469 if(ret && ret != HDB_ERR_NOENTRY) {
470 char *s;
471 s = kdc_log_msg(context, config, 0,
472 "Client not found in database: (krb4) %s: %s",
473 client_name, krb5_get_err_text(context, ret));
474 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
475 free(s);
476 goto out2;
477 }
478 if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
479 char *s;
480 s = kdc_log_msg(context, config, 0,
481 "Local client not found in database: (krb4) "
482 "%s", client_name);
483 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
484 free(s);
485 goto out2;
486 }
487
488 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
489 HDB_F_GET_SERVER, &server);
490 if(ret){
491 char *s;
492 s = kdc_log_msg(context, config, 0,
493 "Server not found in database (krb4): %s: %s",
494 server_name, krb5_get_err_text(context, ret));
495 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
496 free(s);
497 goto out2;
498 }
499
500 ret = _kdc_check_flags (context, config,
501 client, client_name,
502 server, server_name,
503 FALSE);
504 if (ret) {
505 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
506 "operation not allowed");
507 goto out2;
508 }
509
510 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
511 if(ret){
512 kdc_log(context, config, 0,
513 "no suitable DES key for server (krb4)");
514 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
515 "no suitable DES key for server");
516 goto out2;
517 }
518
519 max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
520 max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
521 if(server->entry.max_life)
522 max_end = min(max_end, kdc_time + *server->entry.max_life);
523 if(client && client->entry.max_life)
524 max_end = min(max_end, kdc_time + *client->entry.max_life);
525 life = min(life, krb_time_to_life(kdc_time, max_end));
526
527 issue_time = kdc_time;
528 actual_end = _krb5_krb_life_to_time(issue_time, life);
529 while (actual_end > max_end && life > 1) {
530 /* move them into the next earlier lifetime bracket */
531 life--;
532 actual_end = _krb5_krb_life_to_time(issue_time, life);
533 }
534 if (actual_end > max_end) {
535 /* if life <= 1 and it's still too long, backdate the ticket */
536 issue_time -= actual_end - max_end;
537 }
538
539 {
540 krb5_data ticket, cipher;
541 krb5_keyblock session;
542
543 krb5_data_zero(&ticket);
544 krb5_data_zero(&cipher);
545
546 ret = krb5_generate_random_keyblock(context,
547 ETYPE_DES_PCBC_NONE,
548 &session);
549 if (ret) {
550 make_err_reply(context, reply, KFAILURE,
551 "Not enough random i KDC");
552 goto out2;
553 }
554
555 ret = _krb5_krb_create_ticket(context,
556 0,
557 ad.pname,
558 ad.pinst,
559 ad.prealm,
560 addr->sin_addr.s_addr,
561 &session,
562 life,
563 issue_time,
564 sname,
565 sinst,
566 &skey->key,
567 &ticket);
568 if (ret) {
569 krb5_free_keyblock_contents(context, &session);
570 make_err_reply(context, reply, KFAILURE,
571 "failed to create v4 ticket");
572 goto out2;
573 }
574
575 ret = _krb5_krb_create_ciph(context,
576 &session,
577 sname,
578 sinst,
579 config->v4_realm,
580 life,
581 server->entry.kvno % 255,
582 &ticket,
583 issue_time,
584 &ad.session,
585 &cipher);
586 krb5_free_keyblock_contents(context, &session);
587 if (ret) {
588 make_err_reply(context, reply, KFAILURE,
589 "failed to create v4 cipher");
590 goto out2;
591 }
592
593 ret = _krb5_krb_create_auth_reply(context,
594 ad.pname,
595 ad.pinst,
596 ad.prealm,
597 req_time,
598 0,
599 0,
600 0,
601 &cipher,
602 reply);
603 krb5_data_free(&cipher);
604 }
605 out2:
606 _krb5_krb_free_auth_data(context, &ad);
607 if(tgt_princ)
608 krb5_free_principal(context, tgt_princ);
609 if(tgt)
610 _kdc_free_ent(context, tgt);
611 break;
612 }
613 case AUTH_MSG_ERR_REPLY:
614 ret = EINVAL;
615 break;
616 default:
617 kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
618 msg_type, from);
619
620 make_err_reply(context, reply, KFAILURE, "Unknown message type");
621 ret = EINVAL;
622 }
623 out:
624 if(name)
625 free(name);
626 if(inst)
627 free(inst);
628 if(realm)
629 free(realm);
630 if(sname)
631 free(sname);
632 if(sinst)
633 free(sinst);
634 if(client)
635 _kdc_free_ent(context, client);
636 if(server)
637 _kdc_free_ent(context, server);
638 krb5_storage_free(sp);
639 return ret;
640 }
641
642 krb5_error_code
643 _kdc_encode_v4_ticket(krb5_context context,
644 krb5_kdc_configuration *config,
645 void *buf, size_t len, const EncTicketPart *et,
646 const PrincipalName *service, size_t *size)
647 {
648 krb5_storage *sp;
649 krb5_error_code ret;
650 char name[40], inst[40], realm[40];
651 char sname[40], sinst[40];
652
653 {
654 krb5_principal princ;
655 _krb5_principalname2krb5_principal(context,
656 &princ,
657 *service,
658 et->crealm);
659 ret = krb5_524_conv_principal(context,
660 princ,
661 sname,
662 sinst,
663 realm);
664 krb5_free_principal(context, princ);
665 if(ret)
666 return ret;
667
668 _krb5_principalname2krb5_principal(context,
669 &princ,
670 et->cname,
671 et->crealm);
672
673 ret = krb5_524_conv_principal(context,
674 princ,
675 name,
676 inst,
677 realm);
678 krb5_free_principal(context, princ);
679 }
680 if(ret)
681 return ret;
682
683 sp = krb5_storage_emem();
684
685 krb5_store_int8(sp, 0); /* flags */
686 krb5_store_stringz(sp, name);
687 krb5_store_stringz(sp, inst);
688 krb5_store_stringz(sp, realm);
689 {
690 unsigned char tmp[4] = { 0, 0, 0, 0 };
691 int i;
692 if(et->caddr){
693 for(i = 0; i < et->caddr->len; i++)
694 if(et->caddr->val[i].addr_type == AF_INET &&
695 et->caddr->val[i].address.length == 4){
696 memcpy(tmp, et->caddr->val[i].address.data, 4);
697 break;
698 }
699 }
700 krb5_storage_write(sp, tmp, sizeof(tmp));
701 }
702
703 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
704 et->key.keytype != ETYPE_DES_CBC_MD4 &&
705 et->key.keytype != ETYPE_DES_CBC_CRC) ||
706 et->key.keyvalue.length != 8)
707 return -1;
708 krb5_storage_write(sp, et->key.keyvalue.data, 8);
709
710 {
711 time_t start = et->starttime ? *et->starttime : et->authtime;
712 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
713 krb5_store_int32(sp, start);
714 }
715
716 krb5_store_stringz(sp, sname);
717 krb5_store_stringz(sp, sinst);
718
719 {
720 krb5_data data;
721 krb5_storage_to_data(sp, &data);
722 krb5_storage_free(sp);
723 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
724 if(*size > len)
725 return -1;
726 memset((unsigned char*)buf - *size + 1, 0, *size);
727 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
728 krb5_data_free(&data);
729 }
730 return 0;
731 }
732
733 krb5_error_code
734 _kdc_get_des_key(krb5_context context,
735 hdb_entry_ex *principal, krb5_boolean is_server,
736 krb5_boolean prefer_afs_key, Key **ret_key)
737 {
738 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
739 int i;
740 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
741 ETYPE_DES_CBC_MD4,
742 ETYPE_DES_CBC_CRC };
743
744 for(i = 0;
745 i < sizeof(etypes)/sizeof(etypes[0])
746 && (v5_key == NULL || v4_key == NULL ||
747 afs_key == NULL || server_key == NULL);
748 ++i) {
749 Key *key = NULL;
750 while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
751 if(key->salt == NULL) {
752 if(v5_key == NULL)
753 v5_key = key;
754 } else if(key->salt->type == hdb_pw_salt &&
755 key->salt->salt.length == 0) {
756 if(v4_key == NULL)
757 v4_key = key;
758 } else if(key->salt->type == hdb_afs3_salt) {
759 if(afs_key == NULL)
760 afs_key = key;
761 } else if(server_key == NULL)
762 server_key = key;
763 }
764 }
765
766 if(prefer_afs_key) {
767 if(afs_key)
768 *ret_key = afs_key;
769 else if(v4_key)
770 *ret_key = v4_key;
771 else if(v5_key)
772 *ret_key = v5_key;
773 else if(is_server && server_key)
774 *ret_key = server_key;
775 else
776 return KRB4ET_KDC_NULL_KEY;
777 } else {
778 if(v4_key)
779 *ret_key = v4_key;
780 else if(afs_key)
781 *ret_key = afs_key;
782 else if(v5_key)
783 *ret_key = v5_key;
784 else if(is_server && server_key)
785 *ret_key = server_key;
786 else
787 return KRB4ET_KDC_NULL_KEY;
788 }
789
790 if((*ret_key)->key.keyvalue.length == 0)
791 return KRB4ET_KDC_NULL_KEY;
792 return 0;
793 }
794
WIP