add opt files
[heimdal.git] / kdc / kerberos4.c
blobb28e50b5f5d635de06f9ec27ee1ba387a72e80ab
1 /*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #define KRB5_DEPRECATED /* uses v4 functions that will die */
36 #include "kdc_locl.h"
38 #ifdef KRB4
40 #include <krb5-v4compat.h>
42 #ifndef swap32
43 static uint32_t
44 swap32(uint32_t x)
46 return ((x << 24) & 0xff000000) |
47 ((x << 8) & 0xff0000) |
48 ((x >> 8) & 0xff00) |
49 ((x >> 24) & 0xff);
51 #endif /* swap32 */
53 int
54 _kdc_maybe_version4(unsigned char *buf, int len)
56 return len > 0 && *buf == 4;
59 static void
60 make_err_reply(krb5_context context, krb5_data *reply,
61 int code, const char *msg)
63 _krb5_krb_cr_err_reply(context, "", "", "",
64 kdc_time, code, msg, reply);
67 struct valid_princ_ctx {
68 krb5_kdc_configuration *config;
69 unsigned flags;
72 static krb5_boolean
73 valid_princ(krb5_context context,
74 void *funcctx,
75 krb5_principal princ)
77 struct valid_princ_ctx *ctx = funcctx;
78 krb5_error_code ret;
79 char *s;
80 hdb_entry_ex *ent;
82 ret = krb5_unparse_name(context, princ, &s);
83 if (ret)
84 return FALSE;
85 ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
86 if (ret) {
87 kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
88 krb5_get_err_text (context, ret));
89 free(s);
90 return FALSE;
92 kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
93 free(s);
94 _kdc_free_ent(context, ent);
95 return TRUE;
98 krb5_error_code
99 _kdc_db_fetch4(krb5_context context,
100 krb5_kdc_configuration *config,
101 const char *name, const char *instance, const char *realm,
102 unsigned flags,
103 hdb_entry_ex **ent)
105 krb5_principal p;
106 krb5_error_code ret;
107 struct valid_princ_ctx ctx;
109 ctx.config = config;
110 ctx.flags = flags;
112 ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
113 valid_princ, &ctx, 0, &p);
114 if(ret)
115 return ret;
116 ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
117 krb5_free_principal(context, p);
118 return ret;
121 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
124 * Process the v4 request in `buf, len' (received from `addr'
125 * (with string `from').
126 * Return an error code and a reply in `reply'.
129 krb5_error_code
130 _kdc_do_version4(krb5_context context,
131 krb5_kdc_configuration *config,
132 unsigned char *buf,
133 size_t len,
134 krb5_data *reply,
135 const char *from,
136 struct sockaddr_in *addr)
138 krb5_storage *sp;
139 krb5_error_code ret = EINVAL;
140 hdb_entry_ex *client = NULL, *server = NULL;
141 Key *ckey, *skey;
142 int8_t pvno;
143 int8_t msg_type;
144 int lsb;
145 char *name = NULL, *inst = NULL, *realm = NULL;
146 char *sname = NULL, *sinst = NULL;
147 int32_t req_time;
148 time_t max_life;
149 uint8_t life;
150 char client_name[256];
151 char server_name[256];
153 if(!config->enable_v4) {
154 kdc_log(context, config, 0,
155 "Rejected version 4 request from %s", from);
156 make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
157 "Function not enabled");
158 return 0;
161 sp = krb5_storage_from_mem(buf, len);
162 RCHECK(krb5_ret_int8(sp, &pvno), out);
163 if(pvno != 4){
164 kdc_log(context, config, 0,
165 "Protocol version mismatch (krb4) (%d)", pvno);
166 make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
167 ret = KRB4ET_KDC_PKT_VER;
168 goto out;
170 RCHECK(krb5_ret_int8(sp, &msg_type), out);
171 lsb = msg_type & 1;
172 msg_type &= ~1;
173 switch(msg_type){
174 case AUTH_MSG_KDC_REQUEST: {
175 krb5_data ticket, cipher;
176 krb5_keyblock session;
178 krb5_data_zero(&ticket);
179 krb5_data_zero(&cipher);
181 RCHECK(krb5_ret_stringz(sp, &name), out1);
182 RCHECK(krb5_ret_stringz(sp, &inst), out1);
183 RCHECK(krb5_ret_stringz(sp, &realm), out1);
184 RCHECK(krb5_ret_int32(sp, &req_time), out1);
185 if(lsb)
186 req_time = swap32(req_time);
187 RCHECK(krb5_ret_uint8(sp, &life), out1);
188 RCHECK(krb5_ret_stringz(sp, &sname), out1);
189 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
190 snprintf (client_name, sizeof(client_name),
191 "%s.%s@%s", name, inst, realm);
192 snprintf (server_name, sizeof(server_name),
193 "%s.%s@%s", sname, sinst, config->v4_realm);
195 kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
196 client_name, from, server_name);
198 ret = _kdc_db_fetch4(context, config, name, inst, realm,
199 HDB_F_GET_CLIENT, &client);
200 if(ret) {
201 kdc_log(context, config, 0, "Client not found in database: %s: %s",
202 client_name, krb5_get_err_text(context, ret));
203 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
204 "principal unknown");
205 goto out1;
207 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
208 HDB_F_GET_SERVER, &server);
209 if(ret){
210 kdc_log(context, config, 0, "Server not found in database: %s: %s",
211 server_name, krb5_get_err_text(context, ret));
212 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
213 "principal unknown");
214 goto out1;
217 ret = kdc_check_flags (context, config,
218 client, client_name,
219 server, server_name,
220 TRUE);
221 if (ret) {
222 /* good error code? */
223 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
224 "operation not allowed");
225 goto out1;
228 if (config->enable_v4_per_principal &&
229 client->entry.flags.allow_kerberos4 == 0)
231 kdc_log(context, config, 0,
232 "Per principal Kerberos 4 flag not turned on for %s",
233 client_name);
234 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
235 "allow kerberos4 flag required");
236 goto out1;
240 * There's no way to do pre-authentication in v4 and thus no
241 * good error code to return if preauthentication is required.
244 if (config->require_preauth
245 || client->entry.flags.require_preauth
246 || server->entry.flags.require_preauth) {
247 kdc_log(context, config, 0,
248 "Pre-authentication required for v4-request: "
249 "%s for %s",
250 client_name, server_name);
251 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
252 "preauth required");
253 goto out1;
256 ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
257 if(ret){
258 kdc_log(context, config, 0, "no suitable DES key for client");
259 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
260 "no suitable DES key for client");
261 goto out1;
264 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
265 if(ret){
266 kdc_log(context, config, 0, "no suitable DES key for server");
267 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
268 "no suitable DES key for server");
269 goto out1;
272 max_life = _krb5_krb_life_to_time(0, life);
273 if(client->entry.max_life)
274 max_life = min(max_life, *client->entry.max_life);
275 if(server->entry.max_life)
276 max_life = min(max_life, *server->entry.max_life);
278 life = krb_time_to_life(kdc_time, kdc_time + max_life);
280 ret = krb5_generate_random_keyblock(context,
281 ETYPE_DES_PCBC_NONE,
282 &session);
283 if (ret) {
284 make_err_reply(context, reply, KFAILURE,
285 "Not enough random i KDC");
286 goto out1;
289 ret = _krb5_krb_create_ticket(context,
291 name,
292 inst,
293 config->v4_realm,
294 addr->sin_addr.s_addr,
295 &session,
296 life,
297 kdc_time,
298 sname,
299 sinst,
300 &skey->key,
301 &ticket);
302 if (ret) {
303 krb5_free_keyblock_contents(context, &session);
304 make_err_reply(context, reply, KFAILURE,
305 "failed to create v4 ticket");
306 goto out1;
309 ret = _krb5_krb_create_ciph(context,
310 &session,
311 sname,
312 sinst,
313 config->v4_realm,
314 life,
315 server->entry.kvno % 255,
316 &ticket,
317 kdc_time,
318 &ckey->key,
319 &cipher);
320 krb5_free_keyblock_contents(context, &session);
321 krb5_data_free(&ticket);
322 if (ret) {
323 make_err_reply(context, reply, KFAILURE,
324 "Failed to create v4 cipher");
325 goto out1;
328 ret = _krb5_krb_create_auth_reply(context,
329 name,
330 inst,
331 realm,
332 req_time,
334 client->entry.pw_end ? *client->entry.pw_end : 0,
335 client->entry.kvno % 256,
336 &cipher,
337 reply);
338 krb5_data_free(&cipher);
340 out1:
341 break;
343 case AUTH_MSG_APPL_REQUEST: {
344 struct _krb5_krb_auth_data ad;
345 int8_t kvno;
346 int8_t ticket_len;
347 int8_t req_len;
348 krb5_data auth;
349 int32_t address;
350 size_t pos;
351 krb5_principal tgt_princ = NULL;
352 hdb_entry_ex *tgt = NULL;
353 Key *tkey;
354 time_t max_end, actual_end, issue_time;
356 memset(&ad, 0, sizeof(ad));
357 krb5_data_zero(&auth);
359 RCHECK(krb5_ret_int8(sp, &kvno), out2);
360 RCHECK(krb5_ret_stringz(sp, &realm), out2);
362 ret = krb5_425_conv_principal(context, "krbtgt", realm,
363 config->v4_realm,
364 &tgt_princ);
365 if(ret){
366 kdc_log(context, config, 0,
367 "Converting krbtgt principal (krb4): %s",
368 krb5_get_err_text(context, ret));
369 make_err_reply(context, reply, KFAILURE,
370 "Failed to convert v4 principal (krbtgt)");
371 goto out2;
374 ret = _kdc_db_fetch(context, config, tgt_princ,
375 HDB_F_GET_KRBTGT, NULL, &tgt);
376 if(ret){
377 char *s;
378 s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
379 "found in database (krb4): krbtgt.%s@%s: %s",
380 realm, config->v4_realm,
381 krb5_get_err_text(context, ret));
382 make_err_reply(context, reply, KFAILURE, s);
383 free(s);
384 goto out2;
387 if(tgt->entry.kvno % 256 != kvno){
388 kdc_log(context, config, 0,
389 "tgs-req (krb4) with old kvno %d (current %d) for "
390 "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
391 realm, config->v4_realm);
392 make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
393 "old krbtgt kvno used");
394 goto out2;
397 ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
398 if(ret){
399 kdc_log(context, config, 0,
400 "no suitable DES key for krbtgt (krb4)");
401 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
402 "no suitable DES key for krbtgt");
403 goto out2;
406 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
407 RCHECK(krb5_ret_int8(sp, &req_len), out2);
409 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
411 auth.data = buf;
412 auth.length = pos;
414 if (config->check_ticket_addresses)
415 address = addr->sin_addr.s_addr;
416 else
417 address = 0;
419 ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
420 config->v4_realm,
421 address, &tkey->key, &ad);
422 if(ret){
423 kdc_log(context, config, 0, "krb_rd_req: %d", ret);
424 make_err_reply(context, reply, ret, "failed to parse request");
425 goto out2;
428 RCHECK(krb5_ret_int32(sp, &req_time), out2);
429 if(lsb)
430 req_time = swap32(req_time);
431 RCHECK(krb5_ret_uint8(sp, &life), out2);
432 RCHECK(krb5_ret_stringz(sp, &sname), out2);
433 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
434 snprintf (server_name, sizeof(server_name),
435 "%s.%s@%s",
436 sname, sinst, config->v4_realm);
437 snprintf (client_name, sizeof(client_name),
438 "%s.%s@%s",
439 ad.pname, ad.pinst, ad.prealm);
441 kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
442 client_name, from, server_name);
444 if(strcmp(ad.prealm, realm)){
445 kdc_log(context, config, 0,
446 "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
447 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
448 "Can't hop realms");
449 goto out2;
452 if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
453 kdc_log(context, config, 0,
454 "krb4 Cross-realm %s -> %s disabled",
455 realm, config->v4_realm);
456 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
457 "Can't hop realms");
458 goto out2;
461 if(strcmp(sname, "changepw") == 0){
462 kdc_log(context, config, 0,
463 "Bad request for changepw ticket (krb4)");
464 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
465 "Can't authorize password change based on TGT");
466 goto out2;
469 ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
470 HDB_F_GET_CLIENT, &client);
471 if(ret && ret != HDB_ERR_NOENTRY) {
472 char *s;
473 s = kdc_log_msg(context, config, 0,
474 "Client not found in database: (krb4) %s: %s",
475 client_name, krb5_get_err_text(context, ret));
476 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
477 free(s);
478 goto out2;
480 if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
481 char *s;
482 s = kdc_log_msg(context, config, 0,
483 "Local client not found in database: (krb4) "
484 "%s", client_name);
485 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
486 free(s);
487 goto out2;
490 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
491 HDB_F_GET_SERVER, &server);
492 if(ret){
493 char *s;
494 s = kdc_log_msg(context, config, 0,
495 "Server not found in database (krb4): %s: %s",
496 server_name, krb5_get_err_text(context, ret));
497 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
498 free(s);
499 goto out2;
502 ret = kdc_check_flags (context, config,
503 client, client_name,
504 server, server_name,
505 FALSE);
506 if (ret) {
507 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
508 "operation not allowed");
509 goto out2;
512 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
513 if(ret){
514 kdc_log(context, config, 0,
515 "no suitable DES key for server (krb4)");
516 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
517 "no suitable DES key for server");
518 goto out2;
521 max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
522 max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
523 if(server->entry.max_life)
524 max_end = min(max_end, kdc_time + *server->entry.max_life);
525 if(client && client->entry.max_life)
526 max_end = min(max_end, kdc_time + *client->entry.max_life);
527 life = min(life, krb_time_to_life(kdc_time, max_end));
529 issue_time = kdc_time;
530 actual_end = _krb5_krb_life_to_time(issue_time, life);
531 while (actual_end > max_end && life > 1) {
532 /* move them into the next earlier lifetime bracket */
533 life--;
534 actual_end = _krb5_krb_life_to_time(issue_time, life);
536 if (actual_end > max_end) {
537 /* if life <= 1 and it's still too long, backdate the ticket */
538 issue_time -= actual_end - max_end;
542 krb5_data ticket, cipher;
543 krb5_keyblock session;
545 krb5_data_zero(&ticket);
546 krb5_data_zero(&cipher);
548 ret = krb5_generate_random_keyblock(context,
549 ETYPE_DES_PCBC_NONE,
550 &session);
551 if (ret) {
552 make_err_reply(context, reply, KFAILURE,
553 "Not enough random i KDC");
554 goto out2;
557 ret = _krb5_krb_create_ticket(context,
559 ad.pname,
560 ad.pinst,
561 ad.prealm,
562 addr->sin_addr.s_addr,
563 &session,
564 life,
565 issue_time,
566 sname,
567 sinst,
568 &skey->key,
569 &ticket);
570 if (ret) {
571 krb5_free_keyblock_contents(context, &session);
572 make_err_reply(context, reply, KFAILURE,
573 "failed to create v4 ticket");
574 goto out2;
577 ret = _krb5_krb_create_ciph(context,
578 &session,
579 sname,
580 sinst,
581 config->v4_realm,
582 life,
583 server->entry.kvno % 255,
584 &ticket,
585 issue_time,
586 &ad.session,
587 &cipher);
588 krb5_free_keyblock_contents(context, &session);
589 if (ret) {
590 make_err_reply(context, reply, KFAILURE,
591 "failed to create v4 cipher");
592 goto out2;
595 ret = _krb5_krb_create_auth_reply(context,
596 ad.pname,
597 ad.pinst,
598 ad.prealm,
599 req_time,
603 &cipher,
604 reply);
605 krb5_data_free(&cipher);
607 out2:
608 _krb5_krb_free_auth_data(context, &ad);
609 if(tgt_princ)
610 krb5_free_principal(context, tgt_princ);
611 if(tgt)
612 _kdc_free_ent(context, tgt);
613 break;
615 case AUTH_MSG_ERR_REPLY:
616 ret = EINVAL;
617 break;
618 default:
619 kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
620 msg_type, from);
622 make_err_reply(context, reply, KFAILURE, "Unknown message type");
623 ret = EINVAL;
625 out:
626 if(name)
627 free(name);
628 if(inst)
629 free(inst);
630 if(realm)
631 free(realm);
632 if(sname)
633 free(sname);
634 if(sinst)
635 free(sinst);
636 if(client)
637 _kdc_free_ent(context, client);
638 if(server)
639 _kdc_free_ent(context, server);
640 krb5_storage_free(sp);
641 return ret;
644 krb5_error_code
645 _kdc_encode_v4_ticket(krb5_context context,
646 krb5_kdc_configuration *config,
647 void *buf, size_t len, const EncTicketPart *et,
648 const PrincipalName *service, size_t *size)
650 krb5_storage *sp;
651 krb5_error_code ret;
652 char name[40], inst[40], realm[40];
653 char sname[40], sinst[40];
656 krb5_principal princ;
657 _krb5_principalname2krb5_principal(context,
658 &princ,
659 *service,
660 et->crealm);
661 ret = krb5_524_conv_principal(context,
662 princ,
663 sname,
664 sinst,
665 realm);
666 krb5_free_principal(context, princ);
667 if(ret)
668 return ret;
670 _krb5_principalname2krb5_principal(context,
671 &princ,
672 et->cname,
673 et->crealm);
675 ret = krb5_524_conv_principal(context,
676 princ,
677 name,
678 inst,
679 realm);
680 krb5_free_principal(context, princ);
682 if(ret)
683 return ret;
685 sp = krb5_storage_emem();
687 krb5_store_int8(sp, 0); /* flags */
688 krb5_store_stringz(sp, name);
689 krb5_store_stringz(sp, inst);
690 krb5_store_stringz(sp, realm);
692 unsigned char tmp[4] = { 0, 0, 0, 0 };
693 int i;
694 if(et->caddr){
695 for(i = 0; i < et->caddr->len; i++)
696 if(et->caddr->val[i].addr_type == AF_INET &&
697 et->caddr->val[i].address.length == 4){
698 memcpy(tmp, et->caddr->val[i].address.data, 4);
699 break;
702 krb5_storage_write(sp, tmp, sizeof(tmp));
705 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
706 et->key.keytype != ETYPE_DES_CBC_MD4 &&
707 et->key.keytype != ETYPE_DES_CBC_CRC) ||
708 et->key.keyvalue.length != 8)
709 return -1;
710 krb5_storage_write(sp, et->key.keyvalue.data, 8);
713 time_t start = et->starttime ? *et->starttime : et->authtime;
714 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
715 krb5_store_int32(sp, start);
718 krb5_store_stringz(sp, sname);
719 krb5_store_stringz(sp, sinst);
722 krb5_data data;
723 krb5_storage_to_data(sp, &data);
724 krb5_storage_free(sp);
725 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
726 if(*size > len)
727 return -1;
728 memset((unsigned char*)buf - *size + 1, 0, *size);
729 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
730 krb5_data_free(&data);
732 return 0;
735 krb5_error_code
736 _kdc_get_des_key(krb5_context context,
737 hdb_entry_ex *principal, krb5_boolean is_server,
738 krb5_boolean prefer_afs_key, Key **ret_key)
740 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
741 int i;
742 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
743 ETYPE_DES_CBC_MD4,
744 ETYPE_DES_CBC_CRC };
746 for(i = 0;
747 i < sizeof(etypes)/sizeof(etypes[0])
748 && (v5_key == NULL || v4_key == NULL ||
749 afs_key == NULL || server_key == NULL);
750 ++i) {
751 Key *key = NULL;
752 while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
753 if(key->salt == NULL) {
754 if(v5_key == NULL)
755 v5_key = key;
756 } else if(key->salt->type == hdb_pw_salt &&
757 key->salt->salt.length == 0) {
758 if(v4_key == NULL)
759 v4_key = key;
760 } else if(key->salt->type == hdb_afs3_salt) {
761 if(afs_key == NULL)
762 afs_key = key;
763 } else if(server_key == NULL)
764 server_key = key;
768 if(prefer_afs_key) {
769 if(afs_key)
770 *ret_key = afs_key;
771 else if(v4_key)
772 *ret_key = v4_key;
773 else if(v5_key)
774 *ret_key = v5_key;
775 else if(is_server && server_key)
776 *ret_key = server_key;
777 else
778 return KRB4ET_KDC_NULL_KEY;
779 } else {
780 if(v4_key)
781 *ret_key = v4_key;
782 else if(afs_key)
783 *ret_key = afs_key;
784 else if(v5_key)
785 *ret_key = v5_key;
786 else if(is_server && server_key)
787 *ret_key = server_key;
788 else
789 return KRB4ET_KDC_NULL_KEY;
792 if((*ret_key)->key.keyvalue.length == 0)
793 return KRB4ET_KDC_NULL_KEY;
794 return 0;
797 #endif /* KRB4 */