diff options
author | Heimdal Import User <samba-bugs@samba.org> | 2005-07-11 01:16:55 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:19:33 -0500 |
commit | 954c01728e0c7485b72c9a5d5737e5f6bd0cf0b9 (patch) | |
tree | fc11a048c8a582e2ca66415ff04dacf74f9abf22 /source4/heimdal/kdc/kerberos4.c | |
parent | 7ead5ab06cea9f33e954a4579163262f97ea06ff (diff) | |
download | samba-954c01728e0c7485b72c9a5d5737e5f6bd0cf0b9.tar.gz samba-954c01728e0c7485b72c9a5d5737e5f6bd0cf0b9.tar.bz2 samba-954c01728e0c7485b72c9a5d5737e5f6bd0cf0b9.zip |
r8302: import mini HEIMDAL into the tree
(This used to be commit 118be28a7aef233799956615a99d1a2a74dac175)
Diffstat (limited to 'source4/heimdal/kdc/kerberos4.c')
-rw-r--r-- | source4/heimdal/kdc/kerberos4.c | 783 |
1 files changed, 783 insertions, 0 deletions
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c new file mode 100644 index 0000000000..a81fbb7b59 --- /dev/null +++ b/source4/heimdal/kdc/kerberos4.c @@ -0,0 +1,783 @@ +/* + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kdc_locl.h" + +#include <krb5-v4compat.h> + +RCSID("$Id: kerberos4.c,v 1.54 2005/06/30 01:51:43 lha Exp $"); + +#ifndef swap32 +static u_int32_t +swap32(u_int32_t x) +{ + return ((x << 24) & 0xff000000) | + ((x << 8) & 0xff0000) | + ((x >> 8) & 0xff00) | + ((x >> 24) & 0xff); +} +#endif /* swap32 */ + +int +_kdc_maybe_version4(unsigned char *buf, int len) +{ + return len > 0 && *buf == 4; +} + +static void +make_err_reply(krb5_context context, krb5_data *reply, + int code, const char *msg) +{ + _krb5_krb_cr_err_reply(context, "", "", "", + kdc_time, code, msg, reply); +} + +static krb5_boolean +valid_princ(krb5_context context, + void *funcctx, + krb5_principal princ) +{ + krb5_kdc_configuration *config = funcctx; + krb5_error_code ret; + char *s; + hdb_entry *ent; + + ret = krb5_unparse_name(context, princ, &s); + if (ret) + return FALSE; + ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_ANY, &ent); + if (ret) { + kdc_log(context, config, 7, "Lookup %s failed: %s", s, + krb5_get_err_text (context, ret)); + free(s); + return FALSE; + } + kdc_log(context, config, 7, "Lookup %s succeeded", s); + free(s); + _kdc_free_ent(context, ent); + return TRUE; +} + +krb5_error_code +_kdc_db_fetch4(krb5_context context, + krb5_kdc_configuration *config, + const char *name, const char *instance, const char *realm, + enum hdb_ent_type ent_type, + hdb_entry **ent) +{ + krb5_principal p; + krb5_error_code ret; + + ret = krb5_425_conv_principal_ext2(context, name, instance, realm, + valid_princ, config, 0, &p); + if(ret) + return ret; + ret = _kdc_db_fetch(context, config, p, ent_type, ent); + krb5_free_principal(context, p); + return ret; +} + +#define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;} + +/* + * Process the v4 request in `buf, len' (received from `addr' + * (with string `from'). + * Return an error code and a reply in `reply'. + */ + +krb5_error_code +_kdc_do_version4(krb5_context context, + krb5_kdc_configuration *config, + unsigned char *buf, + size_t len, + krb5_data *reply, + const char *from, + struct sockaddr_in *addr) +{ + krb5_storage *sp; + krb5_error_code ret; + hdb_entry *client = NULL, *server = NULL; + Key *ckey, *skey; + int8_t pvno; + int8_t msg_type; + int lsb; + char *name = NULL, *inst = NULL, *realm = NULL; + char *sname = NULL, *sinst = NULL; + int32_t req_time; + time_t max_life; + u_int8_t life; + char client_name[256]; + char server_name[256]; + + if(!config->enable_v4) { + kdc_log(context, config, 0, + "Rejected version 4 request from %s", from); + make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled"); + return 0; + } + + sp = krb5_storage_from_mem(buf, len); + RCHECK(krb5_ret_int8(sp, &pvno), out); + if(pvno != 4){ + kdc_log(context, config, 0, + "Protocol version mismatch (krb4) (%d)", pvno); + make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch"); + goto out; + } + RCHECK(krb5_ret_int8(sp, &msg_type), out); + lsb = msg_type & 1; + msg_type &= ~1; + switch(msg_type){ + case AUTH_MSG_KDC_REQUEST: { + krb5_data ticket, cipher; + krb5_keyblock session; + + krb5_data_zero(&ticket); + krb5_data_zero(&cipher); + + RCHECK(krb5_ret_stringz(sp, &name), out1); + RCHECK(krb5_ret_stringz(sp, &inst), out1); + RCHECK(krb5_ret_stringz(sp, &realm), out1); + RCHECK(krb5_ret_int32(sp, &req_time), out1); + if(lsb) + req_time = swap32(req_time); + RCHECK(krb5_ret_int8(sp, &life), out1); + RCHECK(krb5_ret_stringz(sp, &sname), out1); + RCHECK(krb5_ret_stringz(sp, &sinst), out1); + snprintf (client_name, sizeof(client_name), + "%s.%s@%s", name, inst, realm); + snprintf (server_name, sizeof(server_name), + "%s.%s@%s", sname, sinst, config->v4_realm); + + kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", + client_name, from, server_name); + + ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_ENT_TYPE_CLIENT, &client); + if(ret) { + kdc_log(context, config, 0, "Client not found in database: %s: %s", + client_name, krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "principal unknown"); + goto out1; + } + ret = _kdc_db_fetch4(context, config, sname, sinst, + config->v4_realm, HDB_ENT_TYPE_SERVER, &server); + if(ret){ + kdc_log(context, config, 0, "Server not found in database: %s: %s", + server_name, krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "principal unknown"); + goto out1; + } + + ret = _kdc_check_flags (context, config, + client, client_name, + server, server_name, + TRUE); + if (ret) { + /* good error code? */ + make_err_reply(context, reply, KERB_ERR_NAME_EXP, + "operation not allowed"); + goto out1; + } + + /* + * There's no way to do pre-authentication in v4 and thus no + * good error code to return if preauthentication is required. + */ + + if (config->require_preauth + || client->flags.require_preauth + || server->flags.require_preauth) { + kdc_log(context, config, 0, + "Pre-authentication required for v4-request: " + "%s for %s", + client_name, server_name); + make_err_reply(context, reply, KERB_ERR_NULL_KEY, + "preauth required"); + goto out1; + } + + ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey); + if(ret){ + kdc_log(context, config, 0, "no suitable DES key for client"); + make_err_reply(context, reply, KDC_NULL_KEY, + "no suitable DES key for client"); + goto out1; + } + +#if 0 + /* this is not necessary with the new code in libkrb */ + /* find a properly salted key */ + while(ckey->salt == NULL || ckey->salt->salt.length != 0) + ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); + if(ret){ + kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", + name, inst, realm); + make_err_reply(context, reply, KDC_NULL_KEY, + "No version-4 salted key in database"); + goto out1; + } +#endif + + ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); + if(ret){ + kdc_log(context, config, 0, "no suitable DES key for server"); + /* XXX */ + make_err_reply(context, reply, KDC_NULL_KEY, + "no suitable DES key for server"); + goto out1; + } + + max_life = _krb5_krb_life_to_time(0, life); + if(client->max_life) + max_life = min(max_life, *client->max_life); + if(server->max_life) + max_life = min(max_life, *server->max_life); + + life = krb_time_to_life(kdc_time, kdc_time + max_life); + + ret = krb5_generate_random_keyblock(context, + ETYPE_DES_PCBC_NONE, + &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Not enough random i KDC"); + goto out1; + } + + ret = _krb5_krb_create_ticket(context, + 0, + name, + inst, + config->v4_realm, + addr->sin_addr.s_addr, + &session, + life, + kdc_time, + sname, + sinst, + &skey->key, + &ticket); + if (ret) { + krb5_free_keyblock_contents(context, &session); + make_err_reply(context, reply, KFAILURE, + "failed to create v4 ticket"); + goto out1; + } + + ret = _krb5_krb_create_ciph(context, + &session, + sname, + sinst, + config->v4_realm, + life, + server->kvno % 255, + &ticket, + kdc_time, + &ckey->key, + &cipher); + krb5_free_keyblock_contents(context, &session); + krb5_data_free(&ticket); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Failed to create v4 cipher"); + goto out1; + } + + ret = _krb5_krb_create_auth_reply(context, + name, + inst, + realm, + req_time, + 0, + client->pw_end ? *client->pw_end : 0, + client->kvno % 256, + &cipher, + reply); + krb5_data_free(&cipher); + + out1: + break; + } + case AUTH_MSG_APPL_REQUEST: { + struct _krb5_krb_auth_data ad; + int8_t kvno; + int8_t ticket_len; + int8_t req_len; + krb5_data auth; + int32_t address; + size_t pos; + krb5_principal tgt_princ = NULL; + hdb_entry *tgt = NULL; + Key *tkey; + time_t max_end, actual_end, issue_time; + + memset(&ad, 0, sizeof(ad)); + krb5_data_zero(&auth); + + RCHECK(krb5_ret_int8(sp, &kvno), out2); + RCHECK(krb5_ret_stringz(sp, &realm), out2); + + ret = krb5_425_conv_principal(context, "krbtgt", realm, + config->v4_realm, + &tgt_princ); + if(ret){ + kdc_log(context, config, 0, + "Converting krbtgt principal (krb4): %s", + krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KFAILURE, + "Failed to convert v4 principal (krbtgt)"); + goto out2; + } + + ret = _kdc_db_fetch(context, config, tgt_princ, HDB_ENT_TYPE_SERVER, &tgt); + if(ret){ + char *s; + s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " + "found in database (krb4): krbtgt.%s@%s: %s", + realm, config->v4_realm, + krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KFAILURE, s); + free(s); + goto out2; + } + + if(tgt->kvno % 256 != kvno){ + kdc_log(context, config, 0, + "tgs-req (krb4) with old kvno %d (current %d) for " + "krbtgt.%s@%s", kvno, tgt->kvno % 256, + realm, config->v4_realm); + make_err_reply(context, reply, KDC_AUTH_EXP, + "old krbtgt kvno used"); + goto out2; + } + + ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey); + if(ret){ + kdc_log(context, config, 0, + "no suitable DES key for krbtgt (krb4)"); + /* XXX */ + make_err_reply(context, reply, KDC_NULL_KEY, + "no suitable DES key for krbtgt"); + goto out2; + } + + RCHECK(krb5_ret_int8(sp, &ticket_len), out2); + RCHECK(krb5_ret_int8(sp, &req_len), out2); + + pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); + + auth.data = buf; + auth.length = pos; + + if (config->check_ticket_addresses) + address = addr->sin_addr.s_addr; + else + address = 0; + + ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, + config->v4_realm, + address, &tkey->key, &ad); + if(ret){ + kdc_log(context, config, 0, "krb_rd_req: %d", ret); + make_err_reply(context, reply, ret, "failed to parse request"); + goto out2; + } + + RCHECK(krb5_ret_int32(sp, &req_time), out2); + if(lsb) + req_time = swap32(req_time); + RCHECK(krb5_ret_int8(sp, &life), out2); + RCHECK(krb5_ret_stringz(sp, &sname), out2); + RCHECK(krb5_ret_stringz(sp, &sinst), out2); + snprintf (server_name, sizeof(server_name), + "%s.%s@%s", + sname, sinst, config->v4_realm); + snprintf (client_name, sizeof(client_name), + "%s.%s@%s", + ad.pname, ad.pinst, ad.prealm); + + kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s", + client_name, from, server_name); + + if(strcmp(ad.prealm, realm)){ + kdc_log(context, config, 0, + "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't hop realms"); + goto out2; + } + + if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) { + kdc_log(context, config, 0, + "krb4 Cross-realm %s -> %s disabled", + realm, config->v4_realm); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't hop realms"); + goto out2; + } + + if(strcmp(sname, "changepw") == 0){ + kdc_log(context, config, 0, + "Bad request for changepw ticket (krb4)"); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't authorize password change based on TGT"); + goto out2; + } + + ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_ENT_TYPE_CLIENT, &client); + if(ret && ret != HDB_ERR_NOENTRY) { + char *s; + s = kdc_log_msg(context, config, 0, + "Client not found in database: (krb4) %s: %s", + client_name, krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + free(s); + goto out2; + } + if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) { + char *s; + s = kdc_log_msg(context, config, 0, + "Local client not found in database: (krb4) " + "%s", client_name); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + free(s); + goto out2; + } + + ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, + HDB_ENT_TYPE_SERVER, &server); + if(ret){ + char *s; + s = kdc_log_msg(context, config, 0, + "Server not found in database (krb4): %s: %s", + server_name, krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + free(s); + goto out2; + } + + ret = _kdc_check_flags (context, config, + client, client_name, + server, server_name, + FALSE); + if (ret) { + /* good error code? */ + make_err_reply(context, reply, KERB_ERR_NAME_EXP, + "operation not allowed"); + goto out2; + } + + ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); + if(ret){ + kdc_log(context, config, 0, + "no suitable DES key for server (krb4)"); + /* XXX */ + make_err_reply(context, reply, KDC_NULL_KEY, + "no suitable DES key for server"); + goto out2; + } + + max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life); + max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life)); + if(server->max_life) + max_end = min(max_end, kdc_time + *server->max_life); + if(client && client->max_life) + max_end = min(max_end, kdc_time + *client->max_life); + life = min(life, krb_time_to_life(kdc_time, max_end)); + + issue_time = kdc_time; + actual_end = _krb5_krb_life_to_time(issue_time, life); + while (actual_end > max_end && life > 1) { + /* move them into the next earlier lifetime bracket */ + life--; + actual_end = _krb5_krb_life_to_time(issue_time, life); + } + if (actual_end > max_end) { + /* if life <= 1 and it's still too long, backdate the ticket */ + issue_time -= actual_end - max_end; + } + + { + krb5_data ticket, cipher; + krb5_keyblock session; + + krb5_data_zero(&ticket); + krb5_data_zero(&cipher); + + ret = krb5_generate_random_keyblock(context, + ETYPE_DES_PCBC_NONE, + &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Not enough random i KDC"); + goto out2; + } + + ret = _krb5_krb_create_ticket(context, + 0, + ad.pname, + ad.pinst, + ad.prealm, + addr->sin_addr.s_addr, + &session, + life, + issue_time, + sname, + sinst, + &skey->key, + &ticket); + if (ret) { + krb5_free_keyblock_contents(context, &session); + make_err_reply(context, reply, KFAILURE, + "failed to create v4 ticket"); + goto out2; + } + + ret = _krb5_krb_create_ciph(context, + &session, + sname, + sinst, + config->v4_realm, + life, + server->kvno % 255, + &ticket, + issue_time, + &ad.session, + &cipher); + krb5_free_keyblock_contents(context, &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "failed to create v4 cipher"); + goto out2; + } + + ret = _krb5_krb_create_auth_reply(context, + ad.pname, + ad.pinst, + ad.prealm, + req_time, + 0, + 0, + 0, + &cipher, + reply); + krb5_data_free(&cipher); + } + out2: + _krb5_krb_free_auth_data(context, &ad); + if(tgt_princ) + krb5_free_principal(context, tgt_princ); + if(tgt) + _kdc_free_ent(context, tgt); + break; + } + case AUTH_MSG_ERR_REPLY: + break; + default: + kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", + msg_type, from); + + make_err_reply(context, reply, KFAILURE, "Unknown message type"); + } + out: + if(name) + free(name); + if(inst) + free(inst); + if(realm) + free(realm); + if(sname) + free(sname); + if(sinst) + free(sinst); + if(client) + _kdc_free_ent(context, client); + if(server) + _kdc_free_ent(context, server); + krb5_storage_free(sp); + return 0; +} + +krb5_error_code +_kdc_encode_v4_ticket(krb5_context context, + krb5_kdc_configuration *config, + void *buf, size_t len, const EncTicketPart *et, + const PrincipalName *service, size_t *size) +{ + krb5_storage *sp; + krb5_error_code ret; + char name[40], inst[40], realm[40]; + char sname[40], sinst[40]; + + { + krb5_principal princ; + _krb5_principalname2krb5_principal(&princ, + *service, + et->crealm); + ret = krb5_524_conv_principal(context, + princ, + sname, + sinst, + realm); + krb5_free_principal(context, princ); + if(ret) + return ret; + + _krb5_principalname2krb5_principal(&princ, + et->cname, + et->crealm); + + ret = krb5_524_conv_principal(context, + princ, + name, + inst, + realm); + krb5_free_principal(context, princ); + } + if(ret) + return ret; + + sp = krb5_storage_emem(); + + krb5_store_int8(sp, 0); /* flags */ + krb5_store_stringz(sp, name); + krb5_store_stringz(sp, inst); + krb5_store_stringz(sp, realm); + { + unsigned char tmp[4] = { 0, 0, 0, 0 }; + int i; + if(et->caddr){ + for(i = 0; i < et->caddr->len; i++) + if(et->caddr->val[i].addr_type == AF_INET && + et->caddr->val[i].address.length == 4){ + memcpy(tmp, et->caddr->val[i].address.data, 4); + break; + } + } + krb5_storage_write(sp, tmp, sizeof(tmp)); + } + + if((et->key.keytype != ETYPE_DES_CBC_MD5 && + et->key.keytype != ETYPE_DES_CBC_MD4 && + et->key.keytype != ETYPE_DES_CBC_CRC) || + et->key.keyvalue.length != 8) + return -1; + krb5_storage_write(sp, et->key.keyvalue.data, 8); + + { + time_t start = et->starttime ? *et->starttime : et->authtime; + krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); + krb5_store_int32(sp, start); + } + + krb5_store_stringz(sp, sname); + krb5_store_stringz(sp, sinst); + + { + krb5_data data; + krb5_storage_to_data(sp, &data); + krb5_storage_free(sp); + *size = (data.length + 7) & ~7; /* pad to 8 bytes */ + if(*size > len) + return -1; + memset((unsigned char*)buf - *size + 1, 0, *size); + memcpy((unsigned char*)buf - *size + 1, data.data, data.length); + krb5_data_free(&data); + } + return 0; +} + +krb5_error_code +_kdc_get_des_key(krb5_context context, + hdb_entry *principal, krb5_boolean is_server, + krb5_boolean prefer_afs_key, Key **ret_key) +{ + Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; + int i; + krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, + ETYPE_DES_CBC_MD4, + ETYPE_DES_CBC_CRC }; + + for(i = 0; + i < sizeof(etypes)/sizeof(etypes[0]) + && (v5_key == NULL || v4_key == NULL || + afs_key == NULL || server_key == NULL); + ++i) { + Key *key = NULL; + while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) { + if(key->salt == NULL) { + if(v5_key == NULL) + v5_key = key; + } else if(key->salt->type == hdb_pw_salt && + key->salt->salt.length == 0) { + if(v4_key == NULL) + v4_key = key; + } else if(key->salt->type == hdb_afs3_salt) { + if(afs_key == NULL) + afs_key = key; + } else if(server_key == NULL) + server_key = key; + } + } + + if(prefer_afs_key) { + if(afs_key) + *ret_key = afs_key; + else if(v4_key) + *ret_key = v4_key; + else if(v5_key) + *ret_key = v5_key; + else if(is_server && server_key) + *ret_key = server_key; + else + return KERB_ERR_NULL_KEY; + } else { + if(v4_key) + *ret_key = v4_key; + else if(afs_key) + *ret_key = afs_key; + else if(v5_key) + *ret_key = v5_key; + else if(is_server && server_key) + *ret_key = server_key; + else + return KERB_ERR_NULL_KEY; + } + + if((*ret_key)->key.keyvalue.length == 0) + return KERB_ERR_NULL_KEY; + return 0; +} + |