krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
- Key *key;
+ Key *key = NULL;
int i;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
- for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
+ for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
- for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
+ for (j = 0; j < len && key == NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
+ if (enctype == ETYPE_NULL) {
+ ret = hdb_enctype_supported(context, &princ->entry, p[i]);
+ if (ret == 0) {
+ enctype = p[i];
+ }
+ }
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
- enctype = p[i];
}
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
- else if (enctype == ETYPE_NULL)
+ else if (key == NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
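Review bot: With both loop conditions now testing `key == NULL`, a key that `hdb_enctype2key` returns but that the pre-auth salt check rejects still ends the search, because the `continue` after `is_default_salt_p` leaves `key` pointing at the rejected entry; the old code kept looking because `enctype` stayed ETYPE_NULL and `hdb_enctype2key` reset the pointer on the next call. After the loops `key` is non-NULL and `enctype` was already set by `hdb_enctype_supported`, so neither post-loop branch fires, `ret` stays 0 and the rejected key is handed back, which undoes the v4-salt avoidance the comment at the top describes. Clearing the pointer before continuing restores the search: `if (is_preauth && !is_default_salt_p(&def_salt, key)) { key = NULL; continue; }`. _kdc_find_etype begins before and continues after this hunk, so I could not check whether the later `*ret_key = key` assignment depends on `key` in the same way.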
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, NULL,
+ server, b->etype.val, b->etype.len, &etype,
&skey);
if(ret) {
kdc_log(context, config, 0,
goto out;
}
ekey = &skey->key;
- etype = skey->key.keytype;
kvno = server->entry.kvno;
}
#endif
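Review bot: Dropping `etype = skey->key.keytype;` means `etype` is now whatever `_kdc_find_etype` reports through its `ret_enctype` argument, and with the kerberos5.c change in this commit that may be an enctype the server entry merely lists rather than one it holds key material for, while `ekey = &skey->key` is still the key the reply is actually protected with; the two are no longer guaranteed to match and nothing here says so. A comment on the `ekey` line, `/* etype is the enctype chosen from the entry's supported list; it need not equal skey->key.keytype */`, would keep the next reader from "fixing" it back. The enclosing function starts and ends outside the hunk, so I could not see how etype is consumed afterwards.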
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
+static krb5_error_code
+_hdb_next_enctype2key(krb5_context context,
const hdb_entry *e,
krb5_enctype enctype,
- Key **key)
+ Key **key,
+ bool require_key)
{
Key *k;
k < e->keys.val + e->keys.len;
k++)
{
+ if (require_key && k->key.keyvalue.length == 0) {
+ continue;
+ }
+
if(k->key.keytype == enctype){
*key = k;
return 0;
return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
}
+
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
+ const hdb_entry *e,
+ krb5_enctype enctype,
+ Key **key)
+{
+ return _hdb_next_enctype2key(context, e, enctype, key, true);
+}
+
krb5_error_code
hdb_enctype2key(krb5_context context,
hdb_entry *e,
return hdb_next_enctype2key(context, e, enctype, key);
}
+krb5_error_code
+hdb_enctype_supported(krb5_context context,
+ hdb_entry *e,
+ krb5_enctype enctype)
+{
+ Key *key = NULL;
+ return _hdb_next_enctype2key(context, e, enctype, &key, false);
+}
+
void
hdb_free_key(Key *key)
{
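Review bot: `_hdb_next_enctype2key` gains a `require_key` flag with no comment, and routing the public `hdb_next_enctype2key` through it with `require_key` fixed to true silently changes what every existing caller gets: entries whose `keyvalue.length` is 0 are now skipped as if the enctype were absent. A header comment on the static helper should say so, e.g. `/* Find the next key of type enctype in e, resuming after *key when it is non-NULL; with require_key set, keys with an empty keyvalue are skipped so callers never encrypt with a keyless entry. */`, and the Doxygen on the public wrapper should carry the same require-key note while `hdb_enctype_supported` documents that it reports only presence of the enctype, not usable key material. The resume-after-`*key` part is inferred from the loop's bound and `k++` lines; the `for` initialiser is not shown here, so confirm it. `hdb_enctype_supported` could also take `const hdb_entry *e`, since the helper it calls only needs a const pointer.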
hdb_dbinfo_get_realm;
hdb_default_db;
hdb_enctype2key;
+ hdb_enctype_supported;
hdb_entry2string;
hdb_entry2value;
hdb_entry_alias2value;