Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/kerberos5.c15
-rw-r--r--source4/heimdal/kdc/krb5tgs.c3
-rw-r--r--source4/heimdal/lib/hdb/hdb.c30
-rw-r--r--source4/heimdal/lib/hdb/version-script.map1
4 files changed, 39 insertions, 10 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index db2c6262116..c6ec65ee926 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
- Key *key;
+ Key *key = NULL;
int i;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
@@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
- for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
+ for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
- for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
+ for (j = 0; j < len && key == NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
+ if (enctype == ETYPE_NULL) {
+ ret = hdb_enctype_supported(context, &princ->entry, p[i]);
+ if (ret == 0) {
+ enctype = p[i];
+ }
+ }
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
- enctype = p[i];
}
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
- else if (enctype == ETYPE_NULL)
+ else if (key == NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
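Review bot: The pre-auth salt rejection `if (is_preauth && !is_default_salt_p(&def_salt, key)) continue;` now ends the search instead of skipping the key: hdb_enctype2key has already stored the rejected key in `key`, so both loop conditions rewritten in this hunk (`key == NULL`) go false, and the function falls through to `else if (key == NULL)` with ret still 0, returning the very key the salt check meant to exclude. Before this change the loops were driven by `enctype`, which was only assigned after the salt check passed, so the search continued. Clearing the pointer before skipping restores that: `if (is_preauth && !is_default_salt_p(&def_salt, key)) { key = NULL; continue; }`. A short comment would also help, since `enctype` (first mutually supported type the entry lists, via hdb_enctype_supported) and `key` (first such type with usable key material and salt) are now deliberately allowed to differ. _kdc_find_etype begins before and continues past this hunk.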
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a71cfbff66c..a91b319c630 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1703,7 +1703,7 @@ server_lookup:
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, NULL,
+ server, b->etype.val, b->etype.len, &etype,
&skey);
if(ret) {
kdc_log(context, config, 0,
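Review bot: `etype` is now whatever _kdc_find_etype reports through its ret_enctype argument rather than `skey->key.keytype` (the assignment deleted in the next hunk), so `ekey` and `etype` may no longer describe the same key: per the kerberos5.c hunk, enctype can come from hdb_enctype_supported or the clientbest fallback while skey is the first key that passed the lookup. If later code builds a crypto context from ekey and separately advertises etype, that pairing is now an invariant nothing at this call site checks, and it is not obvious to a reader why the direct derivation went away. A one-line comment at the call, e.g. `/* etype is the negotiated enctype; it may differ from skey->key.keytype */`, would record the intent. The enclosing server_lookup block begins and ends outside the hunk.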
@@ -1711,7 +1711,6 @@ server_lookup:
goto out;
}
ekey = &skey->key;
- etype = skey->key.keytype;
kvno = server->entry.kvno;
}
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 5dc5a0957e0..4c8df930b0c 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -93,11 +93,12 @@ static struct hdb_method dbmetod =
#endif
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
+static krb5_error_code
+_hdb_next_enctype2key(krb5_context context,
const hdb_entry *e,
krb5_enctype enctype,
- Key **key)
+ Key **key,
+ bool require_key)
{
Key *k;
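Review bot: The new `require_key` parameter is typed `bool` while the surrounding interfaces use `krb5_boolean` (see `use_strongest_session_key` in the kerberos5.c hunk); `krb5_boolean require_key` keeps this file on the project's type and avoids relying on `<stdbool.h>` being reachable from this translation unit, which the hunk does not show. As a nit, a file-scope identifier starting with an underscore (`_hdb_next_enctype2key`) is reserved by C11 7.1.3, though the project appears to use the `_hdb_` prefix convention elsewhere, so follow local practice. The body of _hdb_next_enctype2key continues past this hunk.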
@@ -105,6 +106,10 @@ hdb_next_enctype2key(krb5_context context,
k < e->keys.val + e->keys.len;
k++)
{
+ if (require_key && k->key.keyvalue.length == 0) {
+ continue;
+ }
+
if(k->key.keytype == enctype){
*key = k;
return 0;
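Review bot: The `require_key` skip changes what the existing public hdb_next_enctype2key and hdb_enctype2key return, because the wrapper added in the following hunk passes `true`: an entry whose only key of the requested enctype has `keyvalue.length == 0` now yields KRB5_PROG_ETYPE_NOSUPP where it previously returned that key. That is presumably intended (an empty keyvalue cannot be used to encrypt), but nothing in the diff states it, and any other caller of these two functions inherits the new behaviour. A comment on the skip, `/* an empty keyvalue cannot encrypt; only hdb_enctype_supported() counts it */`, plus a sentence in the doc comment of hdb_next_enctype2key saying keys without material are skipped, would make the contract explicit. The loop belongs to _hdb_next_enctype2key, whose start and end lie outside this hunk.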
@@ -116,6 +121,16 @@ hdb_next_enctype2key(krb5_context context,
return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
}
+
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
+ const hdb_entry *e,
+ krb5_enctype enctype,
+ Key **key)
+{
+ return _hdb_next_enctype2key(context, e, enctype, key, true);
+}
+
krb5_error_code
hdb_enctype2key(krb5_context context,
hdb_entry *e,
@@ -126,6 +141,15 @@ hdb_enctype2key(krb5_context context,
return hdb_next_enctype2key(context, e, enctype, key);
}
+krb5_error_code
+hdb_enctype_supported(krb5_context context,
+ hdb_entry *e,
+ krb5_enctype enctype)
+{
+ Key *key = NULL;
+ return _hdb_next_enctype2key(context, e, enctype, &key, false);
+}
+
void
hdb_free_key(Key *key)
{
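Review bot: hdb_enctype_supported has no doc comment, yet the only thing distinguishing it from hdb_enctype2key is that it counts keys with an empty keyvalue (require_key=false), and its "not supported" answer is the raw KRB5_PROG_ETYPE_NOSUPP from the callee (still marked `/* XXX */` in the earlier hunk) rather than a documented yes/no. Suggested header comment: state that it reports whether the entry lists a key of `enctype` regardless of whether key material is present, returning 0 when it does and KRB5_PROG_ETYPE_NOSUPP otherwise. Since _hdb_next_enctype2key takes `const hdb_entry *`, the parameter can be `const hdb_entry *e` here (hdb_enctype2key above is non-const, so this is a judgement call for consistency). If the hdb prototypes header is maintained by hand rather than generated from these sources, the new function also needs a declaration there; the version-script export is already in this diff.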
diff --git a/source4/heimdal/lib/hdb/version-script.map b/source4/heimdal/lib/hdb/version-script.map
index f80fb78a654..c4bd8f4cd44 100644
--- a/source4/heimdal/lib/hdb/version-script.map
+++ b/source4/heimdal/lib/hdb/version-script.map
@@ -20,6 +20,7 @@ HEIMDAL_HDB_1.0 {
hdb_dbinfo_get_realm;
hdb_default_db;
hdb_enctype2key;
+ hdb_enctype_supported;
hdb_entry2string;
hdb_entry2value;
hdb_entry_alias2value;