1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7 /*
8 * lib/kdb/decrypt_key.c
9 *
10 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
11 * All Rights Reserved.
12 *
13 * Export of this software from the United States of America may
14 * require a specific license from the United States Government.
15 * It is the responsibility of any person or organization contemplating
16 * export to obtain such a license before exporting.
17 *
18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19 * distribute this software and its documentation for any purpose and
20 * without fee is hereby granted, provided that the above copyright
21 * notice appear in all copies and that both that copyright notice and
22 * this permission notice appear in supporting documentation, and that
23 * the name of M.I.T. not be used in advertising or publicity pertaining
24 * to distribution of the software without specific, written prior
25 * permission. Furthermore if you modify this software you must label
26 * your software as modified software and not distribute it in such a
27 * fashion that it might be confused with the original M.I.T. software.
28 * M.I.T. makes no representations about the suitability of
29 * this software for any purpose. It is provided "as is" without express
30 * or implied warranty.
31 *
32 *
33 * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions
34 */
35
36 /*
37 * Copyright (C) 1998 by the FundsXpress, INC.
38 *
39 * All rights reserved.
40 *
41 * Export of this software from the United States of America may require
42 * a specific license from the United States Government. It is the
43 * responsibility of any person or organization contemplating export to
44 * obtain such a license before exporting.
45 *
46 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
47 * distribute this software and its documentation for any purpose and
48 * without fee is hereby granted, provided that the above copyright
49 * notice appear in all copies and that both that copyright notice and
50 * this permission notice appear in supporting documentation, and that
51 * the name of FundsXpress. not be used in advertising or publicity pertaining
52 * to distribution of the software without specific, written prior
53 * permission. FundsXpress makes no representations about the suitability of
54 * this software for any purpose. It is provided "as is" without express
55 * or implied warranty.
56 *
57 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
58 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
59 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
60 */
61
62 #include "k5-int.h"
63 #include <krb5/kdb.h>
64
65 /*
66 * Decrypt a key from storage in the database. "eblock" is used
67 * to decrypt the key in "in" into "out"; the storage pointed to by "out"
68 * is allocated before use.
69 */
70
71 krb5_error_code
krb5_dbekd_decrypt_key_data(krb5_context context,const krb5_keyblock * mkey,const krb5_key_data * key_data,krb5_keyblock * dbkey,krb5_keysalt * keysalt)72 krb5_dbekd_decrypt_key_data( krb5_context context,
73 const krb5_keyblock * mkey,
74 const krb5_key_data * key_data,
75 krb5_keyblock * dbkey,
76 krb5_keysalt * keysalt)
77 {
78 krb5_error_code retval = 0;
79 krb5_int16 tmplen;
80 krb5_octet * ptr;
81 krb5_enc_data cipher;
82 krb5_data plain;
83
84 ptr = key_data->key_data_contents[0];
85
86 if (ptr) {
87 krb5_kdb_decode_int16(ptr, tmplen);
88 ptr += 2;
89
90 cipher.enctype = ENCTYPE_UNKNOWN;
91 cipher.ciphertext.length = key_data->key_data_length[0]-2;
92 cipher.ciphertext.data = (char *)ptr; /* SUNWresync121 XXX */
93 plain.length = key_data->key_data_length[0]-2;
94 if ((plain.data = (char *) malloc(plain.length)) == NULL)
95 return(ENOMEM);
96 (void) memset(plain.data, 0, plain.length);
97
98 if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0,
99 &cipher, &plain))) {
100 krb5_xfree(plain.data);
101 return retval;
102 }
103
104 /* tmplen is the true length of the key. plain.data is the
105 plaintext data length, but it may be padded, since the
106 old-style etypes didn't store the real length. I can check
107 to make sure that there are enough bytes, but I can't do
108 any better than that. */
109
110 if (tmplen > plain.length) {
111 krb5_xfree(plain.data);
112 return(KRB5_CRYPTO_INTERNAL);
113 }
114
115 dbkey->magic = KV5M_KEYBLOCK;
116 dbkey->enctype = key_data->key_data_type[0];
117 dbkey->length = tmplen;
118 dbkey->contents = (unsigned char *) plain.data; /* SUNWresync121 XXX */
119 dbkey->dk_list = NULL;
120 dbkey->hKey = CK_INVALID_HANDLE;
121 }
122
123 /* Decode salt data */
124 if (keysalt) {
125 if (key_data->key_data_ver == 2) {
126 keysalt->type = key_data->key_data_type[1];
127 if ((keysalt->data.length = key_data->key_data_length[1])) {
128 if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){
129 if (key_data->key_data_contents[0]) {
130 krb5_xfree(dbkey->contents);
131 dbkey->contents = 0;
132 dbkey->length = 0;
133 }
134 return ENOMEM;
135 }
136 memcpy(keysalt->data.data, key_data->key_data_contents[1],
137 (size_t) keysalt->data.length);
138 } else
139 keysalt->data.data = (char *) NULL;
140 } else {
141 keysalt->type = KRB5_KDB_SALTTYPE_NORMAL;
142 keysalt->data.data = (char *) NULL;
143 keysalt->data.length = 0;
144 }
145 }
146
147 return retval;
148 }
149