1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * lib/kdb/decrypt_key.c 10 * 11 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 12 * All Rights Reserved. 13 * 14 * Export of this software from the United States of America may 15 * require a specific license from the United States Government. 16 * It is the responsibility of any person or organization contemplating 17 * export to obtain such a license before exporting. 18 * 19 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 20 * distribute this software and its documentation for any purpose and 21 * without fee is hereby granted, provided that the above copyright 22 * notice appear in all copies and that both that copyright notice and 23 * this permission notice appear in supporting documentation, and that 24 * the name of M.I.T. not be used in advertising or publicity pertaining 25 * to distribution of the software without specific, written prior 26 * permission. Furthermore if you modify this software you must label 27 * your software as modified software and not distribute it in such a 28 * fashion that it might be confused with the original M.I.T. software. 29 * M.I.T. makes no representations about the suitability of 30 * this software for any purpose. It is provided "as is" without express 31 * or implied warranty. 32 * 33 * 34 * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions 35 */ 36 37 /* 38 * Copyright (C) 1998 by the FundsXpress, INC. 39 * 40 * All rights reserved. 41 * 42 * Export of this software from the United States of America may require 43 * a specific license from the United States Government. It is the 44 * responsibility of any person or organization contemplating export to 45 * obtain such a license before exporting. 46 * 47 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 48 * distribute this software and its documentation for any purpose and 49 * without fee is hereby granted, provided that the above copyright 50 * notice appear in all copies and that both that copyright notice and 51 * this permission notice appear in supporting documentation, and that 52 * the name of FundsXpress. not be used in advertising or publicity pertaining 53 * to distribution of the software without specific, written prior 54 * permission. FundsXpress makes no representations about the suitability of 55 * this software for any purpose. It is provided "as is" without express 56 * or implied warranty. 57 * 58 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 59 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 60 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 61 */ 62 63 #include "k5-int.h" 64 #include <krb5/kdb.h> 65 66 /* 67 * Decrypt a key from storage in the database. "eblock" is used 68 * to decrypt the key in "in" into "out"; the storage pointed to by "out" 69 * is allocated before use. 70 */ 71 72 krb5_error_code 73 krb5_dbekd_decrypt_key_data(context, mkey, key_data, dbkey, keysalt) 74 krb5_context context; 75 const krb5_keyblock * mkey; 76 const krb5_key_data * key_data; 77 krb5_keyblock * dbkey; 78 krb5_keysalt * keysalt; 79 { 80 krb5_error_code retval = 0; 81 krb5_int16 tmplen; 82 krb5_octet * ptr; 83 krb5_enc_data cipher; 84 krb5_data plain; 85 86 ptr = key_data->key_data_contents[0]; 87 88 if (ptr) { 89 krb5_kdb_decode_int16(ptr, tmplen); 90 ptr += 2; 91 92 cipher.enctype = ENCTYPE_UNKNOWN; 93 cipher.ciphertext.length = key_data->key_data_length[0]-2; 94 cipher.ciphertext.data = (char *)ptr; /* SUNWresync121 XXX */ 95 plain.length = key_data->key_data_length[0]-2; 96 if ((plain.data = (char *) malloc(plain.length)) == NULL) 97 return(ENOMEM); 98 (void) memset(plain.data, 0, plain.length); 99 100 if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, 101 &cipher, &plain))) { 102 krb5_xfree(plain.data); 103 return retval; 104 } 105 106 /* tmplen is the true length of the key. plain.data is the 107 plaintext data length, but it may be padded, since the 108 old-style etypes didn't store the real length. I can check 109 to make sure that there are enough bytes, but I can't do 110 any better than that. */ 111 112 if (tmplen > plain.length) { 113 krb5_xfree(plain.data); 114 return(KRB5_CRYPTO_INTERNAL); 115 } 116 117 dbkey->magic = KV5M_KEYBLOCK; 118 dbkey->enctype = key_data->key_data_type[0]; 119 dbkey->length = tmplen; 120 dbkey->contents = (unsigned char *) plain.data; /* SUNWresync121 XXX */ 121 dbkey->dk_list = NULL; 122 dbkey->hKey = CK_INVALID_HANDLE; 123 } 124 125 /* Decode salt data */ 126 if (keysalt) { 127 if (key_data->key_data_ver == 2) { 128 keysalt->type = key_data->key_data_type[1]; 129 if ((keysalt->data.length = key_data->key_data_length[1])) { 130 if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ 131 if (key_data->key_data_contents[0]) { 132 krb5_xfree(dbkey->contents); 133 dbkey->contents = 0; 134 dbkey->length = 0; 135 } 136 return ENOMEM; 137 } 138 memcpy(keysalt->data.data, key_data->key_data_contents[1], 139 (size_t) keysalt->data.length); 140 } else 141 keysalt->data.data = (char *) NULL; 142 } else { 143 keysalt->type = KRB5_KDB_SALTTYPE_NORMAL; 144 keysalt->data.data = (char *) NULL; 145 keysalt->data.length = 0; 146 } 147 } 148 149 return retval; 150 } 151