1/*
2 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7/*
8 * lib/kdb/decrypt_key.c
9 *
10 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
11 * All Rights Reserved.
12 *
13 * Export of this software from the United States of America may
14 *   require a specific license from the United States Government.
15 *   It is the responsibility of any person or organization contemplating
16 *   export to obtain such a license before exporting.
17 *
18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19 * distribute this software and its documentation for any purpose and
20 * without fee is hereby granted, provided that the above copyright
21 * notice appear in all copies and that both that copyright notice and
22 * this permission notice appear in supporting documentation, and that
23 * the name of M.I.T. not be used in advertising or publicity pertaining
24 * to distribution of the software without specific, written prior
25 * permission.  Furthermore if you modify this software you must label
26 * your software as modified software and not distribute it in such a
27 * fashion that it might be confused with the original M.I.T. software.
28 * M.I.T. makes no representations about the suitability of
29 * this software for any purpose.  It is provided "as is" without express
30 * or implied warranty.
31 *
32 *
33 * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions
34 */
35
36/*
37 * Copyright (C) 1998 by the FundsXpress, INC.
38 *
39 * All rights reserved.
40 *
41 * Export of this software from the United States of America may require
42 * a specific license from the United States Government.  It is the
43 * responsibility of any person or organization contemplating export to
44 * obtain such a license before exporting.
45 *
46 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
47 * distribute this software and its documentation for any purpose and
48 * without fee is hereby granted, provided that the above copyright
49 * notice appear in all copies and that both that copyright notice and
50 * this permission notice appear in supporting documentation, and that
51 * the name of FundsXpress. not be used in advertising or publicity pertaining
52 * to distribution of the software without specific, written prior
53 * permission.  FundsXpress makes no representations about the suitability of
54 * this software for any purpose.  It is provided "as is" without express
55 * or implied warranty.
56 *
57 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
58 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
59 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
60 */
61
62#include "k5-int.h"
63#include <krb5/kdb.h>
64
65/*
66 * Decrypt a key from storage in the database.  "eblock" is used
67 * to decrypt the key in "in" into "out"; the storage pointed to by "out"
68 * is allocated before use.
69 */
70
71krb5_error_code
72krb5_dbekd_decrypt_key_data( krb5_context 	  context,
73			     const krb5_keyblock	* mkey,
74			     const krb5_key_data	* key_data,
75			     krb5_keyblock 	* dbkey,
76			     krb5_keysalt 	* keysalt)
77{
78    krb5_error_code 	  retval = 0;
79    krb5_int16		  tmplen;
80    krb5_octet		* ptr;
81    krb5_enc_data	  cipher;
82    krb5_data		  plain;
83
84    ptr = key_data->key_data_contents[0];
85
86    if (ptr) {
87	krb5_kdb_decode_int16(ptr, tmplen);
88	ptr += 2;
89
90	cipher.enctype = ENCTYPE_UNKNOWN;
91	cipher.ciphertext.length = key_data->key_data_length[0]-2;
92	cipher.ciphertext.data = (char *)ptr;  /* SUNWresync121 XXX */
93	plain.length = key_data->key_data_length[0]-2;
94	if ((plain.data = (char *) malloc(plain.length)) == NULL)
95	    return(ENOMEM);
96	(void) memset(plain.data, 0, plain.length);
97
98	if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0,
99				     &cipher, &plain))) {
100	    krb5_xfree(plain.data);
101	    return retval;
102	}
103
104	/* tmplen is the true length of the key.  plain.data is the
105	   plaintext data length, but it may be padded, since the
106	   old-style etypes didn't store the real length.  I can check
107	   to make sure that there are enough bytes, but I can't do
108	   any better than that. */
109
110	if (tmplen > plain.length) {
111	    krb5_xfree(plain.data);
112	    return(KRB5_CRYPTO_INTERNAL);
113	}
114
115	dbkey->magic = KV5M_KEYBLOCK;
116	dbkey->enctype = key_data->key_data_type[0];
117	dbkey->length = tmplen;
118	dbkey->contents = (unsigned char *) plain.data;  /* SUNWresync121 XXX */
119	dbkey->dk_list = NULL;
120	dbkey->hKey = CK_INVALID_HANDLE;
121    }
122
123    /* Decode salt data */
124    if (keysalt) {
125	if (key_data->key_data_ver == 2) {
126	    keysalt->type = key_data->key_data_type[1];
127	    if ((keysalt->data.length = key_data->key_data_length[1])) {
128		if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){
129		    if (key_data->key_data_contents[0]) {
130			krb5_xfree(dbkey->contents);
131			dbkey->contents = 0;
132			dbkey->length = 0;
133		    }
134		    return ENOMEM;
135		}
136		memcpy(keysalt->data.data, key_data->key_data_contents[1],
137		       (size_t) keysalt->data.length);
138	    } else
139		keysalt->data.data = (char *) NULL;
140	} else {
141	    keysalt->type = KRB5_KDB_SALTTYPE_NORMAL;
142	    keysalt->data.data = (char *) NULL;
143	    keysalt->data.length = 0;
144	}
145    }
146
147    return retval;
148}
149