17c478bd9Sstevel@tonic-gate /* 2*159d09a2SMark Phalan * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 37c478bd9Sstevel@tonic-gate * Use is subject to license terms. 47c478bd9Sstevel@tonic-gate */ 57c478bd9Sstevel@tonic-gate 67c478bd9Sstevel@tonic-gate 77c478bd9Sstevel@tonic-gate /* 87c478bd9Sstevel@tonic-gate * lib/kdb/decrypt_key.c 97c478bd9Sstevel@tonic-gate * 107c478bd9Sstevel@tonic-gate * Copyright 1990,1991 by the Massachusetts Institute of Technology. 117c478bd9Sstevel@tonic-gate * All Rights Reserved. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may 147c478bd9Sstevel@tonic-gate * require a specific license from the United States Government. 157c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating 167c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting. 177c478bd9Sstevel@tonic-gate * 187c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 197c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 207c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 217c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 227c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 237c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining 247c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 257c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label 267c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a 277c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software. 287c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of 297c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 307c478bd9Sstevel@tonic-gate * or implied warranty. 317c478bd9Sstevel@tonic-gate * 327c478bd9Sstevel@tonic-gate * 337c478bd9Sstevel@tonic-gate * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions 347c478bd9Sstevel@tonic-gate */ 357c478bd9Sstevel@tonic-gate 367c478bd9Sstevel@tonic-gate /* 377c478bd9Sstevel@tonic-gate * Copyright (C) 1998 by the FundsXpress, INC. 387c478bd9Sstevel@tonic-gate * 397c478bd9Sstevel@tonic-gate * All rights reserved. 407c478bd9Sstevel@tonic-gate * 417c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may require 427c478bd9Sstevel@tonic-gate * a specific license from the United States Government. It is the 437c478bd9Sstevel@tonic-gate * responsibility of any person or organization contemplating export to 447c478bd9Sstevel@tonic-gate * obtain such a license before exporting. 457c478bd9Sstevel@tonic-gate * 467c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 477c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 487c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 497c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 507c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 517c478bd9Sstevel@tonic-gate * the name of FundsXpress. not be used in advertising or publicity pertaining 527c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 537c478bd9Sstevel@tonic-gate * permission. FundsXpress makes no representations about the suitability of 547c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 557c478bd9Sstevel@tonic-gate * or implied warranty. 567c478bd9Sstevel@tonic-gate * 577c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 587c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 597c478bd9Sstevel@tonic-gate * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 607c478bd9Sstevel@tonic-gate */ 617c478bd9Sstevel@tonic-gate 627c478bd9Sstevel@tonic-gate #include "k5-int.h" 6354925bf6Swillf #include <krb5/kdb.h> 647c478bd9Sstevel@tonic-gate 657c478bd9Sstevel@tonic-gate /* 667c478bd9Sstevel@tonic-gate * Decrypt a key from storage in the database. "eblock" is used 677c478bd9Sstevel@tonic-gate * to decrypt the key in "in" into "out"; the storage pointed to by "out" 687c478bd9Sstevel@tonic-gate * is allocated before use. 697c478bd9Sstevel@tonic-gate */ 707c478bd9Sstevel@tonic-gate 717c478bd9Sstevel@tonic-gate krb5_error_code 72*159d09a2SMark Phalan krb5_dbekd_decrypt_key_data( krb5_context context, 73*159d09a2SMark Phalan const krb5_keyblock * mkey, 74*159d09a2SMark Phalan const krb5_key_data * key_data, 75*159d09a2SMark Phalan krb5_keyblock * dbkey, 76*159d09a2SMark Phalan krb5_keysalt * keysalt) 777c478bd9Sstevel@tonic-gate { 787c478bd9Sstevel@tonic-gate krb5_error_code retval = 0; 797c478bd9Sstevel@tonic-gate krb5_int16 tmplen; 807c478bd9Sstevel@tonic-gate krb5_octet * ptr; 817c478bd9Sstevel@tonic-gate krb5_enc_data cipher; 827c478bd9Sstevel@tonic-gate krb5_data plain; 837c478bd9Sstevel@tonic-gate 847c478bd9Sstevel@tonic-gate ptr = key_data->key_data_contents[0]; 857c478bd9Sstevel@tonic-gate 867c478bd9Sstevel@tonic-gate if (ptr) { 877c478bd9Sstevel@tonic-gate krb5_kdb_decode_int16(ptr, tmplen); 887c478bd9Sstevel@tonic-gate ptr += 2; 897c478bd9Sstevel@tonic-gate 907c478bd9Sstevel@tonic-gate cipher.enctype = ENCTYPE_UNKNOWN; 917c478bd9Sstevel@tonic-gate cipher.ciphertext.length = key_data->key_data_length[0]-2; 927c478bd9Sstevel@tonic-gate cipher.ciphertext.data = (char *)ptr; /* SUNWresync121 XXX */ 937c478bd9Sstevel@tonic-gate plain.length = key_data->key_data_length[0]-2; 947c478bd9Sstevel@tonic-gate if ((plain.data = (char *) malloc(plain.length)) == NULL) 957c478bd9Sstevel@tonic-gate return(ENOMEM); 967c478bd9Sstevel@tonic-gate (void) memset(plain.data, 0, plain.length); 977c478bd9Sstevel@tonic-gate 987c478bd9Sstevel@tonic-gate if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, 997c478bd9Sstevel@tonic-gate &cipher, &plain))) { 1007c478bd9Sstevel@tonic-gate krb5_xfree(plain.data); 1017c478bd9Sstevel@tonic-gate return retval; 1027c478bd9Sstevel@tonic-gate } 1037c478bd9Sstevel@tonic-gate 1047c478bd9Sstevel@tonic-gate /* tmplen is the true length of the key. plain.data is the 1057c478bd9Sstevel@tonic-gate plaintext data length, but it may be padded, since the 1067c478bd9Sstevel@tonic-gate old-style etypes didn't store the real length. I can check 1077c478bd9Sstevel@tonic-gate to make sure that there are enough bytes, but I can't do 1087c478bd9Sstevel@tonic-gate any better than that. */ 1097c478bd9Sstevel@tonic-gate 1107c478bd9Sstevel@tonic-gate if (tmplen > plain.length) { 1117c478bd9Sstevel@tonic-gate krb5_xfree(plain.data); 1127c478bd9Sstevel@tonic-gate return(KRB5_CRYPTO_INTERNAL); 1137c478bd9Sstevel@tonic-gate } 1147c478bd9Sstevel@tonic-gate 1157c478bd9Sstevel@tonic-gate dbkey->magic = KV5M_KEYBLOCK; 1167c478bd9Sstevel@tonic-gate dbkey->enctype = key_data->key_data_type[0]; 1177c478bd9Sstevel@tonic-gate dbkey->length = tmplen; 1187c478bd9Sstevel@tonic-gate dbkey->contents = (unsigned char *) plain.data; /* SUNWresync121 XXX */ 1197c478bd9Sstevel@tonic-gate dbkey->dk_list = NULL; 1207c478bd9Sstevel@tonic-gate dbkey->hKey = CK_INVALID_HANDLE; 1217c478bd9Sstevel@tonic-gate } 1227c478bd9Sstevel@tonic-gate 1237c478bd9Sstevel@tonic-gate /* Decode salt data */ 1247c478bd9Sstevel@tonic-gate if (keysalt) { 1257c478bd9Sstevel@tonic-gate if (key_data->key_data_ver == 2) { 1267c478bd9Sstevel@tonic-gate keysalt->type = key_data->key_data_type[1]; 1277c478bd9Sstevel@tonic-gate if ((keysalt->data.length = key_data->key_data_length[1])) { 1287c478bd9Sstevel@tonic-gate if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ 1297c478bd9Sstevel@tonic-gate if (key_data->key_data_contents[0]) { 1307c478bd9Sstevel@tonic-gate krb5_xfree(dbkey->contents); 1317c478bd9Sstevel@tonic-gate dbkey->contents = 0; 1327c478bd9Sstevel@tonic-gate dbkey->length = 0; 1337c478bd9Sstevel@tonic-gate } 1347c478bd9Sstevel@tonic-gate return ENOMEM; 1357c478bd9Sstevel@tonic-gate } 1367c478bd9Sstevel@tonic-gate memcpy(keysalt->data.data, key_data->key_data_contents[1], 1377c478bd9Sstevel@tonic-gate (size_t) keysalt->data.length); 1387c478bd9Sstevel@tonic-gate } else 1397c478bd9Sstevel@tonic-gate keysalt->data.data = (char *) NULL; 1407c478bd9Sstevel@tonic-gate } else { 1417c478bd9Sstevel@tonic-gate keysalt->type = KRB5_KDB_SALTTYPE_NORMAL; 1427c478bd9Sstevel@tonic-gate keysalt->data.data = (char *) NULL; 1437c478bd9Sstevel@tonic-gate keysalt->data.length = 0; 1447c478bd9Sstevel@tonic-gate } 1457c478bd9Sstevel@tonic-gate } 1467c478bd9Sstevel@tonic-gate 1477c478bd9Sstevel@tonic-gate return retval; 1487c478bd9Sstevel@tonic-gate } 149