17c478bd9Sstevel@tonic-gate /* 2*54925bf6Swillf * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 37c478bd9Sstevel@tonic-gate * Use is subject to license terms. 47c478bd9Sstevel@tonic-gate */ 57c478bd9Sstevel@tonic-gate 67c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 77c478bd9Sstevel@tonic-gate 87c478bd9Sstevel@tonic-gate /* 97c478bd9Sstevel@tonic-gate * lib/kdb/decrypt_key.c 107c478bd9Sstevel@tonic-gate * 117c478bd9Sstevel@tonic-gate * Copyright 1990,1991 by the Massachusetts Institute of Technology. 127c478bd9Sstevel@tonic-gate * All Rights Reserved. 137c478bd9Sstevel@tonic-gate * 147c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may 157c478bd9Sstevel@tonic-gate * require a specific license from the United States Government. 167c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating 177c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting. 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 207c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 217c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 227c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 237c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 247c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining 257c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 267c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label 277c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a 287c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software. 297c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of 307c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 317c478bd9Sstevel@tonic-gate * or implied warranty. 327c478bd9Sstevel@tonic-gate * 337c478bd9Sstevel@tonic-gate * 347c478bd9Sstevel@tonic-gate * krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions 357c478bd9Sstevel@tonic-gate */ 367c478bd9Sstevel@tonic-gate 377c478bd9Sstevel@tonic-gate /* 387c478bd9Sstevel@tonic-gate * Copyright (C) 1998 by the FundsXpress, INC. 397c478bd9Sstevel@tonic-gate * 407c478bd9Sstevel@tonic-gate * All rights reserved. 417c478bd9Sstevel@tonic-gate * 427c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may require 437c478bd9Sstevel@tonic-gate * a specific license from the United States Government. It is the 447c478bd9Sstevel@tonic-gate * responsibility of any person or organization contemplating export to 457c478bd9Sstevel@tonic-gate * obtain such a license before exporting. 467c478bd9Sstevel@tonic-gate * 477c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 487c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 497c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 507c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 517c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 527c478bd9Sstevel@tonic-gate * the name of FundsXpress. not be used in advertising or publicity pertaining 537c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 547c478bd9Sstevel@tonic-gate * permission. FundsXpress makes no representations about the suitability of 557c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 567c478bd9Sstevel@tonic-gate * or implied warranty. 577c478bd9Sstevel@tonic-gate * 587c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 597c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 607c478bd9Sstevel@tonic-gate * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 617c478bd9Sstevel@tonic-gate */ 627c478bd9Sstevel@tonic-gate 637c478bd9Sstevel@tonic-gate #include "k5-int.h" 64*54925bf6Swillf #include <krb5/kdb.h> 657c478bd9Sstevel@tonic-gate 667c478bd9Sstevel@tonic-gate /* 677c478bd9Sstevel@tonic-gate * Decrypt a key from storage in the database. "eblock" is used 687c478bd9Sstevel@tonic-gate * to decrypt the key in "in" into "out"; the storage pointed to by "out" 697c478bd9Sstevel@tonic-gate * is allocated before use. 707c478bd9Sstevel@tonic-gate */ 717c478bd9Sstevel@tonic-gate 727c478bd9Sstevel@tonic-gate krb5_error_code 737c478bd9Sstevel@tonic-gate krb5_dbekd_decrypt_key_data(context, mkey, key_data, dbkey, keysalt) 747c478bd9Sstevel@tonic-gate krb5_context context; 757c478bd9Sstevel@tonic-gate const krb5_keyblock * mkey; 767c478bd9Sstevel@tonic-gate const krb5_key_data * key_data; 777c478bd9Sstevel@tonic-gate krb5_keyblock * dbkey; 787c478bd9Sstevel@tonic-gate krb5_keysalt * keysalt; 797c478bd9Sstevel@tonic-gate { 807c478bd9Sstevel@tonic-gate krb5_error_code retval = 0; 817c478bd9Sstevel@tonic-gate krb5_int16 tmplen; 827c478bd9Sstevel@tonic-gate krb5_octet * ptr; 837c478bd9Sstevel@tonic-gate krb5_enc_data cipher; 847c478bd9Sstevel@tonic-gate krb5_data plain; 857c478bd9Sstevel@tonic-gate 867c478bd9Sstevel@tonic-gate ptr = key_data->key_data_contents[0]; 877c478bd9Sstevel@tonic-gate 887c478bd9Sstevel@tonic-gate if (ptr) { 897c478bd9Sstevel@tonic-gate krb5_kdb_decode_int16(ptr, tmplen); 907c478bd9Sstevel@tonic-gate ptr += 2; 917c478bd9Sstevel@tonic-gate 927c478bd9Sstevel@tonic-gate cipher.enctype = ENCTYPE_UNKNOWN; 937c478bd9Sstevel@tonic-gate cipher.ciphertext.length = key_data->key_data_length[0]-2; 947c478bd9Sstevel@tonic-gate cipher.ciphertext.data = (char *)ptr; /* SUNWresync121 XXX */ 957c478bd9Sstevel@tonic-gate plain.length = key_data->key_data_length[0]-2; 967c478bd9Sstevel@tonic-gate if ((plain.data = (char *) malloc(plain.length)) == NULL) 977c478bd9Sstevel@tonic-gate return(ENOMEM); 987c478bd9Sstevel@tonic-gate (void) memset(plain.data, 0, plain.length); 997c478bd9Sstevel@tonic-gate 1007c478bd9Sstevel@tonic-gate if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, 1017c478bd9Sstevel@tonic-gate &cipher, &plain))) { 1027c478bd9Sstevel@tonic-gate krb5_xfree(plain.data); 1037c478bd9Sstevel@tonic-gate return retval; 1047c478bd9Sstevel@tonic-gate } 1057c478bd9Sstevel@tonic-gate 1067c478bd9Sstevel@tonic-gate /* tmplen is the true length of the key. plain.data is the 1077c478bd9Sstevel@tonic-gate plaintext data length, but it may be padded, since the 1087c478bd9Sstevel@tonic-gate old-style etypes didn't store the real length. I can check 1097c478bd9Sstevel@tonic-gate to make sure that there are enough bytes, but I can't do 1107c478bd9Sstevel@tonic-gate any better than that. */ 1117c478bd9Sstevel@tonic-gate 1127c478bd9Sstevel@tonic-gate if (tmplen > plain.length) { 1137c478bd9Sstevel@tonic-gate krb5_xfree(plain.data); 1147c478bd9Sstevel@tonic-gate return(KRB5_CRYPTO_INTERNAL); 1157c478bd9Sstevel@tonic-gate } 1167c478bd9Sstevel@tonic-gate 1177c478bd9Sstevel@tonic-gate dbkey->magic = KV5M_KEYBLOCK; 1187c478bd9Sstevel@tonic-gate dbkey->enctype = key_data->key_data_type[0]; 1197c478bd9Sstevel@tonic-gate dbkey->length = tmplen; 1207c478bd9Sstevel@tonic-gate dbkey->contents = (unsigned char *) plain.data; /* SUNWresync121 XXX */ 1217c478bd9Sstevel@tonic-gate dbkey->dk_list = NULL; 1227c478bd9Sstevel@tonic-gate dbkey->hKey = CK_INVALID_HANDLE; 1237c478bd9Sstevel@tonic-gate } 1247c478bd9Sstevel@tonic-gate 1257c478bd9Sstevel@tonic-gate /* Decode salt data */ 1267c478bd9Sstevel@tonic-gate if (keysalt) { 1277c478bd9Sstevel@tonic-gate if (key_data->key_data_ver == 2) { 1287c478bd9Sstevel@tonic-gate keysalt->type = key_data->key_data_type[1]; 1297c478bd9Sstevel@tonic-gate if ((keysalt->data.length = key_data->key_data_length[1])) { 1307c478bd9Sstevel@tonic-gate if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ 1317c478bd9Sstevel@tonic-gate if (key_data->key_data_contents[0]) { 1327c478bd9Sstevel@tonic-gate krb5_xfree(dbkey->contents); 1337c478bd9Sstevel@tonic-gate dbkey->contents = 0; 1347c478bd9Sstevel@tonic-gate dbkey->length = 0; 1357c478bd9Sstevel@tonic-gate } 1367c478bd9Sstevel@tonic-gate return ENOMEM; 1377c478bd9Sstevel@tonic-gate } 1387c478bd9Sstevel@tonic-gate memcpy(keysalt->data.data, key_data->key_data_contents[1], 1397c478bd9Sstevel@tonic-gate (size_t) keysalt->data.length); 1407c478bd9Sstevel@tonic-gate } else 1417c478bd9Sstevel@tonic-gate keysalt->data.data = (char *) NULL; 1427c478bd9Sstevel@tonic-gate } else { 1437c478bd9Sstevel@tonic-gate keysalt->type = KRB5_KDB_SALTTYPE_NORMAL; 1447c478bd9Sstevel@tonic-gate keysalt->data.data = (char *) NULL; 1457c478bd9Sstevel@tonic-gate keysalt->data.length = 0; 1467c478bd9Sstevel@tonic-gate } 1477c478bd9Sstevel@tonic-gate } 1487c478bd9Sstevel@tonic-gate 1497c478bd9Sstevel@tonic-gate return retval; 1507c478bd9Sstevel@tonic-gate } 151