krb5_error_code KRB5_CALLCONV
krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_ui_4 *nonce)
{
krb5_error_code retval;
krb5_ap_rep * reply;
krb5_data scratch;
krb5_ap_rep_enc_part *repl = NULL;
if (!krb5_is_ap_rep(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode it */
if ((retval = decode_krb5_ap_rep(inbuf, &reply)))
return retval;
/* put together an eblock for this encryption */
scratch.length = reply->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
krb5_free_ap_rep(context, reply);
return(ENOMEM);
}
if ((retval = krb5_k_decrypt(context, auth_context->key,
KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
&reply->enc_part, &scratch)))
goto clean_scratch;
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, &repl);
if (retval)
goto clean_scratch;
*nonce = repl->seq_number;
if (*nonce != auth_context->local_seq_number) {
retval = KRB5_MUTUAL_FAILED;
goto clean_scratch;
}
/* Must be NULL to prevent echoing for client AP-REP */
if (repl->subkey != NULL) {
retval = KRB5_MUTUAL_FAILED;
goto clean_scratch;
}
TRACE_RD_REP_DCE(context, repl->ctime, repl->cusec, repl->seq_number);
clean_scratch:
memset(scratch.data, 0, scratch.length);
if (repl != NULL)
krb5_free_ap_rep_enc_part(context, repl);
krb5_free_ap_rep(context, reply);
free(scratch.data);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
{
krb5_error_code retval;
krb5_ap_rep * reply;
krb5_data scratch;
if (!krb5_is_ap_rep(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode it */
if ((retval = decode_krb5_ap_rep(inbuf, &reply)))
return retval;
/* put together an eblock for this encryption */
scratch.length = reply->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
krb5_free_ap_rep(context, reply);
return(ENOMEM);
}
if ((retval = krb5_c_decrypt(context, auth_context->keyblock,
KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
&reply->enc_part, &scratch)))
goto clean_scratch;
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
if (retval)
goto clean_scratch;
/* Check reply fields */
if (((*repl)->ctime != auth_context->authentp->ctime) ||
((*repl)->cusec != auth_context->authentp->cusec)) {
retval = KRB5_MUTUAL_FAILED;
goto clean_scratch;
}
/* Set auth subkey */
if ((*repl)->subkey) {
if (auth_context->recv_subkey) {
krb5_free_keyblock(context, auth_context->recv_subkey);
auth_context->recv_subkey = NULL;
}
retval = krb5_copy_keyblock(context, (*repl)->subkey,
&auth_context->recv_subkey);
if (retval)
goto clean_scratch;
if (auth_context->send_subkey) {
krb5_free_keyblock(context, auth_context->send_subkey);
auth_context->send_subkey = NULL;
}
retval = krb5_copy_keyblock(context, (*repl)->subkey,
&auth_context->send_subkey);
if (retval) {
krb5_free_keyblock(context, auth_context->send_subkey);
auth_context->send_subkey = NULL;
}
/* not used for anything yet */
auth_context->negotiated_etype = (*repl)->subkey->enctype;
}
/* Get remote sequence number */
auth_context->remote_seq_number = (*repl)->seq_number;
clean_scratch:
memset(scratch.data, 0, scratch.length);
krb5_free_ap_rep(context, reply);
free(scratch.data);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
{
krb5_error_code retval;
krb5_ap_rep *reply = NULL;
krb5_ap_rep_enc_part *enc = NULL;
krb5_data scratch;
*repl = NULL;
if (!krb5_is_ap_rep(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
/* Decode inbuf. */
retval = decode_krb5_ap_rep(inbuf, &reply);
if (retval)
return retval;
/* Put together an eblock for this encryption. */
scratch.length = reply->enc_part.ciphertext.length;
scratch.data = malloc(scratch.length);
if (scratch.data == NULL) {
retval = ENOMEM;
goto clean_scratch;
}
retval = krb5_k_decrypt(context, auth_context->key,
KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
&reply->enc_part, &scratch);
if (retval)
goto clean_scratch;
/* Now decode the decrypted stuff. */
retval = decode_krb5_ap_rep_enc_part(&scratch, &enc);
if (retval)
goto clean_scratch;
/* Check reply fields. */
if ((enc->ctime != auth_context->authentp->ctime)
|| (enc->cusec != auth_context->authentp->cusec)) {
retval = KRB5_MUTUAL_FAILED;
goto clean_scratch;
}
/* Set auth subkey. */
if (enc->subkey) {
retval = krb5_auth_con_setrecvsubkey(context, auth_context,
enc->subkey);
if (retval)
goto clean_scratch;
retval = krb5_auth_con_setsendsubkey(context, auth_context,
enc->subkey);
if (retval) {
(void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
goto clean_scratch;
}
/* Not used for anything yet. */
auth_context->negotiated_etype = enc->subkey->enctype;
}
/* Get remote sequence number. */
auth_context->remote_seq_number = enc->seq_number;
TRACE_RD_REP(context, enc->ctime, enc->cusec, enc->subkey,
enc->seq_number);
*repl = enc;
enc = NULL;
clean_scratch:
if (scratch.data)
memset(scratch.data, 0, scratch.length);
free(scratch.data);
krb5_free_ap_rep(context, reply);
krb5_free_ap_rep_enc_part(context, enc);
return retval;
}
