/*
 * Decrypt and decode the enc_part of a KRB-CRED message.
 *
 * Keys are taken from authcon: the receiving subkey is tried first and, if
 * that decryption fails, the session key is tried.  A failure with the
 * subkey is therefore not an error by itself; only the last attempted key's
 * result is reported.  When authcon carries neither key, ctext->ciphertext
 * is decoded as-is, i.e. treated as an unencrypted KRB-CRED (RFC 6448).
 * That path performs no integrity check, so it is only as safe as the
 * caller's decision to leave both keys unset.
 *
 * On success *encpart_out receives the decoded part (caller frees); on any
 * failure it is NULL.  The decrypted buffer is wiped before release.
 */
static krb5_error_code
decrypt_encpart(krb5_context context, krb5_enc_data *ctext,
                krb5_auth_context authcon, krb5_cred_enc_part **encpart_out)
{
    krb5_error_code ret;
    krb5_data plain = empty_data();
    krb5_key candidates[2];
    int ncandidates = 0, idx;

    *encpart_out = NULL;

    /* Preferred key first: subkey, then session key. */
    if (authcon->recv_subkey != NULL)
        candidates[ncandidates++] = authcon->recv_subkey;
    if (authcon->key != NULL)
        candidates[ncandidates++] = authcon->key;

    /* No key at all: RFC 6448 unencrypted KRB-CRED. */
    if (ncandidates == 0)
        return decode_krb5_enc_cred_part(&ctext->ciphertext, encpart_out);

    ret = alloc_data(&plain, ctext->ciphertext.length);
    if (ret)
        return ret;

    /* Stop at the first key that decrypts; otherwise ret holds the last error. */
    for (idx = 0; idx < ncandidates; idx++) {
        ret = krb5_k_decrypt(context, candidates[idx],
                             KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, ctext, &plain);
        if (ret == 0)
            break;
    }

    if (ret == 0)
        ret = decode_krb5_enc_cred_part(&plain, encpart_out);

    /* plain held ticket session keys; wipe, don't just free. */
    zapfree(plain.data, plain.length);
    return ret;
}
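/*
 * Decrypt and decode the enc_part of a krb5_cred.
 *
 * pkey is the key to decrypt with (receiving subkey or session key).  If
 * pkey is NULL, enc_part.ciphertext is treated as unencrypted plain text
 * (the RFC 6448 case) and is decoded directly; that path performs no
 * integrity check, so callers should pass NULL only when no key exists.
 *
 * On success the decoded fields are shallow-copied into *pcredenc and the
 * caller owns the memory they point to.  Returns 0, ENOMEM, or the
 * decryption/decoding error code.  The scratch plaintext buffer holds
 * ticket session keys and is wiped before release.
 */
static krb5_error_code
decrypt_credencdata(krb5_context context, krb5_cred *pcred, krb5_key pkey,
                    krb5_cred_enc_part *pcredenc)
{
    krb5_cred_enc_part *ppart = NULL;
    krb5_error_code retval = 0;
    krb5_data scratch;

    scratch.length = pcred->enc_part.ciphertext.length;
    scratch.data = malloc(scratch.length);
    if (scratch.data == NULL)
        return ENOMEM;

    if (pkey != NULL) {
        retval = krb5_k_decrypt(context, pkey, KRB5_KEYUSAGE_KRB_CRED_ENCPART,
                                0, &pcred->enc_part, &scratch);
        if (retval)
            goto cleanup;
    } else {
        /* No key: the "ciphertext" is already the plaintext encoding. */
        memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
    }

    /* Decode the (now plaintext) encoding. */
    retval = decode_krb5_enc_cred_part(&scratch, &ppart);
    if (retval)
        goto cleanup;

    /* Shallow copy: ownership of ppart's contents passes to *pcredenc. */
    *pcredenc = *ppart;

cleanup:
    if (ppart != NULL) {
        /* Only the container goes; its pointers now live in *pcredenc. */
        memset(ppart, 0, sizeof(*ppart));
        free(ppart);
    }
    /*
     * scratch held decrypted credential material.  Use zapfree (the wipe
     * helper used elsewhere in this file) rather than a plain memset before
     * free(), which the compiler is entitled to optimize away.
     */
    zapfree(scratch.data, scratch.length);
    return retval;
}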