コード例 #1
ファイル: rd_cred.c プロジェクト: krb5/krb5
/*
 * Recover the krb5_cred_enc_part carried in ctext (the enc_part of a
 * KRB-CRED message) and hand it back through *encpart_out.
 *
 * Key selection, in order:
 *   1. authcon->recv_subkey, when set;
 *   2. authcon->key, when set and step 1 was unavailable or failed.
 * Both attempts use key usage KRB5_KEYUSAGE_KRB_CRED_ENCPART.
 *
 * When the auth context holds neither key, ctext->ciphertext is decoded
 * directly as unencrypted plain text (RFC 6448).
 * NOTE(review): in that case nothing here authenticates or hides the
 * credential, so protection has to come from the channel the message arrived
 * on; confirm that callers only reach this path over a protected transport.
 *
 * Returns 0 on success.  On failure *encpart_out stays NULL as far as this
 * function is concerned and the error is that of the allocation, of the last
 * decryption attempt, or of the ASN.1 decode.
 */
static krb5_error_code
decrypt_encpart(krb5_context context, krb5_enc_data *ctext,
                krb5_auth_context authcon, krb5_cred_enc_part **encpart_out)
{
    krb5_error_code ret;
    krb5_data plain = empty_data();
    krb5_boolean have_subkey = (authcon->recv_subkey != NULL);
    krb5_boolean have_key = (authcon->key != NULL);

    *encpart_out = NULL;

    /* No key material at all: treat the payload as already-plain DER. */
    if (!have_subkey && !have_key)
        return decode_krb5_enc_cred_part(&ctext->ciphertext, encpart_out);

    /* The plaintext buffer is sized to the ciphertext length. */
    ret = alloc_data(&plain, ctext->ciphertext.length);
    if (ret != 0)
        return ret;

    /* ret is 0 here, so it doubles as the "decrypted" indicator below. */
    if (have_subkey) {
        ret = krb5_k_decrypt(context, authcon->recv_subkey,
                             KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, ctext, &plain);
    }

    /* Fall back to the session key if the subkey was absent or rejected. */
    if ((!have_subkey || ret != 0) && have_key) {
        ret = krb5_k_decrypt(context, authcon->key,
                             KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, ctext, &plain);
    }

    /* Only decode output that a key actually produced. */
    if (ret == 0)
        ret = decode_krb5_enc_cred_part(&plain, encpart_out);

    /* The buffer may hold decrypted credential data; release it via zapfree. */
    zapfree(plain.data, plain.length);
    return ret;
}
コード例 #2
ファイル: rd_cred.c プロジェクト: jiaju707/krb5
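/*
 * Zero len bytes at ptr through a volatile pointer.
 *
 * A plain memset() immediately followed by free() is a dead store that an
 * optimizing compiler is allowed to remove, which would leave the decrypted
 * credential data in freed heap memory.  Volatile stores are not elided.
 */
static void
credenc_wipe(void *ptr, size_t len)
{
    volatile unsigned char *p = ptr;

    while (len-- > 0)
        *p++ = 0;
}

/*
 * Decrypt (when pkey is given) and ASN.1-decode the enc_part of a krb5_cred.
 *
 * context   library context passed through to krb5_k_decrypt()
 * pcred     KRB-CRED message whose enc_part is processed
 * pkey      key to decrypt with (usage KRB5_KEYUSAGE_KRB_CRED_ENCPART); when
 *           NULL the ciphertext bytes are taken as-is and decoded as plain
 *           text
 * pcredenc  receives a structure copy of the decoded krb5_cred_enc_part
 *
 * Returns 0 on success, ENOMEM if the scratch buffer cannot be allocated, or
 * the error from krb5_k_decrypt() / decode_krb5_enc_cred_part().  *pcredenc is
 * written only on success.
 *
 * NOTE(review): with pkey == NULL nothing in this function authenticates or
 * hides the credential; confirm that callers pass NULL only when the message
 * arrived over an otherwise protected channel.
 */
static krb5_error_code
decrypt_credencdata(krb5_context context, krb5_cred *pcred,
                    krb5_key pkey, krb5_cred_enc_part *pcredenc)
{
    krb5_cred_enc_part *ppart = NULL;
    krb5_error_code retval = 0;
    krb5_data scratch;

    /*
     * The plaintext buffer is sized to the ciphertext length.
     * NOTE(review): for a zero-length ciphertext, malloc(0) may return NULL
     * on some platforms and this then reports ENOMEM.
     */
    scratch.length = pcred->enc_part.ciphertext.length;
    scratch.data = malloc(scratch.length);
    if (scratch.data == NULL)
        return ENOMEM;

    if (pkey != NULL) {
        retval = krb5_k_decrypt(context, pkey,
                                KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
                                &pcred->enc_part, &scratch);
        if (retval)
            goto cleanup;
    } else {
        /* No key: the "ciphertext" is used directly as the encoded part. */
        memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
    }

    /* Decode the (decrypted or plain) DER into a freshly allocated part. */
    retval = decode_krb5_enc_cred_part(&scratch, &ppart);
    if (retval)
        goto cleanup;

    /*
     * Structure copy: any pointers inside the decoded part are now held by
     * *pcredenc, so only the outer structure is wiped and freed below.
     */
    *pcredenc = *ppart;

cleanup:
    if (ppart != NULL) {
        credenc_wipe(ppart, sizeof(*ppart));
        free(ppart);
    }
    /* scratch may hold decrypted credential data; wipe it before release. */
    credenc_wipe(scratch.data, scratch.length);
    free(scratch.data);

    return retval;
}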