/* * lib/krb5/krb/rd_rep.c * * Copyright 1990,1991 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright * notice appear in all copies and that both that copyright notice and * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior * permission. Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a * fashion that it might be confused with the original M.I.T. software. * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * * * krb5_rd_rep() */ #include "k5-int.h" #include "auth_con.h" /* * Parses a KRB_AP_REP message, returning its contents. * * repl is filled in with with a pointer to allocated memory containing * the fields from the encrypted response. * * the key in kblock is used to decrypt the message. * * returns system errors, encryption errors, replay errors */ krb5_error_code KRB5_CALLCONV krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_ap_rep_enc_part **repl) { krb5_error_code retval; krb5_ap_rep * reply; krb5_data scratch; if (!krb5_is_ap_rep(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; /* decode it */ if ((retval = decode_krb5_ap_rep(inbuf, &reply))) return retval; /* put together an eblock for this encryption */ scratch.length = reply->enc_part.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) { krb5_free_ap_rep(context, reply); return(ENOMEM); } if ((retval = krb5_c_decrypt(context, auth_context->keyblock, KRB5_KEYUSAGE_AP_REP_ENCPART, 0, &reply->enc_part, &scratch))) goto clean_scratch; /* now decode the decrypted stuff */ retval = decode_krb5_ap_rep_enc_part(&scratch, repl); if (retval) goto clean_scratch; /* Check reply fields */ if (((*repl)->ctime != auth_context->authentp->ctime) || ((*repl)->cusec != auth_context->authentp->cusec)) { retval = KRB5_MUTUAL_FAILED; goto clean_scratch; } /* Set auth subkey */ if ((*repl)->subkey) { if (auth_context->recv_subkey) { krb5_free_keyblock(context, auth_context->recv_subkey); auth_context->recv_subkey = NULL; } retval = krb5_copy_keyblock(context, (*repl)->subkey, &auth_context->recv_subkey); if (retval) goto clean_scratch; if (auth_context->send_subkey) { krb5_free_keyblock(context, auth_context->send_subkey); auth_context->send_subkey = NULL; } retval = krb5_copy_keyblock(context, (*repl)->subkey, &auth_context->send_subkey); if (retval) { krb5_free_keyblock(context, auth_context->send_subkey); auth_context->send_subkey = NULL; } } /* Get remote sequence number */ auth_context->remote_seq_number = (*repl)->seq_number; clean_scratch: memset(scratch.data, 0, scratch.length); krb5_free_ap_rep(context, reply); free(scratch.data); return retval; }