src/lib/krb5/krb/decode_kdc.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

/*
 * $Source$
 * $Author$
 *
 * Copyright 1990 by the Massachusetts Institute of Technology.
 *
 * For copying and distribution information, please see the file
 * <krb5/mit-copyright.h>.
 *
 * krb5_decode_kdc_rep() function.
 */

#if !defined(lint) && !defined(SABER)
static char rcsid_decode_kdc_c[] =
"$Id$";
#endif	/* !lint & !SABER */

#include <krb5/copyright.h>

#include <krb5/krb5.h>
#include <krb5/krb5_err.h>
#include <krb5/isode_err.h>
#include <krb5/asn1.h>

#include <errno.h>

#include <krb5/ext-proto.h>

/* array of pointers into encryption systems */
extern krb5_cs_table_entry *csarray[];
extern int max_cryptosystem;

/*
 Takes a KDC_REP message and decrypts encrypted part using etype and
 *key, putting result in *rep.
 dec_rep->client,ticket,session.last_req,server,caddrs
 are all set to allocated storage which should be freed by the caller
 when finished with the response.

 If the response isn't a KDC_REP (tgs or as), it returns an error from
 the decoding routines (usually ISODE_50_LOCAL_ERR_BADDECODE).

 returns errors from encryption routines, system errors
 */

krb5_error_code
krb5_decode_kdc_rep(enc_rep, key, etype, dec_rep)
krb5_data *enc_rep;
krb5_keyblock *key;
krb5_enctype etype;
krb5_kdc_rep **dec_rep;
{
    krb5_error_code retval;
    krb5_kdc_rep *local_dec_rep;
    krb5_encrypt_block eblock;
    krb5_data scratch;
    krb5_enc_kdc_rep_part *local_encpart;


    /* XXX maybe caller should specify type expected? */
    retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
    switch (retval) {
    case ISODE_50_LOCAL_ERR_BADMSGTYPE:
	retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
	switch (retval) {
	case 0:
	    break;
	default:
	    return(retval);
	}
    case 0:
	break;
    default:
	return (retval);
    }
    scratch.length = local_dec_rep->enc_part.length;
    if (!(scratch.data = malloc(local_dec_rep->enc_part.length))) {
	krb5_free_kdc_rep(local_dec_rep);
	return(ENOMEM);
    }

    if (!valid_etype(local_dec_rep->etype))
	return KRB5KDC_ERR_ETYPE_NOSUPP;

    /* put together an eblock for this encryption */

    eblock.crypto_entry = csarray[local_dec_rep->etype]->system;

    /* do any necessary key pre-processing */
    if (retval = (*eblock.crypto_entry->process_key)(&eblock, key)) {
	krb5_free_kdc_rep(local_dec_rep);
	free(scratch.data);
	return(retval);
    }

    /* call the encryption routine */
    if (retval =
	(*eblock.crypto_entry->decrypt_func)((krb5_pointer) local_dec_rep->enc_part.data,
					     (krb5_pointer) scratch.data,
					     scratch.length, &eblock)) {
	(void) (*eblock.crypto_entry->finish_key)(&eblock);
	krb5_free_kdc_rep(local_dec_rep);
	free(scratch.data);
	return retval;
    }
#define clean_scratch() {bzero(scratch.data, scratch.length); free(scratch.data);}
    if (retval = (*eblock.crypto_entry->finish_key)(&eblock)) {
	krb5_free_kdc_rep(local_dec_rep);
	clean_scratch();
	return retval;
    }
    if (retval = decode_krb5_enc_kdc_rep_part(&scratch, &local_encpart)) {
	krb5_free_kdc_rep(local_dec_rep);
	clean_scratch();
	return retval;
    }
    clean_scratch();

    local_dec_rep->enc_part2 = local_encpart;
    *dec_rep = local_dec_rep;
    return 0;
}