1 /* 2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * lib/krb5/krb/rd_rep.c 10 * 11 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 12 * All Rights Reserved. 13 * 14 * Export of this software from the United States of America may 15 * require a specific license from the United States Government. 16 * It is the responsibility of any person or organization contemplating 17 * export to obtain such a license before exporting. 18 * 19 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 20 * distribute this software and its documentation for any purpose and 21 * without fee is hereby granted, provided that the above copyright 22 * notice appear in all copies and that both that copyright notice and 23 * this permission notice appear in supporting documentation, and that 24 * the name of M.I.T. not be used in advertising or publicity pertaining 25 * to distribution of the software without specific, written prior 26 * permission. Furthermore if you modify this software you must label 27 * your software as modified software and not distribute it in such a 28 * fashion that it might be confused with the original M.I.T. software. 29 * M.I.T. makes no representations about the suitability of 30 * this software for any purpose. It is provided "as is" without express 31 * or implied warranty. 32 * 33 * 34 * krb5_rd_rep() 35 */ 36 37 #include <k5-int.h> 38 #include <auth_con.h> 39 40 /* 41 * Parses a KRB_AP_REP message, returning its contents. 42 * 43 * repl is filled in with with a pointer to allocated memory containing 44 * the fields from the encrypted response. 45 * 46 * the key in kblock is used to decrypt the message. 47 * 48 * returns system errors, encryption errors, replay errors 49 */ 50 51 krb5_error_code KRB5_CALLCONV 52 krb5_rd_rep( 53 krb5_context context, 54 krb5_auth_context auth_context, 55 const krb5_data * inbuf, 56 krb5_ap_rep_enc_part * *repl) 57 { 58 krb5_error_code retval; 59 krb5_ap_rep * reply; 60 krb5_data scratch; 61 62 if (!krb5_is_ap_rep(inbuf)) 63 return KRB5KRB_AP_ERR_MSG_TYPE; 64 65 /* decode it */ 66 67 if ((retval = decode_krb5_ap_rep(inbuf, &reply))) 68 return retval; 69 70 /* put together an eblock for this encryption */ 71 72 scratch.length = reply->enc_part.ciphertext.length; 73 if (!(scratch.data = malloc(scratch.length))) { 74 krb5_free_ap_rep(context, reply); 75 return(ENOMEM); 76 } 77 78 retval = krb5_c_decrypt(context, auth_context->keyblock, 79 KRB5_KEYUSAGE_AP_REP_ENCPART, 0, 80 &reply->enc_part, &scratch); 81 if (retval) 82 goto clean_scratch; 83 84 /* now decode the decrypted stuff */ 85 retval = decode_krb5_ap_rep_enc_part(&scratch, repl); 86 87 if (retval) 88 goto clean_scratch; 89 90 /* Check reply fields */ 91 if (((*repl)->ctime != auth_context->authentp->ctime) || 92 ((*repl)->cusec != auth_context->authentp->cusec)) { 93 retval = KRB5_MUTUAL_FAILED; 94 goto clean_scratch; 95 } 96 97 /* Set auth subkey */ 98 if ((*repl)->subkey) { 99 if (auth_context->recv_subkey) { 100 krb5_free_keyblock(context, auth_context->recv_subkey); 101 auth_context->recv_subkey = NULL; 102 } 103 retval = krb5_copy_keyblock(context, (*repl)->subkey, 104 &auth_context->recv_subkey); 105 if (retval) 106 goto clean_scratch; 107 if (auth_context->send_subkey) { 108 krb5_free_keyblock(context, auth_context->send_subkey); 109 auth_context->send_subkey = NULL; 110 } 111 retval = krb5_copy_keyblock(context, (*repl)->subkey, 112 &auth_context->send_subkey); 113 if (retval) { 114 krb5_free_keyblock(context, auth_context->send_subkey); 115 auth_context->send_subkey = NULL; 116 } 117 } 118 /* Get remote sequence number */ 119 auth_context->remote_seq_number = (*repl)->seq_number; 120 121 clean_scratch: 122 memset(scratch.data, 0, scratch.length); 123 errout: 124 krb5_free_ap_rep(context, reply); 125 free(scratch.data); 126 return retval; 127 } 128