search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
/sess-/session-/g since a few extra letter makes it easier to understand
[heimdal.git] / kuser / kimpersonate.c
blob5b37a209506c5e336fbff47970b0e3d5bc98b87e
1 /*
2 * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kuser_locl.h"
35 #include <parse_units.h>
36
37 static char *client_principal_str = NULL;
38 static krb5_principal client_principal;
39 static char *server_principal_str = NULL;
40 static krb5_principal server_principal;
41
42 static char *ccache_str = NULL;
43
44 static char *ticket_flags_str = NULL;
45 static TicketFlags ticket_flags;
46 static char *keytab_file = NULL;
47 static char *enctype_string = NULL;
48 static char *session_enctype_string = NULL;
49 static int expiration_time = 3600;
50 static struct getarg_strings client_addresses;
51 static int version_flag = 0;
52 static int help_flag = 0;
53 static int use_krb5 = 1;
54
55 static const char *enc_type = "aes256-cts-hmac-sha1-96";
56 static const char *session_enc_type = NULL;
57
58 static void
59 encode_ticket (krb5_context context,
60 EncryptionKey *skey,
61 krb5_enctype etype,
62 int skvno,
63 krb5_creds *cred)
64 {
65 size_t len, size;
66 char *buf;
67 krb5_error_code ret;
68 krb5_crypto crypto;
69 EncryptedData enc_part;
70 EncTicketPart et;
71 Ticket ticket;
72
73 memset (&enc_part, 0, sizeof(enc_part));
74 memset (&ticket, 0, sizeof(ticket));
75
76 /*
77 * Set up `enc_part'
78 */
79
80 et.flags = cred->flags.b;
81 et.key = cred->session;
82 et.crealm = cred->client->realm;
83 copy_PrincipalName(&cred->client->name, &et.cname);
84 {
85 krb5_data empty_string;
86
87 krb5_data_zero(&empty_string);
88 et.transited.tr_type = DOMAIN_X500_COMPRESS;
89 et.transited.contents = empty_string;
90 }
91 et.authtime = cred->times.authtime;
92 et.starttime = NULL;
93 et.endtime = cred->times.endtime;
94 et.renew_till = NULL;
95 et.caddr = &cred->addresses;
96 et.authorization_data = NULL; /* XXX allow random authorization_data */
97
98 /*
99 * Encrypt `enc_part' of ticket with service key
100 */
101
102 ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
103 if (ret)
104 krb5_err(context, 1, ret, "EncTicketPart");
105
106 ret = krb5_crypto_init(context, skey, etype, &crypto);
107 if (ret)
108 krb5_err(context, 1, ret, "krb5_crypto_init");
109 ret = krb5_encrypt_EncryptedData (context,
110 crypto,
111 KRB5_KU_TICKET,
112 buf,
113 len,
114 skvno,
115 &ticket.enc_part);
116 if (ret)
117 krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
118
119 free(buf);
120 krb5_crypto_destroy(context, crypto);
121
122 /*
123 * Encode ticket
124 */
125
126 ticket.tkt_vno = 5;
127 ticket.realm = cred->server->realm;
128 copy_PrincipalName(&cred->server->name, &ticket.sname);
129
130 ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
131 if(ret)
132 krb5_err (context, 1, ret, "encode_Ticket");
133
134 krb5_data_copy(&cred->ticket, buf, len);
135 free(buf);
136 }
137
138 /*
139 *
140 */
141
142 static int
143 create_krb5_tickets (krb5_context context, krb5_keytab kt)
144 {
145 krb5_error_code ret;
146 krb5_keytab_entry entry;
147 krb5_creds cred;
148 krb5_enctype etype;
149 krb5_enctype session_etype;
150 krb5_ccache ccache;
151
152 memset (&cred, 0, sizeof(cred));
153
154 ret = krb5_string_to_enctype (context, enc_type, &etype);
155 if (ret)
156 krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
157 ret = krb5_string_to_enctype (context, session_enc_type, &session_etype);
158 if (ret)
159 krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
160 ret = krb5_kt_get_entry (context, kt, server_principal,
161 0, etype, &entry);
162 if (ret)
163 krb5_err (context, 1, ret, "krb5_kt_get_entry");
164
165 /*
166 * setup cred
167 */
168
169
170 ret = krb5_copy_principal (context, client_principal, &cred.client);
171 if (ret)
172 krb5_err (context, 1, ret, "krb5_copy_principal");
173 ret = krb5_copy_principal (context, server_principal, &cred.server);
174 if (ret)
175 krb5_err (context, 1, ret, "krb5_copy_principal");
176 krb5_generate_random_keyblock(context, session_etype, &cred.session);
177
178 cred.times.authtime = time(NULL);
179 cred.times.starttime = time(NULL);
180 cred.times.endtime = time(NULL) + expiration_time;
181 cred.times.renew_till = 0;
182 krb5_data_zero(&cred.second_ticket);
183
184 ret = krb5_get_all_client_addrs (context, &cred.addresses);
185 if (ret)
186 krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
187 cred.flags.b = ticket_flags;
188
189
190 /*
191 * Encode encrypted part of ticket
192 */
193
194 encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);
195
196 /*
197 * Write to cc
198 */
199
200 if (ccache_str) {
201 ret = krb5_cc_resolve(context, ccache_str, &ccache);
202 if (ret)
203 krb5_err (context, 1, ret, "krb5_cc_resolve");
204 } else {
205 ret = krb5_cc_default (context, &ccache);
206 if (ret)
207 krb5_err (context, 1, ret, "krb5_cc_default");
208 }
209
210 ret = krb5_cc_initialize (context, ccache, cred.client);
211 if (ret)
212 krb5_err (context, 1, ret, "krb5_cc_initialize");
213
214 ret = krb5_cc_store_cred (context, ccache, &cred);
215 if (ret)
216 krb5_err (context, 1, ret, "krb5_cc_store_cred");
217
218 krb5_free_cred_contents (context, &cred);
219 krb5_cc_close (context, ccache);
220
221 return 0;
222 }
223
224 /*
225 *
226 */
227
228 static void
229 setup_env (krb5_context context, krb5_keytab *kt)
230 {
231 krb5_error_code ret;
232
233 if (keytab_file)
234 ret = krb5_kt_resolve (context, keytab_file, kt);
235 else
236 ret = krb5_kt_default (context, kt);
237 if (ret)
238 krb5_err (context, 1, ret, "resolving keytab");
239
240 if (client_principal_str == NULL)
241 krb5_errx (context, 1, "missing client principal");
242 ret = krb5_parse_name (context, client_principal_str, &client_principal);
243 if (ret)
244 krb5_err (context, 1, ret, "resolvning client name");
245
246 if (server_principal_str == NULL)
247 krb5_errx (context, 1, "missing server principal");
248 ret = krb5_parse_name (context, server_principal_str, &server_principal);
249 if (ret)
250 krb5_err (context, 1, ret, "resolvning server name");
251
252 /* If no session-enc-type specified on command line and this is an afs */
253 /* service ticket, change default of session_enc_type to DES. */
254 if (session_enctype_string == NULL
255 && strcmp("afs", *server_principal->name.name_string.val) == 0)
256 session_enc_type = "des-cbc-crc";
257
258 if (ticket_flags_str) {
259 int ticket_flags_int;
260
261 ticket_flags_int = parse_flags(ticket_flags_str,
262 asn1_TicketFlags_units(), 0);
263 if (ticket_flags_int <= 0) {
264 krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
265 print_flags_table (asn1_TicketFlags_units(), stderr);
266 exit (1);
267 }
268 if (ticket_flags_int)
269 ticket_flags = int2TicketFlags (ticket_flags_int);
270 }
271 }
272
273 /*
274 *
275 */
276
277 struct getargs args[] = {
278 { "ccache", 0, arg_string, &ccache_str,
279 "name of kerberos 5 credential cache", "cache-name"},
280 { "server", 's', arg_string, &server_principal_str,
281 "name of server principal", NULL },
282 { "client", 'c', arg_string, &client_principal_str,
283 "name of client principal", NULL },
284 { "keytab", 'k', arg_string, &keytab_file,
285 "name of keytab file", NULL },
286 { "krb5", '5', arg_flag, &use_krb5,
287 "create a kerberos 5 ticket", NULL },
288 { "expire-time", 'e', arg_integer, &expiration_time,
289 "lifetime of ticket in seconds", NULL },
290 { "client-addresses", 'a', arg_strings, &client_addresses,
291 "addresses of client", NULL },
292 { "enc-type", 't', arg_string, &enctype_string,
293 "encryption type", NULL },
294 { "session-enc-type", 0, arg_string,&session_enctype_string,
295 "encryption type", NULL },
296 { "ticket-flags", 'f', arg_string, &ticket_flags_str,
297 "ticket flags for krb5 ticket", NULL },
298 { "version", 0, arg_flag, &version_flag, "Print version",
299 NULL },
300 { "help", 0, arg_flag, &help_flag, NULL,
301 NULL }
302 };
303
304 static void
305 usage (int ret)
306 {
307 arg_printusage (args,
308 sizeof(args) / sizeof(args[0]),
309 NULL,
310 "");
311 exit (ret);
312 }
313
314 int
315 main (int argc, char **argv)
316 {
317 int optidx = 0;
318 krb5_error_code ret;
319 krb5_context context;
320 krb5_keytab kt;
321
322 setprogname (argv[0]);
323
324 ret = krb5_init_context (&context);
325 if (ret)
326 errx(1, "krb5_init_context failed: %u", ret);
327
328 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
329 usage(1);
330
331 if (help_flag)
332 usage(0);
333
334 if (version_flag) {
335 print_version(NULL);
336 return 0;
337 }
338
339 if (enctype_string)
340 enc_type = enctype_string;
341 if (session_enctype_string)
342 session_enc_type = session_enctype_string;
343 else
344 session_enc_type = enc_type;
345
346 setup_env(context, &kt);
347
348 if (use_krb5)
349 create_krb5_tickets(context, kt);
350
351 krb5_kt_close(context, kt);
352
353 return 0;
354 }
Heimdal