search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kadmin: kadmind_dispatch do not write NULL 'rsp' to 'out'
[heimdal.git] / kuser / kimpersonate.c
blob8395477b6f752ce9df5264920b18fb49256fd7d2
1 /*
2 * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kuser_locl.h"
35 #include <parse_units.h>
36
37 static char *client_principal_str = NULL;
38 static krb5_principal client_principal;
39 static char *server_principal_str = NULL;
40 static krb5_principal server_principal;
41
42 static char *ccache_str = NULL;
43
44 static char *ticket_flags_str = NULL;
45 static TicketFlags ticket_flags;
46 static char *keytab_file = NULL;
47 static char *enctype_string = NULL;
48 static char *session_enctype_string = NULL;
49 static int expiration_time = 3600;
50 static struct getarg_strings client_addresses;
51 static int version_flag = 0;
52 static int help_flag = 0;
53 static int use_krb5 = 1;
54 static int add_to_ccache = 0;
55 static int use_referral_realm = 0;
56
57 static const char *enc_type = "aes256-cts-hmac-sha1-96";
58 static const char *session_enc_type = NULL;
59
60 static void
61 encode_ticket(krb5_context context,
62 EncryptionKey *skey,
63 krb5_enctype etype,
64 int skvno,
65 krb5_creds *cred)
66 {
67 size_t len, size;
68 char *buf;
69 krb5_error_code ret;
70 krb5_crypto crypto;
71 EncryptedData enc_part;
72 EncTicketPart et;
73 Ticket ticket;
74
75 memset(&enc_part, 0, sizeof(enc_part));
76 memset(&ticket, 0, sizeof(ticket));
77
78 /*
79 * Set up `enc_part'
80 */
81
82 et.flags = cred->flags.b;
83 et.key = cred->session;
84 et.crealm = cred->client->realm;
85 et.cname = cred->client->name;
86 {
87 krb5_data empty_string;
88
89 krb5_data_zero(&empty_string);
90 et.transited.tr_type = domain_X500_Compress;
91 et.transited.contents = empty_string;
92 }
93 et.authtime = cred->times.authtime;
94 et.starttime = NULL;
95 et.endtime = cred->times.endtime;
96 et.renew_till = NULL;
97 et.caddr = &cred->addresses;
98 et.authorization_data = NULL; /* XXX allow random authorization_data */
99
100 /*
101 * Encrypt `enc_part' of ticket with service key
102 */
103
104 ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
105 if (ret)
106 krb5_err(context, 1, ret, "EncTicketPart");
107
108 ret = krb5_crypto_init(context, skey, etype, &crypto);
109 if (ret)
110 krb5_err(context, 1, ret, "krb5_crypto_init");
111 ret = krb5_encrypt_EncryptedData(context,
112 crypto,
113 KRB5_KU_TICKET,
114 buf,
115 len,
116 skvno,
117 &ticket.enc_part);
118 if (ret)
119 krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
120
121 free(buf);
122 krb5_crypto_destroy(context, crypto);
123
124 /*
125 * Encode ticket
126 */
127
128 ticket.tkt_vno = 5;
129 ticket.realm = cred->server->realm;
130 ticket.sname = cred->server->name;
131 ASN1_MALLOC_ENCODE(Ticket, cred->ticket.data, cred->ticket.length, &ticket, &size, ret);
132 free_EncryptedData(&ticket.enc_part);
133 if(ret)
134 krb5_err(context, 1, ret, "encode_Ticket");
135 }
136
137 /*
138 *
139 */
140
141 static int
142 create_krb5_tickets(krb5_context context, krb5_keytab kt)
143 {
144 krb5_error_code ret;
145 krb5_keytab_entry entry;
146 krb5_creds cred;
147 krb5_enctype etype;
148 krb5_enctype session_etype;
149 krb5_ccache ccache;
150
151 memset(&cred, 0, sizeof(cred));
152
153 ret = krb5_string_to_enctype(context, enc_type, &etype);
154 if (ret)
155 krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
156 ret = krb5_string_to_enctype(context, session_enc_type, &session_etype);
157 if (ret)
158 krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
159 ret = krb5_kt_get_entry(context, kt, server_principal, 0, etype, &entry);
160 if (ret)
161 krb5_err(context, 1, ret, "krb5_kt_get_entry (perhaps use different --enc-type)");
162
163 /*
164 * setup cred
165 */
166
167
168 ret = krb5_copy_principal(context, client_principal, &cred.client);
169 if (ret == 0)
170 ret = krb5_copy_principal(context, server_principal, &cred.server);
171 if (ret)
172 krb5_err(context, 1, ret, "krb5_copy_principal");
173 ret = krb5_generate_random_keyblock(context, session_etype, &cred.session);
174 if (ret)
175 krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
176
177 cred.times.authtime = time(NULL);
178 cred.times.starttime = time(NULL);
179 cred.times.endtime = time(NULL) + expiration_time;
180 cred.times.renew_till = 0;
181 krb5_data_zero(&cred.second_ticket);
182
183 ret = krb5_get_all_client_addrs(context, &cred.addresses);
184 if (ret)
185 krb5_err(context, 1, ret, "krb5_get_all_client_addrs");
186 cred.flags.b = ticket_flags;
187
188
189 /*
190 * Encode encrypted part of ticket
191 */
192
193 encode_ticket(context, &entry.keyblock, etype, entry.vno, &cred);
194 krb5_kt_free_entry(context, &entry);
195
196 /*
197 * Write to cc
198 */
199
200 if (ccache_str) {
201 ret = krb5_cc_resolve(context, ccache_str, &ccache);
202 if (ret)
203 krb5_err(context, 1, ret, "krb5_cc_resolve");
204 } else {
205 ret = krb5_cc_default(context, &ccache);
206 if (ret)
207 krb5_err(context, 1, ret, "krb5_cc_default");
208 }
209
210 if (add_to_ccache) {
211 krb5_principal def_princ = NULL;
212
213 /*
214 * Force fcache to read the ccache header, otherwise the store
215 * will fail.
216 */
217 ret = krb5_cc_get_principal(context, ccache, &def_princ);
218 if (ret) {
219 krb5_warn(context, ret,
220 "Given ccache appears not to exist; initializing it");
221 ret = krb5_cc_initialize(context, ccache, cred.client);
222 if (ret)
223 krb5_err(context, 1, ret, "krb5_cc_initialize");
224 }
225 krb5_free_principal(context, def_princ);
226 } else {
227 ret = krb5_cc_initialize(context, ccache, cred.client);
228 if (ret)
229 krb5_err(context, 1, ret, "krb5_cc_initialize");
230 }
231
232 if (use_referral_realm &&
233 strcmp(krb5_principal_get_realm(context, cred.server), "") != 0) {
234 krb5_free_principal(context, cred.server);
235 ret = krb5_copy_principal(context, server_principal, &cred.server);
236 if (ret)
237 krb5_err(context, 1, ret, "krb5_copy_principal");
238 ret = krb5_principal_set_realm(context, cred.server, "");
239 if (ret)
240 krb5_err(context, 1, ret, "krb5_principal_set_realm");
241 ret = krb5_cc_store_cred(context, ccache, &cred);
242 if (ret)
243 krb5_err(context, 1, ret, "krb5_cc_store_cred");
244
245 krb5_free_principal(context, cred.server);
246 ret = krb5_copy_principal(context, server_principal, &cred.server);
247 if (ret)
248 krb5_err(context, 1, ret, "krb5_copy_principal");
249 }
250 ret = krb5_cc_store_cred(context, ccache, &cred);
251 if (ret)
252 krb5_err(context, 1, ret, "krb5_cc_store_cred");
253
254 krb5_free_cred_contents(context, &cred);
255 krb5_cc_close(context, ccache);
256
257 return 0;
258 }
259
260 /*
261 *
262 */
263
264 static void
265 setup_env(krb5_context context, krb5_keytab *kt)
266 {
267 krb5_error_code ret;
268
269 if (keytab_file)
270 ret = krb5_kt_resolve(context, keytab_file, kt);
271 else
272 ret = krb5_kt_default(context, kt);
273 if (ret)
274 krb5_err(context, 1, ret, "resolving keytab");
275
276 if (client_principal_str == NULL)
277 krb5_errx(context, 1, "missing client principal");
278 ret = krb5_parse_name(context, client_principal_str, &client_principal);
279 if (ret)
280 krb5_err(context, 1, ret, "resolvning client name");
281
282 if (server_principal_str == NULL)
283 krb5_errx(context, 1, "missing server principal");
284 ret = krb5_parse_name(context, server_principal_str, &server_principal);
285 if (ret)
286 krb5_err(context, 1, ret, "resolvning server name");
287
288 /* If no session-enc-type specified on command line and this is an afs */
289 /* service ticket, change default of session_enc_type to DES. */
290 if (session_enctype_string == NULL
291 && strcmp("afs", *server_principal->name.name_string.val) == 0)
292 session_enc_type = "des-cbc-crc";
293
294 if (ticket_flags_str) {
295 int ticket_flags_int;
296
297 ticket_flags_int = parse_flags(ticket_flags_str,
298 asn1_TicketFlags_units(), 0);
299 if (ticket_flags_int <= 0) {
300 krb5_warnx(context, "bad ticket flags: `%s'", ticket_flags_str);
301 print_flags_table(asn1_TicketFlags_units(), stderr);
302 exit(1);
303 }
304 if (ticket_flags_int)
305 ticket_flags = int2TicketFlags(ticket_flags_int);
306 }
307 }
308
309 /*
310 *
311 */
312
313 struct getargs args[] = {
314 { "ccache", 0, arg_string, &ccache_str,
315 "name of kerberos 5 credential cache", "cache-name"},
316 { "server", 's', arg_string, &server_principal_str,
317 "name of server principal", NULL },
318 { "client", 'c', arg_string, &client_principal_str,
319 "name of client principal", NULL },
320 { "keytab", 'k', arg_string, &keytab_file,
321 "name of keytab file", NULL },
322 { "krb5", '5', arg_flag, &use_krb5,
323 "create a kerberos 5 ticket", NULL },
324 { "add", 'A', arg_flag, &add_to_ccache,
325 "add to ccache without re-initializing it", NULL },
326 { "referral", 'R', arg_flag, &use_referral_realm,
327 "store an additional entry for the service with the empty realm", NULL },
328 { "expire-time", 'e', arg_integer, &expiration_time,
329 "lifetime of ticket in seconds", NULL },
330 { "client-addresses", 'a', arg_strings, &client_addresses,
331 "addresses of client", NULL },
332 { "enc-type", 't', arg_string, &enctype_string,
333 "encryption type", NULL },
334 { "session-enc-type", 0, arg_string,&session_enctype_string,
335 "encryption type", NULL },
336 { "ticket-flags", 'f', arg_string, &ticket_flags_str,
337 "ticket flags for krb5 ticket", NULL },
338 { "version", 0, arg_flag, &version_flag, "Print version",
339 NULL },
340 { "help", 0, arg_flag, &help_flag, NULL,
341 NULL }
342 };
343
344 static void
345 usage(int ret)
346 {
347 arg_printusage(args,
348 sizeof(args) / sizeof(args[0]),
349 NULL,
350 "");
351 exit(ret);
352 }
353
354 int
355 main(int argc, char **argv)
356 {
357 int optidx = 0;
358 krb5_error_code ret;
359 krb5_context context;
360 krb5_keytab kt;
361
362 setprogname(argv[0]);
363
364 ret = krb5_init_context(&context);
365 if (ret)
366 errx(1, "krb5_init_context failed: %u", ret);
367
368 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
369 usage(1);
370
371 if (help_flag)
372 usage(0);
373
374 if (version_flag) {
375 print_version(NULL);
376 return 0;
377 }
378
379 if (enctype_string)
380 enc_type = enctype_string;
381 if (session_enctype_string)
382 session_enc_type = session_enctype_string;
383 else
384 session_enc_type = enc_type;
385
386 setup_env(context, &kt);
387
388 if (use_krb5)
389 create_krb5_tickets(context, kt);
390
391 krb5_kt_close(context, kt);
392 krb5_free_context(context);
393
394 return 0;
395 }
Heimdal