[heimdal.git] / lib / krb5 / test_mkforwardable.c
1 /*
2 * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * Copyright (c) 2021 Isaac Boukris
5 * All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the Institute nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
35 #include "krb5_locl.h"
/*
 * Usage: mkforwardable server out_ccache
 *
 * The default cache contains a ticket to server, and the default keytab
 * contains a key to decrypt it. The ticket is decrypted, the forwardable
 * flag is added, and the ticket is then re-encrypted and stored in
 * out_ccache.
 */
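/* Library context shared by every helper in this program; main() initialises it. */
static krb5_context context;

/*
 * Abort the program if a krb5 call failed.
 *
 * A zero code means success and returns immediately.  Any other code is
 * reported on stderr and the process is terminated with abort(), so the
 * callers in this file never continue past a failed call.
 */
static void
check(krb5_error_code code)
{
    const char *errmsg;

    if (code == 0)
        return;

    errmsg = krb5_get_error_message(context, code);
    if (errmsg != NULL) {
        fprintf(stderr, "%s\n", errmsg);
        krb5_free_error_message(context, errmsg);
    } else {
        /*
         * The lookup may yield no text (e.g. on allocation failure);
         * handing NULL to %s is undefined behaviour, so print the raw code.
         */
        fprintf(stderr, "krb5 error %d\n", (int)code);
    }

    abort();
}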
/*
 * Decrypt the encrypted part of a ticket and decode the result.
 *
 * key    - key used to set up the crypto handle
 * etype  - encryption type handed to krb5_crypto_init()
 * ticket - ticket whose enc_part is decrypted with key usage KRB5_KU_TICKET
 * et     - receives the decoded EncTicketPart; main() releases it with
 *          free_EncTicketPart()
 *
 * Every failure is routed through check(), which aborts the process.
 */
static void
decrypt_ticket_enc_part(EncryptionKey *key,
                        krb5_enctype etype,
                        Ticket *ticket,
                        EncTicketPart *et)
{
    krb5_crypto crypto;
    krb5_data cleartext;
    size_t decoded_len;

    check(krb5_crypto_init(context, key, etype, &crypto));

    check(krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_TICKET,
                                     &ticket->enc_part, &cleartext));

    /* The decoder's size output is collected but not examined here. */
    check(decode_EncTicketPart(cleartext.data, cleartext.length, et,
                               &decoded_len));

    /*
     * NOTE(review): cleartext is the decrypted ticket body; it is released
     * here without an explicit wipe.  Presumably fine for a short-lived
     * test helper -- confirm before reusing this code elsewhere.
     */
    krb5_data_free(&cleartext);
    krb5_crypto_destroy(context, crypto);
}
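/*
 * Encode an EncTicketPart and encrypt it into a ticket's enc_part.
 *
 * key    - key used to set up the crypto handle
 * etype  - encryption type handed to krb5_crypto_init()
 * skvno  - key version number passed to krb5_encrypt_EncryptedData()
 * et     - ticket body to encode
 * ticket - ticket whose enc_part receives the new ciphertext; main() frees
 *          the previous enc_part before calling this function
 *
 * Every failure is routed through check(), which aborts the process.
 */
static void
encrypt_ticket_enc_part(EncryptionKey *key,
                        krb5_enctype etype,
                        krb5_kvno skvno,
                        EncTicketPart *et,
                        Ticket *ticket)
{
    size_t len, size;
    char *buf;
    krb5_error_code ret;
    krb5_crypto crypto;

    ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, et, &size, ret);
    check(ret);
    /*
     * The encoder reports both the buffer length and the bytes it actually
     * wrote.  A mismatch means the buffer does not hold exactly one
     * encoding, so refuse to encrypt it.
     */
    if (len != size)
        krb5_abortx(context, "internal error in ASN.1 encoder");

    check(krb5_crypto_init(context, key, etype, &crypto));
    ret = krb5_encrypt_EncryptedData(context,
                                     crypto,
                                     KRB5_KU_TICKET,
                                     buf,
                                     len,
                                     skvno,
                                     &ticket->enc_part);
    check(ret);

    /* buf is the plaintext ticket body; it is freed without being wiped. */
    free(buf);
    krb5_crypto_destroy(context, crypto);
}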
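/*
 * mkforwardable server out_ccache
 *
 * Looks up the ticket for `server` in the default credential cache, decrypts
 * it with the matching key from the default keytab, sets the forwardable
 * flag, re-encrypts it with the same key and kvno, and stores the resulting
 * credential in a freshly initialised cache named by `out_ccache`.
 *
 * Returns 0 on success.  Usage and context-initialisation errors exit via
 * errx(); every later failure aborts through check().
 */
int
main(int argc, char **argv)
{
    krb5_error_code ret;
    krb5_keytab kt;
    krb5_keytab_entry entry;
    krb5_enctype etype;
    krb5_creds mc, cred;
    krb5_ccache ccache;
    EncTicketPart et;
    Ticket ticket;
    size_t size;
    krb5_kvno kvno = 0;

    memset(&cred, 0, sizeof(cred));

    if (argc != 3)
        errx(1, "Usage: mkforwardable server out_ccache");

    ret = krb5_init_context(&context);
    if (ret)
        /* krb5_error_code is signed; print it with a matching conversion. */
        errx(1, "krb5_init_context failed: %d", (int)ret);

    check(krb5_cc_default(context, &ccache));

    /* Build the match credential: only the server principal is filled in. */
    krb5_cc_clear_mcred(&mc);
    check(krb5_parse_name(context, argv[1], &mc.server));

    check(krb5_cc_retrieve_cred(context, ccache, 0, &mc, &cred));

    check(decode_Ticket(cred.ticket.data, cred.ticket.length, &ticket, NULL));

    /* Use the enctype and, when present, the kvno the ticket was issued with. */
    etype = ticket.enc_part.etype;
    if (ticket.enc_part.kvno != NULL)
        kvno = *ticket.enc_part.kvno;

    check(krb5_kt_default(context, &kt));
    check(krb5_kt_get_entry(context, kt, mc.server, kvno, etype, &entry));

    decrypt_ticket_enc_part(&entry.keyblock, etype, &ticket, &et);

    /*
     * The flag sits in the part of the ticket that is encrypted with the
     * service's own key, which is why holding that key is enough to change
     * it here.  NOTE(review): a consumer of such a ticket presumably has to
     * rely on checks beyond this flag -- confirm against the tests that use
     * this helper.
     */
    et.flags.forwardable = 1;
    cred.flags.b = et.flags;    /* keep the cached copy of the flags in step */

    /* Drop the old ciphertext before the new one is written in its place. */
    free_EncryptedData(&ticket.enc_part);
    encrypt_ticket_enc_part(&entry.keyblock, etype, kvno, &et, &ticket);

    krb5_data_free(&cred.ticket);
    ASN1_MALLOC_ENCODE(Ticket, cred.ticket.data, cred.ticket.length, &ticket,
                       &size, ret);
    check(ret);
    /* Refuse to store a ticket whose encoding does not fill the buffer. */
    if (cred.ticket.length != size)
        krb5_abortx(context, "internal error in ASN.1 encoder");

    /* Done with the source cache; the same handle is reused for the output. */
    krb5_cc_close(context, ccache);

    check(krb5_cc_resolve(context, argv[2], &ccache));
    check(krb5_cc_initialize(context, ccache, cred.client));
    check(krb5_cc_store_cred(context, ccache, &cred));

    free_Ticket(&ticket);
    free_EncTicketPart(&et);
    krb5_cc_close(context, ccache);
    krb5_free_principal(context, mc.server);
    krb5_free_cred_contents(context, &cred);
    krb5_kt_free_entry(context, &entry);
    krb5_kt_close(context, kt);

    return 0;
}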