search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gss: free user keytab before resolving system keytab
[heimdal.git] / kuser / kimpersonate.c
blobb1cefea0fd496722f21da58c66c4139bfc9ca5cc
1 /*
2 * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kuser_locl.h"
35 #include <parse_units.h>
36
37 static char *client_principal_str = NULL;
38 static krb5_principal client_principal;
39 static char *server_principal_str = NULL;
40 static krb5_principal server_principal;
41
42 static char *ccache_str = NULL;
43
44 static char *ticket_flags_str = NULL;
45 static TicketFlags ticket_flags;
46 static char *keytab_file = NULL;
47 static char *enctype_string = NULL;
48 static char *session_enctype_string = NULL;
49 static int expiration_time = 3600;
50 static struct getarg_strings client_addresses;
51 static int version_flag = 0;
52 static int help_flag = 0;
53 static int use_krb5 = 1;
54 static int add_to_ccache = 0;
55 static int use_referral_realm = 0;
56
57 static const char *enc_type = "aes256-cts-hmac-sha1-96";
58 static const char *session_enc_type = NULL;
59
60 static void
61 encode_ticket(krb5_context context,
62 EncryptionKey *skey,
63 krb5_enctype etype,
64 int skvno,
65 krb5_creds *cred)
66 {
67 size_t len, size;
68 char *buf;
69 krb5_error_code ret;
70 krb5_crypto crypto;
71 EncryptedData enc_part;
72 EncTicketPart et;
73 Ticket ticket;
74
75 memset(&enc_part, 0, sizeof(enc_part));
76 memset(&ticket, 0, sizeof(ticket));
77
78 /*
79 * Set up `enc_part'
80 */
81
82 et.flags = cred->flags.b;
83 et.key = cred->session;
84 et.crealm = cred->client->realm;
85 ret = copy_PrincipalName(&cred->client->name, &et.cname);
86 if (ret)
87 krb5_err(context, 1, ret, "copy_PrincipalName");
88 {
89 krb5_data empty_string;
90
91 krb5_data_zero(&empty_string);
92 et.transited.tr_type = DOMAIN_X500_COMPRESS;
93 et.transited.contents = empty_string;
94 }
95 et.authtime = cred->times.authtime;
96 et.starttime = NULL;
97 et.endtime = cred->times.endtime;
98 et.renew_till = NULL;
99 et.caddr = &cred->addresses;
100 et.authorization_data = NULL; /* XXX allow random authorization_data */
101
102 /*
103 * Encrypt `enc_part' of ticket with service key
104 */
105
106 ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
107 if (ret)
108 krb5_err(context, 1, ret, "EncTicketPart");
109
110 ret = krb5_crypto_init(context, skey, etype, &crypto);
111 if (ret)
112 krb5_err(context, 1, ret, "krb5_crypto_init");
113 ret = krb5_encrypt_EncryptedData(context,
114 crypto,
115 KRB5_KU_TICKET,
116 buf,
117 len,
118 skvno,
119 &ticket.enc_part);
120 if (ret)
121 krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
122
123 free(buf);
124 krb5_crypto_destroy(context, crypto);
125
126 /*
127 * Encode ticket
128 */
129
130 ticket.tkt_vno = 5;
131 ticket.realm = cred->server->realm;
132 ret = copy_PrincipalName(&cred->server->name, &ticket.sname);
133 if (ret)
134 krb5_err(context, 1, ret, "copy_PrincipalName");
135
136 ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
137 if(ret)
138 krb5_err(context, 1, ret, "encode_Ticket");
139
140 krb5_data_copy(&cred->ticket, buf, len);
141 free(buf);
142 }
143
144 /*
145 *
146 */
147
148 static int
149 create_krb5_tickets(krb5_context context, krb5_keytab kt)
150 {
151 krb5_error_code ret;
152 krb5_keytab_entry entry;
153 krb5_creds cred;
154 krb5_enctype etype;
155 krb5_enctype session_etype;
156 krb5_ccache ccache;
157
158 memset(&cred, 0, sizeof(cred));
159
160 ret = krb5_string_to_enctype(context, enc_type, &etype);
161 if (ret)
162 krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
163 ret = krb5_string_to_enctype(context, session_enc_type, &session_etype);
164 if (ret)
165 krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
166 ret = krb5_kt_get_entry(context, kt, server_principal, 0, etype, &entry);
167 if (ret)
168 krb5_err(context, 1, ret, "krb5_kt_get_entry (perhaps use different --enc-type)");
169
170 /*
171 * setup cred
172 */
173
174
175 ret = krb5_copy_principal(context, client_principal, &cred.client);
176 if (ret)
177 krb5_err(context, 1, ret, "krb5_copy_principal");
178 ret = krb5_copy_principal(context, server_principal, &cred.server);
179 if (ret)
180 krb5_err(context, 1, ret, "krb5_copy_principal");
181 krb5_generate_random_keyblock(context, session_etype, &cred.session);
182
183 cred.times.authtime = time(NULL);
184 cred.times.starttime = time(NULL);
185 cred.times.endtime = time(NULL) + expiration_time;
186 cred.times.renew_till = 0;
187 krb5_data_zero(&cred.second_ticket);
188
189 ret = krb5_get_all_client_addrs(context, &cred.addresses);
190 if (ret)
191 krb5_err(context, 1, ret, "krb5_get_all_client_addrs");
192 cred.flags.b = ticket_flags;
193
194
195 /*
196 * Encode encrypted part of ticket
197 */
198
199 encode_ticket(context, &entry.keyblock, etype, entry.vno, &cred);
200 krb5_kt_free_entry(context, &entry);
201
202 /*
203 * Write to cc
204 */
205
206 if (ccache_str) {
207 ret = krb5_cc_resolve(context, ccache_str, &ccache);
208 if (ret)
209 krb5_err(context, 1, ret, "krb5_cc_resolve");
210 } else {
211 ret = krb5_cc_default(context, &ccache);
212 if (ret)
213 krb5_err(context, 1, ret, "krb5_cc_default");
214 }
215
216 if (add_to_ccache) {
217 krb5_principal def_princ;
218
219 /*
220 * Force fcache to read the ccache header, otherwise the store
221 * will fail.
222 */
223 ret = krb5_cc_get_principal(context, ccache, &def_princ);
224 if (ret) {
225 krb5_warn(context, ret,
226 "Given ccache appears not to exist; initializing it");
227 ret = krb5_cc_initialize(context, ccache, cred.client);
228 if (ret)
229 krb5_err(context, 1, ret, "krb5_cc_initialize");
230 }
231 krb5_free_principal(context, def_princ);
232 } else {
233 ret = krb5_cc_initialize(context, ccache, cred.client);
234 if (ret)
235 krb5_err(context, 1, ret, "krb5_cc_initialize");
236 }
237
238 if (use_referral_realm &&
239 strcmp(krb5_principal_get_realm(context, cred.server), "") != 0) {
240 krb5_free_principal(context, cred.server);
241 ret = krb5_copy_principal(context, server_principal, &cred.server);
242 if (ret)
243 krb5_err(context, 1, ret, "krb5_copy_principal");
244 ret = krb5_principal_set_realm(context, cred.server, "");
245 if (ret)
246 krb5_err(context, 1, ret, "krb5_principal_set_realm");
247 ret = krb5_cc_store_cred(context, ccache, &cred);
248 if (ret)
249 krb5_err(context, 1, ret, "krb5_cc_store_cred");
250
251 krb5_free_principal(context, cred.server);
252 ret = krb5_copy_principal(context, server_principal, &cred.server);
253 if (ret)
254 krb5_err(context, 1, ret, "krb5_copy_principal");
255 }
256 ret = krb5_cc_store_cred(context, ccache, &cred);
257 if (ret)
258 krb5_err(context, 1, ret, "krb5_cc_store_cred");
259
260 krb5_free_cred_contents(context, &cred);
261 krb5_cc_close(context, ccache);
262
263 return 0;
264 }
265
266 /*
267 *
268 */
269
270 static void
271 setup_env(krb5_context context, krb5_keytab *kt)
272 {
273 krb5_error_code ret;
274
275 if (keytab_file)
276 ret = krb5_kt_resolve(context, keytab_file, kt);
277 else
278 ret = krb5_kt_default(context, kt);
279 if (ret)
280 krb5_err(context, 1, ret, "resolving keytab");
281
282 if (client_principal_str == NULL)
283 krb5_errx(context, 1, "missing client principal");
284 ret = krb5_parse_name(context, client_principal_str, &client_principal);
285 if (ret)
286 krb5_err(context, 1, ret, "resolvning client name");
287
288 if (server_principal_str == NULL)
289 krb5_errx(context, 1, "missing server principal");
290 ret = krb5_parse_name(context, server_principal_str, &server_principal);
291 if (ret)
292 krb5_err(context, 1, ret, "resolvning server name");
293
294 /* If no session-enc-type specified on command line and this is an afs */
295 /* service ticket, change default of session_enc_type to DES. */
296 if (session_enctype_string == NULL
297 && strcmp("afs", *server_principal->name.name_string.val) == 0)
298 session_enc_type = "des-cbc-crc";
299
300 if (ticket_flags_str) {
301 int ticket_flags_int;
302
303 ticket_flags_int = parse_flags(ticket_flags_str,
304 asn1_TicketFlags_units(), 0);
305 if (ticket_flags_int <= 0) {
306 krb5_warnx(context, "bad ticket flags: `%s'", ticket_flags_str);
307 print_flags_table(asn1_TicketFlags_units(), stderr);
308 exit(1);
309 }
310 if (ticket_flags_int)
311 ticket_flags = int2TicketFlags(ticket_flags_int);
312 }
313 }
314
315 /*
316 *
317 */
318
319 struct getargs args[] = {
320 { "ccache", 0, arg_string, &ccache_str,
321 "name of kerberos 5 credential cache", "cache-name"},
322 { "server", 's', arg_string, &server_principal_str,
323 "name of server principal", NULL },
324 { "client", 'c', arg_string, &client_principal_str,
325 "name of client principal", NULL },
326 { "keytab", 'k', arg_string, &keytab_file,
327 "name of keytab file", NULL },
328 { "krb5", '5', arg_flag, &use_krb5,
329 "create a kerberos 5 ticket", NULL },
330 { "add", 'A', arg_flag, &add_to_ccache,
331 "add to ccache without re-initializing it", NULL },
332 { "referral", 'R', arg_flag, &use_referral_realm,
333 "store an additional entry for the service with the empty realm", NULL },
334 { "expire-time", 'e', arg_integer, &expiration_time,
335 "lifetime of ticket in seconds", NULL },
336 { "client-addresses", 'a', arg_strings, &client_addresses,
337 "addresses of client", NULL },
338 { "enc-type", 't', arg_string, &enctype_string,
339 "encryption type", NULL },
340 { "session-enc-type", 0, arg_string,&session_enctype_string,
341 "encryption type", NULL },
342 { "ticket-flags", 'f', arg_string, &ticket_flags_str,
343 "ticket flags for krb5 ticket", NULL },
344 { "version", 0, arg_flag, &version_flag, "Print version",
345 NULL },
346 { "help", 0, arg_flag, &help_flag, NULL,
347 NULL }
348 };
349
350 static void
351 usage(int ret)
352 {
353 arg_printusage(args,
354 sizeof(args) / sizeof(args[0]),
355 NULL,
356 "");
357 exit(ret);
358 }
359
360 int
361 main(int argc, char **argv)
362 {
363 int optidx = 0;
364 krb5_error_code ret;
365 krb5_context context;
366 krb5_keytab kt;
367
368 setprogname(argv[0]);
369
370 ret = krb5_init_context(&context);
371 if (ret)
372 errx(1, "krb5_init_context failed: %u", ret);
373
374 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
375 usage(1);
376
377 if (help_flag)
378 usage(0);
379
380 if (version_flag) {
381 print_version(NULL);
382 return 0;
383 }
384
385 if (enctype_string)
386 enc_type = enctype_string;
387 if (session_enctype_string)
388 session_enc_type = session_enctype_string;
389 else
390 session_enc_type = enc_type;
391
392 setup_env(context, &kt);
393
394 if (use_krb5)
395 create_krb5_tickets(context, kt);
396
397 krb5_kt_close(context, kt);
398
399 return 0;
400 }
Heimdal