search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Release 6.99.1 (beta)
[heimdal.git] / kuser / kimpersonate.c
blobd2a485b3f9399fef72ddd1f40c628de8412d5e36
1 /*
2 * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kuser_locl.h"
35 #include <parse_units.h>
36
37 static char *client_principal_str = NULL;
38 static krb5_principal client_principal;
39 static char *server_principal_str = NULL;
40 static krb5_principal server_principal;
41
42 static char *ccache_str = NULL;
43
44 static char *ticket_flags_str = NULL;
45 static TicketFlags ticket_flags;
46 static char *keytab_file = NULL;
47 static char *enctype_string = NULL;
48 static char *session_enctype_string = NULL;
49 static int expiration_time = 3600;
50 static struct getarg_strings client_addresses;
51 static int version_flag = 0;
52 static int help_flag = 0;
53 static int use_krb5 = 1;
54 static int add_to_ccache = 0;
55 static int use_referral_realm = 0;
56
57 static const char *enc_type = "aes256-cts-hmac-sha1-96";
58 static const char *session_enc_type = NULL;
59
60 static void
61 encode_ticket(krb5_context context,
62 EncryptionKey *skey,
63 krb5_enctype etype,
64 int skvno,
65 krb5_creds *cred)
66 {
67 size_t len, size;
68 char *buf;
69 krb5_error_code ret;
70 krb5_crypto crypto;
71 EncryptedData enc_part;
72 EncTicketPart et;
73 Ticket ticket;
74
75 memset(&enc_part, 0, sizeof(enc_part));
76 memset(&ticket, 0, sizeof(ticket));
77
78 /*
79 * Set up `enc_part'
80 */
81
82 et.flags = cred->flags.b;
83 et.key = cred->session;
84 et.crealm = cred->client->realm;
85 copy_PrincipalName(&cred->client->name, &et.cname);
86 {
87 krb5_data empty_string;
88
89 krb5_data_zero(&empty_string);
90 et.transited.tr_type = DOMAIN_X500_COMPRESS;
91 et.transited.contents = empty_string;
92 }
93 et.authtime = cred->times.authtime;
94 et.starttime = NULL;
95 et.endtime = cred->times.endtime;
96 et.renew_till = NULL;
97 et.caddr = &cred->addresses;
98 et.authorization_data = NULL; /* XXX allow random authorization_data */
99
100 /*
101 * Encrypt `enc_part' of ticket with service key
102 */
103
104 ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
105 if (ret)
106 krb5_err(context, 1, ret, "EncTicketPart");
107
108 ret = krb5_crypto_init(context, skey, etype, &crypto);
109 if (ret)
110 krb5_err(context, 1, ret, "krb5_crypto_init");
111 ret = krb5_encrypt_EncryptedData(context,
112 crypto,
113 KRB5_KU_TICKET,
114 buf,
115 len,
116 skvno,
117 &ticket.enc_part);
118 if (ret)
119 krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
120
121 free(buf);
122 krb5_crypto_destroy(context, crypto);
123
124 /*
125 * Encode ticket
126 */
127
128 ticket.tkt_vno = 5;
129 ticket.realm = cred->server->realm;
130 copy_PrincipalName(&cred->server->name, &ticket.sname);
131
132 ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
133 if(ret)
134 krb5_err(context, 1, ret, "encode_Ticket");
135
136 krb5_data_copy(&cred->ticket, buf, len);
137 free(buf);
138 }
139
140 /*
141 *
142 */
143
144 static int
145 create_krb5_tickets(krb5_context context, krb5_keytab kt)
146 {
147 krb5_error_code ret;
148 krb5_keytab_entry entry;
149 krb5_creds cred;
150 krb5_enctype etype;
151 krb5_enctype session_etype;
152 krb5_ccache ccache;
153
154 memset(&cred, 0, sizeof(cred));
155
156 ret = krb5_string_to_enctype(context, enc_type, &etype);
157 if (ret)
158 krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
159 ret = krb5_string_to_enctype(context, session_enc_type, &session_etype);
160 if (ret)
161 krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
162 ret = krb5_kt_get_entry(context, kt, server_principal, 0, etype, &entry);
163 if (ret)
164 krb5_err(context, 1, ret, "krb5_kt_get_entry (perhaps use different --enc-type)");
165
166 /*
167 * setup cred
168 */
169
170
171 ret = krb5_copy_principal(context, client_principal, &cred.client);
172 if (ret)
173 krb5_err(context, 1, ret, "krb5_copy_principal");
174 ret = krb5_copy_principal(context, server_principal, &cred.server);
175 if (ret)
176 krb5_err(context, 1, ret, "krb5_copy_principal");
177 krb5_generate_random_keyblock(context, session_etype, &cred.session);
178
179 cred.times.authtime = time(NULL);
180 cred.times.starttime = time(NULL);
181 cred.times.endtime = time(NULL) + expiration_time;
182 cred.times.renew_till = 0;
183 krb5_data_zero(&cred.second_ticket);
184
185 ret = krb5_get_all_client_addrs(context, &cred.addresses);
186 if (ret)
187 krb5_err(context, 1, ret, "krb5_get_all_client_addrs");
188 cred.flags.b = ticket_flags;
189
190
191 /*
192 * Encode encrypted part of ticket
193 */
194
195 encode_ticket(context, &entry.keyblock, etype, entry.vno, &cred);
196 krb5_kt_free_entry(context, &entry);
197
198 /*
199 * Write to cc
200 */
201
202 if (ccache_str) {
203 ret = krb5_cc_resolve(context, ccache_str, &ccache);
204 if (ret)
205 krb5_err(context, 1, ret, "krb5_cc_resolve");
206 } else {
207 ret = krb5_cc_default(context, &ccache);
208 if (ret)
209 krb5_err(context, 1, ret, "krb5_cc_default");
210 }
211
212 if (add_to_ccache) {
213 krb5_principal def_princ;
214
215 /*
216 * Force fcache to read the ccache header, otherwise the store
217 * will fail.
218 */
219 ret = krb5_cc_get_principal(context, ccache, &def_princ);
220 if (ret) {
221 krb5_warn(context, ret,
222 "Given ccache appears not to exist; initializing it");
223 ret = krb5_cc_initialize(context, ccache, cred.client);
224 if (ret)
225 krb5_err(context, 1, ret, "krb5_cc_initialize");
226 }
227 krb5_free_principal(context, def_princ);
228 } else {
229 ret = krb5_cc_initialize(context, ccache, cred.client);
230 if (ret)
231 krb5_err(context, 1, ret, "krb5_cc_initialize");
232 }
233
234 if (use_referral_realm &&
235 strcmp(krb5_principal_get_realm(context, cred.server), "") != 0) {
236 krb5_free_principal(context, cred.server);
237 ret = krb5_copy_principal(context, server_principal, &cred.server);
238 if (ret)
239 krb5_err(context, 1, ret, "krb5_copy_principal");
240 ret = krb5_principal_set_realm(context, cred.server, "");
241 if (ret)
242 krb5_err(context, 1, ret, "krb5_principal_set_realm");
243 ret = krb5_cc_store_cred(context, ccache, &cred);
244 if (ret)
245 krb5_err(context, 1, ret, "krb5_cc_store_cred");
246
247 krb5_free_principal(context, cred.server);
248 ret = krb5_copy_principal(context, server_principal, &cred.server);
249 if (ret)
250 krb5_err(context, 1, ret, "krb5_copy_principal");
251 }
252 ret = krb5_cc_store_cred(context, ccache, &cred);
253 if (ret)
254 krb5_err(context, 1, ret, "krb5_cc_store_cred");
255
256 krb5_free_cred_contents(context, &cred);
257 krb5_cc_close(context, ccache);
258
259 return 0;
260 }
261
262 /*
263 *
264 */
265
266 static void
267 setup_env(krb5_context context, krb5_keytab *kt)
268 {
269 krb5_error_code ret;
270
271 if (keytab_file)
272 ret = krb5_kt_resolve(context, keytab_file, kt);
273 else
274 ret = krb5_kt_default(context, kt);
275 if (ret)
276 krb5_err(context, 1, ret, "resolving keytab");
277
278 if (client_principal_str == NULL)
279 krb5_errx(context, 1, "missing client principal");
280 ret = krb5_parse_name(context, client_principal_str, &client_principal);
281 if (ret)
282 krb5_err(context, 1, ret, "resolvning client name");
283
284 if (server_principal_str == NULL)
285 krb5_errx(context, 1, "missing server principal");
286 ret = krb5_parse_name(context, server_principal_str, &server_principal);
287 if (ret)
288 krb5_err(context, 1, ret, "resolvning server name");
289
290 /* If no session-enc-type specified on command line and this is an afs */
291 /* service ticket, change default of session_enc_type to DES. */
292 if (session_enctype_string == NULL
293 && strcmp("afs", *server_principal->name.name_string.val) == 0)
294 session_enc_type = "des-cbc-crc";
295
296 if (ticket_flags_str) {
297 int ticket_flags_int;
298
299 ticket_flags_int = parse_flags(ticket_flags_str,
300 asn1_TicketFlags_units(), 0);
301 if (ticket_flags_int <= 0) {
302 krb5_warnx(context, "bad ticket flags: `%s'", ticket_flags_str);
303 print_flags_table(asn1_TicketFlags_units(), stderr);
304 exit(1);
305 }
306 if (ticket_flags_int)
307 ticket_flags = int2TicketFlags(ticket_flags_int);
308 }
309 }
310
311 /*
312 *
313 */
314
315 struct getargs args[] = {
316 { "ccache", 0, arg_string, &ccache_str,
317 "name of kerberos 5 credential cache", "cache-name"},
318 { "server", 's', arg_string, &server_principal_str,
319 "name of server principal", NULL },
320 { "client", 'c', arg_string, &client_principal_str,
321 "name of client principal", NULL },
322 { "keytab", 'k', arg_string, &keytab_file,
323 "name of keytab file", NULL },
324 { "krb5", '5', arg_flag, &use_krb5,
325 "create a kerberos 5 ticket", NULL },
326 { "add", 'A', arg_flag, &add_to_ccache,
327 "add to ccache without re-initializing it", NULL },
328 { "referral", 'R', arg_flag, &use_referral_realm,
329 "store an additional entry for the service with the empty realm", NULL },
330 { "expire-time", 'e', arg_integer, &expiration_time,
331 "lifetime of ticket in seconds", NULL },
332 { "client-addresses", 'a', arg_strings, &client_addresses,
333 "addresses of client", NULL },
334 { "enc-type", 't', arg_string, &enctype_string,
335 "encryption type", NULL },
336 { "session-enc-type", 0, arg_string,&session_enctype_string,
337 "encryption type", NULL },
338 { "ticket-flags", 'f', arg_string, &ticket_flags_str,
339 "ticket flags for krb5 ticket", NULL },
340 { "version", 0, arg_flag, &version_flag, "Print version",
341 NULL },
342 { "help", 0, arg_flag, &help_flag, NULL,
343 NULL }
344 };
345
346 static void
347 usage(int ret)
348 {
349 arg_printusage(args,
350 sizeof(args) / sizeof(args[0]),
351 NULL,
352 "");
353 exit(ret);
354 }
355
356 int
357 main(int argc, char **argv)
358 {
359 int optidx = 0;
360 krb5_error_code ret;
361 krb5_context context;
362 krb5_keytab kt;
363
364 setprogname(argv[0]);
365
366 ret = krb5_init_context(&context);
367 if (ret)
368 errx(1, "krb5_init_context failed: %u", ret);
369
370 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
371 usage(1);
372
373 if (help_flag)
374 usage(0);
375
376 if (version_flag) {
377 print_version(NULL);
378 return 0;
379 }
380
381 if (enctype_string)
382 enc_type = enctype_string;
383 if (session_enctype_string)
384 session_enc_type = session_enctype_string;
385 else
386 session_enc_type = enc_type;
387
388 setup_env(context, &kt);
389
390 if (use_krb5)
391 create_krb5_tickets(context, kt);
392
393 krb5_kt_close(context, kt);
394
395 return 0;
396 }
Heimdal