xref: /freebsd/crypto/heimdal/kuser/kimpersonate.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a) 
1 /*
2  * Copyright (c) 2000 - 2007 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kuser_locl.h"
35 RCSID("$Id: kimpersonate.c 22117 2007-12-03 21:24:16Z lha $");
36 #include <parse_units.h>
37 
38 static char *client_principal_str = NULL;
39 static krb5_principal client_principal;
40 static char *server_principal_str = NULL;
41 static krb5_principal server_principal;
42 
43 static char *ccache_str = NULL;
44 
45 static char *ticket_flags_str = NULL;
46 static TicketFlags ticket_flags;
47 static char *keytab_file = NULL;
48 static char *enc_type = "des-cbc-md5";
49 static int   expiration_time = 3600;
50 static struct getarg_strings client_addresses;
51 static int   version_flag = 0;
52 static int   help_flag = 0;
53 static int   use_krb5 = 1;
54 
55 /*
56  *
57  */
58 
59 static void
60 encode_ticket (krb5_context context,
61 	       EncryptionKey *skey,
62 	       krb5_enctype etype,
63 	       int skvno,
64 	       krb5_creds *cred)
65 {
66     size_t len, size;
67     char *buf;
68     krb5_error_code ret;
69     krb5_crypto crypto;
70     EncryptedData enc_part;
71     EncTicketPart et;
72     Ticket ticket;
73 
74     memset (&enc_part, 0, sizeof(enc_part));
75     memset (&ticket, 0, sizeof(ticket));
76 
77     /*
78      * Set up `enc_part'
79      */
80 
81     et.flags = cred->flags.b;
82     et.key = cred->session;
83     et.crealm = *krb5_princ_realm (context, cred->client);
84     copy_PrincipalName(&cred->client->name, &et.cname);
85     {
86 	krb5_data empty_string;
87 
88 	krb5_data_zero(&empty_string);
89 	et.transited.tr_type = DOMAIN_X500_COMPRESS;
90 	et.transited.contents = empty_string;
91     }
92     et.authtime = cred->times.authtime;
93     et.starttime = NULL;
94     et.endtime = cred->times.endtime;
95     et.renew_till = NULL;
96     et.caddr = &cred->addresses;
97     et.authorization_data = NULL; /* XXX allow random authorization_data */
98 
99     /*
100      * Encrypt `enc_part' of ticket with service key
101      */
102 
103     ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
104     if (ret)
105 	krb5_err(context, 1, ret, "EncTicketPart");
106 
107     krb5_crypto_init(context, skey, etype, &crypto);
108     krb5_encrypt_EncryptedData (context,
109 				crypto,
110 				KRB5_KU_TICKET,
111 				buf,
112 				len,
113 				skvno,
114 				&ticket.enc_part);
115     free(buf);
116     krb5_crypto_destroy(context, crypto);
117 
118     /*
119      * Encode ticket
120      */
121 
122     ticket.tkt_vno = 5;
123     ticket.realm = *krb5_princ_realm (context, cred->server);
124     copy_PrincipalName(&cred->server->name, &ticket.sname);
125 
126     ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
127     if(ret)
128 	krb5_err (context, 1, ret, "encode_Ticket");
129 
130     krb5_data_copy(&cred->ticket, buf, len);
131 }
132 
133 /*
134  *
135  */
136 
137 static int
138 create_krb5_tickets (krb5_context context, krb5_keytab kt)
139 {
140     krb5_error_code ret;
141     krb5_keytab_entry entry;
142     krb5_creds cred;
143     krb5_enctype etype;
144     krb5_ccache ccache;
145 
146     memset (&cred, 0, sizeof(cred));
147 
148     ret = krb5_string_to_enctype (context, enc_type, &etype);
149     if (ret)
150 	krb5_err (context, 1, ret, "krb5_string_to_enctype");
151     ret = krb5_kt_get_entry (context, kt, server_principal,
152 			     0, etype, &entry);
153     if (ret)
154 	krb5_err (context, 1, ret, "krb5_kt_get_entry");
155 
156     /*
157      * setup cred
158      */
159 
160 
161     ret = krb5_copy_principal (context, client_principal, &cred.client);
162     if (ret)
163 	krb5_err (context, 1, ret, "krb5_copy_principal");
164     ret = krb5_copy_principal (context, server_principal, &cred.server);
165     if (ret)
166 	krb5_err (context, 1, ret, "krb5_copy_principal");
167     krb5_generate_random_keyblock(context, etype, &cred.session);
168 
169     cred.times.authtime = time(NULL);
170     cred.times.starttime = time(NULL);
171     cred.times.endtime = time(NULL) + expiration_time;
172     cred.times.renew_till = 0;
173     krb5_data_zero(&cred.second_ticket);
174 
175     ret = krb5_get_all_client_addrs (context, &cred.addresses);
176     if (ret)
177 	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
178     cred.flags.b = ticket_flags;
179 
180 
181     /*
182      * Encode encrypted part of ticket
183      */
184 
185     encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);
186 
187     /*
188      * Write to cc
189      */
190 
191     if (ccache_str) {
192 	ret = krb5_cc_resolve(context, ccache_str, &ccache);
193 	if (ret)
194 	    krb5_err (context, 1, ret, "krb5_cc_resolve");
195     } else {
196 	ret = krb5_cc_default (context, &ccache);
197 	if (ret)
198 	    krb5_err (context, 1, ret, "krb5_cc_default");
199     }
200 
201     ret = krb5_cc_initialize (context, ccache, cred.client);
202     if (ret)
203 	krb5_err (context, 1, ret, "krb5_cc_initialize");
204 
205     ret = krb5_cc_store_cred (context, ccache, &cred);
206     if (ret)
207 	krb5_err (context, 1, ret, "krb5_cc_store_cred");
208 
209     krb5_free_cred_contents (context, &cred);
210     krb5_cc_close (context, ccache);
211 
212     return 0;
213 }
214 
215 /*
216  *
217  */
218 
219 static void
220 setup_env (krb5_context context, krb5_keytab *kt)
221 {
222     krb5_error_code ret;
223 
224     if (keytab_file)
225 	ret = krb5_kt_resolve (context, keytab_file, kt);
226     else
227 	ret = krb5_kt_default (context, kt);
228     if (ret)
229 	krb5_err (context, 1, ret, "resolving keytab");
230 
231     if (client_principal_str == NULL)
232 	krb5_errx (context, 1, "missing client principal");
233     ret = krb5_parse_name (context, client_principal_str, &client_principal);
234     if (ret)
235 	krb5_err (context, 1, ret, "resolvning client name");
236 
237     if (server_principal_str == NULL)
238 	krb5_errx (context, 1, "missing server principal");
239     ret = krb5_parse_name (context, server_principal_str, &server_principal);
240     if (ret)
241 	krb5_err (context, 1, ret, "resolvning client name");
242 
243     if (ticket_flags_str) {
244 	int ticket_flags_int;
245 
246 	ticket_flags_int = parse_flags(ticket_flags_str,
247 				       asn1_TicketFlags_units(), 0);
248 	if (ticket_flags_int <= 0) {
249 	    krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
250 	    print_flags_table (asn1_TicketFlags_units(), stderr);
251 	    exit (1);
252 	}
253 	if (ticket_flags_int)
254 	    ticket_flags = int2TicketFlags (ticket_flags_int);
255     }
256 }
257 
258 /*
259  *
260  */
261 
262 struct getargs args[] = {
263     { "ccache", 0, arg_string, &ccache_str,
264       "name of kerberos 5 credential cache", "cache-name"},
265     { "server", 's', arg_string, &server_principal_str,
266       "name of server principal" },
267     { "client", 'c', arg_string, &client_principal_str,
268       "name of client principal" },
269     { "keytab", 'k', arg_string, &keytab_file,
270       "name of keytab file" },
271     { "krb5", '5', arg_flag,	 &use_krb5,
272       "create a kerberos 5 ticket"},
273     { "expire-time", 'e', arg_integer, &expiration_time,
274       "lifetime of ticket in seconds" },
275     { "client-addresses", 'a', arg_strings, &client_addresses,
276       "addresses of client" },
277     { "enc-type", 't', arg_string, 	&enc_type,
278       "encryption type" },
279     { "ticket-flags", 'f', arg_string,   &ticket_flags_str,
280       "ticket flags for krb5 ticket" },
281     { "version", 0,  arg_flag,		&version_flag,	"Print version",
282       NULL },
283     { "help",	 0,  arg_flag,		&help_flag,	NULL,
284       NULL }
285 };
286 
287 static void
288 usage (int ret)
289 {
290     arg_printusage (args,
291 		    sizeof(args) / sizeof(args[0]),
292 		    NULL,
293 		    "");
294     exit (ret);
295 }
296 
297 int
298 main (int argc, char **argv)
299 {
300     int optind = 0;
301     krb5_error_code ret;
302     krb5_context context;
303     krb5_keytab kt;
304 
305     setprogname (argv[0]);
306 
307     ret = krb5_init_context (&context);
308     if (ret)
309 	errx(1, "krb5_init_context failed: %u", ret);
310 
311     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
312 		&optind))
313 	usage (1);
314 
315     if (help_flag)
316 	usage (0);
317 
318     if (version_flag) {
319 	print_version(NULL);
320 	return 0;
321     }
322 
323     setup_env (context, &kt);
324 
325     if (use_krb5)
326 	create_krb5_tickets (context, kt);
327 
328     krb5_kt_close (context, kt);
329     return 0;
330 }
331