xref: /minix3/crypto/external/bsd/heimdal/dist/kuser/kimpersonate.c (revision 0a6a1f1d05b60e214de2f05a7310ddd1f0e590e7) 
1 /*	$NetBSD: kimpersonate.c,v 1.1.1.2 2014/04/24 12:45:28 pettai Exp $	*/
2 
3 /*
4  * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "kuser_locl.h"
37 #include <krb5/parse_units.h>
38 
39 static char *client_principal_str = NULL;
40 static krb5_principal client_principal;
41 static char *server_principal_str = NULL;
42 static krb5_principal server_principal;
43 
44 static char *ccache_str = NULL;
45 
46 static char *ticket_flags_str = NULL;
47 static TicketFlags ticket_flags;
48 static char *keytab_file = NULL;
49 static char *enctype_string = NULL;
50 static char *session_enctype_string = NULL;
51 static int   expiration_time = 3600;
52 static struct getarg_strings client_addresses;
53 static int   version_flag = 0;
54 static int   help_flag = 0;
55 static int   use_krb5 = 1;
56 
57 static const char *enc_type = "aes256-cts-hmac-sha1-96";
58 static const char *session_enc_type = NULL;
59 
60 static void
encode_ticket(krb5_context context,EncryptionKey * skey,krb5_enctype etype,int skvno,krb5_creds * cred)61 encode_ticket (krb5_context context,
62 	       EncryptionKey *skey,
63 	       krb5_enctype etype,
64 	       int skvno,
65 	       krb5_creds *cred)
66 {
67     size_t len, size;
68     char *buf;
69     krb5_error_code ret;
70     krb5_crypto crypto;
71     EncryptedData enc_part;
72     EncTicketPart et;
73     Ticket ticket;
74 
75     memset (&enc_part, 0, sizeof(enc_part));
76     memset (&ticket, 0, sizeof(ticket));
77 
78     /*
79      * Set up `enc_part'
80      */
81 
82     et.flags = cred->flags.b;
83     et.key = cred->session;
84     et.crealm = cred->client->realm;
85     copy_PrincipalName(&cred->client->name, &et.cname);
86     {
87 	krb5_data empty_string;
88 
89 	krb5_data_zero(&empty_string);
90 	et.transited.tr_type = DOMAIN_X500_COMPRESS;
91 	et.transited.contents = empty_string;
92     }
93     et.authtime = cred->times.authtime;
94     et.starttime = NULL;
95     et.endtime = cred->times.endtime;
96     et.renew_till = NULL;
97     et.caddr = &cred->addresses;
98     et.authorization_data = NULL; /* XXX allow random authorization_data */
99 
100     /*
101      * Encrypt `enc_part' of ticket with service key
102      */
103 
104     ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
105     if (ret)
106 	krb5_err(context, 1, ret, "EncTicketPart");
107 
108     ret = krb5_crypto_init(context, skey, etype, &crypto);
109     if (ret)
110 	krb5_err(context, 1, ret, "krb5_crypto_init");
111     ret = krb5_encrypt_EncryptedData (context,
112 				      crypto,
113 				      KRB5_KU_TICKET,
114 				      buf,
115 				      len,
116 				      skvno,
117 				      &ticket.enc_part);
118     if (ret)
119 	krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
120 
121     free(buf);
122     krb5_crypto_destroy(context, crypto);
123 
124     /*
125      * Encode ticket
126      */
127 
128     ticket.tkt_vno = 5;
129     ticket.realm = cred->server->realm;
130     copy_PrincipalName(&cred->server->name, &ticket.sname);
131 
132     ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
133     if(ret)
134 	krb5_err (context, 1, ret, "encode_Ticket");
135 
136     krb5_data_copy(&cred->ticket, buf, len);
137     free(buf);
138 }
139 
140 /*
141  *
142  */
143 
144 static int
create_krb5_tickets(krb5_context context,krb5_keytab kt)145 create_krb5_tickets (krb5_context context, krb5_keytab kt)
146 {
147     krb5_error_code ret;
148     krb5_keytab_entry entry;
149     krb5_creds cred;
150     krb5_enctype etype;
151     krb5_enctype session_etype;
152     krb5_ccache ccache;
153 
154     memset (&cred, 0, sizeof(cred));
155 
156     ret = krb5_string_to_enctype (context, enc_type, &etype);
157     if (ret)
158 	krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
159     ret = krb5_string_to_enctype (context, session_enc_type, &session_etype);
160     if (ret)
161 	krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
162     ret = krb5_kt_get_entry (context, kt, server_principal,
163 			     0, etype, &entry);
164     if (ret)
165 	krb5_err (context, 1, ret, "krb5_kt_get_entry");
166 
167     /*
168      * setup cred
169      */
170 
171 
172     ret = krb5_copy_principal (context, client_principal, &cred.client);
173     if (ret)
174 	krb5_err (context, 1, ret, "krb5_copy_principal");
175     ret = krb5_copy_principal (context, server_principal, &cred.server);
176     if (ret)
177 	krb5_err (context, 1, ret, "krb5_copy_principal");
178     krb5_generate_random_keyblock(context, session_etype, &cred.session);
179 
180     cred.times.authtime = time(NULL);
181     cred.times.starttime = time(NULL);
182     cred.times.endtime = time(NULL) + expiration_time;
183     cred.times.renew_till = 0;
184     krb5_data_zero(&cred.second_ticket);
185 
186     ret = krb5_get_all_client_addrs (context, &cred.addresses);
187     if (ret)
188 	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
189     cred.flags.b = ticket_flags;
190 
191 
192     /*
193      * Encode encrypted part of ticket
194      */
195 
196     encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);
197 
198     /*
199      * Write to cc
200      */
201 
202     if (ccache_str) {
203 	ret = krb5_cc_resolve(context, ccache_str, &ccache);
204 	if (ret)
205 	    krb5_err (context, 1, ret, "krb5_cc_resolve");
206     } else {
207 	ret = krb5_cc_default (context, &ccache);
208 	if (ret)
209 	    krb5_err (context, 1, ret, "krb5_cc_default");
210     }
211 
212     ret = krb5_cc_initialize (context, ccache, cred.client);
213     if (ret)
214 	krb5_err (context, 1, ret, "krb5_cc_initialize");
215 
216     ret = krb5_cc_store_cred (context, ccache, &cred);
217     if (ret)
218 	krb5_err (context, 1, ret, "krb5_cc_store_cred");
219 
220     krb5_free_cred_contents (context, &cred);
221     krb5_cc_close (context, ccache);
222 
223     return 0;
224 }
225 
226 /*
227  *
228  */
229 
230 static void
setup_env(krb5_context context,krb5_keytab * kt)231 setup_env (krb5_context context, krb5_keytab *kt)
232 {
233     krb5_error_code ret;
234 
235     if (keytab_file)
236 	ret = krb5_kt_resolve (context, keytab_file, kt);
237     else
238 	ret = krb5_kt_default (context, kt);
239     if (ret)
240 	krb5_err (context, 1, ret, "resolving keytab");
241 
242     if (client_principal_str == NULL)
243 	krb5_errx (context, 1, "missing client principal");
244     ret = krb5_parse_name (context, client_principal_str, &client_principal);
245     if (ret)
246 	krb5_err (context, 1, ret, "resolvning client name");
247 
248     if (server_principal_str == NULL)
249 	krb5_errx (context, 1, "missing server principal");
250     ret = krb5_parse_name (context, server_principal_str, &server_principal);
251     if (ret)
252 	krb5_err (context, 1, ret, "resolvning server name");
253 
254     /* If no session-enc-type specified on command line and this is an afs */
255     /* service ticket, change default of session_enc_type to DES.       */
256     if (session_enctype_string == NULL
257 	&& strcmp("afs", *server_principal->name.name_string.val) == 0)
258 	session_enc_type = "des-cbc-crc";
259 
260     if (ticket_flags_str) {
261 	int ticket_flags_int;
262 
263 	ticket_flags_int = parse_flags(ticket_flags_str,
264 				       asn1_TicketFlags_units(), 0);
265 	if (ticket_flags_int <= 0) {
266 	    krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
267 	    print_flags_table (asn1_TicketFlags_units(), stderr);
268 	    exit (1);
269 	}
270 	if (ticket_flags_int)
271 	    ticket_flags = int2TicketFlags (ticket_flags_int);
272     }
273 }
274 
275 /*
276  *
277  */
278 
279 struct getargs args[] = {
280     { "ccache", 0, arg_string, &ccache_str,
281       "name of kerberos 5 credential cache", "cache-name"},
282     { "server", 's', arg_string, &server_principal_str,
283       "name of server principal", NULL },
284     { "client", 'c', arg_string, &client_principal_str,
285       "name of client principal", NULL },
286     { "keytab", 'k', arg_string, &keytab_file,
287       "name of keytab file", NULL },
288     { "krb5", '5', arg_flag,	 &use_krb5,
289       "create a kerberos 5 ticket", NULL },
290     { "expire-time", 'e', arg_integer, &expiration_time,
291       "lifetime of ticket in seconds", NULL },
292     { "client-addresses", 'a', arg_strings, &client_addresses,
293       "addresses of client", NULL },
294     { "enc-type", 't', arg_string,	&enctype_string,
295       "encryption type", NULL },
296     { "session-enc-type", 0, arg_string,&session_enctype_string,
297       "encryption type", NULL },
298     { "ticket-flags", 'f', arg_string,   &ticket_flags_str,
299       "ticket flags for krb5 ticket", NULL },
300     { "version", 0,  arg_flag,		&version_flag,	"Print version",
301       NULL },
302     { "help",	 0,  arg_flag,		&help_flag,	NULL,
303       NULL }
304 };
305 
306 static void
usage(int ret)307 usage (int ret)
308 {
309     arg_printusage (args,
310 		    sizeof(args) / sizeof(args[0]),
311 		    NULL,
312 		    "");
313     exit (ret);
314 }
315 
316 int
main(int argc,char ** argv)317 main (int argc, char **argv)
318 {
319     int optidx = 0;
320     krb5_error_code ret;
321     krb5_context context;
322     krb5_keytab kt;
323 
324     setprogname (argv[0]);
325 
326     ret = krb5_init_context (&context);
327     if (ret)
328 	errx(1, "krb5_init_context failed: %u", ret);
329 
330     if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
331 	usage(1);
332 
333     if (help_flag)
334 	usage(0);
335 
336     if (version_flag) {
337 	print_version(NULL);
338 	return 0;
339     }
340 
341     if (enctype_string)
342 	enc_type = enctype_string;
343     if (session_enctype_string)
344 	session_enc_type = session_enctype_string;
345     else
346 	session_enc_type = enc_type;
347 
348     setup_env(context, &kt);
349 
350     if (use_krb5)
351 	create_krb5_tickets(context, kt);
352 
353     krb5_kt_close(context, kt);
354 
355     return 0;
356 }
357