kimpersonate.c revision 267654 
1/*
2 * Copyright (c) 2000 - 2007 Kungliga Tekniska H�gskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include "kuser_locl.h"
35RCSID("$Id: kimpersonate.c 22117 2007-12-03 21:24:16Z lha $");
36#include <parse_units.h>
37
38static char *client_principal_str = NULL;
39static krb5_principal client_principal;
40static char *server_principal_str = NULL;
41static krb5_principal server_principal;
42
43static char *ccache_str = NULL;
44
45static char *ticket_flags_str = NULL;
46static TicketFlags ticket_flags;
47static char *keytab_file = NULL;
48static char *enc_type = "des-cbc-md5";
49static int   expiration_time = 3600;
50static struct getarg_strings client_addresses;
51static int   version_flag = 0;
52static int   help_flag = 0;
53static int   use_krb5 = 1;
54
55/*
56 *
57 */
58
59static void
60encode_ticket (krb5_context context,
61	       EncryptionKey *skey,
62	       krb5_enctype etype,
63	       int skvno,
64	       krb5_creds *cred)
65{
66    size_t len, size;
67    char *buf;
68    krb5_error_code ret;
69    krb5_crypto crypto;
70    EncryptedData enc_part;
71    EncTicketPart et;
72    Ticket ticket;
73
74    memset (&enc_part, 0, sizeof(enc_part));
75    memset (&ticket, 0, sizeof(ticket));
76
77    /*
78     * Set up `enc_part'
79     */
80
81    et.flags = cred->flags.b;
82    et.key = cred->session;
83    et.crealm = *krb5_princ_realm (context, cred->client);
84    copy_PrincipalName(&cred->client->name, &et.cname);
85    {
86	krb5_data empty_string;
87
88	krb5_data_zero(&empty_string);
89	et.transited.tr_type = DOMAIN_X500_COMPRESS;
90	et.transited.contents = empty_string;
91    }
92    et.authtime = cred->times.authtime;
93    et.starttime = NULL;
94    et.endtime = cred->times.endtime;
95    et.renew_till = NULL;
96    et.caddr = &cred->addresses;
97    et.authorization_data = NULL; /* XXX allow random authorization_data */
98
99    /*
100     * Encrypt `enc_part' of ticket with service key
101     */
102
103    ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
104    if (ret)
105	krb5_err(context, 1, ret, "EncTicketPart");
106
107    krb5_crypto_init(context, skey, etype, &crypto);
108    krb5_encrypt_EncryptedData (context,
109				crypto,
110				KRB5_KU_TICKET,
111				buf,
112				len,
113				skvno,
114				&ticket.enc_part);
115    free(buf);
116    krb5_crypto_destroy(context, crypto);
117
118    /*
119     * Encode ticket
120     */
121
122    ticket.tkt_vno = 5;
123    ticket.realm = *krb5_princ_realm (context, cred->server);
124    copy_PrincipalName(&cred->server->name, &ticket.sname);
125
126    ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
127    if(ret)
128	krb5_err (context, 1, ret, "encode_Ticket");
129
130    krb5_data_copy(&cred->ticket, buf, len);
131}
132
133/*
134 *
135 */
136
137static int
138create_krb5_tickets (krb5_context context, krb5_keytab kt)
139{
140    krb5_error_code ret;
141    krb5_keytab_entry entry;
142    krb5_creds cred;
143    krb5_enctype etype;
144    krb5_ccache ccache;
145
146    memset (&cred, 0, sizeof(cred));
147
148    ret = krb5_string_to_enctype (context, enc_type, &etype);
149    if (ret)
150	krb5_err (context, 1, ret, "krb5_string_to_enctype");
151    ret = krb5_kt_get_entry (context, kt, server_principal,
152			     0, etype, &entry);
153    if (ret)
154	krb5_err (context, 1, ret, "krb5_kt_get_entry");
155
156    /*
157     * setup cred
158     */
159
160
161    ret = krb5_copy_principal (context, client_principal, &cred.client);
162    if (ret)
163	krb5_err (context, 1, ret, "krb5_copy_principal");
164    ret = krb5_copy_principal (context, server_principal, &cred.server);
165    if (ret)
166	krb5_err (context, 1, ret, "krb5_copy_principal");
167    krb5_generate_random_keyblock(context, etype, &cred.session);
168
169    cred.times.authtime = time(NULL);
170    cred.times.starttime = time(NULL);
171    cred.times.endtime = time(NULL) + expiration_time;
172    cred.times.renew_till = 0;
173    krb5_data_zero(&cred.second_ticket);
174
175    ret = krb5_get_all_client_addrs (context, &cred.addresses);
176    if (ret)
177	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
178    cred.flags.b = ticket_flags;
179
180
181    /*
182     * Encode encrypted part of ticket
183     */
184
185    encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);
186
187    /*
188     * Write to cc
189     */
190
191    if (ccache_str) {
192	ret = krb5_cc_resolve(context, ccache_str, &ccache);
193	if (ret)
194	    krb5_err (context, 1, ret, "krb5_cc_resolve");
195    } else {
196	ret = krb5_cc_default (context, &ccache);
197	if (ret)
198	    krb5_err (context, 1, ret, "krb5_cc_default");
199    }
200
201    ret = krb5_cc_initialize (context, ccache, cred.client);
202    if (ret)
203	krb5_err (context, 1, ret, "krb5_cc_initialize");
204
205    ret = krb5_cc_store_cred (context, ccache, &cred);
206    if (ret)
207	krb5_err (context, 1, ret, "krb5_cc_store_cred");
208
209    krb5_free_cred_contents (context, &cred);
210    krb5_cc_close (context, ccache);
211
212    return 0;
213}
214
215/*
216 *
217 */
218
219static void
220setup_env (krb5_context context, krb5_keytab *kt)
221{
222    krb5_error_code ret;
223
224    if (keytab_file)
225	ret = krb5_kt_resolve (context, keytab_file, kt);
226    else
227	ret = krb5_kt_default (context, kt);
228    if (ret)
229	krb5_err (context, 1, ret, "resolving keytab");
230
231    if (client_principal_str == NULL)
232	krb5_errx (context, 1, "missing client principal");
233    ret = krb5_parse_name (context, client_principal_str, &client_principal);
234    if (ret)
235	krb5_err (context, 1, ret, "resolvning client name");
236
237    if (server_principal_str == NULL)
238	krb5_errx (context, 1, "missing server principal");
239    ret = krb5_parse_name (context, server_principal_str, &server_principal);
240    if (ret)
241	krb5_err (context, 1, ret, "resolvning client name");
242
243    if (ticket_flags_str) {
244	int ticket_flags_int;
245
246	ticket_flags_int = parse_flags(ticket_flags_str,
247				       asn1_TicketFlags_units(), 0);
248	if (ticket_flags_int <= 0) {
249	    krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
250	    print_flags_table (asn1_TicketFlags_units(), stderr);
251	    exit (1);
252	}
253	if (ticket_flags_int)
254	    ticket_flags = int2TicketFlags (ticket_flags_int);
255    }
256}
257
258/*
259 *
260 */
261
262struct getargs args[] = {
263    { "ccache", 0, arg_string, &ccache_str,
264      "name of kerberos 5 credential cache", "cache-name"},
265    { "server", 's', arg_string, &server_principal_str,
266      "name of server principal" },
267    { "client", 'c', arg_string, &client_principal_str,
268      "name of client principal" },
269    { "keytab", 'k', arg_string, &keytab_file,
270      "name of keytab file" },
271    { "krb5", '5', arg_flag,	 &use_krb5,
272      "create a kerberos 5 ticket"},
273    { "expire-time", 'e', arg_integer, &expiration_time,
274      "lifetime of ticket in seconds" },
275    { "client-addresses", 'a', arg_strings, &client_addresses,
276      "addresses of client" },
277    { "enc-type", 't', arg_string, 	&enc_type,
278      "encryption type" },
279    { "ticket-flags", 'f', arg_string,   &ticket_flags_str,
280      "ticket flags for krb5 ticket" },
281    { "version", 0,  arg_flag,		&version_flag,	"Print version",
282      NULL },
283    { "help",	 0,  arg_flag,		&help_flag,	NULL,
284      NULL }
285};
286
287static void
288usage (int ret)
289{
290    arg_printusage (args,
291		    sizeof(args) / sizeof(args[0]),
292		    NULL,
293		    "");
294    exit (ret);
295}
296
297int
298main (int argc, char **argv)
299{
300    int optind = 0;
301    krb5_error_code ret;
302    krb5_context context;
303    krb5_keytab kt;
304
305    setprogname (argv[0]);
306
307    ret = krb5_init_context (&context);
308    if (ret)
309	errx(1, "krb5_init_context failed: %u", ret);
310
311    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
312		&optind))
313	usage (1);
314
315    if (help_flag)
316	usage (0);
317
318    if (version_flag) {
319	print_version(NULL);
320	return 0;
321    }
322
323    setup_env (context, &kt);
324
325    if (use_krb5)
326	create_krb5_tickets (context, kt);
327
328    krb5_kt_close (context, kt);
329    return 0;
330}
331