etc/services - sync with NetBSD-8
[minix.git] / crypto / external / bsd / heimdal / dist / kuser / kimpersonate.c
blob8711c42b021dfabd1067ed360f22cddbb78d154a
1 /* $NetBSD: kimpersonate.c,v 1.1.1.2 2014/04/24 12:45:28 pettai Exp $ */
3 /*
4 * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
36 #include "kuser_locl.h"
37 #include <krb5/parse_units.h>
39 static char *client_principal_str = NULL;
40 static krb5_principal client_principal;
41 static char *server_principal_str = NULL;
42 static krb5_principal server_principal;
44 static char *ccache_str = NULL;
46 static char *ticket_flags_str = NULL;
47 static TicketFlags ticket_flags;
48 static char *keytab_file = NULL;
49 static char *enctype_string = NULL;
50 static char *session_enctype_string = NULL;
51 static int expiration_time = 3600;
52 static struct getarg_strings client_addresses;
53 static int version_flag = 0;
54 static int help_flag = 0;
55 static int use_krb5 = 1;
57 static const char *enc_type = "aes256-cts-hmac-sha1-96";
58 static const char *session_enc_type = NULL;
60 static void
61 encode_ticket (krb5_context context,
62 EncryptionKey *skey,
63 krb5_enctype etype,
64 int skvno,
65 krb5_creds *cred)
67 size_t len, size;
68 char *buf;
69 krb5_error_code ret;
70 krb5_crypto crypto;
71 EncryptedData enc_part;
72 EncTicketPart et;
73 Ticket ticket;
75 memset (&enc_part, 0, sizeof(enc_part));
76 memset (&ticket, 0, sizeof(ticket));
79 * Set up `enc_part'
82 et.flags = cred->flags.b;
83 et.key = cred->session;
84 et.crealm = cred->client->realm;
85 copy_PrincipalName(&cred->client->name, &et.cname);
87 krb5_data empty_string;
89 krb5_data_zero(&empty_string);
90 et.transited.tr_type = DOMAIN_X500_COMPRESS;
91 et.transited.contents = empty_string;
93 et.authtime = cred->times.authtime;
94 et.starttime = NULL;
95 et.endtime = cred->times.endtime;
96 et.renew_till = NULL;
97 et.caddr = &cred->addresses;
98 et.authorization_data = NULL; /* XXX allow random authorization_data */
101 * Encrypt `enc_part' of ticket with service key
104 ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
105 if (ret)
106 krb5_err(context, 1, ret, "EncTicketPart");
108 ret = krb5_crypto_init(context, skey, etype, &crypto);
109 if (ret)
110 krb5_err(context, 1, ret, "krb5_crypto_init");
111 ret = krb5_encrypt_EncryptedData (context,
112 crypto,
113 KRB5_KU_TICKET,
114 buf,
115 len,
116 skvno,
117 &ticket.enc_part);
118 if (ret)
119 krb5_err(context, 1, ret, "krb5_encrypt_EncryptedData");
121 free(buf);
122 krb5_crypto_destroy(context, crypto);
125 * Encode ticket
128 ticket.tkt_vno = 5;
129 ticket.realm = cred->server->realm;
130 copy_PrincipalName(&cred->server->name, &ticket.sname);
132 ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
133 if(ret)
134 krb5_err (context, 1, ret, "encode_Ticket");
136 krb5_data_copy(&cred->ticket, buf, len);
137 free(buf);
144 static int
145 create_krb5_tickets (krb5_context context, krb5_keytab kt)
147 krb5_error_code ret;
148 krb5_keytab_entry entry;
149 krb5_creds cred;
150 krb5_enctype etype;
151 krb5_enctype session_etype;
152 krb5_ccache ccache;
154 memset (&cred, 0, sizeof(cred));
156 ret = krb5_string_to_enctype (context, enc_type, &etype);
157 if (ret)
158 krb5_err (context, 1, ret, "krb5_string_to_enctype (enc-type)");
159 ret = krb5_string_to_enctype (context, session_enc_type, &session_etype);
160 if (ret)
161 krb5_err (context, 1, ret, "krb5_string_to_enctype (session-enc-type)");
162 ret = krb5_kt_get_entry (context, kt, server_principal,
163 0, etype, &entry);
164 if (ret)
165 krb5_err (context, 1, ret, "krb5_kt_get_entry");
168 * setup cred
172 ret = krb5_copy_principal (context, client_principal, &cred.client);
173 if (ret)
174 krb5_err (context, 1, ret, "krb5_copy_principal");
175 ret = krb5_copy_principal (context, server_principal, &cred.server);
176 if (ret)
177 krb5_err (context, 1, ret, "krb5_copy_principal");
178 krb5_generate_random_keyblock(context, session_etype, &cred.session);
180 cred.times.authtime = time(NULL);
181 cred.times.starttime = time(NULL);
182 cred.times.endtime = time(NULL) + expiration_time;
183 cred.times.renew_till = 0;
184 krb5_data_zero(&cred.second_ticket);
186 ret = krb5_get_all_client_addrs (context, &cred.addresses);
187 if (ret)
188 krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
189 cred.flags.b = ticket_flags;
193 * Encode encrypted part of ticket
196 encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);
199 * Write to cc
202 if (ccache_str) {
203 ret = krb5_cc_resolve(context, ccache_str, &ccache);
204 if (ret)
205 krb5_err (context, 1, ret, "krb5_cc_resolve");
206 } else {
207 ret = krb5_cc_default (context, &ccache);
208 if (ret)
209 krb5_err (context, 1, ret, "krb5_cc_default");
212 ret = krb5_cc_initialize (context, ccache, cred.client);
213 if (ret)
214 krb5_err (context, 1, ret, "krb5_cc_initialize");
216 ret = krb5_cc_store_cred (context, ccache, &cred);
217 if (ret)
218 krb5_err (context, 1, ret, "krb5_cc_store_cred");
220 krb5_free_cred_contents (context, &cred);
221 krb5_cc_close (context, ccache);
223 return 0;
230 static void
231 setup_env (krb5_context context, krb5_keytab *kt)
233 krb5_error_code ret;
235 if (keytab_file)
236 ret = krb5_kt_resolve (context, keytab_file, kt);
237 else
238 ret = krb5_kt_default (context, kt);
239 if (ret)
240 krb5_err (context, 1, ret, "resolving keytab");
242 if (client_principal_str == NULL)
243 krb5_errx (context, 1, "missing client principal");
244 ret = krb5_parse_name (context, client_principal_str, &client_principal);
245 if (ret)
246 krb5_err (context, 1, ret, "resolvning client name");
248 if (server_principal_str == NULL)
249 krb5_errx (context, 1, "missing server principal");
250 ret = krb5_parse_name (context, server_principal_str, &server_principal);
251 if (ret)
252 krb5_err (context, 1, ret, "resolvning server name");
254 /* If no session-enc-type specified on command line and this is an afs */
255 /* service ticket, change default of session_enc_type to DES. */
256 if (session_enctype_string == NULL
257 && strcmp("afs", *server_principal->name.name_string.val) == 0)
258 session_enc_type = "des-cbc-crc";
260 if (ticket_flags_str) {
261 int ticket_flags_int;
263 ticket_flags_int = parse_flags(ticket_flags_str,
264 asn1_TicketFlags_units(), 0);
265 if (ticket_flags_int <= 0) {
266 krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
267 print_flags_table (asn1_TicketFlags_units(), stderr);
268 exit (1);
270 if (ticket_flags_int)
271 ticket_flags = int2TicketFlags (ticket_flags_int);
279 struct getargs args[] = {
280 { "ccache", 0, arg_string, &ccache_str,
281 "name of kerberos 5 credential cache", "cache-name"},
282 { "server", 's', arg_string, &server_principal_str,
283 "name of server principal", NULL },
284 { "client", 'c', arg_string, &client_principal_str,
285 "name of client principal", NULL },
286 { "keytab", 'k', arg_string, &keytab_file,
287 "name of keytab file", NULL },
288 { "krb5", '5', arg_flag, &use_krb5,
289 "create a kerberos 5 ticket", NULL },
290 { "expire-time", 'e', arg_integer, &expiration_time,
291 "lifetime of ticket in seconds", NULL },
292 { "client-addresses", 'a', arg_strings, &client_addresses,
293 "addresses of client", NULL },
294 { "enc-type", 't', arg_string, &enctype_string,
295 "encryption type", NULL },
296 { "session-enc-type", 0, arg_string,&session_enctype_string,
297 "encryption type", NULL },
298 { "ticket-flags", 'f', arg_string, &ticket_flags_str,
299 "ticket flags for krb5 ticket", NULL },
300 { "version", 0, arg_flag, &version_flag, "Print version",
301 NULL },
302 { "help", 0, arg_flag, &help_flag, NULL,
303 NULL }
306 static void
307 usage (int ret)
309 arg_printusage (args,
310 sizeof(args) / sizeof(args[0]),
311 NULL,
312 "");
313 exit (ret);
317 main (int argc, char **argv)
319 int optidx = 0;
320 krb5_error_code ret;
321 krb5_context context;
322 krb5_keytab kt;
324 setprogname (argv[0]);
326 ret = krb5_init_context (&context);
327 if (ret)
328 errx(1, "krb5_init_context failed: %u", ret);
330 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
331 usage(1);
333 if (help_flag)
334 usage(0);
336 if (version_flag) {
337 print_version(NULL);
338 return 0;
341 if (enctype_string)
342 enc_type = enctype_string;
343 if (session_enctype_string)
344 session_enc_type = session_enctype_string;
345 else
346 session_enc_type = enc_type;
348 setup_env(context, &kt);
350 if (use_krb5)
351 create_krb5_tickets(context, kt);
353 krb5_kt_close(context, kt);
355 return 0;