/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2019 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Usage: s4u2self user self out_cache [ad-type ad-contents]
*
* The default ccache contains a TGT for the intermediate service self. An
* S4U2Self request is made to self. The resulting cred is stored in
* out_cache.
*/
#include <k5-int.h>
static krb5_context ctx;
static void
check(krb5_error_code code)
{
const char *errmsg;
if (code) {
errmsg = krb5_get_error_message(ctx, code);
fprintf(stderr, "%s\n", errmsg);
krb5_free_error_message(ctx, errmsg);
exit(1);
}
}
static krb5_authdata **
make_request_authdata(int type, const char *contents)
{
krb5_authdata *ad;
krb5_authdata **req_authdata;
ad = malloc(sizeof(*ad));
assert(ad != NULL);
ad->magic = KV5M_AUTHDATA;
ad->ad_type = type;
ad->length = strlen(contents);
ad->contents = (unsigned char *)strdup(contents);
assert(ad->contents != NULL);
req_authdata = malloc(2 * sizeof(*req_authdata));
assert(req_authdata != NULL);
req_authdata[0] = ad;
req_authdata[1] = NULL;
return req_authdata;
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_ccache defcc, ocache;
krb5_principal client, self;
krb5_creds mcred, *new_cred;
krb5_authdata **req_authdata = NULL;
if (argc == 6) {
req_authdata = make_request_authdata(atoi(argv[4]), argv[5]);
argc -= 2;
}
assert(argc == 4);
check(krb5_init_context(&context));
/* Open the default ccache. */
check(krb5_cc_default(context, &defcc));
check(krb5_parse_name(context, argv[1], &client));
check(krb5_parse_name(context, argv[2], &self));
memset(&mcred, 0, sizeof(mcred));
mcred.client = client;
mcred.server = self;
mcred.authdata = req_authdata;
check(krb5_get_credentials_for_user(context, KRB5_GC_NO_STORE |
KRB5_GC_CANONICALIZE, defcc,
&mcred, NULL, &new_cred));
if (strcmp(argv[3], "-") == 0) {
check(krb5_cc_store_cred(context, defcc, new_cred));
} else {
check(krb5_cc_resolve(context, argv[3], &ocache));
check(krb5_cc_initialize(context, ocache, new_cred->client));
check(krb5_cc_store_cred(context, ocache, new_cred));
krb5_cc_close(context, ocache);
}
assert(req_authdata == NULL || new_cred->authdata != NULL);
krb5_cc_close(context, defcc);
krb5_free_principal(context, client);
krb5_free_principal(context, self);
krb5_free_creds(context, new_cred);
krb5_free_authdata(context, req_authdata);
krb5_free_context(context);
return 0;
}