/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2019 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * Usage: s4u2self user self out_cache [ad-type ad-contents] * * The default ccache contains a TGT for the intermediate service self. An * S4U2Self request is made to self. The resulting cred is stored in * out_cache. */ #include static krb5_context ctx; static void check(krb5_error_code code) { const char *errmsg; if (code) { errmsg = krb5_get_error_message(ctx, code); fprintf(stderr, "%s\n", errmsg); krb5_free_error_message(ctx, errmsg); exit(1); } } static krb5_authdata ** make_request_authdata(int type, const char *contents) { krb5_authdata *ad; krb5_authdata **req_authdata; ad = malloc(sizeof(*ad)); assert(ad != NULL); ad->magic = KV5M_AUTHDATA; ad->ad_type = type; ad->length = strlen(contents); ad->contents = (unsigned char *)strdup(contents); assert(ad->contents != NULL); req_authdata = malloc(2 * sizeof(*req_authdata)); assert(req_authdata != NULL); req_authdata[0] = ad; req_authdata[1] = NULL; return req_authdata; } int main(int argc, char **argv) { krb5_context context; krb5_ccache defcc, ocache; krb5_principal client, self; krb5_creds mcred, *new_cred; krb5_authdata **req_authdata = NULL; if (argc == 6) { req_authdata = make_request_authdata(atoi(argv[4]), argv[5]); argc -= 2; } assert(argc == 4); check(krb5_init_context(&context)); /* Open the default ccache. */ check(krb5_cc_default(context, &defcc)); check(krb5_parse_name(context, argv[1], &client)); check(krb5_parse_name(context, argv[2], &self)); memset(&mcred, 0, sizeof(mcred)); mcred.client = client; mcred.server = self; mcred.authdata = req_authdata; check(krb5_get_credentials_for_user(context, KRB5_GC_NO_STORE | KRB5_GC_CANONICALIZE, defcc, &mcred, NULL, &new_cred)); if (strcmp(argv[3], "-") == 0) { check(krb5_cc_store_cred(context, defcc, new_cred)); } else { check(krb5_cc_resolve(context, argv[3], &ocache)); check(krb5_cc_initialize(context, ocache, new_cred->client)); check(krb5_cc_store_cred(context, ocache, new_cred)); krb5_cc_close(context, ocache); } assert(req_authdata == NULL || new_cred->authdata != NULL); krb5_cc_close(context, defcc); krb5_free_principal(context, client); krb5_free_principal(context, self); krb5_free_creds(context, new_cred); krb5_free_authdata(context, req_authdata); krb5_free_context(context); return 0; }