/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */1/*2* Copyright (C) 2019 by the Massachusetts Institute of Technology.3* All rights reserved.4*5* Redistribution and use in source and binary forms, with or without6* modification, are permitted provided that the following conditions7* are met:8*9* * Redistributions of source code must retain the above copyright10* notice, this list of conditions and the following disclaimer.11*12* * Redistributions in binary form must reproduce the above copyright13* notice, this list of conditions and the following disclaimer in14* the documentation and/or other materials provided with the15* distribution.16*17* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS18* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT19* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS20* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE21* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,22* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES23* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR24* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)25* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,26* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)27* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED28* OF THE POSSIBILITY OF SUCH DAMAGE.29*/3031/*32* Usage: s4u2self user self out_cache [ad-type ad-contents]33*34* The default ccache contains a TGT for the intermediate service self. An35* S4U2Self request is made to self. The resulting cred is stored in36* out_cache.37*/3839#include <k5-int.h>4041static krb5_context ctx;4243static void44check(krb5_error_code code)45{46const char *errmsg;4748if (code) {49errmsg = krb5_get_error_message(ctx, code);50fprintf(stderr, "%s\n", errmsg);51krb5_free_error_message(ctx, errmsg);52exit(1);53}54}5556static krb5_authdata **57make_request_authdata(int type, const char *contents)58{59krb5_authdata *ad;60krb5_authdata **req_authdata;6162ad = malloc(sizeof(*ad));63assert(ad != NULL);64ad->magic = KV5M_AUTHDATA;65ad->ad_type = type;66ad->length = strlen(contents);67ad->contents = (unsigned char *)strdup(contents);68assert(ad->contents != NULL);6970req_authdata = malloc(2 * sizeof(*req_authdata));71assert(req_authdata != NULL);72req_authdata[0] = ad;73req_authdata[1] = NULL;7475return req_authdata;76}7778int79main(int argc, char **argv)80{81krb5_context context;82krb5_ccache defcc, ocache;83krb5_principal client, self;84krb5_creds mcred, *new_cred;85krb5_authdata **req_authdata = NULL;8687if (argc == 6) {88req_authdata = make_request_authdata(atoi(argv[4]), argv[5]);89argc -= 2;90}9192assert(argc == 4);93check(krb5_init_context(&context));9495/* Open the default ccache. */96check(krb5_cc_default(context, &defcc));9798check(krb5_parse_name(context, argv[1], &client));99check(krb5_parse_name(context, argv[2], &self));100101memset(&mcred, 0, sizeof(mcred));102mcred.client = client;103mcred.server = self;104mcred.authdata = req_authdata;105check(krb5_get_credentials_for_user(context, KRB5_GC_NO_STORE |106KRB5_GC_CANONICALIZE, defcc,107&mcred, NULL, &new_cred));108109if (strcmp(argv[3], "-") == 0) {110check(krb5_cc_store_cred(context, defcc, new_cred));111} else {112check(krb5_cc_resolve(context, argv[3], &ocache));113check(krb5_cc_initialize(context, ocache, new_cred->client));114check(krb5_cc_store_cred(context, ocache, new_cred));115krb5_cc_close(context, ocache);116}117118assert(req_authdata == NULL || new_cred->authdata != NULL);119120krb5_cc_close(context, defcc);121krb5_free_principal(context, client);122krb5_free_principal(context, self);123krb5_free_creds(context, new_cred);124krb5_free_authdata(context, req_authdata);125krb5_free_context(context);126return 0;127}128129130