Initial commit

1f6d250d · Daniel Kouřil · b2fe35a3 · 1f6d250d · 1f6d250d · 1f6d250d
Unverified Commit 1f6d250d authored Mar 16, 2023 by Daniel Kouřil
--- a/Makefile
+++ b/Makefile
+CPPFLAGS = -Wall -I/usr/include/heimdal -DHEIMDAL
+CFLAGS = -O0 -g
+LDLIBS = -L/usr/lib/x86_64-linux-gnu/heimdal -lkrb5
+all: creds2cc
+creds2cc: creds2cc.o base64.o
+clean:
+	$(RM) *.o creds2cc
--- a/base64.c
+++ b/base64.c
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* util/support/base64.c - base64 encoder and decoder */
+/*
+ * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+//#include <k5-platform.h>
+//#include <k5-base64.h>
+#include <string.h>
+#include <stdlib.h>
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t)((size_t)0 - 1))
+#endif
+static const char base64_chars[] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+char *
+k5_base64_encode(const void *data, size_t len)
+{
+    char *s, *p;
+    size_t i;
+    unsigned int c;
+    const unsigned char *q;
+    if (len > SIZE_MAX / 4)
+        return NULL;
+    p = s = malloc(len * 4 / 3 + 4);
+    if (p == NULL)
+        return NULL;
+    q = (const unsigned char *)data;
+    for (i = 0; i < len;) {
+        c = q[i++];
+        c *= 256;
+        if (i < len)
+            c += q[i];
+        i++;
+        c *= 256;
+        if (i < len)
+            c += q[i];
+        i++;
+        p[0] = base64_chars[(c & 0x00fc0000) >> 18];
+        p[1] = base64_chars[(c & 0x0003f000) >> 12];
+        p[2] = base64_chars[(c & 0x00000fc0) >> 6];
+        p[3] = base64_chars[(c & 0x0000003f) >> 0];
+        if (i > len)
+            p[3] = '=';
+        if (i > len + 1)
+            p[2] = '=';
+        p += 4;
+    }
+    *p = '\0';
+    return s;
+}
+#define DECODE_ERROR 0xffffffff
+/* Decode token, which must be four bytes long. */
+static unsigned int
+decode_token(const char *token)
+{
+    int i, marker = 0;
+    unsigned int val = 0;
+    const char *p;
+    for (i = 0; i < 4; i++) {
+        val *= 64;
+        if (token[i] == '=') {
+            marker++;
+        } else if (marker > 0) {
+            return DECODE_ERROR;
+        } else {
+            p = strchr(base64_chars, token[i]);
+            if (p == NULL)
+                return DECODE_ERROR;
+            val += p - base64_chars;
+        }
+    }
+    if (marker > 2)
+        return DECODE_ERROR;
+    return (marker << 24) | val;
+}
+void *
+k5_base64_decode(const char *str, size_t *len_out)
+{
+    unsigned char *data, *q;
+    unsigned int val, marker;
+    size_t len;
+    *len_out = SIZE_MAX;
+    /* Allocate the output buffer. */
+    len = strlen(str);
+    if (len % 4)
+        return NULL;
+    q = data = malloc(len / 4 * 3);
+    if (data == NULL) {
+        *len_out = 0;
+        return NULL;
+    }
+    /* Decode the string. */
+    for (; *str != '\0'; str += 4) {
+        val = decode_token(str);
+        if (val == DECODE_ERROR) {
+            free(data);
+            return NULL;
+        }
+        marker = (val >> 24) & 0xff;
+        *q++ = (val >> 16) & 0xff;
+        if (marker < 2)
+            *q++ = (val >> 8) & 0xff;
+        if (marker < 1)
+            *q++ = val & 0xff;
+    }
+    *len_out = q - data;
+    return data;
+}
--- a/base64.h
+++ b/base64.h
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/k5-base64.h - base64 declarations */
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#ifndef K5_BASE64_H
+#define K5_BASE64_H
+#include <stddef.h>
+/* base64-encode data and return it in an allocated buffer.  Return NULL if out
+ * of memory. */
+char *k5_base64_encode(const void *data, size_t len);
+/*
+ * Decode str as base64 and return the result in an allocated buffer, setting
+ * *len_out to the length.  Return NULL and *len_out == 0 if out of memory,
+ * NULL and *len_out == SIZE_MAX on invalid input.
+ */
+void *k5_base64_decode(const char *str, size_t *len_out);
+#endif /* K5_BASE64_H */
--- a/creds2cc.c
+++ b/creds2cc.c
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <krb5.h>
+#include "base64.h"
+static krb5_error_code
+prepare_ccache_file(krb5_context context, krb5_creds *creds, krb5_ccache *cc, const char *filename)
+{
+	krb5_error_code ret;
+	krb5_ccache ccache = NULL;
+	ret = krb5_cc_resolve(context, filename, &ccache);
+	if (ret) {
+		fprintf(stderr, "krb5_cc_resolve() failed (%s)\n", krb5_get_error_message(context, ret));
+		goto end;
+	}
+	ret = krb5_cc_initialize(context, ccache, creds->client);
+	if (ret) {
+		fprintf(stderr, "krb5_cc_initialize() failed (%s)\n", krb5_get_error_message(context, ret));
+		goto end;
+	}
+	ret = krb5_cc_store_cred(context, ccache, creds);
+	if (ret) {
+		fprintf(stderr, "krb5_cc_store_cred() failed (%s)\n", krb5_get_error_message(context, ret));
+		goto end;
+	}
+	*cc = ccache;
+	ccache = NULL;
+ end:
+	if (ccache)
+		krb5_cc_destroy(context, ccache);
+	return ret;
+}
+static krb5_error_code
+init_auth_context(krb5_context context, krb5_auth_context * auth_context)
+{
+	int32_t flags;
+	krb5_error_code ret;
+	ret = krb5_auth_con_init(context, auth_context);
+	if (ret) {
+		fprintf(stderr, "krb5_auth_con_init() failed: %s.\n", krb5_get_error_message(context, ret));
+		return ret;
+	}
+	krb5_auth_con_getflags(context, *auth_context, &flags);
+	/* We disable putting times in the message so the message could be cached
+	   and re-sent in the future. If caching isn't needed, it could be enabled
+	   again (but read below) */
+	/* N.B. The semantics of KRB5_AUTH_CONTEXT_DO_TIME applied in
+	   krb5_fwd_tgt_creds() seems to differ between Heimdal and MIT. MIT uses
+	   it to (also) enable replay cache checks (that are useless and
+	   troublesome for us). Heimdal uses it to just specify whether or not the
+	   timestamp is included in the forwarded message. */
+	flags &= ~(KRB5_AUTH_CONTEXT_DO_TIME);
+#ifdef HEIMDAL
+	flags |= KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED;
+#endif
+	krb5_auth_con_setflags(context, *auth_context, flags);
+	return 0;
+}
+krb5_error_code
+doit(const char *sent_creds, const char *ccname_file)
+{
+	krb5_error_code ret;
+	krb5_ccache ccache = NULL;
+	krb5_creds **creds = NULL;
+	krb5_context context = NULL;
+	krb5_auth_context auth_context = NULL;
+	krb5_data creds_data;
+	memset(&creds_data, 0, sizeof(creds_data));
+	creds_data.data = k5_base64_decode(sent_creds, &creds_data.length);
+	if (creds_data.data == NULL) {
+		fprintf(stderr, "Failed to decode sent creds\n");
+		ret = -1;
+		goto end;
+	}
+	ret = krb5_init_context(&context);
+	if (ret) {
+		fprintf(stderr, "Cannot initialize Kerberos, exiting.\n");
+		goto end;
+	}
+	ret = init_auth_context(context, &auth_context);
+	if (ret)
+		goto end;
+	ret = krb5_rd_cred(context, auth_context, &creds_data, &creds, NULL);
+	if (ret) {
+		fprintf(stderr, "krb5_rd_cred() failed: %s.\n", krb5_get_error_message(context, ret));
+		goto end;
+	}
+	/* XXX we only handle the first creds */
+	ret = prepare_ccache_file(context, creds[0], &ccache, ccname_file);
+	if (ret)
+		goto end;
+	ret = 0;
+end:
+	krb5_free_data(context, &creds_data);
+	if (auth_context)
+		krb5_auth_con_free(context, auth_context);
+	if (creds) {
+		krb5_creds **c;
+		for (c = creds; c != NULL && *c != NULL; c++)
+			krb5_free_creds(context, *c);
+		free(creds);
+	}
+	if (ccache)
+		krb5_cc_close(context, ccache);
+	if (context)
+		krb5_free_context(context);
+	return ret;
+}
+int
+main(int argc, char *argv[])
+{
+	int ret;
+	size_t len;
+	char *progname;
+	char *input = NULL;
+	if ((progname = strrchr(argv[0], '/')))
+		progname++;
+	else
+		progname = argv[0];
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s ccname\n", progname);
+		exit(1);
+	}
+	len = getline(&input, &len, stdin);
+	if (len < 0) {
+		fprintf(stderr, "Failed to read the input credentials\n");
+		exit(1);
+	}
+	if (len < 1) {
+		fprintf(stderr, "Wrong input credentials\n");
+		exit(1);
+	}
+	if (input[len-1] == '\n')
+		input[len-1] = '\0';
+	ret = doit(input, argv[1]);
+	free(input);
+	if (ret != 0)
+		ret = 1;
+	return ret;
+}