Select Git revision
csv.spec.ts
creds2cc.c 3.87 KiB
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <krb5.h>
#include "base64.h"
static krb5_error_code
prepare_ccache_file(krb5_context context, krb5_creds *creds, krb5_ccache *cc, const char *filename)
{
krb5_error_code ret;
krb5_ccache ccache = NULL;
ret = krb5_cc_resolve(context, filename, &ccache);
if (ret) {
fprintf(stderr, "krb5_cc_resolve() failed (%s)\n", krb5_get_error_message(context, ret));
goto end;
}
ret = krb5_cc_initialize(context, ccache, creds->client);
if (ret) {
fprintf(stderr, "krb5_cc_initialize() failed (%s)\n", krb5_get_error_message(context, ret));
goto end;
}
ret = krb5_cc_store_cred(context, ccache, creds);
if (ret) {
fprintf(stderr, "krb5_cc_store_cred() failed (%s)\n", krb5_get_error_message(context, ret));
goto end;
}
*cc = ccache;
ccache = NULL;
end:
if (ccache)
krb5_cc_destroy(context, ccache);
return ret;
}
static krb5_error_code
init_auth_context(krb5_context context, krb5_auth_context * auth_context)
{
int32_t flags;
krb5_error_code ret;
ret = krb5_auth_con_init(context, auth_context);
if (ret) {
fprintf(stderr, "krb5_auth_con_init() failed: %s.\n", krb5_get_error_message(context, ret));
return ret;
}
krb5_auth_con_getflags(context, *auth_context, &flags);
/* We disable putting times in the message so the message could be cached
and re-sent in the future. If caching isn't needed, it could be enabled
again (but read below) */
/* N.B. The semantics of KRB5_AUTH_CONTEXT_DO_TIME applied in
krb5_fwd_tgt_creds() seems to differ between Heimdal and MIT. MIT uses
it to (also) enable replay cache checks (that are useless and
troublesome for us). Heimdal uses it to just specify whether or not the
timestamp is included in the forwarded message. */
flags &= ~(KRB5_AUTH_CONTEXT_DO_TIME);
#ifdef HEIMDAL
flags |= KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED;
#endif
krb5_auth_con_setflags(context, *auth_context, flags);
return 0;
}
krb5_error_code
doit(const char *sent_creds, const char *ccname_file)
{
krb5_error_code ret;
krb5_ccache ccache = NULL;
krb5_creds **creds = NULL;
krb5_context context = NULL;
krb5_auth_context auth_context = NULL;
krb5_data creds_data;
memset(&creds_data, 0, sizeof(creds_data));
creds_data.data = k5_base64_decode(sent_creds, &creds_data.length);
if (creds_data.data == NULL) {
fprintf(stderr, "Failed to decode sent creds\n");
ret = -1;
goto end;
}
ret = krb5_init_context(&context);
if (ret) {
fprintf(stderr, "Cannot initialize Kerberos, exiting.\n");
goto end;
}
ret = init_auth_context(context, &auth_context);
if (ret)
goto end;
ret = krb5_rd_cred(context, auth_context, &creds_data, &creds, NULL);
if (ret) {
fprintf(stderr, "krb5_rd_cred() failed: %s.\n", krb5_get_error_message(context, ret));
goto end;
}
/* XXX we only handle the first creds */
ret = prepare_ccache_file(context, creds[0], &ccache, ccname_file);
if (ret)
goto end;
ret = 0;
end:
if (creds_data.data)
krb5_data_free(&creds_data);
if (auth_context)
krb5_auth_con_free(context, auth_context);
if (creds) {
krb5_creds **c;
for (c = creds; c != NULL && *c != NULL; c++)
krb5_free_creds(context, *c);
free(creds);
}
if (ccache)
krb5_cc_close(context, ccache);
if (context)
krb5_free_context(context);
return ret;
}
int
main(int argc, char *argv[])
{
int ret;
size_t len;
char *progname; size_t size = 0;
char *input = NULL;
if ((progname = strrchr(argv[0], '/')))
progname++;
else
progname = argv[0];
if (argc != 2) {
fprintf(stderr, "Usage: %s ccname\n", progname);
exit(1);
}
len = getline(&input, &size, stdin);
if (len < 0) {
fprintf(stderr, "Failed to read the input credentials\n");
exit(1);
}
if (len < 1) {
fprintf(stderr, "Wrong input credentials\n");
exit(1);
}
if (input[len-1] == '\n')
input[len-1] = '\0';
ret = doit(input, argv[1]);
free(input);
if (ret != 0)
ret = 1;
return ret;
}