OM_uint32 gssi_store_cred(OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
gss_cred_usage_t input_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
struct gpp_cred_handle *cred = NULL;
OM_uint32 maj, min;
GSSI_TRACE();
*minor_status = 0;
if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_CALL_INACCESSIBLE_READ;
}
cred = (struct gpp_cred_handle *)input_cred_handle;
if (cred->remote) {
maj = gpp_store_remote_creds(&min, cred->remote);
goto done;
}
maj = gss_store_cred(&min, cred->local, input_usage,
gpp_special_mech(desired_mech),
overwrite_cred, default_cred,
elements_stored, cred_usage_stored);
done:
*minor_status = gpp_map_error(min);
return maj;
}
int
gssapi_session(void *app_data, char *username)
{
struct gssapi_data *data = app_data;
OM_uint32 major, minor;
int ret = 0;
if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
major = gss_store_cred(&minor, data->delegated_cred_handle,
GSS_C_INITIATE, GSS_C_NO_OID,
1, 1, NULL, NULL);
if (GSS_ERROR(major))
ret = 1;
afslog(NULL, 1);
}
gss_release_cred(&minor, &data->delegated_cred_handle);
return ret;
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int status;
OM_uint32 major, minor;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_OID mech = GSS_C_NO_OID;
if (flags && (flags & PAM_ESTABLISH_CRED) == 0)
return PAM_SUCCESS;
status = pam_get_data(pamh, GSS_CRED_DATA, (const void **)&cred);
BAIL_ON_PAM_ERROR(status);
status = pam_get_data(pamh, GSS_MECH_DATA, (const void **)&mech);
BAIL_ON_PAM_ERROR(status);
major = gss_store_cred(&minor, cred, GSS_C_INITIATE, mech,
1, 1, NULL, NULL);
BAIL_ON_GSS_ERROR(major, minor);
cleanup:
return status;
}
int
main(int argc, char **argv)
{
OM_uint32 major, minor;
gss_cred_id_t from_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t to_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
char *from_env;
char *to_env;
int optidx = 0;
setprogname(argv[0]);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if (version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc < 2)
errx(1, "required arguments missing");
if (argc > 2)
errx(1, "too many arguments");
if (asprintf(&from_env, "KRB5CCNAME=%s", argv[0]) == -1 || from_env == NULL)
err(1, "out of memory");
if (asprintf(&to_env, "KRB5CCNAME=%s", argv[1]) == -1 || to_env == NULL)
err(1, "out of memory");
putenv(from_env);
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, &from_cred, NULL, NULL, NULL);
if (major != GSS_S_COMPLETE)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to acquire creds from %s", argv[0]);
putenv(to_env);
major = gss_store_cred(&minor, from_cred, GSS_C_INITIATE,
GSS_KRB5_MECHANISM, 1, 1, NULL, NULL);
if (major != GSS_S_COMPLETE)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to store creds into %s", argv[1]);
(void) gss_release_cred(&minor, &from_cred);
(void) gss_release_cred(&minor, &to_cred);
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, &cred, NULL, NULL, NULL);
if (major != GSS_S_COMPLETE)
gss_err(1, major, minor, GSS_KRB5_MECHANISM,
"failed to acquire creds from %s", argv[1]);
(void) gss_release_cred(&minor, &cred);
putenv("KRB5CCNAME");
free(from_env);
free(to_env);
return 0;
}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
gss_OID_set_desc mechs;
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
gss_buffer_desc buf;
if (argc < 2 || argc > 5) {
fprintf(stderr, "Usage: %s [--spnego] [user] "
"[proxy-target] [keytab]\n", argv[0]);
fprintf(stderr, " proxy-target and keytab are optional\n");
exit(1);
}
if (strcmp(argv[1], "--spnego") == 0) {
use_spnego++;
argc--;
argv++;
}
buf.value = argv[1];
buf.length = strlen((char *)buf.value);
major = gss_import_name(&minor, &buf,
(gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
&user);
if (GSS_ERROR(major)) {
displayStatus("gss_import_name(user)", major, minor);
goto out;
}
if (argc > 2 && strcmp(argv[2], "-")) {
buf.value = argv[2];
buf.length = strlen((char *)buf.value);
major = gss_import_name(&minor, &buf,
(gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
&target);
if (GSS_ERROR(major)) {
displayStatus("gss_import_name(target)", major, minor);
goto out;
}
} else {
target = GSS_C_NO_NAME;
}
mechs.elements = use_spnego ? (gss_OID)&spnego_mech :
(gss_OID)gss_mech_krb5;
mechs.count = 1;
major = getDefaultCred(&minor,
argc > 3 ? argv[3] : NULL,
&mechs,
&impersonator_cred_handle);
if (GSS_ERROR(major))
goto out;
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
/* get S4U2Self cred */
major = gss_acquire_cred_impersonate_name(&minor,
impersonator_cred_handle,
user,
GSS_C_INDEFINITE,
&mechs,
GSS_C_INITIATE,
&user_cred_handle,
&actual_mechs,
NULL);
if (GSS_ERROR(major)) {
displayStatus("gss_acquire_cred_impersonate_name", major, minor);
goto out;
}
/* Try to store it in default ccache */
major = gss_store_cred(&minor,
user_cred_handle,
GSS_C_INITIATE,
&mechs.elements[0],
1,
1,
NULL,
NULL);
if (GSS_ERROR(major)) {
displayStatus("gss_store_cred", major, minor);
goto out;
}
major = initAcceptSecContext(&minor,
user_cred_handle,
impersonator_cred_handle,
&delegated_cred_handle);
if (GSS_ERROR(major))
goto out;
printf("\n");
out:
(void) gss_release_name(&minor, &user);
(void) gss_release_name(&minor, &target);
(void) gss_release_cred(&minor, &delegated_cred_handle);
(void) gss_release_cred(&minor, &impersonator_cred_handle);
(void) gss_release_cred(&minor, &user_cred_handle);
(void) gss_release_oid_set(&minor, &actual_mechs);
return GSS_ERROR(major) ? 1 : 0;
}
