static void
eval_kgetcred(heim_dict_t o)
{
heim_string_t server, ccache;
krb5_get_creds_opt opt;
heim_bool_t nostore;
krb5_error_code ret;
krb5_ccache cc = NULL;
krb5_principal s;
krb5_creds *out = NULL;
if (ptop)
ptop->tgs_req++;
server = heim_dict_get_value(o, HSTR("server"));
if (server == NULL)
krb5_errx(kdc_context, 1, "no server");
ccache = heim_dict_get_value(o, HSTR("ccache"));
if (ccache == NULL)
krb5_errx(kdc_context, 1, "no ccache");
nostore = heim_dict_get_value(o, HSTR("nostore"));
if (nostore == NULL)
nostore = heim_bool_create(1);
ret = krb5_cc_resolve(kdc_context, heim_string_get_utf8(ccache), &cc);
if (ret)
krb5_err(kdc_context, 1, ret, "krb5_cc_resolve");
ret = krb5_parse_name(kdc_context, heim_string_get_utf8(server), &s);
if (ret)
krb5_err(kdc_context, 1, ret, "krb5_parse_name");
ret = krb5_get_creds_opt_alloc(kdc_context, &opt);
if (ret)
krb5_err(kdc_context, 1, ret, "krb5_get_creds_opt_alloc");
if (heim_bool_val(nostore))
krb5_get_creds_opt_add_options(kdc_context, opt, KRB5_GC_NO_STORE);
ret = krb5_get_creds(kdc_context, opt, cc, s, &out);
if (ret)
krb5_err(kdc_context, 1, ret, "krb5_get_creds");
krb5_free_creds(kdc_context, out);
krb5_free_principal(kdc_context, s);
krb5_get_creds_opt_free(kdc_context, opt);
krb5_cc_close(kdc_context, cc);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache cache;
krb5_creds *out;
int optidx = 0;
krb5_get_creds_opt opt;
krb5_principal server;
krb5_principal impersonate = NULL;
setprogname (argv[0]);
ret = krb5_init_context (&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc != 1)
usage (1);
if(cache_str) {
ret = krb5_cc_resolve(context, cache_str, &cache);
if (ret)
krb5_err (context, 1, ret, "%s", cache_str);
} else {
ret = krb5_cc_default (context, &cache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
}
ret = krb5_get_creds_opt_alloc(context, &opt);
if (ret)
krb5_err (context, 1, ret, "krb5_get_creds_opt_alloc");
if (etype_str) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, etype_str, &enctype);
if (ret)
krb5_errx (context, 1, N_("unrecognized enctype: %s", ""),
etype_str);
krb5_get_creds_opt_set_enctype(context, opt, enctype);
}
if (impersonate_str) {
ret = krb5_parse_name(context, impersonate_str, &impersonate);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", impersonate_str);
krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
}
if (out_cache_str)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (forwardable_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
if (!transit_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_TRANSIT_CHECK);
if (canonicalize_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CANONICALIZE);
if (delegation_cred_str) {
krb5_ccache id;
krb5_creds c, mc;
Ticket ticket;
krb5_cc_clear_mcred(&mc);
ret = krb5_cc_get_principal(context, cache, &mc.server);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_get_principal");
ret = krb5_cc_resolve(context, delegation_cred_str, &id);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_retrieve_cred(context, id, 0, &mc, &c);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
ret = decode_Ticket(c.ticket.data, c.ticket.length, &ticket, NULL);
if (ret) {
krb5_clear_error_message(context);
krb5_err (context, 1, ret, "decode_Ticket");
}
krb5_free_cred_contents(context, &c);
ret = krb5_get_creds_opt_set_ticket(context, opt, &ticket);
if(ret)
krb5_err (context, 1, ret, "krb5_get_creds_opt_set_ticket");
free_Ticket(&ticket);
krb5_cc_close (context, id);
krb5_free_principal(context, mc.server);
krb5_get_creds_opt_add_options(context, opt,
KRB5_GC_CONSTRAINED_DELEGATION);
}
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
if (nametype_str) {
int32_t nametype;
ret = krb5_parse_nametype(context, nametype_str, &nametype);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_nametype");
server->name.name_type = (NAME_TYPE)nametype;
}
ret = krb5_get_creds(context, opt, cache, server, &out);
if (ret)
krb5_err (context, 1, ret, "krb5_get_creds");
if (out_cache_str) {
krb5_ccache id;
ret = krb5_cc_resolve(context, out_cache_str, &id);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_initialize(context, id, out->client);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, id, out);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
krb5_cc_close (context, id);
}
krb5_free_creds(context, out);
krb5_free_principal(context, server);
krb5_get_creds_opt_free(context, opt);
krb5_cc_close (context, cache);
krb5_free_context (context);
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache cache;
krb5_creds *out;
int optidx = 0;
int32_t nametype = KRB5_NT_UNKNOWN;
krb5_get_creds_opt opt;
krb5_principal server = NULL;
krb5_principal impersonate;
setprogname(argv[0]);
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (debug_flag) {
ret = krb5_set_debug_dest(context, getprogname(), "STDERR");
if (ret)
krb5_warn(context, ret, "krb5_set_debug_dest");
}
if (cache_str) {
ret = krb5_cc_resolve(context, cache_str, &cache);
if (ret)
krb5_err(context, 1, ret, "%s", cache_str);
} else {
ret = krb5_cc_default (context, &cache);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
}
ret = krb5_get_creds_opt_alloc(context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_creds_opt_alloc");
if (etype_str) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, etype_str, &enctype);
if (ret)
krb5_errx(context, 1, N_("unrecognized enctype: %s", ""),
etype_str);
krb5_get_creds_opt_set_enctype(context, opt, enctype);
}
if (impersonate_str) {
ret = krb5_parse_name(context, impersonate_str, &impersonate);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", impersonate_str);
krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
krb5_free_principal(context, impersonate);
}
if (out_cache_str)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (forwardable_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
if (!transit_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_TRANSIT_CHECK);
if (canonicalize_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CANONICALIZE);
if (!store_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (cached_only_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CACHED);
if (delegation_cred_str) {
krb5_ccache id;
krb5_creds c, mc;
Ticket ticket;
krb5_cc_clear_mcred(&mc);
ret = krb5_cc_get_principal(context, cache, &mc.server);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
ret = krb5_cc_resolve(context, delegation_cred_str, &id);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_retrieve_cred(context, id, 0, &mc, &c);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_retrieve_cred");
ret = decode_Ticket(c.ticket.data, c.ticket.length, &ticket, NULL);
if (ret) {
krb5_clear_error_message(context);
krb5_err(context, 1, ret, "decode_Ticket");
}
krb5_free_cred_contents(context, &c);
ret = krb5_get_creds_opt_set_ticket(context, opt, &ticket);
if(ret)
krb5_err(context, 1, ret, "krb5_get_creds_opt_set_ticket");
free_Ticket(&ticket);
krb5_cc_close(context, id);
krb5_free_principal(context, mc.server);
krb5_get_creds_opt_add_options(context, opt,
KRB5_GC_CONSTRAINED_DELEGATION);
}
if (nametype_str != NULL) {
ret = krb5_parse_nametype(context, nametype_str, &nametype);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_nametype");
}
if (nametype == KRB5_NT_SRV_HST ||
nametype == KRB5_NT_SRV_HST_NEEDS_CANON)
is_hostbased_flag = 1;
if (is_hostbased_flag) {
const char *sname = NULL;
const char *hname = NULL;
if (nametype_str != NULL &&
nametype != KRB5_NT_SRV_HST &&
nametype != KRB5_NT_SRV_HST_NEEDS_CANON)
krb5_errx(context, 1, "--hostbased not compatible with "
"non-hostbased --name-type");
if (is_canonical_flag)
nametype = KRB5_NT_SRV_HST;
else
nametype = KRB5_NT_SRV_HST_NEEDS_CANON;
/*
* Host-based service names can have more than one component.
*
* RFC5179 did not, but should have, assign a Kerberos name-type
* corresponding to GSS_C_NT_DOMAINBASED. But it's basically a
* host-based service name type with one additional component.
*
* So that's how we're treating host-based service names here:
* two or more components.
*/
if (argc == 0) {
usage(1);
} else if (argc == 1) {
krb5_principal server2;
/*
* In this case the one argument is a principal name, not the
* service name.
*
* We parse the argument as a principal name, extract the service
* and hostname components, use krb5_sname_to_principal(), then
* extract the service and hostname components from that.
*/
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", argv[0]);
sname = krb5_principal_get_comp_string(context, server, 0);
/*
* If a single-component principal name is given, then we'll
* default the hostname, as krb5_principal_get_comp_string()
* returns NULL in this case.
*/
hname = krb5_principal_get_comp_string(context, server, 1);
ret = krb5_sname_to_principal(context, hname, sname,
KRB5_NT_SRV_HST, &server2);
sname = krb5_principal_get_comp_string(context, server2, 0);
hname = krb5_principal_get_comp_string(context, server2, 1);
/*
* Modify the original with the new sname/hname. This way we
* retain any additional principal name components from the given
* principal name.
*
* The name-type is set further below.
*/
ret = krb5_principal_set_comp_string(context, server, 0, sname);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string %s", argv[0]);
ret = krb5_principal_set_comp_string(context, server, 1, hname);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string %s", argv[0]);
krb5_free_principal(context, server2);
} else {
size_t i;
/*
* In this case the arguments are principal name components.
*
* The service and hostname components can be defaulted by passing
* empty strings.
*/
sname = argv[0];
if (*sname == '\0')
sname = NULL;
hname = argv[1];
if (hname == NULL || *hname == '\0')
hname = NULL;
ret = krb5_sname_to_principal(context, hname, sname,
KRB5_NT_SRV_HST, &server);
if (ret)
krb5_err(context, 1, ret, "krb5_sname_to_principal");
for (i = 2; i < argc; i++) {
ret = krb5_principal_set_comp_string(context, server, i, argv[i]);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string");
}
}
} else if (argc == 1) {
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", argv[0]);
} else {
usage(1);
}
if (nametype != KRB5_NT_UNKNOWN)
server->name.name_type = (NAME_TYPE)nametype;
ret = krb5_get_creds(context, opt, cache, server, &out);
if (ret)
krb5_err(context, 1, ret, "krb5_get_creds");
if (out_cache_str) {
krb5_ccache id;
ret = krb5_cc_resolve(context, out_cache_str, &id);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_initialize(context, id, out->client);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, id, out);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_cc_close(context, id);
}
krb5_free_creds(context, out);
krb5_free_principal(context, server);
krb5_get_creds_opt_free(context, opt);
krb5_cc_close (context, cache);
krb5_free_context (context);
return 0;
}