freebsd-skq/crypto/heimdal/kuser/klist.c
2004-04-03 21:22:55 +00:00

692 lines
17 KiB
C

/*
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kuser_locl.h"
#include "rtbl.h"
RCSID("$Id: klist.c,v 1.68.2.2 2003/10/13 15:13:39 joda Exp $");
static char*
printable_time(time_t t)
{
static char s[128];
strcpy(s, ctime(&t)+ 4);
s[15] = 0;
return s;
}
static char*
printable_time_long(time_t t)
{
static char s[128];
strcpy(s, ctime(&t)+ 4);
s[20] = 0;
return s;
}
#define COL_ISSUED " Issued"
#define COL_EXPIRES " Expires"
#define COL_FLAGS "Flags"
#define COL_PRINCIPAL " Principal"
#define COL_PRINCIPAL_KVNO " Principal (kvno)"
static void
print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
{
char *str;
krb5_error_code ret;
krb5_timestamp sec;
krb5_timeofday (context, &sec);
if(cred->times.starttime)
rtbl_add_column_entry(ct, COL_ISSUED,
printable_time(cred->times.starttime));
else
rtbl_add_column_entry(ct, COL_ISSUED,
printable_time(cred->times.authtime));
if(cred->times.endtime > sec)
rtbl_add_column_entry(ct, COL_EXPIRES,
printable_time(cred->times.endtime));
else
rtbl_add_column_entry(ct, COL_EXPIRES, ">>>Expired<<<");
ret = krb5_unparse_name (context, cred->server, &str);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name");
rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
if(do_flags) {
char s[16], *sp = s;
if(cred->flags.b.forwardable)
*sp++ = 'F';
if(cred->flags.b.forwarded)
*sp++ = 'f';
if(cred->flags.b.proxiable)
*sp++ = 'P';
if(cred->flags.b.proxy)
*sp++ = 'p';
if(cred->flags.b.may_postdate)
*sp++ = 'D';
if(cred->flags.b.postdated)
*sp++ = 'd';
if(cred->flags.b.renewable)
*sp++ = 'R';
if(cred->flags.b.initial)
*sp++ = 'I';
if(cred->flags.b.invalid)
*sp++ = 'i';
if(cred->flags.b.pre_authent)
*sp++ = 'A';
if(cred->flags.b.hw_authent)
*sp++ = 'H';
*sp++ = '\0';
rtbl_add_column_entry(ct, COL_FLAGS, s);
}
free(str);
}
static void
print_cred_verbose(krb5_context context, krb5_creds *cred)
{
int j;
char *str;
krb5_error_code ret;
int first_flag;
krb5_timestamp sec;
krb5_timeofday (context, &sec);
ret = krb5_unparse_name(context, cred->server, &str);
if(ret)
exit(1);
printf("Server: %s\n", str);
free (str);
{
Ticket t;
size_t len;
char *s;
decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
printf("Ticket etype: ");
if (ret == 0) {
printf("%s", s);
free(s);
} else {
printf("unknown(%d)", t.enc_part.etype);
}
if(t.enc_part.kvno)
printf(", kvno %d", *t.enc_part.kvno);
printf("\n");
if(cred->session.keytype != t.enc_part.etype) {
ret = krb5_keytype_to_string(context, cred->session.keytype, &str);
if(ret == KRB5_PROG_KEYTYPE_NOSUPP)
ret = krb5_enctype_to_string(context, cred->session.keytype,
&str);
if(ret)
krb5_warn(context, ret, "session keytype");
else {
printf("Session key: %s\n", str);
free(str);
}
}
free_Ticket(&t);
}
printf("Auth time: %s\n", printable_time_long(cred->times.authtime));
if(cred->times.authtime != cred->times.starttime)
printf("Start time: %s\n", printable_time_long(cred->times.starttime));
printf("End time: %s", printable_time_long(cred->times.endtime));
if(sec > cred->times.endtime)
printf(" (expired)");
printf("\n");
if(cred->flags.b.renewable)
printf("Renew till: %s\n",
printable_time_long(cred->times.renew_till));
printf("Ticket flags: ");
#define PRINT_FLAG2(f, s) if(cred->flags.b.f) { if(!first_flag) printf(", "); printf("%s", #s); first_flag = 0; }
#define PRINT_FLAG(f) PRINT_FLAG2(f, f)
first_flag = 1;
PRINT_FLAG(forwardable);
PRINT_FLAG(forwarded);
PRINT_FLAG(proxiable);
PRINT_FLAG(proxy);
PRINT_FLAG2(may_postdate, may-postdate);
PRINT_FLAG(postdated);
PRINT_FLAG(invalid);
PRINT_FLAG(renewable);
PRINT_FLAG(initial);
PRINT_FLAG2(pre_authent, pre-authenticated);
PRINT_FLAG2(hw_authent, hw-authenticated);
PRINT_FLAG2(transited_policy_checked, transited-policy-checked);
PRINT_FLAG2(ok_as_delegate, ok-as-delegate);
PRINT_FLAG(anonymous);
printf("\n");
printf("Addresses: ");
for(j = 0; j < cred->addresses.len; j++){
char buf[128];
size_t len;
if(j) printf(", ");
ret = krb5_print_address(&cred->addresses.val[j],
buf, sizeof(buf), &len);
if(ret == 0)
printf("%s", buf);
}
printf("\n\n");
}
/*
* Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
*/
static void
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal,
int do_verbose,
int do_flags)
{
krb5_error_code ret;
char *str;
krb5_cc_cursor cursor;
krb5_creds creds;
rtbl_t ct = NULL;
ret = krb5_unparse_name (context, principal, &str);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
printf ("%17s: %s:%s\n",
"Credentials cache",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
printf ("%17s: %s\n", "Principal", str);
free (str);
if(do_verbose)
printf ("%17s: %d\n", "Cache version",
krb5_cc_get_version(context, ccache));
if (do_verbose && context->kdc_sec_offset) {
char buf[BUFSIZ];
int val;
int sig;
val = context->kdc_sec_offset;
sig = 1;
if (val < 0) {
sig = -1;
val = -val;
}
unparse_time (val, buf, sizeof(buf));
printf ("%17s: %s%s\n", "KDC time offset",
sig == -1 ? "-" : "", buf);
}
printf("\n");
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
if(!do_verbose) {
ct = rtbl_create();
rtbl_add_column(ct, COL_ISSUED, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
if(do_flags)
rtbl_add_column(ct, COL_FLAGS, 0);
rtbl_add_column(ct, COL_PRINCIPAL, 0);
rtbl_set_prefix(ct, " ");
rtbl_set_column_prefix(ct, COL_ISSUED, "");
}
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&creds)) == 0) {
if(do_verbose){
print_cred_verbose(context, &creds);
}else{
print_cred(context, &creds, ct, do_flags);
}
krb5_free_creds_contents (context, &creds);
}
if(ret != KRB5_CC_END)
krb5_err(context, 1, ret, "krb5_cc_get_next");
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
if(!do_verbose) {
rtbl_format(ct, stdout);
rtbl_destroy(ct);
}
}
/*
* Check if there's a tgt for the realm of `principal' and ccache and
* if so return 0, else 1
*/
static int
check_for_tgt (krb5_context context,
krb5_ccache ccache,
krb5_principal principal)
{
krb5_error_code ret;
krb5_creds pattern;
krb5_creds creds;
krb5_realm *client_realm;
int expired;
client_realm = krb5_princ_realm (context, principal);
ret = krb5_make_principal (context, &pattern.server,
*client_realm, KRB5_TGS_NAME, *client_realm,
NULL);
if (ret)
krb5_err (context, 1, ret, "krb5_make_principal");
ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
expired = time(NULL) > creds.times.endtime;
krb5_free_principal (context, pattern.server);
krb5_free_creds_contents (context, &creds);
if (ret) {
if (ret == KRB5_CC_END)
return 1;
krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
}
return expired;
}
#ifdef KRB4
/* prints the approximate kdc time differential as something human
readable */
static void
print_time_diff(int do_verbose)
{
int d = abs(krb_get_kdc_time_diff());
char buf[80];
if ((do_verbose && d > 0) || d > 60) {
unparse_time_approx (d, buf, sizeof(buf));
printf ("Time diff:\t%s\n", buf);
}
}
/*
* return a short representation of `dp' in string form.
*/
static char *
short_date(int32_t dp)
{
char *cp;
time_t t = (time_t)dp;
if (t == (time_t)(-1L)) return "*** Never *** ";
cp = ctime(&t) + 4;
cp[15] = '\0';
return (cp);
}
/*
* Print a list of all the v4 tickets
*/
static int
display_v4_tickets (int do_verbose)
{
char *file;
int ret;
krb_principal princ;
CREDENTIALS cred;
int found = 0;
rtbl_t ct;
file = getenv ("KRBTKFILE");
if (file == NULL)
file = TKT_FILE;
printf("%17s: %s\n", "V4-ticket file", file);
ret = krb_get_tf_realm (file, princ.realm);
if (ret) {
warnx ("%s", krb_get_err_text(ret));
return 1;
}
ret = tf_init (file, R_TKT_FIL);
if (ret) {
warnx ("tf_init: %s", krb_get_err_text(ret));
return 1;
}
ret = tf_get_pname (princ.name);
if (ret) {
tf_close ();
warnx ("tf_get_pname: %s", krb_get_err_text(ret));
return 1;
}
ret = tf_get_pinst (princ.instance);
if (ret) {
tf_close ();
warnx ("tf_get_pname: %s", krb_get_err_text(ret));
return 1;
}
printf ("%17s: %s\n", "Principal", krb_unparse_name(&princ));
print_time_diff(do_verbose);
printf("\n");
ct = rtbl_create();
rtbl_add_column(ct, COL_ISSUED, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
if (do_verbose)
rtbl_add_column(ct, COL_PRINCIPAL_KVNO, 0);
else
rtbl_add_column(ct, COL_PRINCIPAL, 0);
rtbl_set_prefix(ct, " ");
rtbl_set_column_prefix(ct, COL_ISSUED, "");
while ((ret = tf_get_cred(&cred)) == KSUCCESS) {
struct timeval tv;
char buf1[20], buf2[20];
const char *pp;
found++;
strlcpy(buf1,
short_date(cred.issue_date),
sizeof(buf1));
cred.issue_date = krb_life_to_time(cred.issue_date, cred.lifetime);
krb_kdctimeofday(&tv);
if (do_verbose || tv.tv_sec < (unsigned long) cred.issue_date)
strlcpy(buf2,
short_date(cred.issue_date),
sizeof(buf2));
else
strlcpy(buf2,
">>> Expired <<<",
sizeof(buf2));
rtbl_add_column_entry(ct, COL_ISSUED, buf1);
rtbl_add_column_entry(ct, COL_EXPIRES, buf2);
pp = krb_unparse_name_long(cred.service,
cred.instance,
cred.realm);
if (do_verbose) {
char *tmp;
asprintf(&tmp, "%s (%d)", pp, cred.kvno);
rtbl_add_column_entry(ct, COL_PRINCIPAL_KVNO, tmp);
free(tmp);
} else {
rtbl_add_column_entry(ct, COL_PRINCIPAL, pp);
}
}
rtbl_format(ct, stdout);
rtbl_destroy(ct);
if (!found && ret == EOF)
printf("No tickets in file.\n");
tf_close();
/*
* should do NAT stuff here
*/
return 0;
}
#endif /* KRB4 */
/*
* Print a list of all AFS tokens
*/
static void
display_tokens(int do_verbose)
{
u_int32_t i;
unsigned char t[4096];
struct ViceIoctl parms;
parms.in = (void *)&i;
parms.in_size = sizeof(i);
parms.out = (void *)t;
parms.out_size = sizeof(t);
for (i = 0;; i++) {
int32_t size_secret_tok, size_public_tok;
unsigned char *cell;
struct ClearToken ct;
unsigned char *r = t;
struct timeval tv;
char buf1[20], buf2[20];
if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) {
if(errno == EDOM)
break;
continue;
}
if(parms.out_size > sizeof(t))
continue;
if(parms.out_size < sizeof(size_secret_tok))
continue;
t[min(parms.out_size,sizeof(t)-1)] = 0;
memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
/* dont bother about the secret token */
r += size_secret_tok + sizeof(size_secret_tok);
if (parms.out_size < (r - t) + sizeof(size_public_tok))
continue;
memcpy(&size_public_tok, r, sizeof(size_public_tok));
r += sizeof(size_public_tok);
if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t))
continue;
memcpy(&ct, r, size_public_tok);
r += size_public_tok;
/* there is a int32_t with length of cellname, but we dont read it */
r += sizeof(int32_t);
cell = r;
gettimeofday (&tv, NULL);
strlcpy (buf1, printable_time(ct.BeginTimestamp),
sizeof(buf1));
if (do_verbose || tv.tv_sec < ct.EndTimestamp)
strlcpy (buf2, printable_time(ct.EndTimestamp),
sizeof(buf2));
else
strlcpy (buf2, ">>> Expired <<<", sizeof(buf2));
printf("%s %s ", buf1, buf2);
if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell);
else
printf("Tokens for %s", cell);
if (do_verbose)
printf(" (%d)", ct.AuthHandle);
putchar('\n');
}
}
/*
* display the ccache in `cred_cache'
*/
static int
display_v5_ccache (const char *cred_cache, int do_test, int do_verbose,
int do_flags)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
int exit_status = 0;
ret = krb5_init_context (&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
if(cred_cache) {
ret = krb5_cc_resolve(context, cred_cache, &ccache);
if (ret)
krb5_err (context, 1, ret, "%s", cred_cache);
} else {
ret = krb5_cc_default (context, &ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
}
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
if(ret == ENOENT) {
if (!do_test)
krb5_warnx(context, "No ticket file: %s",
krb5_cc_get_name(context, ccache));
return 1;
} else
krb5_err (context, 1, ret, "krb5_cc_get_principal");
}
if (do_test)
exit_status = check_for_tgt (context, ccache, principal);
else
print_tickets (context, ccache, principal, do_verbose, do_flags);
ret = krb5_cc_close (context, ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_close");
krb5_free_principal (context, principal);
krb5_free_context (context);
return exit_status;
}
static int version_flag = 0;
static int help_flag = 0;
static int do_verbose = 0;
static int do_test = 0;
#ifdef KRB4
static int do_v4 = 1;
#endif
static int do_tokens = 0;
static int do_v5 = 1;
static char *cred_cache;
static int do_flags = 0;
static struct getargs args[] = {
{ NULL, 'f', arg_flag, &do_flags },
{ "cache", 'c', arg_string, &cred_cache,
"credentials cache to list", "cache" },
{ "test", 't', arg_flag, &do_test,
"test for having tickets", NULL },
{ NULL, 's', arg_flag, &do_test },
#ifdef KRB4
{ "v4", '4', arg_flag, &do_v4,
"display v4 tickets", NULL },
#endif
{ "tokens", 'T', arg_flag, &do_tokens,
"display AFS tokens", NULL },
{ "v5", '5', arg_flag, &do_v5,
"display v5 cred cache", NULL},
{ "verbose", 'v', arg_flag, &do_verbose,
"verbose output", NULL },
{ NULL, 'a', arg_flag, &do_verbose },
{ NULL, 'n', arg_flag, &do_verbose },
{ "version", 0, arg_flag, &version_flag,
"print version", NULL },
{ "help", 0, arg_flag, &help_flag,
NULL, NULL}
};
static void
usage (int ret)
{
arg_printusage (args,
sizeof(args)/sizeof(*args),
NULL,
"");
exit (ret);
}
int
main (int argc, char **argv)
{
int optind = 0;
int exit_status = 0;
setprogname (argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 0)
usage (1);
if (do_v5)
exit_status = display_v5_ccache (cred_cache, do_test,
do_verbose, do_flags);
if (!do_test) {
#ifdef KRB4
if (do_v4) {
if (do_v5)
printf ("\n");
display_v4_tickets (do_verbose);
}
#endif
if (do_tokens && k_hasafs ()) {
if (do_v5)
printf ("\n");
#ifdef KRB4
else if (do_v4)
printf ("\n");
#endif
display_tokens (do_verbose);
}
}
return exit_status;
}