search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
krb5: rfc3526-MODP-group14 incorrect bit size
[heimdal.git] / kuser / klist.c
blobb33c3c28a7aa33ec0623b0ca9ef787e218a2278a
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37 #include "parse_units.h"
38 #include "heimtools-commands.h"
39 #undef HC_DEPRECATED_CRYPTO
40
41 static char*
42 printable_time_internal(time_t t, int x)
43 {
44 static char s[128];
45 char *p;
46
47 if ((p = ctime(&t)) == NULL)
48 strlcpy(s, "?", sizeof(s));
49 else
50 strlcpy(s, p + 4, sizeof(s));
51 s[x] = 0;
52 return s;
53 }
54
55 static char*
56 printable_time(time_t t)
57 {
58 return printable_time_internal(t, 20);
59 }
60
61 static char*
62 printable_time_long(time_t t)
63 {
64 return printable_time_internal(t, 20);
65 }
66
67 #define COL_ISSUED NP_(" Issued","")
68 #define COL_EXPIRES NP_(" Expires", "")
69 #define COL_FLAGS NP_("Flags", "")
70 #define COL_NAME NP_(" Name", "")
71 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
72 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
73 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
74 #define COL_DEFCACHE NP_("", "")
75
76 static void
77 print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
78 {
79 char *str;
80 krb5_error_code ret;
81 krb5_timestamp sec;
82
83 krb5_timeofday (context, &sec);
84
85
86 if(cred->times.starttime)
87 rtbl_add_column_entry(ct, COL_ISSUED,
88 printable_time(cred->times.starttime));
89 else
90 rtbl_add_column_entry(ct, COL_ISSUED,
91 printable_time(cred->times.authtime));
92
93 if(cred->times.endtime > sec)
94 rtbl_add_column_entry(ct, COL_EXPIRES,
95 printable_time(cred->times.endtime));
96 else
97 rtbl_add_column_entry(ct, COL_EXPIRES, N_(">>>Expired<<<", ""));
98 ret = krb5_unparse_name (context, cred->server, &str);
99 if (ret)
100 krb5_err(context, 1, ret, "krb5_unparse_name");
101 rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
102 if(do_flags) {
103 char s[16], *sp = s;
104 if(cred->flags.b.forwardable)
105 *sp++ = 'F';
106 if(cred->flags.b.forwarded)
107 *sp++ = 'f';
108 if(cred->flags.b.proxiable)
109 *sp++ = 'P';
110 if(cred->flags.b.proxy)
111 *sp++ = 'p';
112 if(cred->flags.b.may_postdate)
113 *sp++ = 'D';
114 if(cred->flags.b.postdated)
115 *sp++ = 'd';
116 if(cred->flags.b.renewable)
117 *sp++ = 'R';
118 if(cred->flags.b.initial)
119 *sp++ = 'I';
120 if(cred->flags.b.invalid)
121 *sp++ = 'i';
122 if(cred->flags.b.pre_authent)
123 *sp++ = 'A';
124 if(cred->flags.b.hw_authent)
125 *sp++ = 'H';
126 if(cred->flags.b.transited_policy_checked)
127 *sp++ = 'T';
128 if(cred->flags.b.ok_as_delegate)
129 *sp++ = 'O';
130 if(cred->flags.b.anonymous)
131 *sp++ = 'a';
132 *sp = '\0';
133 rtbl_add_column_entry(ct, COL_FLAGS, s);
134 }
135 free(str);
136 }
137
138 static void
139 print_cred_verbose(krb5_context context, krb5_creds *cred, int do_json)
140 {
141 size_t j;
142 char *str;
143 krb5_error_code ret;
144 krb5_timestamp sec;
145
146 if (do_json) { /* XXX support more json formating later */
147 printf("{ \"verbose-supported\" : false }");
148 return;
149 }
150
151 krb5_timeofday (context, &sec);
152
153 ret = krb5_unparse_name(context, cred->server, &str);
154 if(ret)
155 exit(1);
156 printf(N_("Server: %s\n", ""), str);
157 free (str);
158
159 ret = krb5_unparse_name(context, cred->client, &str);
160 if(ret)
161 exit(1);
162 printf(N_("Client: %s\n", ""), str);
163 free (str);
164
165 if (krb5_is_config_principal(context, cred->server)) {
166 if (krb5_principal_get_num_comp(context, cred->server) > 1) {
167 const char *s;
168
169 /* If the payload is text and not secret/sensitive, print it */
170 s = krb5_principal_get_comp_string(context, cred->server, 1);
171 if (strcmp(s, "start_realm") == 0 ||
172 strcmp(s, "anon_pkinit_realm") == 0 ||
173 strcmp(s, "default-ntlm-domain") == 0 ||
174 strcmp(s, "FriendlyName") == 0 ||
175 strcmp(s, "fast_avail") == 0 ||
176 strcmp(s, "kx509store") == 0 ||
177 strcmp(s, "kx509_service_realm") == 0 ||
178 strcmp(s, "kx509_service_status") == 0)
179 printf(N_("Configuration item payload: %.*s\n", ""),
180 (int)cred->ticket.length,
181 (const char *)cred->ticket.data);
182 else
183 printf(N_("Configuration item payload length: %lu\n", ""),
184 (unsigned long)cred->ticket.length);
185 } /* else... this is a meaningless entry; nothing would create it */
186 } else {
187 Ticket t;
188 size_t len;
189 char *s;
190
191 decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
192 ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
193 printf(N_("Ticket etype: ", ""));
194 if (ret == 0) {
195 printf("%s", s);
196 free(s);
197 } else {
198 printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
199 }
200 if(t.enc_part.kvno)
201 printf(N_(", kvno %d", ""), *t.enc_part.kvno);
202 printf("\n");
203 if(cred->session.keytype != t.enc_part.etype) {
204 ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
205 if(ret)
206 krb5_warn(context, ret, "session keytype");
207 else {
208 printf(N_("Session key: %s\n", "enctype"), str);
209 free(str);
210 }
211 }
212 free_Ticket(&t);
213 printf(N_("Ticket length: %lu\n", ""),
214 (unsigned long)cred->ticket.length);
215 printf(N_("Auth time: %s\n", ""),
216 printable_time_long(cred->times.authtime));
217 if(cred->times.authtime != cred->times.starttime)
218 printf(N_("Start time: %s\n", ""),
219 printable_time_long(cred->times.starttime));
220 printf(N_("End time: %s", ""),
221 printable_time_long(cred->times.endtime));
222 if(sec > cred->times.endtime)
223 printf(N_(" (expired)", ""));
224 printf("\n");
225 if(cred->flags.b.renewable)
226 printf(N_("Renew till: %s\n", ""),
227 printable_time_long(cred->times.renew_till));
228 {
229 char flags[1024];
230 int result = unparse_flags(TicketFlags2int(cred->flags.b),
231 asn1_TicketFlags_units(),
232 flags, sizeof(flags));
233 if (result > 0) {
234 printf(N_("Ticket flags: %s\n", ""), flags);
235 }
236 }
237 printf(N_("Addresses: ", ""));
238 if (cred->addresses.len != 0) {
239 for(j = 0; j < cred->addresses.len; j++){
240 char buf[128];
241 if(j) printf(", ");
242 ret = krb5_print_address(&cred->addresses.val[j],
243 buf, sizeof(buf), &len);
244
245 if(ret == 0)
246 printf("%s", buf);
247 }
248 } else {
249 printf(N_("addressless", ""));
250 }
251 }
252 printf("\n\n");
253 }
254
255 /*
256 * Print all tickets in `ccache' on stdout, verbosely if do_verbose.
257 */
258
259 static void
260 print_tickets(krb5_context context,
261 krb5_ccache ccache,
262 krb5_principal principal,
263 int do_verbose,
264 int do_flags,
265 int do_hidden,
266 int do_json)
267 {
268 char *str, *name, *fullname;
269 krb5_error_code ret;
270 krb5_cc_cursor cursor;
271 krb5_creds creds;
272 krb5_deltat sec;
273 rtbl_t ct = NULL;
274 int print_comma = 0;
275
276 ret = krb5_unparse_name (context, principal, &str);
277 if (ret)
278 krb5_err (context, 1, ret, "krb5_unparse_name");
279
280 ret = krb5_cc_get_full_name(context, ccache, &fullname);
281 if (ret)
282 krb5_err (context, 1, ret, "krb5_cc_get_full_name");
283
284 if (!do_json) {
285 printf ("%17s: %s\n", N_("Credentials cache", ""), fullname);
286 printf ("%17s: %s\n", N_("Principal", ""), str);
287
288 ret = krb5_cc_get_friendly_name(context, ccache, &name);
289 if (ret == 0) {
290 if (strcmp(name, str) != 0)
291 printf ("%17s: %s\n", N_("Friendly name", ""), name);
292 free(name);
293 }
294
295 if(do_verbose) {
296 printf ("%17s: %d\n", N_("Cache version", ""),
297 krb5_cc_get_version(context, ccache));
298 } else {
299 krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
300 }
301
302 ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
303
304 if (ret == 0 && do_verbose && sec != 0) {
305 char buf[BUFSIZ];
306 int val;
307 int sig;
308
309 val = (int)sec;
310 sig = 1;
311 if (val < 0) {
312 sig = -1;
313 val = -val;
314 }
315
316 unparse_time (val, buf, sizeof(buf));
317
318 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
319 sig == -1 ? "-" : "", buf);
320 }
321 printf("\n");
322 } else {
323 printf ("{ \"cache\" : \"%s\", \"principal\" : \"%s\", ", fullname, str);
324 }
325 free(str);
326
327 ret = krb5_cc_start_seq_get (context, ccache, &cursor);
328 if (ret)
329 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
330
331 if(!do_verbose) {
332 ct = rtbl_create();
333 rtbl_add_column(ct, COL_ISSUED, 0);
334 rtbl_add_column(ct, COL_EXPIRES, 0);
335 if(do_flags)
336 rtbl_add_column(ct, COL_FLAGS, 0);
337 rtbl_add_column(ct, COL_PRINCIPAL, 0);
338 rtbl_set_separator(ct, " ");
339 if (do_json) {
340 rtbl_set_flags(ct, RTBL_JSON);
341 printf("\"tickets\" : ");
342 }
343 }
344 if (do_verbose && do_json)
345 printf("\"tickets\" : [");
346 while ((ret = krb5_cc_next_cred(context, ccache, &cursor, &creds)) == 0) {
347 if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
348 ;
349 } else if (do_verbose) {
350 if (do_json && print_comma)
351 printf(",");
352 print_cred_verbose(context, &creds, do_json);
353 print_comma = 1;
354 } else {
355 print_cred(context, &creds, ct, do_flags);
356 }
357 krb5_free_cred_contents(context, &creds);
358 }
359 if (ret != KRB5_CC_END)
360 krb5_err(context, 1, ret, "krb5_cc_get_next");
361 ret = krb5_cc_end_seq_get (context, ccache, &cursor);
362 if (ret)
363 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
364
365 if(!do_verbose) {
366 rtbl_format(ct, stdout);
367 rtbl_destroy(ct);
368 }
369 if (do_json) {
370 if (do_verbose)
371 printf("]");
372 printf("}");
373 }
374 free(fullname);
375 }
376
377 /*
378 * Check if there's a tgt for the realm of `principal' and ccache and
379 * if so return 0, else 1
380 */
381
382 static int
383 check_expiration(krb5_context context,
384 krb5_ccache ccache,
385 time_t *expiration)
386 {
387 krb5_error_code ret;
388 time_t t;
389
390 ret = krb5_cc_get_lifetime(context, ccache, &t);
391 if (ret || t == 0)
392 return 1;
393
394 if (expiration)
395 *expiration = time(NULL) + t;
396
397 return 0;
398 }
399
400 /*
401 * Print a list of all AFS tokens
402 */
403
404 #ifndef NO_AFS
405
406 static void
407 display_tokens(int do_verbose)
408 {
409 uint32_t i;
410 unsigned char t[4096];
411 struct ViceIoctl parms;
412
413 parms.in = (void *)&i;
414 parms.in_size = sizeof(i);
415 parms.out = (void *)t;
416 parms.out_size = sizeof(t);
417
418 for (i = 0;; i++) {
419 int32_t size_secret_tok, size_public_tok;
420 unsigned char *cell;
421 struct ClearToken ct;
422 unsigned char *r = t;
423 struct timeval tv;
424 char buf1[20], buf2[20];
425
426 if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) {
427 if(errno == EDOM)
428 break;
429 continue;
430 }
431 if(parms.out_size > sizeof(t))
432 continue;
433 if(parms.out_size < sizeof(size_secret_tok))
434 continue;
435 t[min(parms.out_size,sizeof(t)-1)] = 0;
436 memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
437 /* don't bother about the secret token */
438 r += size_secret_tok + sizeof(size_secret_tok);
439 if (parms.out_size < (r - t) + sizeof(size_public_tok))
440 continue;
441 memcpy(&size_public_tok, r, sizeof(size_public_tok));
442 r += sizeof(size_public_tok);
443 if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t))
444 continue;
445 memcpy(&ct, r, size_public_tok);
446 r += size_public_tok;
447 /* there is a int32_t with length of cellname, but we don't read it */
448 r += sizeof(int32_t);
449 cell = r;
450
451 gettimeofday (&tv, NULL);
452 strlcpy (buf1, printable_time(ct.BeginTimestamp),
453 sizeof(buf1));
454 if (do_verbose || tv.tv_sec < ct.EndTimestamp)
455 strlcpy (buf2, printable_time(ct.EndTimestamp),
456 sizeof(buf2));
457 else
458 strlcpy (buf2, N_(">>> Expired <<<", ""), sizeof(buf2));
459
460 printf("%s %s ", buf1, buf2);
461
462 if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
463 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct.ViceId, cell);
464 else
465 printf(N_("Tokens for %s", ""), cell);
466 if (do_verbose)
467 printf(" (%d)", ct.AuthHandle);
468 putchar('\n');
469 }
470 }
471 #endif
472
473 /*
474 * display the ccache in `cred_cache'
475 */
476
477 static int
478 display_v5_ccache (krb5_context context, krb5_ccache ccache,
479 int do_test, int do_verbose,
480 int do_flags, int do_hidden,
481 int do_json)
482 {
483 krb5_error_code ret;
484 krb5_principal principal;
485 int exit_status = 0;
486
487
488 ret = krb5_cc_get_principal (context, ccache, &principal);
489 if (ret) {
490 if (do_json) {
491 printf("{}");
492 return 0;
493 }
494 if(ret == ENOENT) {
495 if (!do_test)
496 krb5_warnx(context, N_("No ticket file: %s", ""),
497 krb5_cc_get_name(context, ccache));
498 return 1;
499 } else
500 krb5_err (context, 1, ret, "krb5_cc_get_principal");
501 }
502 if (do_test)
503 exit_status = check_expiration(context, ccache, NULL);
504 else
505 print_tickets (context, ccache, principal, do_verbose,
506 do_flags, do_hidden, do_json);
507
508 ret = krb5_cc_close (context, ccache);
509 if (ret)
510 krb5_err (context, 1, ret, "krb5_cc_close");
511
512 krb5_free_principal (context, principal);
513
514 return exit_status;
515 }
516
517 /*
518 *
519 */
520
521 static int
522 list_caches(krb5_context context, struct klist_options *opt)
523 {
524 krb5_cccol_cursor cursor;
525 const char *cdef_name = krb5_cc_default_name(context);
526 char *def_name;
527 krb5_error_code ret;
528 krb5_ccache id;
529 rtbl_t ct;
530
531 if ((def_name = krb5_cccol_get_default_ccname(context)) == NULL)
532 cdef_name = krb5_cc_default_name(context);
533 if (!def_name && cdef_name && (def_name = strdup(cdef_name)) == NULL)
534 krb5_err(context, 1, ENOMEM, "Out of memory");
535
536 ret = krb5_cccol_cursor_new(context, &cursor);
537 if (ret == KRB5_CC_NOSUPP) {
538 free(def_name);
539 return 0;
540 }
541 else if (ret)
542 krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
543
544 ct = rtbl_create();
545 rtbl_add_column(ct, COL_DEFCACHE, 0);
546 rtbl_add_column(ct, COL_NAME, 0);
547 rtbl_add_column(ct, COL_CACHENAME, 0);
548 rtbl_add_column(ct, COL_EXPIRES, 0);
549 rtbl_add_column(ct, COL_DEFCACHE, 0);
550 rtbl_set_prefix(ct, " ");
551 rtbl_set_column_prefix(ct, COL_DEFCACHE, "");
552 rtbl_set_column_prefix(ct, COL_NAME, " ");
553 if (opt->json_flag)
554 rtbl_set_flags(ct, RTBL_JSON);
555
556 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
557 int expired = 0;
558 char *name;
559 time_t t;
560
561 expired = check_expiration(context, id, &t);
562
563 ret = krb5_cc_get_friendly_name(context, id, &name);
564 if (ret == 0) {
565 const char *str;
566 char *fname;
567
568 rtbl_add_column_entry(ct, COL_NAME, name);
569 free(name);
570
571 if (expired)
572 str = N_(">>> Expired <<<", "");
573 else
574 str = printable_time(t);
575 rtbl_add_column_entry(ct, COL_EXPIRES, str);
576
577 ret = krb5_cc_get_full_name(context, id, &fname);
578 if (ret)
579 krb5_err (context, 1, ret, "krb5_cc_get_full_name");
580
581 rtbl_add_column_entry(ct, COL_CACHENAME, fname);
582 if (opt->json_flag)
583 ;
584 else if (def_name && strcmp(fname, def_name) == 0)
585 rtbl_add_column_entry(ct, COL_DEFCACHE, "*");
586 else
587 rtbl_add_column_entry(ct, COL_DEFCACHE, "");
588
589 krb5_xfree(fname);
590 }
591 krb5_cc_close(context, id);
592 }
593
594 krb5_cccol_cursor_free(context, &cursor);
595
596 free(def_name);
597 rtbl_format(ct, stdout);
598 rtbl_destroy(ct);
599
600 if (opt->json_flag)
601 printf("\n");
602
603 return 0;
604 }
605
606 /*
607 *
608 */
609
610 int
611 klist(struct klist_options *opt, int argc, char **argv)
612 {
613 krb5_error_code ret;
614 int exit_status = 0;
615
616 int do_verbose =
617 opt->verbose_flag ||
618 opt->a_flag ||
619 opt->n_flag;
620 int do_test =
621 opt->test_flag ||
622 opt->s_flag;
623
624 if(opt->version_flag) {
625 print_version(NULL);
626 exit(0);
627 }
628
629 if (opt->list_all_flag) {
630 exit_status = list_caches(heimtools_context, opt);
631 return exit_status;
632 }
633
634 if (opt->v5_flag) {
635 krb5_ccache id;
636
637 if (opt->all_content_flag) {
638 krb5_cc_cache_cursor cursor;
639 int first = 1;
640
641 ret = krb5_cc_cache_get_first(heimtools_context, NULL, &cursor);
642 if (ret)
643 krb5_err(heimtools_context, 1, ret, "krb5_cc_cache_get_first");
644
645 if (opt->json_flag)
646 printf("[");
647 while (krb5_cc_cache_next(heimtools_context, cursor, &id) == 0) {
648 if (opt->json_flag && !first)
649 printf(",");
650
651 exit_status |= display_v5_ccache(heimtools_context, id, do_test,
652 do_verbose, opt->flags_flag,
653 opt->hidden_flag,
654 opt->json_flag);
655 if (!opt->json_flag)
656 printf("\n\n");
657
658 first = 0;
659 }
660 krb5_cc_cache_end_seq_get(heimtools_context, cursor);
661 if (opt->json_flag)
662 printf("]");
663 } else {
664 if(opt->cache_string) {
665 ret = krb5_cc_resolve(heimtools_context, opt->cache_string, &id);
666 if (ret)
667 krb5_err(heimtools_context, 1, ret, "%s", opt->cache_string);
668 } else {
669 ret = krb5_cc_default(heimtools_context, &id);
670 if (ret)
671 krb5_err(heimtools_context, 1, ret, "krb5_cc_resolve");
672 }
673 exit_status = display_v5_ccache(heimtools_context, id, do_test,
674 do_verbose, opt->flags_flag,
675 opt->hidden_flag, opt->json_flag);
676 }
677 }
678
679 if (!do_test) {
680 #ifndef NO_AFS
681 if (opt->tokens_flag && k_hasafs()) {
682 if (opt->v5_flag)
683 printf("\n");
684 display_tokens(opt->verbose_flag);
685 }
686 #endif
687 }
688
689 return exit_status;
690 }
Heimdal