1
/*
2
 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 *
12
 * 1. Redistributions of source code must retain the above copyright
13
 *    notice, this list of conditions and the following disclaimer.
14
 *
15
 * 2. Redistributions in binary form must reproduce the above copyright
16
 *    notice, this list of conditions and the following disclaimer in the
17
 *    documentation and/or other materials provided with the distribution.
18
 *
19
 * 3. Neither the name of the Institute nor the names of its contributors
20
 *    may be used to endorse or promote products derived from this software
21
 *    without specific prior written permission.
22
 *
23
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33
 * SUCH DAMAGE.
34
 */
35

36
#include "kuser_locl.h"
37
#include "rtbl.h"
38
#include "parse_units.h"
39
#include "kcc-commands.h"
40

41
static char*
42
printable_time_internal(time_t t, int x)
43
{
44
    static char s[128];
45
    char *p;
46

47
    if ((p = ctime(&t)) == NULL)
48
	strlcpy(s, "?", sizeof(s));
49
    else
50
	strlcpy(s, p + 4, sizeof(s));
51
    s[x] = 0;
52
    return s;
53
}
54

55
static char*
56
printable_time(time_t t)
57
{
58
    return printable_time_internal(t, 20);
59
}
60

61
static char*
62
printable_time_long(time_t t)
63
{
64
    return printable_time_internal(t, 20);
65
}
66

67
#define COL_ISSUED		NP_("  Issued","")
68
#define COL_EXPIRES		NP_("  Expires", "")
69
#define COL_FLAGS		NP_("Flags", "")
70
#define COL_NAME		NP_("  Name", "")
71
#define COL_PRINCIPAL		NP_("  Principal", "in klist output")
72
#define COL_PRINCIPAL_KVNO	NP_("  Principal (kvno)", "in klist output")
73
#define COL_CACHENAME		NP_("  Cache name", "name in klist output")
74
#define COL_DEFCACHE		NP_("", "")
75

76
static void
77
print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
78
{
79
    char *str;
80
    krb5_error_code ret;
81
    krb5_timestamp sec;
82

83
    krb5_timeofday (context, &sec);
84

85

86
    if(cred->times.starttime)
87
	rtbl_add_column_entry(ct, COL_ISSUED,
88
			      printable_time(cred->times.starttime));
89
    else
90
	rtbl_add_column_entry(ct, COL_ISSUED,
91
			      printable_time(cred->times.authtime));
92

93
    if(cred->times.endtime > sec)
94
	rtbl_add_column_entry(ct, COL_EXPIRES,
95
			      printable_time(cred->times.endtime));
96
    else
97
	rtbl_add_column_entry(ct, COL_EXPIRES, N_(">>>Expired<<<", ""));
98
    ret = krb5_unparse_name (context, cred->server, &str);
99
    if (ret)
100
	krb5_err(context, 1, ret, "krb5_unparse_name");
101
    rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
102
    if(do_flags) {
103
	char s[16], *sp = s;
104
	if(cred->flags.b.forwardable)
105
	    *sp++ = 'F';
106
	if(cred->flags.b.forwarded)
107
	    *sp++ = 'f';
108
	if(cred->flags.b.proxiable)
109
	    *sp++ = 'P';
110
	if(cred->flags.b.proxy)
111
	    *sp++ = 'p';
112
	if(cred->flags.b.may_postdate)
113
	    *sp++ = 'D';
114
	if(cred->flags.b.postdated)
115
	    *sp++ = 'd';
116
	if(cred->flags.b.renewable)
117
	    *sp++ = 'R';
118
	if(cred->flags.b.initial)
119
	    *sp++ = 'I';
120
	if(cred->flags.b.invalid)
121
	    *sp++ = 'i';
122
	if(cred->flags.b.pre_authent)
123
	    *sp++ = 'A';
124
	if(cred->flags.b.hw_authent)
125
	    *sp++ = 'H';
126
	*sp = '\0';
127
	rtbl_add_column_entry(ct, COL_FLAGS, s);
128
    }
129
    free(str);
130
}
131

132
static void
133
print_cred_verbose(krb5_context context, krb5_creds *cred)
134
{
135
    size_t j;
136
    char *str;
137
    krb5_error_code ret;
138
    krb5_timestamp sec;
139

140
    krb5_timeofday (context, &sec);
141

142
    ret = krb5_unparse_name(context, cred->server, &str);
143
    if(ret)
144
	exit(1);
145
    printf(N_("Server: %s\n", ""), str);
146
    free (str);
147

148
    ret = krb5_unparse_name(context, cred->client, &str);
149
    if(ret)
150
	exit(1);
151
    printf(N_("Client: %s\n", ""), str);
152
    free (str);
153

154
    {
155
	Ticket t;
156
	size_t len;
157
	char *s;
158

159
	decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
160
	ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
161
	printf(N_("Ticket etype: ", ""));
162
	if (ret == 0) {
163
	    printf("%s", s);
164
	    free(s);
165
	} else {
166
	    printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
167
	}
168
	if(t.enc_part.kvno)
169
	    printf(N_(", kvno %d", ""), *t.enc_part.kvno);
170
	printf("\n");
171
	if(cred->session.keytype != t.enc_part.etype) {
172
	    ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
173
	    if(ret)
174
		krb5_warn(context, ret, "session keytype");
175
	    else {
176
		printf(N_("Session key: %s\n", "enctype"), str);
177
		free(str);
178
	    }
179
	}
180
	free_Ticket(&t);
181
	printf(N_("Ticket length: %lu\n", ""),
182
	       (unsigned long)cred->ticket.length);
183
    }
184
    printf(N_("Auth time:  %s\n", ""),
185
	   printable_time_long(cred->times.authtime));
186
    if(cred->times.authtime != cred->times.starttime)
187
	printf(N_("Start time: %s\n", ""),
188
	       printable_time_long(cred->times.starttime));
189
    printf(N_("End time:   %s", ""),
190
	   printable_time_long(cred->times.endtime));
191
    if(sec > cred->times.endtime)
192
	printf(N_(" (expired)", ""));
193
    printf("\n");
194
    if(cred->flags.b.renewable)
195
	printf(N_("Renew till: %s\n", ""),
196
	       printable_time_long(cred->times.renew_till));
197
    {
198
	char flags[1024];
199
	unparse_flags(TicketFlags2int(cred->flags.b),
200
		      asn1_TicketFlags_units(),
201
		      flags, sizeof(flags));
202
	printf(N_("Ticket flags: %s\n", ""), flags);
203
    }
204
    printf(N_("Addresses: ", ""));
205
    if (cred->addresses.len != 0) {
206
	for(j = 0; j < cred->addresses.len; j++){
207
	    char buf[128];
208
	    size_t len;
209
	    if(j) printf(", ");
210
	    ret = krb5_print_address(&cred->addresses.val[j],
211
				     buf, sizeof(buf), &len);
212

213
	    if(ret == 0)
214
		printf("%s", buf);
215
	}
216
    } else {
217
	printf(N_("addressless", ""));
218
    }
219
    printf("\n\n");
220
}
221

222
/*
223
 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
224
 */
225

226
static void
227
print_tickets (krb5_context context,
228
	       krb5_ccache ccache,
229
	       krb5_principal principal,
230
	       int do_verbose,
231
	       int do_flags,
232
	       int do_hidden)
233
{
234
    krb5_error_code ret;
235
    char *str, *name;
236
    krb5_cc_cursor cursor;
237
    krb5_creds creds;
238
    krb5_deltat sec;
239

240
    rtbl_t ct = NULL;
241

242
    ret = krb5_unparse_name (context, principal, &str);
243
    if (ret)
244
	krb5_err (context, 1, ret, "krb5_unparse_name");
245

246
    printf ("%17s: %s:%s\n",
247
	    N_("Credentials cache", ""),
248
	    krb5_cc_get_type(context, ccache),
249
	    krb5_cc_get_name(context, ccache));
250
    printf ("%17s: %s\n", N_("Principal", ""), str);
251

252
    ret = krb5_cc_get_friendly_name(context, ccache, &name);
253
    if (ret == 0) {
254
	if (strcmp(name, str) != 0)
255
	    printf ("%17s: %s\n", N_("Friendly name", ""), name);
256
	free(name);
257
    }
258
    free (str);
259

260
    if(do_verbose) {
261
	printf ("%17s: %d\n", N_("Cache version", ""),
262
		krb5_cc_get_version(context, ccache));
263
    } else {
264
        krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
265
    }
266

267
    ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
268

269
    if (ret == 0 && do_verbose && sec != 0) {
270
	char buf[BUFSIZ];
271
	int val;
272
	int sig;
273

274
	val = sec;
275
	sig = 1;
276
	if (val < 0) {
277
	    sig = -1;
278
	    val = -val;
279
	}
280

281
	unparse_time (val, buf, sizeof(buf));
282

283
	printf ("%17s: %s%s\n", N_("KDC time offset", ""),
284
		sig == -1 ? "-" : "", buf);
285
    }
286

287
    printf("\n");
288

289
    ret = krb5_cc_start_seq_get (context, ccache, &cursor);
290
    if (ret)
291
	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
292

293
    if(!do_verbose) {
294
	ct = rtbl_create();
295
	rtbl_add_column(ct, COL_ISSUED, 0);
296
	rtbl_add_column(ct, COL_EXPIRES, 0);
297
	if(do_flags)
298
	    rtbl_add_column(ct, COL_FLAGS, 0);
299
	rtbl_add_column(ct, COL_PRINCIPAL, 0);
300
	rtbl_set_separator(ct, "  ");
301
    }
302
    while ((ret = krb5_cc_next_cred (context,
303
				     ccache,
304
				     &cursor,
305
				     &creds)) == 0) {
306
	if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
307
	    ;
308
	}else if(do_verbose){
309
	    print_cred_verbose(context, &creds);
310
	}else{
311
	    print_cred(context, &creds, ct, do_flags);
312
	}
313
	krb5_free_cred_contents (context, &creds);
314
    }
315
    if(ret != KRB5_CC_END)
316
	krb5_err(context, 1, ret, "krb5_cc_get_next");
317
    ret = krb5_cc_end_seq_get (context, ccache, &cursor);
318
    if (ret)
319
	krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
320
    if(!do_verbose) {
321
	rtbl_format(ct, stdout);
322
	rtbl_destroy(ct);
323
    }
324
}
325

326
/*
327
 * Check if there's a tgt for the realm of `principal' and ccache and
328
 * if so return 0, else 1
329
 */
330

331
static int
332
check_for_tgt (krb5_context context,
333
	       krb5_ccache ccache,
334
	       krb5_principal principal,
335
	       time_t *expiration)
336
{
337
    krb5_error_code ret;
338
    krb5_creds pattern;
339
    krb5_creds creds;
340
    krb5_const_realm client_realm;
341
    int expired;
342

343
    krb5_cc_clear_mcred(&pattern);
344

345
    client_realm = krb5_principal_get_realm(context, principal);
346

347
    ret = krb5_make_principal (context, &pattern.server,
348
			       client_realm, KRB5_TGS_NAME, client_realm, NULL);
349
    if (ret)
350
	krb5_err (context, 1, ret, "krb5_make_principal");
351
    pattern.client = principal;
352

353
    ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
354
    krb5_free_principal (context, pattern.server);
355
    if (ret) {
356
	if (ret == KRB5_CC_END)
357
	    return 1;
358
	krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
359
    }
360

361
    expired = time(NULL) > creds.times.endtime;
362

363
    if (expiration)
364
	*expiration = creds.times.endtime;
365

366
    krb5_free_cred_contents (context, &creds);
367

368
    return expired;
369
}
370

371
/*
372
 * Print a list of all AFS tokens
373
 */
374

375
#ifndef NO_AFS
376

377
static void
378
display_tokens(int do_verbose)
379
{
380
    uint32_t i;
381
    unsigned char t[4096];
382
    struct ViceIoctl parms;
383

384
    parms.in = (void *)&i;
385
    parms.in_size = sizeof(i);
386
    parms.out = (void *)t;
387
    parms.out_size = sizeof(t);
388

389
    for (i = 0;; i++) {
390
        int32_t size_secret_tok, size_public_tok;
391
        unsigned char *cell;
392
	struct ClearToken ct;
393
	unsigned char *r = t;
394
	struct timeval tv;
395
	char buf1[20], buf2[20];
396

397
	if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) {
398
	    if(errno == EDOM)
399
		break;
400
	    continue;
401
	}
402
	if(parms.out_size > sizeof(t))
403
	    continue;
404
	if(parms.out_size < sizeof(size_secret_tok))
405
	    continue;
406
	t[min(parms.out_size,sizeof(t)-1)] = 0;
407
	memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
408
	/* dont bother about the secret token */
409
	r += size_secret_tok + sizeof(size_secret_tok);
410
	if (parms.out_size < (r - t) + sizeof(size_public_tok))
411
	    continue;
412
	memcpy(&size_public_tok, r, sizeof(size_public_tok));
413
	r += sizeof(size_public_tok);
414
	if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t))
415
	    continue;
416
	memcpy(&ct, r, size_public_tok);
417
	r += size_public_tok;
418
	/* there is a int32_t with length of cellname, but we dont read it */
419
	r += sizeof(int32_t);
420
	cell = r;
421

422
	gettimeofday (&tv, NULL);
423
	strlcpy (buf1, printable_time(ct.BeginTimestamp),
424
		 sizeof(buf1));
425
	if (do_verbose || tv.tv_sec < ct.EndTimestamp)
426
	    strlcpy (buf2, printable_time(ct.EndTimestamp),
427
		     sizeof(buf2));
428
	else
429
	    strlcpy (buf2, N_(">>> Expired <<<", ""), sizeof(buf2));
430

431
	printf("%s  %s  ", buf1, buf2);
432

433
	if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
434
	    printf(N_("User's (AFS ID %d) tokens for %s", ""), ct.ViceId, cell);
435
	else
436
	    printf(N_("Tokens for %s", ""), cell);
437
	if (do_verbose)
438
	    printf(" (%d)", ct.AuthHandle);
439
	putchar('\n');
440
    }
441
}
442
#endif
443

444
/*
445
 * display the ccache in `cred_cache'
446
 */
447

448
static int
449
display_v5_ccache (krb5_context context, krb5_ccache ccache,
450
		   int do_test, int do_verbose,
451
		   int do_flags, int do_hidden)
452
{
453
    krb5_error_code ret;
454
    krb5_principal principal;
455
    int exit_status = 0;
456

457

458
    ret = krb5_cc_get_principal (context, ccache, &principal);
459
    if (ret) {
460
	if(ret == ENOENT) {
461
	    if (!do_test)
462
		krb5_warnx(context, N_("No ticket file: %s", ""),
463
			   krb5_cc_get_name(context, ccache));
464
	    return 1;
465
	} else
466
	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
467
    }
468
    if (do_test)
469
	exit_status = check_for_tgt (context, ccache, principal, NULL);
470
    else
471
	print_tickets (context, ccache, principal, do_verbose,
472
		       do_flags, do_hidden);
473

474
    ret = krb5_cc_close (context, ccache);
475
    if (ret)
476
	krb5_err (context, 1, ret, "krb5_cc_close");
477

478
    krb5_free_principal (context, principal);
479

480
    return exit_status;
481
}
482

483
/*
484
 *
485
 */
486

487
static int
488
list_caches(krb5_context context)
489
{
490
    krb5_cc_cache_cursor cursor;
491
    const char *cdef_name;
492
    char *def_name;
493
    krb5_error_code ret;
494
    krb5_ccache id;
495
    rtbl_t ct;
496

497
    cdef_name = krb5_cc_default_name(context);
498
    if (cdef_name == NULL)
499
	krb5_errx(context, 1, "krb5_cc_default_name");
500
    def_name = strdup(cdef_name);
501

502
    ret = krb5_cc_cache_get_first (context, NULL, &cursor);
503
    if (ret == KRB5_CC_NOSUPP)
504
	return 0;
505
    else if (ret)
506
	krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
507

508
    ct = rtbl_create();
509
    rtbl_add_column(ct, COL_NAME, 0);
510
    rtbl_add_column(ct, COL_CACHENAME, 0);
511
    rtbl_add_column(ct, COL_EXPIRES, 0);
512
    rtbl_add_column(ct, COL_DEFCACHE, 0);
513
    rtbl_set_prefix(ct, "   ");
514
    rtbl_set_column_prefix(ct, COL_NAME, "");
515

516
    while (krb5_cc_cache_next (context, cursor, &id) == 0) {
517
	krb5_principal principal = NULL;
518
	int expired = 0;
519
	char *name;
520
	time_t t;
521

522
	ret = krb5_cc_get_principal(context, id, &principal);
523
	if (ret)
524
	    continue;
525

526
	expired = check_for_tgt (context, id, principal, &t);
527

528
	ret = krb5_cc_get_friendly_name(context, id, &name);
529
	if (ret == 0) {
530
	    const char *str;
531
	    char *fname;
532
	    rtbl_add_column_entry(ct, COL_NAME, name);
533
	    rtbl_add_column_entry(ct, COL_CACHENAME,
534
				  krb5_cc_get_name(context, id));
535
	    if (expired)
536
		str = N_(">>> Expired <<<", "");
537
	    else
538
		str = printable_time(t);
539
	    rtbl_add_column_entry(ct, COL_EXPIRES, str);
540
	    free(name);
541

542
	    ret = krb5_cc_get_full_name(context, id, &fname);
543
	    if (ret)
544
		krb5_err (context, 1, ret, "krb5_cc_get_full_name");
545

546
	    if (strcmp(fname, def_name) == 0)
547
		rtbl_add_column_entry(ct, COL_DEFCACHE, "*");
548
	    else
549
		rtbl_add_column_entry(ct, COL_DEFCACHE, "");
550

551
	    krb5_xfree(fname);
552
	}
553
	krb5_cc_close(context, id);
554

555
	krb5_free_principal(context, principal);
556
    }
557

558
    krb5_cc_cache_end_seq_get(context, cursor);
559

560
    free(def_name);
561
    rtbl_format(ct, stdout);
562
    rtbl_destroy(ct);
563

564
    return 0;
565
}
566

567
/*
568
 *
569
 */
570

571
int
572
klist(struct klist_options *opt, int argc, char **argv)
573
{
574
    krb5_error_code ret;
575
    int exit_status = 0;
576

577
    int do_verbose =
578
	opt->verbose_flag ||
579
	opt->a_flag ||
580
	opt->n_flag;
581
    int do_test =
582
	opt->test_flag ||
583
	opt->s_flag;
584

585
    if (opt->list_all_flag) {
586
	exit_status = list_caches(kcc_context);
587
	return exit_status;
588
    }
589

590
    if (opt->v5_flag) {
591
	krb5_ccache id;
592

593
	if (opt->all_content_flag) {
594
	    krb5_cc_cache_cursor cursor;
595

596
	    ret = krb5_cc_cache_get_first(kcc_context, NULL, &cursor);
597
	    if (ret)
598
		krb5_err(kcc_context, 1, ret, "krb5_cc_cache_get_first");
599

600

601
	    while (krb5_cc_cache_next(kcc_context, cursor, &id) == 0) {
602
		exit_status |= display_v5_ccache(kcc_context, id, do_test,
603
						 do_verbose, opt->flags_flag,
604
						 opt->hidden_flag);
605
		printf("\n\n");
606
	    }
607
	    krb5_cc_cache_end_seq_get(kcc_context, cursor);
608

609
	} else {
610
	    if(opt->cache_string) {
611
		ret = krb5_cc_resolve(kcc_context, opt->cache_string, &id);
612
		if (ret)
613
		    krb5_err(kcc_context, 1, ret, "%s", opt->cache_string);
614
	    } else {
615
		ret = krb5_cc_default(kcc_context, &id);
616
		if (ret)
617
		    krb5_err(kcc_context, 1, ret, "krb5_cc_resolve");
618
	    }
619
	    exit_status = display_v5_ccache(kcc_context, id, do_test,
620
					    do_verbose, opt->flags_flag,
621
					    opt->hidden_flag);
622
	}
623
    }
624

625
    if (!do_test) {
626
#ifndef NO_AFS
627
	if (opt->tokens_flag && k_hasafs()) {
628
	    if (opt->v5_flag)
629
		printf("\n");
630
	    display_tokens(opt->verbose_flag);
631
	}
632
#endif
633
    }
634

635
    return exit_status;
636
}
637

638