/*
* Check if a ccache has any tickets.
*/
static krb5_error_code
cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
{
krb5_error_code code;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_timestamp now = time(0);
*has_tickets = 0;
code = krb5_cc_set_flags(kcontext, ccache, KRB5_TC_NOTICKET);
if (code)
return code;
code = krb5_cc_start_seq_get(kcontext, ccache, &cursor);
if (code)
return code;
while (!*has_tickets) {
code = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds);
if (code)
break;
if (!krb5_is_config_principal(kcontext, creds.server) &&
creds.times.endtime > now)
*has_tickets = 1;
krb5_free_cred_contents(kcontext, &creds);
}
krb5_cc_end_seq_get(kcontext, ccache, &cursor);
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context)
{
krb5_cccol_cursor col_cursor;
krb5_cc_cursor cache_cursor;
krb5_ccache cache;
krb5_creds creds;
krb5_boolean found = FALSE;
if (krb5_cccol_cursor_new(context, &col_cursor))
goto no_entries;
while (!found && !krb5_cccol_cursor_next(context, col_cursor, &cache) &&
cache != NULL) {
if (krb5_cc_start_seq_get(context, cache, &cache_cursor))
continue;
while (!found &&
!krb5_cc_next_cred(context, cache, &cache_cursor, &creds)) {
if (!krb5_is_config_principal(context, creds.server))
found = TRUE;
krb5_free_cred_contents(context, &creds);
}
krb5_cc_end_seq_get(context, cache, &cache_cursor);
krb5_cc_close(context, cache);
}
krb5_cccol_cursor_free(context, &col_cursor);
if (found)
return 0;
no_entries:
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
_("No Kerberos credentials available"));
return KRB5_CC_NOTFOUND;
}
/* Display the contents of cache. */
static int
show_ccache(krb5_ccache cache)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_error_code ret;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) {
com_err(progname, ret, "");
return 1;
}
ret = krb5_unparse_name(context, princ, &defname);
if (ret) {
com_err(progname, ret, _("while unparsing principal name"));
return 1;
}
printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
defname);
/* XXX Translating would disturb table alignment; skip for now. */
fputs("Valid starting", stdout);
fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
fputs("Expires", stdout);
fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
fputs("Service principal\n", stdout);
ret = krb5_cc_start_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while starting to retrieve tickets"));
return 1;
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
show_credential(&creds);
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
krb5_free_unparsed_name(context, defname);
defname = NULL;
if (ret == KRB5_CC_END) {
ret = krb5_cc_end_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while finishing ticket retrieval"));
return 1;
}
return 0;
} else {
com_err(progname, ret, _("while retrieving a ticket"));
return 1;
}
}
bool next() {
bool valid = next_any();
if (include_config_entries_) {
return valid;
}
krb5_context ctx = context_.get();
while (valid &&
krb5_is_config_principal(ctx, creds_.server)) {
valid = next_any();
}
return valid;
}
static void
check_ticket_count(gss_cred_id_t cred, int expected)
{
krb5_error_code ret;
krb5_context context = NULL;
krb5_creds kcred;
krb5_cc_cursor cur;
krb5_ccache ccache;
int count = 0;
gss_key_value_set_desc store;
gss_key_value_element_desc elem;
OM_uint32 major, minor;
const char *ccname = "MEMORY:count";
store.count = 1;
store.elements = &elem;
elem.key = "ccache";
elem.value = ccname;
major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0,
&store, NULL, NULL);
check_gsserr("gss_store_cred_into", major, minor);
ret = krb5_init_context(&context);
check_k5err(context, "krb5_init_context", ret);
ret = krb5_cc_resolve(context, ccname, &ccache);
check_k5err(context, "krb5_cc_resolve", ret);
ret = krb5_cc_start_seq_get(context, ccache, &cur);
check_k5err(context, "krb5_cc_start_seq_get", ret);
while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) {
if (!krb5_is_config_principal(context, kcred.server))
count++;
krb5_free_cred_contents(context, &kcred);
}
ret = krb5_cc_end_seq_get(context, ccache, &cur);
check_k5err(context, "krb5_cc_end_seq_get", ret);
if (expected != count) {
printf("Expected %d tickets but got %d\n", expected, count);
exit(1);
}
krb5_cc_destroy(context, ccache);
krb5_free_context(context);
}
/*
* The default unset code path depends on the underlying ccache implementation
* knowing how to remove a credential, which most types don't actually support,
* so we have to jump through some hoops to ensure that when we set a value for
* a key, it'll be the only value for that key that'll be found later. The
* ccache portions of libkrb5 will currently duplicate some of the actual
* tickets.
*/
static void
unset_config(krb5_context context, krb5_ccache ccache,
krb5_principal server, const char *key)
{
krb5_ccache tmp1, tmp2;
krb5_cc_cursor cursor;
krb5_creds mcreds, creds;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
bail_on_err(context, "Error while deriving configuration principal names",
k5_build_conf_principals(context, ccache, server, key,
&mcreds));
bail_on_err(context, "Error resolving first in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
bail_on_err(context, "Error initializing first in-memory ccache",
krb5_cc_initialize(context, tmp1, mcreds.client));
bail_on_err(context, "Error resolving second in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
bail_on_err(context, "Error initializing second in-memory ccache",
krb5_cc_initialize(context, tmp2, mcreds.client));
bail_on_err(context, "Error copying credentials to first in-memory ccache",
krb5_cc_copy_creds(context, ccache, tmp1));
bail_on_err(context, "Error starting traversal of first in-memory ccache",
krb5_cc_start_seq_get(context, tmp1, &cursor));
while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
if (!krb5_is_config_principal(context, creds.server) ||
!krb5_principal_compare(context, mcreds.server, creds.server) ||
!krb5_principal_compare(context, mcreds.client, creds.client)) {
bail_on_err(context,
"Error storing non-config item to in-memory ccache",
krb5_cc_store_cred(context, tmp2, &creds));
}
}
bail_on_err(context, "Error ending traversal of first in-memory ccache",
krb5_cc_end_seq_get(context, tmp1, &cursor));
bail_on_err(context, "Error clearing ccache",
krb5_cc_initialize(context, ccache, mcreds.client));
bail_on_err(context, "Error storing creds to the ccache",
krb5_cc_copy_creds(context, tmp2, ccache));
bail_on_err(context, "Error cleaning up first in-memory ccache",
krb5_cc_destroy(context, tmp1));
bail_on_err(context, "Error cleaning up second in-memory ccache",
krb5_cc_destroy(context, tmp2));
}
/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
static int
check_ccache(krb5_ccache cache)
{
krb5_error_code ret;
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_boolean found_tgt, found_current_tgt, found_current_cred;
if (krb5_cc_get_principal(context, cache, &princ) != 0)
return 1;
if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
return 1;
found_tgt = found_current_tgt = found_current_cred = FALSE;
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (is_local_tgt(creds.server, &princ->realm)) {
found_tgt = TRUE;
if (ts_after(creds.times.endtime, now))
found_current_tgt = TRUE;
} else if (!krb5_is_config_principal(context, creds.server) &&
ts_after(creds.times.endtime, now)) {
found_current_cred = TRUE;
}
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
if (ret != KRB5_CC_END)
return 1;
if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
return 1;
/* If the cache contains at least one local TGT, require that it be
* current. Otherwise accept any current cred. */
if (found_tgt)
return found_current_tgt ? 0 : 1;
return found_current_cred ? 0 : 1;
}
static int
kinit_check_tgt(kinit_data *kid, int *remaining)
{
int ret=3;
krb5_principal princ;
krb5_error_code rc;
krb5_cc_cursor cursor;
krb5_creds creds;
char *name;
time_t now=time(NULL);
rc = krb5_cc_get_principal(kid->ctx, kid->ccache, &princ);
if (rc) {
log_krb5_errmsg(kid->ctx, "krb5_cc_get_principal", rc);
return 2;
} else {
if (!krb5_principal_compare(kid->ctx, kid->princ, princ)) {
Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"Principal in ccache does not match requested principal\n");
krb5_free_principal(kid->ctx, princ);
return 2;
}
}
rc = krb5_cc_start_seq_get(kid->ctx, kid->ccache, &cursor);
if (rc) {
log_krb5_errmsg(kid->ctx, "krb5_cc_start_seq_get", rc);
krb5_free_principal(kid->ctx, princ);
return -1;
}
while (!(rc = krb5_cc_next_cred(kid->ctx, kid->ccache, &cursor, &creds))) {
if (krb5_is_config_principal(kid->ctx, creds.server)) {
krb5_free_cred_contents(kid->ctx, &creds);
continue;
}
if (creds.server->length==2 &&
(!strcmp(creds.server->data[0].data, "krbtgt")) &&
(!strcmp(creds.server->data[1].data, princ->realm.data))) {
krb5_unparse_name(kid->ctx, creds.server, &name);
*remaining = (time_t)creds.times.endtime-now;
if ( *remaining <= 0) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: TGT (%s) expired\n", name);
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: TGT (%s) expires in %dh:%02dm:%02ds\n",
name, *remaining/3600, (*remaining%3600)/60, *remaining%60);
}
free(name);
if (*remaining <= 30) {
if (creds.times.renew_till-60 > now) {
int renewal=creds.times.renew_till-now;
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Time remaining for renewal: %dh:%02dm:%02ds\n",
renewal/3600, (renewal%3600)/60, renewal%60);
ret = 1;
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Only short time left for renewal. "
"Trying to re-init.\n");
ret = 2;
}
} else {
ret=0;
}
krb5_free_cred_contents(kid->ctx, &creds);
break;
}
krb5_free_cred_contents(kid->ctx, &creds);
}
krb5_cc_end_seq_get(kid->ctx, kid->ccache, &cursor);
krb5_free_principal(kid->ctx, princ);
return ret;
}
int print_ccache (kim_ccache in_ccache, int *out_found_valid_tgt)
{
kim_error err = 0;
kim_credential_iterator iterator = NULL;
kim_identity ccache_identity = NULL;
kim_string type = NULL;
kim_string name = NULL;
kim_string ccache_identity_string = NULL;
int found_tickets = 0;
*out_found_valid_tgt = 0;
if (!err) {
err = kim_ccache_get_type (in_ccache, &type);
printiferr (err, "while getting the ccache type");
}
if (!err) {
err = kim_ccache_get_name (in_ccache, &name);
printiferr (err, "while getting the ccache name");
}
if (!err) {
err = kim_ccache_get_client_identity (in_ccache, &ccache_identity);
printiferr (err, "while getting the ccache principal");
}
if (!err) {
err = kim_identity_get_display_string (ccache_identity,
&ccache_identity_string);
printiferr (err, "while unparsing the ccache principal name");
}
if (!err) {
printmsg ("Kerberos 5 ticket cache: '%s:%s'\nDefault principal: %s\n\n",
type, name, ccache_identity_string);
printmsg ("Valid Starting");
printfiller (' ', get_timestamp_width () - sizeof ("Valid Starting") + 3);
printmsg ("Expires");
printfiller (' ', get_timestamp_width () - sizeof ("Expires") + 3);
printmsg ("Service Principal\n");
err = kim_credential_iterator_create (&iterator, in_ccache);
}
while (!err) {
kim_credential credential = NULL;
kim_identity client = NULL;
kim_identity service = NULL;
kim_string client_string = NULL;
kim_string service_string = NULL;
krb5_creds *creds = NULL;
int extra_field = 0;
err = kim_credential_iterator_next (iterator, &credential);
if (!err && !credential) { break; }
if (!err) {
err = kim_credential_get_client_identity (credential, &client);
printiferr (err, "while getting the client principal");
}
if (!err) {
err = kim_identity_get_display_string (client, &client_string);
printiferr (err, "while unparsing the client principal name");
}
if (!err) {
err = kim_credential_get_service_identity (credential, &service);
printiferr (err, "while getting the service principal");
}
if (!err) {
err = kim_identity_get_display_string (service, &service_string);
printiferr (err, "while unparsing the service principal name");
}
if (!err) {
err = kim_credential_get_krb5_creds (credential, kcontext, &creds);
printiferr (err, "while getting krb5 creds");
}
if (!err && krb5_is_config_principal(kcontext, creds->server))
goto next;
if (!err) {
found_tickets = 1;
printtime (creds->times.starttime ? creds->times.starttime : creds->times.authtime);
printmsg (" ");
printtime (creds->times.endtime);
printmsg (" ");
printmsg ("%s\n", service_string);
if (strcmp (ccache_identity_string, client_string)) {
if (!extra_field) {
printmsg ("\t");
}
printmsg ("for client %s", client_string);
extra_field++;
}
if (creds->ticket_flags & TKT_FLG_RENEWABLE) {
printmsg (extra_field ? ", " : "\t");
printmsg ("renew until ");
printtime (creds->times.renew_till);
extra_field += 2;
}
if (extra_field > 2) {
printmsg ("\n");
extra_field = 0;
}
if (show_flags) {
printmsg (extra_field ? ", " : "\t");
printflags (creds->ticket_flags);
extra_field++;
}
if (extra_field > 2) {
printmsg ("\n");
extra_field = 0;
}
if (show_enctypes) {
krb5_ticket *ticket_rep;
if (krb5_decode_ticket (&creds->ticket, &ticket_rep) == 0) {
if (!extra_field) {
printmsg ("\t");
} else {
printmsg (", ");
}
printmsg ("Etype (skey, tkt): %s, ",
enctype_to_string (creds->keyblock.enctype));
printmsg ("%s ",
enctype_to_string (ticket_rep->enc_part.enctype));
extra_field++;
krb5_free_ticket (kcontext, ticket_rep);
}
}
if (extra_field) {
printmsg ("\n");
}
if (show_address_list) {
printmsg ("\tAddresses: ");
if (!creds->addresses || !creds->addresses[0]) {
printmsg ("(none)\n");
} else {
int i;
for (i = 0; creds->addresses[i]; i++) {
if (i > 0) {
printmsg (", ");
}
printaddress (*creds->addresses[i]);
}
printmsg ("\n");
}
}
if (extra_field) {
printmsg ("\n");
}
}
if (!err) {
kim_boolean is_tgt = 0;
kim_credential_state state;
err = kim_credential_is_tgt (credential, &is_tgt);
printiferr (err, "while checking if creds are valid");
if (!err) {
err = kim_credential_get_state (credential, &state);
}
if (!err && is_tgt && state == kim_credentials_state_valid) {
*out_found_valid_tgt = 1;
}
}
next:
if (creds) { krb5_free_creds (kcontext, creds); }
kim_string_free (&client_string);
kim_string_free (&service_string);
kim_identity_free (&client);
kim_identity_free (&service);
kim_credential_free (&credential);
}
kim_string_free (&type);
kim_string_free (&name);
kim_string_free (&ccache_identity_string);
kim_identity_free (&ccache_identity);
kim_credential_iterator_free (&iterator);
if (!err) {
if (!found_tickets) {
printerr ("No Kerberos 5 tickets in credentials cache\n");
} else {
printmsg ("\n");
}
}
return err;
}
static void
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal,
int do_verbose,
int do_flags,
int do_hidden)
{
krb5_error_code ret;
char *str, *name;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_deltat sec;
rtbl_t ct = NULL;
ret = krb5_unparse_name (context, principal, &str);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
printf ("%17s: %s:%s\n",
N_("Credentials cache", ""),
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
printf ("%17s: %s\n", N_("Principal", ""), str);
ret = krb5_cc_get_friendly_name(context, ccache, &name);
if (ret == 0) {
if (strcmp(name, str) != 0)
printf ("%17s: %s\n", N_("Friendly name", ""), name);
free(name);
}
free (str);
if(do_verbose) {
printf ("%17s: %d\n", N_("Cache version", ""),
krb5_cc_get_version(context, ccache));
} else {
krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
}
ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
if (ret == 0 && do_verbose && sec != 0) {
char buf[BUFSIZ];
int val;
int sig;
val = sec;
sig = 1;
if (val < 0) {
sig = -1;
val = -val;
}
unparse_time (val, buf, sizeof(buf));
printf ("%17s: %s%s\n", N_("KDC time offset", ""),
sig == -1 ? "-" : "", buf);
}
printf("\n");
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
if(!do_verbose) {
ct = rtbl_create();
rtbl_add_column(ct, COL_ISSUED, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
if(do_flags)
rtbl_add_column(ct, COL_FLAGS, 0);
rtbl_add_column(ct, COL_PRINCIPAL, 0);
rtbl_set_separator(ct, " ");
}
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&creds)) == 0) {
if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
;
}else if(do_verbose){
print_cred_verbose(context, &creds);
}else{
print_cred(context, &creds, ct, do_flags);
}
krb5_free_cred_contents (context, &creds);
}
if(ret != KRB5_CC_END)
krb5_err(context, 1, ret, "krb5_cc_get_next");
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
if(!do_verbose) {
rtbl_format(ct, stdout);
rtbl_destroy(ct);
}
}
/*
* Request:
* NameZ
* WhichFields
* MatchCreds
*
* Response:
* Creds
*
*/
static krb5_error_code
kcm_op_retrieve(krb5_context context,
kcm_client *client,
kcm_operation opcode,
krb5_storage *request,
krb5_storage *response)
{
uint32_t flags;
krb5_creds mcreds;
krb5_error_code ret;
kcm_ccache ccache;
char *name;
krb5_creds *credp;
int free_creds = 0;
ret = krb5_ret_stringz(request, &name);
if (ret)
return ret;
KCM_LOG_REQUEST_NAME(context, client, opcode, name);
ret = krb5_ret_uint32(request, &flags);
if (ret) {
free(name);
return ret;
}
ret = krb5_ret_creds_tag(request, &mcreds);
if (ret) {
free(name);
return ret;
}
if (disallow_getting_krbtgt &&
mcreds.server->name.name_string.len == 2 &&
strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
{
free(name);
krb5_free_cred_contents(context, &mcreds);
return KRB5_FCC_PERM;
}
ret = kcm_ccache_resolve_client(context, client, opcode,
name, &ccache);
if (ret) {
free(name);
krb5_free_cred_contents(context, &mcreds);
return ret;
}
ret = kcm_ccache_retrieve_cred(context, ccache, flags,
&mcreds, &credp);
if (ret && ((flags & KRB5_GC_CACHED) == 0) &&
!krb5_is_config_principal(context, mcreds.server)) {
krb5_ccache_data ccdata;
/* try and acquire */
HEIMDAL_MUTEX_lock(&ccache->mutex);
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* glue cc layer will store creds */
ret = krb5_get_credentials(context, 0, &ccdata, &mcreds, &credp);
if (ret == 0)
free_creds = 1;
HEIMDAL_MUTEX_unlock(&ccache->mutex);
}
if (ret == 0) {
ret = krb5_store_creds(response, credp);
}
free(name);
krb5_free_cred_contents(context, &mcreds);
kcm_release_ccache(context, ccache);
if (free_creds)
krb5_free_cred_contents(context, credp);
return ret;
}
bool Krb5CCache::Iterator::isConfigEntry() {
return state_ && krb5_is_config_principal(
state_->context_.get(), state_->creds_.server);
}
static void
show_credential(krb5_creds *cred)
{
krb5_error_code ret;
krb5_ticket *tkt;
char *name, *sname, *flags;
int extra_field = 0, ccol = 0, i;
ret = krb5_unparse_name(context, cred->client, &name);
if (ret) {
com_err(progname, ret, _("while unparsing client name"));
return;
}
ret = krb5_unparse_name(context, cred->server, &sname);
if (ret) {
com_err(progname, ret, _("while unparsing server name"));
krb5_free_unparsed_name(context, name);
return;
}
if (!cred->times.starttime)
cred->times.starttime = cred->times.authtime;
if (!krb5_is_config_principal(context, cred->server)) {
printtime(cred->times.starttime);
putchar(' ');
putchar(' ');
printtime(cred->times.endtime);
putchar(' ');
putchar(' ');
printf("%s\n", sname);
} else {
fputs("config: ", stdout);
ccol = 8;
for (i = 1; i < cred->server->length; i++) {
ccol += printf("%s%.*s%s",
i > 1 ? "(" : "",
(int)cred->server->data[i].length,
cred->server->data[i].data,
i > 1 ? ")" : "");
}
fputs(" = ", stdout);
ccol += 3;
}
if (strcmp(name, defname)) {
printf(_("\tfor client %s"), name);
extra_field++;
}
if (krb5_is_config_principal(context, cred->server))
print_config_data(ccol, &cred->ticket);
if (cred->times.renew_till) {
if (!extra_field)
fputs("\t",stdout);
else
fputs(", ",stdout);
fputs(_("renew until "), stdout);
printtime(cred->times.renew_till);
extra_field += 2;
}
if (extra_field > 3) {
fputs("\n", stdout);
extra_field = 0;
}
if (show_flags) {
flags = flags_string(cred);
if (flags && *flags) {
if (!extra_field)
fputs("\t",stdout);
else
fputs(", ",stdout);
printf(_("Flags: %s"), flags);
extra_field++;
}
}
if (extra_field > 2) {
fputs("\n", stdout);
extra_field = 0;
}
if (show_etype) {
ret = krb5_decode_ticket(&cred->ticket, &tkt);
if (ret)
goto err_tkt;
if (!extra_field)
fputs("\t",stdout);
else
fputs(", ",stdout);
printf(_("Etype (skey, tkt): %s, "),
etype_string(cred->keyblock.enctype));
printf("%s ", etype_string(tkt->enc_part.enctype));
extra_field++;
err_tkt:
if (tkt != NULL)
krb5_free_ticket(context, tkt);
}
if (show_adtype) {
if (cred->authdata != NULL) {
if (!extra_field)
fputs("\t",stdout);
else
fputs(", ",stdout);
printf(_("AD types: "));
for (i = 0; cred->authdata[i] != NULL; i++) {
if (i)
printf(", ");
printf("%d", cred->authdata[i]->ad_type);
}
extra_field++;
}
}
/* If any additional info was printed, extra_field is non-zero. */
if (extra_field)
putchar('\n');
if (show_addresses) {
if (cred->addresses == NULL || cred->addresses[0] == NULL) {
printf(_("\tAddresses: (none)\n"));
} else {
printf(_("\tAddresses: "));
one_addr(cred->addresses[0]);
for (i = 1; cred->addresses[i] != NULL; i++) {
printf(", ");
one_addr(cred->addresses[i]);
}
printf("\n");
}
}
krb5_free_unparsed_name(context, name);
krb5_free_unparsed_name(context, sname);
}
static void
print_cred_verbose(krb5_context context, krb5_creds *cred, int do_json)
{
size_t j;
char *str;
krb5_error_code ret;
krb5_timestamp sec;
if (do_json) { /* XXX support more json formating later */
printf("{ \"verbose-supported\" : false }");
return;
}
krb5_timeofday (context, &sec);
ret = krb5_unparse_name(context, cred->server, &str);
if(ret)
exit(1);
printf(N_("Server: %s\n", ""), str);
free (str);
ret = krb5_unparse_name(context, cred->client, &str);
if(ret)
exit(1);
printf(N_("Client: %s\n", ""), str);
free (str);
if (!krb5_is_config_principal(context, cred->client)) {
Ticket t;
size_t len;
char *s;
decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
printf(N_("Ticket etype: ", ""));
if (ret == 0) {
printf("%s", s);
free(s);
} else {
printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
}
if(t.enc_part.kvno)
printf(N_(", kvno %d", ""), *t.enc_part.kvno);
printf("\n");
if(cred->session.keytype != t.enc_part.etype) {
ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
if(ret)
krb5_warn(context, ret, "session keytype");
else {
printf(N_("Session key: %s\n", "enctype"), str);
free(str);
}
}
free_Ticket(&t);
printf(N_("Ticket length: %lu\n", ""),
(unsigned long)cred->ticket.length);
}
printf(N_("Auth time: %s\n", ""),
printable_time_long(cred->times.authtime));
if(cred->times.authtime != cred->times.starttime)
printf(N_("Start time: %s\n", ""),
printable_time_long(cred->times.starttime));
printf(N_("End time: %s", ""),
printable_time_long(cred->times.endtime));
if(sec > cred->times.endtime)
printf(N_(" (expired)", ""));
printf("\n");
if(cred->flags.b.renewable)
printf(N_("Renew till: %s\n", ""),
printable_time_long(cred->times.renew_till));
{
char flags[1024];
unparse_flags(TicketFlags2int(cred->flags.b),
asn1_TicketFlags_units(),
flags, sizeof(flags));
printf(N_("Ticket flags: %s\n", ""), flags);
}
printf(N_("Addresses: ", ""));
if (cred->addresses.len != 0) {
for(j = 0; j < cred->addresses.len; j++){
char buf[128];
size_t len;
if(j) printf(", ");
ret = krb5_print_address(&cred->addresses.val[j],
buf, sizeof(buf), &len);
if(ret == 0)
printf("%s", buf);
}
} else {
printf(N_("addressless", ""));
}
printf("\n\n");
}
/* fill in service tickets data */
gboolean
ka_get_service_tickets (GtkListStore * tickets, gboolean hide_conf_tickets)
{
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_error_code ret;
GtkTreeIter iter;
krb5_ccache ccache;
char *name;
krb5_timestamp sec;
gchar start_time[128], end_time[128], end_time_markup[256];
gboolean retval = FALSE;
gtk_list_store_clear (tickets);
krb5_timeofday (kcontext, &sec);
ret = krb5_cc_default (kcontext, &ccache);
g_return_val_if_fail (!ret, FALSE);
ret = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
if (ret == KRB5_FCC_NOFILE) {
ka_log_error_message_at_level (G_LOG_LEVEL_INFO, "krb5_cc_start_seq_get", kcontext, ret);
gtk_list_store_append (tickets, &iter);
gtk_list_store_set (tickets, &iter,
PRINCIPAL_COLUMN, _("Your ticket cache is currently empty"),
FORWARDABLE_COLUMN, FALSE,
RENEWABLE_COLUMN, FALSE,
PROXIABLE_COLUMN, FALSE, -1);
retval = TRUE;
goto out;
} else if (ret) {
goto out;
}
while ((ret = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
gboolean renewable, proxiable, forwardable;
if (hide_conf_tickets && krb5_is_config_principal (kcontext,
creds.server)) {
krb5_free_cred_contents (kcontext, &creds);
continue;
}
if (creds.times.starttime)
ka_format_time (creds.times.starttime, start_time,
sizeof (start_time));
else
ka_format_time (creds.times.authtime, start_time,
sizeof (start_time));
ka_format_time (creds.times.endtime, end_time, sizeof (end_time));
if (creds.times.endtime > sec)
strcpy (end_time_markup, end_time);
else
g_snprintf (end_time_markup, sizeof (end_time_markup),
"%s <span foreground=\"red\" style=\"italic\">(%s)</span>",
end_time, _("Expired"));
forwardable = get_cred_forwardable (&creds);
renewable = get_cred_renewable (&creds);
proxiable = get_cred_proxiable (&creds);
ret = krb5_unparse_name (kcontext, creds.server, &name);
if (!ret) {
gtk_list_store_append (tickets, &iter);
gtk_list_store_set (tickets, &iter,
PRINCIPAL_COLUMN, name,
START_TIME_COLUMN, start_time,
END_TIME_COLUMN, end_time_markup,
FORWARDABLE_COLUMN, forwardable,
RENEWABLE_COLUMN, renewable,
PROXIABLE_COLUMN, proxiable, -1);
free (name);
} else
ka_log_error_message ("krb5_unparse_name", kcontext, ret);
krb5_free_cred_contents (kcontext, &creds);
}
if (ret != KRB5_CC_END)
ka_log_error_message ("krb5_cc_get_next", kcontext, ret);
ret = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
if (ret)
ka_log_error_message ("krb5_cc_end_seq_get", kcontext, ret);
retval = TRUE;
out:
ret = krb5_cc_close (kcontext, ccache);
g_return_val_if_fail (!ret, FALSE);
return retval;
}
/*
* output a single credential (ticket)
*/
void show_cred(register krb5_creds *cred) {
krb5_error_code retval;
char *clientname = NULL;
char *servername = NULL;
char *flags;
int is_config;
int i;
is_config = krb5_is_config_principal(ctx, cred->server);
if (is_config && !show_cfg_tkts)
return;
retval = krb5_unparse_name(ctx, cred->client, &clientname);
if (retval) {
com_err(progname, retval, "while unparsing client name");
goto cleanup;
}
retval = krb5_unparse_name(ctx, cred->server, &servername);
if (retval) {
com_err(progname, retval, "while unparsing server name");
goto cleanup;
}
if (show_names_only) {
printf("%s\n", servername);
goto cleanup;
}
if (!cred->times.starttime)
cred->times.starttime = cred->times.authtime;
if (is_config && show_cfg_tkts == 1) {
// "config" <arg>+ <value>
printf("config");
#ifdef KRB5_MIT
printf("\t%d", cred->server->length-1);
for (i = 1; i < cred->server->length; i++)
printf("\t%s", cred->server->data[i].data);
#else
printf("\t%d", cred->server->name.name_string.len-1);
for (i = 1; i < cred->server->name.name_string.len; i++)
printf("\t%s", cred->server->name.name_string.val[i]);
#endif
printf("\t");
print_data(&cred->ticket);
printf("\n");
} else {
// "ticket" <server> <client> <start> <renew> <flags> [data]
printf(is_config ? "cfgticket" : "ticket");
printf("\t%s", clientname);
printf("\t%s", servername);
printf("\t%ld", (unsigned long) cred->times.starttime);
printf("\t%ld", (unsigned long) cred->times.endtime);
printf("\t%ld", (unsigned long) cred->times.renew_till);
flags = strflags(cred);
if (flags && *flags)
printf("\t%s", flags);
else if (flags)
printf("\t-");
else
printf("\t?");
if (is_config || show_tktdata) {
printf("\t");
print_data(&cred->ticket);
} else
printf("\t-");
printf("\n");
}
cleanup:
if (clientname)
krb5_free_unparsed_name(ctx, clientname);
if (servername)
krb5_free_unparsed_name(ctx, servername);
}
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context)
{
krb5_error_code ret;
krb5_cccol_cursor col_cursor;
krb5_cc_cursor cache_cursor;
krb5_ccache cache;
krb5_creds creds;
krb5_boolean found = FALSE;
struct errinfo errsave = EMPTY_ERRINFO;
const char *defname;
ret = krb5_cccol_cursor_new(context, &col_cursor);
save_first_error(context, ret, &errsave);
if (ret)
goto no_entries;
while (!found) {
ret = krb5_cccol_cursor_next(context, col_cursor, &cache);
save_first_error(context, ret, &errsave);
if (ret || cache == NULL)
break;
ret = krb5_cc_start_seq_get(context, cache, &cache_cursor);
save_first_error(context, ret, &errsave);
if (ret)
continue;
while (!found) {
ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds);
save_first_error(context, ret, &errsave);
if (ret)
break;
if (!krb5_is_config_principal(context, creds.server))
found = TRUE;
krb5_free_cred_contents(context, &creds);
}
krb5_cc_end_seq_get(context, cache, &cache_cursor);
krb5_cc_close(context, cache);
}
krb5_cccol_cursor_free(context, &col_cursor);
if (found)
return 0;
no_entries:
if (errsave.code) {
/* Report the first error we encountered. */
ret = k5_restore_ctx_error(context, &errsave);
k5_wrapmsg(context, ret, KRB5_CC_NOTFOUND,
_("No Kerberos credentials available"));
} else {
/* Report the default cache name. */
defname = krb5_cc_default_name(context);
if (defname != NULL) {
k5_setmsg(context, KRB5_CC_NOTFOUND,
_("No Kerberos credentials available "
"(default cache: %s)"), defname);
}
}
return KRB5_CC_NOTFOUND;
}