From 25de2f67774d0ba4a465780fa051640562543536 Mon Sep 17 00:00:00 2001
From: Johan Danielsson
Date: Sun, 25 Apr 2004 16:03:45 +0000
Subject: [PATCH] add --valid-for option

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13783 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kuser/copy_cred_cache.1 | 13 ++++----
 kuser/copy_cred_cache.c | 74 +++++++++++++++++++++++++++++++++++------
 2 files changed, 70 insertions(+), 17 deletions(-)

diff --git a/kuser/copy_cred_cache.1 b/kuser/copy_cred_cache.1
index 0da0bdde0..4c292416c 100644
--- a/kuser/copy_cred_cache.1
+++ b/kuser/copy_cred_cache.1
@@ -31,10 +31,6 @@
 .\"
 .\" $Id$
 .\"
-.\" Things to fix:
-.\" * remove Op from mandatory flags
-.\" * use better macros for arguments (like .Pa for files)
-.\"
 .Dd April 24, 2004
 .Dt COPY_CRED_CACHE 1
 .Os HEIMDAL
@@ -48,6 +44,7 @@ copy credentials from one cache to another
 .Op Fl -service= Ns Ar principal
 .Op Fl -enctype= Ns Ar enctype
 .Op Fl -flags= Ns Ar ticketflags
+.Op Fl -valid-for= Ns Ar time
 .Op Fl -fcache-version= Ns Ar integer
 .Op Aq Ar from-cache
 .Aq Ar to-cache
@@ -70,6 +67,9 @@ Copies only credentials matching this service principal.
 Copies only credentials a matching enctype.
 .It Fl -flags= Ns Ar ticketflags
 Copies only credentials with these ticket flags set.
+.It Fl -valid-for= Ns Ar time
+Copies only credentials that are valid for at least this long. This
+does not take renewable creds into account.
 .It Fl -fcache-version= Ns Ar integer
 The created cache, If a standard
 .Li FILE
@@ -78,11 +78,12 @@ cache is created, it will have this file format version.
 .\".Sh ENVIRONMENT
 .\".Sh FILES
 .Sh EXAMPLES
-To copy only credentials with the
+To copy only credentials that are valid for at least one day and with
+the
 .Li initial
 flag set, try something like:
 .Bd -literal -offset indent
-$ copy_cred_cache --flags=initial FILE:/some/cache
+$ copy_cred_cache --valid-for=1d --flags=initial FILE:/some/cache
 .Ed
 .Sh DIAGNOSTICS
 The 
diff --git a/kuser/copy_cred_cache.c b/kuser/copy_cred_cache.c
index 742485101..7e880f1b2 100644
--- a/kuser/copy_cred_cache.c
+++ b/kuser/copy_cred_cache.c
@@ -41,11 +41,13 @@ RCSID("$Id$");
 #include
 #include
 #include
+#include
 
 static int krbtgt_only_flag;
 static char *service_string;
 static char *enctype_string;
 static char *flags_string;
+static char *valid_string;
 static int fcache_version;
 static int help_flag;
 static int version_flag;
@@ -59,6 +61,8 @@ static struct getargs args[] = {
 "limit to this enctype", "enctype" },
 { "flags", 0, arg_string, &flags_string,
 "limit to these flags", "ticketflags" },
+ { "valid-for", 0, arg_string, &valid_string,
+ "limit to creds valid for at least this long", "time" },
 { "fcache-version", 0, arg_integer, &fcache_version,
 "file cache version to create" },
 { "version", 0, arg_flag, &version_flag },
@@ -83,6 +87,24 @@ usage(int ret)
 #define KRB5_TC_MATCH_TIMES (1 << 25)
 #define KRB5_TC_MATCH_AUTHDATA (1 << 24)
 #define KRB5_TC_MATCH_2ND_TKT (1 << 23)
+#define KRB5_TC_MATCH_IS_SKEY (1 << 22)
+
+static krb5_boolean
+krb5_data_equal(const krb5_data *a, const krb5_data *b)
+{
+ if(a->length != b->length)
+ return FALSE;
+ return memcmp(a->data, b->data, a->length) == 0;
+}
+
+static krb5_boolean
+krb5_times_equal(const krb5_times *a, const krb5_times *b)
+{
+ return a->starttime == b->starttime &&
+ a->authtime == b->authtime &&
+ a->endtime == b->endtime &&
+ a->renew_till == b->renew_till;
+}
 
 static krb5_boolean
 krb5_compare_creds2(krb5_context context, krb5_flags whichfields,
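Review bot: `krb5_data_equal` hands `a->data` and `b->data` to memcmp even when both lengths are 0, and an empty krb5_data may well carry a NULL data pointer (the `KRB5_TC_MATCH_IS_SKEY` branch in the next hunk treats a zero-length `second_ticket` as a normal case); memcmp with a null pointer is undefined behaviour in C regardless of the count. A guard in front of the memcmp avoids it: `if (a->length == 0) return TRUE;`. As a point of style, both new helpers are static but use the library's `krb5_` prefix, which risks a clash if libkrb5 later exports a function of the same name; a local prefix such as `data_equal`/`times_equal` would be safer.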
@@ -108,19 +130,42 @@ krb5_compare_creds2(krb5_context context, krb5_flags whichfields,
 creds->client);
 }
 
- if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE) &&
- !krb5_enctypes_compatible_keys(context,
- mcreds->session.keytype,
- creds->session.keytype))
- match = FALSE;
+ if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
+ match = krb5_enctypes_compatible_keys(context,
+ mcreds->session.keytype,
+ creds->session.keytype);
 
- if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT) &&
- mcreds->flags.i != creds->flags.i)
- match = FALSE;
+ if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
+ match = mcreds->flags.i == creds->flags.i;
 
- if (match && (whichfields & KRB5_TC_MATCH_FLAGS) &&
- (creds->flags.i & mcreds->flags.i) != mcreds->flags.i)
- match = FALSE;
+ if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
+ match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
+
+ if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
+ match = krb5_times_equal(&mcreds->times, &creds->times);
+
+ if (match && (whichfields & KRB5_TC_MATCH_TIMES))
+ /* compare only expiration times */
+ match = (mcreds->times.renew_till <= creds->times.renew_till) &&
+ (mcreds->times.endtime <= creds->times.endtime);
+
+ if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
+ unsigned int i;
+ if(mcreds->authdata.len != creds->authdata.len)
+ match = FALSE;
+ else
+ for(i = 0; match && i < mcreds->authdata.len; i++)
+ match = (mcreds->authdata.val[i].ad_type ==
+ creds->authdata.val[i].ad_type) &&
+ krb5_data_equal(&mcreds->authdata.val[i].ad_data,
+ &creds->authdata.val[i].ad_data);
+ }
+ if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
+ match = krb5_data_equal(&mcreds->second_ticket, &creds->second_ticket);
+
+ if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
+ match = ((mcreds->second_ticket.length == 0) ==
+ (creds->second_ticket.length == 0));
 
 return match;
 }
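Review bot: The `KRB5_TC_MATCH_TIMES` branch also requires `mcreds->times.renew_till <= creds->times.renew_till`, although its comment says `/* compare only expiration times */` and the man page hunk above states that renewable creds are not taken into account. A caller that leaves `renew_till` at zero in `mcreds` is unaffected, but any caller that sets it gets a stricter filter than documented; either drop the renew_till term or reword the comment to `/* creds must last (and be renewable) at least as long as mcreds */`. The new `KRB5_TC_MATCH_AUTHDATA` loop compares entries positionally, so two authdata lists with the same elements in a different order do not match, which deserves a one-line comment if intended. krb5_compare_creds2 starts outside this hunk.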
@@ -266,6 +311,13 @@ main(int argc, char **argv)
 parse_ticket_flags(context, flags_string, &mcreds.flags);
 whichfields |= KRB5_TC_MATCH_FLAGS;
 }
+ if (valid_string) {
+ time_t t = parse_time(valid_string, "s");
+ if(t < 0)
+ errx(1, "unknown time \"%s\"", valid_string);
+ mcreds.times.endtime = time(NULL) + t;
+ whichfields |= KRB5_TC_MATCH_TIMES;
+ }
 if (fcache_version)
 krb5_set_fcache_version(context, fcache_version);