From 19c0cfe38670cc56219f0d9acdc2b3363e92616c Mon Sep 17 00:00:00 2001

From: Alexey Tikhonov <atikhono@redhat.com>

Date: Fri, 4 Dec 2020 12:09:57 +0100

Subject: [PATCH] Squashed commit of the following:

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

commit 325de5a5bb97ba026be6d22492bea8ab2605f1b5

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Nov 26 12:07:06 2020 +0100

    secrets: remove base64 enctype

    This was added as part of KCM performance improvements but never used.

    Ldb is fully capable of holding binary data without the need for base64

    encoding so this is not needed.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 39277cdadd317b0ab86cdd37de0616bc3eecbe6a

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Nov 26 11:55:39 2020 +0100

    secrets: move attrs names to macros

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 9c1b51d057390fb5b26151f814a480911cda4cc9

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Nov 26 11:47:24 2020 +0100

    secrets: default to "plaintext" if "enctype" attr is missing

    This is a sane fallback behavior, however it should not happen since

    the attribute should be always present.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit bf127d4f3f42e5b2afe25e512211439bc12a9904

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Nov 3 13:35:33 2020 +0100

    secrets: fix may_payload_size exceeded debug message

    The unit is bytes (B) not bits (b) and the conversion of the input

    payload size to KiB was wrong (multiplying bytes * 1024).

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit c3b314db57c34f64aaca7d74e76a9a955288bb51

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Mon Oct 19 12:40:07 2020 +0200

    kcm: store credentials list in hash table to avoid cache lookups

    Iteration over ccache requires CRED_UUID_LIST and then calling

    CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID

    operation invoked ldb_search and decryption. This was a substantional

    bottle neck.

    Resolves: https://github.com/SSSD/sssd/issues/5349

    :fixes: KCM performance has improved dramatically for cases where

      large amount of credentials are stored in the ccache.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit a370553c90c2ed6df3b94c169c4960a6f978031f

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Oct 29 14:57:53 2020 +0100

    sss_ptr_hash: fix double free for circular dependencies

    If the hash table delete callback deletes the stored item,

    we can end up in double free in case when we try to override

    an existing item (hash_enter(key) where key already exists).

    ```c

    static void delete_cb(hash_entry_t *item,

                          hash_destroy_enum deltype,

                          void *pvt)

    {

        talloc_free(item->value.ptr);

    }

    hash_enter(key);

    hash_enter(key);

    ```

    The doble free it self is fine, since it is done via talloc destructor

    and talloc can cope with that. However, the hash table fails to store

    the new entry because hash_delete is called twice.

    ```

    _sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete

    ```

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 241ee30da12f564803793ee2b14c1522aabd9235

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Fri Oct 16 15:36:51 2020 +0200

    kcm: add per-connection data to be shared between requests

    Resolves: https://github.com/SSSD/sssd/issues/5349

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 194447d35c11eb914f54719491dc5cfaab01b9a1

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Oct 27 16:21:31 2020 +0100

    kcm: use binary format to store ccache instead of json

    JSON is computationally complex and the parser is a bottleneck which

    consumes about 10% of time. It also create the ccache unnecessary

    large because it requires lots of unneded character and base64

    encoding.

    Binary format is fast, simple and small.

    This is backwards compatible and there is no need to destroy existing

    ccache. It will be stored in binary format at first write to the cache.

    Resolves: https://github.com/SSSD/sssd/issues/5349

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit f17740d831e16449495fff4ec57cc4800aaac83d

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Oct 27 17:09:43 2020 +0100

    kcm: add spaces around operators in kcmsrv_ccache_key.c

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 15069a647ed6c7f1ead42baa1d421d953c9bc557

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Oct 27 16:37:05 2020 +0100

    kcm: avoid suppression of cppcheck warning

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit e63a15038ac9c186626e4fdf681a6492031d1e40

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Oct 27 16:18:11 2020 +0100

    kcm: move sec key parser to separate file so it can be shared

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 9b1631defdcaa3ea7e87889eb136e7fa935ab4ce

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Oct 22 13:34:52 2020 +0200

    kcm: add json suffix to existing searialization functions

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit b6cc661b9f4162e590137430e945aa321fc13121

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Fri Oct 23 13:10:13 2020 +0200

    iobuf: add more iobuf functions

    These will be used in later patches.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit ed08ba0023e63024bf1c52ae3f6596b9d804d0a5

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Oct 22 12:18:38 2020 +0200

    secrets: accept binary data instead of string

    Currently, both KCM and secrets responders store JSON formatted string

    in the secrets database. One of the next commits makes KCM to store

    binary format instead of JSON string to improve performance. We need

    to be able to distinguish the formats to keep KCM update compatible

    with existing ccache and also to keep secrets responder working.

    Secrets responder test had to be ammended to fit into a new maximum

    payload which is now reduced by one byte for the secrets responder

    to hold the ending zero of a secret string.

    This is a corner case in a long deprecated responder that is not even

    built by default and has no known consumers so it is fine to fast fix

    the test.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 908c15af9a9f8f0556a588e368e4a0b2e24ace1b

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Thu Oct 22 11:18:12 2020 +0200

    secrets: allow to specify secret's data format

    Currently, both KCM and secrets responders store JSON formatted string

    in the secrets database. One of the next commits makes KCM to store

    binary format instead of JSON string to improve performance. We need

    to be able to distinguish the formats to keep KCM update compatible

    with existing ccache and also to keep secrets responder working.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 74fdaa64b27e88a6e0f153f8cb59989c572d4294

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Tue Oct 27 16:45:22 2020 +0100

    kcm: avoid multiple debug messages if sss_sec_put fails

    sec_put() already logs a message if the underlaying function fails

    so this debug message is really unnecessary.

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit b8f28d9aa9d862cf504691c9c3f92941a63fb0a4

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Mon Oct 19 12:59:48 2020 +0200

    kcm: disable encryption

    Encryption was a huge bottleneck for the secdb backend. This is

    backwards compatible and there is no need to destroy existing

    ccache. It will be stored unencrypted at first write to the cache.

    Note that the encryption did not provide any security as the cache

    is accessible only by root and the master key is stored together

    with the cache. So once someone gains access to the file it can

    be easily decrypted. Additionaly, there was also no encryption at

    the memory level.

    Resolves: https://github.com/SSSD/sssd/issues/5349

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 8edcea8c377e85d037e83065c1904fa4b92c4a39

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Fri Oct 16 15:33:42 2020 +0200

    kcm: avoid name confusion in GET_CRED_UUID_LIST handlers

    The function name did not follow best practices and it got easily confused

    with `kcm_op_get_cred_by_uuid_getbyname_done`.

    ```

    kcm_op_get_cred_uuid_getbyname_done

    kcm_op_get_cred_by_uuid_getbyname_done

    ```

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

commit 47a316c850107f12d406f27abb216e26383dfab7

Author: Pavel Březina <pbrezina@redhat.com>

Date:   Mon Sep 14 12:44:57 2020 +0200

    kcm: fix typos in debug messages

    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

---

 Makefile.am                                   |  14 +-

 src/responder/kcm/kcmsrv_ccache.c             |  66 ++++

 src/responder/kcm/kcmsrv_ccache.h             |  47 ++-

 src/responder/kcm/kcmsrv_ccache_binary.c      | 308 ++++++++++++++++++

 src/responder/kcm/kcmsrv_ccache_json.c        | 149 +--------

 src/responder/kcm/kcmsrv_ccache_key.c         | 144 ++++++++

 src/responder/kcm/kcmsrv_ccache_mem.c         |  30 +-

 src/responder/kcm/kcmsrv_ccache_secdb.c       | 128 +++-----

 src/responder/kcm/kcmsrv_ccache_secrets.c     |   9 +-

 src/responder/kcm/kcmsrv_cmd.c                |  23 +-

 src/responder/kcm/kcmsrv_ops.c                | 252 ++++++++++----

 src/responder/kcm/kcmsrv_ops.h                |   8 +

 src/responder/secrets/local.c                 |   5 +-

 src/shared/safealign.h                        |   4 +

 ...n_marshalling.c => test_kcm_marshalling.c} | 147 +++++++--

 src/tests/cmocka/test_sss_ptr_hash.c          |  39 +++

 src/tests/cmocka/test_utils.c                 |   3 +

 src/tests/cmocka/test_utils.h                 |   1 +

 src/tests/intg/test_secrets.py                |   3 +-

 src/tests/multihost/basic/test_kcm.py         |  12 +-

 src/util/secrets/sec_pvt.h                    |   2 +-

 src/util/secrets/secrets.c                    | 290 ++++++++++++-----

 src/util/secrets/secrets.h                    |  20 +-

 src/util/sss_iobuf.c                          | 141 ++++++++

 src/util/sss_iobuf.h                          |  46 +++

 src/util/sss_ptr_hash.c                       |  20 ++

 26 files changed, 1457 insertions(+), 454 deletions(-)

 create mode 100644 src/responder/kcm/kcmsrv_ccache_binary.c

 create mode 100644 src/responder/kcm/kcmsrv_ccache_key.c

 rename src/tests/cmocka/{test_kcm_json_marshalling.c => test_kcm_marshalling.c} (71%)

diff --git a/Makefile.am b/Makefile.am

index 97aa1ec66..430b4e842 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -311,7 +311,7 @@ endif   # HAVE_INOTIFY

 if BUILD_KCM

 non_interactive_cmocka_based_tests += \

-	test_kcm_json \

+	test_kcm_marshalling \

 	test_kcm_queue \

         $(NULL)

 endif   # BUILD_KCM

@@ -1817,8 +1817,10 @@ sssd_kcm_SOURCES = \

     src/responder/kcm/kcm.c \

     src/responder/kcm/kcmsrv_cmd.c \

     src/responder/kcm/kcmsrv_ccache.c \

+    src/responder/kcm/kcmsrv_ccache_binary.c \

     src/responder/kcm/kcmsrv_ccache_mem.c \

     src/responder/kcm/kcmsrv_ccache_json.c \

+    src/responder/kcm/kcmsrv_ccache_key.c \

     src/responder/kcm/kcmsrv_ccache_secdb.c \

     src/responder/kcm/kcmsrv_ops.c \

     src/responder/kcm/kcmsrv_op_queue.c \

@@ -3927,18 +3929,20 @@ test_sssd_krb5_locator_plugin_LDADD = \

     $(NULL)

 if BUILD_KCM

-test_kcm_json_SOURCES = \

-    src/tests/cmocka/test_kcm_json_marshalling.c \

+test_kcm_marshalling_SOURCES = \

+    src/tests/cmocka/test_kcm_marshalling.c \

+    src/responder/kcm/kcmsrv_ccache_binary.c \

     src/responder/kcm/kcmsrv_ccache_json.c \

+    src/responder/kcm/kcmsrv_ccache_key.c \

     src/responder/kcm/kcmsrv_ccache.c \

     src/util/sss_krb5.c \

     src/util/sss_iobuf.c \

     $(NULL)

-test_kcm_json_CFLAGS = \

+test_kcm_marshalling_CFLAGS = \

     $(AM_CFLAGS) \

     $(UUID_CFLAGS) \

     $(NULL)

-test_kcm_json_LDADD = \

+test_kcm_marshalling_LDADD = \

     $(JANSSON_LIBS) \

     $(UUID_LIBS) \

     $(KRB5_LIBS) \

diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c

index 66e2752ba..60eacd451 100644

--- a/src/responder/kcm/kcmsrv_ccache.c

+++ b/src/responder/kcm/kcmsrv_ccache.c

@@ -28,6 +28,9 @@

 #include "responder/kcm/kcmsrv_ccache_pvt.h"

 #include "responder/kcm/kcmsrv_ccache_be.h"

+static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx,

+                                     struct kcm_cred *crd);

+

 static int kcm_cc_destructor(struct kcm_ccache *cc)

 {

     if (cc == NULL) {

@@ -94,6 +97,33 @@ done:

     return ret;

 }

+struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx,

+                              const struct kcm_ccache *cc)

+{

+    struct kcm_ccache *dup;

+    struct kcm_cred *crd_dup;

+    struct kcm_cred *crd;

+

+    dup = talloc_zero(mem_ctx, struct kcm_ccache);

+    if (dup == NULL) {

+        return NULL;

+    }

+    memcpy(dup, cc, sizeof(struct kcm_ccache));

+

+    dup->creds = NULL;

+    DLIST_FOR_EACH(crd, cc->creds) {

+        crd_dup = kcm_cred_dup(dup, crd);

+        if (crd_dup == NULL) {

+            talloc_free(dup);

+            return NULL;

+        }

+

+        DLIST_ADD(dup->creds, crd_dup);

+    }

+

+    return dup;

+}

+

 const char *kcm_cc_get_name(struct kcm_ccache *cc)

 {

     return cc ? cc->name : NULL;

@@ -204,6 +234,22 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx,

     return kcreds;

 }

+static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx,

+                                     struct kcm_cred *crd)

+{

+    struct kcm_cred *dup;

+

+    dup = talloc_zero(mem_ctx, struct kcm_cred);

+    if (dup == NULL) {

+        return NULL;

+    }

+

+    uuid_copy(dup->uuid, crd->uuid);

+    dup->cred_blob = crd->cred_blob;

+

+    return dup;

+}

+

 /* Add a cred to ccache */

 errno_t kcm_cc_store_creds(struct kcm_ccache *cc,

                            struct kcm_cred *crd)

@@ -213,6 +259,26 @@ errno_t kcm_cc_store_creds(struct kcm_ccache *cc,

     return EOK;

 }

+errno_t kcm_cc_set_header(struct kcm_ccache *cc,

+                          const char *sec_key,

+                          struct cli_creds *client)

+{

+    errno_t ret;

+

+    ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    /* We rely on sssd-secrets only searching the user's subtree so we

+     * set the ownership to the client

+     */

+    cc->owner.uid = cli_creds_get_uid(client);

+    cc->owner.gid = cli_creds_get_gid(client);

+

+    return EOK;

+}

+

 errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid)

 {

     if (crd == NULL) {

diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h

index d629923fa..77cf8f61d 100644

--- a/src/responder/kcm/kcmsrv_ccache.h

+++ b/src/responder/kcm/kcmsrv_ccache.h

@@ -72,6 +72,13 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,

                    krb5_principal princ,

                    struct kcm_ccache **_cc);

+/*

+ * Duplicate the ccache. Only ccache and credentials are duplicated,

+ * but their data are a shallow copy.

+ */

+struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx,

+                              const struct kcm_ccache *cc);

+

 /*

  * Returns true if a client can access a ccache.

  *

@@ -100,6 +107,11 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx,

 errno_t kcm_cc_store_creds(struct kcm_ccache *cc,

                            struct kcm_cred *crd);

+/* Set cc header information from sec key and client */

+errno_t kcm_cc_set_header(struct kcm_ccache *cc,

+                          const char *sec_key,

+                          struct cli_creds *client);

+

 errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid);

 /*

@@ -320,6 +332,11 @@ bool sec_key_match_name(const char *sec_key,

 bool sec_key_match_uuid(const char *sec_key,

                         uuid_t uuid);

+errno_t sec_key_parse(TALLOC_CTX *mem_ctx,

+                      const char *sec_key,

+                      const char **_name,

+                      uuid_t uuid);

+

 const char *sec_key_get_name(const char *sec_key);

 errno_t sec_key_get_uuid(const char *sec_key,

@@ -333,16 +350,30 @@ const char *sec_key_create(TALLOC_CTX *mem_ctx,

  * sec_key is a concatenation of the ccache's UUID and name

  * sec_value is the JSON dump of the ccache contents

  */

-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,

-                         const char *sec_key,

-                         const char *sec_value,

-                         struct cli_creds *client,

-                         struct kcm_ccache **_cc);

+errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx,

+                              const char *sec_key,

+                              const char *sec_value,

+                              struct cli_creds *client,

+                              struct kcm_ccache **_cc);

 /* Convert a kcm_ccache to a key-value pair to be stored in secrets */

-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx,

-                                struct kcm_ccache *cc,

+errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx,

+                                     struct kcm_ccache *cc,

+                                     struct sss_iobuf **_payload);

+

+/*

+ * sec_key is a concatenation of the ccache's UUID and name

+ * sec_value is the binary representation of ccache.

+ */

+errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx,

+                                const char *sec_key,

+                                struct sss_iobuf *sec_value,

                                 struct cli_creds *client,

-                                struct sss_iobuf **_payload);

+                                struct kcm_ccache **_cc);

+

+/* Convert a kcm_ccache to its binary representation. */

+errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx,

+                                       struct kcm_ccache *cc,

+                                       struct sss_iobuf **_payload);

 #endif /* _KCMSRV_CCACHE_H_ */

diff --git a/src/responder/kcm/kcmsrv_ccache_binary.c b/src/responder/kcm/kcmsrv_ccache_binary.c

new file mode 100644

index 000000000..7bfdbf13b

--- /dev/null

+++ b/src/responder/kcm/kcmsrv_ccache_binary.c

@@ -0,0 +1,308 @@

+/*

+    Authors:

+        Pavel Březina <pbrezina@redhat.com>

+

+    Copyright (C) 2020 Red Hat

+

+    This program is free software; you can redistribute it and/or modify

+    it under the terms of the GNU General Public License as published by

+    the Free Software Foundation; either version 3 of the License, or

+    (at your option) any later version.

+

+    This program is distributed in the hope that it will be useful,

+    but WITHOUT ANY WARRANTY; without even the implied warranty of

+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+    GNU General Public License for more details.

+

+    You should have received a copy of the GNU General Public License

+    along with this program.  If not, see <http://www.gnu.org/licenses/>.

+*/

+

+#include "config.h"

+

+#include <stdio.h>

+#include <talloc.h>

+

+#include "util/util.h"

+#include "util/util_creds.h"

+#include "util/crypto/sss_crypto.h"

+#include "responder/kcm/kcmsrv_ccache_pvt.h"

+

+static errno_t krb_data_to_bin(krb5_data *data, struct sss_iobuf *buf)

+{

+    return sss_iobuf_write_varlen(buf, (uint8_t *)data->data, data->length);

+}

+

+static errno_t princ_to_bin(krb5_principal princ, struct sss_iobuf *buf)

+{

+    errno_t ret;

+

+    if (princ == NULL) {

+        return sss_iobuf_write_uint8(buf, 0);

+    }

+

+    /* Mark that principal is not empty. */

+    ret = sss_iobuf_write_uint8(buf, 1);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    ret = krb_data_to_bin(&princ->realm, buf);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    ret = sss_iobuf_write_int32(buf, princ->type);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    ret = sss_iobuf_write_int32(buf, princ->length);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    for (krb5_int32 i = 0; i < princ->length; i++) {

+        ret = krb_data_to_bin(&princ->data[i], buf);

+        if (ret != EOK) {

+            return ret;

+        }

+    }

+

+    return EOK;

+}

+

+static errno_t creds_to_bin(struct kcm_cred *creds, struct sss_iobuf *buf)

+{

+    struct kcm_cred *crd;

+    uint32_t count = 0;

+    errno_t ret;

+

+    DLIST_FOR_EACH(crd, creds) {

+        count++;

+    }

+

+    ret = sss_iobuf_write_uint32(buf, count);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    DLIST_FOR_EACH(crd, creds) {

+        ret = sss_iobuf_write_len(buf, (uint8_t *)crd->uuid, sizeof(uuid_t));

+        if (ret != EOK) {

+            return ret;

+        }

+

+        ret = sss_iobuf_write_iobuf(buf, crd->cred_blob);

+        if (ret != EOK) {

+            return ret;

+        }

+    }

+

+    return EOK;

+}

+

+errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx,

+                                       struct kcm_ccache *cc,

+                                       struct sss_iobuf **_payload)

+{

+    struct sss_iobuf *buf;

+    errno_t ret;

+

+    buf = sss_iobuf_init_empty(mem_ctx, sizeof(krb5_principal_data), 0);

+    if (buf == NULL) {

+        return ENOMEM;

+    }

+

+    ret = sss_iobuf_write_int32(buf, cc->kdc_offset);

+    if (ret != EOK) {

+        goto done;

+    }

+

+    ret = princ_to_bin(cc->client, buf);

+    if (ret != EOK) {

+        goto done;

+    }

+

+    ret = creds_to_bin(cc->creds, buf);

+    if (ret != EOK) {

+        goto done;

+    }

+

+    *_payload = buf;

+

+    ret = EOK;

+

+done:

+    if (ret != EOK) {

+        talloc_free(buf);

+    }

+

+    return ret;

+}

+

+static errno_t bin_to_krb_data(TALLOC_CTX *mem_ctx,

+                               struct sss_iobuf *buf,

+                               krb5_data *out)

+{

+    uint8_t *data;

+    size_t len;

+    errno_t ret;

+

+    ret = sss_iobuf_read_varlen(mem_ctx, buf, &data, &len;;

+    if (ret != EOK) {

+        return ret;

+    }

+

+    out->magic = 0;

+    out->data = (char*)data;

+    out->length = len;

+

+    return EOK;

+}

+

+static errno_t bin_to_princ(TALLOC_CTX *mem_ctx,

+                            struct sss_iobuf *buf,

+                            krb5_principal *_princ)

+{

+    krb5_principal princ;

+    uint8_t non_empty;

+    krb5_int32 i;

+    errno_t ret;

+

+    ret = sss_iobuf_read_uint8(buf, &non_empty);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    if (non_empty == 0) {

+        *_princ = NULL;

+        return EOK;

+    }

+

+    princ = talloc_zero(mem_ctx, struct krb5_principal_data);

+    if (princ == NULL) {

+        return ENOMEM;

+    }

+    princ->magic = KV5M_PRINCIPAL;

+

+    ret = bin_to_krb_data(princ, buf, &princ->realm);

+    if (ret != EOK) {

+        return ret;