From c3dd5cd9ba4020d0db0dd4ae1d9003ba852780c8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 17 Nov 2014 17:40:26 +0100
Subject: [PATCH 123/128] krb5: add copy_keytab_into_memory()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 18 +++
src/providers/krb5/krb5_common.h | 31 ++++++
src/providers/krb5/krb5_keytab.c | 165 ++++++++++++++++++++++++++++
src/tests/cmocka/test_copy_keytab.c | 213 ++++++++++++++++++++++++++++++++++++
4 files changed, 427 insertions(+)
create mode 100644 src/providers/krb5/krb5_keytab.c
create mode 100644 src/tests/cmocka/test_copy_keytab.c
diff --git a/Makefile.am b/Makefile.am
index 62d900dec654baff59762c934885aef9ae5510b9..065992b84ce491b8b6ce1826cb5e88d7e0295176 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -215,6 +215,7 @@ if HAVE_CMOCKA
sdap-tests \
test_sysdb_views \
test_copy_ccache \
+ test_copy_keytab \
$(NULL)
if BUILD_IFP
@@ -2097,6 +2098,23 @@ test_copy_ccache_LDADD = \
libsss_test_common.la \
$(NULL)
+test_copy_keytab_SOURCES = \
+ src/tests/cmocka/test_copy_keytab.c \
+ src/providers/krb5/krb5_keytab.c \
+ src/util/sss_krb5.c \
+ $(NULL)
+test_copy_keytab_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_copy_keytab_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
endif # HAVE_CMOCKA
noinst_PROGRAMS = pam_test_client
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index a5cee6497e4930b16b1102a525d9fa3452845a58..81e64688a6d93a4b3ecf41d75d1bf6166b4619ce 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -189,4 +189,35 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_auth_data);
+/* from krb5_keytab.c */
+
+/**
+ * @brief Copy given keytab into a MEMORY keytab
+ *
+ * @param[in] mem_ctx Talloc memory context the new keytab name should be
+ * allocated on
+ * @param[in] kctx Kerberos context
+ * @param[in] inp_keytab_file Existing keytab, if set to NULL the default
+ * keytab will be used
+ * @param[out] _mem_name Name of the new MEMORY keytab
+ * @param[out] _mem_keytab Krb5 keytab handle for the new MEMORY keytab, NULL
+ * may be passed here if the caller has no use for the
+ * handle
+ *
+ * The memory for the MEMORY keytab is handled by libkrb5 internally and
+ * a reference counter is used. If the reference counter of the specific
+ * MEMORY keytab reaches 0, i.e. no open ones are left, the memory is free.
+ * This means we cannot call krb5_kt_close() for the new MEMORY keytab in
+ * copy_keytab_into_memory() because this would destroy it immediately. Hence
+ * we have to return the handle so that the caller can safely remove the
+ * MEMORY keytab if the is not needed anymore. Since libkrb5 frees the
+ * internal memory when the library is unloaded short running processes can
+ * safely pass NULL as the 5th argument because on exit all memory is freed.
+ * Long running processes which need more control over the memory consumption
+ * should close the handle for free the memory at runtime.
+ */
+krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ const char *inp_keytab_file,
+ char **_mem_name,
+ krb5_keytab *_mem_keytab);
#endif /* __KRB5_COMMON_H__ */
diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c
new file mode 100644
index 0000000000000000000000000000000000000000..855f69419611b863a7aea79e2788272f819b0736
--- /dev/null
+++ b/src/providers/krb5/krb5_keytab.c
@@ -0,0 +1,165 @@
+/*
+ SSSD
+
+ Kerberos 5 Backend Module -- keytab related utilities
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/util.h"
+#include "util/sss_krb5.h"
+
+krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ char *inp_keytab_file,
+ char **_mem_name,
+ krb5_keytab *_mem_keytab)
+{
+ krb5_error_code kerr;
+ krb5_error_code kt_err;
+ krb5_keytab keytab = NULL;
+ krb5_keytab mem_keytab = NULL;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ char keytab_name[MAX_KEYTAB_NAME_LEN];
+ char *sep;
+ char *mem_name = NULL;
+ char *keytab_file;
+ char default_keytab_name[MAX_KEYTAB_NAME_LEN];
+
+ keytab_file = inp_keytab_file;
+ if (keytab_file == NULL) {
+ kerr = krb5_kt_default_name(kctx, default_keytab_name,
+ sizeof(default_keytab_name));
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_default_name failed.\n");
+ return kerr;
+ }
+
+ keytab_file = default_keytab_name;
+ }
+
+ kerr = krb5_kt_resolve(kctx, keytab_file, &keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n",
+ keytab_file);
+ return kerr;
+ }
+
+ kerr = krb5_kt_have_content(kctx, keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] has not entries.\n",
+ keytab_file);
+ goto done;
+ }
+
+ kerr = krb5_kt_get_name(kctx, keytab, keytab_name, sizeof(keytab_name));
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for keytab [%s].\n",
+ keytab_file);
+ goto done;
+ }
+
+ sep = strchr(keytab_name, ':');
+ if (sep == NULL || sep[1] == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Keytab name [%s] does not have delimiter[:] .\n", keytab_name);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ if (strncmp(keytab_name, "MEMORY:", sizeof("MEMORY:") -1) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab [%s] is already memory keytab.\n",
+ keytab_name);
+ *_mem_name = talloc_strdup(mem_ctx, keytab_name);
+ if(*_mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+ kerr = 0;
+ goto done;
+ }
+
+ mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s", sep + 1);
+ if (mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ kerr = krb5_kt_resolve(kctx, mem_name, &mem_keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n",
+ mem_name);
+ goto done;
+ }
+
+ memset(&cursor, 0, sizeof(cursor));
+ kerr = krb5_kt_start_seq_get(kctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s].\n", keytab_file);
+ goto done;
+ }
+
+ memset(&entry, 0, sizeof(entry));
+ while ((kt_err = krb5_kt_next_entry(kctx, keytab, &entry, &cursor)) == 0) {
+ kerr = krb5_kt_add_entry(kctx, mem_keytab, &entry);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_add_entry failed.\n");
+ goto done;
+ }
+
+ kerr = sss_krb5_free_keytab_entry_contents(kctx, &entry);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to free keytab entry.\n");
+ }
+ memset(&entry, 0, sizeof(entry));
+ }
+
+ kerr = krb5_kt_end_seq_get(kctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed.\n");
+ goto done;
+ }
+
+ /* check if we got any errors from krb5_kt_next_entry */
+ if (kt_err != 0 && kt_err != KRB5_KT_END) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s].\n", keytab_file);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ *_mem_name = mem_name;
+ if (_mem_keytab != NULL) {
+ *_mem_keytab = mem_keytab;
+ }
+
+ kerr = 0;
+done:
+
+ if (kerr != 0) {
+ talloc_free(mem_name);
+ }
+
+ if (keytab != NULL && krb5_kt_close(kctx, keytab) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed");
+ }
+
+ return kerr;
+}
diff --git a/src/tests/cmocka/test_copy_keytab.c b/src/tests/cmocka/test_copy_keytab.c
new file mode 100644
index 0000000000000000000000000000000000000000..9d2b801564f738b4a75445045bd7602b2fd01625
--- /dev/null
+++ b/src/tests/cmocka/test_copy_keytab.c
@@ -0,0 +1,213 @@
+/*
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Tests keytab utilities
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <popt.h>
+
+#include "util/sss_krb5.h"
+#include "providers/krb5/krb5_common.h"
+#include "tests/cmocka/common_mock.h"
+
+#define KEYTAB_TEST_PRINC "test/keytab@TEST.KEYTAB"
+#define KEYTAB_PATH TEST_DIR "/keytab_test.keytab"
+
+struct keytab_test_ctx {
+ krb5_context kctx;
+ const char *keytab_file_name;
+ krb5_principal principal;
+};
+
+void setup_keytab(void **state)
+{
+ struct keytab_test_ctx *test_ctx;
+ krb5_error_code kerr;
+ krb5_keytab keytab;
+ krb5_keytab_entry kent;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = krb5_init_context(&test_ctx->kctx);
+ assert_int_equal(kerr, 0);
+
+ test_ctx->keytab_file_name = "FILE:" KEYTAB_PATH;
+
+ kerr = krb5_kt_resolve(test_ctx->kctx, test_ctx->keytab_file_name, &keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_parse_name(test_ctx->kctx, KEYTAB_TEST_PRINC,
+ &test_ctx->principal);
+ assert_int_equal(kerr, 0);
+
+ memset(&kent, 0, sizeof(kent));
+ kent.magic = KV5M_KEYTAB_ENTRY;
+ kent.principal = test_ctx->principal;
+ kent.timestamp = 12345;
+ kent.vno = 1;
+ kent.key.magic = KV5M_KEYBLOCK;
+ kent.key.enctype = 1;
+ kent.key.length = 2;
+ kent.key.contents = (krb5_octet *) discard_const("11");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.key.enctype = 2;
+ kent.key.contents = (krb5_octet *) discard_const("12");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.vno = 2;
+ kent.key.enctype = 1;
+ kent.key.contents = (krb5_octet *) discard_const("21");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.key.enctype = 2;
+ kent.key.contents = (krb5_octet *) discard_const("22");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_close(test_ctx->kctx, keytab);
+ assert_int_equal(kerr, 0);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+}
+
+void teardown_keytab(void **state)
+{
+ int ret;
+ struct keytab_test_ctx *test_ctx = talloc_get_type(*state,
+ struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ krb5_free_principal(test_ctx->kctx, test_ctx->principal);
+ krb5_free_context(test_ctx->kctx);
+
+ ret = unlink(KEYTAB_PATH);
+ assert_int_equal(ret, 0);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+}
+
+void test_copy_keytab(void **state)
+{
+ krb5_error_code kerr;
+ char *mem_keytab_name;
+ krb5_keytab mem_keytab;
+ krb5_keytab keytab;
+ krb5_keytab_entry kent;
+ struct keytab_test_ctx *test_ctx = talloc_get_type(*state,
+ struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = copy_keytab_into_memory(test_ctx, test_ctx->kctx,
+ test_ctx->keytab_file_name,
+ &mem_keytab_name, &mem_keytab);
+ assert_int_equal(kerr, 0);
+ assert_non_null(mem_keytab_name);
+
+ kerr = krb5_kt_resolve(test_ctx->kctx, mem_keytab_name, &keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 9, 9,
+ &kent);
+ assert_int_not_equal(kerr, 0);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 1,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 2,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 2, 1,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 2, 2,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ talloc_free(mem_keytab_name);
+
+ kerr = krb5_kt_close(test_ctx->kctx, keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_close(test_ctx->kctx, mem_keytab);
+ assert_int_equal(kerr, 0);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const UnitTest tests[] = {
+ unit_test_setup_teardown(test_copy_keytab,
+ setup_keytab, teardown_keytab),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old db to be sure */
+ tests_set_cwd();
+
+ rv = run_tests(tests);
+
+ return rv;
+}
--
1.9.3