From c3dd5cd9ba4020d0db0dd4ae1d9003ba852780c8 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 17 Nov 2014 17:40:26 +0100 Subject: [PATCH 123/128] krb5: add copy_keytab_into_memory() Reviewed-by: Jakub Hrozek --- Makefile.am | 18 +++ src/providers/krb5/krb5_common.h | 31 ++++++ src/providers/krb5/krb5_keytab.c | 165 ++++++++++++++++++++++++++++ src/tests/cmocka/test_copy_keytab.c | 213 ++++++++++++++++++++++++++++++++++++ 4 files changed, 427 insertions(+) create mode 100644 src/providers/krb5/krb5_keytab.c create mode 100644 src/tests/cmocka/test_copy_keytab.c diff --git a/Makefile.am b/Makefile.am index 62d900dec654baff59762c934885aef9ae5510b9..065992b84ce491b8b6ce1826cb5e88d7e0295176 100644 --- a/Makefile.am +++ b/Makefile.am @@ -215,6 +215,7 @@ if HAVE_CMOCKA sdap-tests \ test_sysdb_views \ test_copy_ccache \ + test_copy_keytab \ $(NULL) if BUILD_IFP @@ -2097,6 +2098,23 @@ test_copy_ccache_LDADD = \ libsss_test_common.la \ $(NULL) +test_copy_keytab_SOURCES = \ + src/tests/cmocka/test_copy_keytab.c \ + src/providers/krb5/krb5_keytab.c \ + src/util/sss_krb5.c \ + $(NULL) +test_copy_keytab_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) +test_copy_keytab_LDADD = \ + $(CMOCKA_LIBS) \ + $(POPT_LIBS) \ + $(TALLOC_LIBS) \ + $(KRB5_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la \ + $(NULL) + endif # HAVE_CMOCKA noinst_PROGRAMS = pam_test_client diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index a5cee6497e4930b16b1102a525d9fa3452845a58..81e64688a6d93a4b3ecf41d75d1bf6166b4619ce 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h 
@@ -189,4 +189,35 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_auth_data); +/* from krb5_keytab.c */ + +/** + * @brief Copy given keytab into a MEMORY keytab + * + * @param[in] mem_ctx Talloc memory context the new keytab name should be + * allocated on + * @param[in] kctx Kerberos context + * @param[in] inp_keytab_file Existing keytab, if set to NULL the default + * keytab will be used + * @param[out] _mem_name Name of the new MEMORY keytab + * @param[out] _mem_keytab Krb5 keytab handle for the new MEMORY keytab, NULL + * may be passed here if the caller has no use for the + * handle + * + * The memory for the MEMORY keytab is handled by libkrb5 internally and + * a reference counter is used. If the reference counter of the specific + * MEMORY keytab reaches 0, i.e. no open ones are left, the memory is free. + * This means we cannot call krb5_kt_close() for the new MEMORY keytab in + * copy_keytab_into_memory() because this would destroy it immediately. Hence + * we have to return the handle so that the caller can safely remove the + * MEMORY keytab if the is not needed anymore. Since libkrb5 frees the + * internal memory when the library is unloaded short running processes can + * safely pass NULL as the 5th argument because on exit all memory is freed. + * Long running processes which need more control over the memory consumption + * should close the handle for free the memory at runtime. + */ +krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, + const char *inp_keytab_file, + char **_mem_name, + krb5_keytab *_mem_keytab); #endif /* __KRB5_COMMON_H__ */ diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c new file mode 100644 index 0000000000000000000000000000000000000000..855f69419611b863a7aea79e2788272f819b0736 --- /dev/null +++ b/src/providers/krb5/krb5_keytab.c 
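Review bot: The prototype added here declares `const char *inp_keytab_file`, but the definition added in src/providers/krb5/krb5_keytab.c by the same patch takes `char *inp_keytab_file`. As far as that file's hunk shows, it includes only `util/util.h` and `util/sss_krb5.h`, so unless one of those pulls in this header the compiler never sees both declarations and cannot report the mismatch. Adding `#include "providers/krb5/krb5_common.h"` to krb5_keytab.c and making both the parameter and the local `keytab_file` a `const char *` would bring the two into agreement. The doc comment also needs three wording fixes: "the memory is freed", "if it is not needed anymore", and "close the handle to free the memory at runtime".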
@@ -0,0 +1,165 @@
+/*
+ SSSD
+
+ Kerberos 5 Backend Module -- keytab related utilities
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/sss_krb5.h"
+
+krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ char *inp_keytab_file,
+ char **_mem_name,
+ krb5_keytab *_mem_keytab)
+{
+ krb5_error_code kerr;
+ krb5_error_code kt_err;
+ krb5_keytab keytab = NULL;
+ krb5_keytab mem_keytab = NULL;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ char keytab_name[MAX_KEYTAB_NAME_LEN];
+ char *sep;
+ char *mem_name = NULL;
+ char *keytab_file;
+ char default_keytab_name[MAX_KEYTAB_NAME_LEN];
+
+ keytab_file = inp_keytab_file;
+ if (keytab_file == NULL) {
+ kerr = krb5_kt_default_name(kctx, default_keytab_name,
+ sizeof(default_keytab_name));
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_default_name failed.\n");
+ return kerr;
+ }
+
+ keytab_file = default_keytab_name;
+ }
+
+ kerr = krb5_kt_resolve(kctx, keytab_file, &keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n",
+ keytab_file);
+ return kerr;
+ }
+
+ kerr = krb5_kt_have_content(kctx, keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] has not entries.\n",
+ keytab_file);
+ goto done;
+ }
+
+ kerr = krb5_kt_get_name(kctx, keytab, keytab_name, sizeof(keytab_name));
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for keytab [%s].\n",
+ keytab_file);
+ goto done;
+ }
+
+ sep = strchr(keytab_name, ':');
+ if (sep == NULL || sep[1] == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Keytab name [%s] does not have delimiter[:] .\n", keytab_name);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ if (strncmp(keytab_name, "MEMORY:", sizeof("MEMORY:") -1) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab [%s] is already memory keytab.\n",
+ keytab_name);
+ *_mem_name = talloc_strdup(mem_ctx, keytab_name);
+ if(*_mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+ kerr = 0;
+ goto done;
+ }
+
+ mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s", sep + 1);
+ if (mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ kerr = krb5_kt_resolve(kctx, mem_name, &mem_keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n",
+ mem_name);
+ goto done;
+ }
+
+ memset(&cursor, 0, sizeof(cursor));
+ kerr = krb5_kt_start_seq_get(kctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s].\n", keytab_file);
+ goto done;
+ }
+
+ memset(&entry, 0, sizeof(entry));
+ while ((kt_err = krb5_kt_next_entry(kctx, keytab, &entry, &cursor)) == 0) {
+ kerr = krb5_kt_add_entry(kctx, mem_keytab, &entry);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_add_entry failed.\n");
+ goto done;
+ }
+
+ kerr = sss_krb5_free_keytab_entry_contents(kctx, &entry);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to free keytab entry.\n");
+ }
+ memset(&entry, 0, sizeof(entry));
+ }
+
+ kerr = krb5_kt_end_seq_get(kctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed.\n");
+ goto done;
+ }
+
+ /* check if we got any errors from krb5_kt_next_entry */
+ if (kt_err != 0 && kt_err != KRB5_KT_END) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s].\n", keytab_file);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ *_mem_name = mem_name;
+ if (_mem_keytab != NULL) {
+ *_mem_keytab = mem_keytab;
+ }
+
+ kerr = 0;
+done:
+
+ if (kerr != 0) {
+ talloc_free(mem_name);
+ }
+
+ if (keytab != NULL && krb5_kt_close(kctx, keytab) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed");
+ }
+
+ return kerr;
+}
diff --git a/src/tests/cmocka/test_copy_keytab.c b/src/tests/cmocka/test_copy_keytab.c
new file mode 100644
index 0000000000000000000000000000000000000000..9d2b801564f738b4a75445045bd7602b2fd01625
--- /dev/null
+++ b/src/tests/cmocka/test_copy_keytab.c
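Review bot: Once `krb5_kt_resolve(kctx, mem_name, &mem_keytab)` has succeeded, every later `goto done` on failure leaves the MEMORY keytab open and possibly half-filled, because `done:` only frees `mem_name` and closes `keytab`; the copied long-term keys then stay in process memory with no handle the caller can close. The `krb5_kt_add_entry` failure path additionally skips `sss_krb5_free_keytab_entry_contents()` for the current `entry` and `krb5_kt_end_seq_get()` for the cursor. Separately, the `MEMORY:` short-circuit returns 0 without writing `*_mem_keytab`, so a caller that closes the handle afterwards would pass an uninitialised value; handing over the handle already held, `if (_mem_keytab != NULL) { *_mem_keytab = keytab; keytab = NULL; }`, would cover that case. The fence shows the cleanup for the copy loop and `done:`.

```c
    /* ... unchanged: resolve source keytab, build mem_name, resolve mem_keytab, start cursor ... */

    memset(&entry, 0, sizeof(entry));
    while ((kt_err = krb5_kt_next_entry(kctx, keytab, &entry, &cursor)) == 0) {
        kerr = krb5_kt_add_entry(kctx, mem_keytab, &entry);
        if (kerr != 0) {
            DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_add_entry failed.\n");
            /* release the current entry and the cursor before bailing out */
            sss_krb5_free_keytab_entry_contents(kctx, &entry);
            krb5_kt_end_seq_get(kctx, keytab, &cursor);
            goto done;
        }
        /* ... unchanged: free entry contents, reset entry ... */
    }

    /* ... unchanged: end_seq_get, kt_err check, output assignment ... */

done:

    if (kerr != 0) {
        talloc_free(mem_name);
        /* drop our reference so a partly copied MEMORY keytab does not stay
         * alive without a handle the caller could close */
        if (mem_keytab != NULL && krb5_kt_close(kctx, mem_keytab) != 0) {
            DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed");
        }
    }
    /* ... unchanged: close source keytab, return kerr ... */
```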
@@ -0,0 +1,213 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Tests keytab utilities
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/sss_krb5.h"
+#include "providers/krb5/krb5_common.h"
+#include "tests/cmocka/common_mock.h"
+
+#define KEYTAB_TEST_PRINC "test/keytab@TEST.KEYTAB"
+#define KEYTAB_PATH TEST_DIR "/keytab_test.keytab"
+
+struct keytab_test_ctx {
+ krb5_context kctx;
+ const char *keytab_file_name;
+ krb5_principal principal;
+};
+
+void setup_keytab(void **state)
+{
+ struct keytab_test_ctx *test_ctx;
+ krb5_error_code kerr;
+ krb5_keytab keytab;
+ krb5_keytab_entry kent;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = krb5_init_context(&test_ctx->kctx);
+ assert_int_equal(kerr, 0);
+
+ test_ctx->keytab_file_name = "FILE:" KEYTAB_PATH;
+
+ kerr = krb5_kt_resolve(test_ctx->kctx, test_ctx->keytab_file_name, &keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_parse_name(test_ctx->kctx, KEYTAB_TEST_PRINC,
+ &test_ctx->principal);
+ assert_int_equal(kerr, 0);
+
+ memset(&kent, 0, sizeof(kent));
+ kent.magic = KV5M_KEYTAB_ENTRY;
+ kent.principal = test_ctx->principal;
+ kent.timestamp = 12345;
+ kent.vno = 1;
+ kent.key.magic = KV5M_KEYBLOCK;
+ kent.key.enctype = 1;
+ kent.key.length = 2;
+ kent.key.contents = (krb5_octet *) discard_const("11");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.key.enctype = 2;
+ kent.key.contents = (krb5_octet *) discard_const("12");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.vno = 2;
+ kent.key.enctype = 1;
+ kent.key.contents = (krb5_octet *) discard_const("21");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kent.key.enctype = 2;
+ kent.key.contents = (krb5_octet *) discard_const("22");
+
+ kerr = krb5_kt_add_entry(test_ctx->kctx, keytab, &kent);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_close(test_ctx->kctx, keytab);
+ assert_int_equal(kerr, 0);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+}
+
+void teardown_keytab(void **state)
+{
+ int ret;
+ struct keytab_test_ctx *test_ctx = talloc_get_type(*state,
+ struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ krb5_free_principal(test_ctx->kctx, test_ctx->principal);
+ krb5_free_context(test_ctx->kctx);
+
+ ret = unlink(KEYTAB_PATH);
+ assert_int_equal(ret, 0);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+}
+
+void test_copy_keytab(void **state)
+{
+ krb5_error_code kerr;
+ char *mem_keytab_name;
+ krb5_keytab mem_keytab;
+ krb5_keytab keytab;
+ krb5_keytab_entry kent;
+ struct keytab_test_ctx *test_ctx = talloc_get_type(*state,
+ struct keytab_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = copy_keytab_into_memory(test_ctx, test_ctx->kctx,
+ test_ctx->keytab_file_name,
+ &mem_keytab_name, &mem_keytab);
+ assert_int_equal(kerr, 0);
+ assert_non_null(mem_keytab_name);
+
+ kerr = krb5_kt_resolve(test_ctx->kctx, mem_keytab_name, &keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 9, 9,
+ &kent);
+ assert_int_not_equal(kerr, 0);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 1,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 2,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 2, 1,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 2, 2,
+ &kent);
+ assert_int_equal(kerr, 0);
+ krb5_free_keytab_entry_contents(test_ctx->kctx, &kent);
+
+ talloc_free(mem_keytab_name);
+
+ kerr = krb5_kt_close(test_ctx->kctx, keytab);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_kt_close(test_ctx->kctx, mem_keytab);
+ assert_int_equal(kerr, 0);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const UnitTest tests[] = {
+ unit_test_setup_teardown(test_copy_keytab,
+ setup_keytab, teardown_keytab),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old db to be sure */
+ tests_set_cwd();
+
+ rv = run_tests(tests);
+
+ return rv;
+}
-- 1.9.3
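Review bot: test_copy_keytab exercises only a `FILE:` source with a non-NULL `_mem_keytab`, so the paths of copy_keytab_into_memory() that differ in handle ownership are not covered: a source that is already a `MEMORY:` keytab, `inp_keytab_file == NULL` (default keytab), and `_mem_keytab == NULL`. A case that passes a `MEMORY:` name and then inspects the returned handle would show whether `*_mem_keytab` is set on that path. setup_keytab() also adds its four entries to `KEYTAB_PATH` without removing a file left by an earlier failed run, although the comment in main() says the old data is removed while only `tests_set_cwd()` is called. Since teardown already uses `unlink(KEYTAB_PATH)`, calling it (ignoring the result) before `krb5_kt_resolve()` in setup would make the fixture deterministic.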