From d86ed3a2a2e7a44d9b3ac5f5de31672e3499fbbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Mon, 7 Dec 2020 17:20:34 +0100 Subject: [PATCH] sssd-2.4.0.5 - improve kcm performance --- 0001-fix-compilation-with-check-0.15.1.patch | 4005 ----------------- 0001-kcm-fix-typos-in-debug-messages.patch | 53 + ...warnings-format-not-a-string-literal.patch | 293 -- ...onfusion-in-GET_CRED_UUID_LIST-handl.patch | 51 + 0003-kcm-disable-encryption.patch | 509 +++ ...le-debug-messages-if-sss_sec_put-fai.patch | 26 + ...llow-to-specify-secret-s-data-format.patch | 225 + ...accept-binary-data-instead-of-string.patch | 450 ++ 0007-iobuf-add-more-iobuf-functions.patch | 265 ++ ...fix-to-existing-searialization-funct.patch | 292 ++ ...-parser-to-separate-file-so-it-can-b.patch | 404 ++ ...void-suppression-of-cppcheck-warning.patch | 30 + ...round-operators-in-kcmsrv_ccache_key.patch | 42 + ...ormat-to-store-ccache-instead-of-jso.patch | 741 +++ ...ection-data-to-be-shared-between-req.patch | 131 + ...-double-free-for-circular-dependenci.patch | 165 + ...tials-list-in-hash-table-to-avoid-ca.patch | 551 +++ ..._payload_size-exceeded-debug-message.patch | 38 + ...to-plaintext-if-enctype-attr-is-miss.patch | 43 + 0018-secrets-move-attrs-names-to-macros.patch | 183 + 0019-secrets-remove-base64-enctype.patch | 75 + sssd.spec | 24 +- 22 files changed, 4297 insertions(+), 4299 deletions(-) delete mode 100644 0001-fix-compilation-with-check-0.15.1.patch create mode 100644 0001-kcm-fix-typos-in-debug-messages.patch delete mode 100644 0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch create mode 100644 0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch create mode 100644 0003-kcm-disable-encryption.patch create mode 100644 0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch create mode 100644 0005-secrets-allow-to-specify-secret-s-data-format.patch create mode 100644 0006-secrets-accept-binary-data-instead-of-string.patch create mode 100644 0007-iobuf-add-more-iobuf-functions.patch create mode 100644 0008-kcm-add-json-suffix-to-existing-searialization-funct.patch create mode 100644 0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch create mode 100644 0010-kcm-avoid-suppression-of-cppcheck-warning.patch create mode 100644 0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch create mode 100644 0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch create mode 100644 0013-kcm-add-per-connection-data-to-be-shared-between-req.patch create mode 100644 0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch create mode 100644 0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch create mode 100644 0016-secrets-fix-may_payload_size-exceeded-debug-message.patch create mode 100644 0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch create mode 100644 0018-secrets-move-attrs-names-to-macros.patch create mode 100644 0019-secrets-remove-base64-enctype.patch diff --git a/0001-fix-compilation-with-check-0.15.1.patch b/0001-fix-compilation-with-check-0.15.1.patch deleted file mode 100644 index 5a2a880..0000000 --- a/0001-fix-compilation-with-check-0.15.1.patch +++ /dev/null @@ -1,4005 +0,0 @@ -From ae92ebec5ab0535d0a24c983b36026f615a60b5e Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:01 +0000 -Subject: [PATCH 01/19] =?UTF-8?q?DLOPEN-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/dlopen-tests.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index 4727e7cd9..4acaba2a4 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -194,13 +194,13 @@ static char **get_so_files(size_t *_list_size) - char **libraries; - - n = scandir(LIBPFX, &namelist, file_so_filter, alphasort); -- fail_unless(n > 0); -+ fail_unless(n > 0, "Failed to scan dirrectory: " LIBPFX); - - libraries = calloc(n + 1, sizeof(char *)); - - for (int i = 0; i < n; ++i) { - libraries[i] = strdup(namelist[i]->d_name); -- fail_if(libraries[i] == NULL); -+ fail_if(libraries[i] == NULL, "Failed to allocate memory"); - - free(namelist[i]); - } -@@ -250,7 +250,7 @@ START_TEST(test_dlopen_base) - } - free(found_libraries); - -- fail_if(unchecked_library); -+ fail_if(unchecked_library, "Unchecked library found"); - } - END_TEST - --- -2.28.0.rc2 - - -From 23849dfb089c0cbd877feaa3fbb4df94f3d62ebb Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:02 +0000 -Subject: [PATCH 02/19] =?UTF-8?q?SYSDB-TESTS:=20Fix=20error=20too=20few=20?= - =?UTF-8?q?arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros - -e.g. -src/tests/sysdb-tests.c:6622:5: error: too few arguments to function ‘_ck_assert_failed’ - 6622 | fail_if(ret != EOK); ---- - src/tests/sysdb-tests.c | 454 +++++++++++++++++++++------------------- - 1 file changed, 236 insertions(+), 218 deletions(-) - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 5381b9a17..b7e0e2389 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -694,13 +694,13 @@ START_TEST (test_sysdb_user_new_id) - fqname = sss_create_internal_fqname(test_ctx, - username, - test_ctx->domain->name); -- fail_if(fqname == NULL); -+ fail_if(fqname == NULL, "Failed to allocate memory"); - - attrs = sysdb_new_attrs(test_ctx); -- fail_if(attrs == NULL); -+ fail_if(attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(attrs, SYSDB_DESCRIPTION, desc_in); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "Failed to add attribute: " SYSDB_DESCRIPTION); - - ret = sysdb_add_user(test_ctx->domain, fqname, - 1234, 1234, fqname, "/", "/bin/bash", -@@ -713,7 +713,7 @@ START_TEST (test_sysdb_user_new_id) - fail_if(ret != EOK, "Could not retrieve user %s", fqname); - - desc = ldb_msg_find_attr_as_string(msg, SYSDB_DESCRIPTION, NULL); -- fail_unless(desc != NULL); -+ fail_unless(desc != NULL, "Failed to find attribute: " SYSDB_DESCRIPTION); - ck_assert_str_eq(desc, desc_in); - - ret = sysdb_delete_user(test_ctx->domain, fqname, 0); -@@ -738,7 +738,7 @@ START_TEST (test_sysdb_store_user) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - -@@ -761,7 +761,7 @@ START_TEST (test_sysdb_store_user_existing) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->shell = "/bin/ksh"; - - ret = test_store_user(data); -@@ -831,7 +831,7 @@ START_TEST (test_sysdb_remove_local_user_by_uid) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; - - ret = test_remove_user_by_uid(data); -@@ -855,7 +855,7 @@ START_TEST (test_sysdb_remove_local_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_remove_group(data); - -@@ -878,7 +878,7 @@ START_TEST (test_sysdb_remove_local_group_by_gid) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - null_ctx_get_size(data->ctx); - ret = test_remove_group_by_gid(data); -@@ -903,7 +903,7 @@ START_TEST (test_sysdb_add_user) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_user(data); - -@@ -926,7 +926,7 @@ START_TEST (test_sysdb_add_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - -@@ -951,7 +951,7 @@ START_TEST (test_sysdb_add_group_with_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - for (j = MBO_GROUP_BASE; j < _i; j++) { - member_fqname = test_asprintf_fqname(data, data->ctx->domain, -@@ -983,7 +983,7 @@ START_TEST (test_sysdb_add_incomplete_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - -@@ -1053,7 +1053,7 @@ START_TEST (test_sysdb_getpwnam) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - res = test_getpwnam(data); - fail_if(res->count != 1, -@@ -1069,7 +1069,6 @@ START_TEST (test_sysdb_getpwnam) - data->username = test_asprintf_fqname(data, test_ctx->domain, - "TESTUSER%d", _i); - fail_if(data->username == NULL, "OOM"); -- fail_if(ret != EOK); - - res = test_getpwnam(data); - fail_if(res->count != 0, -@@ -1101,15 +1100,16 @@ START_TEST(test_user_group_by_name) - test_ctx->domain->mpg_mode = MPG_ENABLED; - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(data, - data->ctx->domain, - data->username, /* we're searching for the private group */ - NULL, - &msg); -- fail_if(ret != EOK); -- fail_if(msg == NULL); -+ fail_if(ret != EOK, -+ "sysdb_search_group_by_name failed with error: %d", ret); -+ fail_if(msg == NULL, "Failed to find group: %s", data->username); - - groupname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); - ck_assert_str_eq(groupname, data->username); -@@ -1131,14 +1131,15 @@ START_TEST(test_user_group_by_name_local) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(data, - data->ctx->domain, - data->username, /* we're searching for the private group */ - NULL, - &msg); -- fail_if(ret != ENOENT); -+ fail_if(ret != ENOENT, -+ "sysdb_search_group_by_name must return ENOENT got: %d", ret); - } - END_TEST - -@@ -1159,7 +1160,7 @@ START_TEST (test_sysdb_getgrnam) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - res = test_getgrnam(data); - fail_if(res->count != 1, -@@ -1176,7 +1177,6 @@ START_TEST (test_sysdb_getgrnam) - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "TESTGROUP%d", _i); - fail_if(data->groupname == NULL, "OOM"); -- fail_if(ret != EOK); - - res = test_getgrnam(data); - fail_if(res->count != 0, -@@ -1302,7 +1302,7 @@ START_TEST (test_sysdb_getpwuid) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_getpwuid(test_ctx, - test_ctx->domain, -@@ -1397,7 +1397,7 @@ START_TEST (test_sysdb_set_user_attr) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrs = sysdb_new_attrs(test_ctx); - if (ret != EOK) { -@@ -1506,7 +1506,7 @@ START_TEST (test_sysdb_get_user_attr) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, attrs, - &res); -@@ -1601,7 +1601,7 @@ START_TEST (test_sysdb_add_nonposix_user) - fail_if(fq_name == NULL, "Failed to create fq name."); - - user_attrs = sysdb_new_attrs(test_ctx); -- fail_if(user_attrs == NULL); -+ fail_if(user_attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_bool(user_attrs, SYSDB_POSIX, false); - fail_if(ret != EOK, "Could not add attribute"); -@@ -1691,12 +1691,12 @@ START_TEST (test_sysdb_add_group_member) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i - 1000; /* the UID of user to add */ - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - -@@ -1771,12 +1771,12 @@ START_TEST (test_sysdb_remove_group_member) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i - 1000; /* the UID of user to remove */ - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_remove_group_member(data); - fail_if(ret != EOK, "Remove group member failed: %d", ret); -@@ -1799,7 +1799,7 @@ START_TEST (test_sysdb_remove_nonexistent_user) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = 12345; - - ret = test_remove_user_by_uid(data); -@@ -1823,7 +1823,7 @@ START_TEST (test_sysdb_remove_nonexistent_group) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->gid = 12345; - - ret = test_remove_group_by_gid(data); -@@ -1866,7 +1866,7 @@ START_TEST (test_sysdb_store_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i; - data->attrs = sysdb_new_attrs(test_ctx); -@@ -1905,7 +1905,7 @@ START_TEST (test_sysdb_search_custom_by_name) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -1958,7 +1958,7 @@ START_TEST (test_sysdb_update_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = 29010; - data->attrs = sysdb_new_attrs(test_ctx); -@@ -2006,7 +2006,7 @@ START_TEST (test_sysdb_search_custom_update) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2074,7 +2074,7 @@ START_TEST (test_sysdb_search_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2112,7 +2112,7 @@ START_TEST (test_sysdb_delete_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_delete_custom(data); - -@@ -2209,7 +2209,7 @@ static void cached_authentication_without_expiration(uid_t uid, - fail_unless(ret == EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, uid); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val[0] = "0"; - ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, -@@ -2257,7 +2257,7 @@ static void cached_authentication_with_expiration(uid_t uid, - fail_unless(ret == EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, uid); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val[0] = "1"; - ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, -@@ -2336,12 +2336,12 @@ START_TEST (test_sysdb_prepare_asq_test_user) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = ASQ_TEST_USER_UID; - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%u", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - -@@ -2369,7 +2369,7 @@ START_TEST (test_sysdb_asq_search) - } - - data = test_data_new_user(test_ctx, ASQ_TEST_USER_UID); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2428,7 +2428,7 @@ START_TEST (test_sysdb_search_all_users) - } - - data = test_data_new(test_ctx); -- fail_unless(data != NULL); -+ fail_unless(data != NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2487,7 +2487,7 @@ START_TEST (test_sysdb_delete_recursive) - } - - data = test_data_new(test_ctx); -- fail_unless(data != NULL); -+ fail_unless(data != NULL, "Failed to allocate memory"); - - ret = test_delete_recursive(data); - -@@ -2553,7 +2553,7 @@ START_TEST (test_sysdb_memberof_store_group) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0) { - data->attrlist = NULL; -@@ -2563,7 +2563,7 @@ START_TEST (test_sysdb_memberof_store_group) - data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testgroup%d", data->gid - 1); - data->attrlist[1] = NULL; -- fail_if(data->attrlist[0] == NULL); -+ fail_if(data->attrlist[0] == NULL, "Failed to allocate memory"); - } - - ret = test_memberof_store_group(data); -@@ -2587,7 +2587,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0 || _i == MBO_GROUP_BASE) { - data->attrlist = NULL; -@@ -2597,7 +2597,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testgroup%d", data->gid - 1); - data->attrlist[1] = NULL; -- fail_if(data->attrlist[0] == NULL); -+ fail_if(data->attrlist[0] == NULL, "Failed to allocate memory"); - } - - data->ghostlist = talloc_array(data, char *, 2); -@@ -2605,7 +2605,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - data->ghostlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testuser%d", data->gid); - data->ghostlist[1] = NULL; -- fail_if(data->ghostlist[0] == NULL); -+ fail_if(data->ghostlist[0] == NULL, "Failed to allocate memory"); - - ret = test_memberof_store_group_with_ghosts(data); - -@@ -2628,7 +2628,7 @@ START_TEST (test_sysdb_memberof_store_group_with_double_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0) { - data->attrlist = NULL; -@@ -2673,7 +2673,7 @@ START_TEST (test_sysdb_memberof_mod_add) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ghostname = test_asprintf_fqname(data, test_ctx->domain, - "testghost%d", _i); -@@ -2755,7 +2755,7 @@ START_TEST (test_sysdb_memberof_mod_replace) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testuser%i attribute with testghost%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -2842,7 +2842,7 @@ START_TEST (test_sysdb_memberof_mod_replace_keep) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + 10 - _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the attributes (testusera$gid, testuserb$gid) with - * just testusera$gid. The result should be not only testusera, but also -@@ -3021,7 +3021,7 @@ START_TEST (test_sysdb_memberof_store_user) - } - - data = test_data_new_user(test_ctx, MBO_USER_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - fail_if(ret != EOK, "Could not store user %s", data->username); -@@ -3043,12 +3043,12 @@ START_TEST (test_sysdb_memberof_add_group_member) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = MBO_USER_BASE + _i; - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - fail_if(ret != EOK, "Could not modify group %s", data->groupname); -@@ -3071,7 +3071,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_without_group_5) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "tallo_array failed."); -@@ -3120,7 +3120,7 @@ START_TEST (test_sysdb_memberof_check_memberuid) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3160,7 +3160,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_loop) - } - - data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3200,7 +3200,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_loop_without_group_5) - } - - data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "tallo_array failed."); -@@ -3249,7 +3249,7 @@ START_TEST (test_sysdb_memberof_check_nested_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3284,7 +3284,7 @@ START_TEST (test_sysdb_memberof_check_nested_double_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3321,7 +3321,7 @@ START_TEST (test_sysdb_memberof_remove_child_group_and_check_ghost) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - delgid = data->gid - 1; - - data->attrlist = talloc_array(data, const char *, 2); -@@ -3383,7 +3383,7 @@ START_TEST (test_sysdb_memberof_mod_del) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ghostname = test_asprintf_fqname(data, test_ctx->domain, "testuser%d", _i); - fail_unless(ghostname != NULL, "Out of memory\n"); -@@ -3462,7 +3462,7 @@ START_TEST (test_sysdb_memberof_check_ghost) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3499,7 +3499,9 @@ START_TEST (test_sysdb_memberof_check_ghost) - expected = test_asprintf_fqname(data, test_ctx->domain, "testghost%d", j); - fail_if(expected == NULL, "OOM\n"); - fail_unless(strcmp(expected, -- (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data) == 0); -+ (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data) == 0, -+ "Expecting: %s dot: %s", expected, -+ (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data); - talloc_free(expected); - } - -@@ -3521,10 +3523,10 @@ START_TEST (test_sysdb_memberof_convert_to_real_users) - } - - data = test_data_new_user(test_ctx, _i * 2); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testghost%d", _i); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - fail_if(ret != EOK, "Cannot add user %s\n", data->username); -@@ -3550,7 +3552,7 @@ START_TEST (test_sysdb_memberof_check_convert) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3613,7 +3615,7 @@ START_TEST (test_sysdb_memberof_ghost_replace) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testghost%i attribute with testuser%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -3687,7 +3689,7 @@ START_TEST (test_sysdb_memberof_ghost_replace_noop) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testghost%i attribute with testuser%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -3757,7 +3759,7 @@ START_TEST (test_sysdb_memberof_user_cleanup) - } - - data = test_data_new_user(test_ctx, _i * 2); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_remove_user_by_uid(data); - -@@ -3782,7 +3784,7 @@ START_TEST (test_sysdb_set_get_bool) - } - - dn = sysdb_domain_dn(test_ctx, test_ctx->domain); -- fail_unless(dn != NULL); -+ fail_unless(dn != NULL, "Failed to allocate memory"); - - /* attribute is not created yet */ - ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val, -@@ -3794,19 +3796,19 @@ START_TEST (test_sysdb_set_get_bool) - /* add attribute */ - ret = sysdb_set_bool(test_ctx->sysdb, dn, test_ctx->domain->name, - attr_val, true); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sysdb_set_bool failed with error: %d", ret); - - /* successfully obtain attribute */ - ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val, - &value); - fail_unless(ret == EOK, "sysdb_get_bool failed %d:[%s]", - ret, sss_strerror(ret)); -- fail_unless(value == true); -+ fail_unless(value == true, "sysdb_get_bool must return true"); - - /* use non-existing DN */ - ne_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_DOM_BASE, - "non-existing domain"); -- fail_unless(ne_dn != NULL); -+ fail_unless(ne_dn != NULL, "Failed to allocate memory"); - ret = sysdb_get_bool(test_ctx->sysdb, ne_dn, attr_val, - &value); - fail_unless(ret == ENOENT, -@@ -3835,7 +3837,7 @@ START_TEST (test_sysdb_set_get_uint) - } - - dn = sysdb_domain_dn(test_ctx, test_ctx->domain); -- fail_unless(dn != NULL); -+ fail_unless(dn != NULL, "Failed to allocate memory"); - - /* attribute is not created yet */ - ret = sysdb_get_uint(test_ctx->sysdb, dn, attr_val, -@@ -3847,19 +3849,19 @@ START_TEST (test_sysdb_set_get_uint) - /* add attribute */ - ret = sysdb_set_uint(test_ctx->sysdb, dn, test_ctx->domain->name, - attr_val, 0xCAFEBABE); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sysdb_set_uint failed with error: %d", ret); - - /* successfully obtain attribute */ - ret = sysdb_get_uint(test_ctx->sysdb, dn, attr_val, - &value); - fail_unless(ret == EOK, "sysdb_get_uint failed %d:[%s]", - ret, sss_strerror(ret)); -- fail_unless(value == 0xCAFEBABE); -+ ck_assert_int_eq(value, 0xCAFEBABE); - - /* use non-existing DN */ - ne_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_DOM_BASE, - "non-existing domain"); -- fail_unless(ne_dn != NULL); -+ fail_unless(ne_dn != NULL, "Failed to allocate memory"); - ret = sysdb_get_uint(test_ctx->sysdb, ne_dn, attr_val, - &value); - fail_unless(ret == ENOENT, -@@ -4147,22 +4149,24 @@ START_TEST (test_sysdb_update_members) - fail_if(user_fqname == NULL, "user_fqname returned NULL"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 1); /* only the user itself */ -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 1); /* only the user itself */ - - /* Add a user to two groups */ - add_groups = talloc_array(test_ctx, char *, 3); - add_groups[0] = sss_create_internal_fqname(add_groups, "testgroup28001", - test_ctx->domain->name); -- fail_if(add_groups[0] == NULL); -+ fail_if(add_groups[0] == NULL, "Failed to create internal fqname for: %s", -+ test_ctx->domain->name); - add_groups[1] = sss_create_internal_fqname(add_groups, "testgroup28002", - test_ctx->domain->name); -- fail_if(add_groups[1] == NULL); -+ fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s" -+ test_ctx->domain->name); - add_groups[2] = NULL; - - /* For later check */ - group_fqname = talloc_strdup(test_ctx, add_groups[1]); -- fail_if(group_fqname == NULL); -+ fail_if(group_fqname == NULL, "Failed to allocate memory"); - - ret = sysdb_update_members(test_ctx->domain, user_fqname, - SYSDB_MEMBER_USER, -@@ -4170,8 +4174,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Could not add groups"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL); - ck_assert_str_eq(check_fqname, add_groups[0]); -@@ -4196,8 +4200,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Group replace failed"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL); - ck_assert_str_eq(check_fqname, group_fqname); -@@ -4208,8 +4212,8 @@ START_TEST (test_sysdb_update_members) - talloc_zfree(del_groups); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - /* Remove a user from two groups */ - del_groups = talloc_array(test_ctx, char *, 3); -@@ -4224,8 +4228,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Could not remove groups"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 1); /* only the user itself */ -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 1); /* only the user itself */ - - talloc_zfree(test_ctx); - } -@@ -4248,7 +4252,7 @@ START_TEST (test_sysdb_group_dn_name) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, data->groupname); - fail_if(group_dn == NULL, "OOM"); -@@ -4277,7 +4281,7 @@ START_TEST (test_sysdb_add_basic_netgroup) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; /* This is kinda abuse of uid, though */ - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - -@@ -4310,7 +4314,7 @@ START_TEST (test_sysdb_search_netgroup_by_name) - fail_if(ret != EOK, "Could not find netgroup with name %s", netgrname); - - netgroup_dn = sysdb_netgroup_dn(test_ctx, test_ctx->domain, netgrname); -- fail_if(netgroup_dn == NULL); -+ fail_if(netgroup_dn == NULL, "Failed to allocate memory"); - fail_if(ldb_dn_compare(msg->dn, netgroup_dn) != 0, "Found wrong netgroup!\n"); - talloc_free(test_ctx); - } -@@ -4330,7 +4334,7 @@ START_TEST (test_sysdb_remove_netgroup_entry) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - - ret = test_remove_netgroup_entry(data); -@@ -4354,7 +4358,7 @@ START_TEST (test_sysdb_remove_netgroup_by_name) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - - ret = test_remove_netgroup_by_name(data); -@@ -4378,7 +4382,7 @@ START_TEST (test_sysdb_set_netgroup_attr) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; /* This is kinda abuse of uid, though */ - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - -@@ -4756,10 +4760,10 @@ START_TEST(test_SSS_LDB_SEARCH) - - groupname = test_asprintf_fqname(test_ctx, test_ctx->domain, - "test_group"); -- fail_if(groupname == NULL); -+ fail_if(groupname == NULL, "Failed to allocate memory"); - groupname_neg = test_asprintf_fqname(test_ctx, test_ctx->domain, - "non_existing_test_group"); -- fail_if(groupname_neg == NULL); -+ fail_if(groupname_neg == NULL, "Failed to allocate memory"); - - group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, groupname); - fail_if(group_dn == NULL, "sysdb_group_dn failed"); -@@ -4857,16 +4861,18 @@ void services_check_match(struct sysdb_test_ctx *test_ctx, - strerror(ret)); - } - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - /* Make sure the returned entry matches */ - msg = res->msgs[0]; - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Cannot find attribute: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - ret_port = ldb_msg_find_attr_as_int(msg, SYSDB_SVC_PORT, 0); -- fail_if (ret_port != port); -+ ck_assert_int_eq(ret_port, port); - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); - for (i = 0; i < el->num_values; i++) { -@@ -4917,27 +4923,27 @@ START_TEST(test_sysdb_add_services) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "test_service"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "test_service_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "test_service_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -4992,24 +4998,24 @@ START_TEST(test_sysdb_store_services) - fail_if(ret != EOK, "Could not set up the test"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "test_service_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "test_service_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -5112,24 +5118,24 @@ START_TEST(test_sysdb_svc_remove_alias) - fail_if(ret != EOK, "Could not set up the test"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "remove_alias_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "remove_alias_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -5154,16 +5160,16 @@ START_TEST(test_sysdb_svc_remove_alias) - - /* Now remove an alias */ - dn = sysdb_svc_dn(test_ctx->sysdb, test_ctx, test_ctx->domain->name, primary_name); -- fail_if (dn == NULL); -+ fail_if (dn == NULL, "Failed to allocate memory"); - - ret = sysdb_svc_remove_alias(test_ctx->sysdb, dn, aliases[1]); - fail_if (ret != EOK, "[%s]", strerror(ret)); - - ret = sysdb_transaction_commit(test_ctx->sysdb); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sysdb_transaction_commit failed with error: %d", ret); - - ret = sysdb_transaction_start(test_ctx->sysdb); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sysdb_transaction_start failed with error: %d", ret); - - /* Set aliases[1] to NULL to perform validation checks */ - aliases[1] = NULL; -@@ -5313,7 +5319,7 @@ START_TEST(test_sysdb_attrs_get_string_array) - fail_unless(ret == EOK, "sysdb_attrs_get_el_ext failed"); - - list = sss_ldb_el_to_string_list(tmp_ctx, el); -- fail_if(list == NULL, ("sss_ldb_el_to_string_list failed\n")); -+ fail_if(list == NULL, "sss_ldb_el_to_string_list failed"); - - ck_assert_str_eq(list[0], "val1"); - ck_assert_str_eq(list[1], "val2"); -@@ -5545,7 +5551,7 @@ START_TEST (test_sysdb_search_return_ENOENT) - talloc_zfree(res); - - data = test_data_new_user(test_ctx, 1234); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-5-4-3-2-1"; - - /* Search user */ -@@ -5610,7 +5616,7 @@ START_TEST (test_sysdb_search_return_ENOENT) - /* Search group */ - talloc_zfree(data); - data = test_data_new_group(test_ctx, 1234); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-5-4-3-2-1"; - - ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, -@@ -5748,15 +5754,15 @@ START_TEST(test_sysdb_original_dn_case_insensitive) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->gid = 2900; - - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "case_sensitive_group1"); -- fail_if(data->groupname == NULL); -+ fail_if(data->groupname == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", -@@ -5766,7 +5772,7 @@ START_TEST(test_sysdb_original_dn_case_insensitive) - data->gid = 2901; - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "case_sensitive_group2"); -- fail_if(data->groupname == NULL); -+ fail_if(data->groupname == NULL, "Failed to allocate memory"); - c = discard_const(data->orig_dn); - while(*c != '\0') { - *c = toupper(*c); -@@ -5809,10 +5815,10 @@ START_TEST(test_sysdb_search_groups_by_orig_dn) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_group(test_ctx, 456789); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", -@@ -5841,10 +5847,10 @@ START_TEST(test_sysdb_search_users_by_orig_dn) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 456789); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->username); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_ORIG_DN, data->orig_dn); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", -@@ -5875,7 +5881,7 @@ START_TEST(test_sysdb_search_sid_str) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_group(test_ctx, 2902); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-1-2-3-4"; - - ret = test_add_incomplete_group(data); -@@ -5905,9 +5911,8 @@ START_TEST(test_sysdb_search_sid_str) - talloc_zfree(data); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-1-2-3-4-5"; -- fail_if(data->sid_str == NULL); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_SID_STR, data->sid_str); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", -@@ -5947,7 +5952,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test user search */ - data = test_data_new_user(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_user(data); - fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", -@@ -5973,7 +5978,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test group search */ - data = test_data_new_group(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -5999,7 +6004,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test for bad search filter bug #3283 */ - data = test_data_new_group(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -6034,14 +6039,16 @@ START_TEST(test_sysdb_search_object_by_id) - - data->uid = 4001; - ret = test_remove_user_by_uid(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "test_remove_user_by_uid failed with error: %d", ret); - - data->uid = 4002; - ret = test_remove_user_by_uid(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "test_remove_user_by_uid failed with error: %d", ret); - - ret = test_remove_group(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_remove_group failed with error: %d", ret); - - talloc_free(test_ctx); - } -@@ -6060,7 +6067,7 @@ START_TEST(test_sysdb_search_object_by_uuid) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 123456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - uuid = "11111111-2222-3333-4444-555555555555"; - -@@ -6117,7 +6124,7 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test user search */ - data = test_data_new_user(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->username = user_name; - -@@ -6145,7 +6152,7 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test group search */ - data = test_data_new_group(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->groupname = group_name; - -@@ -6173,16 +6180,17 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test case insensitive search */ - data = test_data_new_group(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->groupname = group_name; - test_ctx->domain->case_sensitive = false; - - data->attrs = sysdb_new_attrs(test_ctx); -- fail_if(data->attrs == NULL); -+ fail_if(data->attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_lc_name_alias(data->attrs, group_name); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "sysdb_attrs_add_lc_name_alias failed with error: %d", ret); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -6225,7 +6233,7 @@ START_TEST(test_sysdb_search_user_by_cert) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 234567); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length); - fail_unless(val.data != NULL, "sss_base64_decode failed."); -@@ -6257,7 +6265,7 @@ START_TEST(test_sysdb_search_user_by_cert) - - /* Add a second user with the same certificate */ - data2 = test_data_new_user(test_ctx, 2345671); -- fail_if(data2 == NULL); -+ fail_if(data2 == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val); - fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", -@@ -6274,9 +6282,9 @@ START_TEST(test_sysdb_search_user_by_cert) - fail_unless(res->count == 2, "Unexpected number of results, " - "expected [%u], get [%u].", 2, res->count); - name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""); -- fail_unless(name != NULL); -+ fail_unless(name != NULL, "Failed to find attribute: " SYSDB_NAME); - name2 = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, ""); -- fail_unless(name2 != NULL); -+ fail_unless(name2 != NULL, "Failed to find attribute: " SYSDB_NAME); - fail_unless(((strcmp(name, data->username) == 0 - && strcmp(name2, data2->username) == 0) - || (strcmp(name, data2->username) == 0 -@@ -6342,11 +6350,11 @@ START_TEST(test_sysdb_subdomain_store_user) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, subdomain, "SubDomUser"); - - alias = test_asprintf_fqname(data, subdomain, "subdomuser"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_store_user failed."); -@@ -6358,10 +6366,10 @@ START_TEST(test_sysdb_subdomain_store_user) - fail_unless(ret == EOK, "sysdb_store_user failed."); - - base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb"); -- fail_unless(base_dn != NULL); -+ fail_unless(base_dn != NULL, "Failed to allocate memory"); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn, - LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username); -@@ -6420,11 +6428,11 @@ START_TEST(test_sysdb_subdomain_content_delete) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, subdomain, "SubDomUser"); - - alias = test_asprintf_fqname(data, subdomain, "subdomuser"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_store_user failed."); -@@ -6436,10 +6444,10 @@ START_TEST(test_sysdb_subdomain_content_delete) - fail_unless(ret == EOK, "sysdb_store_user failed."); - - base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb"); -- fail_unless(base_dn != NULL); -+ fail_unless(base_dn != NULL, "Failed to allocate memory"); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn, - LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username); -@@ -6508,10 +6516,10 @@ START_TEST(test_sysdb_subdomain_user_ops) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->username = test_asprintf_fqname(data, subdomain, shortname); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = sysdb_store_user(subdomain, data->username, - NULL, data->uid, 0, "Sub Domain User", -@@ -6520,7 +6528,7 @@ START_TEST(test_sysdb_subdomain_user_ops) - fail_unless(ret == EOK, "sysdb_store_domuser failed."); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = sysdb_search_user_by_name(test_ctx, subdomain, - data->username, NULL, -@@ -6531,10 +6539,10 @@ START_TEST(test_sysdb_subdomain_user_ops) - "Unexpected DN returned"); - - name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(name == NULL); -+ fail_if(name == NULL, "Failed to find attribute: " SYSDB_NAME); - - ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_parse_internal_fqname failed with error: %d", ret); - ck_assert_str_eq(short_check, shortname); - ck_assert_str_eq(dom_check, subdomain->name); - -@@ -6581,11 +6589,11 @@ START_TEST(test_sysdb_subdomain_group_ops) - ret, strerror(ret)); - - data = test_data_new_group(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->groupname = test_asprintf_fqname(data, subdomain, shortname); - - alias = test_asprintf_fqname(data, subdomain, "subdomgroup"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); -@@ -6595,7 +6603,7 @@ START_TEST(test_sysdb_subdomain_group_ops) - fail_unless(ret == EOK, "sysdb_store_group failed."); - - check_dn = sysdb_group_dn(data, subdomain, data->groupname); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(test_ctx, subdomain, data->groupname, NULL, - &msg); -@@ -6615,10 +6623,10 @@ START_TEST(test_sysdb_subdomain_group_ops) - "Unexpected DN returned"); - - name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(name == NULL); -+ fail_if(name == NULL, "Failed to find attribute: " SYSDB_NAME); - - ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_parse_internal_fqname failed with error: %d", ret); - ck_assert_str_eq(short_check, shortname); - ck_assert_str_eq(dom_check, subdomain->name); - -@@ -7190,15 +7198,15 @@ START_TEST(test_gpo_store_retrieve) - - ret = sysdb_gpo_get_gpos(test_ctx, test_ctx->domain, &result); - fail_if(ret != EOK, "GPOs not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs"); -+ ck_assert_int_eq(result->count, 1); - - result = NULL; - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7226,8 +7234,8 @@ START_TEST(test_gpo_replace) - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7245,8 +7253,8 @@ START_TEST(test_gpo_replace) - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after modify op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7299,7 +7307,8 @@ START_TEST(test_gpo_result) - ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain, - deny_key, &value); - ck_assert_int_eq(ret, EOK); -- fail_unless(value == NULL); -+ fail_unless(value == NULL, "Unexpected value returned for deny key " -+ "from sysdb_gpo_get_gpo_result_setting"); - - /* Updating replaces the original value */ - ret = sysdb_gpo_store_gpo_result_setting(test_ctx->domain, -@@ -7319,7 +7328,8 @@ START_TEST(test_gpo_result) - ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain, - allow_key, &value); - ck_assert_int_eq(ret, EOK); -- fail_unless(value == NULL); -+ fail_unless(value == NULL, "Unexpected value returned for allow key" -+ "from sysdb_gpo_get_gpo_result_setting" ); - - /* Delete the result */ - ret = sysdb_gpo_delete_gpo_result_object(test_ctx, test_ctx->domain); -@@ -7400,7 +7410,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - - /* Add something to database to test against */ - data = test_data_new_user(test_ctx, 2000); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_transaction_start(test_ctx->sysdb); - ck_assert_int_eq(ret, EOK); -@@ -7414,7 +7424,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - filter = talloc_asprintf(data, - "("SYSDB_UIDNUM"=%llu)", - (unsigned long long) data->uid); -- fail_if(filter == NULL); -+ fail_if(filter == NULL, "Failed to allocate memory"); - - ret = sysdb_search_users(test_ctx, test_ctx->domain, - filter, attrs, &count, &msgs); -@@ -7442,7 +7452,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - filter = talloc_asprintf(data, - "("SYSDB_UIDNUM"=%llu)", - (unsigned long long) data->uid); -- fail_if(filter == NULL); -+ fail_if(filter == NULL, "Failed to allocate memory"); - - ret = sysdb_search_users(test_ctx, test_ctx->domain, - filter, attrs, &count, &msgs); -@@ -7493,16 +7503,18 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - strerror(ret)); - } - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - /* Make sure the returned entry matches */ - msg = res->msgs[0]; - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Failed to find attribute: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - el = ldb_msg_find_element(msg, SYSDB_IP_HOST_ATTR_ADDRESS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find elemeny: " SYSDB_IP_HOST_ATTR_ADDRESS); - - len = talloc_array_length(addresses); - for (i = 0; i < el->num_values; i++) { -@@ -7511,7 +7523,8 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - char *canonical_address; - ret = sss_canonicalize_ip_address(test_ctx, addresses[j], - &canonical_address); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "sss_canonicalize_ip_address failed: %d", ret); - - if (strcmp(canonical_address, - (const char *)el->values[i].data) == 0) { -@@ -7524,7 +7537,7 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - } - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find element: " SYSDB_NAME_ALIAS); - - len = talloc_array_length(aliases); - for (i = 0; i < el->num_values; i++) { -@@ -7563,36 +7576,36 @@ START_TEST(test_sysdb_add_hosts) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "test.example.org"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "alias1.example.org"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "alias2.example.org"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - addresses = talloc_array(test_ctx, const char *, 6); -- fail_if(addresses == NULL); -+ fail_if(addresses == NULL, "Failed to allocate memory"); - - addresses[0] = talloc_asprintf(addresses, "1.1.2.3"); -- fail_if(addresses[0] == NULL); -+ fail_if(addresses[0] == NULL, "Failed to allocate memory"); - - addresses[1] = talloc_asprintf(addresses, "10.11.22.33"); -- fail_if(addresses[1] == NULL); -+ fail_if(addresses[1] == NULL, "Failed to allocate memory"); - - addresses[2] = talloc_asprintf(addresses, "100.123.123.123"); -- fail_if(addresses[2] == NULL); -+ fail_if(addresses[2] == NULL, "Failed to allocate memory"); - - addresses[3] = talloc_asprintf(addresses, "2001:0db8:85a3:0000:0000:8a2e:0370:7334"); -- fail_if(addresses[3] == NULL); -+ fail_if(addresses[3] == NULL, "Failed to allocate memory"); - - addresses[4] = talloc_asprintf(addresses, "2001:db8:85a3:0:1:8a2e:370:7334"); -- fail_if(addresses[4] == NULL); -+ fail_if(addresses[4] == NULL, "Failed to allocate memory"); - - addresses[5] = NULL; - -@@ -7651,19 +7664,24 @@ void ipnetwork_check_match(struct sysdb_test_ctx *test_ctx, - bool matched; - - ret = sss_canonicalize_ip_address(test_ctx, address, &c_addr); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_canonicalize_ip_address failed: %d", ret); - - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Failed to find attribue: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - ret_addr = ldb_msg_find_attr_as_string(msg, SYSDB_IP_NETWORK_ATTR_NUMBER, - NULL); -- fail_if(ret_addr == NULL); -- fail_unless(strcmp(ret_addr, c_addr) == 0); -+ fail_if(ret_addr == NULL, -+ "Failed to find attribue: " SYSDB_IP_NETWORK_ATTR_NUMBER); -+ fail_unless(strcmp(ret_addr, c_addr) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_IP_NETWORK_ATTR_NUMBER, ret_addr, c_addr); - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find element: " SYSDB_NAME_ALIAS); - - len = talloc_array_length(aliases); - for (i = 0; i < el->num_values; i++) { -@@ -7692,7 +7710,7 @@ void ipnetwork_check_match_name(struct sysdb_test_ctx *test_ctx, - fail_if(ret != EOK, "sysdb_getipnetworkbyname error [%s]\n", - strerror(ret)); - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - ipnetwork_check_match(test_ctx, res->msgs[0], primary_name, aliases, - address); -@@ -7712,7 +7730,7 @@ void ipnetwork_check_match_addr(struct sysdb_test_ctx *test_ctx, - fail_if(ret != EOK, "sysdb_getipnetworkbyaddr error [%s]\n", - strerror(ret)); - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - ipnetwork_check_match(test_ctx, res->msgs[0], primary_name, aliases, - address); -@@ -7732,21 +7750,21 @@ START_TEST(test_sysdb_add_ipnetworks) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "network_1"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "network_1_alias_1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "network_1_alias_2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - address = talloc_asprintf(test_ctx, "192.168.1.0"); -- fail_if(address == NULL); -+ fail_if(address == NULL, "Failed to allocate memory"); - - ret = sysdb_transaction_start(test_ctx->sysdb); - fail_if(ret != EOK, "[%s]", strerror(ret)); --- -2.28.0.rc2 - - -From 41e169ed5103ccb9d83842e69a8cbb21a96f587c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:03 +0000 -Subject: [PATCH 03/19] SYSDB-TESTS: Fix format string - ---- - src/tests/sysdb-tests.c | 42 ++++++++++++++++++++--------------------- - 1 file changed, 21 insertions(+), 21 deletions(-) - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index b7e0e2389..4df921c8d 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -1031,8 +1031,8 @@ START_TEST (test_sysdb_incomplete_group_rename) - "S-1-5-21-123-456-789-111", - NULL, true, 0); - fail_unless(ret == ERR_GID_DUPLICATED, -- "Did not catch a legitimate rename", -- ret, strerror(ret)); -+ "Did not catch a legitimate rename. ret: %d [%s]", -+ ret, sss_strerror(ret)); - } - END_TEST - -@@ -1926,7 +1926,7 @@ START_TEST (test_sysdb_search_custom_by_name) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 1, -- "Wrong number of objects, expected [1] got [%d]", -+ "Wrong number of objects, expected [1] got [%zd]", - data->msgs_count); - fail_unless(data->msgs[0]->num_elements == 1, - "Wrong number of results, expected [1] got [%d]", -@@ -2028,7 +2028,7 @@ START_TEST (test_sysdb_search_custom_update) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 1, -- "Wrong number of objects, expected [1] got [%d]", -+ "Wrong number of objects, expected [1] got [%zd]", - data->msgs_count); - fail_unless(data->msgs[0]->num_elements == 2, - "Wrong number of results, expected [2] got [%d]", -@@ -2091,7 +2091,7 @@ START_TEST (test_sysdb_search_custom) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 10, -- "Wrong number of objects, expected [10] got [%d]", -+ "Wrong number of objects, expected [10] got [%zd]", - data->msgs_count); - - talloc_free(test_ctx); -@@ -2229,10 +2229,10 @@ static void cached_authentication_without_expiration(uid_t uid, - "return expected result [%d].", - expected_result); - -- fail_unless(expire_date == 0, "Wrong expire date, expected [%d], got [%d]", -+ fail_unless(expire_date == 0, "Wrong expire date, expected [%d], got [%ld]", - 0, expire_date); - -- fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", -+ fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%ld]", - -1, delayed_until); - - talloc_free(test_ctx); -@@ -2292,10 +2292,10 @@ static void cached_authentication_with_expiration(uid_t uid, - "result [%d], got [%d].", expected_result, ret); - - fail_unless(expire_date == expected_expire_date, -- "Wrong expire date, expected [%d], got [%d]", -+ "Wrong expire date, expected [%ld], got [%ld]", - expected_expire_date, expire_date); - -- fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", -+ fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%ld]", - -1, delayed_until); - - talloc_free(test_ctx); -@@ -2386,7 +2386,7 @@ START_TEST (test_sysdb_asq_search) - fail_if(ret != EOK, "Failed to send ASQ search request.\n"); - - fail_unless(msgs_count == 10, "wrong number of results, " -- "found [%d] expected [10]", msgs_count); -+ "found [%zd] expected [10]", msgs_count); - - for (i = 0; i < msgs_count; i++) { - fail_unless(msgs[i]->num_elements == 1, "wrong number of elements, " -@@ -2403,7 +2403,7 @@ START_TEST (test_sysdb_asq_search) - (const char *) msgs[i]->elements[0].values[0].data, - msgs[i]->elements[0].values[0].length) == 0, - "wrong value, found [%.*s] expected [%s]", -- msgs[i]->elements[0].values[0].length, -+ (int) msgs[i]->elements[0].values[0].length, - msgs[i]->elements[0].values[0].data, gid_str); - } - -@@ -2440,7 +2440,7 @@ START_TEST (test_sysdb_search_all_users) - fail_if(ret != EOK, "Search failed"); - - fail_unless(data->msgs_count == 10, -- "wrong number of results, found [%d] expected [10]", -+ "wrong number of results, found [%zd] expected [10]", - data->msgs_count); - - for (i = 0; i < data->msgs_count; i++) { -@@ -2465,7 +2465,7 @@ START_TEST (test_sysdb_search_all_users) - (char *) data->msgs[i]->elements[0].values[0].data, - data->msgs[i]->elements[0].values[0].length) == 0, - "wrong value, found [%.*s] expected [%s]", -- data->msgs[i]->elements[0].values[0].length, -+ (int) data->msgs[i]->elements[0].values[0].length, - data->msgs[i]->elements[0].values[0].data, uid_str); - } - -@@ -2532,8 +2532,8 @@ START_TEST (test_sysdb_attrs_replace_name) - "expected [1] got [%d].", el->num_values); - fail_unless(strncmp("bar", (char *) el->values[0].data, - el->values[0].length) == 0, -- "Wrong value, expected [bar] got [%.*s]", el->values[0].length, -- el->values[0].data); -+ "Wrong value, expected [bar] got [%.*s]", -+ (int) el->values[0].length, el->values[0].data); - - talloc_free(attrs); - } -@@ -4160,8 +4160,8 @@ START_TEST (test_sysdb_update_members) - test_ctx->domain->name); - add_groups[1] = sss_create_internal_fqname(add_groups, "testgroup28002", - test_ctx->domain->name); -- fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s" -- test_ctx->domain->name); -+ fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s", -+ test_ctx->domain->name); - add_groups[2] = NULL; - - /* For later check */ -@@ -4546,7 +4546,7 @@ START_TEST (test_sysdb_netgr_to_entries) - ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); - fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", - ret, strerror(ret)); -- fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ fail_unless(netgroup_count == 1, "Received [%zd] triples", netgroup_count); - bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); - fail_unless(bret == true, "Netgroup triples do not match"); - -@@ -4561,7 +4561,7 @@ START_TEST (test_sysdb_netgr_to_entries) - ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); - fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", - ret, strerror(ret)); -- fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ fail_unless(netgroup_count == 1, "Received [%zd] triples", netgroup_count); - bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); - fail_unless(bret == true, "Netgroup triples do not match"); - } -@@ -6779,7 +6779,7 @@ START_TEST(test_autofs_retrieve_keys_by_map) - autofsmapname, &count, &entries); - fail_if(ret != EOK, "Cannot get autofs entries for map %s\n", - autofsmapname); -- fail_if(count != expected, "Expected to find %d entries, got %d\n", -+ fail_if(count != expected, "Expected to find %d entries, got %zd\n", - expected, count); - talloc_free(test_ctx); - } -@@ -6844,7 +6844,7 @@ START_TEST(test_autofs_get_duplicate_keys) - ret = sysdb_search_entry(test_ctx, test_ctx->sysdb, dn, LDB_SCOPE_SUBTREE, - filter, attrs, &count, &msgs); - fail_unless(ret == EOK, "sysdb_search_entry returned [%d]", ret); -- fail_if(count != expected, "Found %d entries with name %s, expected %d\n", -+ fail_if(count != expected, "Found %zd entries with name %s, expected %d\n", - count, autofskey, expected); - talloc_free(test_ctx); - } --- -2.28.0.rc2 - - -From ef5ab80c1868ecd45ecf77602c915e5f08030400 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:04 +0000 -Subject: [PATCH 04/19] STRTONUM-TESTS: Fix format string issues - ---- - src/tests/strtonum-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/strtonum-tests.c b/src/tests/strtonum-tests.c -index eb7f1b58d..b726d2b20 100644 ---- a/src/tests/strtonum-tests.c -+++ b/src/tests/strtonum-tests.c -@@ -38,8 +38,8 @@ - - #define CHECK_RESULT(expected, actual) \ - do { \ -- fail_unless(actual == expected, "Expected %ld, got %ld", \ -- expected, actual); \ -+ fail_unless(actual == expected, "Expected %jd, got %jd", \ -+ (intmax_t)expected, (intmax_t)actual); \ - } while(0) - - #define CHECK_ERRNO(expected, actual) \ --- -2.28.0.rc2 - - -From f1a5f93923595d8a3c30f62cfdefc71e96be4a4a Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:05 +0000 -Subject: [PATCH 05/19] =?UTF-8?q?RESOLV-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/resolv-tests.c | 128 +++++++++++++++++++++++---------------- - 1 file changed, 75 insertions(+), 53 deletions(-) - -diff --git a/src/tests/resolv-tests.c b/src/tests/resolv-tests.c -index bc4cd7cc1..59bda4373 100644 ---- a/src/tests/resolv-tests.c -+++ b/src/tests/resolv-tests.c -@@ -172,38 +172,58 @@ START_TEST(test_copy_hostent) - struct ares_addrttl attl[] = { { addr_1, ttl_1 }, { addr_2, ttl_2 } }; - - ctx = talloc_new(global_talloc_context); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - - ck_leaks_push(ctx); - - rhe = resolv_copy_hostent_ares(ctx, &he, AF_INET, &attl, 2); - -- fail_if(rhe == NULL); -- fail_if(strcmp(rhe->name, name)); -- fail_if(strcmp(rhe->aliases[0], alias_1)); -- fail_if(strcmp(rhe->aliases[1], alias_2)); -- fail_if(rhe->aliases[2] != NULL); -- fail_if(rhe->family != AF_INET); -- fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_1, sizeof(addr_1))); -- fail_if(rhe->addr_list[0]->ttl != ttl_1); -- fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_2, sizeof(addr_2))); -- fail_if(rhe->addr_list[1]->ttl != ttl_2); -- fail_if(rhe->addr_list[2] != NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); -+ fail_if(strcmp(rhe->name, name), -+ "Unexpectag value for name. Got: %s expecting: %s", -+ rhe->name, name); -+ fail_if(strcmp(rhe->aliases[0], alias_1), -+ "Unexpectag value for 1st alias. Got: %s expecting: %s", -+ rhe->aliases[0], alias_1); -+ fail_if(strcmp(rhe->aliases[1], alias_2), -+ "Unexpectag value for 2nd alias. Got: %s expecting: %s", -+ rhe->aliases[1], alias_2); -+ fail_if(rhe->aliases[2] != NULL, -+ "Just 2 aliases are expected. Got: %s", rhe->aliases[2]); -+ ck_assert_int_eq(rhe->family, AF_INET); -+ fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_1, sizeof(addr_1)), -+ "Unexpected binary value for addr_list[0]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[0]->ttl, ttl_1); -+ fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_2, sizeof(addr_2)), -+ "Unexpected binary value for rhe->addr_list[1]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[1]->ttl, ttl_2); -+ fail_if(rhe->addr_list[2] != NULL, -+ "Just 2 ip addresses are expected. 3rd has to be NULL"); - - talloc_zfree(rhe); - - rhe = resolv_copy_hostent(ctx, &he); -- fail_if(rhe == NULL); -- fail_if(strcmp(rhe->name, name)); -- fail_if(strcmp(rhe->aliases[0], alias_1)); -- fail_if(strcmp(rhe->aliases[1], alias_2)); -- fail_if(rhe->aliases[2] != NULL); -- fail_if(rhe->family != AF_INET); -- fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_2, sizeof(addr_1))); -- fail_if(rhe->addr_list[0]->ttl != RESOLV_DEFAULT_TTL); -- fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_1, sizeof(addr_2))); -- fail_if(rhe->addr_list[1]->ttl != RESOLV_DEFAULT_TTL); -- fail_if(rhe->addr_list[2] != NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); -+ fail_if(strcmp(rhe->name, name), -+ "Unexpectag value for name. Got: %s expecting: %s", -+ rhe->name, name); -+ fail_if(strcmp(rhe->aliases[0], alias_1), -+ "Unexpectag value for 1st alias. Got: %s expecting: %s", -+ rhe->aliases[0], alias_1); -+ fail_if(strcmp(rhe->aliases[1], alias_2), -+ "Unexpectag value for 2nd alias. Got: %s expecting: %s", -+ rhe->aliases[1], alias_2); -+ fail_if(rhe->aliases[2] != NULL, -+ "Just 2 aliases are expected. Got: %s", rhe->aliases[2]); -+ ck_assert_int_eq(rhe->family, AF_INET); -+ fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_2, sizeof(addr_1)), -+ "Unexpected binary value for addr_list[0]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[0]->ttl, RESOLV_DEFAULT_TTL); -+ fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_1, sizeof(addr_2)), -+ "Unexpected binary value for addr_list[1]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[1]->ttl, RESOLV_DEFAULT_TTL); -+ fail_if(rhe->addr_list[2] != NULL, -+ "Just 2 ip addresses are expected. 3rd has to be NULL"); - - talloc_free(rhe); - -@@ -219,36 +239,36 @@ START_TEST(test_address_to_string) - char *ptr_addr; - - ctx = talloc_new(global_talloc_context); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - ck_leaks_push(ctx); - - rhe = test_create_rhostent(ctx, "www.example.com", "1.2.3.4"); -- fail_if(rhe == NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); - - str_addr = resolv_get_string_address_index(ctx, rhe, 0); -- fail_if(str_addr == NULL); -+ fail_if(str_addr == NULL, "Failed to allocate memory"); - fail_unless(strcmp(str_addr, "1.2.3.4") == 0, "Unexpected address\n"); - talloc_free(str_addr); - - ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, - rhe->addr_list[0]->ipaddr); -- fail_if(ptr_addr == NULL); -+ fail_if(ptr_addr == NULL, "Failed to allocate memory"); - fail_unless(strcmp(ptr_addr, "4.3.2.1.in-addr.arpa.") == 0, "Unexpected PTR address\n"); - talloc_free(ptr_addr); - - talloc_free(rhe); - - rhe = test_create_rhostent(ctx, "www6.example.com", "2607:f8b0:400c:c03::6a"); -- fail_if(rhe == NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); - - str_addr = resolv_get_string_address_index(ctx, rhe, 0); -- fail_if(str_addr == NULL); -+ fail_if(str_addr == NULL, "resolv_get_string_address_index failed"); - fail_unless(strcmp(str_addr, "2607:f8b0:400c:c03::6a") == 0, "Unexpected address\n"); - talloc_free(str_addr); - - ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, - rhe->addr_list[0]->ipaddr); -- fail_if(ptr_addr == NULL); -+ fail_if(ptr_addr == NULL, "resolv_get_string_ptr_address failed"); - fail_unless(strcmp(ptr_addr, - "a.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.c.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa.") == 0, "Unexpected PTR address\n"); - talloc_free(ptr_addr); -@@ -322,7 +342,7 @@ START_TEST(test_resolv_ip_addr) - } - - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - talloc_zfree(test_ctx); - } -@@ -392,7 +412,7 @@ START_TEST(test_resolv_localhost) - } - - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - talloc_zfree(test_ctx); - } -@@ -451,8 +471,8 @@ START_TEST(test_resolv_negative) - - ck_leaks_pop(test_ctx); - -- fail_unless(ret != EOK); -- fail_unless(test_ctx->error == ARES_ENOTFOUND); -+ fail_unless(ret != EOK, "test_loop must failed but got: EOK"); -+ ck_assert_int_eq(test_ctx->error, ARES_ENOTFOUND); - talloc_zfree(test_ctx); - } - END_TEST -@@ -556,7 +576,7 @@ START_TEST(test_resolv_internet) - ret = test_loop(test_ctx); - } - -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - ck_leaks_pop(test_ctx); - talloc_zfree(test_ctx); - } -@@ -579,7 +599,7 @@ START_TEST(test_resolv_internet_txt) - - tevent_req_set_callback(req, test_internet, test_ctx); - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - ck_leaks_pop(test_ctx); - -@@ -604,7 +624,7 @@ START_TEST(test_resolv_internet_srv) - - tevent_req_set_callback(req, test_internet, test_ctx); - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - ck_leaks_pop(test_ctx); - -@@ -676,7 +696,7 @@ START_TEST(test_resolv_free_context) - } - - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - done: - talloc_zfree(test_ctx); -@@ -713,7 +733,7 @@ START_TEST(test_resolv_sort_srv_reply) - /* prepare linked list with reversed values */ - for (i = 0; ipriority = num_replies-i; - r->weight = i; - -@@ -728,19 +748,19 @@ START_TEST(test_resolv_sort_srv_reply) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* check if the list is sorted */ - prev = NULL; - for (i = 1, r = replies; r; r=r->next, i++) { - talloc_zfree(prev); - prev = r; -- fail_unless(r->priority == i); -+ ck_assert_int_eq(r->priority, i); - } - talloc_zfree(prev); - - /* check if the list is complete */ -- fail_unless(i-1 == num_replies); -+ ck_assert_int_eq(i - 1, num_replies); - - /* test if the weighting algorithm runs..not much do - * deterministically test here since it is based on -@@ -748,7 +768,7 @@ START_TEST(test_resolv_sort_srv_reply) - replies = NULL; - for (i = 0; ipriority = i % 2 + 1; - r->weight = i; - -@@ -763,7 +783,7 @@ START_TEST(test_resolv_sort_srv_reply) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* clean up */ - prev = NULL; -@@ -800,7 +820,7 @@ START_TEST(test_resolv_sort_srv_reply_zero_weight) - /* prepare linked list */ - for (i = 0; i < num_replies; i++) { - r = talloc_zero(test_ctx, struct ares_srv_reply); -- fail_if(r == NULL); -+ fail_if(r == NULL, "Failed to allocate memory"); - - r->priority = 20; - r->priority = i <= 3 ? 10 : r->priority; -@@ -818,15 +838,17 @@ START_TEST(test_resolv_sort_srv_reply_zero_weight) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* check if the list contains all values and is sorted */ - for (i = 0, r = replies; r != NULL; r = r->next, i++) { - if (r->next != NULL) { -- fail_unless(r->priority <= r->next->priority); -+ fail_unless(r->priority <= r->next->priority, -+ "Got unsorted values. %d <= %d", -+ r->priority, r->next->priority); - } - } -- fail_unless(i == num_replies); -+ ck_assert_int_eq(i, num_replies); - - /* clean up */ - prev = NULL; -@@ -889,7 +911,7 @@ START_TEST(test_resolv_free_req) - - ret = test_loop(test_ctx); - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - done: - talloc_zfree(test_ctx); -@@ -911,12 +933,12 @@ static void test_timeout(struct tevent_req *req) - tmp_ctx = talloc_new(test_ctx); - ck_leaks_push(tmp_ctx); - -- fail_unless(test_ctx->tested_function == TESTING_HOSTNAME); -+ ck_assert_int_eq(test_ctx->tested_function, TESTING_HOSTNAME); - recv_status = resolv_gethostbyname_recv(req, tmp_ctx, - &status, NULL, &rhostent); - talloc_zfree(req); -- fail_unless(recv_status == ETIMEDOUT); -- fail_unless(status == ARES_ETIMEOUT); -+ ck_assert_int_eq(recv_status, ETIMEDOUT); -+ ck_assert_int_eq(status, ARES_ETIMEOUT); - ck_leaks_pop(tmp_ctx); - talloc_free(tmp_ctx); - } -@@ -949,7 +971,7 @@ START_TEST(test_resolv_timeout) - ret = test_loop(test_ctx); - } - -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - talloc_zfree(test_ctx); - } - END_TEST --- -2.28.0.rc2 - - -From 372f34b46ef402f58c593c4bf01a6c5bd270b83f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:06 +0000 -Subject: [PATCH 06/19] =?UTF-8?q?KRB5-UTILS-TESTS:=20Fix=20error=20too=20f?= - =?UTF-8?q?ew=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffail?= - =?UTF-8?q?ed=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/krb5_utils-tests.c | 97 +++++++++++++++++++++++++----------- - 1 file changed, 67 insertions(+), 30 deletions(-) - -diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c -index bff42f848..b4b7ae819 100644 ---- a/src/tests/krb5_utils-tests.c -+++ b/src/tests/krb5_utils-tests.c -@@ -298,7 +298,7 @@ void setup_talloc_context(void) - fail_unless(pd != NULL, "Cannot create krb5_ctx structure."); - - pd->user = sss_create_internal_fqname(pd, USERNAME, DOMAIN_NAME); -- fail_unless(pd->user != NULL); -+ fail_unless(pd->user != NULL, "Failed to allocate memory"); - kr->uid = atoi(UID); - kr->upn = discard_const(PRINCIPAL_NAME); - pd->cli_pid = atoi(PID); -@@ -372,7 +372,7 @@ START_TEST(test_case_sensitive) - const char *expected_ci = BASE"_testuser"; - - kr->pd->user = sss_create_internal_fqname(kr, USERNAME_CASE, DOMAIN_NAME); -- fail_unless(kr->pd->user != NULL); -+ fail_unless(kr->pd->user != NULL, "Failed to allocate memory"); - ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR); - fail_unless(ret == EOK, "Failed to set Ccache dir"); - -@@ -586,7 +586,8 @@ compare_map_id_name_to_krb_primary(struct map_id_name_to_krb_primary *a, - errno_t ret; - - while (a[i].id_name != NULL && a[i].krb_primary != NULL) { -- fail_unless(i < len); -+ fail_unless(i < len, -+ "Index: %d mus =t be lowwer than: %zd", i, len); - ret = sss_utf8_case_eq((const uint8_t*)a[i].id_name, - (const uint8_t*)str[i*2]); - fail_unless(ret == EOK, -@@ -613,30 +614,52 @@ START_TEST(test_parse_krb5_map_user) - { - check_leaks_push(mem_ctx); - ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); -+ - talloc_free(name_to_primary); - -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - /* valid input */ - { -@@ -647,46 +670,56 @@ START_TEST(test_parse_krb5_map_user) - "joe@testdomain", "juser@testdomain", - "jdoe@testdomain", "ßlack@testdomain" }; - ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); - compare_map_id_name_to_krb_primary(name_to_primary, expected, - sizeof(expected)/sizeof(const char*)/2); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); - compare_map_id_name_to_krb_primary(name_to_primary, expected, - sizeof(expected)/sizeof(const char*)/2); - talloc_free(name_to_primary); -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - /* invalid input */ - { - check_leaks_push(mem_ctx); - - ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - - talloc_free(mem_ctx); -@@ -695,14 +728,18 @@ END_TEST - - START_TEST(test_sss_krb5_realm_has_proxy) - { -- fail_unless(sss_krb5_realm_has_proxy(NULL) == false); -+ fail_unless(sss_krb5_realm_has_proxy(NULL) == false, -+ "sss_krb5_realm_has_proxy did not return false"); - - setenv("KRB5_CONFIG", "/dev/null", 1); -- fail_unless(sss_krb5_realm_has_proxy("REALM") == false); -+ fail_unless(sss_krb5_realm_has_proxy("REALM") == false, -+ "sss_krb5_realm_has_proxy did not return false"); - - setenv("KRB5_CONFIG", ABS_SRC_DIR"/src/tests/krb5_proxy_check_test_data.conf", 1); -- fail_unless(sss_krb5_realm_has_proxy("REALM") == false); -- fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true); -+ fail_unless(sss_krb5_realm_has_proxy("REALM") == false, -+ "sss_krb5_realm_has_proxy did not return false"); -+ fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true, -+ "sss_krb5_realm_has_proxy did not return true"); - } - END_TEST - --- -2.28.0.rc2 - - -From fabbf90c7de4e837b9b50a64569086171bad4479 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:07 +0000 -Subject: [PATCH 07/19] KRB5-UTILS-TESTS: Fix format string issues - ---- - src/tests/krb5_utils-tests.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c -index b4b7ae819..540fc8012 100644 ---- a/src/tests/krb5_utils-tests.c -+++ b/src/tests/krb5_utils-tests.c -@@ -487,8 +487,9 @@ START_TEST(test_NULL) - - result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); - -- fail_unless(result == NULL, "Expected NULL as a result for an empty input.", -- test_template); -+ fail_unless(result == NULL, -+ "Expected NULL as a result for an empty input for " -+ "NULL template"); - } - END_TEST - -@@ -599,7 +600,7 @@ compare_map_id_name_to_krb_primary(struct map_id_name_to_krb_primary *a, - a[i].krb_primary, str[i*2+1]); - i++; - } -- fail_unless(len == i, "%u != %u", len, i); -+ fail_unless(len == i, "%zu != %u", len, i); - } - - START_TEST(test_parse_krb5_map_user) --- -2.28.0.rc2 - - -From 7ad0af60d905167fe731c02825fc98e1dfa8497b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:08 +0000 -Subject: [PATCH 08/19] CHECK-AND-OPEN-TESTS: Fix format string issues - ---- - src/tests/check_and_open-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c -index 525e28aed..ddc4acd50 100644 ---- a/src/tests/check_and_open-tests.c -+++ b/src/tests/check_and_open-tests.c -@@ -99,7 +99,7 @@ START_TEST(test_symlink) - - ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); - fail_unless(ret == newpath_length - 1, -- "snprintf failed: expected [%d] got [%d]", newpath_length -1, -+ "snprintf failed: expected [%zd] got [%d]", newpath_length - 1, - ret); - - ret = symlink(filename, newpath); -@@ -126,7 +126,7 @@ START_TEST(test_follow_symlink) - - ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); - fail_unless(ret == newpath_length - 1, -- "snprintf failed: expected [%d] got [%d]", newpath_length -1, -+ "snprintf failed: expected [%zd] got [%d]", newpath_length - 1, - ret); - - ret = symlink(filename, newpath); --- -2.28.0.rc2 - - -From 96dac929c1ff48729f60eb8aab8809dc925c1552 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:09 +0000 -Subject: [PATCH 09/19] =?UTF-8?q?REFCOUNT-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/refcount-tests.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/tests/refcount-tests.c b/src/tests/refcount-tests.c -index 232302f38..4907ab5fb 100644 ---- a/src/tests/refcount-tests.c -+++ b/src/tests/refcount-tests.c -@@ -90,29 +90,29 @@ START_TEST(test_refcount_basic) - - /* First allocate our global storage place. */ - global = talloc(NULL, struct container); -- fail_if(global == NULL); -+ fail_if(global == NULL, "Failed to allocate memory"); - - /* Allocate foo. */ - global->foo = rc_alloc(global, struct foo); -- fail_if(global->foo == NULL); -+ fail_if(global->foo == NULL, "Failed to allocate memory"); - SET_FILLER(global->foo); - REF_ASSERT(global->foo, 1); - - /* Allocate bar. */ - global->bar = rc_alloc(global, struct bar); -- fail_if(global->bar == NULL); -+ fail_if(global->bar == NULL, "Failed to allocate memory"); - SET_FILLER(global->bar); - REF_ASSERT(global->bar, 1); - - /* Allocate baz. */ - global->baz = rc_alloc(global, struct baz); -- fail_if(global->baz == NULL); -+ fail_if(global->baz == NULL, "Failed to allocate memory"); - SET_FILLER(global->baz); - REF_ASSERT(global->baz, 1); - - /* Try multiple attaches. */ - containers = talloc_array(NULL, struct container, 100); -- fail_if(containers == NULL); -+ fail_if(containers == NULL, "Failed to allocate memory"); - for (i = 0; i < 100; i++) { - containers[i].foo = rc_reference(containers, struct foo, global->foo); - containers[i].bar = rc_reference(containers, struct bar, global->bar); -@@ -153,15 +153,17 @@ START_TEST(test_refcount_swap) - - /* Allocate. */ - container1->foo = rc_alloc(container1, struct foo); -- fail_if(container1->foo == NULL); -+ fail_if(container1->foo == NULL, "Failed to allocate memory"); - SET_FILLER(container1->foo); - - /* Reference. */ - container2->foo = rc_reference(container2, struct foo, container1->foo); -- fail_if(container2->foo == NULL); -+ fail_if(container2->foo == NULL, "Failed to allocate memory"); - - /* Make sure everything is as it should be. */ -- fail_unless(container1->foo == container2->foo); -+ fail_unless(container1->foo == container2->foo, -+ "Values have to be equal. %p == %p", -+ container1->foo, container2->foo); - REF_ASSERT(container1->foo, 2); - - /* Free in reverse order. */ --- -2.28.0.rc2 - - -From 686d7c8f0432aeb7b36a807adaccf2173cfdf5cc Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:10 +0000 -Subject: [PATCH 10/19] =?UTF-8?q?FAIL-OVER-TESTS:=20Fix=20error=20too=20fe?= - =?UTF-8?q?w=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffaile?= - =?UTF-8?q?d=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/fail_over-tests.c | 63 ++++++++++++++++++++++++------------- - 1 file changed, 42 insertions(+), 21 deletions(-) - -diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c -index b2269ef3b..4afbc7933 100644 ---- a/src/tests/fail_over-tests.c -+++ b/src/tests/fail_over-tests.c -@@ -116,24 +116,30 @@ START_TEST(test_fo_new_service) - - ck_leaks_push(ctx); - ret = fo_new_service(ctx->fo_ctx, buf, NULL, &services[i]); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "fo_new_service failed with error: %d", ret); - } - - ret = fo_new_service(ctx->fo_ctx, "service_3", NULL, &service); -- fail_if(ret != EEXIST); -+ fail_if(ret != EEXIST, -+ "fo_new_service must return EEXIST. Got: %d", ret); - - for (i = 9; i >= 0; i--) { - char buf[16]; - sprintf(buf, "service_%d", i); - - ret = fo_get_service(ctx->fo_ctx, buf, &service); -- fail_if(ret != EOK); -- fail_if(service != services[i]); -+ fail_if(ret != EOK, -+ "fo_get_service failed with error: %d", ret); -+ fail_if(service != services[i], -+ "Unexpected service returned. %p != %p", -+ service, services[i]); - talloc_free(service); - ck_leaks_pop(ctx); - - ret = fo_get_service(ctx->fo_ctx, buf, &service); -- fail_if(ret != ENOENT); -+ fail_if(ret != ENOENT, -+ "fo_get_service must return ENOENT. Got: %d", ret); - } - - ck_leaks_pop(ctx); -@@ -162,7 +168,8 @@ test_resolve_service_callback(struct tevent_req *req) - task->location, task->recv, recv_status); - if (recv_status != EOK) - return; -- fail_if(server == NULL); -+ fail_if(server == NULL, -+ "fo_resolve_service_recv must not return NULL for server"); - port = fo_get_server_port(server); - fail_if(port != task->port, "%s: Expected port %d, got %d", task->location, - task->port, port); -@@ -179,7 +186,8 @@ test_resolve_service_callback(struct tevent_req *req) - char buf[256]; - - inet_ntop(he->family, he->addr_list[i]->ipaddr, buf, sizeof(buf)); -- fail_if(strcmp(buf, "127.0.0.1") != 0 && strcmp(buf, "::1") != 0); -+ fail_if(strcmp(buf, "127.0.0.1") != 0 && strcmp(buf, "::1") != 0, -+ "Expecting either '127.0.0.1' or '::1'. Got: %s", buf); - } - } - -@@ -204,7 +212,7 @@ _get_request(struct test_ctx *test_ctx, struct fo_service *service, - struct task *task; - - task = talloc(test_ctx, struct task); -- fail_if(task == NULL); -+ fail_if(task == NULL, "Failed to allocate memory"); - - task->test_ctx = test_ctx; - task->recv = expected_recv; -@@ -228,27 +236,40 @@ START_TEST(test_fo_resolve_service) - { - struct test_ctx *ctx; - struct fo_service *service[3]; -+ int ret; - - ctx = setup_test(); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - - /* Add service. */ -- fail_if(fo_new_service(ctx->fo_ctx, "http", NULL, &service[0]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "http", NULL, &service[0]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - -- fail_if(fo_new_service(ctx->fo_ctx, "ldap", NULL, &service[1]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "ldap", NULL, &service[1]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - -- fail_if(fo_new_service(ctx->fo_ctx, "ntp", NULL, &service[2]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "ntp", NULL, &service[2]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - - /* Add servers. */ -- fail_if(fo_add_server(service[0], "localhost", 20, NULL, true) != EOK); -- fail_if(fo_add_server(service[0], "127.0.0.1", 80, NULL, false) != EOK); -- -- fail_if(fo_add_server(service[1], "localhost", 30, NULL, false) != EOK); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EOK); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EEXIST); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, false) != EEXIST); -- -- fail_if(fo_add_server(service[2], NULL, 123, NULL, true) != EOK); -+ ret = fo_add_server(service[0], "localhost", 20, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[0], "127.0.0.1", 80, NULL, false); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ -+ ret = fo_add_server(service[1], "localhost", 30, NULL, false); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, true); -+ fail_if(ret != EEXIST, -+ "fo_add_server must fail with EEXIST. Got: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, false); -+ fail_if(ret != EEXIST, -+ "fo_add_server must fail with EEXIST. Got: %d", ret); -+ -+ ret = fo_add_server(service[2], NULL, 123, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); - - /* Make requests. */ - get_request(ctx, service[0], EOK, 20, PORT_WORKING, -1); --- -2.28.0.rc2 - - -From 0261117370d3d504a0aa0c95a2dc11b10429430c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:11 +0000 -Subject: [PATCH 11/19] FAIL-OVER-TESTS: Fix format string issues - ---- - src/tests/fail_over-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c -index 4afbc7933..d7bd173d6 100644 ---- a/src/tests/fail_over-tests.c -+++ b/src/tests/fail_over-tests.c -@@ -164,7 +164,7 @@ test_resolve_service_callback(struct tevent_req *req) - - recv_status = fo_resolve_service_recv(req, req, &server); - talloc_free(req); -- fail_if(recv_status != task->recv, "%s: Expected return of %d, got %d", -+ fail_if(recv_status != task->recv, "%s: Expected return of %d, got %"PRIu64, - task->location, task->recv, recv_status); - if (recv_status != EOK) - return; --- -2.28.0.rc2 - - -From 45f1f0b2d0ac9fb98aff79a453b0228a81c35f7f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:12 +0000 -Subject: [PATCH 12/19] AUTH-TESTS: Fix format string issues - ---- - src/tests/auth-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c -index 67c664882..69998706e 100644 ---- a/src/tests/auth-tests.c -+++ b/src/tests/auth-tests.c -@@ -203,7 +203,7 @@ static void do_failed_login_test(uint32_t failed_login_attempts, - - fail_unless(delayed_until == expected_delay, - "check_failed_login_attempts wrong delay, " -- "expected [%d], got [%d]", -+ "expected [%ld], got [%ld]", - expected_delay, delayed_until); - - talloc_free(test_ctx); --- -2.28.0.rc2 - - -From fb4a22c39b16899edebdf90d71ed16e0700597c6 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:13 +0000 -Subject: [PATCH 13/19] =?UTF-8?q?IPA-LDAP-OPT-TESTS:=20Fix=20error=20too?= - =?UTF-8?q?=20few=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5F?= - =?UTF-8?q?failed=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/ipa_ldap_opt-tests.c | 87 ++++++++++++++++++++++------------ - 1 file changed, 57 insertions(+), 30 deletions(-) - -diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c -index 8c7c81f7d..9c3bede9b 100644 ---- a/src/tests/ipa_ldap_opt-tests.c -+++ b/src/tests/ipa_ldap_opt-tests.c -@@ -171,18 +171,26 @@ END_TEST - - static void fail_unless_dp_opt_is_terminator(struct dp_option *o) - { -- fail_unless(o->opt_name == NULL); -- fail_unless(o->type == 0); -- fail_unless(o->def_val.string == NULL); -- fail_unless(o->val.string == NULL); -+ fail_unless(o->opt_name == NULL, -+ "Unexpected NULL for opt_name in dp_option"); -+ fail_unless(o->type == 0, -+ "Unexpected 0 for type in dp_option"); -+ fail_unless(o->def_val.string == NULL, -+ "Unexpected NULL for def_val.string in dp_option"); -+ fail_unless(o->val.string == NULL, -+ "Unexpected NULL for val.string in dp_option"); - } - - static void fail_unless_sdap_opt_is_terminator(struct sdap_attr_map *m) - { -- fail_unless(m->name == NULL); -- fail_unless(m->def_name == NULL); -- fail_unless(m->sys_name == NULL); -- fail_unless(m->opt_name == NULL); -+ fail_unless(m->name == NULL, -+ "Unexpected NULL for name in sdap_attr_map"); -+ fail_unless(m->def_name == NULL, -+ "Unexpected NULL for def_name in sdap_attr_map"); -+ fail_unless(m->sys_name == NULL, -+ "Unexpected NULL for sys_name in sdap_attr_map"); -+ fail_unless(m->opt_name == NULL, -+ "Unexpected NULL for opt_name in sdap_attr_map"); - } - - START_TEST(test_dp_opt_sentinel) -@@ -325,37 +333,53 @@ START_TEST(test_copy_sdap_map) - ret = sdap_copy_map(global_talloc_context, - rfc2307_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - rfc2307bis_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - ipa_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - gen_ad2008r2_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - } - END_TEST -@@ -382,14 +406,15 @@ START_TEST(test_extra_opts) - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - - /* Two extra and sentinel */ -- fail_unless(new_size != SDAP_OPTS_USER + 3); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 3); - /* Foo would be saved to sysdb verbatim */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER].name, "foo"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER].sys_name, "foo"); - /* Bar would be saved to sysdb as baz */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].name, "bar"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].sys_name, "baz"); -- fail_unless(out_map[SDAP_OPTS_USER+2].name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER+2].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER + 2); - - talloc_free(out_map); - } -@@ -413,8 +438,9 @@ START_TEST(test_no_extra_opts) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - /* Attributes and sentinel */ -- fail_unless(new_size != SDAP_OPTS_USER + 1); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - - talloc_free(out_map); - } -@@ -441,8 +467,9 @@ START_TEST(test_extra_opts_neg) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", strerror(ret)); - /* The faulty attributes would be just skipped */ -- fail_unless(new_size != SDAP_OPTS_USER + 1); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - - talloc_free(out_map); - } --- -2.28.0.rc2 - - -From 9731df5ac6c7f7a9ad5bd50ba25598c4ffa79e46 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:14 +0000 -Subject: [PATCH 14/19] =?UTF-8?q?CRYPTO-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/crypto-tests.c | 63 ++++++++++++++++++++++++---------------- - 1 file changed, 38 insertions(+), 25 deletions(-) - -diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c -index 6f5e22a87..4af82b078 100644 ---- a/src/tests/crypto-tests.c -+++ b/src/tests/crypto-tests.c -@@ -40,10 +40,13 @@ START_TEST(test_nss_init) - int ret; - - ret = nspr_nss_init(); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "nspr_nss_init failed with error: %d", ret); -+ - - ret = nspr_nss_cleanup(); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "nspr_nss_cleanup failed with error: %d", ret); - } - END_TEST - #endif -@@ -67,18 +70,22 @@ START_TEST(test_sss_password_encrypt_decrypt) - #endif - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - ck_leaks_push(test_ctx); - - for (i=0; password[i]; i++) { - ret = sss_password_encrypt(test_ctx, password[i], strlen(password[i])+1, - AES_256, &obfpwd); -- fail_if(ret != expected); -+ ck_assert_int_eq(ret, expected); - - ret = sss_password_decrypt(test_ctx, obfpwd, &ctpwd); -- fail_if(ret != expected); -+ ck_assert_int_eq(ret, expected); - -- fail_if(ctpwd && strcmp(password[i], ctpwd) != 0); -+ fail_if(ctpwd == NULL, -+ "sss_password_decrypt must not return NULL"); -+ fail_if(strcmp(password[i], ctpwd) != 0, -+ "Unexpected decrypted password. Expected: %s got: %s", -+ password[i], ctpwd); - - talloc_free(obfpwd); - talloc_free(ctpwd); -@@ -116,8 +123,10 @@ START_TEST(test_hmac_sha1) - ret = sss_hmac_sha1((const unsigned char *)keys[i], strlen(keys[i]), - (const unsigned char *)message, strlen(message), - out); -- fail_if(ret != expected); -- fail_if(ret == EOK && memcmp(out, results[i], SSS_SHA1_LENGTH) != 0); -+ ck_assert_int_eq(ret, expected); -+ ck_assert_int_eq(ret, EOK); -+ fail_if(memcmp(out, results[i], SSS_SHA1_LENGTH) != 0, -+ "Unexpected result for index: %d", i); - } - } - END_TEST -@@ -129,11 +138,13 @@ START_TEST(test_base64_encode) - char *obfpwd = NULL; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - /* Base64 encode the buffer */ - obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf)); -- fail_if(obfpwd == NULL); -- fail_if(strcmp(obfpwd,expected) != 0); -+ fail_if(obfpwd == NULL, -+ "sss_base64_encode must not return NULL"); -+ fail_if(strcmp(obfpwd, expected) != 0, -+ "Got: %s expected value: %s", obfpwd, expected); - - talloc_free(test_ctx); - } -@@ -147,12 +158,14 @@ START_TEST(test_base64_decode) - const unsigned char expected[] = "test"; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - /* Base64 decode the buffer */ - obfbuf = sss_base64_decode(test_ctx, b64encoded, &obflen); -- fail_if(!obfbuf); -- fail_if(obflen != strlen((const char*)expected)); -- fail_if(memcmp(obfbuf, expected, obflen) != 0); -+ fail_if(obfbuf == NULL, -+ "sss_base64_decode must not return NULL"); -+ ck_assert_int_eq(obflen, strlen((const char*)expected)); -+ fail_if(memcmp(obfbuf, expected, obflen) != 0, -+ "Unexpected vale returned after sss_base64_decode"); - - talloc_free(test_ctx); - } -@@ -176,14 +189,14 @@ START_TEST(test_sss_encrypt_decrypt) - int ret; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, - (const uint8_t *)input_text, input_text_len, - &cipher_text, &cipher_text_len); - -- fail_if(ret != 0); -- fail_if(cipher_text_len == 0); -+ fail_if(ret != 0, "sss_encrypt failed with error: %d", ret); -+ fail_if(cipher_text_len == 0, "cipher_text_len must not be zero"); - - ret = memcmp(input_text, cipher_text, input_text_len); - fail_if(ret == 0, "Input and encrypted text has common prefix"); -@@ -191,8 +204,8 @@ START_TEST(test_sss_encrypt_decrypt) - ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, - cipher_text, cipher_text_len, - &plain_text, &plain_text_len); -- fail_if(ret != 0); -- fail_if(plain_text_len != input_text_len); -+ fail_if(ret != 0, "sss_decrypt failed with error: %d", ret); -+ ck_assert_int_eq(plain_text_len, input_text_len); - - ret = memcmp(plain_text, input_text, input_text_len); - fail_if(ret != 0, "input text is not the same as de-encrypted text"); -@@ -211,21 +224,21 @@ START_TEST(test_s3crypt_sha512) - const char *expected_hash = "$6$tU67Q/9h3tm5WJ.U$aL9gjCfiSZQewHTI6A4/MHCVWrMCiJZ.gNXEIw6HO39XGbg.s2nTyGlYXeoQyQtDll3XSbIZN41fJEC3v7ELy0"; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - ret = s3crypt_gen_salt(test_ctx, &salt); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_gen_salt failed with error: %d", ret); - - ret = s3crypt_sha512(test_ctx, password, salt, &userhash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - - ret = s3crypt_sha512(test_ctx, password, userhash, &comphash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - ck_assert_str_eq(userhash, comphash); - talloc_free(comphash); - - ret = s3crypt_sha512(test_ctx, password, expected_hash, &comphash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - ck_assert_str_eq(expected_hash, comphash); - - talloc_free(test_ctx); --- -2.28.0.rc2 - - -From bcc95a78395f5ec982ba90485eb6251e85b8678c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:15 +0000 -Subject: [PATCH 15/19] =?UTF-8?q?UTIL-TESTS:=20Fix=20error=20too=20few=20a?= - =?UTF-8?q?rguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/util-tests.c | 52 +++++++++++++++++++++++++++--------------- - 1 file changed, 34 insertions(+), 18 deletions(-) - -diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c -index e331f8260..11642d9b6 100644 ---- a/src/tests/util-tests.c -+++ b/src/tests/util-tests.c -@@ -445,15 +445,18 @@ START_TEST(test_fd_nonblocking) - errno_t ret; - - fd = open("/dev/null", O_RDONLY); -- fail_unless(fd > 0); -+ fail_unless(fd > 0, -+ "open failed with errno: %d", errno); - - flags = fcntl(fd, F_GETFL, 0); -- fail_if(flags & O_NONBLOCK); -+ fail_if(flags & O_NONBLOCK, -+ "Unexpected flag O_NONBLOCK[%x] in [%x]", O_NONBLOCK, flags); - - ret = sss_fd_nonblocking(fd); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sss_fd_nonblocking failed with error: %d", ret); - flags = fcntl(fd, F_GETFL, 0); -- fail_unless(flags & O_NONBLOCK); -+ fail_unless(flags & O_NONBLOCK, -+ "Flag O_NONBLOCK[%x] is missing in [%x]", O_NONBLOCK, flags); - close(fd); - } - END_TEST -@@ -482,8 +485,9 @@ START_TEST(test_utf8_lowercase) - lcase = sss_utf8_tolower(munchen_utf8_upcase, - strlen((const char *)munchen_utf8_upcase), - &nlen); -- fail_if(strlen((const char *) munchen_utf8_upcase) != nlen); /* This is not true for utf8 strings in general */ -- fail_if(memcmp(lcase, munchen_utf8_lowcase, nlen)); -+ ck_assert_int_eq(strlen((const char *) munchen_utf8_upcase), nlen); /* This is not true for utf8 strings in general */ -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nlen), -+ "Unexpected binary values"); - sss_utf8_free(lcase); - } - END_TEST -@@ -497,12 +501,13 @@ START_TEST(test_utf8_talloc_lowercase) - - TALLOC_CTX *test_ctx; - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - lcase = sss_tc_utf8_tolower(test_ctx, munchen_utf8_upcase, - strlen((const char *) munchen_utf8_upcase), - &nsize); -- fail_if(memcmp(lcase, munchen_utf8_lowcase, nsize)); -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nsize), -+ "Unexpected binary values"); - talloc_free(test_ctx); - } - END_TEST -@@ -515,10 +520,11 @@ START_TEST(test_utf8_talloc_str_lowercase) - - TALLOC_CTX *test_ctx; - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - lcase = sss_tc_utf8_str_tolower(test_ctx, (const char *) munchen_utf8_upcase); -- fail_if(memcmp(lcase, munchen_utf8_lowcase, strlen(lcase))); -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, strlen(lcase)), -+ "Unexpected binary values"); - talloc_free(test_ctx); - } - END_TEST -@@ -569,7 +575,9 @@ START_TEST(test_murmurhash3_check) - strlen(tests[i]), - 0xdeadbeef); - for (j = 0; j < i; j++) { -- fail_if(results[i] == results[j]); -+ fail_if(results[i] == results[j], -+ "Values have to be different. '%"PRIu32"' == '%"PRIu32"'", -+ results[i], results[j]); - } - } - } -@@ -599,7 +607,7 @@ START_TEST(test_murmurhash3_random) - - result1 = murmurhash3(test, len + 1, init_seed); - result2 = murmurhash3(test, len + 1, init_seed); -- fail_if(result1 != result2); -+ ck_assert_int_eq(result1, result2); - } - END_TEST - -@@ -1064,7 +1072,8 @@ static void convert_time_tz(const char* tz) - - if (tz) { - ret = setenv("TZ", tz, 1); -- fail_if(ret == -1); -+ fail_if(ret == -1, -+ "setenv failed with errno: %d", errno); - } - - ret = sss_utc_to_time_t("20140801115742Z", "%Y%m%d%H%M%SZ", &unix_time); -@@ -1072,9 +1081,12 @@ static void convert_time_tz(const char* tz) - /* restore */ - if (orig_tz != NULL) { - ret2 = setenv("TZ", orig_tz, 1); -- fail_if(ret2 == -1); -+ fail_if(ret2 == -1, -+ "setenv failed with errno: %d", errno); - } -- fail_unless(ret == EOK && difftime(1406894262, unix_time) == 0); -+ fail_unless(ret == EOK && difftime(1406894262, unix_time) == 0, -+ "Expecting 1406894262 got: ret[%d] unix_time[%ld]", -+ ret, unix_time); - } - - START_TEST(test_convert_time) -@@ -1084,11 +1096,15 @@ START_TEST(test_convert_time) - errno_t ret; - - ret = sss_utc_to_time_t("20150127133540P", format, &unix_time); -- fail_unless(ret == ERR_TIMESPEC_NOT_SUPPORTED); -+ fail_unless(ret == ERR_TIMESPEC_NOT_SUPPORTED, -+ "sss_utc_to_time_t must fail with %d. got: %d", -+ ERR_TIMESPEC_NOT_SUPPORTED, ret); - ret = sss_utc_to_time_t("0Z", format, &unix_time); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "sss_utc_to_time_t must fail with EINVAL. got: %d", ret); - ret = sss_utc_to_time_t("000001010000Z", format, &unix_time); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "sss_utc_to_time_t must fail with EINVAL. got: %d", ret); - - /* test that results are still same no matter what timezone is set */ - convert_time_tz(NULL); --- -2.28.0.rc2 - - -From deef3642e58ea3d2041732f59648b398c9a6838f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:16 +0000 -Subject: [PATCH 16/19] UTIL-TESTS: Fix format string issues - ---- - src/tests/util-tests.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c -index 11642d9b6..bf9779a22 100644 ---- a/src/tests/util-tests.c -+++ b/src/tests/util-tests.c -@@ -659,7 +659,7 @@ START_TEST(test_atomicio_read_from_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == bufsize, -- "Read %d bytes expected %d\n", numread, bufsize); -+ "Read %zd bytes expected %zd\n", numread, bufsize); - close(fd); - } - END_TEST -@@ -681,7 +681,7 @@ START_TEST(test_atomicio_read_from_small_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -692,7 +692,7 @@ START_TEST(test_atomicio_read_from_small_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - } - END_TEST - -@@ -714,7 +714,7 @@ START_TEST(test_atomicio_read_from_large_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -731,7 +731,7 @@ START_TEST(test_atomicio_read_from_large_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(total == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - } - END_TEST - -@@ -752,7 +752,7 @@ START_TEST(test_atomicio_read_exact_sized_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -763,7 +763,7 @@ START_TEST(test_atomicio_read_exact_sized_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - - fail_unless(rbuf[8] == '\0', "String not NULL terminated?"); - fail_unless(strcmp(wbuf, rbuf) == 0, "Read something else than wrote?"); -@@ -794,7 +794,7 @@ START_TEST(test_atomicio_read_from_empty_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == 0, -- "Read %d bytes expected 0\n", numread); -+ "Read %zd bytes expected 0\n", numread); - close(fd); - } - END_TEST --- -2.28.0.rc2 - - -From 1bb674dfe22027d26e91fa8fc27ab9d1588fefbf Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:17 +0000 -Subject: [PATCH 17/19] =?UTF-8?q?IPA-HBAC-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/ipa_hbac-tests.c | 195 ++++++++++++++++++--------------- - src/tests/ipa_ldap_opt-tests.c | 12 +- - 2 files changed, 116 insertions(+), 91 deletions(-) - -diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c -index c8ef7fe44..2d8f8a980 100644 ---- a/src/tests/ipa_hbac-tests.c -+++ b/src/tests/ipa_hbac-tests.c -@@ -75,30 +75,30 @@ static void get_allow_all_rule(TALLOC_CTX *mem_ctx, - * remote hosts. - */ - rule = talloc_zero(mem_ctx, struct hbac_rule); -- fail_if (rule == NULL); -+ fail_if (rule == NULL, "Failed to allocate memory"); - - rule->enabled = true; - - rule->services = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->services == NULL); -+ fail_if (rule->services == NULL, "Failed to allocate memory"); - rule->services->category = HBAC_CATEGORY_ALL; - rule->services->names = NULL; - rule->services->groups = NULL; - - rule->users = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->users == NULL); -+ fail_if (rule->users == NULL, "Failed to allocate memory"); - rule->users->category = HBAC_CATEGORY_ALL; - rule->users->names = NULL; - rule->users->groups = NULL; - - rule->targethosts = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->targethosts == NULL); -+ fail_if (rule->targethosts == NULL, "Failed to allocate memory"); - rule->targethosts->category = HBAC_CATEGORY_ALL; - rule->targethosts->names = NULL; - rule->targethosts->groups = NULL; - - rule->srchosts = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->srchosts == NULL); -+ fail_if (rule->srchosts == NULL, "Failed to allocate memory"); - rule->srchosts->category = HBAC_CATEGORY_ALL; - rule->srchosts->names = NULL; - rule->srchosts->groups = NULL; -@@ -112,19 +112,19 @@ static void get_test_user(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_user; - - new_user = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_user == NULL); -+ fail_if (new_user == NULL, "Failed to allocate memory"); - - new_user->name = talloc_strdup(new_user, HBAC_TEST_USER); -- fail_if(new_user->name == NULL); -+ fail_if(new_user->name == NULL, "Failed to allocate memory"); - - new_user->groups = talloc_array(new_user, const char *, 3); -- fail_if(new_user->groups == NULL); -+ fail_if(new_user->groups == NULL, "Failed to allocate memory"); - - new_user->groups[0] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP1); -- fail_if(new_user->groups[0] == NULL); -+ fail_if(new_user->groups[0] == NULL, "Failed to allocate memory"); - - new_user->groups[1] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP2); -- fail_if(new_user->groups[1] == NULL); -+ fail_if(new_user->groups[1] == NULL, "Failed to allocate memory"); - - new_user->groups[2] = NULL; - -@@ -137,19 +137,19 @@ static void get_test_service(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_service; - - new_service = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_service == NULL); -+ fail_if (new_service == NULL, "Failed to allocate memory"); - - new_service->name = talloc_strdup(new_service, HBAC_TEST_SERVICE); -- fail_if(new_service->name == NULL); -+ fail_if(new_service->name == NULL, "Failed to allocate memory"); - - new_service->groups = talloc_array(new_service, const char *, 3); -- fail_if(new_service->groups == NULL); -+ fail_if(new_service->groups == NULL, "Failed to allocate memory"); - - new_service->groups[0] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP1); -- fail_if(new_service->groups[0] == NULL); -+ fail_if(new_service->groups[0] == NULL, "Failed to allocate memory"); - - new_service->groups[1] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP2); -- fail_if(new_service->groups[1] == NULL); -+ fail_if(new_service->groups[1] == NULL, "Failed to allocate memory"); - - new_service->groups[2] = NULL; - -@@ -162,21 +162,21 @@ static void get_test_srchost(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_srchost; - - new_srchost = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_srchost == NULL); -+ fail_if (new_srchost == NULL, "Failed to allocate memory"); - - new_srchost->name = talloc_strdup(new_srchost, HBAC_TEST_SRCHOST); -- fail_if(new_srchost->name == NULL); -+ fail_if(new_srchost->name == NULL, "Failed to allocate memory"); - - new_srchost->groups = talloc_array(new_srchost, const char *, 3); -- fail_if(new_srchost->groups == NULL); -+ fail_if(new_srchost->groups == NULL, "Failed to allocate memory"); - - new_srchost->groups[0] = talloc_strdup(new_srchost->groups, - HBAC_TEST_SRCHOSTGROUP1); -- fail_if(new_srchost->groups[0] == NULL); -+ fail_if(new_srchost->groups[0] == NULL, "Failed to allocate memory"); - - new_srchost->groups[1] = talloc_strdup(new_srchost->groups, - HBAC_TEST_SRCHOSTGROUP2); -- fail_if(new_srchost->groups[1] == NULL); -+ fail_if(new_srchost->groups[1] == NULL, "Failed to allocate memory"); - - new_srchost->groups[2] = NULL; - -@@ -197,7 +197,7 @@ START_TEST(ipa_hbac_test_allow_all) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -205,17 +205,18 @@ START_TEST(ipa_hbac_test_allow_all) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - rules[0]->name = talloc_strdup(rules[0], "Allow All"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[1] = NULL; - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -245,7 +246,7 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -253,17 +254,17 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific user */ - rules[0]->name = talloc_strdup(rules[0], "Allow user"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - rules[0]->users->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->names == NULL); -+ fail_if(rules[0]->users->names == NULL, "Failed to allocate memory"); - - rules[0]->users->names[0] = HBAC_TEST_USER; - rules[0]->users->names[1] = NULL; -@@ -272,8 +273,9 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -291,8 +293,9 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -323,7 +326,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -336,17 +339,17 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - rules[0]->name = talloc_strdup(rules[0], "Allow user"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - /* Modify the rule to allow only a specific user */ - rules[0]->users->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->names == NULL); -+ fail_if(rules[0]->users->names == NULL, "Failed to allocate memory"); - - rules[0]->users->names[0] = (const char *) &user_utf8_upcase; - rules[0]->users->names[1] = NULL; -@@ -355,7 +358,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->services->names[0] = (const char *) &service_utf8_upcase; - rules[0]->services->names[1] = NULL; -@@ -364,7 +367,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->names[0] = (const char *) &srchost_utf8_upcase; - rules[0]->srchosts->names[1] = NULL; -@@ -373,8 +376,9 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -409,8 +413,9 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -441,7 +446,7 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -449,18 +454,18 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow group"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - rules[0]->users->names = NULL; - rules[0]->users->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->groups == NULL); -+ fail_if(rules[0]->users->groups == NULL, "Failed to allocate memory"); - - rules[0]->users->groups[0] = HBAC_TEST_GROUP1; - rules[0]->users->groups[1] = NULL; -@@ -469,8 +474,9 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -488,8 +494,9 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -520,7 +527,7 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -528,17 +535,17 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific service */ - rules[0]->name = talloc_strdup(rules[0], "Allow service"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->services->names[0] = HBAC_TEST_SERVICE; - rules[0]->services->names[1] = NULL; -@@ -547,8 +554,9 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -566,8 +574,9 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -598,7 +607,7 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -606,18 +615,18 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = NULL; - rules[0]->services->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->groups == NULL); -+ fail_if(rules[0]->services->groups == NULL, "Failed to allocate memory"); - - rules[0]->services->groups[0] = HBAC_TEST_SERVICEGROUP1; - rules[0]->services->groups[1] = NULL; -@@ -626,8 +635,9 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -645,8 +655,9 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -677,7 +688,7 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -685,17 +696,17 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific service */ - rules[0]->name = talloc_strdup(rules[0], "Allow srchost"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->srchosts->names == NULL); -+ fail_if(rules[0]->srchosts->names == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->names[0] = HBAC_TEST_SRCHOST; - rules[0]->srchosts->names[1] = NULL; -@@ -704,8 +715,9 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -723,8 +735,9 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -755,7 +768,7 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -763,18 +776,18 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = NULL; - rules[0]->srchosts->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->srchosts->groups == NULL); -+ fail_if(rules[0]->srchosts->groups == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->groups[0] = HBAC_TEST_SRCHOSTGROUP1; - rules[0]->srchosts->groups[1] = NULL; -@@ -783,8 +796,9 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -802,8 +816,9 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -833,11 +848,15 @@ START_TEST(ipa_hbac_test_incomplete) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rule, &missing_attrs); -- fail_if(is_valid); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS); -+ fail_if(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_USERS"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_SERVICES"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_TARGETHOSTS"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_SOURCEHOSTS"); - - talloc_free(test_ctx); - } -diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c -index 9c3bede9b..f3de4fadf 100644 ---- a/src/tests/ipa_ldap_opt-tests.c -+++ b/src/tests/ipa_ldap_opt-tests.c -@@ -406,7 +406,9 @@ START_TEST(test_extra_opts) - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - - /* Two extra and sentinel */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 3); -+ fail_if(new_size == SDAP_OPTS_USER + 3, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 3); - /* Foo would be saved to sysdb verbatim */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER].name, "foo"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER].sys_name, "foo"); -@@ -438,7 +440,9 @@ START_TEST(test_no_extra_opts) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - /* Attributes and sentinel */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_if(new_size == SDAP_OPTS_USER + 1, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 1); - fail_unless(out_map[SDAP_OPTS_USER].name == NULL, - "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - -@@ -467,7 +471,9 @@ START_TEST(test_extra_opts_neg) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", strerror(ret)); - /* The faulty attributes would be just skipped */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_if(new_size == SDAP_OPTS_USER + 1, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 1); - fail_unless(out_map[SDAP_OPTS_USER].name == NULL, - "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - --- -2.28.0.rc2 - - -From 9f2f908789552fdc07062a2d0b14ef38c1f6608b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:18 +0000 -Subject: [PATCH 18/19] SSS-IDMAP-TESTS: Fix format string issues - ---- - src/tests/sss_idmap-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c -index e5f3f7041..3672d1c0c 100644 ---- a/src/tests/sss_idmap-tests.c -+++ b/src/tests/sss_idmap-tests.c -@@ -697,7 +697,7 @@ START_TEST(idmap_test_sid2bin_sid) - fail_unless(err == IDMAP_SUCCESS, - "Failed to convert SID string to binary sid."); - fail_unless(length == test_bin_sid_length, -- "Size of binary SIDs do not match, got [%d], expected [%d]", -+ "Size of binary SIDs do not match, got [%zu], expected [%zu]", - length, test_bin_sid_length); - fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, - "Binary SIDs do not match"); -@@ -756,7 +756,7 @@ START_TEST(idmap_test_smb_sid2bin_sid) - fail_unless(err == IDMAP_SUCCESS, - "Failed to convert samba dom_sid to binary sid."); - fail_unless(length == test_bin_sid_length, -- "Size of binary SIDs do not match, got [%d], expected [%d]", -+ "Size of binary SIDs do not match, got [%zu], expected [%zu]", - length, test_bin_sid_length); - fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, - "Binary SIDs do not match."); --- -2.28.0.rc2 - - -From 1c28c2233cc6230f68f5fc335b4490d2d5cfbc96 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:19 +0000 -Subject: [PATCH 19/19] RESPONDER-SOCKET-ACCESS-TESTS: Fix format string issues - ---- - src/tests/responder_socket_access-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/responder_socket_access-tests.c b/src/tests/responder_socket_access-tests.c -index 8bb72e79c..70b90a758 100644 ---- a/src/tests/responder_socket_access-tests.c -+++ b/src/tests/responder_socket_access-tests.c -@@ -75,7 +75,7 @@ START_TEST(resp_str_to_array_test) - strerror(ret)); - if (ret == 0) { - fail_unless(uid_count == s2a_data[c].exp_count, -- "Wrong number of values, expected [%d], got [%d].", -+ "Wrong number of values, expected [%zu], got [%zu].", - s2a_data[c].exp_count, uid_count); - for (d = 0; d < s2a_data[c].exp_count; d++) { - fail_unless(uids[d] == s2a_data[c].exp_uids[d], --- -2.28.0.rc2 - diff --git a/0001-kcm-fix-typos-in-debug-messages.patch b/0001-kcm-fix-typos-in-debug-messages.patch new file mode 100644 index 0000000..399c6c6 --- /dev/null +++ b/0001-kcm-fix-typos-in-debug-messages.patch @@ -0,0 +1,53 @@ +From b768a37d3f908a37f4c490a30df6559bc14c7451 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 14 Sep 2020 12:44:57 +0200 +Subject: [PATCH 01/19] kcm: fix typos in debug messages + +--- + src/responder/kcm/kcmsrv_ccache_json.c | 2 +- + src/responder/kcm/kcmsrv_cmd.c | 2 +- + src/responder/kcm/kcmsrv_ops.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index f78e9f58cee750f13d1085c3eb4a76235a4bcbb5..38ec53c408c3b9d44f37d102c4a0c976ef32bdfe 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -911,7 +911,7 @@ errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, + ret = sec_value_to_json(sec_value, &root); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot store secret to JSN [%d]: %s\n", ++ "Cannot store secret to JSON [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 421bf4bc5bb14d0ab9de6cd3be0e9d34d871ed9c..99980050f205730169f5907db4018e4fe57b046d 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -314,7 +314,7 @@ static void kcm_reply_error(struct cli_ctx *cctx, + krb5_error_code kerr; + + DEBUG(SSSDBG_OP_FAILURE, +- "KCM operation returs failure [%d]: %s\n", ++ "KCM operation returns failure [%d]: %s\n", + retcode, sss_strerror(retcode)); + kerr = sss2krb5_error(retcode); + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 6ac66c15090422ae83a2f51dbc80144a315a27f4..1e8e4d6a3b4feba5bac3eb0a5fa6a22a588ba985 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -1468,7 +1468,7 @@ static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq) + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "Cannot get ccahe by UUID [%d]: %s\n", ++ "Cannot get ccache by UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; +-- +2.25.4 + diff --git a/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch b/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch deleted file mode 100644 index b9b3e65..0000000 --- a/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch +++ /dev/null @@ -1,293 +0,0 @@ -From cb9ad222358a84e2b2ea148c2950c2389f81de2c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 27 Jul 2020 04:01:19 +0000 -Subject: [PATCH] DEBUG-TESTS: Fix warnings format not a string literal and no - format arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -e.g. -src/tests/resolv-tests.c: In function ‘test_timeout’: -src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security] - 942 | ck_leaks_pop(tmp_ctx); - | - -src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security] - 413 | fail_if(result == DEBUG_TEST_NOK_TS, msg); - | ^~~~~~~ - -src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’: -src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security] - 603 | fail(error_msg); - | - -src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’: -src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security] - 671 | fail_unless(result == 0, msg); - | ---- - src/tests/common_check.h | 2 +- - src/tests/debug-tests.c | 128 +++++++++++++++------------------------ - 2 files changed, 49 insertions(+), 81 deletions(-) - -diff --git a/src/tests/common_check.h b/src/tests/common_check.h -index 51c3c3f49..ac92d0a74 100644 ---- a/src/tests/common_check.h -+++ b/src/tests/common_check.h -@@ -31,6 +31,6 @@ void ck_leak_check_setup(void); - void ck_leak_check_teardown(void); - - #define ck_leaks_push(ctx) check_leaks_push(ctx) --#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg()) -+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg()) - - #endif /* __TESTS_COMMON_CHECK_H__ */ -diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c -index 1e78f506e..092ccf684 100644 ---- a/src/tests/debug-tests.c -+++ b/src/tests/debug-tests.c -@@ -55,10 +55,8 @@ START_TEST(test_debug_convert_old_level_old_format) - for (old_level = 0; old_level < N_ELEMENTS(levels); old_level++) { - expected_level |= levels[old_level]; - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level); -- fail_unless(debug_convert_old_level(old_level) == expected_level, msg); -- talloc_free(msg); -+ fail_unless(debug_convert_old_level(old_level) == expected_level, -+ "Invalid conversion of %d", old_level); - } - } - END_TEST -@@ -343,7 +341,6 @@ START_TEST(test_debug_is_set_single_no_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -357,15 +354,13 @@ START_TEST(test_debug_is_set_single_no_timestamp) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -387,7 +382,6 @@ START_TEST(test_debug_is_set_single_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 1; - debug_microseconds = 0; -@@ -402,20 +396,16 @@ START_TEST(test_debug_is_set_single_timestamp) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -- -- char *msg = NULL; -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]); -- fail_if(result == DEBUG_TEST_NOK_TS, msg); -- talloc_free(msg); -+ fail_if(result == DEBUG_TEST_NOK_TS, -+ "Test of level %#.4x failed - invalid timestamp", levels[i]); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -437,7 +427,6 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 1; - debug_microseconds = 1; -@@ -452,20 +441,16 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -- -- char *msg = NULL; -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]); -- fail_if(result == DEBUG_TEST_NOK_TS, msg); -- talloc_free(msg); -+ fail_if(result == DEBUG_TEST_NOK_TS, -+ "Test of level %#.4x failed - invalid timestamp", levels[i]); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -488,7 +473,6 @@ START_TEST(test_debug_is_notset_no_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -503,17 +487,13 @@ START_TEST(test_debug_is_notset_no_timestamp) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -536,7 +516,6 @@ START_TEST(test_debug_is_notset_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -551,17 +530,13 @@ START_TEST(test_debug_is_notset_timestamp) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -584,7 +559,6 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 1; -@@ -598,17 +572,13 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -635,10 +605,9 @@ START_TEST(test_debug_is_set_true) - - for (i = 0; i < N_ELEMENTS(levels); i++) { - result = DEBUG_IS_SET(levels[i]); -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result); -- fail_unless(result > 0, msg); -- talloc_free(msg); -+ fail_unless(result > 0, -+ "Test of level %#.4x failed - result is 0x%.4x", -+ levels[i], result); - } - } - END_TEST -@@ -666,10 +635,9 @@ START_TEST(test_debug_is_set_false) - debug_level = all_set & ~levels[i]; - - result = DEBUG_IS_SET(levels[i]); -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result); -- fail_unless(result == 0, msg); -- talloc_free(msg); -+ fail_unless(result == 0, -+ "Test of level %#.4x failed - result is 0x%.4x", -+ levels[i], result); - } - } - END_TEST --- -2.28.0.rc2 - diff --git a/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch b/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch new file mode 100644 index 0000000..e686442 --- /dev/null +++ b/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch @@ -0,0 +1,51 @@ +From a0e3759b733a5b5db82bea2ef35e1519ea8a9b1c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 16 Oct 2020 15:33:42 +0200 +Subject: [PATCH 02/19] kcm: avoid name confusion in GET_CRED_UUID_LIST + handlers + +The function name did not follow best practices and it got easily confused +with `kcm_op_get_cred_by_uuid_getbyname_done`. + +``` +kcm_op_get_cred_uuid_getbyname_done +kcm_op_get_cred_by_uuid_getbyname_done +``` +--- + src/responder/kcm/kcmsrv_ops.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 1e8e4d6a3b4feba5bac3eb0a5fa6a22a588ba985..7fc3b0a5c4e123a398ef103f3ce92b45bc68f5cf 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -1072,7 +1072,7 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq) + } + + /* (name) -> (uuid, ...) */ +-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq); ++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq); + + static struct tevent_req * + kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx, +@@ -1106,7 +1106,7 @@ kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx, + ret = ENOMEM; + goto immediate; + } +- tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_getbyname_done, req); ++ tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_list_getbyname_done, req); + return req; + + immediate: +@@ -1115,7 +1115,7 @@ immediate: + return req; + } + +-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq) ++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + { + errno_t ret; + struct kcm_ccache *cc; +-- +2.25.4 + diff --git a/0003-kcm-disable-encryption.patch b/0003-kcm-disable-encryption.patch new file mode 100644 index 0000000..882a018 --- /dev/null +++ b/0003-kcm-disable-encryption.patch @@ -0,0 +1,509 @@ +From 426947971cd94cc93dd120ca8ad9bcbeb47059c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 19 Oct 2020 12:59:48 +0200 +Subject: [PATCH 03/19] kcm: disable encryption + +Encryption was a huge bottleneck for the secdb backend. This is +backwards compatible and there is no need to destroy existing +ccache. It will be stored unencrypted at first write to the cache. + +Note that the encryption did not provide any security as the cache +is accessible only by root and the master key is stored together +with the cache. So once someone gains access to the file it can +be easily decrypted. Additionaly, there was also no encryption at +the memory level. + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 94 ++++----------- + src/responder/secrets/local.c | 2 +- + src/util/secrets/secrets.c | 149 +++++++++++++++++------- + src/util/secrets/secrets.h | 13 ++- + 4 files changed, 146 insertions(+), 112 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index ed1c8247febc0a49dfd35b99a788b60ce8dda109..e6f4f9b05d17956f771ed4db63dc4940be0a838b 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -35,15 +35,13 @@ + #define KCM_SECDB_CCACHE_FMT KCM_SECDB_BASE_FMT"ccache/" + #define KCM_SECDB_DFL_FMT KCM_SECDB_BASE_FMT"default" + +-static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf **_buf) ++static errno_t sec_get(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf **_buf) + { + errno_t ret; + TALLOC_CTX *tmp_ctx; +- char *b64_sec; +- uint8_t *data; +- size_t data_size; ++ char *secret; + struct sss_iobuf *buf; + + tmp_ctx = talloc_new(mem_ctx); +@@ -51,21 +49,15 @@ static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &b64_sec); ++ ret = sss_sec_get(tmp_ctx, req, &secret); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- data = sss_base64_decode(tmp_ctx, b64_sec, &data_size); +- if (data == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); +- ret = EIO; +- goto done; +- } +- +- buf = sss_iobuf_init_readonly(tmp_ctx, data, data_size); ++ buf = sss_iobuf_init_readonly(tmp_ctx, (const uint8_t *)secret, ++ strlen(secret) + 1); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); + ret = EIO; +@@ -79,73 +71,35 @@ done: + return ret; + } + +-static errno_t sec_put_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_put(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; + +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } +- +- ret = sss_sec_put(req, secret); ++ ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), ++ SSS_SEC_PLAINTEXT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +-static errno_t sec_update_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_update(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; + +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } +- +- ret = sss_sec_update(req, secret); ++ ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), ++ SSS_SEC_PLAINTEXT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +@@ -493,7 +447,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_get_b64(tmp_ctx, sreq, &ccbuf); ++ ret = sec_get(tmp_ctx, sreq, &ccbuf); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -748,9 +702,9 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + + ret = sss_sec_get(state, sreq, &cur_default); + if (ret == ENOENT) { +- ret = sec_put_b64(state, sreq, iobuf); ++ ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +- ret = sec_update_b64(state, sreq, iobuf); ++ ret = sec_update(state, sreq, iobuf); + } + + if (ret != EOK) { +@@ -804,7 +758,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_get_b64(state, sreq, &dfl_iobuf); ++ ret = sec_get(state, sreq, &dfl_iobuf); + if (ret == ENOENT) { + uuid_clear(state->uuid); + ret = EOK; +@@ -1230,7 +1184,7 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_put_b64(state, ccache_req, ccache_payload); ++ ret = sec_put(state, ccache_req, ccache_payload); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + goto immediate; +@@ -1308,7 +1262,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +@@ -1384,7 +1338,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index eb37c08b7337c6713c2e74a55363f79ecfefd8c0..815e7507ba6b3e210891c26dd243a2a67d8920f0 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -168,7 +168,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret); ++ ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY); + if (ret) goto done; + break; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index d701face07aa3ea5dc62371066ba6947d7d496a9..b3d40fdcb4bc2aeeb6aae4e17654ae06b00db876 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -63,19 +63,53 @@ static struct sss_sec_quota default_kcm_quota = { + .containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + }; + ++static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) ++{ ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ return "plaintext"; ++ case SSS_SEC_MASTERKEY: ++ return "masterkey"; ++ case SSS_SEC_BASE64: ++ return "base64"; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", ++ enctype); ++ return "unknown"; ++ } ++} ++ ++static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) ++{ ++ if (strcmp("plaintext", str) == 0) { ++ return SSS_SEC_PLAINTEXT; ++ } ++ ++ if (strcmp("masterkey", str) == 0) { ++ return SSS_SEC_MASTERKEY; ++ } ++ ++ if (strcmp("base64", str) == 0) { ++ return SSS_SEC_BASE64; ++ } ++ ++ return SSS_SEC_ENCTYPE_SENTINEL; ++} ++ + static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, ++ const char *secret, enum sss_sec_enctype enctype, + char **plain_secret) + { ++ struct sss_sec_data _secret; ++ size_t outlen; + char *output; ++ int ret; + +- if (enctype && strcmp(enctype, "masterkey") == 0) { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); +- +- struct sss_sec_data _secret; +- size_t outlen; +- int ret; +- ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_strdup(mem_ctx, secret); ++ break; ++ case SSS_SEC_MASTERKEY: + _secret.data = (char *)sss_base64_decode(mem_ctx, secret, + &_secret.length); + if (!_secret.data) { +@@ -83,6 +117,7 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + return EINVAL; + } + ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, + (uint8_t *)sctx->master_key.data, + sctx->master_key.length, +@@ -102,10 +137,17 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + talloc_free(output); + return EIO; + } +- } else { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Unexpected enctype (not 'masterkey')\n"); +- output = talloc_strdup(mem_ctx, secret); +- if (!output) return ENOMEM; ++ break; ++ case SSS_SEC_BASE64: ++ output = (char *)sss_base64_decode(mem_ctx, secret, &_secret.length); ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); ++ return EINVAL; ++ } ++ ++ if (output == NULL) { ++ return ENOMEM; + } + + *plain_secret = output; +@@ -113,39 +155,46 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + } + + static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, ++ const char *secret, enum sss_sec_enctype enctype, + char **ciphertext) + { + struct sss_sec_data _secret; + char *output; + int ret; + +- if (enctype == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); +- return EINVAL; +- } ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_strdup(mem_ctx, secret); ++ break; ++ case SSS_SEC_MASTERKEY: ++ ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, ++ (uint8_t *)sec_ctx->master_key.data, ++ sec_ctx->master_key.length, ++ (const uint8_t *)secret, strlen(secret) + 1, ++ (uint8_t **)&_secret.data, &_secret.length); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); ++ return ret; ++ } + +- if (strcmp(enctype, "masterkey") != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype); ++ output = sss_base64_encode(mem_ctx, (uint8_t *)_secret.data, ++ _secret.length); ++ talloc_free(_secret.data); ++ break; ++ case SSS_SEC_BASE64: ++ output = (char *)sss_base64_encode(mem_ctx, (const uint8_t *)secret, ++ strlen(secret) + 1); ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; + } + +- ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sec_ctx->master_key.data, +- sec_ctx->master_key.length, +- (const uint8_t *)secret, strlen(secret) + 1, +- (uint8_t **)&_secret.data, &_secret.length); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +- return ret; ++ if (output == NULL) { ++ return ENOMEM; + } + +- output = sss_base64_encode(mem_ctx, +- (uint8_t *)_secret.data, _secret.length); +- talloc_free(_secret.data); +- if (!output) return ENOMEM; +- + *ciphertext = output; + return EOK; + } +@@ -958,6 +1007,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct ldb_result *res; + const char *attr_secret; + const char *attr_enctype; ++ enum sss_sec_enctype enctype; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1006,10 +1056,15 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); + + if (attr_enctype) { +- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, attr_enctype, _secret); ++ enctype = sss_sec_str_to_enctype(attr_enctype); ++ ret = local_decrypt(req->sctx, mem_ctx, attr_secret, enctype, _secret); + if (ret) goto done; + } else { + *_secret = talloc_strdup(mem_ctx, attr_secret); ++ if (*_secret == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } + } + ret = EOK; + +@@ -1019,10 +1074,10 @@ done: + } + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret) ++ const char *secret, ++ enum sss_sec_enctype enctype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; + char *enc_secret; + int ret; + +@@ -1087,7 +1142,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", enctype); ++ ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1132,10 +1187,10 @@ done: + } + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret) ++ const char *secret, ++ enum sss_sec_enctype enctype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; + char *enc_secret; + int ret; + +@@ -1192,6 +1247,22 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ ret = ldb_msg_add_empty(msg, "enctype", LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding enctype [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index 9cf3975162c40a27ec92691f732a5aca5a5a8473..73f40f7eb620904cec8f1cb7891765323ada08ad 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -43,6 +43,13 @@ + #define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64 + #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536 + ++enum sss_sec_enctype { ++ SSS_SEC_PLAINTEXT, ++ SSS_SEC_MASTERKEY, ++ SSS_SEC_BASE64, ++ SSS_SEC_ENCTYPE_SENTINEL ++}; ++ + struct sss_sec_ctx; + + struct sss_sec_req; +@@ -91,10 +98,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + char **_secret); + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret); ++ const char *secret, ++ enum sss_sec_enctype enctype); + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret); ++ const char *secret, ++ enum sss_sec_enctype enctype); + + errno_t sss_sec_create_container(struct sss_sec_req *req); + +-- +2.25.4 + diff --git a/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch b/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch new file mode 100644 index 0000000..b1d810c --- /dev/null +++ b/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch @@ -0,0 +1,26 @@ +From b8dd3fa32cef423217859a1ef04ec30dfef30fb2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:45:22 +0100 +Subject: [PATCH 04/19] kcm: avoid multiple debug messages if sss_sec_put fails + +sec_put() already logs a message if the underlaying function fails +so this debug message is really unnecessary. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index e6f4f9b05d17956f771ed4db63dc4940be0a838b..f3b9af840381881e99bbead70ea7edabf945a8e2 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -1186,7 +1186,6 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx, + + ret = sec_put(state, ccache_req, ccache_payload); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + goto immediate; + } + +-- +2.25.4 + diff --git a/0005-secrets-allow-to-specify-secret-s-data-format.patch b/0005-secrets-allow-to-specify-secret-s-data-format.patch new file mode 100644 index 0000000..9de5bf0 --- /dev/null +++ b/0005-secrets-allow-to-specify-secret-s-data-format.patch @@ -0,0 +1,225 @@ +From e05dfeca855986cd11674a64ef6333c2d67e9bc7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 11:18:12 +0200 +Subject: [PATCH 05/19] secrets: allow to specify secret's data format + +Currently, both KCM and secrets responders store JSON formatted string +in the secrets database. One of the next commits makes KCM to store +binary format instead of JSON string to improve performance. We need +to be able to distinguish the formats to keep KCM update compatible +with existing ccache and also to keep secrets responder working. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 8 ++-- + src/responder/secrets/local.c | 4 +- + src/util/secrets/secrets.c | 57 ++++++++++++++++++++----- + src/util/secrets/secrets.h | 9 ++-- + 4 files changed, 59 insertions(+), 19 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f3b9af840381881e99bbead70ea7edabf945a8e2..8e5bd4f7376173fd075c1a64785a597bcf2f97ba 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -49,7 +49,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &secret); ++ ret = sss_sec_get(tmp_ctx, req, &secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -78,7 +78,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), +- SSS_SEC_PLAINTEXT); ++ SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -94,7 +94,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), +- SSS_SEC_PLAINTEXT); ++ SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -700,7 +700,7 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sss_sec_get(state, sreq, &cur_default); ++ ret = sss_sec_get(state, sreq, &cur_default, NULL); + if (ret == ENOENT) { + ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index 815e7507ba6b3e210891c26dd243a2a67d8920f0..fee52674d73f6f8071b4d66ac91bed3b210c8e23 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + break; + } + +- ret = sss_sec_get(state, ssec_req, &secret); ++ ret = sss_sec_get(state, ssec_req, &secret, NULL); + if (ret) goto done; + + if (body_is_json) { +@@ -168,7 +168,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY); ++ ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY, "simple"); + if (ret) goto done; + break; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index b3d40fdcb4bc2aeeb6aae4e17654ae06b00db876..51fc85fb09934c25290c625fe2a2d8090285117d 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -1000,14 +1000,18 @@ done: + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret) ++ char **_secret, ++ char **_datatype) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", "enctype", NULL }; ++ static const char *attrs[] = { "secret", "enctype", "type", NULL }; + struct ldb_result *res; + const char *attr_secret; + const char *attr_enctype; ++ const char *attr_datatype; + enum sss_sec_enctype enctype; ++ char *datatype; ++ char *secret; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1057,15 +1061,30 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + if (attr_enctype) { + enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, enctype, _secret); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret, enctype, &secret); + if (ret) goto done; + } else { +- *_secret = talloc_strdup(mem_ctx, attr_secret); +- if (*_secret == NULL) { ++ secret = talloc_strdup(tmp_ctx, attr_secret); ++ if (secret == NULL) { + ret = ENOMEM; + goto done; + } + } ++ ++ if (_datatype != NULL) { ++ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", ++ "simple"); ++ datatype = talloc_strdup(tmp_ctx, attr_datatype); ++ if (datatype == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ *_datatype = talloc_steal(mem_ctx, datatype); ++ } ++ ++ *_secret = talloc_steal(mem_ctx, secret); ++ + ret = EOK; + + done: +@@ -1075,7 +1094,8 @@ done: + + errno_t sss_sec_put(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype) ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; + char *enc_secret; +@@ -1134,11 +1154,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", "simple"); ++ ret = ldb_msg_add_string(msg, "type", datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "ldb_msg_add_string failed adding type:simple [%d]: %s\n", +- ret, sss_strerror(ret)); ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); + goto done; + } + +@@ -1188,7 +1208,8 @@ done: + + errno_t sss_sec_update(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype) ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; + char *enc_secret; +@@ -1263,6 +1284,22 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ ret = ldb_msg_add_empty(msg, "type", LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, "type", datatype); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index 73f40f7eb620904cec8f1cb7891765323ada08ad..f73657629f1a0bb614ccd96728852da66cc18791 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -95,15 +95,18 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret); ++ char **_secret, ++ char **_datatype); + + errno_t sss_sec_put(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype); ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_update(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype); ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_create_container(struct sss_sec_req *req); + +-- +2.25.4 + diff --git a/0006-secrets-accept-binary-data-instead-of-string.patch b/0006-secrets-accept-binary-data-instead-of-string.patch new file mode 100644 index 0000000..e92be25 --- /dev/null +++ b/0006-secrets-accept-binary-data-instead-of-string.patch @@ -0,0 +1,450 @@ +From 63cbb2aee2c6277ecd9e38fb32713e0ba3db4bb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 12:18:38 +0200 +Subject: [PATCH 06/19] secrets: accept binary data instead of string + +Currently, both KCM and secrets responders store JSON formatted string +in the secrets database. One of the next commits makes KCM to store +binary format instead of JSON string to improve performance. We need +to be able to distinguish the formats to keep KCM update compatible +with existing ccache and also to keep secrets responder working. + +Secrets responder test had to be ammended to fit into a new maximum +payload which is now reduced by one byte for the secrets responder +to hold the ending zero of a secret string. + +This is a corner case in a long deprecated responder that is not even +built by default and has no known consumers so it is fine to fast fix +the test. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 8 +- + src/responder/secrets/local.c | 5 +- + src/tests/intg/test_secrets.py | 3 +- + src/util/secrets/sec_pvt.h | 2 +- + src/util/secrets/secrets.c | 130 ++++++++++++++---------- + src/util/secrets/secrets.h | 9 +- + 6 files changed, 91 insertions(+), 66 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 8e5bd4f7376173fd075c1a64785a597bcf2f97ba..f0143e686826e3bf637619efc799e0d2f0715ba4 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -49,7 +49,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &secret, NULL); ++ ret = sss_sec_get(tmp_ctx, req, (uint8_t **)&secret, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -77,7 +77,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + { + errno_t ret; + +- ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), ++ ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), + SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -93,7 +93,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + { + errno_t ret; + +- ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), ++ ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), + SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -700,7 +700,7 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sss_sec_get(state, sreq, &cur_default, NULL); ++ ret = sss_sec_get(state, sreq, (uint8_t**)&cur_default, NULL, NULL); + if (ret == ENOENT) { + ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index fee52674d73f6f8071b4d66ac91bed3b210c8e23..252ef3a1de7ff28b0e9f37479c658a6c59e830f7 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + break; + } + +- ret = sss_sec_get(state, ssec_req, &secret, NULL); ++ ret = sss_sec_get(state, ssec_req, (uint8_t**)&secret, NULL, NULL); + if (ret) goto done; + + if (body_is_json) { +@@ -168,7 +168,8 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY, "simple"); ++ ret = sss_sec_put(ssec_req, (uint8_t *)secret, strlen(secret) + 1, ++ SSS_SEC_MASTERKEY, "simple"); + if (ret) goto done; + break; + +diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py +index 00933fb346516898448d4285c5c5c9373c48a2a9..18d722c13f36c58423e5caf81881f9ec167faa1e 100644 +--- a/src/tests/intg/test_secrets.py ++++ b/src/tests/intg/test_secrets.py +@@ -438,7 +438,8 @@ def run_quota_test(cli, max_secrets, max_payload_size): + KILOBYTE = 1024 + kb_payload_size = max_payload_size * KILOBYTE + +- sec_value = "x" * kb_payload_size ++ # Adjust payload size to hold terminal zero byte. ++ sec_value = "x" * (kb_payload_size - 1) + + cli.set_secret("foo", sec_value) + +diff --git a/src/util/secrets/sec_pvt.h b/src/util/secrets/sec_pvt.h +index 92e2b8b259fd7b20e974d5bd4dc41d96ea36ecf1..0e77a660e91ff9e18cce68a7994e3dbbf868c7aa 100644 +--- a/src/util/secrets/sec_pvt.h ++++ b/src/util/secrets/sec_pvt.h +@@ -33,7 +33,7 @@ + #define SSS_SEC_KCM_BASEPATH "/kcm/" + + struct sss_sec_data { +- char *data; ++ uint8_t *data; + size_t length; + }; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 51fc85fb09934c25290c625fe2a2d8090285117d..2a7149ae8b1c88623784ffd4f3e7f908be15c662 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -96,22 +96,28 @@ static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) + return SSS_SEC_ENCTYPE_SENTINEL; + } + +-static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, +- const char *secret, enum sss_sec_enctype enctype, +- char **plain_secret) ++static int local_decrypt(struct sss_sec_ctx *sctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) + { + struct sss_sec_data _secret; +- size_t outlen; +- char *output; ++ uint8_t *output; ++ size_t output_len; + int ret; + + switch (enctype) { + case SSS_SEC_PLAINTEXT: +- output = talloc_strdup(mem_ctx, secret); ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; + break; + case SSS_SEC_MASTERKEY: +- _secret.data = (char *)sss_base64_decode(mem_ctx, secret, +- &_secret.length); ++ _secret.data = (uint8_t *)sss_base64_decode(mem_ctx, ++ (const char *)secret, ++ &_secret.length); + if (!_secret.data) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n"); + return EINVAL; +@@ -119,27 +125,20 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + + DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sctx->master_key.data, ++ sctx->master_key.data, + sctx->master_key.length, +- (uint8_t *)_secret.data, _secret.length, +- (uint8_t **)&output, &outlen); ++ _secret.data, _secret.length, ++ &output, &output_len); + talloc_free(_secret.data); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } +- +- if (((strnlen(output, outlen) + 1) != outlen) || +- output[outlen - 1] != '\0') { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Output length mismatch or output not NULL-terminated\n"); +- talloc_free(output); +- return EIO; +- } + break; + case SSS_SEC_BASE64: +- output = (char *)sss_base64_decode(mem_ctx, secret, &_secret.length); ++ output = (uint8_t *)sss_base64_decode(mem_ctx, (const char *)secret, ++ &output_len); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); +@@ -150,41 +149,52 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- *plain_secret = output; ++ *_output = output; ++ *_output_len = output_len; ++ + return EOK; + } + +-static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, +- const char *secret, enum sss_sec_enctype enctype, +- char **ciphertext) ++static int local_encrypt(struct sss_sec_ctx *sec_ctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) + { + struct sss_sec_data _secret; +- char *output; ++ uint8_t *output; ++ size_t output_len; ++ char *b64; + int ret; + + switch (enctype) { + case SSS_SEC_PLAINTEXT: +- output = talloc_strdup(mem_ctx, secret); ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; + break; + case SSS_SEC_MASTERKEY: + ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sec_ctx->master_key.data, +- sec_ctx->master_key.length, +- (const uint8_t *)secret, strlen(secret) + 1, +- (uint8_t **)&_secret.data, &_secret.length); ++ sec_ctx->master_key.data, ++ sec_ctx->master_key.length, ++ secret, secret_len, ++ &_secret.data, &_secret.length); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + +- output = sss_base64_encode(mem_ctx, (uint8_t *)_secret.data, +- _secret.length); ++ b64 = sss_base64_encode(mem_ctx, _secret.data, _secret.length); ++ output = (uint8_t*)b64; ++ output_len = strlen(b64) + 1; + talloc_free(_secret.data); + break; + case SSS_SEC_BASE64: +- output = (char *)sss_base64_encode(mem_ctx, (const uint8_t *)secret, +- strlen(secret) + 1); ++ b64 = sss_base64_encode(mem_ctx, secret, secret_len); ++ output = (uint8_t*)b64; ++ output_len = strlen(b64) + 1; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); +@@ -195,7 +205,9 @@ static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- *ciphertext = output; ++ *_output = output; ++ *_output_len = output_len; ++ + return EOK; + } + +@@ -1000,18 +1012,20 @@ done: + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret, ++ uint8_t **_secret, ++ size_t *_secret_len, + char **_datatype) + { + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { "secret", "enctype", "type", NULL }; + struct ldb_result *res; +- const char *attr_secret; ++ const struct ldb_val *attr_secret; + const char *attr_enctype; + const char *attr_datatype; + enum sss_sec_enctype enctype; + char *datatype; +- char *secret; ++ uint8_t *secret; ++ size_t secret_len; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1050,7 +1064,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL); ++ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], "secret"); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; +@@ -1061,14 +1075,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + if (attr_enctype) { + enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, tmp_ctx, attr_secret, enctype, &secret); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, ++ attr_secret->length, enctype, &secret, &secret_len); + if (ret) goto done; + } else { +- secret = talloc_strdup(tmp_ctx, attr_secret); +- if (secret == NULL) { +- ret = ENOMEM; +- goto done; +- } ++ secret = talloc_steal(tmp_ctx, attr_secret->data); ++ secret_len = attr_secret->length; + } + + if (_datatype != NULL) { +@@ -1085,6 +1097,10 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + *_secret = talloc_steal(mem_ctx, secret); + ++ if (_secret_len) { ++ *_secret_len = secret_len; ++ } ++ + ret = EOK; + + done: +@@ -1093,12 +1109,13 @@ done: + } + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype) + { + struct ldb_message *msg; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1139,7 +1156,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1147,7 +1164,8 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +@@ -1170,7 +1188,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", +@@ -1207,12 +1225,13 @@ done: + } + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype) + { + struct ldb_message *msg; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1253,7 +1272,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1261,7 +1280,8 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +@@ -1309,7 +1329,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index f73657629f1a0bb614ccd96728852da66cc18791..f8caa53eec376bb0c8d52615ce9111efbbb26393 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -95,16 +95,19 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret, ++ uint8_t **_secret, ++ size_t *_secret_len, + char **_datatype); + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype); + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype); + +-- +2.25.4 + diff --git a/0007-iobuf-add-more-iobuf-functions.patch b/0007-iobuf-add-more-iobuf-functions.patch new file mode 100644 index 0000000..6566cc8 --- /dev/null +++ b/0007-iobuf-add-more-iobuf-functions.patch @@ -0,0 +1,265 @@ +From 51c8dda998c5b7bfa08362a13915fcff265a6f8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Oct 2020 13:10:13 +0200 +Subject: [PATCH 07/19] iobuf: add more iobuf functions + +These will be used in later patches. +--- + src/shared/safealign.h | 4 ++ + src/util/sss_iobuf.c | 141 +++++++++++++++++++++++++++++++++++++++++ + src/util/sss_iobuf.h | 46 ++++++++++++++ + 3 files changed, 191 insertions(+) + +diff --git a/src/shared/safealign.h b/src/shared/safealign.h +index b00c37f5b98bd4bf7ff6cea8e1208d80c77f0228..35909faa25967cefd296808431620f51232f67e2 100644 +--- a/src/shared/safealign.h ++++ b/src/shared/safealign.h +@@ -97,6 +97,10 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) + #define SAFEALIGN_SETMEM_UINT16(dest, value, pctr) \ + SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr) + ++/* SAFEALIGN_SETMEM_UINT8(void *dest, uint8_t value, size_t *pctr) */ ++#define SAFEALIGN_SETMEM_UINT8(dest, value, pctr) \ ++ SAFEALIGN_SETMEM_VALUE(dest, value, uint8_t, pctr) ++ + /* These macros are the same as their equivalents without _CHECK suffix, + * but additionally make the caller return EINVAL immediately if *pctr + * would exceed len. */ +diff --git a/src/util/sss_iobuf.c b/src/util/sss_iobuf.c +index 518713e4cc3dd99627a3a4450f235cbbc69ed3a2..3056a7b0db38746cfed154179787e53622e1a041 100644 +--- a/src/util/sss_iobuf.c ++++ b/src/util/sss_iobuf.c +@@ -66,6 +66,30 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + return iobuf; + } + ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ uint8_t *data, ++ size_t size) ++{ ++ struct sss_iobuf *iobuf; ++ ++ iobuf = talloc_zero(mem_ctx, struct sss_iobuf); ++ if (iobuf == NULL) { ++ return NULL; ++ } ++ ++ iobuf->data = talloc_steal(iobuf, data); ++ iobuf->size = size; ++ iobuf->capacity = size; ++ iobuf->dp = 0; ++ ++ return iobuf; ++} ++ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf) ++{ ++ iobuf->dp = 0; ++} ++ + size_t sss_iobuf_get_len(struct sss_iobuf *iobuf) + { + if (iobuf == NULL) { +@@ -223,6 +247,109 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len) ++{ ++ uint8_t *out; ++ uint32_t len; ++ size_t slen; ++ errno_t ret; ++ ++ if (iobuf == NULL || _out == NULL || _len == NULL) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_read_uint32(iobuf, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ *_out = NULL; ++ *_len = 0; ++ return EOK; ++ } ++ ++ out = talloc_array(mem_ctx, uint8_t, len); ++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ slen = len; ++ ret = sss_iobuf_read_len(iobuf, slen, out); ++ if (ret != EOK) { ++ talloc_free(out); ++ return ret; ++ } ++ ++ *_out = out; ++ *_len = slen; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len) ++{ ++ errno_t ret; ++ ++ if (iobuf == NULL || (data == NULL && len != 0)) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_write_uint32(iobuf, len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ return EOK; ++ } ++ ++ return sss_iobuf_write_len(iobuf, data, len); ++} ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out) ++{ ++ struct sss_iobuf *out; ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(NULL, iobuf, &data, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ out = sss_iobuf_init_steal(mem_ctx, data, len); ++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ *_out = out; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data) ++{ ++ return sss_iobuf_write_varlen(iobuf, data->data, data->size); ++} ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val) ++{ ++ SAFEALIGN_COPY_UINT8_CHECK(_val, iobuf_ptr(iobuf), ++ iobuf->capacity, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val) + { +@@ -239,6 +366,20 @@ errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val) ++{ ++ errno_t ret; ++ ++ ret = ensure_bytes(iobuf, sizeof(uint8_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ SAFEALIGN_SETMEM_UINT8(iobuf_ptr(iobuf), val, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf, + uint32_t val) + { +diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h +index cc3dfd1e98eeb49b979ac321bd0253bffa8a6dff..159fbc0b9ff756ca996722a84a1a13635d1aa8de 100644 +--- a/src/util/sss_iobuf.h ++++ b/src/util/sss_iobuf.h +@@ -50,6 +50,29 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + const uint8_t *data, + size_t size); + ++/* ++ * @brief Allocate an IO buffer with a fixed size, stealing input data. ++ * ++ * This function is useful for parsing an input buffer from an existing ++ * buffer pointed to by data. ++ * ++ * The iobuf assumes ownership of the data buffer. ++ * ++ * @param[in] mem_ctx The talloc context that owns the iobuf ++ * @param[in] data The data to initialize the IO buffer with. ++ * @param[in] size The size of the data buffer ++ * ++ * @return The newly created buffer on success or NULL on an error. ++ */ ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ uint8_t *data, ++ size_t size); ++ ++/* ++ * @brief Reset internal cursor of the IO buffer (seek to the start) ++ */ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf); ++ + /* + * @brief Returns the number of bytes currently stored in the iobuf + * +@@ -131,6 +154,28 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + uint8_t *buf, + size_t len); + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len); ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len); ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out); ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data); ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val); ++ ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val); ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val); + +@@ -148,4 +193,5 @@ errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf, + + errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf, + const char *str); ++ + #endif /* __SSS_IOBUF_H_ */ +-- +2.25.4 + diff --git a/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch b/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch new file mode 100644 index 0000000..dbaa796 --- /dev/null +++ b/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch @@ -0,0 +1,292 @@ +From 27968f52eb57391ae64df57d29cf9911fc59d161 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 13:34:52 +0200 +Subject: [PATCH 08/19] kcm: add json suffix to existing searialization + functions + +--- + Makefile.am | 10 ++--- + src/responder/kcm/kcmsrv_ccache.h | 18 ++++----- + src/responder/kcm/kcmsrv_ccache_json.c | 18 ++++----- + src/responder/kcm/kcmsrv_ccache_secdb.c | 14 +++---- + src/responder/kcm/kcmsrv_ccache_secrets.c | 9 ++--- + ...n_marshalling.c => test_kcm_marshalling.c} | 39 ++++++------------- + 6 files changed, 44 insertions(+), 64 deletions(-) + rename src/tests/cmocka/{test_kcm_json_marshalling.c => test_kcm_marshalling.c} (90%) + +diff --git a/Makefile.am b/Makefile.am +index 97aa1ec661268aaa7a3f09b5022c5677df19d9da..8ca46bf2f9add08155bfb824444437532c97909c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -311,7 +311,7 @@ endif # HAVE_INOTIFY + + if BUILD_KCM + non_interactive_cmocka_based_tests += \ +- test_kcm_json \ ++ test_kcm_marshalling \ + test_kcm_queue \ + $(NULL) + endif # BUILD_KCM +@@ -3927,18 +3927,18 @@ test_sssd_krb5_locator_plugin_LDADD = \ + $(NULL) + + if BUILD_KCM +-test_kcm_json_SOURCES = \ +- src/tests/cmocka/test_kcm_json_marshalling.c \ ++test_kcm_marshalling_SOURCES = \ ++ src/tests/cmocka/test_kcm_marshalling.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + $(NULL) +-test_kcm_json_CFLAGS = \ ++test_kcm_marshalling_CFLAGS = \ + $(AM_CFLAGS) \ + $(UUID_CFLAGS) \ + $(NULL) +-test_kcm_json_LDADD = \ ++test_kcm_marshalling_LDADD = \ + $(JANSSON_LIBS) \ + $(UUID_LIBS) \ + $(KRB5_LIBS) \ +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index d629923fa140bd30d8a59f56443dea7ce101c33e..5aaded0524d0765dea6bfb962a83cf625f0e85f4 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -333,16 +333,16 @@ const char *sec_key_create(TALLOC_CTX *mem_ctx, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc); ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc); + + /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, +- struct cli_creds *client, +- struct sss_iobuf **_payload); ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct cli_creds *client, ++ struct sss_iobuf **_payload); + + #endif /* _KCMSRV_CCACHE_H_ */ +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 38ec53c408c3b9d44f37d102c4a0c976ef32bdfe..8101f5ddc148bfff83cc02cf9b19a3566209e781 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -460,10 +460,10 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx, + return EOK; + } + +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, +- struct cli_creds *client, +- struct sss_iobuf **_payload) ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct cli_creds *client, ++ struct sss_iobuf **_payload) + { + errno_t ret; + const char *value; +@@ -897,11 +897,11 @@ static errno_t sec_json_value_to_ccache(struct kcm_ccache *cc, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc) ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) + { + errno_t ret; + json_t *root = NULL; +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f0143e686826e3bf637619efc799e0d2f0715ba4..f5cfe47a7c6deac17031788105ac4235a6aaa9ff 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -160,7 +160,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -454,11 +454,9 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_kv_to_ccache(tmp_ctx, +- secdb_key, +- (const char *) sss_iobuf_get_data(ccbuf), +- client, +- &cc); ++ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, ++ (const char *)sss_iobuf_get_data(ccbuf), ++ client, &cc); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +@@ -1251,7 +1249,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1327,7 +1325,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c +index 440ab3bb99dd983ba0343f371c0c6470bbd53afc..9d1fe8cad2dc6ed3ab43e181d0db52673d4759cc 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secrets.c ++++ b/src/responder/kcm/kcmsrv_ccache_secrets.c +@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); + if (ret != EOK) { + goto done; + } +@@ -489,11 +489,8 @@ static void sec_get_done(struct tevent_req *subreq) + return; + } + +- ret = sec_kv_to_ccache(state, +- state->sec_key, +- sec_value, +- state->client, +- &state->cc); ++ ret = sec_kv_to_ccache_json(state, state->sec_key, sec_value, state->client, ++ &state->cc); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c +similarity index 90% +rename from src/tests/cmocka/test_kcm_json_marshalling.c +rename to src/tests/cmocka/test_kcm_marshalling.c +index 48ee92bd675780b023b5c8275e5713b91388d06a..f82129974787bba6883662a732311f3370bcc4f1 100644 +--- a/src/tests/cmocka/test_kcm_json_marshalling.c ++++ b/src/tests/cmocka/test_kcm_marshalling.c +@@ -154,7 +154,7 @@ static void assert_cc_equal(struct kcm_ccache *cc1, + assert_cc_offset_equal(cc1, cc2); + } + +-static void test_kcm_ccache_marshall_unmarshall(void **state) ++static void test_kcm_ccache_marshall_unmarshall_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -182,10 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + &cc); + assert_int_equal(ret, EOK); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -196,25 +193,19 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); + + /* This key is exactly one byte shorter than it should be */ +- ret = sec_kv_to_ccache(test_ctx, +- TEST_UUID_STR"-", +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, TEST_UUID_STR "-", (const char *)data, ++ &owner, &cc2); + assert_int_equal(ret, EINVAL); + } + +-static void test_kcm_ccache_no_princ(void **state) ++static void test_kcm_ccache_no_princ_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -246,10 +237,7 @@ static void test_kcm_ccache_no_princ(void **state) + princ = kcm_cc_get_client_principal(cc); + assert_null(princ); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -260,11 +248,8 @@ static void test_kcm_ccache_no_princ(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); +@@ -340,10 +325,10 @@ int main(int argc, const char *argv[]) + }; + + const struct CMUnitTest tests[] = { +- cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall, ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), +- cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ, ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), + cmocka_unit_test(test_sec_key_get_uuid), +-- +2.25.4 + diff --git a/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch b/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch new file mode 100644 index 0000000..fe14533 --- /dev/null +++ b/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch @@ -0,0 +1,404 @@ +From 23273319b546d034d31ffe3824b954659d20d104 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:18:11 +0100 +Subject: [PATCH 09/19] kcm: move sec key parser to separate file so it can be + shared + +--- + Makefile.am | 2 + + src/responder/kcm/kcmsrv_ccache.c | 20 ++++ + src/responder/kcm/kcmsrv_ccache.h | 10 ++ + src/responder/kcm/kcmsrv_ccache_json.c | 130 +--------------------- + src/responder/kcm/kcmsrv_ccache_key.c | 145 +++++++++++++++++++++++++ + 5 files changed, 179 insertions(+), 128 deletions(-) + create mode 100644 src/responder/kcm/kcmsrv_ccache_key.c + +diff --git a/Makefile.am b/Makefile.am +index 8ca46bf2f9add08155bfb824444437532c97909c..ae9bc540a86f2e291dd5b5f66e1ce4f0aacbaf61 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1819,6 +1819,7 @@ sssd_kcm_SOURCES = \ + src/responder/kcm/kcmsrv_ccache.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache_secdb.c \ + src/responder/kcm/kcmsrv_ops.c \ + src/responder/kcm/kcmsrv_op_queue.c \ +@@ -3930,6 +3931,7 @@ if BUILD_KCM + test_kcm_marshalling_SOURCES = \ + src/tests/cmocka/test_kcm_marshalling.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 66e2752ba755af3ef1c6c1b21036021a608a94c1..59f8a7293fa7422c199ca2916c8e6ae6039d9312 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -213,6 +213,26 @@ errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + return EOK; + } + ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client) ++{ ++ errno_t ret; ++ ++ ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ /* We rely on sssd-secrets only searching the user's subtree so we ++ * set the ownership to the client ++ */ ++ cc->owner.uid = cli_creds_get_uid(client); ++ cc->owner.gid = cli_creds_get_gid(client); ++ ++ return EOK; ++} ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid) + { + if (crd == NULL) { +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index 5aaded0524d0765dea6bfb962a83cf625f0e85f4..892067f3170b19c0e55ceaa75b0c01f772c49d3d 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -100,6 +100,11 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd); + ++/* Set cc header information from sec key and client */ ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client); ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid); + + /* +@@ -320,6 +325,11 @@ bool sec_key_match_name(const char *sec_key, + bool sec_key_match_uuid(const char *sec_key, + uuid_t uuid); + ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid); ++ + const char *sec_key_get_name(const char *sec_key); + + errno_t sec_key_get_uuid(const char *sec_key, +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 8101f5ddc148bfff83cc02cf9b19a3566209e781..7f73b56bf6c27417271876a989695ff917c3886e 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -37,12 +37,6 @@ + */ + #define KS_JSON_VERSION 1 + +-/* +- * The secrets store is a key-value store at heart. We store the UUID +- * and the name in the key to allow easy lookups be either key +- */ +-#define SEC_KEY_SEPARATOR '-' +- + /* Compat definition of json_array_foreach for older systems */ + #ifndef json_array_foreach + #define json_array_foreach(array, idx, value) \ +@@ -51,119 +45,6 @@ + idx++) + #endif + +-const char *sec_key_create(TALLOC_CTX *mem_ctx, +- const char *name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- uuid_unparse(uuid, uuid_str); +- return talloc_asprintf(mem_ctx, +- "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); +-} +- +-static bool sec_key_valid(const char *sec_key) +-{ +- if (sec_key == NULL) { +- return false; +- } +- +- if (strlen(sec_key) < UUID_STR_SIZE + 1) { +- /* One char for separator (at UUID_STR_SIZE, because strlen doesn't +- * include the '\0', but UUID_STR_SIZE does) and at least one for +- * the name */ +- DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +- return false; +- } +- +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return false; +- } +- +- return true; +-} +- +-static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char **_name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return EINVAL; +- } +- uuid_str[UUID_STR_SIZE-1] = '\0'; +- +- *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); +- if (*_name == NULL) { +- return ENOMEM; +- } +- uuid_parse(uuid_str, uuid); +- +- return EOK; +-} +- +-errno_t sec_key_get_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); +- uuid_str[UUID_STR_SIZE-1] = '\0'; +- uuid_parse(uuid_str, uuid); +- return EOK; +-} +- +-const char *sec_key_get_name(const char *sec_key) +-{ +- if (!sec_key_valid(sec_key)) { +- return NULL; +- } +- +- return sec_key + UUID_STR_SIZE; +-} +- +-bool sec_key_match_name(const char *sec_key, +- const char *name) +-{ +- if (!sec_key_valid(sec_key) || name == NULL) { +- return false; +- } +- +- return strcmp(sec_key + UUID_STR_SIZE, name) == 0; +-} +- +-bool sec_key_match_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- errno_t ret; +- uuid_t key_uuid; +- +- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but +- * since libuuid is opaque for cppcheck it generates false positive here +- */ +- /* cppcheck-suppress uninitvar */ +- ret = sec_key_get_uuid(sec_key, key_uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); +- return false; +- } +- +- return uuid_compare(key_uuid, uuid) == 0; +-} +- + /* + * Creates an array of principal elements that will be used later + * in the form of: +@@ -928,16 +809,9 @@ errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* We rely on sssd-secrets only searching the user's subtree so we +- * set the ownership to the client +- */ +- cc->owner.uid = cli_creds_get_uid(client); +- cc->owner.gid = cli_creds_get_gid(client); +- +- ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ ret = kcm_cc_set_header(cc, sec_key, client); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannt parse secret key [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +new file mode 100644 +index 0000000000000000000000000000000000000000..ba64f2128c0bba62434b4f84d81514e6b52bc2b6 +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -0,0 +1,145 @@ ++/* ++ SSSD ++ ++ Copyright (C) Red Hat, 2020 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++/* ++ * The secrets store is a key-value store at heart. We store the UUID ++ * and the name in the key to allow easy lookups by either part. ++ */ ++#define SEC_KEY_SEPARATOR '-' ++ ++const char *sec_key_create(TALLOC_CTX *mem_ctx, ++ const char *name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ uuid_unparse(uuid, uuid_str); ++ return talloc_asprintf(mem_ctx, ++ "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); ++} ++ ++static bool sec_key_valid(const char *sec_key) ++{ ++ if (sec_key == NULL) { ++ return false; ++ } ++ ++ if (strlen(sec_key) < UUID_STR_SIZE + 1) { ++ /* One char for separator (at UUID_STR_SIZE, because strlen doesn't ++ * include the '\0', but UUID_STR_SIZE does) and at least one for ++ * the name */ ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); ++ return false; ++ } ++ ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return EINVAL; ++ } ++ uuid_str[UUID_STR_SIZE-1] = '\0'; ++ ++ *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); ++ if (*_name == NULL) { ++ return ENOMEM; ++ } ++ uuid_parse(uuid_str, uuid); ++ ++ return EOK; ++} ++ ++errno_t sec_key_get_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); ++ uuid_str[UUID_STR_SIZE-1] = '\0'; ++ uuid_parse(uuid_str, uuid); ++ return EOK; ++} ++ ++const char *sec_key_get_name(const char *sec_key) ++{ ++ if (!sec_key_valid(sec_key)) { ++ return NULL; ++ } ++ ++ return sec_key + UUID_STR_SIZE; ++} ++ ++bool sec_key_match_name(const char *sec_key, ++ const char *name) ++{ ++ if (!sec_key_valid(sec_key) || name == NULL) { ++ return false; ++ } ++ ++ return strcmp(sec_key + UUID_STR_SIZE, name) == 0; ++} ++ ++bool sec_key_match_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ errno_t ret; ++ uuid_t key_uuid; ++ ++ /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but ++ * since libuuid is opaque for cppcheck it generates false positive here ++ */ ++ /* cppcheck-suppress uninitvar */ ++ ret = sec_key_get_uuid(sec_key, key_uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); ++ return false; ++ } ++ ++ return uuid_compare(key_uuid, uuid) == 0; ++} +-- +2.25.4 + diff --git a/0010-kcm-avoid-suppression-of-cppcheck-warning.patch b/0010-kcm-avoid-suppression-of-cppcheck-warning.patch new file mode 100644 index 0000000..47eda0f --- /dev/null +++ b/0010-kcm-avoid-suppression-of-cppcheck-warning.patch @@ -0,0 +1,30 @@ +From efd57d2a6001b7015095f7ff5bbd0c55764e22ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:37:05 +0100 +Subject: [PATCH 10/19] kcm: avoid suppression of cppcheck warning + +--- + src/responder/kcm/kcmsrv_ccache_key.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +index ba64f2128c0bba62434b4f84d81514e6b52bc2b6..4a24c38d45918632201740bfc82579a2449aa8f7 100644 +--- a/src/responder/kcm/kcmsrv_ccache_key.c ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -131,10 +131,9 @@ bool sec_key_match_uuid(const char *sec_key, + errno_t ret; + uuid_t key_uuid; + +- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but +- * since libuuid is opaque for cppcheck it generates false positive here +- */ +- /* cppcheck-suppress uninitvar */ ++ /* Clear uuid value to avoid cppcheck warning. */ ++ uuid_clear(key_uuid); ++ + ret = sec_key_get_uuid(sec_key, key_uuid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); +-- +2.25.4 + diff --git a/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch b/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch new file mode 100644 index 0000000..78a9458 --- /dev/null +++ b/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch @@ -0,0 +1,42 @@ +From d51819e51fca80675b9915863e72d835c9e0a0fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 17:09:43 +0100 +Subject: [PATCH 11/19] kcm: add spaces around operators in kcmsrv_ccache_key.c + +--- + src/responder/kcm/kcmsrv_ccache_key.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +index 4a24c38d45918632201740bfc82579a2449aa8f7..59d60453c5d5e28ccda8f98c63125954640d0e8b 100644 +--- a/src/responder/kcm/kcmsrv_ccache_key.c ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -75,12 +75,12 @@ errno_t sec_key_parse(TALLOC_CTX *mem_ctx, + return EINVAL; + } + +- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); ++ strncpy(uuid_str, sec_key, sizeof(uuid_str) - 1); + if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); + return EINVAL; + } +- uuid_str[UUID_STR_SIZE-1] = '\0'; ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; + + *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); + if (*_name == NULL) { +@@ -100,8 +100,8 @@ errno_t sec_key_get_uuid(const char *sec_key, + return EINVAL; + } + +- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); +- uuid_str[UUID_STR_SIZE-1] = '\0'; ++ strncpy(uuid_str, sec_key, UUID_STR_SIZE - 1); ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; + uuid_parse(uuid_str, uuid); + return EOK; + } +-- +2.25.4 + diff --git a/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch b/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch new file mode 100644 index 0000000..a684f0b --- /dev/null +++ b/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch @@ -0,0 +1,741 @@ +From 94ceb85465dbf052f681bbd6c8ebced4d2d97f92 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:21:31 +0100 +Subject: [PATCH 12/19] kcm: use binary format to store ccache instead of json + +JSON is computationally complex and the parser is a bottleneck which +consumes about 10% of time. It also create the ccache unnecessary +large because it requires lots of unneded character and base64 +encoding. + +Binary format is fast, simple and small. + +This is backwards compatible and there is no need to destroy existing +ccache. It will be stored in binary format at first write to the cache. + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + Makefile.am | 2 + + src/responder/kcm/kcmsrv_ccache.h | 16 +- + src/responder/kcm/kcmsrv_ccache_binary.c | 308 ++++++++++++++++++++++ + src/responder/kcm/kcmsrv_ccache_json.c | 1 - + src/responder/kcm/kcmsrv_ccache_secdb.c | 49 ++-- + src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +- + src/tests/cmocka/test_kcm_marshalling.c | 112 +++++++- + src/tests/multihost/basic/test_kcm.py | 12 +- + src/util/secrets/secrets.c | 2 +- + 9 files changed, 476 insertions(+), 28 deletions(-) + create mode 100644 src/responder/kcm/kcmsrv_ccache_binary.c + +diff --git a/Makefile.am b/Makefile.am +index ae9bc540a86f2e291dd5b5f66e1ce4f0aacbaf61..430b4e8424d6bde0c7de919c6aceabf3839e3a23 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1817,6 +1817,7 @@ sssd_kcm_SOURCES = \ + src/responder/kcm/kcm.c \ + src/responder/kcm/kcmsrv_cmd.c \ + src/responder/kcm/kcmsrv_ccache.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache_key.c \ +@@ -3930,6 +3931,7 @@ test_sssd_krb5_locator_plugin_LDADD = \ + if BUILD_KCM + test_kcm_marshalling_SOURCES = \ + src/tests/cmocka/test_kcm_marshalling.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache.c \ +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index 892067f3170b19c0e55ceaa75b0c01f772c49d3d..b0a7acb9fed8a8f89a3d0e2239ab28c7ce80fa23 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -352,7 +352,21 @@ errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, + /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ + errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, +- struct cli_creds *client, + struct sss_iobuf **_payload); + ++/* ++ * sec_key is a concatenation of the ccache's UUID and name ++ * sec_value is the binary representation of ccache. ++ */ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc); ++ ++/* Convert a kcm_ccache to its binary representation. */ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload); ++ + #endif /* _KCMSRV_CCACHE_H_ */ +diff --git a/src/responder/kcm/kcmsrv_ccache_binary.c b/src/responder/kcm/kcmsrv_ccache_binary.c +new file mode 100644 +index 0000000000000000000000000000000000000000..7bfdbf13bfeaa7d45de6352e7b51b781b713b8f2 +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_binary.c +@@ -0,0 +1,308 @@ ++/* ++ Authors: ++ Pavel Březina ++ ++ Copyright (C) 2020 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "util/util_creds.h" ++#include "util/crypto/sss_crypto.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++static errno_t krb_data_to_bin(krb5_data *data, struct sss_iobuf *buf) ++{ ++ return sss_iobuf_write_varlen(buf, (uint8_t *)data->data, data->length); ++} ++ ++static errno_t princ_to_bin(krb5_principal princ, struct sss_iobuf *buf) ++{ ++ errno_t ret; ++ ++ if (princ == NULL) { ++ return sss_iobuf_write_uint8(buf, 0); ++ } ++ ++ /* Mark that principal is not empty. */ ++ ret = sss_iobuf_write_uint8(buf, 1); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = krb_data_to_bin(&princ->realm, buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (krb5_int32 i = 0; i < princ->length; i++) { ++ ret = krb_data_to_bin(&princ->data[i], buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++static errno_t creds_to_bin(struct kcm_cred *creds, struct sss_iobuf *buf) ++{ ++ struct kcm_cred *crd; ++ uint32_t count = 0; ++ errno_t ret; ++ ++ DLIST_FOR_EACH(crd, creds) { ++ count++; ++ } ++ ++ ret = sss_iobuf_write_uint32(buf, count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ DLIST_FOR_EACH(crd, creds) { ++ ret = sss_iobuf_write_len(buf, (uint8_t *)crd->uuid, sizeof(uuid_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_iobuf(buf, crd->cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload) ++{ ++ struct sss_iobuf *buf; ++ errno_t ret; ++ ++ buf = sss_iobuf_init_empty(mem_ctx, sizeof(krb5_principal_data), 0); ++ if (buf == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = princ_to_bin(cc->client, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = creds_to_bin(cc->creds, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_payload = buf; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(buf); ++ } ++ ++ return ret; ++} ++ ++static errno_t bin_to_krb_data(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_data *out) ++{ ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(mem_ctx, buf, &data, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ out->magic = 0; ++ out->data = (char*)data; ++ out->length = len; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_princ(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_principal *_princ) ++{ ++ krb5_principal princ; ++ uint8_t non_empty; ++ krb5_int32 i; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint8(buf, &non_empty); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (non_empty == 0) { ++ *_princ = NULL; ++ return EOK; ++ } ++ ++ princ = talloc_zero(mem_ctx, struct krb5_principal_data); ++ if (princ == NULL) { ++ return ENOMEM; ++ } ++ princ->magic = KV5M_PRINCIPAL; ++ ++ ret = bin_to_krb_data(princ, buf, &princ->realm); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ princ->data = talloc_zero_array(princ, krb5_data, princ->length); ++ if (princ->length > 0 && princ->data == NULL) { ++ return ENOMEM; ++ } ++ ++ for (i = 0; i < princ->length; i++) { ++ ret = bin_to_krb_data(princ, buf, &princ->data[i]); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ *_princ = princ; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_creds(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ struct kcm_cred **_creds) ++{ ++ struct kcm_cred *creds = NULL; ++ struct kcm_cred *crd; ++ struct sss_iobuf *cred_blob; ++ uint32_t count; ++ uuid_t uuid; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint32(buf, &count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (uint32_t i = 0; i < count; i++) { ++ ret = sss_iobuf_read_len(buf, sizeof(uuid_t), (uint8_t*)uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_iobuf(NULL, buf, &cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ crd = kcm_cred_new(mem_ctx, uuid, cred_blob); ++ if (crd == NULL) { ++ talloc_free(cred_blob); ++ return ENOMEM; ++ } ++ ++ DLIST_ADD(creds, crd); ++ } ++ ++ *_creds = creds; ++ ++ return EOK; ++} ++ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) ++{ ++ struct kcm_ccache *cc; ++ errno_t ret; ++ ++ cc = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (cc == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = kcm_cc_set_header(cc, sec_key, client); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = sss_iobuf_read_int32(sec_value, &cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_princ(cc, sec_value, &cc->client); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_creds(cc, sec_value, &cc->creds); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_cc = cc; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(cc); ++ } ++ ++ return ret; ++} +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 7f73b56bf6c27417271876a989695ff917c3886e..e790cbea36d57d2ba0d4e25fc8fc249a4e653c3c 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -343,7 +343,6 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx, + + errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, +- struct cli_creds *client, + struct sss_iobuf **_payload) + { + errno_t ret; +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f5cfe47a7c6deac17031788105ac4235a6aaa9ff..726711ac441c40a6bfc84045e9b3e5b85505c7e0 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -37,11 +37,14 @@ + + static errno_t sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- struct sss_iobuf **_buf) ++ struct sss_iobuf **_buf, ++ char **_datatype) + { + errno_t ret; + TALLOC_CTX *tmp_ctx; +- char *secret; ++ char *datatype; ++ uint8_t *data; ++ size_t len; + struct sss_iobuf *buf; + + tmp_ctx = talloc_new(mem_ctx); +@@ -49,23 +52,27 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, (uint8_t **)&secret, NULL, NULL); ++ ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- buf = sss_iobuf_init_readonly(tmp_ctx, (const uint8_t *)secret, +- strlen(secret) + 1); ++ buf = sss_iobuf_init_steal(tmp_ctx, data, len); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); + ret = EIO; + goto done; + } + +- ret = EOK; + *_buf = talloc_steal(mem_ctx, buf); ++ if (_datatype != NULL) { ++ *_datatype = talloc_steal(mem_ctx, datatype); ++ } ++ ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); + return ret; +@@ -78,7 +85,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), +- SSS_SEC_PLAINTEXT, "simple"); ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -94,7 +101,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), +- SSS_SEC_PLAINTEXT, "simple"); ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -160,7 +167,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(mem_ctx, cc, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -434,6 +441,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc = NULL; + struct sss_sec_req *sreq = NULL; + struct sss_iobuf *ccbuf; ++ char *datatype; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { +@@ -447,20 +455,23 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_get(tmp_ctx, sreq, &ccbuf); ++ ret = sec_get(tmp_ctx, sreq, &ccbuf, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret)); + goto done; + } + +- ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, +- (const char *)sss_iobuf_get_data(ccbuf), +- client, &cc); ++ if (strcmp(datatype, "binary") == 0) { ++ ret = sec_kv_to_ccache_binary(tmp_ctx, secdb_key, ccbuf, client, &cc); ++ } else { ++ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, ++ (const char *)sss_iobuf_get_data(ccbuf), ++ client, &cc); ++ } + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert %s data to ccache " ++ "[%d]: %s\n", datatype, ret, sss_strerror(ret)); + goto done; + } + +@@ -756,7 +767,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_get(state, sreq, &dfl_iobuf); ++ ret = sec_get(state, sreq, &dfl_iobuf, NULL); + if (ret == ENOENT) { + uuid_clear(state->uuid); + ret = EOK; +@@ -1249,7 +1260,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1325,7 +1336,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c +index 9d1fe8cad2dc6ed3ab43e181d0db52673d4759cc..f3d69842cf8c230800aaf4fc6554495fcf03f57d 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secrets.c ++++ b/src/responder/kcm/kcmsrv_ccache_secrets.c +@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, &payload); + if (ret != EOK) { + goto done; + } +diff --git a/src/tests/cmocka/test_kcm_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c +index f82129974787bba6883662a732311f3370bcc4f1..cebebac804b0a8a109084b35f58d4aab21e28da2 100644 +--- a/src/tests/cmocka/test_kcm_marshalling.c ++++ b/src/tests/cmocka/test_kcm_marshalling.c +@@ -182,7 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall_json(void **state) + &cc); + assert_int_equal(ret, EOK); + +- ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -237,7 +237,7 @@ static void test_kcm_ccache_no_princ_json(void **state) + princ = kcm_cc_get_client_principal(cc); + assert_null(princ); + +- ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -255,6 +255,108 @@ static void test_kcm_ccache_no_princ_json(void **state) + assert_cc_equal(cc, cc2); + } + ++static void test_kcm_ccache_marshall_unmarshall_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ struct kcm_ccache *cc; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *name; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ test_ctx->princ, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++ ++ /* This key is exactly one byte shorter than it should be */ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, TEST_UUID_STR "-", payload, &owner, ++ &cc2); ++ assert_int_equal(ret, EINVAL); ++} ++ ++static void test_kcm_ccache_no_princ_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ const char *name; ++ struct kcm_ccache *cc; ++ krb5_principal princ; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ NULL, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ princ = kcm_cc_get_client_principal(cc); ++ assert_null(princ); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++} ++ + void test_sec_key_get_uuid(void **state) + { + errno_t ret; +@@ -325,6 +427,12 @@ int main(int argc, const char *argv[]) + }; + + const struct CMUnitTest tests[] = { ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), + cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), +diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py +index e5d315827b31f205216d6a20768533ef50983537..6f65431f88b0e77110c3a89c24363d28027390f6 100644 +--- a/src/tests/multihost/basic/test_kcm.py ++++ b/src/tests/multihost/basic/test_kcm.py +@@ -310,6 +310,12 @@ class TestSanityKCM(object): + set_param(multihost, 'kcm', 'max_ccache_size', '1') + self._restart_kcm(multihost) + +- with pytest.raises(paramiko.ssh_exception.AuthenticationException): +- ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, +- username='foo3', password='Secret123') ++ # We use kinit to exceed the maximum ccache size as it creates payload ++ # of 1280 bytes by acquiring tgt and also some control credentials. ++ # SSH authentication is not sufficient as it stores only tgt. ++ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, ++ username='foo3', password='Secret123') ++ (_, _, exit_status) = ssh_foo3.execute_cmd( ++ 'kinit foo3@EXAMPLE.TEST', 'Secret123' ++ ) ++ assert exit_status != 0 +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 2a7149ae8b1c88623784ffd4f3e7f908be15c662..6fd9e0af5bd9986052efdb8e244ddeb9e4fa50ff 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -36,7 +36,7 @@ + #define SECRETS_BASEDN "cn=secrets" + #define KCM_BASEDN "cn=kcm" + +-#define LOCAL_SIMPLE_FILTER "(type=simple)" ++#define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" + #define LOCAL_CONTAINER_FILTER "(type=container)" + + typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, +-- +2.25.4 + diff --git a/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch b/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch new file mode 100644 index 0000000..a7ff7b2 --- /dev/null +++ b/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch @@ -0,0 +1,131 @@ +From ae6898e7dc60d7067f0d71212c7ed28fc9e8e285 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 16 Oct 2020 15:36:51 +0200 +Subject: [PATCH 13/19] kcm: add per-connection data to be shared between + requests + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + src/responder/kcm/kcmsrv_cmd.c | 21 +++++++++++++++++---- + src/responder/kcm/kcmsrv_ops.c | 3 +++ + src/responder/kcm/kcmsrv_ops.h | 5 +++++ + 3 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 99980050f205730169f5907db4018e4fe57b046d..a1aa9aa20f7c2b5cd972bd944995286de5e7c1e2 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -373,13 +373,16 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx, + { + struct tevent_req *req; + struct cli_ctx *cctx; ++ struct kcm_conn_data *conn_data; + + cctx = req_ctx->cctx; ++ conn_data = talloc_get_type(cctx->state_ctx, struct kcm_conn_data); + + req = kcm_cmd_send(req_ctx, + cctx->ev, + kctx->qctx, + req_ctx->kctx->kcm_data, ++ conn_data, + req_ctx->cctx->creds, + &req_ctx->op_io.request, + req_ctx->op_io.op); +@@ -492,7 +495,7 @@ static void kcm_recv(struct cli_ctx *cctx) + int ret; + + kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx); +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + if (req == NULL) { + /* A new request comes in, setup data structures. */ + req = kcm_new_req(cctx, kctx); +@@ -503,7 +506,17 @@ static void kcm_recv(struct cli_ctx *cctx) + return; + } + +- cctx->state_ctx = req; ++ cctx->protocol_ctx = req; ++ } ++ ++ /* Shared data between requests that originates in the same connection. */ ++ if (cctx->state_ctx == NULL) { ++ cctx->state_ctx = talloc_zero(cctx, struct kcm_conn_data); ++ if (cctx->state_ctx == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up client state\n"); ++ talloc_free(cctx); ++ return; ++ } + } + + ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf); +@@ -558,7 +571,7 @@ static int kcm_send_data(struct cli_ctx *cctx) + struct kcm_req_ctx *req; + errno_t ret; + +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + + ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_len); + if (ret != EOK) { +@@ -604,7 +617,7 @@ static void kcm_send(struct cli_ctx *cctx) + DEBUG(SSSDBG_TRACE_INTERNAL, "All data sent!\n"); + TEVENT_FD_NOT_WRITEABLE(cctx->cfde); + TEVENT_FD_READABLE(cctx->cfde); +- talloc_zfree(cctx->state_ctx); ++ talloc_zfree(cctx->protocol_ctx); + return; + } + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 7fc3b0a5c4e123a398ef103f3ce92b45bc68f5cf..6ae1f0c647f4d385477ddeadbad93287cba05c55 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -38,6 +38,7 @@ + + struct kcm_op_ctx { + struct kcm_resp_ctx *kcm_data; ++ struct kcm_conn_data *conn_data; + struct cli_creds *client; + + struct sss_iobuf *input; +@@ -86,6 +87,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + struct kcm_data *input, + struct kcm_op *op) +@@ -135,6 +137,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + } + + state->op_ctx->kcm_data = kcm_data; ++ state->op_ctx->conn_data = conn_data; + state->op_ctx->client = client; + + state->op_ctx->input = sss_iobuf_init_readonly(state->op_ctx, +diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h +index 67d9f86026bf949548471f2280c130ebefd2f865..fd2dd03c9da3660e0c1346752e4db59c7cbe2c41 100644 +--- a/src/responder/kcm/kcmsrv_ops.h ++++ b/src/responder/kcm/kcmsrv_ops.h +@@ -32,10 +32,15 @@ struct kcm_op; + struct kcm_op *kcm_get_opt(uint16_t opcode); + const char *kcm_opt_name(struct kcm_op *op); + ++struct kcm_conn_data { ++ void *data; ++}; ++ + struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + struct kcm_data *input, + struct kcm_op *op); +-- +2.25.4 + diff --git a/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch b/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch new file mode 100644 index 0000000..9f154fc --- /dev/null +++ b/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch @@ -0,0 +1,165 @@ +From f1db05d8839b39fd48471dcb29881c12ed27a434 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 29 Oct 2020 14:57:53 +0100 +Subject: [PATCH 14/19] sss_ptr_hash: fix double free for circular dependencies + +If the hash table delete callback deletes the stored item, +we can end up in double free in case when we try to override +an existing item (hash_enter(key) where key already exists). + +```c +static void delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, + void *pvt) +{ + talloc_free(item->value.ptr); +} + +hash_enter(key); +hash_enter(key); +``` + +The doble free it self is fine, since it is done via talloc destructor +and talloc can cope with that. However, the hash table fails to store +the new entry because hash_delete is called twice. + +``` +_sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete +``` +--- + src/tests/cmocka/test_sss_ptr_hash.c | 39 ++++++++++++++++++++++++++++ + src/tests/cmocka/test_utils.c | 3 +++ + src/tests/cmocka/test_utils.h | 1 + + src/util/sss_ptr_hash.c | 20 ++++++++++++++ + 4 files changed, 63 insertions(+) + +diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c +index 1458238f537970d0ecde80bd36830b28970ca364..31cf8b705367498822094f8811b393c1b35e12bc 100644 +--- a/src/tests/cmocka/test_sss_ptr_hash.c ++++ b/src/tests/cmocka/test_sss_ptr_hash.c +@@ -91,6 +91,45 @@ void test_sss_ptr_hash_with_free_cb(void **state) + assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2); + } + ++void test_sss_ptr_hash_overwrite_with_free_cb(void **state) ++{ ++ hash_table_t *table; ++ int free_counter = 0; ++ unsigned long count; ++ char *payload; ++ char *value; ++ errno_t ret; ++ ++ table = sss_ptr_hash_create(global_talloc_context, ++ free_payload_cb, ++ &free_counter); ++ assert_non_null(table); ++ ++ payload = talloc_strdup(table, "test_value1"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ ++ payload = talloc_strdup(table, "test_value2"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ talloc_free(table); ++ assert_int_equal(free_counter, 2); ++} ++ + struct table_wrapper + { + hash_table_t **table; +diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c +index d77a972c1bc93638085c3d49131247fefb333d56..d258622fb50e849a3efabb123960db410eb399e1 100644 +--- a/src/tests/cmocka/test_utils.c ++++ b/src/tests/cmocka/test_utils.c +@@ -2144,6 +2144,9 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb, + setup_leak_tests, + teardown_leak_tests), ++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_overwrite_with_free_cb, ++ setup_leak_tests, ++ teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb, + setup_leak_tests, + teardown_leak_tests), +diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h +index 44b9479f965ee830ea0937c0fd89b87e35796598..458bcb750569c1f5f346917f29aa8b5500891988 100644 +--- a/src/tests/cmocka/test_utils.h ++++ b/src/tests/cmocka/test_utils.h +@@ -35,6 +35,7 @@ void test_concatenate_string_array(void **state); + + /* from src/tests/cmocka/test_sss_ptr_hash.c */ + void test_sss_ptr_hash_with_free_cb(void **state); ++void test_sss_ptr_hash_overwrite_with_free_cb(void **state); + void test_sss_ptr_hash_with_lookup_cb(void **state); + void test_sss_ptr_hash_without_cb(void **state); + +diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c +index 6409236c782bac729ec51502019c04c83bce7cab..e3805dac4052b587d395b7163f5c45e1ba0aa6dc 100644 +--- a/src/util/sss_ptr_hash.c ++++ b/src/util/sss_ptr_hash.c +@@ -54,6 +54,7 @@ struct sss_ptr_hash_value { + hash_table_t *table; + const char *key; + void *payload; ++ bool delete_in_progress; + }; + + static int +@@ -61,12 +62,22 @@ sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value) + { + hash_key_t table_key; + ++ /* Do not call hash_delete() if we got here from hash delete callback when ++ * the callback calls talloc_free(payload) which frees the value. This ++ * should not happen since talloc will avoid circular free but let's be ++ * over protective here. */ ++ if (value->delete_in_progress) { ++ return 0; ++ } ++ ++ value->delete_in_progress = true; + if (value->table && value->key) { + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, value->key); + if (hash_delete(value->table, &table_key) != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed to delete entry with key '%s'\n", value->key); ++ value->delete_in_progress = false; + } + } + +@@ -127,6 +138,15 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, + callback_entry.key = item->key; + callback_entry.value.type = HASH_VALUE_PTR; + callback_entry.value.ptr = value->payload; ++ ++ /* Delete the value in case this callback has been called directly ++ * from dhash (overwriting existing entry) instead of hash_delete() ++ * in value's destructor. */ ++ if (!value->delete_in_progress) { ++ talloc_set_destructor(value, NULL); ++ talloc_free(value); ++ } ++ + /* Even if execution is already in the context of + * talloc_free(payload) -> talloc_free(value) -> ... + * there still might be legitimate reasons to execute callback. +-- +2.25.4 + diff --git a/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch b/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch new file mode 100644 index 0000000..da81b49 --- /dev/null +++ b/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch @@ -0,0 +1,551 @@ +From 9ffc2c6447f2177ff406a9f4d17d8413967ab7ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 19 Oct 2020 12:40:07 +0200 +Subject: [PATCH 15/19] kcm: store credentials list in hash table to avoid + cache lookups + +Iteration over ccache requires CRED_UUID_LIST and then calling +CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID +operation invoked ldb_search and decryption. This was a substantional +bottle neck. + +Resolves: https://github.com/SSSD/sssd/issues/5349 + +:fixes: KCM performance has improved dramatically for cases where + large amount of credentials are stored in the ccache. +--- + src/responder/kcm/kcmsrv_ccache.c | 46 +++++ + src/responder/kcm/kcmsrv_ccache.h | 7 + + src/responder/kcm/kcmsrv_ccache_mem.c | 30 ++-- + src/responder/kcm/kcmsrv_ops.c | 245 +++++++++++++++++++------- + src/responder/kcm/kcmsrv_ops.h | 5 +- + 5 files changed, 249 insertions(+), 84 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 59f8a7293fa7422c199ca2916c8e6ae6039d9312..60eacd4516b1269168caea744d91377686ab03f6 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -28,6 +28,9 @@ + #include "responder/kcm/kcmsrv_ccache_pvt.h" + #include "responder/kcm/kcmsrv_ccache_be.h" + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd); ++ + static int kcm_cc_destructor(struct kcm_ccache *cc) + { + if (cc == NULL) { +@@ -94,6 +97,33 @@ done: + return ret; + } + ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc) ++{ ++ struct kcm_ccache *dup; ++ struct kcm_cred *crd_dup; ++ struct kcm_cred *crd; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (dup == NULL) { ++ return NULL; ++ } ++ memcpy(dup, cc, sizeof(struct kcm_ccache)); ++ ++ dup->creds = NULL; ++ DLIST_FOR_EACH(crd, cc->creds) { ++ crd_dup = kcm_cred_dup(dup, crd); ++ if (crd_dup == NULL) { ++ talloc_free(dup); ++ return NULL; ++ } ++ ++ DLIST_ADD(dup->creds, crd_dup); ++ } ++ ++ return dup; ++} ++ + const char *kcm_cc_get_name(struct kcm_ccache *cc) + { + return cc ? cc->name : NULL; +@@ -204,6 +234,22 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + return kcreds; + } + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd) ++{ ++ struct kcm_cred *dup; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_cred); ++ if (dup == NULL) { ++ return NULL; ++ } ++ ++ uuid_copy(dup->uuid, crd->uuid); ++ dup->cred_blob = crd->cred_blob; ++ ++ return dup; ++} ++ + /* Add a cred to ccache */ + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd) +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index b0a7acb9fed8a8f89a3d0e2239ab28c7ce80fa23..77cf8f61d563d29afe00d8a04e8053b24547746d 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -72,6 +72,13 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx, + krb5_principal princ, + struct kcm_ccache **_cc); + ++/* ++ * Duplicate the ccache. Only ccache and credentials are duplicated, ++ * but their data are a shallow copy. ++ */ ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc); ++ + /* + * Returns true if a client can access a ccache. + * +diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c +index baa698054fa4c6952b41b0f25dfdfa825f8e675b..0e3a7b239eda83c9fdec3b116231d4ec1444ef10 100644 +--- a/src/responder/kcm/kcmsrv_ccache_mem.c ++++ b/src/responder/kcm/kcmsrv_ccache_mem.c +@@ -49,24 +49,6 @@ struct ccdb_mem { + unsigned int nextid; + }; + +-/* In order to provide a consistent interface, we need to let the caller +- * of getbyXXX own the ccache, therefore the memory back end returns a shallow +- * copy of the ccache +- */ +-static struct kcm_ccache *kcm_ccache_dup(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *in) +-{ +- struct kcm_ccache *out; +- +- out = talloc_zero(mem_ctx, struct kcm_ccache); +- if (out == NULL) { +- return NULL; +- } +- memcpy(out, in, sizeof(struct kcm_ccache)); +- +- return out; +-} +- + static struct ccache_mem_wrap *memdb_get_by_uuid(struct ccdb_mem *memdb, + struct cli_creds *client, + uuid_t uuid) +@@ -417,7 +399,11 @@ static struct tevent_req *ccdb_mem_getbyuuid_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; +@@ -470,7 +456,11 @@ static struct tevent_req *ccdb_mem_getbyname_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_name(memdb, client, name); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 6ae1f0c647f4d385477ddeadbad93287cba05c55..f458c724b0eaa3d43df4ad30baa3f896b8d87965 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -22,9 +22,11 @@ + #include "config.h" + + #include ++#include + + #include "util/sss_iobuf.h" + #include "util/sss_krb5.h" ++#include "util/sss_ptr_hash.h" + #include "util/util_creds.h" + #include "responder/kcm/kcm.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -1074,6 +1076,73 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq) + tevent_req_done(req); + } + ++static void ++kcm_creds_table_delete_cb(hash_entry_t *item, ++ hash_destroy_enum deltype, ++ void *pvt) ++{ ++ /* Delete the old credential if it is being overwritten. */ ++ talloc_free(item->value.ptr); ++} ++ ++/* Store credentials in a hash table. ++ * ++ * If the table already exist we add the new credentials to the table and ++ * overwrite the ones that already exist. This allows us to correctly serve ++ * also parallel GET_CRED_UUID_LIST requests from the same connection since ++ * it will have its own uuid list and cursor on the client side and we make ++ * all uuid (old, updated and newly added) available. ++ */ ++static errno_t ++kcm_creds_to_table(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *creds, ++ hash_table_t **_table) ++{ ++ char str[UUID_STR_SIZE]; ++ uuid_t uuid; ++ errno_t ret; ++ ++ if (*_table == NULL) { ++ *_table = sss_ptr_hash_create(mem_ctx, kcm_creds_table_delete_cb, NULL); ++ if (*_table == NULL) { ++ return ENOMEM; ++ } ++ } ++ ++ for (struct kcm_cred *crd = creds; ++ crd != NULL; ++ crd = kcm_cc_next_cred(crd)) { ++ ret = kcm_cred_get_uuid(crd, uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Credential has no UUID, skipping\n"); ++ continue; ++ } ++ uuid_unparse(uuid, str); ++ ++ ret = sss_ptr_hash_add_or_override(*_table, str, crd, struct kcm_cred); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ talloc_steal(*_table, crd); ++ } ++ ++ return EOK; ++} ++ ++static struct kcm_cred * ++kcm_creds_lookup(hash_table_t *table, uuid_t uuid) ++{ ++ char str[UUID_STR_SIZE]; ++ ++ if (uuid == NULL) { ++ return NULL; ++ } ++ ++ uuid_unparse(uuid, str); ++ return sss_ptr_hash_lookup(table, str, struct kcm_cred); ++} ++ + /* (name) -> (uuid, ...) */ + static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq); + +@@ -1123,12 +1192,15 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; ++ struct kcm_conn_data *conn_data; + uuid_t uuid; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + ++ conn_data = state->op_ctx->conn_data; ++ + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { +@@ -1140,12 +1212,20 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + } + + if (cc == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ DEBUG(SSSDBG_MINOR_FAILURE, "No ccache by that name\n"); + state->op_ret = ERR_NO_CREDS; + tevent_req_done(req); + return; + } + ++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table " ++ "[%d]: %s\n", ret, sss_strerror(ret)); ++ tevent_req_error(req, ret); ++ return; ++ } ++ + for (crd = kcm_cc_get_cred(cc); + crd != NULL; + crd = kcm_cc_next_cred(crd)) { +@@ -1172,6 +1252,34 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + tevent_req_done(req); + } + ++static errno_t ++kcm_op_get_cred_by_uuid_reply(struct kcm_cred *crd, ++ struct sss_iobuf *reply) ++{ ++ struct sss_iobuf *cred_blob; ++ errno_t ret; ++ ++ cred_blob = kcm_cred_get_creds(crd); ++ if (cred_blob == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); ++ return ERR_NO_CREDS; ++ } ++ ++ ret = sss_iobuf_write_len(reply, sss_iobuf_get_data(cred_blob), ++ sss_iobuf_get_size(cred_blob)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot write ccache blob [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ } ++ ++ return ret; ++} ++ ++struct kcm_op_get_cred_by_uuid_state { ++ struct kcm_op_common_state common; ++ uuid_t uuid; ++}; ++ + /* (name, uuid) -> (cred) */ + static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq); + +@@ -1182,20 +1290,51 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + { + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; +- struct kcm_op_common_state *state = NULL; ++ struct kcm_op_get_cred_by_uuid_state *state; ++ struct kcm_cred *crd; + errno_t ret; + const char *name; + +- req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); ++ req = tevent_req_create(mem_ctx, &state, ++ struct kcm_op_get_cred_by_uuid_state); + if (req == NULL) { + return NULL; + } +- state->op_ctx = op_ctx; ++ state->common.op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + goto immediate; + } ++ ++ ret = sss_iobuf_read_len(state->common.op_ctx->input, UUID_BYTES, ++ state->uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot read input UUID [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto immediate; ++ } ++ ++ if (op_ctx->conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(op_ctx->conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ /* This should not happen, it can only happen if wrong UUID was ++ * requested which suggests bug in the caller application. */ ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ ret = EOK; ++ goto immediate; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, op_ctx->reply); ++ if (ret == ERR_NO_CREDS) { ++ state->common.op_ret = ret; ++ ret = EOK; ++ } ++ goto immediate; ++ } ++ } ++ + DEBUG(SSSDBG_TRACE_LIBS, "Returning creds by UUID for %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, +@@ -1210,7 +1349,11 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + return req; + + immediate: +- tevent_req_error(req, ret); ++ if (ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } + tevent_req_post(req, ev); + return req; + } +@@ -1219,14 +1362,14 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); +- struct kcm_op_common_state *state = tevent_req_data(req, +- struct kcm_op_common_state); ++ struct kcm_op_get_cred_by_uuid_state *state = tevent_req_data(req, ++ struct kcm_op_get_cred_by_uuid_state); + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; +- uuid_t uuid_in; +- uuid_t uuid; +- struct sss_iobuf *cred_blob; ++ struct kcm_conn_data *conn_data; ++ ++ conn_data = state->common.op_ctx->conn_data; + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); +@@ -1238,69 +1381,45 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + return; + } + +- if (cc == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n"); +- state->op_ret = ERR_NO_MATCHING_CREDS; +- tevent_req_done(req); +- return; +- } +- +- ret = sss_iobuf_read_len(state->op_ctx->input, +- UUID_BYTES, uuid_in); ++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot read input UUID [%d]: %s\n", +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table " ++ "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + +- for (crd = kcm_cc_get_cred(cc); +- crd != NULL; +- crd = kcm_cc_next_cred(crd)) { +- ret = kcm_cred_get_uuid(crd, uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot get UUID from creds, skipping\n"); +- continue; +- } +- +- if (uuid_compare(uuid, uuid_in) == 0) { +- break; ++ if (conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, state->common.op_ctx->reply); ++ if (ret != EOK && ret != ERR_NO_CREDS) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ state->common.op_ret = ret; + } +- kcm_debug_uuid(uuid); +- } +- +- if (crd == NULL) { +- state->op_ret = ERR_KCM_CC_END; +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); +- tevent_req_done(req); +- return; +- } +- +- cred_blob = kcm_cred_get_creds(crd); +- if (cred_blob == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); +- state->op_ret = ERR_NO_CREDS; +- tevent_req_done(req); +- return; +- } +- +- ret = sss_iobuf_write_len(state->op_ctx->reply, +- sss_iobuf_get_data(cred_blob), +- sss_iobuf_get_size(cred_blob)); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot write ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); +- tevent_req_error(req, ret); +- return; + } + +- state->op_ret = EOK; + tevent_req_done(req); + } + ++static errno_t kcm_op_get_cred_by_uuid_recv(struct tevent_req *req, ++ uint32_t *_op_ret) ++{ ++ struct kcm_op_get_cred_by_uuid_state *state; ++ ++ state = tevent_req_data(req, struct kcm_op_get_cred_by_uuid_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ *_op_ret = state->common.op_ret; ++ return EOK; ++} ++ + /* (name, flags, credtag) -> () */ + /* FIXME */ + static struct tevent_req * +@@ -2156,7 +2275,7 @@ static struct kcm_op kcm_optable[] = { + { "RETRIEVE", NULL, NULL }, + { "GET_PRINCIPAL", kcm_op_get_principal_send, NULL }, + { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list_send, NULL }, +- { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, NULL }, ++ { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, kcm_op_get_cred_by_uuid_recv }, + { "REMOVE_CRED", kcm_op_remove_cred_send, NULL }, + { "SET_FLAGS", NULL, NULL }, + { "CHOWN", NULL, NULL }, +diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h +index fd2dd03c9da3660e0c1346752e4db59c7cbe2c41..ab6c13791baa43837cf84ebd523735b622a24020 100644 +--- a/src/responder/kcm/kcmsrv_ops.h ++++ b/src/responder/kcm/kcmsrv_ops.h +@@ -24,6 +24,7 @@ + + #include "config.h" + ++#include + #include + #include "util/sss_iobuf.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -33,7 +34,9 @@ struct kcm_op *kcm_get_opt(uint16_t opcode); + const char *kcm_opt_name(struct kcm_op *op); + + struct kcm_conn_data { +- void *data; ++ /* Credentials obtained by GET_CRED_UUID_LIST. We use to improve performance ++ * by avoiding ccache lookups in GET_CRED_BY_UUID. */ ++ hash_table_t *creds; + }; + + struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, +-- +2.25.4 + diff --git a/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch b/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch new file mode 100644 index 0000000..e3ee22d --- /dev/null +++ b/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch @@ -0,0 +1,38 @@ +From 24a6888e38fb9d11bf173eb06e400678388bce49 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 3 Nov 2020 13:35:33 +0100 +Subject: [PATCH 16/19] secrets: fix may_payload_size exceeded debug message + +The unit is bytes (B) not bits (b) and the conversion of the input +payload size to KiB was wrong (multiplying bytes * 1024). +--- + src/util/secrets/secrets.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 6fd9e0af5bd9986052efdb8e244ddeb9e4fa50ff..1000757228bea75bb2d5c48aceb717c9bfe35ffb 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -399,14 +399,14 @@ static int local_check_max_payload_size(struct sss_sec_req *req, + return EOK; + } + +- max_payload_size = req->quota->max_payload_size * 1024; /* kb */ ++ max_payload_size = req->quota->max_payload_size * 1024; /* KiB */ + if (payload_size > max_payload_size) { + DEBUG(SSSDBG_OP_FAILURE, +- "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " +- "payload size [%d kb (%d)]\n", +- payload_size * 1024, /* kb */ ++ "Secrets' payload size [%d KiB (%d B)] exceeds the maximum " ++ "allowed payload size [%d KiB (%d B)]\n", ++ payload_size / 1024, /* KiB */ + payload_size, +- req->quota->max_payload_size, /* kb */ ++ req->quota->max_payload_size, /* KiB */ + max_payload_size); + + return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; +-- +2.25.4 + diff --git a/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch b/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch new file mode 100644 index 0000000..13efbcd --- /dev/null +++ b/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch @@ -0,0 +1,43 @@ +From 36e4dc6c9a48ee62345839a9df14e0494c99bf59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 11:47:24 +0100 +Subject: [PATCH 17/19] secrets: default to "plaintext" if "enctype" attr is + missing + +This is a sane fallback behavior, however it should not happen since +the attribute should be always present. +--- + src/util/secrets/secrets.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 1000757228bea75bb2d5c48aceb717c9bfe35ffb..58c96e18f03865df0249c4c899ad88e385b782c8 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -1071,17 +1071,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); +- +- if (attr_enctype) { +- enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, +- attr_secret->length, enctype, &secret, &secret_len); +- if (ret) goto done; +- } else { +- secret = talloc_steal(tmp_ctx, attr_secret->data); +- secret_len = attr_secret->length; +- } ++ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", ++ "plaintext"); ++ enctype = sss_sec_str_to_enctype(attr_enctype); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, ++ attr_secret->length, enctype, &secret, &secret_len); ++ if (ret) goto done; + + if (_datatype != NULL) { + attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", +-- +2.25.4 + diff --git a/0018-secrets-move-attrs-names-to-macros.patch b/0018-secrets-move-attrs-names-to-macros.patch new file mode 100644 index 0000000..a03eca3 --- /dev/null +++ b/0018-secrets-move-attrs-names-to-macros.patch @@ -0,0 +1,183 @@ +From b18f0f87948d44f1d99dd4da0ac1affcbb8c53e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 11:55:39 +0100 +Subject: [PATCH 18/19] secrets: move attrs names to macros + +--- + src/util/secrets/secrets.c | 42 +++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 17 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 58c96e18f03865df0249c4c899ad88e385b782c8..ae9c7c83f335c8c2d9d97a736700fbcdaf0d36af 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -39,6 +39,11 @@ + #define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" + #define LOCAL_CONTAINER_FILTER "(type=container)" + ++#define SEC_ATTR_SECRET "secret" ++#define SEC_ATTR_ENCTYPE "enctype" ++#define SEC_ATTR_TYPE "type" ++#define SEC_ATTR_CTIME "creationTime" ++ + typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, + const char *url, + uid_t client, +@@ -465,7 +470,7 @@ static int local_db_create(struct sss_sec_req *req) + ret = local_db_check_containers_nest_level(req, msg->dn); + if (ret != EOK) goto done; + +- ret = ldb_msg_add_string(msg, "type", "container"); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, "container"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:container [%d]: %s\n", +@@ -473,7 +478,7 @@ static int local_db_create(struct sss_sec_req *req) + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -953,7 +958,7 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + size_t *_num_keys) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, NULL }; + struct ldb_result *res; + char **keys; + int ret; +@@ -1017,7 +1022,8 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + char **_datatype) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", "enctype", "type", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, SEC_ATTR_ENCTYPE, ++ SEC_ATTR_TYPE, NULL }; + struct ldb_result *res; + const struct ldb_val *attr_secret; + const char *attr_enctype; +@@ -1064,14 +1070,14 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_secret = ldb_msg_find_ldb_val(res->msgs[0], "secret"); ++ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], SEC_ATTR_SECRET); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; + goto done; + } + +- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", ++ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_ENCTYPE, + "plaintext"); + enctype = sss_sec_str_to_enctype(attr_enctype); + ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, +@@ -1079,7 +1085,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + if (ret) goto done; + + if (_datatype != NULL) { +- attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", ++ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_TYPE, + "simple"); + datatype = talloc_strdup(tmp_ctx, attr_datatype); + if (datatype == NULL) { +@@ -1167,7 +1173,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", datatype); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:%s [%d]: %s\n", +@@ -1175,7 +1181,8 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1183,7 +1190,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", +@@ -1191,7 +1198,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -1283,7 +1290,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_empty(msg, "enctype", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_ENCTYPE, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1291,7 +1298,8 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1299,7 +1307,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_empty(msg, "type", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_TYPE, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1307,7 +1315,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", datatype); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:%s [%d]: %s\n", +@@ -1316,7 +1324,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + } + + /* FIXME - should we have a lastUpdate timestamp? */ +- ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1324,7 +1332,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); +-- +2.25.4 + diff --git a/0019-secrets-remove-base64-enctype.patch b/0019-secrets-remove-base64-enctype.patch new file mode 100644 index 0000000..915d049 --- /dev/null +++ b/0019-secrets-remove-base64-enctype.patch @@ -0,0 +1,75 @@ +From bca694200748354c7ee3e51084586d30b9b0164b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 12:07:06 +0100 +Subject: [PATCH 19/19] secrets: remove base64 enctype + +This was added as part of KCM performance improvements but never used. +Ldb is fully capable of holding binary data without the need for base64 +encoding so this is not needed. +--- + src/util/secrets/secrets.c | 15 --------------- + src/util/secrets/secrets.h | 1 - + 2 files changed, 16 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index ae9c7c83f335c8c2d9d97a736700fbcdaf0d36af..c6310b58526d6f4c063d028cd0e78b5e4f2e12db 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -75,8 +75,6 @@ static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) + return "plaintext"; + case SSS_SEC_MASTERKEY: + return "masterkey"; +- case SSS_SEC_BASE64: +- return "base64"; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", + enctype); +@@ -94,10 +92,6 @@ static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) + return SSS_SEC_MASTERKEY; + } + +- if (strcmp("base64", str) == 0) { +- return SSS_SEC_BASE64; +- } +- + return SSS_SEC_ENCTYPE_SENTINEL; + } + +@@ -141,10 +135,6 @@ static int local_decrypt(struct sss_sec_ctx *sctx, + return ret; + } + break; +- case SSS_SEC_BASE64: +- output = (uint8_t *)sss_base64_decode(mem_ctx, (const char *)secret, +- &output_len); +- break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; +@@ -196,11 +186,6 @@ static int local_encrypt(struct sss_sec_ctx *sec_ctx, + output_len = strlen(b64) + 1; + talloc_free(_secret.data); + break; +- case SSS_SEC_BASE64: +- b64 = sss_base64_encode(mem_ctx, secret, secret_len); +- output = (uint8_t*)b64; +- output_len = strlen(b64) + 1; +- break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index f8caa53eec376bb0c8d52615ce9111efbbb26393..f79bfaa4b9dc2df577a815c03b86770e3066de75 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -46,7 +46,6 @@ + enum sss_sec_enctype { + SSS_SEC_PLAINTEXT, + SSS_SEC_MASTERKEY, +- SSS_SEC_BASE64, + SSS_SEC_ENCTYPE_SENTINEL + }; + +-- +2.25.4 + diff --git a/sssd.spec b/sssd.spec index 375215d..f5371de 100644 --- a/sssd.spec +++ b/sssd.spec @@ -29,13 +29,32 @@ Name: sssd Version: 2.4.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/sssd-2.4.0.tar.gz ### Patches ### +Patch0001: 0001-kcm-fix-typos-in-debug-messages.patch +Patch0002: 0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch +Patch0003: 0003-kcm-disable-encryption.patch +Patch0004: 0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch +Patch0005: 0005-secrets-allow-to-specify-secret-s-data-format.patch +Patch0006: 0006-secrets-accept-binary-data-instead-of-string.patch +Patch0007: 0007-iobuf-add-more-iobuf-functions.patch +Patch0008: 0008-kcm-add-json-suffix-to-existing-searialization-funct.patch +Patch0009: 0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch +Patch0010: 0010-kcm-avoid-suppression-of-cppcheck-warning.patch +Patch0011: 0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch +Patch0012: 0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch +Patch0013: 0013-kcm-add-per-connection-data-to-be-shared-between-req.patch +Patch0014: 0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch +Patch0015: 0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch +Patch0016: 0016-secrets-fix-may_payload_size-exceeded-debug-message.patch +Patch0017: 0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch +Patch0018: 0018-secrets-move-attrs-names-to-macros.patch +Patch0019: 0019-secrets-remove-base64-enctype.patch ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1014,6 +1033,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Dec 7 2020 Pavel Březina - 2.4.0-5 +- Improve sssd-kcm performance (rhbz#1645624) + * Mon Nov 30 2020 Stephen Gallagher - 2.4.0-4 - Rebuild for Fedora ELN