From 6601f5da29587d043025f71654c0f6562dbb3a37 Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Tue, 15 Dec 2020 17:48:41 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/sssd.git#968f95e90a4d63bd05e611cefa05e574507024fa --- 0001-fix-compilation-with-check-0.15.1.patch | 4005 ----------------- 0001-kcm-fix-typos-in-debug-messages.patch | 53 + ...warnings-format-not-a-string-literal.patch | 293 -- ...onfusion-in-GET_CRED_UUID_LIST-handl.patch | 51 + 0003-kcm-disable-encryption.patch | 509 +++ ...le-debug-messages-if-sss_sec_put-fai.patch | 26 + ...llow-to-specify-secret-s-data-format.patch | 225 + ...accept-binary-data-instead-of-string.patch | 450 ++ 0007-iobuf-add-more-iobuf-functions.patch | 265 ++ ...fix-to-existing-searialization-funct.patch | 292 ++ ...-parser-to-separate-file-so-it-can-b.patch | 404 ++ ...void-suppression-of-cppcheck-warning.patch | 30 + ...round-operators-in-kcmsrv_ccache_key.patch | 42 + ...ormat-to-store-ccache-instead-of-jso.patch | 741 +++ ...ection-data-to-be-shared-between-req.patch | 131 + ...-double-free-for-circular-dependenci.patch | 165 + ...tials-list-in-hash-table-to-avoid-ca.patch | 551 +++ ..._payload_size-exceeded-debug-message.patch | 38 + ...to-plaintext-if-enctype-attr-is-miss.patch | 43 + 0018-secrets-move-attrs-names-to-macros.patch | 183 + 0019-secrets-remove-base64-enctype.patch | 75 + ...ase64-encoded-secret-on-upgrade-path.patch | 43 + sssd.spec | 29 +- 23 files changed, 4345 insertions(+), 4299 deletions(-) delete mode 100644 0001-fix-compilation-with-check-0.15.1.patch create mode 100644 0001-kcm-fix-typos-in-debug-messages.patch delete mode 100644 0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch create mode 100644 0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch create mode 100644 0003-kcm-disable-encryption.patch create mode 100644 0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch create mode 100644 0005-secrets-allow-to-specify-secret-s-data-format.patch create mode 100644 0006-secrets-accept-binary-data-instead-of-string.patch create mode 100644 0007-iobuf-add-more-iobuf-functions.patch create mode 100644 0008-kcm-add-json-suffix-to-existing-searialization-funct.patch create mode 100644 0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch create mode 100644 0010-kcm-avoid-suppression-of-cppcheck-warning.patch create mode 100644 0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch create mode 100644 0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch create mode 100644 0013-kcm-add-per-connection-data-to-be-shared-between-req.patch create mode 100644 0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch create mode 100644 0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch create mode 100644 0016-secrets-fix-may_payload_size-exceeded-debug-message.patch create mode 100644 0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch create mode 100644 0018-secrets-move-attrs-names-to-macros.patch create mode 100644 0019-secrets-remove-base64-enctype.patch create mode 100644 0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch diff --git a/0001-fix-compilation-with-check-0.15.1.patch b/0001-fix-compilation-with-check-0.15.1.patch deleted file mode 100644 index 5a2a880..0000000 --- a/0001-fix-compilation-with-check-0.15.1.patch +++ /dev/null @@ -1,4005 +0,0 @@ -From ae92ebec5ab0535d0a24c983b36026f615a60b5e Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:01 +0000 -Subject: [PATCH 01/19] =?UTF-8?q?DLOPEN-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/dlopen-tests.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index 4727e7cd9..4acaba2a4 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -194,13 +194,13 @@ static char **get_so_files(size_t *_list_size) - char **libraries; - - n = scandir(LIBPFX, &namelist, file_so_filter, alphasort); -- fail_unless(n > 0); -+ fail_unless(n > 0, "Failed to scan dirrectory: " LIBPFX); - - libraries = calloc(n + 1, sizeof(char *)); - - for (int i = 0; i < n; ++i) { - libraries[i] = strdup(namelist[i]->d_name); -- fail_if(libraries[i] == NULL); -+ fail_if(libraries[i] == NULL, "Failed to allocate memory"); - - free(namelist[i]); - } -@@ -250,7 +250,7 @@ START_TEST(test_dlopen_base) - } - free(found_libraries); - -- fail_if(unchecked_library); -+ fail_if(unchecked_library, "Unchecked library found"); - } - END_TEST - --- -2.28.0.rc2 - - -From 23849dfb089c0cbd877feaa3fbb4df94f3d62ebb Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:02 +0000 -Subject: [PATCH 02/19] =?UTF-8?q?SYSDB-TESTS:=20Fix=20error=20too=20few=20?= - =?UTF-8?q?arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros - -e.g. -src/tests/sysdb-tests.c:6622:5: error: too few arguments to function ‘_ck_assert_failed’ - 6622 | fail_if(ret != EOK); ---- - src/tests/sysdb-tests.c | 454 +++++++++++++++++++++------------------- - 1 file changed, 236 insertions(+), 218 deletions(-) - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 5381b9a17..b7e0e2389 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -694,13 +694,13 @@ START_TEST (test_sysdb_user_new_id) - fqname = sss_create_internal_fqname(test_ctx, - username, - test_ctx->domain->name); -- fail_if(fqname == NULL); -+ fail_if(fqname == NULL, "Failed to allocate memory"); - - attrs = sysdb_new_attrs(test_ctx); -- fail_if(attrs == NULL); -+ fail_if(attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(attrs, SYSDB_DESCRIPTION, desc_in); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "Failed to add attribute: " SYSDB_DESCRIPTION); - - ret = sysdb_add_user(test_ctx->domain, fqname, - 1234, 1234, fqname, "/", "/bin/bash", -@@ -713,7 +713,7 @@ START_TEST (test_sysdb_user_new_id) - fail_if(ret != EOK, "Could not retrieve user %s", fqname); - - desc = ldb_msg_find_attr_as_string(msg, SYSDB_DESCRIPTION, NULL); -- fail_unless(desc != NULL); -+ fail_unless(desc != NULL, "Failed to find attribute: " SYSDB_DESCRIPTION); - ck_assert_str_eq(desc, desc_in); - - ret = sysdb_delete_user(test_ctx->domain, fqname, 0); -@@ -738,7 +738,7 @@ START_TEST (test_sysdb_store_user) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - -@@ -761,7 +761,7 @@ START_TEST (test_sysdb_store_user_existing) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->shell = "/bin/ksh"; - - ret = test_store_user(data); -@@ -831,7 +831,7 @@ START_TEST (test_sysdb_remove_local_user_by_uid) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; - - ret = test_remove_user_by_uid(data); -@@ -855,7 +855,7 @@ START_TEST (test_sysdb_remove_local_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_remove_group(data); - -@@ -878,7 +878,7 @@ START_TEST (test_sysdb_remove_local_group_by_gid) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - null_ctx_get_size(data->ctx); - ret = test_remove_group_by_gid(data); -@@ -903,7 +903,7 @@ START_TEST (test_sysdb_add_user) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_user(data); - -@@ -926,7 +926,7 @@ START_TEST (test_sysdb_add_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - -@@ -951,7 +951,7 @@ START_TEST (test_sysdb_add_group_with_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - for (j = MBO_GROUP_BASE; j < _i; j++) { - member_fqname = test_asprintf_fqname(data, data->ctx->domain, -@@ -983,7 +983,7 @@ START_TEST (test_sysdb_add_incomplete_group) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - -@@ -1053,7 +1053,7 @@ START_TEST (test_sysdb_getpwnam) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - res = test_getpwnam(data); - fail_if(res->count != 1, -@@ -1069,7 +1069,6 @@ START_TEST (test_sysdb_getpwnam) - data->username = test_asprintf_fqname(data, test_ctx->domain, - "TESTUSER%d", _i); - fail_if(data->username == NULL, "OOM"); -- fail_if(ret != EOK); - - res = test_getpwnam(data); - fail_if(res->count != 0, -@@ -1101,15 +1100,16 @@ START_TEST(test_user_group_by_name) - test_ctx->domain->mpg_mode = MPG_ENABLED; - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(data, - data->ctx->domain, - data->username, /* we're searching for the private group */ - NULL, - &msg); -- fail_if(ret != EOK); -- fail_if(msg == NULL); -+ fail_if(ret != EOK, -+ "sysdb_search_group_by_name failed with error: %d", ret); -+ fail_if(msg == NULL, "Failed to find group: %s", data->username); - - groupname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); - ck_assert_str_eq(groupname, data->username); -@@ -1131,14 +1131,15 @@ START_TEST(test_user_group_by_name_local) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(data, - data->ctx->domain, - data->username, /* we're searching for the private group */ - NULL, - &msg); -- fail_if(ret != ENOENT); -+ fail_if(ret != ENOENT, -+ "sysdb_search_group_by_name must return ENOENT got: %d", ret); - } - END_TEST - -@@ -1159,7 +1160,7 @@ START_TEST (test_sysdb_getgrnam) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - res = test_getgrnam(data); - fail_if(res->count != 1, -@@ -1176,7 +1177,6 @@ START_TEST (test_sysdb_getgrnam) - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "TESTGROUP%d", _i); - fail_if(data->groupname == NULL, "OOM"); -- fail_if(ret != EOK); - - res = test_getgrnam(data); - fail_if(res->count != 0, -@@ -1302,7 +1302,7 @@ START_TEST (test_sysdb_getpwuid) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_getpwuid(test_ctx, - test_ctx->domain, -@@ -1397,7 +1397,7 @@ START_TEST (test_sysdb_set_user_attr) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrs = sysdb_new_attrs(test_ctx); - if (ret != EOK) { -@@ -1506,7 +1506,7 @@ START_TEST (test_sysdb_get_user_attr) - } - - data = test_data_new_user(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, attrs, - &res); -@@ -1601,7 +1601,7 @@ START_TEST (test_sysdb_add_nonposix_user) - fail_if(fq_name == NULL, "Failed to create fq name."); - - user_attrs = sysdb_new_attrs(test_ctx); -- fail_if(user_attrs == NULL); -+ fail_if(user_attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_bool(user_attrs, SYSDB_POSIX, false); - fail_if(ret != EOK, "Could not add attribute"); -@@ -1691,12 +1691,12 @@ START_TEST (test_sysdb_add_group_member) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i - 1000; /* the UID of user to add */ - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - -@@ -1771,12 +1771,12 @@ START_TEST (test_sysdb_remove_group_member) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i - 1000; /* the UID of user to remove */ - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_remove_group_member(data); - fail_if(ret != EOK, "Remove group member failed: %d", ret); -@@ -1799,7 +1799,7 @@ START_TEST (test_sysdb_remove_nonexistent_user) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = 12345; - - ret = test_remove_user_by_uid(data); -@@ -1823,7 +1823,7 @@ START_TEST (test_sysdb_remove_nonexistent_group) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->gid = 12345; - - ret = test_remove_group_by_gid(data); -@@ -1866,7 +1866,7 @@ START_TEST (test_sysdb_store_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = _i; - data->attrs = sysdb_new_attrs(test_ctx); -@@ -1905,7 +1905,7 @@ START_TEST (test_sysdb_search_custom_by_name) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -1958,7 +1958,7 @@ START_TEST (test_sysdb_update_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = 29010; - data->attrs = sysdb_new_attrs(test_ctx); -@@ -2006,7 +2006,7 @@ START_TEST (test_sysdb_search_custom_update) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2074,7 +2074,7 @@ START_TEST (test_sysdb_search_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(test_ctx, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2112,7 +2112,7 @@ START_TEST (test_sysdb_delete_custom) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_delete_custom(data); - -@@ -2209,7 +2209,7 @@ static void cached_authentication_without_expiration(uid_t uid, - fail_unless(ret == EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, uid); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val[0] = "0"; - ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, -@@ -2257,7 +2257,7 @@ static void cached_authentication_with_expiration(uid_t uid, - fail_unless(ret == EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, uid); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val[0] = "1"; - ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, -@@ -2336,12 +2336,12 @@ START_TEST (test_sysdb_prepare_asq_test_user) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = ASQ_TEST_USER_UID; - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%u", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - -@@ -2369,7 +2369,7 @@ START_TEST (test_sysdb_asq_search) - } - - data = test_data_new_user(test_ctx, ASQ_TEST_USER_UID); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2428,7 +2428,7 @@ START_TEST (test_sysdb_search_all_users) - } - - data = test_data_new(test_ctx); -- fail_unless(data != NULL); -+ fail_unless(data != NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed"); -@@ -2487,7 +2487,7 @@ START_TEST (test_sysdb_delete_recursive) - } - - data = test_data_new(test_ctx); -- fail_unless(data != NULL); -+ fail_unless(data != NULL, "Failed to allocate memory"); - - ret = test_delete_recursive(data); - -@@ -2553,7 +2553,7 @@ START_TEST (test_sysdb_memberof_store_group) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0) { - data->attrlist = NULL; -@@ -2563,7 +2563,7 @@ START_TEST (test_sysdb_memberof_store_group) - data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testgroup%d", data->gid - 1); - data->attrlist[1] = NULL; -- fail_if(data->attrlist[0] == NULL); -+ fail_if(data->attrlist[0] == NULL, "Failed to allocate memory"); - } - - ret = test_memberof_store_group(data); -@@ -2587,7 +2587,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0 || _i == MBO_GROUP_BASE) { - data->attrlist = NULL; -@@ -2597,7 +2597,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testgroup%d", data->gid - 1); - data->attrlist[1] = NULL; -- fail_if(data->attrlist[0] == NULL); -+ fail_if(data->attrlist[0] == NULL, "Failed to allocate memory"); - } - - data->ghostlist = talloc_array(data, char *, 2); -@@ -2605,7 +2605,7 @@ START_TEST (test_sysdb_memberof_store_group_with_ghosts) - data->ghostlist[0] = test_asprintf_fqname(data, data->ctx->domain, - "testuser%d", data->gid); - data->ghostlist[1] = NULL; -- fail_if(data->ghostlist[0] == NULL); -+ fail_if(data->ghostlist[0] == NULL, "Failed to allocate memory"); - - ret = test_memberof_store_group_with_ghosts(data); - -@@ -2628,7 +2628,7 @@ START_TEST (test_sysdb_memberof_store_group_with_double_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - if (_i == 0) { - data->attrlist = NULL; -@@ -2673,7 +2673,7 @@ START_TEST (test_sysdb_memberof_mod_add) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ghostname = test_asprintf_fqname(data, test_ctx->domain, - "testghost%d", _i); -@@ -2755,7 +2755,7 @@ START_TEST (test_sysdb_memberof_mod_replace) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testuser%i attribute with testghost%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -2842,7 +2842,7 @@ START_TEST (test_sysdb_memberof_mod_replace_keep) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + 10 - _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the attributes (testusera$gid, testuserb$gid) with - * just testusera$gid. The result should be not only testusera, but also -@@ -3021,7 +3021,7 @@ START_TEST (test_sysdb_memberof_store_user) - } - - data = test_data_new_user(test_ctx, MBO_USER_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - fail_if(ret != EOK, "Could not store user %s", data->username); -@@ -3043,12 +3043,12 @@ START_TEST (test_sysdb_memberof_add_group_member) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->uid = MBO_USER_BASE + _i; - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testuser%d", data->uid); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_add_group_member(data); - fail_if(ret != EOK, "Could not modify group %s", data->groupname); -@@ -3071,7 +3071,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_without_group_5) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "tallo_array failed."); -@@ -3120,7 +3120,7 @@ START_TEST (test_sysdb_memberof_check_memberuid) - } - - data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3160,7 +3160,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_loop) - } - - data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3200,7 +3200,7 @@ START_TEST (test_sysdb_memberof_check_memberuid_loop_without_group_5) - } - - data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "tallo_array failed."); -@@ -3249,7 +3249,7 @@ START_TEST (test_sysdb_memberof_check_nested_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3284,7 +3284,7 @@ START_TEST (test_sysdb_memberof_check_nested_double_ghosts) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3321,7 +3321,7 @@ START_TEST (test_sysdb_memberof_remove_child_group_and_check_ghost) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - delgid = data->gid - 1; - - data->attrlist = talloc_array(data, const char *, 2); -@@ -3383,7 +3383,7 @@ START_TEST (test_sysdb_memberof_mod_del) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ghostname = test_asprintf_fqname(data, test_ctx->domain, "testuser%d", _i); - fail_unless(ghostname != NULL, "Out of memory\n"); -@@ -3462,7 +3462,7 @@ START_TEST (test_sysdb_memberof_check_ghost) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 2); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3499,7 +3499,9 @@ START_TEST (test_sysdb_memberof_check_ghost) - expected = test_asprintf_fqname(data, test_ctx->domain, "testghost%d", j); - fail_if(expected == NULL, "OOM\n"); - fail_unless(strcmp(expected, -- (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data) == 0); -+ (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data) == 0, -+ "Expecting: %s dot: %s", expected, -+ (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data); - talloc_free(expected); - } - -@@ -3521,10 +3523,10 @@ START_TEST (test_sysdb_memberof_convert_to_real_users) - } - - data = test_data_new_user(test_ctx, _i * 2); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, test_ctx->domain, - "testghost%d", _i); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = test_store_user(data); - fail_if(ret != EOK, "Cannot add user %s\n", data->username); -@@ -3550,7 +3552,7 @@ START_TEST (test_sysdb_memberof_check_convert) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->attrlist = talloc_array(data, const char *, 3); - fail_unless(data->attrlist != NULL, "talloc_array failed."); -@@ -3613,7 +3615,7 @@ START_TEST (test_sysdb_memberof_ghost_replace) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testghost%i attribute with testuser%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -3687,7 +3689,7 @@ START_TEST (test_sysdb_memberof_ghost_replace_noop) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - /* The test replaces the testghost%i attribute with testuser%i */ - ghostname_del = test_asprintf_fqname(data, test_ctx->domain, -@@ -3757,7 +3759,7 @@ START_TEST (test_sysdb_memberof_user_cleanup) - } - - data = test_data_new_user(test_ctx, _i * 2); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_remove_user_by_uid(data); - -@@ -3782,7 +3784,7 @@ START_TEST (test_sysdb_set_get_bool) - } - - dn = sysdb_domain_dn(test_ctx, test_ctx->domain); -- fail_unless(dn != NULL); -+ fail_unless(dn != NULL, "Failed to allocate memory"); - - /* attribute is not created yet */ - ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val, -@@ -3794,19 +3796,19 @@ START_TEST (test_sysdb_set_get_bool) - /* add attribute */ - ret = sysdb_set_bool(test_ctx->sysdb, dn, test_ctx->domain->name, - attr_val, true); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sysdb_set_bool failed with error: %d", ret); - - /* successfully obtain attribute */ - ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val, - &value); - fail_unless(ret == EOK, "sysdb_get_bool failed %d:[%s]", - ret, sss_strerror(ret)); -- fail_unless(value == true); -+ fail_unless(value == true, "sysdb_get_bool must return true"); - - /* use non-existing DN */ - ne_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_DOM_BASE, - "non-existing domain"); -- fail_unless(ne_dn != NULL); -+ fail_unless(ne_dn != NULL, "Failed to allocate memory"); - ret = sysdb_get_bool(test_ctx->sysdb, ne_dn, attr_val, - &value); - fail_unless(ret == ENOENT, -@@ -3835,7 +3837,7 @@ START_TEST (test_sysdb_set_get_uint) - } - - dn = sysdb_domain_dn(test_ctx, test_ctx->domain); -- fail_unless(dn != NULL); -+ fail_unless(dn != NULL, "Failed to allocate memory"); - - /* attribute is not created yet */ - ret = sysdb_get_uint(test_ctx->sysdb, dn, attr_val, -@@ -3847,19 +3849,19 @@ START_TEST (test_sysdb_set_get_uint) - /* add attribute */ - ret = sysdb_set_uint(test_ctx->sysdb, dn, test_ctx->domain->name, - attr_val, 0xCAFEBABE); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sysdb_set_uint failed with error: %d", ret); - - /* successfully obtain attribute */ - ret = sysdb_get_uint(test_ctx->sysdb, dn, attr_val, - &value); - fail_unless(ret == EOK, "sysdb_get_uint failed %d:[%s]", - ret, sss_strerror(ret)); -- fail_unless(value == 0xCAFEBABE); -+ ck_assert_int_eq(value, 0xCAFEBABE); - - /* use non-existing DN */ - ne_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_DOM_BASE, - "non-existing domain"); -- fail_unless(ne_dn != NULL); -+ fail_unless(ne_dn != NULL, "Failed to allocate memory"); - ret = sysdb_get_uint(test_ctx->sysdb, ne_dn, attr_val, - &value); - fail_unless(ret == ENOENT, -@@ -4147,22 +4149,24 @@ START_TEST (test_sysdb_update_members) - fail_if(user_fqname == NULL, "user_fqname returned NULL"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 1); /* only the user itself */ -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 1); /* only the user itself */ - - /* Add a user to two groups */ - add_groups = talloc_array(test_ctx, char *, 3); - add_groups[0] = sss_create_internal_fqname(add_groups, "testgroup28001", - test_ctx->domain->name); -- fail_if(add_groups[0] == NULL); -+ fail_if(add_groups[0] == NULL, "Failed to create internal fqname for: %s", -+ test_ctx->domain->name); - add_groups[1] = sss_create_internal_fqname(add_groups, "testgroup28002", - test_ctx->domain->name); -- fail_if(add_groups[1] == NULL); -+ fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s" -+ test_ctx->domain->name); - add_groups[2] = NULL; - - /* For later check */ - group_fqname = talloc_strdup(test_ctx, add_groups[1]); -- fail_if(group_fqname == NULL); -+ fail_if(group_fqname == NULL, "Failed to allocate memory"); - - ret = sysdb_update_members(test_ctx->domain, user_fqname, - SYSDB_MEMBER_USER, -@@ -4170,8 +4174,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Could not add groups"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL); - ck_assert_str_eq(check_fqname, add_groups[0]); -@@ -4196,8 +4200,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Group replace failed"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL); - ck_assert_str_eq(check_fqname, group_fqname); -@@ -4208,8 +4212,8 @@ START_TEST (test_sysdb_update_members) - talloc_zfree(del_groups); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 3); -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 3); - - /* Remove a user from two groups */ - del_groups = talloc_array(test_ctx, char *, 3); -@@ -4224,8 +4228,8 @@ START_TEST (test_sysdb_update_members) - fail_unless(ret == EOK, "Could not remove groups"); - - ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res); -- fail_if(ret != EOK); -- fail_unless(res->count == 1); /* only the user itself */ -+ fail_if(ret != EOK, "sysdb_initgroups failed with error: %d", ret); -+ ck_assert_int_eq(res->count, 1); /* only the user itself */ - - talloc_zfree(test_ctx); - } -@@ -4248,7 +4252,7 @@ START_TEST (test_sysdb_group_dn_name) - } - - data = test_data_new_group(test_ctx, _i); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, data->groupname); - fail_if(group_dn == NULL, "OOM"); -@@ -4277,7 +4281,7 @@ START_TEST (test_sysdb_add_basic_netgroup) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; /* This is kinda abuse of uid, though */ - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - -@@ -4310,7 +4314,7 @@ START_TEST (test_sysdb_search_netgroup_by_name) - fail_if(ret != EOK, "Could not find netgroup with name %s", netgrname); - - netgroup_dn = sysdb_netgroup_dn(test_ctx, test_ctx->domain, netgrname); -- fail_if(netgroup_dn == NULL); -+ fail_if(netgroup_dn == NULL, "Failed to allocate memory"); - fail_if(ldb_dn_compare(msg->dn, netgroup_dn) != 0, "Found wrong netgroup!\n"); - talloc_free(test_ctx); - } -@@ -4330,7 +4334,7 @@ START_TEST (test_sysdb_remove_netgroup_entry) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - - ret = test_remove_netgroup_entry(data); -@@ -4354,7 +4358,7 @@ START_TEST (test_sysdb_remove_netgroup_by_name) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - - ret = test_remove_netgroup_by_name(data); -@@ -4378,7 +4382,7 @@ START_TEST (test_sysdb_set_netgroup_attr) - } - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->uid = _i; /* This is kinda abuse of uid, though */ - data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); - -@@ -4756,10 +4760,10 @@ START_TEST(test_SSS_LDB_SEARCH) - - groupname = test_asprintf_fqname(test_ctx, test_ctx->domain, - "test_group"); -- fail_if(groupname == NULL); -+ fail_if(groupname == NULL, "Failed to allocate memory"); - groupname_neg = test_asprintf_fqname(test_ctx, test_ctx->domain, - "non_existing_test_group"); -- fail_if(groupname_neg == NULL); -+ fail_if(groupname_neg == NULL, "Failed to allocate memory"); - - group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, groupname); - fail_if(group_dn == NULL, "sysdb_group_dn failed"); -@@ -4857,16 +4861,18 @@ void services_check_match(struct sysdb_test_ctx *test_ctx, - strerror(ret)); - } - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - /* Make sure the returned entry matches */ - msg = res->msgs[0]; - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Cannot find attribute: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - ret_port = ldb_msg_find_attr_as_int(msg, SYSDB_SVC_PORT, 0); -- fail_if (ret_port != port); -+ ck_assert_int_eq(ret_port, port); - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); - for (i = 0; i < el->num_values; i++) { -@@ -4917,27 +4923,27 @@ START_TEST(test_sysdb_add_services) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "test_service"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "test_service_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "test_service_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -4992,24 +4998,24 @@ START_TEST(test_sysdb_store_services) - fail_if(ret != EOK, "Could not set up the test"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "test_service_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "test_service_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -5112,24 +5118,24 @@ START_TEST(test_sysdb_svc_remove_alias) - fail_if(ret != EOK, "Could not set up the test"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "remove_alias_alias1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "remove_alias_alias2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - protocols = talloc_array(test_ctx, const char *, 3); -- fail_if(protocols == NULL); -+ fail_if(protocols == NULL, "Failed to allocate memory"); - - protocols[0] = talloc_asprintf(protocols, "tcp"); -- fail_if(protocols[0] == NULL); -+ fail_if(protocols[0] == NULL, "Failed to allocate memory"); - - protocols[1] = talloc_asprintf(protocols, "udp"); -- fail_if(protocols[1] == NULL); -+ fail_if(protocols[1] == NULL, "Failed to allocate memory"); - - protocols[2] = NULL; - -@@ -5154,16 +5160,16 @@ START_TEST(test_sysdb_svc_remove_alias) - - /* Now remove an alias */ - dn = sysdb_svc_dn(test_ctx->sysdb, test_ctx, test_ctx->domain->name, primary_name); -- fail_if (dn == NULL); -+ fail_if (dn == NULL, "Failed to allocate memory"); - - ret = sysdb_svc_remove_alias(test_ctx->sysdb, dn, aliases[1]); - fail_if (ret != EOK, "[%s]", strerror(ret)); - - ret = sysdb_transaction_commit(test_ctx->sysdb); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sysdb_transaction_commit failed with error: %d", ret); - - ret = sysdb_transaction_start(test_ctx->sysdb); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sysdb_transaction_start failed with error: %d", ret); - - /* Set aliases[1] to NULL to perform validation checks */ - aliases[1] = NULL; -@@ -5313,7 +5319,7 @@ START_TEST(test_sysdb_attrs_get_string_array) - fail_unless(ret == EOK, "sysdb_attrs_get_el_ext failed"); - - list = sss_ldb_el_to_string_list(tmp_ctx, el); -- fail_if(list == NULL, ("sss_ldb_el_to_string_list failed\n")); -+ fail_if(list == NULL, "sss_ldb_el_to_string_list failed"); - - ck_assert_str_eq(list[0], "val1"); - ck_assert_str_eq(list[1], "val2"); -@@ -5545,7 +5551,7 @@ START_TEST (test_sysdb_search_return_ENOENT) - talloc_zfree(res); - - data = test_data_new_user(test_ctx, 1234); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-5-4-3-2-1"; - - /* Search user */ -@@ -5610,7 +5616,7 @@ START_TEST (test_sysdb_search_return_ENOENT) - /* Search group */ - talloc_zfree(data); - data = test_data_new_group(test_ctx, 1234); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-5-4-3-2-1"; - - ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, -@@ -5748,15 +5754,15 @@ START_TEST(test_sysdb_original_dn_case_insensitive) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new(test_ctx); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->gid = 2900; - - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "case_sensitive_group1"); -- fail_if(data->groupname == NULL); -+ fail_if(data->groupname == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", -@@ -5766,7 +5772,7 @@ START_TEST(test_sysdb_original_dn_case_insensitive) - data->gid = 2901; - data->groupname = test_asprintf_fqname(data, test_ctx->domain, - "case_sensitive_group2"); -- fail_if(data->groupname == NULL); -+ fail_if(data->groupname == NULL, "Failed to allocate memory"); - c = discard_const(data->orig_dn); - while(*c != '\0') { - *c = toupper(*c); -@@ -5809,10 +5815,10 @@ START_TEST(test_sysdb_search_groups_by_orig_dn) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_group(test_ctx, 456789); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = test_add_incomplete_group(data); - fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", -@@ -5841,10 +5847,10 @@ START_TEST(test_sysdb_search_users_by_orig_dn) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 456789); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->username); -- fail_if(data->orig_dn == NULL); -+ fail_if(data->orig_dn == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_ORIG_DN, data->orig_dn); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", -@@ -5875,7 +5881,7 @@ START_TEST(test_sysdb_search_sid_str) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_group(test_ctx, 2902); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-1-2-3-4"; - - ret = test_add_incomplete_group(data); -@@ -5905,9 +5911,8 @@ START_TEST(test_sysdb_search_sid_str) - talloc_zfree(data); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->sid_str = "S-1-2-3-4-5"; -- fail_if(data->sid_str == NULL); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_SID_STR, data->sid_str); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", -@@ -5947,7 +5952,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test user search */ - data = test_data_new_user(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_user(data); - fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", -@@ -5973,7 +5978,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test group search */ - data = test_data_new_group(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -5999,7 +6004,7 @@ START_TEST(test_sysdb_search_object_by_id) - - /* test for bad search filter bug #3283 */ - data = test_data_new_group(test_ctx, id); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -6034,14 +6039,16 @@ START_TEST(test_sysdb_search_object_by_id) - - data->uid = 4001; - ret = test_remove_user_by_uid(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "test_remove_user_by_uid failed with error: %d", ret); - - data->uid = 4002; - ret = test_remove_user_by_uid(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "test_remove_user_by_uid failed with error: %d", ret); - - ret = test_remove_group(data); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_remove_group failed with error: %d", ret); - - talloc_free(test_ctx); - } -@@ -6060,7 +6067,7 @@ START_TEST(test_sysdb_search_object_by_uuid) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 123456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - uuid = "11111111-2222-3333-4444-555555555555"; - -@@ -6117,7 +6124,7 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test user search */ - data = test_data_new_user(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->username = user_name; - -@@ -6145,7 +6152,7 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test group search */ - data = test_data_new_group(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->groupname = group_name; - -@@ -6173,16 +6180,17 @@ START_TEST(test_sysdb_search_object_by_name) - - /* test case insensitive search */ - data = test_data_new_group(test_ctx, 23456); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->groupname = group_name; - test_ctx->domain->case_sensitive = false; - - data->attrs = sysdb_new_attrs(test_ctx); -- fail_if(data->attrs == NULL); -+ fail_if(data->attrs == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_lc_name_alias(data->attrs, group_name); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "sysdb_attrs_add_lc_name_alias failed with error: %d", ret); - - ret = test_add_group(data); - fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", -@@ -6225,7 +6233,7 @@ START_TEST(test_sysdb_search_user_by_cert) - fail_if(ret != EOK, "Could not set up the test"); - - data = test_data_new_user(test_ctx, 234567); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length); - fail_unless(val.data != NULL, "sss_base64_decode failed."); -@@ -6257,7 +6265,7 @@ START_TEST(test_sysdb_search_user_by_cert) - - /* Add a second user with the same certificate */ - data2 = test_data_new_user(test_ctx, 2345671); -- fail_if(data2 == NULL); -+ fail_if(data2 == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val); - fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", -@@ -6274,9 +6282,9 @@ START_TEST(test_sysdb_search_user_by_cert) - fail_unless(res->count == 2, "Unexpected number of results, " - "expected [%u], get [%u].", 2, res->count); - name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""); -- fail_unless(name != NULL); -+ fail_unless(name != NULL, "Failed to find attribute: " SYSDB_NAME); - name2 = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, ""); -- fail_unless(name2 != NULL); -+ fail_unless(name2 != NULL, "Failed to find attribute: " SYSDB_NAME); - fail_unless(((strcmp(name, data->username) == 0 - && strcmp(name2, data2->username) == 0) - || (strcmp(name, data2->username) == 0 -@@ -6342,11 +6350,11 @@ START_TEST(test_sysdb_subdomain_store_user) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, subdomain, "SubDomUser"); - - alias = test_asprintf_fqname(data, subdomain, "subdomuser"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_store_user failed."); -@@ -6358,10 +6366,10 @@ START_TEST(test_sysdb_subdomain_store_user) - fail_unless(ret == EOK, "sysdb_store_user failed."); - - base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb"); -- fail_unless(base_dn != NULL); -+ fail_unless(base_dn != NULL, "Failed to allocate memory"); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn, - LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username); -@@ -6420,11 +6428,11 @@ START_TEST(test_sysdb_subdomain_content_delete) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->username = test_asprintf_fqname(data, subdomain, "SubDomUser"); - - alias = test_asprintf_fqname(data, subdomain, "subdomuser"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_store_user failed."); -@@ -6436,10 +6444,10 @@ START_TEST(test_sysdb_subdomain_content_delete) - fail_unless(ret == EOK, "sysdb_store_user failed."); - - base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb"); -- fail_unless(base_dn != NULL); -+ fail_unless(base_dn != NULL, "Failed to allocate memory"); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn, - LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username); -@@ -6508,10 +6516,10 @@ START_TEST(test_sysdb_subdomain_user_ops) - ret, strerror(ret)); - - data = test_data_new_user(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - data->username = test_asprintf_fqname(data, subdomain, shortname); -- fail_if(data->username == NULL); -+ fail_if(data->username == NULL, "Failed to allocate memory"); - - ret = sysdb_store_user(subdomain, data->username, - NULL, data->uid, 0, "Sub Domain User", -@@ -6520,7 +6528,7 @@ START_TEST(test_sysdb_subdomain_user_ops) - fail_unless(ret == EOK, "sysdb_store_domuser failed."); - - check_dn = sysdb_user_dn(data, subdomain, data->username); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = sysdb_search_user_by_name(test_ctx, subdomain, - data->username, NULL, -@@ -6531,10 +6539,10 @@ START_TEST(test_sysdb_subdomain_user_ops) - "Unexpected DN returned"); - - name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(name == NULL); -+ fail_if(name == NULL, "Failed to find attribute: " SYSDB_NAME); - - ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_parse_internal_fqname failed with error: %d", ret); - ck_assert_str_eq(short_check, shortname); - ck_assert_str_eq(dom_check, subdomain->name); - -@@ -6581,11 +6589,11 @@ START_TEST(test_sysdb_subdomain_group_ops) - ret, strerror(ret)); - - data = test_data_new_group(test_ctx, 12345); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - data->groupname = test_asprintf_fqname(data, subdomain, shortname); - - alias = test_asprintf_fqname(data, subdomain, "subdomgroup"); -- fail_if(alias == NULL); -+ fail_if(alias == NULL, "Failed to allocate memory"); - - ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); - fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); -@@ -6595,7 +6603,7 @@ START_TEST(test_sysdb_subdomain_group_ops) - fail_unless(ret == EOK, "sysdb_store_group failed."); - - check_dn = sysdb_group_dn(data, subdomain, data->groupname); -- fail_unless(check_dn != NULL); -+ fail_unless(check_dn != NULL, "Failed to allocate memory"); - - ret = sysdb_search_group_by_name(test_ctx, subdomain, data->groupname, NULL, - &msg); -@@ -6615,10 +6623,10 @@ START_TEST(test_sysdb_subdomain_group_ops) - "Unexpected DN returned"); - - name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(name == NULL); -+ fail_if(name == NULL, "Failed to find attribute: " SYSDB_NAME); - - ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_parse_internal_fqname failed with error: %d", ret); - ck_assert_str_eq(short_check, shortname); - ck_assert_str_eq(dom_check, subdomain->name); - -@@ -7190,15 +7198,15 @@ START_TEST(test_gpo_store_retrieve) - - ret = sysdb_gpo_get_gpos(test_ctx, test_ctx->domain, &result); - fail_if(ret != EOK, "GPOs not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs"); -+ ck_assert_int_eq(result->count, 1); - - result = NULL; - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7226,8 +7234,8 @@ START_TEST(test_gpo_replace) - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after store op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7245,8 +7253,8 @@ START_TEST(test_gpo_replace) - ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain, - test_guid, &result); - fail_if(ret != EOK, "GPO not in cache after modify op"); -- fail_if(result == NULL); -- fail_if(result->count != 1); -+ fail_if(result == NULL, "Could not get GPOs by guid: %s", test_guid); -+ ck_assert_int_eq(result->count, 1); - - guid = ldb_msg_find_attr_as_string(result->msgs[0], - SYSDB_GPO_GUID_ATTR, NULL); -@@ -7299,7 +7307,8 @@ START_TEST(test_gpo_result) - ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain, - deny_key, &value); - ck_assert_int_eq(ret, EOK); -- fail_unless(value == NULL); -+ fail_unless(value == NULL, "Unexpected value returned for deny key " -+ "from sysdb_gpo_get_gpo_result_setting"); - - /* Updating replaces the original value */ - ret = sysdb_gpo_store_gpo_result_setting(test_ctx->domain, -@@ -7319,7 +7328,8 @@ START_TEST(test_gpo_result) - ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain, - allow_key, &value); - ck_assert_int_eq(ret, EOK); -- fail_unless(value == NULL); -+ fail_unless(value == NULL, "Unexpected value returned for allow key" -+ "from sysdb_gpo_get_gpo_result_setting" ); - - /* Delete the result */ - ret = sysdb_gpo_delete_gpo_result_object(test_ctx, test_ctx->domain); -@@ -7400,7 +7410,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - - /* Add something to database to test against */ - data = test_data_new_user(test_ctx, 2000); -- fail_if(data == NULL); -+ fail_if(data == NULL, "Failed to allocate memory"); - - ret = sysdb_transaction_start(test_ctx->sysdb); - ck_assert_int_eq(ret, EOK); -@@ -7414,7 +7424,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - filter = talloc_asprintf(data, - "("SYSDB_UIDNUM"=%llu)", - (unsigned long long) data->uid); -- fail_if(filter == NULL); -+ fail_if(filter == NULL, "Failed to allocate memory"); - - ret = sysdb_search_users(test_ctx, test_ctx->domain, - filter, attrs, &count, &msgs); -@@ -7442,7 +7452,7 @@ START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn) - filter = talloc_asprintf(data, - "("SYSDB_UIDNUM"=%llu)", - (unsigned long long) data->uid); -- fail_if(filter == NULL); -+ fail_if(filter == NULL, "Failed to allocate memory"); - - ret = sysdb_search_users(test_ctx, test_ctx->domain, - filter, attrs, &count, &msgs); -@@ -7493,16 +7503,18 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - strerror(ret)); - } - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - /* Make sure the returned entry matches */ - msg = res->msgs[0]; - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Failed to find attribute: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - el = ldb_msg_find_element(msg, SYSDB_IP_HOST_ATTR_ADDRESS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find elemeny: " SYSDB_IP_HOST_ATTR_ADDRESS); - - len = talloc_array_length(addresses); - for (i = 0; i < el->num_values; i++) { -@@ -7511,7 +7523,8 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - char *canonical_address; - ret = sss_canonicalize_ip_address(test_ctx, addresses[j], - &canonical_address); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "sss_canonicalize_ip_address failed: %d", ret); - - if (strcmp(canonical_address, - (const char *)el->values[i].data) == 0) { -@@ -7524,7 +7537,7 @@ void hosts_check_match(struct sysdb_test_ctx *test_ctx, - } - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find element: " SYSDB_NAME_ALIAS); - - len = talloc_array_length(aliases); - for (i = 0; i < el->num_values; i++) { -@@ -7563,36 +7576,36 @@ START_TEST(test_sysdb_add_hosts) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "test.example.org"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "alias1.example.org"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "alias2.example.org"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - addresses = talloc_array(test_ctx, const char *, 6); -- fail_if(addresses == NULL); -+ fail_if(addresses == NULL, "Failed to allocate memory"); - - addresses[0] = talloc_asprintf(addresses, "1.1.2.3"); -- fail_if(addresses[0] == NULL); -+ fail_if(addresses[0] == NULL, "Failed to allocate memory"); - - addresses[1] = talloc_asprintf(addresses, "10.11.22.33"); -- fail_if(addresses[1] == NULL); -+ fail_if(addresses[1] == NULL, "Failed to allocate memory"); - - addresses[2] = talloc_asprintf(addresses, "100.123.123.123"); -- fail_if(addresses[2] == NULL); -+ fail_if(addresses[2] == NULL, "Failed to allocate memory"); - - addresses[3] = talloc_asprintf(addresses, "2001:0db8:85a3:0000:0000:8a2e:0370:7334"); -- fail_if(addresses[3] == NULL); -+ fail_if(addresses[3] == NULL, "Failed to allocate memory"); - - addresses[4] = talloc_asprintf(addresses, "2001:db8:85a3:0:1:8a2e:370:7334"); -- fail_if(addresses[4] == NULL); -+ fail_if(addresses[4] == NULL, "Failed to allocate memory"); - - addresses[5] = NULL; - -@@ -7651,19 +7664,24 @@ void ipnetwork_check_match(struct sysdb_test_ctx *test_ctx, - bool matched; - - ret = sss_canonicalize_ip_address(test_ctx, address, &c_addr); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "sss_canonicalize_ip_address failed: %d", ret); - - ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- fail_if(ret_name == NULL); -- fail_unless(strcmp(ret_name, primary_name) == 0); -+ fail_if(ret_name == NULL, "Failed to find attribue: " SYSDB_NAME); -+ fail_unless(strcmp(ret_name, primary_name) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_NAME, ret_name, primary_name); - - ret_addr = ldb_msg_find_attr_as_string(msg, SYSDB_IP_NETWORK_ATTR_NUMBER, - NULL); -- fail_if(ret_addr == NULL); -- fail_unless(strcmp(ret_addr, c_addr) == 0); -+ fail_if(ret_addr == NULL, -+ "Failed to find attribue: " SYSDB_IP_NETWORK_ATTR_NUMBER); -+ fail_unless(strcmp(ret_addr, c_addr) == 0, -+ "Wrong value returned for attribute: %s. got: %s expected: %s", -+ SYSDB_IP_NETWORK_ATTR_NUMBER, ret_addr, c_addr); - - el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); -- fail_if(el == NULL); -+ fail_if(el == NULL, "Failed to find element: " SYSDB_NAME_ALIAS); - - len = talloc_array_length(aliases); - for (i = 0; i < el->num_values; i++) { -@@ -7692,7 +7710,7 @@ void ipnetwork_check_match_name(struct sysdb_test_ctx *test_ctx, - fail_if(ret != EOK, "sysdb_getipnetworkbyname error [%s]\n", - strerror(ret)); - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - ipnetwork_check_match(test_ctx, res->msgs[0], primary_name, aliases, - address); -@@ -7712,7 +7730,7 @@ void ipnetwork_check_match_addr(struct sysdb_test_ctx *test_ctx, - fail_if(ret != EOK, "sysdb_getipnetworkbyaddr error [%s]\n", - strerror(ret)); - fail_if(res == NULL, "ENOMEM"); -- fail_if(res->count != 1); -+ ck_assert_int_eq(res->count, 1); - - ipnetwork_check_match(test_ctx, res->msgs[0], primary_name, aliases, - address); -@@ -7732,21 +7750,21 @@ START_TEST(test_sysdb_add_ipnetworks) - fail_if(ret != EOK, "Could not set up the test"); - - primary_name = talloc_asprintf(test_ctx, "network_1"); -- fail_if(primary_name == NULL); -+ fail_if(primary_name == NULL, "Failed to allocate memory"); - - aliases = talloc_array(test_ctx, const char *, 3); -- fail_if(aliases == NULL); -+ fail_if(aliases == NULL, "Failed to allocate memory"); - - aliases[0] = talloc_asprintf(aliases, "network_1_alias_1"); -- fail_if(aliases[0] == NULL); -+ fail_if(aliases[0] == NULL, "Failed to allocate memory"); - - aliases[1] = talloc_asprintf(aliases, "network_1_alias_2"); -- fail_if(aliases[1] == NULL); -+ fail_if(aliases[1] == NULL, "Failed to allocate memory"); - - aliases[2] = NULL; - - address = talloc_asprintf(test_ctx, "192.168.1.0"); -- fail_if(address == NULL); -+ fail_if(address == NULL, "Failed to allocate memory"); - - ret = sysdb_transaction_start(test_ctx->sysdb); - fail_if(ret != EOK, "[%s]", strerror(ret)); --- -2.28.0.rc2 - - -From 41e169ed5103ccb9d83842e69a8cbb21a96f587c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:03 +0000 -Subject: [PATCH 03/19] SYSDB-TESTS: Fix format string - ---- - src/tests/sysdb-tests.c | 42 ++++++++++++++++++++--------------------- - 1 file changed, 21 insertions(+), 21 deletions(-) - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index b7e0e2389..4df921c8d 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -1031,8 +1031,8 @@ START_TEST (test_sysdb_incomplete_group_rename) - "S-1-5-21-123-456-789-111", - NULL, true, 0); - fail_unless(ret == ERR_GID_DUPLICATED, -- "Did not catch a legitimate rename", -- ret, strerror(ret)); -+ "Did not catch a legitimate rename. ret: %d [%s]", -+ ret, sss_strerror(ret)); - } - END_TEST - -@@ -1926,7 +1926,7 @@ START_TEST (test_sysdb_search_custom_by_name) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 1, -- "Wrong number of objects, expected [1] got [%d]", -+ "Wrong number of objects, expected [1] got [%zd]", - data->msgs_count); - fail_unless(data->msgs[0]->num_elements == 1, - "Wrong number of results, expected [1] got [%d]", -@@ -2028,7 +2028,7 @@ START_TEST (test_sysdb_search_custom_update) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 1, -- "Wrong number of objects, expected [1] got [%d]", -+ "Wrong number of objects, expected [1] got [%zd]", - data->msgs_count); - fail_unless(data->msgs[0]->num_elements == 2, - "Wrong number of results, expected [2] got [%d]", -@@ -2091,7 +2091,7 @@ START_TEST (test_sysdb_search_custom) - fail_if(ret != EOK, "Could not search custom object"); - - fail_unless(data->msgs_count == 10, -- "Wrong number of objects, expected [10] got [%d]", -+ "Wrong number of objects, expected [10] got [%zd]", - data->msgs_count); - - talloc_free(test_ctx); -@@ -2229,10 +2229,10 @@ static void cached_authentication_without_expiration(uid_t uid, - "return expected result [%d].", - expected_result); - -- fail_unless(expire_date == 0, "Wrong expire date, expected [%d], got [%d]", -+ fail_unless(expire_date == 0, "Wrong expire date, expected [%d], got [%ld]", - 0, expire_date); - -- fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", -+ fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%ld]", - -1, delayed_until); - - talloc_free(test_ctx); -@@ -2292,10 +2292,10 @@ static void cached_authentication_with_expiration(uid_t uid, - "result [%d], got [%d].", expected_result, ret); - - fail_unless(expire_date == expected_expire_date, -- "Wrong expire date, expected [%d], got [%d]", -+ "Wrong expire date, expected [%ld], got [%ld]", - expected_expire_date, expire_date); - -- fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", -+ fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%ld]", - -1, delayed_until); - - talloc_free(test_ctx); -@@ -2386,7 +2386,7 @@ START_TEST (test_sysdb_asq_search) - fail_if(ret != EOK, "Failed to send ASQ search request.\n"); - - fail_unless(msgs_count == 10, "wrong number of results, " -- "found [%d] expected [10]", msgs_count); -+ "found [%zd] expected [10]", msgs_count); - - for (i = 0; i < msgs_count; i++) { - fail_unless(msgs[i]->num_elements == 1, "wrong number of elements, " -@@ -2403,7 +2403,7 @@ START_TEST (test_sysdb_asq_search) - (const char *) msgs[i]->elements[0].values[0].data, - msgs[i]->elements[0].values[0].length) == 0, - "wrong value, found [%.*s] expected [%s]", -- msgs[i]->elements[0].values[0].length, -+ (int) msgs[i]->elements[0].values[0].length, - msgs[i]->elements[0].values[0].data, gid_str); - } - -@@ -2440,7 +2440,7 @@ START_TEST (test_sysdb_search_all_users) - fail_if(ret != EOK, "Search failed"); - - fail_unless(data->msgs_count == 10, -- "wrong number of results, found [%d] expected [10]", -+ "wrong number of results, found [%zd] expected [10]", - data->msgs_count); - - for (i = 0; i < data->msgs_count; i++) { -@@ -2465,7 +2465,7 @@ START_TEST (test_sysdb_search_all_users) - (char *) data->msgs[i]->elements[0].values[0].data, - data->msgs[i]->elements[0].values[0].length) == 0, - "wrong value, found [%.*s] expected [%s]", -- data->msgs[i]->elements[0].values[0].length, -+ (int) data->msgs[i]->elements[0].values[0].length, - data->msgs[i]->elements[0].values[0].data, uid_str); - } - -@@ -2532,8 +2532,8 @@ START_TEST (test_sysdb_attrs_replace_name) - "expected [1] got [%d].", el->num_values); - fail_unless(strncmp("bar", (char *) el->values[0].data, - el->values[0].length) == 0, -- "Wrong value, expected [bar] got [%.*s]", el->values[0].length, -- el->values[0].data); -+ "Wrong value, expected [bar] got [%.*s]", -+ (int) el->values[0].length, el->values[0].data); - - talloc_free(attrs); - } -@@ -4160,8 +4160,8 @@ START_TEST (test_sysdb_update_members) - test_ctx->domain->name); - add_groups[1] = sss_create_internal_fqname(add_groups, "testgroup28002", - test_ctx->domain->name); -- fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s" -- test_ctx->domain->name); -+ fail_if(add_groups[1] == NULL, "Failed to create internal fqname for: %s", -+ test_ctx->domain->name); - add_groups[2] = NULL; - - /* For later check */ -@@ -4546,7 +4546,7 @@ START_TEST (test_sysdb_netgr_to_entries) - ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); - fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", - ret, strerror(ret)); -- fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ fail_unless(netgroup_count == 1, "Received [%zd] triples", netgroup_count); - bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); - fail_unless(bret == true, "Netgroup triples do not match"); - -@@ -4561,7 +4561,7 @@ START_TEST (test_sysdb_netgr_to_entries) - ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); - fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", - ret, strerror(ret)); -- fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ fail_unless(netgroup_count == 1, "Received [%zd] triples", netgroup_count); - bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); - fail_unless(bret == true, "Netgroup triples do not match"); - } -@@ -6779,7 +6779,7 @@ START_TEST(test_autofs_retrieve_keys_by_map) - autofsmapname, &count, &entries); - fail_if(ret != EOK, "Cannot get autofs entries for map %s\n", - autofsmapname); -- fail_if(count != expected, "Expected to find %d entries, got %d\n", -+ fail_if(count != expected, "Expected to find %d entries, got %zd\n", - expected, count); - talloc_free(test_ctx); - } -@@ -6844,7 +6844,7 @@ START_TEST(test_autofs_get_duplicate_keys) - ret = sysdb_search_entry(test_ctx, test_ctx->sysdb, dn, LDB_SCOPE_SUBTREE, - filter, attrs, &count, &msgs); - fail_unless(ret == EOK, "sysdb_search_entry returned [%d]", ret); -- fail_if(count != expected, "Found %d entries with name %s, expected %d\n", -+ fail_if(count != expected, "Found %zd entries with name %s, expected %d\n", - count, autofskey, expected); - talloc_free(test_ctx); - } --- -2.28.0.rc2 - - -From ef5ab80c1868ecd45ecf77602c915e5f08030400 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:04 +0000 -Subject: [PATCH 04/19] STRTONUM-TESTS: Fix format string issues - ---- - src/tests/strtonum-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/strtonum-tests.c b/src/tests/strtonum-tests.c -index eb7f1b58d..b726d2b20 100644 ---- a/src/tests/strtonum-tests.c -+++ b/src/tests/strtonum-tests.c -@@ -38,8 +38,8 @@ - - #define CHECK_RESULT(expected, actual) \ - do { \ -- fail_unless(actual == expected, "Expected %ld, got %ld", \ -- expected, actual); \ -+ fail_unless(actual == expected, "Expected %jd, got %jd", \ -+ (intmax_t)expected, (intmax_t)actual); \ - } while(0) - - #define CHECK_ERRNO(expected, actual) \ --- -2.28.0.rc2 - - -From f1a5f93923595d8a3c30f62cfdefc71e96be4a4a Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:05 +0000 -Subject: [PATCH 05/19] =?UTF-8?q?RESOLV-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/resolv-tests.c | 128 +++++++++++++++++++++++---------------- - 1 file changed, 75 insertions(+), 53 deletions(-) - -diff --git a/src/tests/resolv-tests.c b/src/tests/resolv-tests.c -index bc4cd7cc1..59bda4373 100644 ---- a/src/tests/resolv-tests.c -+++ b/src/tests/resolv-tests.c -@@ -172,38 +172,58 @@ START_TEST(test_copy_hostent) - struct ares_addrttl attl[] = { { addr_1, ttl_1 }, { addr_2, ttl_2 } }; - - ctx = talloc_new(global_talloc_context); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - - ck_leaks_push(ctx); - - rhe = resolv_copy_hostent_ares(ctx, &he, AF_INET, &attl, 2); - -- fail_if(rhe == NULL); -- fail_if(strcmp(rhe->name, name)); -- fail_if(strcmp(rhe->aliases[0], alias_1)); -- fail_if(strcmp(rhe->aliases[1], alias_2)); -- fail_if(rhe->aliases[2] != NULL); -- fail_if(rhe->family != AF_INET); -- fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_1, sizeof(addr_1))); -- fail_if(rhe->addr_list[0]->ttl != ttl_1); -- fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_2, sizeof(addr_2))); -- fail_if(rhe->addr_list[1]->ttl != ttl_2); -- fail_if(rhe->addr_list[2] != NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); -+ fail_if(strcmp(rhe->name, name), -+ "Unexpectag value for name. Got: %s expecting: %s", -+ rhe->name, name); -+ fail_if(strcmp(rhe->aliases[0], alias_1), -+ "Unexpectag value for 1st alias. Got: %s expecting: %s", -+ rhe->aliases[0], alias_1); -+ fail_if(strcmp(rhe->aliases[1], alias_2), -+ "Unexpectag value for 2nd alias. Got: %s expecting: %s", -+ rhe->aliases[1], alias_2); -+ fail_if(rhe->aliases[2] != NULL, -+ "Just 2 aliases are expected. Got: %s", rhe->aliases[2]); -+ ck_assert_int_eq(rhe->family, AF_INET); -+ fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_1, sizeof(addr_1)), -+ "Unexpected binary value for addr_list[0]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[0]->ttl, ttl_1); -+ fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_2, sizeof(addr_2)), -+ "Unexpected binary value for rhe->addr_list[1]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[1]->ttl, ttl_2); -+ fail_if(rhe->addr_list[2] != NULL, -+ "Just 2 ip addresses are expected. 3rd has to be NULL"); - - talloc_zfree(rhe); - - rhe = resolv_copy_hostent(ctx, &he); -- fail_if(rhe == NULL); -- fail_if(strcmp(rhe->name, name)); -- fail_if(strcmp(rhe->aliases[0], alias_1)); -- fail_if(strcmp(rhe->aliases[1], alias_2)); -- fail_if(rhe->aliases[2] != NULL); -- fail_if(rhe->family != AF_INET); -- fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_2, sizeof(addr_1))); -- fail_if(rhe->addr_list[0]->ttl != RESOLV_DEFAULT_TTL); -- fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_1, sizeof(addr_2))); -- fail_if(rhe->addr_list[1]->ttl != RESOLV_DEFAULT_TTL); -- fail_if(rhe->addr_list[2] != NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); -+ fail_if(strcmp(rhe->name, name), -+ "Unexpectag value for name. Got: %s expecting: %s", -+ rhe->name, name); -+ fail_if(strcmp(rhe->aliases[0], alias_1), -+ "Unexpectag value for 1st alias. Got: %s expecting: %s", -+ rhe->aliases[0], alias_1); -+ fail_if(strcmp(rhe->aliases[1], alias_2), -+ "Unexpectag value for 2nd alias. Got: %s expecting: %s", -+ rhe->aliases[1], alias_2); -+ fail_if(rhe->aliases[2] != NULL, -+ "Just 2 aliases are expected. Got: %s", rhe->aliases[2]); -+ ck_assert_int_eq(rhe->family, AF_INET); -+ fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_2, sizeof(addr_1)), -+ "Unexpected binary value for addr_list[0]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[0]->ttl, RESOLV_DEFAULT_TTL); -+ fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_1, sizeof(addr_2)), -+ "Unexpected binary value for addr_list[1]->ipaddr"); -+ ck_assert_int_eq(rhe->addr_list[1]->ttl, RESOLV_DEFAULT_TTL); -+ fail_if(rhe->addr_list[2] != NULL, -+ "Just 2 ip addresses are expected. 3rd has to be NULL"); - - talloc_free(rhe); - -@@ -219,36 +239,36 @@ START_TEST(test_address_to_string) - char *ptr_addr; - - ctx = talloc_new(global_talloc_context); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - ck_leaks_push(ctx); - - rhe = test_create_rhostent(ctx, "www.example.com", "1.2.3.4"); -- fail_if(rhe == NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); - - str_addr = resolv_get_string_address_index(ctx, rhe, 0); -- fail_if(str_addr == NULL); -+ fail_if(str_addr == NULL, "Failed to allocate memory"); - fail_unless(strcmp(str_addr, "1.2.3.4") == 0, "Unexpected address\n"); - talloc_free(str_addr); - - ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, - rhe->addr_list[0]->ipaddr); -- fail_if(ptr_addr == NULL); -+ fail_if(ptr_addr == NULL, "Failed to allocate memory"); - fail_unless(strcmp(ptr_addr, "4.3.2.1.in-addr.arpa.") == 0, "Unexpected PTR address\n"); - talloc_free(ptr_addr); - - talloc_free(rhe); - - rhe = test_create_rhostent(ctx, "www6.example.com", "2607:f8b0:400c:c03::6a"); -- fail_if(rhe == NULL); -+ fail_if(rhe == NULL, "Failed to allocate memory"); - - str_addr = resolv_get_string_address_index(ctx, rhe, 0); -- fail_if(str_addr == NULL); -+ fail_if(str_addr == NULL, "resolv_get_string_address_index failed"); - fail_unless(strcmp(str_addr, "2607:f8b0:400c:c03::6a") == 0, "Unexpected address\n"); - talloc_free(str_addr); - - ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, - rhe->addr_list[0]->ipaddr); -- fail_if(ptr_addr == NULL); -+ fail_if(ptr_addr == NULL, "resolv_get_string_ptr_address failed"); - fail_unless(strcmp(ptr_addr, - "a.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.c.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa.") == 0, "Unexpected PTR address\n"); - talloc_free(ptr_addr); -@@ -322,7 +342,7 @@ START_TEST(test_resolv_ip_addr) - } - - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - talloc_zfree(test_ctx); - } -@@ -392,7 +412,7 @@ START_TEST(test_resolv_localhost) - } - - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - talloc_zfree(test_ctx); - } -@@ -451,8 +471,8 @@ START_TEST(test_resolv_negative) - - ck_leaks_pop(test_ctx); - -- fail_unless(ret != EOK); -- fail_unless(test_ctx->error == ARES_ENOTFOUND); -+ fail_unless(ret != EOK, "test_loop must failed but got: EOK"); -+ ck_assert_int_eq(test_ctx->error, ARES_ENOTFOUND); - talloc_zfree(test_ctx); - } - END_TEST -@@ -556,7 +576,7 @@ START_TEST(test_resolv_internet) - ret = test_loop(test_ctx); - } - -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - ck_leaks_pop(test_ctx); - talloc_zfree(test_ctx); - } -@@ -579,7 +599,7 @@ START_TEST(test_resolv_internet_txt) - - tevent_req_set_callback(req, test_internet, test_ctx); - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - ck_leaks_pop(test_ctx); - -@@ -604,7 +624,7 @@ START_TEST(test_resolv_internet_srv) - - tevent_req_set_callback(req, test_internet, test_ctx); - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - ck_leaks_pop(test_ctx); - -@@ -676,7 +696,7 @@ START_TEST(test_resolv_free_context) - } - - ret = test_loop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - done: - talloc_zfree(test_ctx); -@@ -713,7 +733,7 @@ START_TEST(test_resolv_sort_srv_reply) - /* prepare linked list with reversed values */ - for (i = 0; ipriority = num_replies-i; - r->weight = i; - -@@ -728,19 +748,19 @@ START_TEST(test_resolv_sort_srv_reply) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* check if the list is sorted */ - prev = NULL; - for (i = 1, r = replies; r; r=r->next, i++) { - talloc_zfree(prev); - prev = r; -- fail_unless(r->priority == i); -+ ck_assert_int_eq(r->priority, i); - } - talloc_zfree(prev); - - /* check if the list is complete */ -- fail_unless(i-1 == num_replies); -+ ck_assert_int_eq(i - 1, num_replies); - - /* test if the weighting algorithm runs..not much do - * deterministically test here since it is based on -@@ -748,7 +768,7 @@ START_TEST(test_resolv_sort_srv_reply) - replies = NULL; - for (i = 0; ipriority = i % 2 + 1; - r->weight = i; - -@@ -763,7 +783,7 @@ START_TEST(test_resolv_sort_srv_reply) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* clean up */ - prev = NULL; -@@ -800,7 +820,7 @@ START_TEST(test_resolv_sort_srv_reply_zero_weight) - /* prepare linked list */ - for (i = 0; i < num_replies; i++) { - r = talloc_zero(test_ctx, struct ares_srv_reply); -- fail_if(r == NULL); -+ fail_if(r == NULL, "Failed to allocate memory"); - - r->priority = 20; - r->priority = i <= 3 ? 10 : r->priority; -@@ -818,15 +838,17 @@ START_TEST(test_resolv_sort_srv_reply_zero_weight) - - /* do the sort */ - ret = resolv_sort_srv_reply(&replies); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, "resolv_sort_srv_reply failed with error: %d", ret); - - /* check if the list contains all values and is sorted */ - for (i = 0, r = replies; r != NULL; r = r->next, i++) { - if (r->next != NULL) { -- fail_unless(r->priority <= r->next->priority); -+ fail_unless(r->priority <= r->next->priority, -+ "Got unsorted values. %d <= %d", -+ r->priority, r->next->priority); - } - } -- fail_unless(i == num_replies); -+ ck_assert_int_eq(i, num_replies); - - /* clean up */ - prev = NULL; -@@ -889,7 +911,7 @@ START_TEST(test_resolv_free_req) - - ret = test_loop(test_ctx); - ck_leaks_pop(test_ctx); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - - done: - talloc_zfree(test_ctx); -@@ -911,12 +933,12 @@ static void test_timeout(struct tevent_req *req) - tmp_ctx = talloc_new(test_ctx); - ck_leaks_push(tmp_ctx); - -- fail_unless(test_ctx->tested_function == TESTING_HOSTNAME); -+ ck_assert_int_eq(test_ctx->tested_function, TESTING_HOSTNAME); - recv_status = resolv_gethostbyname_recv(req, tmp_ctx, - &status, NULL, &rhostent); - talloc_zfree(req); -- fail_unless(recv_status == ETIMEDOUT); -- fail_unless(status == ARES_ETIMEOUT); -+ ck_assert_int_eq(recv_status, ETIMEDOUT); -+ ck_assert_int_eq(status, ARES_ETIMEOUT); - ck_leaks_pop(tmp_ctx); - talloc_free(tmp_ctx); - } -@@ -949,7 +971,7 @@ START_TEST(test_resolv_timeout) - ret = test_loop(test_ctx); - } - -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "test_loop failed with error: %d", ret); - talloc_zfree(test_ctx); - } - END_TEST --- -2.28.0.rc2 - - -From 372f34b46ef402f58c593c4bf01a6c5bd270b83f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:06 +0000 -Subject: [PATCH 06/19] =?UTF-8?q?KRB5-UTILS-TESTS:=20Fix=20error=20too=20f?= - =?UTF-8?q?ew=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffail?= - =?UTF-8?q?ed=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/krb5_utils-tests.c | 97 +++++++++++++++++++++++++----------- - 1 file changed, 67 insertions(+), 30 deletions(-) - -diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c -index bff42f848..b4b7ae819 100644 ---- a/src/tests/krb5_utils-tests.c -+++ b/src/tests/krb5_utils-tests.c -@@ -298,7 +298,7 @@ void setup_talloc_context(void) - fail_unless(pd != NULL, "Cannot create krb5_ctx structure."); - - pd->user = sss_create_internal_fqname(pd, USERNAME, DOMAIN_NAME); -- fail_unless(pd->user != NULL); -+ fail_unless(pd->user != NULL, "Failed to allocate memory"); - kr->uid = atoi(UID); - kr->upn = discard_const(PRINCIPAL_NAME); - pd->cli_pid = atoi(PID); -@@ -372,7 +372,7 @@ START_TEST(test_case_sensitive) - const char *expected_ci = BASE"_testuser"; - - kr->pd->user = sss_create_internal_fqname(kr, USERNAME_CASE, DOMAIN_NAME); -- fail_unless(kr->pd->user != NULL); -+ fail_unless(kr->pd->user != NULL, "Failed to allocate memory"); - ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR); - fail_unless(ret == EOK, "Failed to set Ccache dir"); - -@@ -586,7 +586,8 @@ compare_map_id_name_to_krb_primary(struct map_id_name_to_krb_primary *a, - errno_t ret; - - while (a[i].id_name != NULL && a[i].krb_primary != NULL) { -- fail_unless(i < len); -+ fail_unless(i < len, -+ "Index: %d mus =t be lowwer than: %zd", i, len); - ret = sss_utf8_case_eq((const uint8_t*)a[i].id_name, - (const uint8_t*)str[i*2]); - fail_unless(ret == EOK, -@@ -613,30 +614,52 @@ START_TEST(test_parse_krb5_map_user) - { - check_leaks_push(mem_ctx); - ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -- fail_unless(name_to_primary[0].id_name == NULL && -- name_to_primary[0].krb_primary == NULL); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); -+ fail_unless(name_to_primary[0].id_name == NULL, -+ "id_name must be NULL. Got: %s", -+ name_to_primary[0].id_name); -+ fail_unless(name_to_primary[0].krb_primary == NULL, -+ "krb_primary must be NULL. Got: %s", -+ name_to_primary[0].krb_primary); -+ - talloc_free(name_to_primary); - -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - /* valid input */ - { -@@ -647,46 +670,56 @@ START_TEST(test_parse_krb5_map_user) - "joe@testdomain", "juser@testdomain", - "jdoe@testdomain", "ßlack@testdomain" }; - ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); - compare_map_id_name_to_krb_primary(name_to_primary, expected, - sizeof(expected)/sizeof(const char*)/2); - talloc_free(name_to_primary); - - ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, -+ "parse_krb5_map_user failed with error: %d", ret); - compare_map_id_name_to_krb_primary(name_to_primary, expected, - sizeof(expected)/sizeof(const char*)/2); - talloc_free(name_to_primary); -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - /* invalid input */ - { - check_leaks_push(mem_ctx); - - ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - - ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME, - &name_to_primary); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "parse_krb5_map_user must fail with EINVAL got: %d", ret); - -- fail_unless(check_leaks_pop(mem_ctx)); -+ fail_unless(check_leaks_pop(mem_ctx), -+ "check_leaks_pop failed"); - } - - talloc_free(mem_ctx); -@@ -695,14 +728,18 @@ END_TEST - - START_TEST(test_sss_krb5_realm_has_proxy) - { -- fail_unless(sss_krb5_realm_has_proxy(NULL) == false); -+ fail_unless(sss_krb5_realm_has_proxy(NULL) == false, -+ "sss_krb5_realm_has_proxy did not return false"); - - setenv("KRB5_CONFIG", "/dev/null", 1); -- fail_unless(sss_krb5_realm_has_proxy("REALM") == false); -+ fail_unless(sss_krb5_realm_has_proxy("REALM") == false, -+ "sss_krb5_realm_has_proxy did not return false"); - - setenv("KRB5_CONFIG", ABS_SRC_DIR"/src/tests/krb5_proxy_check_test_data.conf", 1); -- fail_unless(sss_krb5_realm_has_proxy("REALM") == false); -- fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true); -+ fail_unless(sss_krb5_realm_has_proxy("REALM") == false, -+ "sss_krb5_realm_has_proxy did not return false"); -+ fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true, -+ "sss_krb5_realm_has_proxy did not return true"); - } - END_TEST - --- -2.28.0.rc2 - - -From fabbf90c7de4e837b9b50a64569086171bad4479 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:07 +0000 -Subject: [PATCH 07/19] KRB5-UTILS-TESTS: Fix format string issues - ---- - src/tests/krb5_utils-tests.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c -index b4b7ae819..540fc8012 100644 ---- a/src/tests/krb5_utils-tests.c -+++ b/src/tests/krb5_utils-tests.c -@@ -487,8 +487,9 @@ START_TEST(test_NULL) - - result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); - -- fail_unless(result == NULL, "Expected NULL as a result for an empty input.", -- test_template); -+ fail_unless(result == NULL, -+ "Expected NULL as a result for an empty input for " -+ "NULL template"); - } - END_TEST - -@@ -599,7 +600,7 @@ compare_map_id_name_to_krb_primary(struct map_id_name_to_krb_primary *a, - a[i].krb_primary, str[i*2+1]); - i++; - } -- fail_unless(len == i, "%u != %u", len, i); -+ fail_unless(len == i, "%zu != %u", len, i); - } - - START_TEST(test_parse_krb5_map_user) --- -2.28.0.rc2 - - -From 7ad0af60d905167fe731c02825fc98e1dfa8497b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:08 +0000 -Subject: [PATCH 08/19] CHECK-AND-OPEN-TESTS: Fix format string issues - ---- - src/tests/check_and_open-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c -index 525e28aed..ddc4acd50 100644 ---- a/src/tests/check_and_open-tests.c -+++ b/src/tests/check_and_open-tests.c -@@ -99,7 +99,7 @@ START_TEST(test_symlink) - - ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); - fail_unless(ret == newpath_length - 1, -- "snprintf failed: expected [%d] got [%d]", newpath_length -1, -+ "snprintf failed: expected [%zd] got [%d]", newpath_length - 1, - ret); - - ret = symlink(filename, newpath); -@@ -126,7 +126,7 @@ START_TEST(test_follow_symlink) - - ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); - fail_unless(ret == newpath_length - 1, -- "snprintf failed: expected [%d] got [%d]", newpath_length -1, -+ "snprintf failed: expected [%zd] got [%d]", newpath_length - 1, - ret); - - ret = symlink(filename, newpath); --- -2.28.0.rc2 - - -From 96dac929c1ff48729f60eb8aab8809dc925c1552 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:09 +0000 -Subject: [PATCH 09/19] =?UTF-8?q?REFCOUNT-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/refcount-tests.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/tests/refcount-tests.c b/src/tests/refcount-tests.c -index 232302f38..4907ab5fb 100644 ---- a/src/tests/refcount-tests.c -+++ b/src/tests/refcount-tests.c -@@ -90,29 +90,29 @@ START_TEST(test_refcount_basic) - - /* First allocate our global storage place. */ - global = talloc(NULL, struct container); -- fail_if(global == NULL); -+ fail_if(global == NULL, "Failed to allocate memory"); - - /* Allocate foo. */ - global->foo = rc_alloc(global, struct foo); -- fail_if(global->foo == NULL); -+ fail_if(global->foo == NULL, "Failed to allocate memory"); - SET_FILLER(global->foo); - REF_ASSERT(global->foo, 1); - - /* Allocate bar. */ - global->bar = rc_alloc(global, struct bar); -- fail_if(global->bar == NULL); -+ fail_if(global->bar == NULL, "Failed to allocate memory"); - SET_FILLER(global->bar); - REF_ASSERT(global->bar, 1); - - /* Allocate baz. */ - global->baz = rc_alloc(global, struct baz); -- fail_if(global->baz == NULL); -+ fail_if(global->baz == NULL, "Failed to allocate memory"); - SET_FILLER(global->baz); - REF_ASSERT(global->baz, 1); - - /* Try multiple attaches. */ - containers = talloc_array(NULL, struct container, 100); -- fail_if(containers == NULL); -+ fail_if(containers == NULL, "Failed to allocate memory"); - for (i = 0; i < 100; i++) { - containers[i].foo = rc_reference(containers, struct foo, global->foo); - containers[i].bar = rc_reference(containers, struct bar, global->bar); -@@ -153,15 +153,17 @@ START_TEST(test_refcount_swap) - - /* Allocate. */ - container1->foo = rc_alloc(container1, struct foo); -- fail_if(container1->foo == NULL); -+ fail_if(container1->foo == NULL, "Failed to allocate memory"); - SET_FILLER(container1->foo); - - /* Reference. */ - container2->foo = rc_reference(container2, struct foo, container1->foo); -- fail_if(container2->foo == NULL); -+ fail_if(container2->foo == NULL, "Failed to allocate memory"); - - /* Make sure everything is as it should be. */ -- fail_unless(container1->foo == container2->foo); -+ fail_unless(container1->foo == container2->foo, -+ "Values have to be equal. %p == %p", -+ container1->foo, container2->foo); - REF_ASSERT(container1->foo, 2); - - /* Free in reverse order. */ --- -2.28.0.rc2 - - -From 686d7c8f0432aeb7b36a807adaccf2173cfdf5cc Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:10 +0000 -Subject: [PATCH 10/19] =?UTF-8?q?FAIL-OVER-TESTS:=20Fix=20error=20too=20fe?= - =?UTF-8?q?w=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffaile?= - =?UTF-8?q?d=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/fail_over-tests.c | 63 ++++++++++++++++++++++++------------- - 1 file changed, 42 insertions(+), 21 deletions(-) - -diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c -index b2269ef3b..4afbc7933 100644 ---- a/src/tests/fail_over-tests.c -+++ b/src/tests/fail_over-tests.c -@@ -116,24 +116,30 @@ START_TEST(test_fo_new_service) - - ck_leaks_push(ctx); - ret = fo_new_service(ctx->fo_ctx, buf, NULL, &services[i]); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "fo_new_service failed with error: %d", ret); - } - - ret = fo_new_service(ctx->fo_ctx, "service_3", NULL, &service); -- fail_if(ret != EEXIST); -+ fail_if(ret != EEXIST, -+ "fo_new_service must return EEXIST. Got: %d", ret); - - for (i = 9; i >= 0; i--) { - char buf[16]; - sprintf(buf, "service_%d", i); - - ret = fo_get_service(ctx->fo_ctx, buf, &service); -- fail_if(ret != EOK); -- fail_if(service != services[i]); -+ fail_if(ret != EOK, -+ "fo_get_service failed with error: %d", ret); -+ fail_if(service != services[i], -+ "Unexpected service returned. %p != %p", -+ service, services[i]); - talloc_free(service); - ck_leaks_pop(ctx); - - ret = fo_get_service(ctx->fo_ctx, buf, &service); -- fail_if(ret != ENOENT); -+ fail_if(ret != ENOENT, -+ "fo_get_service must return ENOENT. Got: %d", ret); - } - - ck_leaks_pop(ctx); -@@ -162,7 +168,8 @@ test_resolve_service_callback(struct tevent_req *req) - task->location, task->recv, recv_status); - if (recv_status != EOK) - return; -- fail_if(server == NULL); -+ fail_if(server == NULL, -+ "fo_resolve_service_recv must not return NULL for server"); - port = fo_get_server_port(server); - fail_if(port != task->port, "%s: Expected port %d, got %d", task->location, - task->port, port); -@@ -179,7 +186,8 @@ test_resolve_service_callback(struct tevent_req *req) - char buf[256]; - - inet_ntop(he->family, he->addr_list[i]->ipaddr, buf, sizeof(buf)); -- fail_if(strcmp(buf, "127.0.0.1") != 0 && strcmp(buf, "::1") != 0); -+ fail_if(strcmp(buf, "127.0.0.1") != 0 && strcmp(buf, "::1") != 0, -+ "Expecting either '127.0.0.1' or '::1'. Got: %s", buf); - } - } - -@@ -204,7 +212,7 @@ _get_request(struct test_ctx *test_ctx, struct fo_service *service, - struct task *task; - - task = talloc(test_ctx, struct task); -- fail_if(task == NULL); -+ fail_if(task == NULL, "Failed to allocate memory"); - - task->test_ctx = test_ctx; - task->recv = expected_recv; -@@ -228,27 +236,40 @@ START_TEST(test_fo_resolve_service) - { - struct test_ctx *ctx; - struct fo_service *service[3]; -+ int ret; - - ctx = setup_test(); -- fail_if(ctx == NULL); -+ fail_if(ctx == NULL, "Failed to allocate memory"); - - /* Add service. */ -- fail_if(fo_new_service(ctx->fo_ctx, "http", NULL, &service[0]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "http", NULL, &service[0]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - -- fail_if(fo_new_service(ctx->fo_ctx, "ldap", NULL, &service[1]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "ldap", NULL, &service[1]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - -- fail_if(fo_new_service(ctx->fo_ctx, "ntp", NULL, &service[2]) != EOK); -+ ret = fo_new_service(ctx->fo_ctx, "ntp", NULL, &service[2]); -+ fail_if(ret != EOK, "fo_new_service failed with error: %d", ret); - - /* Add servers. */ -- fail_if(fo_add_server(service[0], "localhost", 20, NULL, true) != EOK); -- fail_if(fo_add_server(service[0], "127.0.0.1", 80, NULL, false) != EOK); -- -- fail_if(fo_add_server(service[1], "localhost", 30, NULL, false) != EOK); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EOK); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EEXIST); -- fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, false) != EEXIST); -- -- fail_if(fo_add_server(service[2], NULL, 123, NULL, true) != EOK); -+ ret = fo_add_server(service[0], "localhost", 20, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[0], "127.0.0.1", 80, NULL, false); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ -+ ret = fo_add_server(service[1], "localhost", 30, NULL, false); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, true); -+ fail_if(ret != EEXIST, -+ "fo_add_server must fail with EEXIST. Got: %d", ret); -+ ret = fo_add_server(service[1], "127.0.0.1", 389, NULL, false); -+ fail_if(ret != EEXIST, -+ "fo_add_server must fail with EEXIST. Got: %d", ret); -+ -+ ret = fo_add_server(service[2], NULL, 123, NULL, true); -+ fail_if(ret != EOK, "fo_add_server failed with error: %d", ret); - - /* Make requests. */ - get_request(ctx, service[0], EOK, 20, PORT_WORKING, -1); --- -2.28.0.rc2 - - -From 0261117370d3d504a0aa0c95a2dc11b10429430c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:11 +0000 -Subject: [PATCH 11/19] FAIL-OVER-TESTS: Fix format string issues - ---- - src/tests/fail_over-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c -index 4afbc7933..d7bd173d6 100644 ---- a/src/tests/fail_over-tests.c -+++ b/src/tests/fail_over-tests.c -@@ -164,7 +164,7 @@ test_resolve_service_callback(struct tevent_req *req) - - recv_status = fo_resolve_service_recv(req, req, &server); - talloc_free(req); -- fail_if(recv_status != task->recv, "%s: Expected return of %d, got %d", -+ fail_if(recv_status != task->recv, "%s: Expected return of %d, got %"PRIu64, - task->location, task->recv, recv_status); - if (recv_status != EOK) - return; --- -2.28.0.rc2 - - -From 45f1f0b2d0ac9fb98aff79a453b0228a81c35f7f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:12 +0000 -Subject: [PATCH 12/19] AUTH-TESTS: Fix format string issues - ---- - src/tests/auth-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c -index 67c664882..69998706e 100644 ---- a/src/tests/auth-tests.c -+++ b/src/tests/auth-tests.c -@@ -203,7 +203,7 @@ static void do_failed_login_test(uint32_t failed_login_attempts, - - fail_unless(delayed_until == expected_delay, - "check_failed_login_attempts wrong delay, " -- "expected [%d], got [%d]", -+ "expected [%ld], got [%ld]", - expected_delay, delayed_until); - - talloc_free(test_ctx); --- -2.28.0.rc2 - - -From fb4a22c39b16899edebdf90d71ed16e0700597c6 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:13 +0000 -Subject: [PATCH 13/19] =?UTF-8?q?IPA-LDAP-OPT-TESTS:=20Fix=20error=20too?= - =?UTF-8?q?=20few=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5F?= - =?UTF-8?q?failed=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/ipa_ldap_opt-tests.c | 87 ++++++++++++++++++++++------------ - 1 file changed, 57 insertions(+), 30 deletions(-) - -diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c -index 8c7c81f7d..9c3bede9b 100644 ---- a/src/tests/ipa_ldap_opt-tests.c -+++ b/src/tests/ipa_ldap_opt-tests.c -@@ -171,18 +171,26 @@ END_TEST - - static void fail_unless_dp_opt_is_terminator(struct dp_option *o) - { -- fail_unless(o->opt_name == NULL); -- fail_unless(o->type == 0); -- fail_unless(o->def_val.string == NULL); -- fail_unless(o->val.string == NULL); -+ fail_unless(o->opt_name == NULL, -+ "Unexpected NULL for opt_name in dp_option"); -+ fail_unless(o->type == 0, -+ "Unexpected 0 for type in dp_option"); -+ fail_unless(o->def_val.string == NULL, -+ "Unexpected NULL for def_val.string in dp_option"); -+ fail_unless(o->val.string == NULL, -+ "Unexpected NULL for val.string in dp_option"); - } - - static void fail_unless_sdap_opt_is_terminator(struct sdap_attr_map *m) - { -- fail_unless(m->name == NULL); -- fail_unless(m->def_name == NULL); -- fail_unless(m->sys_name == NULL); -- fail_unless(m->opt_name == NULL); -+ fail_unless(m->name == NULL, -+ "Unexpected NULL for name in sdap_attr_map"); -+ fail_unless(m->def_name == NULL, -+ "Unexpected NULL for def_name in sdap_attr_map"); -+ fail_unless(m->sys_name == NULL, -+ "Unexpected NULL for sys_name in sdap_attr_map"); -+ fail_unless(m->opt_name == NULL, -+ "Unexpected NULL for opt_name in sdap_attr_map"); - } - - START_TEST(test_dp_opt_sentinel) -@@ -325,37 +333,53 @@ START_TEST(test_copy_sdap_map) - ret = sdap_copy_map(global_talloc_context, - rfc2307_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - rfc2307bis_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - ipa_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - - ret = sdap_copy_map(global_talloc_context, - gen_ad2008r2_user_map, SDAP_OPTS_USER, &out_map); - fail_unless(ret == EOK, "[%s]", strerror(ret)); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); -- fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL, -+ "Unexpected NULL for def_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL, -+ "Unexpected NULL for sys_name with idx: %d", SDAP_OPTS_USER); -+ fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL, -+ "Unexpected NULL for opt_name with idx: %d", SDAP_OPTS_USER); - talloc_free(out_map); - } - END_TEST -@@ -382,14 +406,15 @@ START_TEST(test_extra_opts) - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - - /* Two extra and sentinel */ -- fail_unless(new_size != SDAP_OPTS_USER + 3); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 3); - /* Foo would be saved to sysdb verbatim */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER].name, "foo"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER].sys_name, "foo"); - /* Bar would be saved to sysdb as baz */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].name, "bar"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].sys_name, "baz"); -- fail_unless(out_map[SDAP_OPTS_USER+2].name == NULL); -+ fail_unless(out_map[SDAP_OPTS_USER+2].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER + 2); - - talloc_free(out_map); - } -@@ -413,8 +438,9 @@ START_TEST(test_no_extra_opts) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - /* Attributes and sentinel */ -- fail_unless(new_size != SDAP_OPTS_USER + 1); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - - talloc_free(out_map); - } -@@ -441,8 +467,9 @@ START_TEST(test_extra_opts_neg) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", strerror(ret)); - /* The faulty attributes would be just skipped */ -- fail_unless(new_size != SDAP_OPTS_USER + 1); -- fail_unless(out_map[SDAP_OPTS_USER].name == NULL); -+ ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_unless(out_map[SDAP_OPTS_USER].name == NULL, -+ "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - - talloc_free(out_map); - } --- -2.28.0.rc2 - - -From 9731df5ac6c7f7a9ad5bd50ba25598c4ffa79e46 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:14 +0000 -Subject: [PATCH 14/19] =?UTF-8?q?CRYPTO-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/crypto-tests.c | 63 ++++++++++++++++++++++++---------------- - 1 file changed, 38 insertions(+), 25 deletions(-) - -diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c -index 6f5e22a87..4af82b078 100644 ---- a/src/tests/crypto-tests.c -+++ b/src/tests/crypto-tests.c -@@ -40,10 +40,13 @@ START_TEST(test_nss_init) - int ret; - - ret = nspr_nss_init(); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "nspr_nss_init failed with error: %d", ret); -+ - - ret = nspr_nss_cleanup(); -- fail_if(ret != EOK); -+ fail_if(ret != EOK, -+ "nspr_nss_cleanup failed with error: %d", ret); - } - END_TEST - #endif -@@ -67,18 +70,22 @@ START_TEST(test_sss_password_encrypt_decrypt) - #endif - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - ck_leaks_push(test_ctx); - - for (i=0; password[i]; i++) { - ret = sss_password_encrypt(test_ctx, password[i], strlen(password[i])+1, - AES_256, &obfpwd); -- fail_if(ret != expected); -+ ck_assert_int_eq(ret, expected); - - ret = sss_password_decrypt(test_ctx, obfpwd, &ctpwd); -- fail_if(ret != expected); -+ ck_assert_int_eq(ret, expected); - -- fail_if(ctpwd && strcmp(password[i], ctpwd) != 0); -+ fail_if(ctpwd == NULL, -+ "sss_password_decrypt must not return NULL"); -+ fail_if(strcmp(password[i], ctpwd) != 0, -+ "Unexpected decrypted password. Expected: %s got: %s", -+ password[i], ctpwd); - - talloc_free(obfpwd); - talloc_free(ctpwd); -@@ -116,8 +123,10 @@ START_TEST(test_hmac_sha1) - ret = sss_hmac_sha1((const unsigned char *)keys[i], strlen(keys[i]), - (const unsigned char *)message, strlen(message), - out); -- fail_if(ret != expected); -- fail_if(ret == EOK && memcmp(out, results[i], SSS_SHA1_LENGTH) != 0); -+ ck_assert_int_eq(ret, expected); -+ ck_assert_int_eq(ret, EOK); -+ fail_if(memcmp(out, results[i], SSS_SHA1_LENGTH) != 0, -+ "Unexpected result for index: %d", i); - } - } - END_TEST -@@ -129,11 +138,13 @@ START_TEST(test_base64_encode) - char *obfpwd = NULL; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - /* Base64 encode the buffer */ - obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf)); -- fail_if(obfpwd == NULL); -- fail_if(strcmp(obfpwd,expected) != 0); -+ fail_if(obfpwd == NULL, -+ "sss_base64_encode must not return NULL"); -+ fail_if(strcmp(obfpwd, expected) != 0, -+ "Got: %s expected value: %s", obfpwd, expected); - - talloc_free(test_ctx); - } -@@ -147,12 +158,14 @@ START_TEST(test_base64_decode) - const unsigned char expected[] = "test"; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - /* Base64 decode the buffer */ - obfbuf = sss_base64_decode(test_ctx, b64encoded, &obflen); -- fail_if(!obfbuf); -- fail_if(obflen != strlen((const char*)expected)); -- fail_if(memcmp(obfbuf, expected, obflen) != 0); -+ fail_if(obfbuf == NULL, -+ "sss_base64_decode must not return NULL"); -+ ck_assert_int_eq(obflen, strlen((const char*)expected)); -+ fail_if(memcmp(obfbuf, expected, obflen) != 0, -+ "Unexpected vale returned after sss_base64_decode"); - - talloc_free(test_ctx); - } -@@ -176,14 +189,14 @@ START_TEST(test_sss_encrypt_decrypt) - int ret; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, - (const uint8_t *)input_text, input_text_len, - &cipher_text, &cipher_text_len); - -- fail_if(ret != 0); -- fail_if(cipher_text_len == 0); -+ fail_if(ret != 0, "sss_encrypt failed with error: %d", ret); -+ fail_if(cipher_text_len == 0, "cipher_text_len must not be zero"); - - ret = memcmp(input_text, cipher_text, input_text_len); - fail_if(ret == 0, "Input and encrypted text has common prefix"); -@@ -191,8 +204,8 @@ START_TEST(test_sss_encrypt_decrypt) - ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, - cipher_text, cipher_text_len, - &plain_text, &plain_text_len); -- fail_if(ret != 0); -- fail_if(plain_text_len != input_text_len); -+ fail_if(ret != 0, "sss_decrypt failed with error: %d", ret); -+ ck_assert_int_eq(plain_text_len, input_text_len); - - ret = memcmp(plain_text, input_text, input_text_len); - fail_if(ret != 0, "input text is not the same as de-encrypted text"); -@@ -211,21 +224,21 @@ START_TEST(test_s3crypt_sha512) - const char *expected_hash = "$6$tU67Q/9h3tm5WJ.U$aL9gjCfiSZQewHTI6A4/MHCVWrMCiJZ.gNXEIw6HO39XGbg.s2nTyGlYXeoQyQtDll3XSbIZN41fJEC3v7ELy0"; - - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - ret = s3crypt_gen_salt(test_ctx, &salt); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_gen_salt failed with error: %d", ret); - - ret = s3crypt_sha512(test_ctx, password, salt, &userhash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - - ret = s3crypt_sha512(test_ctx, password, userhash, &comphash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - ck_assert_str_eq(userhash, comphash); - talloc_free(comphash); - - ret = s3crypt_sha512(test_ctx, password, expected_hash, &comphash); -- fail_if(ret != 0); -+ fail_if(ret != 0, "s3crypt_sha512 failed with error: %d", ret); - ck_assert_str_eq(expected_hash, comphash); - - talloc_free(test_ctx); --- -2.28.0.rc2 - - -From bcc95a78395f5ec982ba90485eb6251e85b8678c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:15 +0000 -Subject: [PATCH 15/19] =?UTF-8?q?UTIL-TESTS:=20Fix=20error=20too=20few=20a?= - =?UTF-8?q?rguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros -* convert assertions to different macros ---- - src/tests/util-tests.c | 52 +++++++++++++++++++++++++++--------------- - 1 file changed, 34 insertions(+), 18 deletions(-) - -diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c -index e331f8260..11642d9b6 100644 ---- a/src/tests/util-tests.c -+++ b/src/tests/util-tests.c -@@ -445,15 +445,18 @@ START_TEST(test_fd_nonblocking) - errno_t ret; - - fd = open("/dev/null", O_RDONLY); -- fail_unless(fd > 0); -+ fail_unless(fd > 0, -+ "open failed with errno: %d", errno); - - flags = fcntl(fd, F_GETFL, 0); -- fail_if(flags & O_NONBLOCK); -+ fail_if(flags & O_NONBLOCK, -+ "Unexpected flag O_NONBLOCK[%x] in [%x]", O_NONBLOCK, flags); - - ret = sss_fd_nonblocking(fd); -- fail_unless(ret == EOK); -+ fail_unless(ret == EOK, "sss_fd_nonblocking failed with error: %d", ret); - flags = fcntl(fd, F_GETFL, 0); -- fail_unless(flags & O_NONBLOCK); -+ fail_unless(flags & O_NONBLOCK, -+ "Flag O_NONBLOCK[%x] is missing in [%x]", O_NONBLOCK, flags); - close(fd); - } - END_TEST -@@ -482,8 +485,9 @@ START_TEST(test_utf8_lowercase) - lcase = sss_utf8_tolower(munchen_utf8_upcase, - strlen((const char *)munchen_utf8_upcase), - &nlen); -- fail_if(strlen((const char *) munchen_utf8_upcase) != nlen); /* This is not true for utf8 strings in general */ -- fail_if(memcmp(lcase, munchen_utf8_lowcase, nlen)); -+ ck_assert_int_eq(strlen((const char *) munchen_utf8_upcase), nlen); /* This is not true for utf8 strings in general */ -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nlen), -+ "Unexpected binary values"); - sss_utf8_free(lcase); - } - END_TEST -@@ -497,12 +501,13 @@ START_TEST(test_utf8_talloc_lowercase) - - TALLOC_CTX *test_ctx; - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - lcase = sss_tc_utf8_tolower(test_ctx, munchen_utf8_upcase, - strlen((const char *) munchen_utf8_upcase), - &nsize); -- fail_if(memcmp(lcase, munchen_utf8_lowcase, nsize)); -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nsize), -+ "Unexpected binary values"); - talloc_free(test_ctx); - } - END_TEST -@@ -515,10 +520,11 @@ START_TEST(test_utf8_talloc_str_lowercase) - - TALLOC_CTX *test_ctx; - test_ctx = talloc_new(NULL); -- fail_if(test_ctx == NULL); -+ fail_if(test_ctx == NULL, "Failed to allocate memory"); - - lcase = sss_tc_utf8_str_tolower(test_ctx, (const char *) munchen_utf8_upcase); -- fail_if(memcmp(lcase, munchen_utf8_lowcase, strlen(lcase))); -+ fail_if(memcmp(lcase, munchen_utf8_lowcase, strlen(lcase)), -+ "Unexpected binary values"); - talloc_free(test_ctx); - } - END_TEST -@@ -569,7 +575,9 @@ START_TEST(test_murmurhash3_check) - strlen(tests[i]), - 0xdeadbeef); - for (j = 0; j < i; j++) { -- fail_if(results[i] == results[j]); -+ fail_if(results[i] == results[j], -+ "Values have to be different. '%"PRIu32"' == '%"PRIu32"'", -+ results[i], results[j]); - } - } - } -@@ -599,7 +607,7 @@ START_TEST(test_murmurhash3_random) - - result1 = murmurhash3(test, len + 1, init_seed); - result2 = murmurhash3(test, len + 1, init_seed); -- fail_if(result1 != result2); -+ ck_assert_int_eq(result1, result2); - } - END_TEST - -@@ -1064,7 +1072,8 @@ static void convert_time_tz(const char* tz) - - if (tz) { - ret = setenv("TZ", tz, 1); -- fail_if(ret == -1); -+ fail_if(ret == -1, -+ "setenv failed with errno: %d", errno); - } - - ret = sss_utc_to_time_t("20140801115742Z", "%Y%m%d%H%M%SZ", &unix_time); -@@ -1072,9 +1081,12 @@ static void convert_time_tz(const char* tz) - /* restore */ - if (orig_tz != NULL) { - ret2 = setenv("TZ", orig_tz, 1); -- fail_if(ret2 == -1); -+ fail_if(ret2 == -1, -+ "setenv failed with errno: %d", errno); - } -- fail_unless(ret == EOK && difftime(1406894262, unix_time) == 0); -+ fail_unless(ret == EOK && difftime(1406894262, unix_time) == 0, -+ "Expecting 1406894262 got: ret[%d] unix_time[%ld]", -+ ret, unix_time); - } - - START_TEST(test_convert_time) -@@ -1084,11 +1096,15 @@ START_TEST(test_convert_time) - errno_t ret; - - ret = sss_utc_to_time_t("20150127133540P", format, &unix_time); -- fail_unless(ret == ERR_TIMESPEC_NOT_SUPPORTED); -+ fail_unless(ret == ERR_TIMESPEC_NOT_SUPPORTED, -+ "sss_utc_to_time_t must fail with %d. got: %d", -+ ERR_TIMESPEC_NOT_SUPPORTED, ret); - ret = sss_utc_to_time_t("0Z", format, &unix_time); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "sss_utc_to_time_t must fail with EINVAL. got: %d", ret); - ret = sss_utc_to_time_t("000001010000Z", format, &unix_time); -- fail_unless(ret == EINVAL); -+ fail_unless(ret == EINVAL, -+ "sss_utc_to_time_t must fail with EINVAL. got: %d", ret); - - /* test that results are still same no matter what timezone is set */ - convert_time_tz(NULL); --- -2.28.0.rc2 - - -From deef3642e58ea3d2041732f59648b398c9a6838f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:16 +0000 -Subject: [PATCH 16/19] UTIL-TESTS: Fix format string issues - ---- - src/tests/util-tests.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c -index 11642d9b6..bf9779a22 100644 ---- a/src/tests/util-tests.c -+++ b/src/tests/util-tests.c -@@ -659,7 +659,7 @@ START_TEST(test_atomicio_read_from_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == bufsize, -- "Read %d bytes expected %d\n", numread, bufsize); -+ "Read %zd bytes expected %zd\n", numread, bufsize); - close(fd); - } - END_TEST -@@ -681,7 +681,7 @@ START_TEST(test_atomicio_read_from_small_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -692,7 +692,7 @@ START_TEST(test_atomicio_read_from_small_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - } - END_TEST - -@@ -714,7 +714,7 @@ START_TEST(test_atomicio_read_from_large_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -731,7 +731,7 @@ START_TEST(test_atomicio_read_from_large_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(total == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - } - END_TEST - -@@ -752,7 +752,7 @@ START_TEST(test_atomicio_read_exact_sized_file) - - fail_unless(ret == 0, "Error %d while writing\n", ret); - fail_unless(numwritten == wsize, -- "Wrote %d bytes expected %d\n", numwritten, wsize); -+ "Wrote %zd bytes expected %zd\n", numwritten, wsize); - - fsync(atio_fd); - lseek(atio_fd, 0, SEEK_SET); -@@ -763,7 +763,7 @@ START_TEST(test_atomicio_read_exact_sized_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == numwritten, -- "Read %d bytes expected %d\n", numread, numwritten); -+ "Read %zd bytes expected %zd\n", numread, numwritten); - - fail_unless(rbuf[8] == '\0', "String not NULL terminated?"); - fail_unless(strcmp(wbuf, rbuf) == 0, "Read something else than wrote?"); -@@ -794,7 +794,7 @@ START_TEST(test_atomicio_read_from_empty_file) - - fail_unless(ret == 0, "Error %d while reading\n", ret); - fail_unless(numread == 0, -- "Read %d bytes expected 0\n", numread); -+ "Read %zd bytes expected 0\n", numread); - close(fd); - } - END_TEST --- -2.28.0.rc2 - - -From 1bb674dfe22027d26e91fa8fc27ab9d1588fefbf Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:17 +0000 -Subject: [PATCH 17/19] =?UTF-8?q?IPA-HBAC-TESTS:=20Fix=20error=20too=20few?= - =?UTF-8?q?=20arguments=20to=20function=20=E2=80=98=5Fck=5Fassert=5Ffailed?= - =?UTF-8?q?=E2=80=99?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* add missing messages to fail_{if,unless} macros ---- - src/tests/ipa_hbac-tests.c | 195 ++++++++++++++++++--------------- - src/tests/ipa_ldap_opt-tests.c | 12 +- - 2 files changed, 116 insertions(+), 91 deletions(-) - -diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c -index c8ef7fe44..2d8f8a980 100644 ---- a/src/tests/ipa_hbac-tests.c -+++ b/src/tests/ipa_hbac-tests.c -@@ -75,30 +75,30 @@ static void get_allow_all_rule(TALLOC_CTX *mem_ctx, - * remote hosts. - */ - rule = talloc_zero(mem_ctx, struct hbac_rule); -- fail_if (rule == NULL); -+ fail_if (rule == NULL, "Failed to allocate memory"); - - rule->enabled = true; - - rule->services = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->services == NULL); -+ fail_if (rule->services == NULL, "Failed to allocate memory"); - rule->services->category = HBAC_CATEGORY_ALL; - rule->services->names = NULL; - rule->services->groups = NULL; - - rule->users = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->users == NULL); -+ fail_if (rule->users == NULL, "Failed to allocate memory"); - rule->users->category = HBAC_CATEGORY_ALL; - rule->users->names = NULL; - rule->users->groups = NULL; - - rule->targethosts = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->targethosts == NULL); -+ fail_if (rule->targethosts == NULL, "Failed to allocate memory"); - rule->targethosts->category = HBAC_CATEGORY_ALL; - rule->targethosts->names = NULL; - rule->targethosts->groups = NULL; - - rule->srchosts = talloc_zero(rule, struct hbac_rule_element); -- fail_if (rule->srchosts == NULL); -+ fail_if (rule->srchosts == NULL, "Failed to allocate memory"); - rule->srchosts->category = HBAC_CATEGORY_ALL; - rule->srchosts->names = NULL; - rule->srchosts->groups = NULL; -@@ -112,19 +112,19 @@ static void get_test_user(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_user; - - new_user = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_user == NULL); -+ fail_if (new_user == NULL, "Failed to allocate memory"); - - new_user->name = talloc_strdup(new_user, HBAC_TEST_USER); -- fail_if(new_user->name == NULL); -+ fail_if(new_user->name == NULL, "Failed to allocate memory"); - - new_user->groups = talloc_array(new_user, const char *, 3); -- fail_if(new_user->groups == NULL); -+ fail_if(new_user->groups == NULL, "Failed to allocate memory"); - - new_user->groups[0] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP1); -- fail_if(new_user->groups[0] == NULL); -+ fail_if(new_user->groups[0] == NULL, "Failed to allocate memory"); - - new_user->groups[1] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP2); -- fail_if(new_user->groups[1] == NULL); -+ fail_if(new_user->groups[1] == NULL, "Failed to allocate memory"); - - new_user->groups[2] = NULL; - -@@ -137,19 +137,19 @@ static void get_test_service(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_service; - - new_service = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_service == NULL); -+ fail_if (new_service == NULL, "Failed to allocate memory"); - - new_service->name = talloc_strdup(new_service, HBAC_TEST_SERVICE); -- fail_if(new_service->name == NULL); -+ fail_if(new_service->name == NULL, "Failed to allocate memory"); - - new_service->groups = talloc_array(new_service, const char *, 3); -- fail_if(new_service->groups == NULL); -+ fail_if(new_service->groups == NULL, "Failed to allocate memory"); - - new_service->groups[0] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP1); -- fail_if(new_service->groups[0] == NULL); -+ fail_if(new_service->groups[0] == NULL, "Failed to allocate memory"); - - new_service->groups[1] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP2); -- fail_if(new_service->groups[1] == NULL); -+ fail_if(new_service->groups[1] == NULL, "Failed to allocate memory"); - - new_service->groups[2] = NULL; - -@@ -162,21 +162,21 @@ static void get_test_srchost(TALLOC_CTX *mem_ctx, - struct hbac_request_element *new_srchost; - - new_srchost = talloc_zero(mem_ctx, struct hbac_request_element); -- fail_if (new_srchost == NULL); -+ fail_if (new_srchost == NULL, "Failed to allocate memory"); - - new_srchost->name = talloc_strdup(new_srchost, HBAC_TEST_SRCHOST); -- fail_if(new_srchost->name == NULL); -+ fail_if(new_srchost->name == NULL, "Failed to allocate memory"); - - new_srchost->groups = talloc_array(new_srchost, const char *, 3); -- fail_if(new_srchost->groups == NULL); -+ fail_if(new_srchost->groups == NULL, "Failed to allocate memory"); - - new_srchost->groups[0] = talloc_strdup(new_srchost->groups, - HBAC_TEST_SRCHOSTGROUP1); -- fail_if(new_srchost->groups[0] == NULL); -+ fail_if(new_srchost->groups[0] == NULL, "Failed to allocate memory"); - - new_srchost->groups[1] = talloc_strdup(new_srchost->groups, - HBAC_TEST_SRCHOSTGROUP2); -- fail_if(new_srchost->groups[1] == NULL); -+ fail_if(new_srchost->groups[1] == NULL, "Failed to allocate memory"); - - new_srchost->groups[2] = NULL; - -@@ -197,7 +197,7 @@ START_TEST(ipa_hbac_test_allow_all) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -205,17 +205,18 @@ START_TEST(ipa_hbac_test_allow_all) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - rules[0]->name = talloc_strdup(rules[0], "Allow All"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[1] = NULL; - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -245,7 +246,7 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -253,17 +254,17 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific user */ - rules[0]->name = talloc_strdup(rules[0], "Allow user"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - rules[0]->users->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->names == NULL); -+ fail_if(rules[0]->users->names == NULL, "Failed to allocate memory"); - - rules[0]->users->names[0] = HBAC_TEST_USER; - rules[0]->users->names[1] = NULL; -@@ -272,8 +273,9 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -291,8 +293,9 @@ START_TEST(ipa_hbac_test_allow_user) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -323,7 +326,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -336,17 +339,17 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - rules[0]->name = talloc_strdup(rules[0], "Allow user"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - /* Modify the rule to allow only a specific user */ - rules[0]->users->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->names == NULL); -+ fail_if(rules[0]->users->names == NULL, "Failed to allocate memory"); - - rules[0]->users->names[0] = (const char *) &user_utf8_upcase; - rules[0]->users->names[1] = NULL; -@@ -355,7 +358,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->services->names[0] = (const char *) &service_utf8_upcase; - rules[0]->services->names[1] = NULL; -@@ -364,7 +367,7 @@ START_TEST(ipa_hbac_test_allow_utf8) - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->names[0] = (const char *) &srchost_utf8_upcase; - rules[0]->srchosts->names[1] = NULL; -@@ -373,8 +376,9 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -409,8 +413,9 @@ START_TEST(ipa_hbac_test_allow_utf8) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -441,7 +446,7 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -449,18 +454,18 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow group"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->users->category = HBAC_CATEGORY_NULL; - - rules[0]->users->names = NULL; - rules[0]->users->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->users->groups == NULL); -+ fail_if(rules[0]->users->groups == NULL, "Failed to allocate memory"); - - rules[0]->users->groups[0] = HBAC_TEST_GROUP1; - rules[0]->users->groups[1] = NULL; -@@ -469,8 +474,9 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -488,8 +494,9 @@ START_TEST(ipa_hbac_test_allow_group) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -520,7 +527,7 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -528,17 +535,17 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific service */ - rules[0]->name = talloc_strdup(rules[0], "Allow service"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->names == NULL); -+ fail_if(rules[0]->services->names == NULL, "Failed to allocate memory"); - - rules[0]->services->names[0] = HBAC_TEST_SERVICE; - rules[0]->services->names[1] = NULL; -@@ -547,8 +554,9 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -566,8 +574,9 @@ START_TEST(ipa_hbac_test_allow_svc) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -598,7 +607,7 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -606,18 +615,18 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->services->category = HBAC_CATEGORY_NULL; - - rules[0]->services->names = NULL; - rules[0]->services->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->services->groups == NULL); -+ fail_if(rules[0]->services->groups == NULL, "Failed to allocate memory"); - - rules[0]->services->groups[0] = HBAC_TEST_SERVICEGROUP1; - rules[0]->services->groups[1] = NULL; -@@ -626,8 +635,9 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -645,8 +655,9 @@ START_TEST(ipa_hbac_test_allow_svcgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -677,7 +688,7 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -685,17 +696,17 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a specific service */ - rules[0]->name = talloc_strdup(rules[0], "Allow srchost"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->srchosts->names == NULL); -+ fail_if(rules[0]->srchosts->names == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->names[0] = HBAC_TEST_SRCHOST; - rules[0]->srchosts->names[1] = NULL; -@@ -704,8 +715,9 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -723,8 +735,9 @@ START_TEST(ipa_hbac_test_allow_srchost) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -755,7 +768,7 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Create a request */ - eval_req = talloc_zero(test_ctx, struct hbac_eval_req); -- fail_if (eval_req == NULL); -+ fail_if (eval_req == NULL, "Failed to allocate memory"); - - get_test_user(eval_req, &eval_req->user); - get_test_service(eval_req, &eval_req->service); -@@ -763,18 +776,18 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Create the rules to evaluate against */ - rules = talloc_array(test_ctx, struct hbac_rule *, 2); -- fail_if (rules == NULL); -+ fail_if (rules == NULL, "Failed to allocate memory"); - - get_allow_all_rule(rules, &rules[0]); - - /* Modify the rule to allow only a group of users */ - rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup"); -- fail_if(rules[0]->name == NULL); -+ fail_if(rules[0]->name == NULL, "Failed to allocate memory"); - rules[0]->srchosts->category = HBAC_CATEGORY_NULL; - - rules[0]->srchosts->names = NULL; - rules[0]->srchosts->groups = talloc_array(rules[0], const char *, 2); -- fail_if(rules[0]->srchosts->groups == NULL); -+ fail_if(rules[0]->srchosts->groups == NULL, "Failed to allocate memory"); - - rules[0]->srchosts->groups[0] = HBAC_TEST_SRCHOSTGROUP1; - rules[0]->srchosts->groups[1] = NULL; -@@ -783,8 +796,9 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -802,8 +816,9 @@ START_TEST(ipa_hbac_test_allow_srchostgroup) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); -- fail_unless(is_valid); -- fail_unless(missing_attrs == 0); -+ fail_unless(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs == 0, -+ "Unexpected missing attributes. Got: %"PRIx32, missing_attrs); - - /* Evaluate the rules */ - result = hbac_evaluate(rules, eval_req, &info); -@@ -833,11 +848,15 @@ START_TEST(ipa_hbac_test_incomplete) - - /* Validate this rule */ - is_valid = hbac_rule_is_complete(rule, &missing_attrs); -- fail_if(is_valid); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS); -- fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS); -+ fail_if(is_valid, "hbac_rule_is_complete failed"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_USERS"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_SERVICES"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_TARGETHOSTS"); -+ fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS, -+ "missing_attrs failed for HBAC_RULE_ELEMENT_SOURCEHOSTS"); - - talloc_free(test_ctx); - } -diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c -index 9c3bede9b..f3de4fadf 100644 ---- a/src/tests/ipa_ldap_opt-tests.c -+++ b/src/tests/ipa_ldap_opt-tests.c -@@ -406,7 +406,9 @@ START_TEST(test_extra_opts) - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - - /* Two extra and sentinel */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 3); -+ fail_if(new_size == SDAP_OPTS_USER + 3, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 3); - /* Foo would be saved to sysdb verbatim */ - ck_assert_str_eq(out_map[SDAP_OPTS_USER].name, "foo"); - ck_assert_str_eq(out_map[SDAP_OPTS_USER].sys_name, "foo"); -@@ -438,7 +440,9 @@ START_TEST(test_no_extra_opts) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); - /* Attributes and sentinel */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_if(new_size == SDAP_OPTS_USER + 1, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 1); - fail_unless(out_map[SDAP_OPTS_USER].name == NULL, - "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - -@@ -467,7 +471,9 @@ START_TEST(test_extra_opts_neg) - &out_map, &new_size); - fail_unless(ret == EOK, "[%s]", strerror(ret)); - /* The faulty attributes would be just skipped */ -- ck_assert_int_eq(new_size, SDAP_OPTS_USER + 1); -+ fail_if(new_size == SDAP_OPTS_USER + 1, -+ "new_size [%zu] mest not be equal to[%d]", -+ new_size, SDAP_OPTS_USER + 1); - fail_unless(out_map[SDAP_OPTS_USER].name == NULL, - "Unexpected NULL for name with id: %d", SDAP_OPTS_USER); - --- -2.28.0.rc2 - - -From 9f2f908789552fdc07062a2d0b14ef38c1f6608b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:18 +0000 -Subject: [PATCH 18/19] SSS-IDMAP-TESTS: Fix format string issues - ---- - src/tests/sss_idmap-tests.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c -index e5f3f7041..3672d1c0c 100644 ---- a/src/tests/sss_idmap-tests.c -+++ b/src/tests/sss_idmap-tests.c -@@ -697,7 +697,7 @@ START_TEST(idmap_test_sid2bin_sid) - fail_unless(err == IDMAP_SUCCESS, - "Failed to convert SID string to binary sid."); - fail_unless(length == test_bin_sid_length, -- "Size of binary SIDs do not match, got [%d], expected [%d]", -+ "Size of binary SIDs do not match, got [%zu], expected [%zu]", - length, test_bin_sid_length); - fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, - "Binary SIDs do not match"); -@@ -756,7 +756,7 @@ START_TEST(idmap_test_smb_sid2bin_sid) - fail_unless(err == IDMAP_SUCCESS, - "Failed to convert samba dom_sid to binary sid."); - fail_unless(length == test_bin_sid_length, -- "Size of binary SIDs do not match, got [%d], expected [%d]", -+ "Size of binary SIDs do not match, got [%zu], expected [%zu]", - length, test_bin_sid_length); - fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, - "Binary SIDs do not match."); --- -2.28.0.rc2 - - -From 1c28c2233cc6230f68f5fc335b4490d2d5cfbc96 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 25 Jul 2020 13:18:19 +0000 -Subject: [PATCH 19/19] RESPONDER-SOCKET-ACCESS-TESTS: Fix format string issues - ---- - src/tests/responder_socket_access-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/responder_socket_access-tests.c b/src/tests/responder_socket_access-tests.c -index 8bb72e79c..70b90a758 100644 ---- a/src/tests/responder_socket_access-tests.c -+++ b/src/tests/responder_socket_access-tests.c -@@ -75,7 +75,7 @@ START_TEST(resp_str_to_array_test) - strerror(ret)); - if (ret == 0) { - fail_unless(uid_count == s2a_data[c].exp_count, -- "Wrong number of values, expected [%d], got [%d].", -+ "Wrong number of values, expected [%zu], got [%zu].", - s2a_data[c].exp_count, uid_count); - for (d = 0; d < s2a_data[c].exp_count; d++) { - fail_unless(uids[d] == s2a_data[c].exp_uids[d], --- -2.28.0.rc2 - diff --git a/0001-kcm-fix-typos-in-debug-messages.patch b/0001-kcm-fix-typos-in-debug-messages.patch new file mode 100644 index 0000000..399c6c6 --- /dev/null +++ b/0001-kcm-fix-typos-in-debug-messages.patch @@ -0,0 +1,53 @@ +From b768a37d3f908a37f4c490a30df6559bc14c7451 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 14 Sep 2020 12:44:57 +0200 +Subject: [PATCH 01/19] kcm: fix typos in debug messages + +--- + src/responder/kcm/kcmsrv_ccache_json.c | 2 +- + src/responder/kcm/kcmsrv_cmd.c | 2 +- + src/responder/kcm/kcmsrv_ops.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index f78e9f58cee750f13d1085c3eb4a76235a4bcbb5..38ec53c408c3b9d44f37d102c4a0c976ef32bdfe 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -911,7 +911,7 @@ errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, + ret = sec_value_to_json(sec_value, &root); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot store secret to JSN [%d]: %s\n", ++ "Cannot store secret to JSON [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 421bf4bc5bb14d0ab9de6cd3be0e9d34d871ed9c..99980050f205730169f5907db4018e4fe57b046d 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -314,7 +314,7 @@ static void kcm_reply_error(struct cli_ctx *cctx, + krb5_error_code kerr; + + DEBUG(SSSDBG_OP_FAILURE, +- "KCM operation returs failure [%d]: %s\n", ++ "KCM operation returns failure [%d]: %s\n", + retcode, sss_strerror(retcode)); + kerr = sss2krb5_error(retcode); + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 6ac66c15090422ae83a2f51dbc80144a315a27f4..1e8e4d6a3b4feba5bac3eb0a5fa6a22a588ba985 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -1468,7 +1468,7 @@ static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq) + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "Cannot get ccahe by UUID [%d]: %s\n", ++ "Cannot get ccache by UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; +-- +2.25.4 + diff --git a/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch b/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch deleted file mode 100644 index b9b3e65..0000000 --- a/0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch +++ /dev/null @@ -1,293 +0,0 @@ -From cb9ad222358a84e2b2ea148c2950c2389f81de2c Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 27 Jul 2020 04:01:19 +0000 -Subject: [PATCH] DEBUG-TESTS: Fix warnings format not a string literal and no - format arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -e.g. -src/tests/resolv-tests.c: In function ‘test_timeout’: -src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security] - 942 | ck_leaks_pop(tmp_ctx); - | - -src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security] - 413 | fail_if(result == DEBUG_TEST_NOK_TS, msg); - | ^~~~~~~ - -src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’: -src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security] - 603 | fail(error_msg); - | - -src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’: -src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security] - 671 | fail_unless(result == 0, msg); - | ---- - src/tests/common_check.h | 2 +- - src/tests/debug-tests.c | 128 +++++++++++++++------------------------ - 2 files changed, 49 insertions(+), 81 deletions(-) - -diff --git a/src/tests/common_check.h b/src/tests/common_check.h -index 51c3c3f49..ac92d0a74 100644 ---- a/src/tests/common_check.h -+++ b/src/tests/common_check.h -@@ -31,6 +31,6 @@ void ck_leak_check_setup(void); - void ck_leak_check_teardown(void); - - #define ck_leaks_push(ctx) check_leaks_push(ctx) --#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg()) -+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg()) - - #endif /* __TESTS_COMMON_CHECK_H__ */ -diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c -index 1e78f506e..092ccf684 100644 ---- a/src/tests/debug-tests.c -+++ b/src/tests/debug-tests.c -@@ -55,10 +55,8 @@ START_TEST(test_debug_convert_old_level_old_format) - for (old_level = 0; old_level < N_ELEMENTS(levels); old_level++) { - expected_level |= levels[old_level]; - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level); -- fail_unless(debug_convert_old_level(old_level) == expected_level, msg); -- talloc_free(msg); -+ fail_unless(debug_convert_old_level(old_level) == expected_level, -+ "Invalid conversion of %d", old_level); - } - } - END_TEST -@@ -343,7 +341,6 @@ START_TEST(test_debug_is_set_single_no_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -357,15 +354,13 @@ START_TEST(test_debug_is_set_single_no_timestamp) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -387,7 +382,6 @@ START_TEST(test_debug_is_set_single_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 1; - debug_microseconds = 0; -@@ -402,20 +396,16 @@ START_TEST(test_debug_is_set_single_timestamp) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -- -- char *msg = NULL; -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]); -- fail_if(result == DEBUG_TEST_NOK_TS, msg); -- talloc_free(msg); -+ fail_if(result == DEBUG_TEST_NOK_TS, -+ "Test of level %#.4x failed - invalid timestamp", levels[i]); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -437,7 +427,6 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 1; - debug_microseconds = 1; -@@ -452,20 +441,16 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) - errno = 0; - result = test_helper_debug_check_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -- -- char *msg = NULL; -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]); -- fail_if(result == DEBUG_TEST_NOK_TS, msg); -- talloc_free(msg); -+ fail_if(result == DEBUG_TEST_NOK_TS, -+ "Test of level %#.4x failed - invalid timestamp", levels[i]); - -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message don't match", -+ levels[i]); - } - } - END_TEST -@@ -488,7 +473,6 @@ START_TEST(test_debug_is_notset_no_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -503,17 +487,13 @@ START_TEST(test_debug_is_notset_no_timestamp) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -536,7 +516,6 @@ START_TEST(test_debug_is_notset_timestamp) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 0; -@@ -551,17 +530,13 @@ START_TEST(test_debug_is_notset_timestamp) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -584,7 +559,6 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) - SSSDBG_TRACE_ALL, - SSSDBG_TRACE_LDB - }; -- char *error_msg; - - debug_timestamps = 0; - debug_microseconds = 1; -@@ -598,17 +572,13 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) - errno = 0; - result = test_helper_debug_is_empty_message(levels[i]); - -- if (result == DEBUG_TEST_ERROR) { -- error_msg = strerror(errno); -- fail(error_msg); -- } -+ fail_if(result == DEBUG_TEST_ERROR, -+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s", -+ result, strerror(errno)); - -- char *msg = NULL; -- msg = talloc_asprintf(NULL, -- "Test of level %#.4x failed - message has been written", -- levels[i]); -- fail_unless(result == EOK, msg); -- talloc_free(msg); -+ fail_unless(result == EOK, -+ "Test of level %#.4x failed - message has been written", -+ levels[i]); - } - } - END_TEST -@@ -635,10 +605,9 @@ START_TEST(test_debug_is_set_true) - - for (i = 0; i < N_ELEMENTS(levels); i++) { - result = DEBUG_IS_SET(levels[i]); -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result); -- fail_unless(result > 0, msg); -- talloc_free(msg); -+ fail_unless(result > 0, -+ "Test of level %#.4x failed - result is 0x%.4x", -+ levels[i], result); - } - } - END_TEST -@@ -666,10 +635,9 @@ START_TEST(test_debug_is_set_false) - debug_level = all_set & ~levels[i]; - - result = DEBUG_IS_SET(levels[i]); -- char *msg = NULL; -- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result); -- fail_unless(result == 0, msg); -- talloc_free(msg); -+ fail_unless(result == 0, -+ "Test of level %#.4x failed - result is 0x%.4x", -+ levels[i], result); - } - } - END_TEST --- -2.28.0.rc2 - diff --git a/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch b/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch new file mode 100644 index 0000000..e686442 --- /dev/null +++ b/0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch @@ -0,0 +1,51 @@ +From a0e3759b733a5b5db82bea2ef35e1519ea8a9b1c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 16 Oct 2020 15:33:42 +0200 +Subject: [PATCH 02/19] kcm: avoid name confusion in GET_CRED_UUID_LIST + handlers + +The function name did not follow best practices and it got easily confused +with `kcm_op_get_cred_by_uuid_getbyname_done`. + +``` +kcm_op_get_cred_uuid_getbyname_done +kcm_op_get_cred_by_uuid_getbyname_done +``` +--- + src/responder/kcm/kcmsrv_ops.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 1e8e4d6a3b4feba5bac3eb0a5fa6a22a588ba985..7fc3b0a5c4e123a398ef103f3ce92b45bc68f5cf 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -1072,7 +1072,7 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq) + } + + /* (name) -> (uuid, ...) */ +-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq); ++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq); + + static struct tevent_req * + kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx, +@@ -1106,7 +1106,7 @@ kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx, + ret = ENOMEM; + goto immediate; + } +- tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_getbyname_done, req); ++ tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_list_getbyname_done, req); + return req; + + immediate: +@@ -1115,7 +1115,7 @@ immediate: + return req; + } + +-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq) ++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + { + errno_t ret; + struct kcm_ccache *cc; +-- +2.25.4 + diff --git a/0003-kcm-disable-encryption.patch b/0003-kcm-disable-encryption.patch new file mode 100644 index 0000000..882a018 --- /dev/null +++ b/0003-kcm-disable-encryption.patch @@ -0,0 +1,509 @@ +From 426947971cd94cc93dd120ca8ad9bcbeb47059c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 19 Oct 2020 12:59:48 +0200 +Subject: [PATCH 03/19] kcm: disable encryption + +Encryption was a huge bottleneck for the secdb backend. This is +backwards compatible and there is no need to destroy existing +ccache. It will be stored unencrypted at first write to the cache. + +Note that the encryption did not provide any security as the cache +is accessible only by root and the master key is stored together +with the cache. So once someone gains access to the file it can +be easily decrypted. Additionaly, there was also no encryption at +the memory level. + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 94 ++++----------- + src/responder/secrets/local.c | 2 +- + src/util/secrets/secrets.c | 149 +++++++++++++++++------- + src/util/secrets/secrets.h | 13 ++- + 4 files changed, 146 insertions(+), 112 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index ed1c8247febc0a49dfd35b99a788b60ce8dda109..e6f4f9b05d17956f771ed4db63dc4940be0a838b 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -35,15 +35,13 @@ + #define KCM_SECDB_CCACHE_FMT KCM_SECDB_BASE_FMT"ccache/" + #define KCM_SECDB_DFL_FMT KCM_SECDB_BASE_FMT"default" + +-static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf **_buf) ++static errno_t sec_get(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf **_buf) + { + errno_t ret; + TALLOC_CTX *tmp_ctx; +- char *b64_sec; +- uint8_t *data; +- size_t data_size; ++ char *secret; + struct sss_iobuf *buf; + + tmp_ctx = talloc_new(mem_ctx); +@@ -51,21 +49,15 @@ static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &b64_sec); ++ ret = sss_sec_get(tmp_ctx, req, &secret); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- data = sss_base64_decode(tmp_ctx, b64_sec, &data_size); +- if (data == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); +- ret = EIO; +- goto done; +- } +- +- buf = sss_iobuf_init_readonly(tmp_ctx, data, data_size); ++ buf = sss_iobuf_init_readonly(tmp_ctx, (const uint8_t *)secret, ++ strlen(secret) + 1); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); + ret = EIO; +@@ -79,73 +71,35 @@ done: + return ret; + } + +-static errno_t sec_put_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_put(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; + +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } +- +- ret = sss_sec_put(req, secret); ++ ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), ++ SSS_SEC_PLAINTEXT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +-static errno_t sec_update_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_update(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; + +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } +- +- ret = sss_sec_update(req, secret); ++ ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), ++ SSS_SEC_PLAINTEXT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +@@ -493,7 +447,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_get_b64(tmp_ctx, sreq, &ccbuf); ++ ret = sec_get(tmp_ctx, sreq, &ccbuf); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -748,9 +702,9 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + + ret = sss_sec_get(state, sreq, &cur_default); + if (ret == ENOENT) { +- ret = sec_put_b64(state, sreq, iobuf); ++ ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +- ret = sec_update_b64(state, sreq, iobuf); ++ ret = sec_update(state, sreq, iobuf); + } + + if (ret != EOK) { +@@ -804,7 +758,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_get_b64(state, sreq, &dfl_iobuf); ++ ret = sec_get(state, sreq, &dfl_iobuf); + if (ret == ENOENT) { + uuid_clear(state->uuid); + ret = EOK; +@@ -1230,7 +1184,7 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_put_b64(state, ccache_req, ccache_payload); ++ ret = sec_put(state, ccache_req, ccache_payload); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + goto immediate; +@@ -1308,7 +1262,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +@@ -1384,7 +1338,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index eb37c08b7337c6713c2e74a55363f79ecfefd8c0..815e7507ba6b3e210891c26dd243a2a67d8920f0 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -168,7 +168,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret); ++ ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY); + if (ret) goto done; + break; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index d701face07aa3ea5dc62371066ba6947d7d496a9..b3d40fdcb4bc2aeeb6aae4e17654ae06b00db876 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -63,19 +63,53 @@ static struct sss_sec_quota default_kcm_quota = { + .containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + }; + ++static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) ++{ ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ return "plaintext"; ++ case SSS_SEC_MASTERKEY: ++ return "masterkey"; ++ case SSS_SEC_BASE64: ++ return "base64"; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", ++ enctype); ++ return "unknown"; ++ } ++} ++ ++static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) ++{ ++ if (strcmp("plaintext", str) == 0) { ++ return SSS_SEC_PLAINTEXT; ++ } ++ ++ if (strcmp("masterkey", str) == 0) { ++ return SSS_SEC_MASTERKEY; ++ } ++ ++ if (strcmp("base64", str) == 0) { ++ return SSS_SEC_BASE64; ++ } ++ ++ return SSS_SEC_ENCTYPE_SENTINEL; ++} ++ + static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, ++ const char *secret, enum sss_sec_enctype enctype, + char **plain_secret) + { ++ struct sss_sec_data _secret; ++ size_t outlen; + char *output; ++ int ret; + +- if (enctype && strcmp(enctype, "masterkey") == 0) { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); +- +- struct sss_sec_data _secret; +- size_t outlen; +- int ret; +- ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_strdup(mem_ctx, secret); ++ break; ++ case SSS_SEC_MASTERKEY: + _secret.data = (char *)sss_base64_decode(mem_ctx, secret, + &_secret.length); + if (!_secret.data) { +@@ -83,6 +117,7 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + return EINVAL; + } + ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, + (uint8_t *)sctx->master_key.data, + sctx->master_key.length, +@@ -102,10 +137,17 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + talloc_free(output); + return EIO; + } +- } else { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Unexpected enctype (not 'masterkey')\n"); +- output = talloc_strdup(mem_ctx, secret); +- if (!output) return ENOMEM; ++ break; ++ case SSS_SEC_BASE64: ++ output = (char *)sss_base64_decode(mem_ctx, secret, &_secret.length); ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); ++ return EINVAL; ++ } ++ ++ if (output == NULL) { ++ return ENOMEM; + } + + *plain_secret = output; +@@ -113,39 +155,46 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + } + + static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, ++ const char *secret, enum sss_sec_enctype enctype, + char **ciphertext) + { + struct sss_sec_data _secret; + char *output; + int ret; + +- if (enctype == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); +- return EINVAL; +- } ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_strdup(mem_ctx, secret); ++ break; ++ case SSS_SEC_MASTERKEY: ++ ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, ++ (uint8_t *)sec_ctx->master_key.data, ++ sec_ctx->master_key.length, ++ (const uint8_t *)secret, strlen(secret) + 1, ++ (uint8_t **)&_secret.data, &_secret.length); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); ++ return ret; ++ } + +- if (strcmp(enctype, "masterkey") != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype); ++ output = sss_base64_encode(mem_ctx, (uint8_t *)_secret.data, ++ _secret.length); ++ talloc_free(_secret.data); ++ break; ++ case SSS_SEC_BASE64: ++ output = (char *)sss_base64_encode(mem_ctx, (const uint8_t *)secret, ++ strlen(secret) + 1); ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; + } + +- ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sec_ctx->master_key.data, +- sec_ctx->master_key.length, +- (const uint8_t *)secret, strlen(secret) + 1, +- (uint8_t **)&_secret.data, &_secret.length); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +- return ret; ++ if (output == NULL) { ++ return ENOMEM; + } + +- output = sss_base64_encode(mem_ctx, +- (uint8_t *)_secret.data, _secret.length); +- talloc_free(_secret.data); +- if (!output) return ENOMEM; +- + *ciphertext = output; + return EOK; + } +@@ -958,6 +1007,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct ldb_result *res; + const char *attr_secret; + const char *attr_enctype; ++ enum sss_sec_enctype enctype; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1006,10 +1056,15 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); + + if (attr_enctype) { +- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, attr_enctype, _secret); ++ enctype = sss_sec_str_to_enctype(attr_enctype); ++ ret = local_decrypt(req->sctx, mem_ctx, attr_secret, enctype, _secret); + if (ret) goto done; + } else { + *_secret = talloc_strdup(mem_ctx, attr_secret); ++ if (*_secret == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } + } + ret = EOK; + +@@ -1019,10 +1074,10 @@ done: + } + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret) ++ const char *secret, ++ enum sss_sec_enctype enctype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; + char *enc_secret; + int ret; + +@@ -1087,7 +1142,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", enctype); ++ ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1132,10 +1187,10 @@ done: + } + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret) ++ const char *secret, ++ enum sss_sec_enctype enctype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; + char *enc_secret; + int ret; + +@@ -1192,6 +1247,22 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ ret = ldb_msg_add_empty(msg, "enctype", LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding enctype [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index 9cf3975162c40a27ec92691f732a5aca5a5a8473..73f40f7eb620904cec8f1cb7891765323ada08ad 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -43,6 +43,13 @@ + #define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64 + #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536 + ++enum sss_sec_enctype { ++ SSS_SEC_PLAINTEXT, ++ SSS_SEC_MASTERKEY, ++ SSS_SEC_BASE64, ++ SSS_SEC_ENCTYPE_SENTINEL ++}; ++ + struct sss_sec_ctx; + + struct sss_sec_req; +@@ -91,10 +98,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + char **_secret); + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret); ++ const char *secret, ++ enum sss_sec_enctype enctype); + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret); ++ const char *secret, ++ enum sss_sec_enctype enctype); + + errno_t sss_sec_create_container(struct sss_sec_req *req); + +-- +2.25.4 + diff --git a/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch b/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch new file mode 100644 index 0000000..b1d810c --- /dev/null +++ b/0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch @@ -0,0 +1,26 @@ +From b8dd3fa32cef423217859a1ef04ec30dfef30fb2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:45:22 +0100 +Subject: [PATCH 04/19] kcm: avoid multiple debug messages if sss_sec_put fails + +sec_put() already logs a message if the underlaying function fails +so this debug message is really unnecessary. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index e6f4f9b05d17956f771ed4db63dc4940be0a838b..f3b9af840381881e99bbead70ea7edabf945a8e2 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -1186,7 +1186,6 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx, + + ret = sec_put(state, ccache_req, ccache_payload); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + goto immediate; + } + +-- +2.25.4 + diff --git a/0005-secrets-allow-to-specify-secret-s-data-format.patch b/0005-secrets-allow-to-specify-secret-s-data-format.patch new file mode 100644 index 0000000..9de5bf0 --- /dev/null +++ b/0005-secrets-allow-to-specify-secret-s-data-format.patch @@ -0,0 +1,225 @@ +From e05dfeca855986cd11674a64ef6333c2d67e9bc7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 11:18:12 +0200 +Subject: [PATCH 05/19] secrets: allow to specify secret's data format + +Currently, both KCM and secrets responders store JSON formatted string +in the secrets database. One of the next commits makes KCM to store +binary format instead of JSON string to improve performance. We need +to be able to distinguish the formats to keep KCM update compatible +with existing ccache and also to keep secrets responder working. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 8 ++-- + src/responder/secrets/local.c | 4 +- + src/util/secrets/secrets.c | 57 ++++++++++++++++++++----- + src/util/secrets/secrets.h | 9 ++-- + 4 files changed, 59 insertions(+), 19 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f3b9af840381881e99bbead70ea7edabf945a8e2..8e5bd4f7376173fd075c1a64785a597bcf2f97ba 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -49,7 +49,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &secret); ++ ret = sss_sec_get(tmp_ctx, req, &secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -78,7 +78,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), +- SSS_SEC_PLAINTEXT); ++ SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -94,7 +94,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), +- SSS_SEC_PLAINTEXT); ++ SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -700,7 +700,7 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sss_sec_get(state, sreq, &cur_default); ++ ret = sss_sec_get(state, sreq, &cur_default, NULL); + if (ret == ENOENT) { + ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index 815e7507ba6b3e210891c26dd243a2a67d8920f0..fee52674d73f6f8071b4d66ac91bed3b210c8e23 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + break; + } + +- ret = sss_sec_get(state, ssec_req, &secret); ++ ret = sss_sec_get(state, ssec_req, &secret, NULL); + if (ret) goto done; + + if (body_is_json) { +@@ -168,7 +168,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY); ++ ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY, "simple"); + if (ret) goto done; + break; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index b3d40fdcb4bc2aeeb6aae4e17654ae06b00db876..51fc85fb09934c25290c625fe2a2d8090285117d 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -1000,14 +1000,18 @@ done: + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret) ++ char **_secret, ++ char **_datatype) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", "enctype", NULL }; ++ static const char *attrs[] = { "secret", "enctype", "type", NULL }; + struct ldb_result *res; + const char *attr_secret; + const char *attr_enctype; ++ const char *attr_datatype; + enum sss_sec_enctype enctype; ++ char *datatype; ++ char *secret; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1057,15 +1061,30 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + if (attr_enctype) { + enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, enctype, _secret); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret, enctype, &secret); + if (ret) goto done; + } else { +- *_secret = talloc_strdup(mem_ctx, attr_secret); +- if (*_secret == NULL) { ++ secret = talloc_strdup(tmp_ctx, attr_secret); ++ if (secret == NULL) { + ret = ENOMEM; + goto done; + } + } ++ ++ if (_datatype != NULL) { ++ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", ++ "simple"); ++ datatype = talloc_strdup(tmp_ctx, attr_datatype); ++ if (datatype == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ *_datatype = talloc_steal(mem_ctx, datatype); ++ } ++ ++ *_secret = talloc_steal(mem_ctx, secret); ++ + ret = EOK; + + done: +@@ -1075,7 +1094,8 @@ done: + + errno_t sss_sec_put(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype) ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; + char *enc_secret; +@@ -1134,11 +1154,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", "simple"); ++ ret = ldb_msg_add_string(msg, "type", datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "ldb_msg_add_string failed adding type:simple [%d]: %s\n", +- ret, sss_strerror(ret)); ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); + goto done; + } + +@@ -1188,7 +1208,8 @@ done: + + errno_t sss_sec_update(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype) ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; + char *enc_secret; +@@ -1263,6 +1284,22 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ ret = ldb_msg_add_empty(msg, "type", LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, "type", datatype); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index 73f40f7eb620904cec8f1cb7891765323ada08ad..f73657629f1a0bb614ccd96728852da66cc18791 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -95,15 +95,18 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret); ++ char **_secret, ++ char **_datatype); + + errno_t sss_sec_put(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype); ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_update(struct sss_sec_req *req, + const char *secret, +- enum sss_sec_enctype enctype); ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_create_container(struct sss_sec_req *req); + +-- +2.25.4 + diff --git a/0006-secrets-accept-binary-data-instead-of-string.patch b/0006-secrets-accept-binary-data-instead-of-string.patch new file mode 100644 index 0000000..e92be25 --- /dev/null +++ b/0006-secrets-accept-binary-data-instead-of-string.patch @@ -0,0 +1,450 @@ +From 63cbb2aee2c6277ecd9e38fb32713e0ba3db4bb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 12:18:38 +0200 +Subject: [PATCH 06/19] secrets: accept binary data instead of string + +Currently, both KCM and secrets responders store JSON formatted string +in the secrets database. One of the next commits makes KCM to store +binary format instead of JSON string to improve performance. We need +to be able to distinguish the formats to keep KCM update compatible +with existing ccache and also to keep secrets responder working. + +Secrets responder test had to be ammended to fit into a new maximum +payload which is now reduced by one byte for the secrets responder +to hold the ending zero of a secret string. + +This is a corner case in a long deprecated responder that is not even +built by default and has no known consumers so it is fine to fast fix +the test. +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 8 +- + src/responder/secrets/local.c | 5 +- + src/tests/intg/test_secrets.py | 3 +- + src/util/secrets/sec_pvt.h | 2 +- + src/util/secrets/secrets.c | 130 ++++++++++++++---------- + src/util/secrets/secrets.h | 9 +- + 6 files changed, 91 insertions(+), 66 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 8e5bd4f7376173fd075c1a64785a597bcf2f97ba..f0143e686826e3bf637619efc799e0d2f0715ba4 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -49,7 +49,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &secret, NULL); ++ ret = sss_sec_get(tmp_ctx, req, (uint8_t **)&secret, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -77,7 +77,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + { + errno_t ret; + +- ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf), ++ ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), + SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -93,7 +93,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + { + errno_t ret; + +- ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf), ++ ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), + SSS_SEC_PLAINTEXT, "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -700,7 +700,7 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sss_sec_get(state, sreq, &cur_default, NULL); ++ ret = sss_sec_get(state, sreq, (uint8_t**)&cur_default, NULL, NULL); + if (ret == ENOENT) { + ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index fee52674d73f6f8071b4d66ac91bed3b210c8e23..252ef3a1de7ff28b0e9f37479c658a6c59e830f7 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + break; + } + +- ret = sss_sec_get(state, ssec_req, &secret, NULL); ++ ret = sss_sec_get(state, ssec_req, (uint8_t**)&secret, NULL, NULL); + if (ret) goto done; + + if (body_is_json) { +@@ -168,7 +168,8 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY, "simple"); ++ ret = sss_sec_put(ssec_req, (uint8_t *)secret, strlen(secret) + 1, ++ SSS_SEC_MASTERKEY, "simple"); + if (ret) goto done; + break; + +diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py +index 00933fb346516898448d4285c5c5c9373c48a2a9..18d722c13f36c58423e5caf81881f9ec167faa1e 100644 +--- a/src/tests/intg/test_secrets.py ++++ b/src/tests/intg/test_secrets.py +@@ -438,7 +438,8 @@ def run_quota_test(cli, max_secrets, max_payload_size): + KILOBYTE = 1024 + kb_payload_size = max_payload_size * KILOBYTE + +- sec_value = "x" * kb_payload_size ++ # Adjust payload size to hold terminal zero byte. ++ sec_value = "x" * (kb_payload_size - 1) + + cli.set_secret("foo", sec_value) + +diff --git a/src/util/secrets/sec_pvt.h b/src/util/secrets/sec_pvt.h +index 92e2b8b259fd7b20e974d5bd4dc41d96ea36ecf1..0e77a660e91ff9e18cce68a7994e3dbbf868c7aa 100644 +--- a/src/util/secrets/sec_pvt.h ++++ b/src/util/secrets/sec_pvt.h +@@ -33,7 +33,7 @@ + #define SSS_SEC_KCM_BASEPATH "/kcm/" + + struct sss_sec_data { +- char *data; ++ uint8_t *data; + size_t length; + }; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 51fc85fb09934c25290c625fe2a2d8090285117d..2a7149ae8b1c88623784ffd4f3e7f908be15c662 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -96,22 +96,28 @@ static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) + return SSS_SEC_ENCTYPE_SENTINEL; + } + +-static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, +- const char *secret, enum sss_sec_enctype enctype, +- char **plain_secret) ++static int local_decrypt(struct sss_sec_ctx *sctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) + { + struct sss_sec_data _secret; +- size_t outlen; +- char *output; ++ uint8_t *output; ++ size_t output_len; + int ret; + + switch (enctype) { + case SSS_SEC_PLAINTEXT: +- output = talloc_strdup(mem_ctx, secret); ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; + break; + case SSS_SEC_MASTERKEY: +- _secret.data = (char *)sss_base64_decode(mem_ctx, secret, +- &_secret.length); ++ _secret.data = (uint8_t *)sss_base64_decode(mem_ctx, ++ (const char *)secret, ++ &_secret.length); + if (!_secret.data) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n"); + return EINVAL; +@@ -119,27 +125,20 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + + DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sctx->master_key.data, ++ sctx->master_key.data, + sctx->master_key.length, +- (uint8_t *)_secret.data, _secret.length, +- (uint8_t **)&output, &outlen); ++ _secret.data, _secret.length, ++ &output, &output_len); + talloc_free(_secret.data); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } +- +- if (((strnlen(output, outlen) + 1) != outlen) || +- output[outlen - 1] != '\0') { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Output length mismatch or output not NULL-terminated\n"); +- talloc_free(output); +- return EIO; +- } + break; + case SSS_SEC_BASE64: +- output = (char *)sss_base64_decode(mem_ctx, secret, &_secret.length); ++ output = (uint8_t *)sss_base64_decode(mem_ctx, (const char *)secret, ++ &output_len); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); +@@ -150,41 +149,52 @@ static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- *plain_secret = output; ++ *_output = output; ++ *_output_len = output_len; ++ + return EOK; + } + +-static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, +- const char *secret, enum sss_sec_enctype enctype, +- char **ciphertext) ++static int local_encrypt(struct sss_sec_ctx *sec_ctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) + { + struct sss_sec_data _secret; +- char *output; ++ uint8_t *output; ++ size_t output_len; ++ char *b64; + int ret; + + switch (enctype) { + case SSS_SEC_PLAINTEXT: +- output = talloc_strdup(mem_ctx, secret); ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; + break; + case SSS_SEC_MASTERKEY: + ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sec_ctx->master_key.data, +- sec_ctx->master_key.length, +- (const uint8_t *)secret, strlen(secret) + 1, +- (uint8_t **)&_secret.data, &_secret.length); ++ sec_ctx->master_key.data, ++ sec_ctx->master_key.length, ++ secret, secret_len, ++ &_secret.data, &_secret.length); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + +- output = sss_base64_encode(mem_ctx, (uint8_t *)_secret.data, +- _secret.length); ++ b64 = sss_base64_encode(mem_ctx, _secret.data, _secret.length); ++ output = (uint8_t*)b64; ++ output_len = strlen(b64) + 1; + talloc_free(_secret.data); + break; + case SSS_SEC_BASE64: +- output = (char *)sss_base64_encode(mem_ctx, (const uint8_t *)secret, +- strlen(secret) + 1); ++ b64 = sss_base64_encode(mem_ctx, secret, secret_len); ++ output = (uint8_t*)b64; ++ output_len = strlen(b64) + 1; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); +@@ -195,7 +205,9 @@ static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- *ciphertext = output; ++ *_output = output; ++ *_output_len = output_len; ++ + return EOK; + } + +@@ -1000,18 +1012,20 @@ done: + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret, ++ uint8_t **_secret, ++ size_t *_secret_len, + char **_datatype) + { + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { "secret", "enctype", "type", NULL }; + struct ldb_result *res; +- const char *attr_secret; ++ const struct ldb_val *attr_secret; + const char *attr_enctype; + const char *attr_datatype; + enum sss_sec_enctype enctype; + char *datatype; +- char *secret; ++ uint8_t *secret; ++ size_t secret_len; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -1050,7 +1064,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL); ++ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], "secret"); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; +@@ -1061,14 +1075,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + if (attr_enctype) { + enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, tmp_ctx, attr_secret, enctype, &secret); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, ++ attr_secret->length, enctype, &secret, &secret_len); + if (ret) goto done; + } else { +- secret = talloc_strdup(tmp_ctx, attr_secret); +- if (secret == NULL) { +- ret = ENOMEM; +- goto done; +- } ++ secret = talloc_steal(tmp_ctx, attr_secret->data); ++ secret_len = attr_secret->length; + } + + if (_datatype != NULL) { +@@ -1085,6 +1097,10 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + + *_secret = talloc_steal(mem_ctx, secret); + ++ if (_secret_len) { ++ *_secret_len = secret_len; ++ } ++ + ret = EOK; + + done: +@@ -1093,12 +1109,13 @@ done: + } + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype) + { + struct ldb_message *msg; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1139,7 +1156,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1147,7 +1164,8 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +@@ -1170,7 +1188,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", +@@ -1207,12 +1225,13 @@ done: + } + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype) + { + struct ldb_message *msg; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1253,7 +1272,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1261,7 +1280,8 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +@@ -1309,7 +1329,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index f73657629f1a0bb614ccd96728852da66cc18791..f8caa53eec376bb0c8d52615ce9111efbbb26393 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -95,16 +95,19 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret, ++ uint8_t **_secret, ++ size_t *_secret_len, + char **_datatype); + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype); + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret, ++ uint8_t *secret, ++ size_t secret_len, + enum sss_sec_enctype enctype, + const char *datatype); + +-- +2.25.4 + diff --git a/0007-iobuf-add-more-iobuf-functions.patch b/0007-iobuf-add-more-iobuf-functions.patch new file mode 100644 index 0000000..6566cc8 --- /dev/null +++ b/0007-iobuf-add-more-iobuf-functions.patch @@ -0,0 +1,265 @@ +From 51c8dda998c5b7bfa08362a13915fcff265a6f8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Oct 2020 13:10:13 +0200 +Subject: [PATCH 07/19] iobuf: add more iobuf functions + +These will be used in later patches. +--- + src/shared/safealign.h | 4 ++ + src/util/sss_iobuf.c | 141 +++++++++++++++++++++++++++++++++++++++++ + src/util/sss_iobuf.h | 46 ++++++++++++++ + 3 files changed, 191 insertions(+) + +diff --git a/src/shared/safealign.h b/src/shared/safealign.h +index b00c37f5b98bd4bf7ff6cea8e1208d80c77f0228..35909faa25967cefd296808431620f51232f67e2 100644 +--- a/src/shared/safealign.h ++++ b/src/shared/safealign.h +@@ -97,6 +97,10 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) + #define SAFEALIGN_SETMEM_UINT16(dest, value, pctr) \ + SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr) + ++/* SAFEALIGN_SETMEM_UINT8(void *dest, uint8_t value, size_t *pctr) */ ++#define SAFEALIGN_SETMEM_UINT8(dest, value, pctr) \ ++ SAFEALIGN_SETMEM_VALUE(dest, value, uint8_t, pctr) ++ + /* These macros are the same as their equivalents without _CHECK suffix, + * but additionally make the caller return EINVAL immediately if *pctr + * would exceed len. */ +diff --git a/src/util/sss_iobuf.c b/src/util/sss_iobuf.c +index 518713e4cc3dd99627a3a4450f235cbbc69ed3a2..3056a7b0db38746cfed154179787e53622e1a041 100644 +--- a/src/util/sss_iobuf.c ++++ b/src/util/sss_iobuf.c +@@ -66,6 +66,30 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + return iobuf; + } + ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ uint8_t *data, ++ size_t size) ++{ ++ struct sss_iobuf *iobuf; ++ ++ iobuf = talloc_zero(mem_ctx, struct sss_iobuf); ++ if (iobuf == NULL) { ++ return NULL; ++ } ++ ++ iobuf->data = talloc_steal(iobuf, data); ++ iobuf->size = size; ++ iobuf->capacity = size; ++ iobuf->dp = 0; ++ ++ return iobuf; ++} ++ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf) ++{ ++ iobuf->dp = 0; ++} ++ + size_t sss_iobuf_get_len(struct sss_iobuf *iobuf) + { + if (iobuf == NULL) { +@@ -223,6 +247,109 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len) ++{ ++ uint8_t *out; ++ uint32_t len; ++ size_t slen; ++ errno_t ret; ++ ++ if (iobuf == NULL || _out == NULL || _len == NULL) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_read_uint32(iobuf, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ *_out = NULL; ++ *_len = 0; ++ return EOK; ++ } ++ ++ out = talloc_array(mem_ctx, uint8_t, len); ++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ slen = len; ++ ret = sss_iobuf_read_len(iobuf, slen, out); ++ if (ret != EOK) { ++ talloc_free(out); ++ return ret; ++ } ++ ++ *_out = out; ++ *_len = slen; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len) ++{ ++ errno_t ret; ++ ++ if (iobuf == NULL || (data == NULL && len != 0)) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_write_uint32(iobuf, len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ return EOK; ++ } ++ ++ return sss_iobuf_write_len(iobuf, data, len); ++} ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out) ++{ ++ struct sss_iobuf *out; ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(NULL, iobuf, &data, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ out = sss_iobuf_init_steal(mem_ctx, data, len); ++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ *_out = out; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data) ++{ ++ return sss_iobuf_write_varlen(iobuf, data->data, data->size); ++} ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val) ++{ ++ SAFEALIGN_COPY_UINT8_CHECK(_val, iobuf_ptr(iobuf), ++ iobuf->capacity, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val) + { +@@ -239,6 +366,20 @@ errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val) ++{ ++ errno_t ret; ++ ++ ret = ensure_bytes(iobuf, sizeof(uint8_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ SAFEALIGN_SETMEM_UINT8(iobuf_ptr(iobuf), val, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf, + uint32_t val) + { +diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h +index cc3dfd1e98eeb49b979ac321bd0253bffa8a6dff..159fbc0b9ff756ca996722a84a1a13635d1aa8de 100644 +--- a/src/util/sss_iobuf.h ++++ b/src/util/sss_iobuf.h +@@ -50,6 +50,29 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + const uint8_t *data, + size_t size); + ++/* ++ * @brief Allocate an IO buffer with a fixed size, stealing input data. ++ * ++ * This function is useful for parsing an input buffer from an existing ++ * buffer pointed to by data. ++ * ++ * The iobuf assumes ownership of the data buffer. ++ * ++ * @param[in] mem_ctx The talloc context that owns the iobuf ++ * @param[in] data The data to initialize the IO buffer with. ++ * @param[in] size The size of the data buffer ++ * ++ * @return The newly created buffer on success or NULL on an error. ++ */ ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ uint8_t *data, ++ size_t size); ++ ++/* ++ * @brief Reset internal cursor of the IO buffer (seek to the start) ++ */ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf); ++ + /* + * @brief Returns the number of bytes currently stored in the iobuf + * +@@ -131,6 +154,28 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + uint8_t *buf, + size_t len); + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len); ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len); ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out); ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data); ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val); ++ ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val); ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val); + +@@ -148,4 +193,5 @@ errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf, + + errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf, + const char *str); ++ + #endif /* __SSS_IOBUF_H_ */ +-- +2.25.4 + diff --git a/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch b/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch new file mode 100644 index 0000000..dbaa796 --- /dev/null +++ b/0008-kcm-add-json-suffix-to-existing-searialization-funct.patch @@ -0,0 +1,292 @@ +From 27968f52eb57391ae64df57d29cf9911fc59d161 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 22 Oct 2020 13:34:52 +0200 +Subject: [PATCH 08/19] kcm: add json suffix to existing searialization + functions + +--- + Makefile.am | 10 ++--- + src/responder/kcm/kcmsrv_ccache.h | 18 ++++----- + src/responder/kcm/kcmsrv_ccache_json.c | 18 ++++----- + src/responder/kcm/kcmsrv_ccache_secdb.c | 14 +++---- + src/responder/kcm/kcmsrv_ccache_secrets.c | 9 ++--- + ...n_marshalling.c => test_kcm_marshalling.c} | 39 ++++++------------- + 6 files changed, 44 insertions(+), 64 deletions(-) + rename src/tests/cmocka/{test_kcm_json_marshalling.c => test_kcm_marshalling.c} (90%) + +diff --git a/Makefile.am b/Makefile.am +index 97aa1ec661268aaa7a3f09b5022c5677df19d9da..8ca46bf2f9add08155bfb824444437532c97909c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -311,7 +311,7 @@ endif # HAVE_INOTIFY + + if BUILD_KCM + non_interactive_cmocka_based_tests += \ +- test_kcm_json \ ++ test_kcm_marshalling \ + test_kcm_queue \ + $(NULL) + endif # BUILD_KCM +@@ -3927,18 +3927,18 @@ test_sssd_krb5_locator_plugin_LDADD = \ + $(NULL) + + if BUILD_KCM +-test_kcm_json_SOURCES = \ +- src/tests/cmocka/test_kcm_json_marshalling.c \ ++test_kcm_marshalling_SOURCES = \ ++ src/tests/cmocka/test_kcm_marshalling.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + $(NULL) +-test_kcm_json_CFLAGS = \ ++test_kcm_marshalling_CFLAGS = \ + $(AM_CFLAGS) \ + $(UUID_CFLAGS) \ + $(NULL) +-test_kcm_json_LDADD = \ ++test_kcm_marshalling_LDADD = \ + $(JANSSON_LIBS) \ + $(UUID_LIBS) \ + $(KRB5_LIBS) \ +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index d629923fa140bd30d8a59f56443dea7ce101c33e..5aaded0524d0765dea6bfb962a83cf625f0e85f4 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -333,16 +333,16 @@ const char *sec_key_create(TALLOC_CTX *mem_ctx, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc); ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc); + + /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, +- struct cli_creds *client, +- struct sss_iobuf **_payload); ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct cli_creds *client, ++ struct sss_iobuf **_payload); + + #endif /* _KCMSRV_CCACHE_H_ */ +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 38ec53c408c3b9d44f37d102c4a0c976ef32bdfe..8101f5ddc148bfff83cc02cf9b19a3566209e781 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -460,10 +460,10 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx, + return EOK; + } + +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, +- struct cli_creds *client, +- struct sss_iobuf **_payload) ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct cli_creds *client, ++ struct sss_iobuf **_payload) + { + errno_t ret; + const char *value; +@@ -897,11 +897,11 @@ static errno_t sec_json_value_to_ccache(struct kcm_ccache *cc, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc) ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) + { + errno_t ret; + json_t *root = NULL; +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f0143e686826e3bf637619efc799e0d2f0715ba4..f5cfe47a7c6deac17031788105ac4235a6aaa9ff 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -160,7 +160,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -454,11 +454,9 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_kv_to_ccache(tmp_ctx, +- secdb_key, +- (const char *) sss_iobuf_get_data(ccbuf), +- client, +- &cc); ++ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, ++ (const char *)sss_iobuf_get_data(ccbuf), ++ client, &cc); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +@@ -1251,7 +1249,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1327,7 +1325,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c +index 440ab3bb99dd983ba0343f371c0c6470bbd53afc..9d1fe8cad2dc6ed3ab43e181d0db52673d4759cc 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secrets.c ++++ b/src/responder/kcm/kcmsrv_ccache_secrets.c +@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); + if (ret != EOK) { + goto done; + } +@@ -489,11 +489,8 @@ static void sec_get_done(struct tevent_req *subreq) + return; + } + +- ret = sec_kv_to_ccache(state, +- state->sec_key, +- sec_value, +- state->client, +- &state->cc); ++ ret = sec_kv_to_ccache_json(state, state->sec_key, sec_value, state->client, ++ &state->cc); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c +similarity index 90% +rename from src/tests/cmocka/test_kcm_json_marshalling.c +rename to src/tests/cmocka/test_kcm_marshalling.c +index 48ee92bd675780b023b5c8275e5713b91388d06a..f82129974787bba6883662a732311f3370bcc4f1 100644 +--- a/src/tests/cmocka/test_kcm_json_marshalling.c ++++ b/src/tests/cmocka/test_kcm_marshalling.c +@@ -154,7 +154,7 @@ static void assert_cc_equal(struct kcm_ccache *cc1, + assert_cc_offset_equal(cc1, cc2); + } + +-static void test_kcm_ccache_marshall_unmarshall(void **state) ++static void test_kcm_ccache_marshall_unmarshall_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -182,10 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + &cc); + assert_int_equal(ret, EOK); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -196,25 +193,19 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); + + /* This key is exactly one byte shorter than it should be */ +- ret = sec_kv_to_ccache(test_ctx, +- TEST_UUID_STR"-", +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, TEST_UUID_STR "-", (const char *)data, ++ &owner, &cc2); + assert_int_equal(ret, EINVAL); + } + +-static void test_kcm_ccache_no_princ(void **state) ++static void test_kcm_ccache_no_princ_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -246,10 +237,7 @@ static void test_kcm_ccache_no_princ(void **state) + princ = kcm_cc_get_client_principal(cc); + assert_null(princ); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -260,11 +248,8 @@ static void test_kcm_ccache_no_princ(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); +@@ -340,10 +325,10 @@ int main(int argc, const char *argv[]) + }; + + const struct CMUnitTest tests[] = { +- cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall, ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), +- cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ, ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), + cmocka_unit_test(test_sec_key_get_uuid), +-- +2.25.4 + diff --git a/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch b/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch new file mode 100644 index 0000000..fe14533 --- /dev/null +++ b/0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch @@ -0,0 +1,404 @@ +From 23273319b546d034d31ffe3824b954659d20d104 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:18:11 +0100 +Subject: [PATCH 09/19] kcm: move sec key parser to separate file so it can be + shared + +--- + Makefile.am | 2 + + src/responder/kcm/kcmsrv_ccache.c | 20 ++++ + src/responder/kcm/kcmsrv_ccache.h | 10 ++ + src/responder/kcm/kcmsrv_ccache_json.c | 130 +--------------------- + src/responder/kcm/kcmsrv_ccache_key.c | 145 +++++++++++++++++++++++++ + 5 files changed, 179 insertions(+), 128 deletions(-) + create mode 100644 src/responder/kcm/kcmsrv_ccache_key.c + +diff --git a/Makefile.am b/Makefile.am +index 8ca46bf2f9add08155bfb824444437532c97909c..ae9bc540a86f2e291dd5b5f66e1ce4f0aacbaf61 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1819,6 +1819,7 @@ sssd_kcm_SOURCES = \ + src/responder/kcm/kcmsrv_ccache.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache_secdb.c \ + src/responder/kcm/kcmsrv_ops.c \ + src/responder/kcm/kcmsrv_op_queue.c \ +@@ -3930,6 +3931,7 @@ if BUILD_KCM + test_kcm_marshalling_SOURCES = \ + src/tests/cmocka/test_kcm_marshalling.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 66e2752ba755af3ef1c6c1b21036021a608a94c1..59f8a7293fa7422c199ca2916c8e6ae6039d9312 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -213,6 +213,26 @@ errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + return EOK; + } + ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client) ++{ ++ errno_t ret; ++ ++ ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ /* We rely on sssd-secrets only searching the user's subtree so we ++ * set the ownership to the client ++ */ ++ cc->owner.uid = cli_creds_get_uid(client); ++ cc->owner.gid = cli_creds_get_gid(client); ++ ++ return EOK; ++} ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid) + { + if (crd == NULL) { +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index 5aaded0524d0765dea6bfb962a83cf625f0e85f4..892067f3170b19c0e55ceaa75b0c01f772c49d3d 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -100,6 +100,11 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd); + ++/* Set cc header information from sec key and client */ ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client); ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid); + + /* +@@ -320,6 +325,11 @@ bool sec_key_match_name(const char *sec_key, + bool sec_key_match_uuid(const char *sec_key, + uuid_t uuid); + ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid); ++ + const char *sec_key_get_name(const char *sec_key); + + errno_t sec_key_get_uuid(const char *sec_key, +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 8101f5ddc148bfff83cc02cf9b19a3566209e781..7f73b56bf6c27417271876a989695ff917c3886e 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -37,12 +37,6 @@ + */ + #define KS_JSON_VERSION 1 + +-/* +- * The secrets store is a key-value store at heart. We store the UUID +- * and the name in the key to allow easy lookups be either key +- */ +-#define SEC_KEY_SEPARATOR '-' +- + /* Compat definition of json_array_foreach for older systems */ + #ifndef json_array_foreach + #define json_array_foreach(array, idx, value) \ +@@ -51,119 +45,6 @@ + idx++) + #endif + +-const char *sec_key_create(TALLOC_CTX *mem_ctx, +- const char *name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- uuid_unparse(uuid, uuid_str); +- return talloc_asprintf(mem_ctx, +- "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); +-} +- +-static bool sec_key_valid(const char *sec_key) +-{ +- if (sec_key == NULL) { +- return false; +- } +- +- if (strlen(sec_key) < UUID_STR_SIZE + 1) { +- /* One char for separator (at UUID_STR_SIZE, because strlen doesn't +- * include the '\0', but UUID_STR_SIZE does) and at least one for +- * the name */ +- DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +- return false; +- } +- +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return false; +- } +- +- return true; +-} +- +-static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char **_name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return EINVAL; +- } +- uuid_str[UUID_STR_SIZE-1] = '\0'; +- +- *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); +- if (*_name == NULL) { +- return ENOMEM; +- } +- uuid_parse(uuid_str, uuid); +- +- return EOK; +-} +- +-errno_t sec_key_get_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); +- uuid_str[UUID_STR_SIZE-1] = '\0'; +- uuid_parse(uuid_str, uuid); +- return EOK; +-} +- +-const char *sec_key_get_name(const char *sec_key) +-{ +- if (!sec_key_valid(sec_key)) { +- return NULL; +- } +- +- return sec_key + UUID_STR_SIZE; +-} +- +-bool sec_key_match_name(const char *sec_key, +- const char *name) +-{ +- if (!sec_key_valid(sec_key) || name == NULL) { +- return false; +- } +- +- return strcmp(sec_key + UUID_STR_SIZE, name) == 0; +-} +- +-bool sec_key_match_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- errno_t ret; +- uuid_t key_uuid; +- +- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but +- * since libuuid is opaque for cppcheck it generates false positive here +- */ +- /* cppcheck-suppress uninitvar */ +- ret = sec_key_get_uuid(sec_key, key_uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); +- return false; +- } +- +- return uuid_compare(key_uuid, uuid) == 0; +-} +- + /* + * Creates an array of principal elements that will be used later + * in the form of: +@@ -928,16 +809,9 @@ errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* We rely on sssd-secrets only searching the user's subtree so we +- * set the ownership to the client +- */ +- cc->owner.uid = cli_creds_get_uid(client); +- cc->owner.gid = cli_creds_get_gid(client); +- +- ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ ret = kcm_cc_set_header(cc, sec_key, client); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannt parse secret key [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +new file mode 100644 +index 0000000000000000000000000000000000000000..ba64f2128c0bba62434b4f84d81514e6b52bc2b6 +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -0,0 +1,145 @@ ++/* ++ SSSD ++ ++ Copyright (C) Red Hat, 2020 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++/* ++ * The secrets store is a key-value store at heart. We store the UUID ++ * and the name in the key to allow easy lookups by either part. ++ */ ++#define SEC_KEY_SEPARATOR '-' ++ ++const char *sec_key_create(TALLOC_CTX *mem_ctx, ++ const char *name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ uuid_unparse(uuid, uuid_str); ++ return talloc_asprintf(mem_ctx, ++ "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); ++} ++ ++static bool sec_key_valid(const char *sec_key) ++{ ++ if (sec_key == NULL) { ++ return false; ++ } ++ ++ if (strlen(sec_key) < UUID_STR_SIZE + 1) { ++ /* One char for separator (at UUID_STR_SIZE, because strlen doesn't ++ * include the '\0', but UUID_STR_SIZE does) and at least one for ++ * the name */ ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); ++ return false; ++ } ++ ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return EINVAL; ++ } ++ uuid_str[UUID_STR_SIZE-1] = '\0'; ++ ++ *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); ++ if (*_name == NULL) { ++ return ENOMEM; ++ } ++ uuid_parse(uuid_str, uuid); ++ ++ return EOK; ++} ++ ++errno_t sec_key_get_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); ++ uuid_str[UUID_STR_SIZE-1] = '\0'; ++ uuid_parse(uuid_str, uuid); ++ return EOK; ++} ++ ++const char *sec_key_get_name(const char *sec_key) ++{ ++ if (!sec_key_valid(sec_key)) { ++ return NULL; ++ } ++ ++ return sec_key + UUID_STR_SIZE; ++} ++ ++bool sec_key_match_name(const char *sec_key, ++ const char *name) ++{ ++ if (!sec_key_valid(sec_key) || name == NULL) { ++ return false; ++ } ++ ++ return strcmp(sec_key + UUID_STR_SIZE, name) == 0; ++} ++ ++bool sec_key_match_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ errno_t ret; ++ uuid_t key_uuid; ++ ++ /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but ++ * since libuuid is opaque for cppcheck it generates false positive here ++ */ ++ /* cppcheck-suppress uninitvar */ ++ ret = sec_key_get_uuid(sec_key, key_uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); ++ return false; ++ } ++ ++ return uuid_compare(key_uuid, uuid) == 0; ++} +-- +2.25.4 + diff --git a/0010-kcm-avoid-suppression-of-cppcheck-warning.patch b/0010-kcm-avoid-suppression-of-cppcheck-warning.patch new file mode 100644 index 0000000..47eda0f --- /dev/null +++ b/0010-kcm-avoid-suppression-of-cppcheck-warning.patch @@ -0,0 +1,30 @@ +From efd57d2a6001b7015095f7ff5bbd0c55764e22ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:37:05 +0100 +Subject: [PATCH 10/19] kcm: avoid suppression of cppcheck warning + +--- + src/responder/kcm/kcmsrv_ccache_key.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +index ba64f2128c0bba62434b4f84d81514e6b52bc2b6..4a24c38d45918632201740bfc82579a2449aa8f7 100644 +--- a/src/responder/kcm/kcmsrv_ccache_key.c ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -131,10 +131,9 @@ bool sec_key_match_uuid(const char *sec_key, + errno_t ret; + uuid_t key_uuid; + +- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but +- * since libuuid is opaque for cppcheck it generates false positive here +- */ +- /* cppcheck-suppress uninitvar */ ++ /* Clear uuid value to avoid cppcheck warning. */ ++ uuid_clear(key_uuid); ++ + ret = sec_key_get_uuid(sec_key, key_uuid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); +-- +2.25.4 + diff --git a/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch b/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch new file mode 100644 index 0000000..78a9458 --- /dev/null +++ b/0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch @@ -0,0 +1,42 @@ +From d51819e51fca80675b9915863e72d835c9e0a0fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 17:09:43 +0100 +Subject: [PATCH 11/19] kcm: add spaces around operators in kcmsrv_ccache_key.c + +--- + src/responder/kcm/kcmsrv_ccache_key.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +index 4a24c38d45918632201740bfc82579a2449aa8f7..59d60453c5d5e28ccda8f98c63125954640d0e8b 100644 +--- a/src/responder/kcm/kcmsrv_ccache_key.c ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -75,12 +75,12 @@ errno_t sec_key_parse(TALLOC_CTX *mem_ctx, + return EINVAL; + } + +- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); ++ strncpy(uuid_str, sec_key, sizeof(uuid_str) - 1); + if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); + return EINVAL; + } +- uuid_str[UUID_STR_SIZE-1] = '\0'; ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; + + *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); + if (*_name == NULL) { +@@ -100,8 +100,8 @@ errno_t sec_key_get_uuid(const char *sec_key, + return EINVAL; + } + +- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); +- uuid_str[UUID_STR_SIZE-1] = '\0'; ++ strncpy(uuid_str, sec_key, UUID_STR_SIZE - 1); ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; + uuid_parse(uuid_str, uuid); + return EOK; + } +-- +2.25.4 + diff --git a/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch b/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch new file mode 100644 index 0000000..a684f0b --- /dev/null +++ b/0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch @@ -0,0 +1,741 @@ +From 94ceb85465dbf052f681bbd6c8ebced4d2d97f92 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 27 Oct 2020 16:21:31 +0100 +Subject: [PATCH 12/19] kcm: use binary format to store ccache instead of json + +JSON is computationally complex and the parser is a bottleneck which +consumes about 10% of time. It also create the ccache unnecessary +large because it requires lots of unneded character and base64 +encoding. + +Binary format is fast, simple and small. + +This is backwards compatible and there is no need to destroy existing +ccache. It will be stored in binary format at first write to the cache. + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + Makefile.am | 2 + + src/responder/kcm/kcmsrv_ccache.h | 16 +- + src/responder/kcm/kcmsrv_ccache_binary.c | 308 ++++++++++++++++++++++ + src/responder/kcm/kcmsrv_ccache_json.c | 1 - + src/responder/kcm/kcmsrv_ccache_secdb.c | 49 ++-- + src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +- + src/tests/cmocka/test_kcm_marshalling.c | 112 +++++++- + src/tests/multihost/basic/test_kcm.py | 12 +- + src/util/secrets/secrets.c | 2 +- + 9 files changed, 476 insertions(+), 28 deletions(-) + create mode 100644 src/responder/kcm/kcmsrv_ccache_binary.c + +diff --git a/Makefile.am b/Makefile.am +index ae9bc540a86f2e291dd5b5f66e1ce4f0aacbaf61..430b4e8424d6bde0c7de919c6aceabf3839e3a23 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1817,6 +1817,7 @@ sssd_kcm_SOURCES = \ + src/responder/kcm/kcm.c \ + src/responder/kcm/kcmsrv_cmd.c \ + src/responder/kcm/kcmsrv_ccache.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache_key.c \ +@@ -3930,6 +3931,7 @@ test_sssd_krb5_locator_plugin_LDADD = \ + if BUILD_KCM + test_kcm_marshalling_SOURCES = \ + src/tests/cmocka/test_kcm_marshalling.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache.c \ +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index 892067f3170b19c0e55ceaa75b0c01f772c49d3d..b0a7acb9fed8a8f89a3d0e2239ab28c7ce80fa23 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -352,7 +352,21 @@ errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, + /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ + errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, +- struct cli_creds *client, + struct sss_iobuf **_payload); + ++/* ++ * sec_key is a concatenation of the ccache's UUID and name ++ * sec_value is the binary representation of ccache. ++ */ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc); ++ ++/* Convert a kcm_ccache to its binary representation. */ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload); ++ + #endif /* _KCMSRV_CCACHE_H_ */ +diff --git a/src/responder/kcm/kcmsrv_ccache_binary.c b/src/responder/kcm/kcmsrv_ccache_binary.c +new file mode 100644 +index 0000000000000000000000000000000000000000..7bfdbf13bfeaa7d45de6352e7b51b781b713b8f2 +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_binary.c +@@ -0,0 +1,308 @@ ++/* ++ Authors: ++ Pavel Březina ++ ++ Copyright (C) 2020 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "util/util_creds.h" ++#include "util/crypto/sss_crypto.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++static errno_t krb_data_to_bin(krb5_data *data, struct sss_iobuf *buf) ++{ ++ return sss_iobuf_write_varlen(buf, (uint8_t *)data->data, data->length); ++} ++ ++static errno_t princ_to_bin(krb5_principal princ, struct sss_iobuf *buf) ++{ ++ errno_t ret; ++ ++ if (princ == NULL) { ++ return sss_iobuf_write_uint8(buf, 0); ++ } ++ ++ /* Mark that principal is not empty. */ ++ ret = sss_iobuf_write_uint8(buf, 1); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = krb_data_to_bin(&princ->realm, buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (krb5_int32 i = 0; i < princ->length; i++) { ++ ret = krb_data_to_bin(&princ->data[i], buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++static errno_t creds_to_bin(struct kcm_cred *creds, struct sss_iobuf *buf) ++{ ++ struct kcm_cred *crd; ++ uint32_t count = 0; ++ errno_t ret; ++ ++ DLIST_FOR_EACH(crd, creds) { ++ count++; ++ } ++ ++ ret = sss_iobuf_write_uint32(buf, count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ DLIST_FOR_EACH(crd, creds) { ++ ret = sss_iobuf_write_len(buf, (uint8_t *)crd->uuid, sizeof(uuid_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_iobuf(buf, crd->cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload) ++{ ++ struct sss_iobuf *buf; ++ errno_t ret; ++ ++ buf = sss_iobuf_init_empty(mem_ctx, sizeof(krb5_principal_data), 0); ++ if (buf == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = princ_to_bin(cc->client, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = creds_to_bin(cc->creds, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_payload = buf; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(buf); ++ } ++ ++ return ret; ++} ++ ++static errno_t bin_to_krb_data(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_data *out) ++{ ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(mem_ctx, buf, &data, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ out->magic = 0; ++ out->data = (char*)data; ++ out->length = len; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_princ(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_principal *_princ) ++{ ++ krb5_principal princ; ++ uint8_t non_empty; ++ krb5_int32 i; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint8(buf, &non_empty); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (non_empty == 0) { ++ *_princ = NULL; ++ return EOK; ++ } ++ ++ princ = talloc_zero(mem_ctx, struct krb5_principal_data); ++ if (princ == NULL) { ++ return ENOMEM; ++ } ++ princ->magic = KV5M_PRINCIPAL; ++ ++ ret = bin_to_krb_data(princ, buf, &princ->realm); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ princ->data = talloc_zero_array(princ, krb5_data, princ->length); ++ if (princ->length > 0 && princ->data == NULL) { ++ return ENOMEM; ++ } ++ ++ for (i = 0; i < princ->length; i++) { ++ ret = bin_to_krb_data(princ, buf, &princ->data[i]); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ *_princ = princ; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_creds(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ struct kcm_cred **_creds) ++{ ++ struct kcm_cred *creds = NULL; ++ struct kcm_cred *crd; ++ struct sss_iobuf *cred_blob; ++ uint32_t count; ++ uuid_t uuid; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint32(buf, &count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (uint32_t i = 0; i < count; i++) { ++ ret = sss_iobuf_read_len(buf, sizeof(uuid_t), (uint8_t*)uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_iobuf(NULL, buf, &cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ crd = kcm_cred_new(mem_ctx, uuid, cred_blob); ++ if (crd == NULL) { ++ talloc_free(cred_blob); ++ return ENOMEM; ++ } ++ ++ DLIST_ADD(creds, crd); ++ } ++ ++ *_creds = creds; ++ ++ return EOK; ++} ++ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) ++{ ++ struct kcm_ccache *cc; ++ errno_t ret; ++ ++ cc = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (cc == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = kcm_cc_set_header(cc, sec_key, client); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = sss_iobuf_read_int32(sec_value, &cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_princ(cc, sec_value, &cc->client); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_creds(cc, sec_value, &cc->creds); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_cc = cc; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(cc); ++ } ++ ++ return ret; ++} +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index 7f73b56bf6c27417271876a989695ff917c3886e..e790cbea36d57d2ba0d4e25fc8fc249a4e653c3c 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -343,7 +343,6 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx, + + errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, +- struct cli_creds *client, + struct sss_iobuf **_payload) + { + errno_t ret; +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index f5cfe47a7c6deac17031788105ac4235a6aaa9ff..726711ac441c40a6bfc84045e9b3e5b85505c7e0 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -37,11 +37,14 @@ + + static errno_t sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- struct sss_iobuf **_buf) ++ struct sss_iobuf **_buf, ++ char **_datatype) + { + errno_t ret; + TALLOC_CTX *tmp_ctx; +- char *secret; ++ char *datatype; ++ uint8_t *data; ++ size_t len; + struct sss_iobuf *buf; + + tmp_ctx = talloc_new(mem_ctx); +@@ -49,23 +52,27 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, (uint8_t **)&secret, NULL, NULL); ++ ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- buf = sss_iobuf_init_readonly(tmp_ctx, (const uint8_t *)secret, +- strlen(secret) + 1); ++ buf = sss_iobuf_init_steal(tmp_ctx, data, len); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); + ret = EIO; + goto done; + } + +- ret = EOK; + *_buf = talloc_steal(mem_ctx, buf); ++ if (_datatype != NULL) { ++ *_datatype = talloc_steal(mem_ctx, datatype); ++ } ++ ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); + return ret; +@@ -78,7 +85,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), +- SSS_SEC_PLAINTEXT, "simple"); ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -94,7 +101,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx, + errno_t ret; + + ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), +- SSS_SEC_PLAINTEXT, "simple"); ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +@@ -160,7 +167,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(mem_ctx, cc, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -434,6 +441,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc = NULL; + struct sss_sec_req *sreq = NULL; + struct sss_iobuf *ccbuf; ++ char *datatype; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { +@@ -447,20 +455,23 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_get(tmp_ctx, sreq, &ccbuf); ++ ret = sec_get(tmp_ctx, sreq, &ccbuf, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret)); + goto done; + } + +- ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, +- (const char *)sss_iobuf_get_data(ccbuf), +- client, &cc); ++ if (strcmp(datatype, "binary") == 0) { ++ ret = sec_kv_to_ccache_binary(tmp_ctx, secdb_key, ccbuf, client, &cc); ++ } else { ++ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, ++ (const char *)sss_iobuf_get_data(ccbuf), ++ client, &cc); ++ } + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert %s data to ccache " ++ "[%d]: %s\n", datatype, ret, sss_strerror(ret)); + goto done; + } + +@@ -756,7 +767,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_get(state, sreq, &dfl_iobuf); ++ ret = sec_get(state, sreq, &dfl_iobuf, NULL); + if (ret == ENOENT) { + uuid_clear(state->uuid); + ret = EOK; +@@ -1249,7 +1260,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1325,7 +1336,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input_json(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c +index 9d1fe8cad2dc6ed3ab43e181d0db52673d4759cc..f3d69842cf8c230800aaf4fc6554495fcf03f57d 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secrets.c ++++ b/src/responder/kcm/kcmsrv_ccache_secrets.c +@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, &payload); + if (ret != EOK) { + goto done; + } +diff --git a/src/tests/cmocka/test_kcm_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c +index f82129974787bba6883662a732311f3370bcc4f1..cebebac804b0a8a109084b35f58d4aab21e28da2 100644 +--- a/src/tests/cmocka/test_kcm_marshalling.c ++++ b/src/tests/cmocka/test_kcm_marshalling.c +@@ -182,7 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall_json(void **state) + &cc); + assert_int_equal(ret, EOK); + +- ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -237,7 +237,7 @@ static void test_kcm_ccache_no_princ_json(void **state) + princ = kcm_cc_get_client_principal(cc); + assert_null(princ); + +- ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &owner, &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -255,6 +255,108 @@ static void test_kcm_ccache_no_princ_json(void **state) + assert_cc_equal(cc, cc2); + } + ++static void test_kcm_ccache_marshall_unmarshall_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ struct kcm_ccache *cc; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *name; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ test_ctx->princ, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++ ++ /* This key is exactly one byte shorter than it should be */ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, TEST_UUID_STR "-", payload, &owner, ++ &cc2); ++ assert_int_equal(ret, EINVAL); ++} ++ ++static void test_kcm_ccache_no_princ_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ const char *name; ++ struct kcm_ccache *cc; ++ krb5_principal princ; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ NULL, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ princ = kcm_cc_get_client_principal(cc); ++ assert_null(princ); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++} ++ + void test_sec_key_get_uuid(void **state) + { + errno_t ret; +@@ -325,6 +427,12 @@ int main(int argc, const char *argv[]) + }; + + const struct CMUnitTest tests[] = { ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), + cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), +diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py +index e5d315827b31f205216d6a20768533ef50983537..6f65431f88b0e77110c3a89c24363d28027390f6 100644 +--- a/src/tests/multihost/basic/test_kcm.py ++++ b/src/tests/multihost/basic/test_kcm.py +@@ -310,6 +310,12 @@ class TestSanityKCM(object): + set_param(multihost, 'kcm', 'max_ccache_size', '1') + self._restart_kcm(multihost) + +- with pytest.raises(paramiko.ssh_exception.AuthenticationException): +- ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, +- username='foo3', password='Secret123') ++ # We use kinit to exceed the maximum ccache size as it creates payload ++ # of 1280 bytes by acquiring tgt and also some control credentials. ++ # SSH authentication is not sufficient as it stores only tgt. ++ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, ++ username='foo3', password='Secret123') ++ (_, _, exit_status) = ssh_foo3.execute_cmd( ++ 'kinit foo3@EXAMPLE.TEST', 'Secret123' ++ ) ++ assert exit_status != 0 +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 2a7149ae8b1c88623784ffd4f3e7f908be15c662..6fd9e0af5bd9986052efdb8e244ddeb9e4fa50ff 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -36,7 +36,7 @@ + #define SECRETS_BASEDN "cn=secrets" + #define KCM_BASEDN "cn=kcm" + +-#define LOCAL_SIMPLE_FILTER "(type=simple)" ++#define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" + #define LOCAL_CONTAINER_FILTER "(type=container)" + + typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, +-- +2.25.4 + diff --git a/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch b/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch new file mode 100644 index 0000000..a7ff7b2 --- /dev/null +++ b/0013-kcm-add-per-connection-data-to-be-shared-between-req.patch @@ -0,0 +1,131 @@ +From ae6898e7dc60d7067f0d71212c7ed28fc9e8e285 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 16 Oct 2020 15:36:51 +0200 +Subject: [PATCH 13/19] kcm: add per-connection data to be shared between + requests + +Resolves: https://github.com/SSSD/sssd/issues/5349 +--- + src/responder/kcm/kcmsrv_cmd.c | 21 +++++++++++++++++---- + src/responder/kcm/kcmsrv_ops.c | 3 +++ + src/responder/kcm/kcmsrv_ops.h | 5 +++++ + 3 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 99980050f205730169f5907db4018e4fe57b046d..a1aa9aa20f7c2b5cd972bd944995286de5e7c1e2 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -373,13 +373,16 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx, + { + struct tevent_req *req; + struct cli_ctx *cctx; ++ struct kcm_conn_data *conn_data; + + cctx = req_ctx->cctx; ++ conn_data = talloc_get_type(cctx->state_ctx, struct kcm_conn_data); + + req = kcm_cmd_send(req_ctx, + cctx->ev, + kctx->qctx, + req_ctx->kctx->kcm_data, ++ conn_data, + req_ctx->cctx->creds, + &req_ctx->op_io.request, + req_ctx->op_io.op); +@@ -492,7 +495,7 @@ static void kcm_recv(struct cli_ctx *cctx) + int ret; + + kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx); +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + if (req == NULL) { + /* A new request comes in, setup data structures. */ + req = kcm_new_req(cctx, kctx); +@@ -503,7 +506,17 @@ static void kcm_recv(struct cli_ctx *cctx) + return; + } + +- cctx->state_ctx = req; ++ cctx->protocol_ctx = req; ++ } ++ ++ /* Shared data between requests that originates in the same connection. */ ++ if (cctx->state_ctx == NULL) { ++ cctx->state_ctx = talloc_zero(cctx, struct kcm_conn_data); ++ if (cctx->state_ctx == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up client state\n"); ++ talloc_free(cctx); ++ return; ++ } + } + + ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf); +@@ -558,7 +571,7 @@ static int kcm_send_data(struct cli_ctx *cctx) + struct kcm_req_ctx *req; + errno_t ret; + +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + + ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_len); + if (ret != EOK) { +@@ -604,7 +617,7 @@ static void kcm_send(struct cli_ctx *cctx) + DEBUG(SSSDBG_TRACE_INTERNAL, "All data sent!\n"); + TEVENT_FD_NOT_WRITEABLE(cctx->cfde); + TEVENT_FD_READABLE(cctx->cfde); +- talloc_zfree(cctx->state_ctx); ++ talloc_zfree(cctx->protocol_ctx); + return; + } + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 7fc3b0a5c4e123a398ef103f3ce92b45bc68f5cf..6ae1f0c647f4d385477ddeadbad93287cba05c55 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -38,6 +38,7 @@ + + struct kcm_op_ctx { + struct kcm_resp_ctx *kcm_data; ++ struct kcm_conn_data *conn_data; + struct cli_creds *client; + + struct sss_iobuf *input; +@@ -86,6 +87,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + struct kcm_data *input, + struct kcm_op *op) +@@ -135,6 +137,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + } + + state->op_ctx->kcm_data = kcm_data; ++ state->op_ctx->conn_data = conn_data; + state->op_ctx->client = client; + + state->op_ctx->input = sss_iobuf_init_readonly(state->op_ctx, +diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h +index 67d9f86026bf949548471f2280c130ebefd2f865..fd2dd03c9da3660e0c1346752e4db59c7cbe2c41 100644 +--- a/src/responder/kcm/kcmsrv_ops.h ++++ b/src/responder/kcm/kcmsrv_ops.h +@@ -32,10 +32,15 @@ struct kcm_op; + struct kcm_op *kcm_get_opt(uint16_t opcode); + const char *kcm_opt_name(struct kcm_op *op); + ++struct kcm_conn_data { ++ void *data; ++}; ++ + struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + struct kcm_data *input, + struct kcm_op *op); +-- +2.25.4 + diff --git a/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch b/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch new file mode 100644 index 0000000..9f154fc --- /dev/null +++ b/0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch @@ -0,0 +1,165 @@ +From f1db05d8839b39fd48471dcb29881c12ed27a434 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 29 Oct 2020 14:57:53 +0100 +Subject: [PATCH 14/19] sss_ptr_hash: fix double free for circular dependencies + +If the hash table delete callback deletes the stored item, +we can end up in double free in case when we try to override +an existing item (hash_enter(key) where key already exists). + +```c +static void delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, + void *pvt) +{ + talloc_free(item->value.ptr); +} + +hash_enter(key); +hash_enter(key); +``` + +The doble free it self is fine, since it is done via talloc destructor +and talloc can cope with that. However, the hash table fails to store +the new entry because hash_delete is called twice. + +``` +_sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete +``` +--- + src/tests/cmocka/test_sss_ptr_hash.c | 39 ++++++++++++++++++++++++++++ + src/tests/cmocka/test_utils.c | 3 +++ + src/tests/cmocka/test_utils.h | 1 + + src/util/sss_ptr_hash.c | 20 ++++++++++++++ + 4 files changed, 63 insertions(+) + +diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c +index 1458238f537970d0ecde80bd36830b28970ca364..31cf8b705367498822094f8811b393c1b35e12bc 100644 +--- a/src/tests/cmocka/test_sss_ptr_hash.c ++++ b/src/tests/cmocka/test_sss_ptr_hash.c +@@ -91,6 +91,45 @@ void test_sss_ptr_hash_with_free_cb(void **state) + assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2); + } + ++void test_sss_ptr_hash_overwrite_with_free_cb(void **state) ++{ ++ hash_table_t *table; ++ int free_counter = 0; ++ unsigned long count; ++ char *payload; ++ char *value; ++ errno_t ret; ++ ++ table = sss_ptr_hash_create(global_talloc_context, ++ free_payload_cb, ++ &free_counter); ++ assert_non_null(table); ++ ++ payload = talloc_strdup(table, "test_value1"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ ++ payload = talloc_strdup(table, "test_value2"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ talloc_free(table); ++ assert_int_equal(free_counter, 2); ++} ++ + struct table_wrapper + { + hash_table_t **table; +diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c +index d77a972c1bc93638085c3d49131247fefb333d56..d258622fb50e849a3efabb123960db410eb399e1 100644 +--- a/src/tests/cmocka/test_utils.c ++++ b/src/tests/cmocka/test_utils.c +@@ -2144,6 +2144,9 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb, + setup_leak_tests, + teardown_leak_tests), ++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_overwrite_with_free_cb, ++ setup_leak_tests, ++ teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb, + setup_leak_tests, + teardown_leak_tests), +diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h +index 44b9479f965ee830ea0937c0fd89b87e35796598..458bcb750569c1f5f346917f29aa8b5500891988 100644 +--- a/src/tests/cmocka/test_utils.h ++++ b/src/tests/cmocka/test_utils.h +@@ -35,6 +35,7 @@ void test_concatenate_string_array(void **state); + + /* from src/tests/cmocka/test_sss_ptr_hash.c */ + void test_sss_ptr_hash_with_free_cb(void **state); ++void test_sss_ptr_hash_overwrite_with_free_cb(void **state); + void test_sss_ptr_hash_with_lookup_cb(void **state); + void test_sss_ptr_hash_without_cb(void **state); + +diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c +index 6409236c782bac729ec51502019c04c83bce7cab..e3805dac4052b587d395b7163f5c45e1ba0aa6dc 100644 +--- a/src/util/sss_ptr_hash.c ++++ b/src/util/sss_ptr_hash.c +@@ -54,6 +54,7 @@ struct sss_ptr_hash_value { + hash_table_t *table; + const char *key; + void *payload; ++ bool delete_in_progress; + }; + + static int +@@ -61,12 +62,22 @@ sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value) + { + hash_key_t table_key; + ++ /* Do not call hash_delete() if we got here from hash delete callback when ++ * the callback calls talloc_free(payload) which frees the value. This ++ * should not happen since talloc will avoid circular free but let's be ++ * over protective here. */ ++ if (value->delete_in_progress) { ++ return 0; ++ } ++ ++ value->delete_in_progress = true; + if (value->table && value->key) { + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, value->key); + if (hash_delete(value->table, &table_key) != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed to delete entry with key '%s'\n", value->key); ++ value->delete_in_progress = false; + } + } + +@@ -127,6 +138,15 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, + callback_entry.key = item->key; + callback_entry.value.type = HASH_VALUE_PTR; + callback_entry.value.ptr = value->payload; ++ ++ /* Delete the value in case this callback has been called directly ++ * from dhash (overwriting existing entry) instead of hash_delete() ++ * in value's destructor. */ ++ if (!value->delete_in_progress) { ++ talloc_set_destructor(value, NULL); ++ talloc_free(value); ++ } ++ + /* Even if execution is already in the context of + * talloc_free(payload) -> talloc_free(value) -> ... + * there still might be legitimate reasons to execute callback. +-- +2.25.4 + diff --git a/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch b/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch new file mode 100644 index 0000000..da81b49 --- /dev/null +++ b/0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch @@ -0,0 +1,551 @@ +From 9ffc2c6447f2177ff406a9f4d17d8413967ab7ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 19 Oct 2020 12:40:07 +0200 +Subject: [PATCH 15/19] kcm: store credentials list in hash table to avoid + cache lookups + +Iteration over ccache requires CRED_UUID_LIST and then calling +CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID +operation invoked ldb_search and decryption. This was a substantional +bottle neck. + +Resolves: https://github.com/SSSD/sssd/issues/5349 + +:fixes: KCM performance has improved dramatically for cases where + large amount of credentials are stored in the ccache. +--- + src/responder/kcm/kcmsrv_ccache.c | 46 +++++ + src/responder/kcm/kcmsrv_ccache.h | 7 + + src/responder/kcm/kcmsrv_ccache_mem.c | 30 ++-- + src/responder/kcm/kcmsrv_ops.c | 245 +++++++++++++++++++------- + src/responder/kcm/kcmsrv_ops.h | 5 +- + 5 files changed, 249 insertions(+), 84 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 59f8a7293fa7422c199ca2916c8e6ae6039d9312..60eacd4516b1269168caea744d91377686ab03f6 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -28,6 +28,9 @@ + #include "responder/kcm/kcmsrv_ccache_pvt.h" + #include "responder/kcm/kcmsrv_ccache_be.h" + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd); ++ + static int kcm_cc_destructor(struct kcm_ccache *cc) + { + if (cc == NULL) { +@@ -94,6 +97,33 @@ done: + return ret; + } + ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc) ++{ ++ struct kcm_ccache *dup; ++ struct kcm_cred *crd_dup; ++ struct kcm_cred *crd; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (dup == NULL) { ++ return NULL; ++ } ++ memcpy(dup, cc, sizeof(struct kcm_ccache)); ++ ++ dup->creds = NULL; ++ DLIST_FOR_EACH(crd, cc->creds) { ++ crd_dup = kcm_cred_dup(dup, crd); ++ if (crd_dup == NULL) { ++ talloc_free(dup); ++ return NULL; ++ } ++ ++ DLIST_ADD(dup->creds, crd_dup); ++ } ++ ++ return dup; ++} ++ + const char *kcm_cc_get_name(struct kcm_ccache *cc) + { + return cc ? cc->name : NULL; +@@ -204,6 +234,22 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + return kcreds; + } + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd) ++{ ++ struct kcm_cred *dup; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_cred); ++ if (dup == NULL) { ++ return NULL; ++ } ++ ++ uuid_copy(dup->uuid, crd->uuid); ++ dup->cred_blob = crd->cred_blob; ++ ++ return dup; ++} ++ + /* Add a cred to ccache */ + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd) +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index b0a7acb9fed8a8f89a3d0e2239ab28c7ce80fa23..77cf8f61d563d29afe00d8a04e8053b24547746d 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -72,6 +72,13 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx, + krb5_principal princ, + struct kcm_ccache **_cc); + ++/* ++ * Duplicate the ccache. Only ccache and credentials are duplicated, ++ * but their data are a shallow copy. ++ */ ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc); ++ + /* + * Returns true if a client can access a ccache. + * +diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c +index baa698054fa4c6952b41b0f25dfdfa825f8e675b..0e3a7b239eda83c9fdec3b116231d4ec1444ef10 100644 +--- a/src/responder/kcm/kcmsrv_ccache_mem.c ++++ b/src/responder/kcm/kcmsrv_ccache_mem.c +@@ -49,24 +49,6 @@ struct ccdb_mem { + unsigned int nextid; + }; + +-/* In order to provide a consistent interface, we need to let the caller +- * of getbyXXX own the ccache, therefore the memory back end returns a shallow +- * copy of the ccache +- */ +-static struct kcm_ccache *kcm_ccache_dup(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *in) +-{ +- struct kcm_ccache *out; +- +- out = talloc_zero(mem_ctx, struct kcm_ccache); +- if (out == NULL) { +- return NULL; +- } +- memcpy(out, in, sizeof(struct kcm_ccache)); +- +- return out; +-} +- + static struct ccache_mem_wrap *memdb_get_by_uuid(struct ccdb_mem *memdb, + struct cli_creds *client, + uuid_t uuid) +@@ -417,7 +399,11 @@ static struct tevent_req *ccdb_mem_getbyuuid_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; +@@ -470,7 +456,11 @@ static struct tevent_req *ccdb_mem_getbyname_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_name(memdb, client, name); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 6ae1f0c647f4d385477ddeadbad93287cba05c55..f458c724b0eaa3d43df4ad30baa3f896b8d87965 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -22,9 +22,11 @@ + #include "config.h" + + #include ++#include + + #include "util/sss_iobuf.h" + #include "util/sss_krb5.h" ++#include "util/sss_ptr_hash.h" + #include "util/util_creds.h" + #include "responder/kcm/kcm.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -1074,6 +1076,73 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq) + tevent_req_done(req); + } + ++static void ++kcm_creds_table_delete_cb(hash_entry_t *item, ++ hash_destroy_enum deltype, ++ void *pvt) ++{ ++ /* Delete the old credential if it is being overwritten. */ ++ talloc_free(item->value.ptr); ++} ++ ++/* Store credentials in a hash table. ++ * ++ * If the table already exist we add the new credentials to the table and ++ * overwrite the ones that already exist. This allows us to correctly serve ++ * also parallel GET_CRED_UUID_LIST requests from the same connection since ++ * it will have its own uuid list and cursor on the client side and we make ++ * all uuid (old, updated and newly added) available. ++ */ ++static errno_t ++kcm_creds_to_table(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *creds, ++ hash_table_t **_table) ++{ ++ char str[UUID_STR_SIZE]; ++ uuid_t uuid; ++ errno_t ret; ++ ++ if (*_table == NULL) { ++ *_table = sss_ptr_hash_create(mem_ctx, kcm_creds_table_delete_cb, NULL); ++ if (*_table == NULL) { ++ return ENOMEM; ++ } ++ } ++ ++ for (struct kcm_cred *crd = creds; ++ crd != NULL; ++ crd = kcm_cc_next_cred(crd)) { ++ ret = kcm_cred_get_uuid(crd, uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Credential has no UUID, skipping\n"); ++ continue; ++ } ++ uuid_unparse(uuid, str); ++ ++ ret = sss_ptr_hash_add_or_override(*_table, str, crd, struct kcm_cred); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ talloc_steal(*_table, crd); ++ } ++ ++ return EOK; ++} ++ ++static struct kcm_cred * ++kcm_creds_lookup(hash_table_t *table, uuid_t uuid) ++{ ++ char str[UUID_STR_SIZE]; ++ ++ if (uuid == NULL) { ++ return NULL; ++ } ++ ++ uuid_unparse(uuid, str); ++ return sss_ptr_hash_lookup(table, str, struct kcm_cred); ++} ++ + /* (name) -> (uuid, ...) */ + static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq); + +@@ -1123,12 +1192,15 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; ++ struct kcm_conn_data *conn_data; + uuid_t uuid; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + ++ conn_data = state->op_ctx->conn_data; ++ + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { +@@ -1140,12 +1212,20 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + } + + if (cc == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ DEBUG(SSSDBG_MINOR_FAILURE, "No ccache by that name\n"); + state->op_ret = ERR_NO_CREDS; + tevent_req_done(req); + return; + } + ++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table " ++ "[%d]: %s\n", ret, sss_strerror(ret)); ++ tevent_req_error(req, ret); ++ return; ++ } ++ + for (crd = kcm_cc_get_cred(cc); + crd != NULL; + crd = kcm_cc_next_cred(crd)) { +@@ -1172,6 +1252,34 @@ static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq) + tevent_req_done(req); + } + ++static errno_t ++kcm_op_get_cred_by_uuid_reply(struct kcm_cred *crd, ++ struct sss_iobuf *reply) ++{ ++ struct sss_iobuf *cred_blob; ++ errno_t ret; ++ ++ cred_blob = kcm_cred_get_creds(crd); ++ if (cred_blob == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); ++ return ERR_NO_CREDS; ++ } ++ ++ ret = sss_iobuf_write_len(reply, sss_iobuf_get_data(cred_blob), ++ sss_iobuf_get_size(cred_blob)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot write ccache blob [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ } ++ ++ return ret; ++} ++ ++struct kcm_op_get_cred_by_uuid_state { ++ struct kcm_op_common_state common; ++ uuid_t uuid; ++}; ++ + /* (name, uuid) -> (cred) */ + static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq); + +@@ -1182,20 +1290,51 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + { + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; +- struct kcm_op_common_state *state = NULL; ++ struct kcm_op_get_cred_by_uuid_state *state; ++ struct kcm_cred *crd; + errno_t ret; + const char *name; + +- req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); ++ req = tevent_req_create(mem_ctx, &state, ++ struct kcm_op_get_cred_by_uuid_state); + if (req == NULL) { + return NULL; + } +- state->op_ctx = op_ctx; ++ state->common.op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + goto immediate; + } ++ ++ ret = sss_iobuf_read_len(state->common.op_ctx->input, UUID_BYTES, ++ state->uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot read input UUID [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto immediate; ++ } ++ ++ if (op_ctx->conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(op_ctx->conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ /* This should not happen, it can only happen if wrong UUID was ++ * requested which suggests bug in the caller application. */ ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ ret = EOK; ++ goto immediate; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, op_ctx->reply); ++ if (ret == ERR_NO_CREDS) { ++ state->common.op_ret = ret; ++ ret = EOK; ++ } ++ goto immediate; ++ } ++ } ++ + DEBUG(SSSDBG_TRACE_LIBS, "Returning creds by UUID for %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, +@@ -1210,7 +1349,11 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + return req; + + immediate: +- tevent_req_error(req, ret); ++ if (ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } + tevent_req_post(req, ev); + return req; + } +@@ -1219,14 +1362,14 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); +- struct kcm_op_common_state *state = tevent_req_data(req, +- struct kcm_op_common_state); ++ struct kcm_op_get_cred_by_uuid_state *state = tevent_req_data(req, ++ struct kcm_op_get_cred_by_uuid_state); + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; +- uuid_t uuid_in; +- uuid_t uuid; +- struct sss_iobuf *cred_blob; ++ struct kcm_conn_data *conn_data; ++ ++ conn_data = state->common.op_ctx->conn_data; + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); +@@ -1238,69 +1381,45 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + return; + } + +- if (cc == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n"); +- state->op_ret = ERR_NO_MATCHING_CREDS; +- tevent_req_done(req); +- return; +- } +- +- ret = sss_iobuf_read_len(state->op_ctx->input, +- UUID_BYTES, uuid_in); ++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot read input UUID [%d]: %s\n", +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table " ++ "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + +- for (crd = kcm_cc_get_cred(cc); +- crd != NULL; +- crd = kcm_cc_next_cred(crd)) { +- ret = kcm_cred_get_uuid(crd, uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot get UUID from creds, skipping\n"); +- continue; +- } +- +- if (uuid_compare(uuid, uuid_in) == 0) { +- break; ++ if (conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, state->common.op_ctx->reply); ++ if (ret != EOK && ret != ERR_NO_CREDS) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ state->common.op_ret = ret; + } +- kcm_debug_uuid(uuid); +- } +- +- if (crd == NULL) { +- state->op_ret = ERR_KCM_CC_END; +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); +- tevent_req_done(req); +- return; +- } +- +- cred_blob = kcm_cred_get_creds(crd); +- if (cred_blob == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); +- state->op_ret = ERR_NO_CREDS; +- tevent_req_done(req); +- return; +- } +- +- ret = sss_iobuf_write_len(state->op_ctx->reply, +- sss_iobuf_get_data(cred_blob), +- sss_iobuf_get_size(cred_blob)); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot write ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); +- tevent_req_error(req, ret); +- return; + } + +- state->op_ret = EOK; + tevent_req_done(req); + } + ++static errno_t kcm_op_get_cred_by_uuid_recv(struct tevent_req *req, ++ uint32_t *_op_ret) ++{ ++ struct kcm_op_get_cred_by_uuid_state *state; ++ ++ state = tevent_req_data(req, struct kcm_op_get_cred_by_uuid_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ *_op_ret = state->common.op_ret; ++ return EOK; ++} ++ + /* (name, flags, credtag) -> () */ + /* FIXME */ + static struct tevent_req * +@@ -2156,7 +2275,7 @@ static struct kcm_op kcm_optable[] = { + { "RETRIEVE", NULL, NULL }, + { "GET_PRINCIPAL", kcm_op_get_principal_send, NULL }, + { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list_send, NULL }, +- { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, NULL }, ++ { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, kcm_op_get_cred_by_uuid_recv }, + { "REMOVE_CRED", kcm_op_remove_cred_send, NULL }, + { "SET_FLAGS", NULL, NULL }, + { "CHOWN", NULL, NULL }, +diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h +index fd2dd03c9da3660e0c1346752e4db59c7cbe2c41..ab6c13791baa43837cf84ebd523735b622a24020 100644 +--- a/src/responder/kcm/kcmsrv_ops.h ++++ b/src/responder/kcm/kcmsrv_ops.h +@@ -24,6 +24,7 @@ + + #include "config.h" + ++#include + #include + #include "util/sss_iobuf.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -33,7 +34,9 @@ struct kcm_op *kcm_get_opt(uint16_t opcode); + const char *kcm_opt_name(struct kcm_op *op); + + struct kcm_conn_data { +- void *data; ++ /* Credentials obtained by GET_CRED_UUID_LIST. We use to improve performance ++ * by avoiding ccache lookups in GET_CRED_BY_UUID. */ ++ hash_table_t *creds; + }; + + struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, +-- +2.25.4 + diff --git a/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch b/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch new file mode 100644 index 0000000..e3ee22d --- /dev/null +++ b/0016-secrets-fix-may_payload_size-exceeded-debug-message.patch @@ -0,0 +1,38 @@ +From 24a6888e38fb9d11bf173eb06e400678388bce49 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 3 Nov 2020 13:35:33 +0100 +Subject: [PATCH 16/19] secrets: fix may_payload_size exceeded debug message + +The unit is bytes (B) not bits (b) and the conversion of the input +payload size to KiB was wrong (multiplying bytes * 1024). +--- + src/util/secrets/secrets.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 6fd9e0af5bd9986052efdb8e244ddeb9e4fa50ff..1000757228bea75bb2d5c48aceb717c9bfe35ffb 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -399,14 +399,14 @@ static int local_check_max_payload_size(struct sss_sec_req *req, + return EOK; + } + +- max_payload_size = req->quota->max_payload_size * 1024; /* kb */ ++ max_payload_size = req->quota->max_payload_size * 1024; /* KiB */ + if (payload_size > max_payload_size) { + DEBUG(SSSDBG_OP_FAILURE, +- "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " +- "payload size [%d kb (%d)]\n", +- payload_size * 1024, /* kb */ ++ "Secrets' payload size [%d KiB (%d B)] exceeds the maximum " ++ "allowed payload size [%d KiB (%d B)]\n", ++ payload_size / 1024, /* KiB */ + payload_size, +- req->quota->max_payload_size, /* kb */ ++ req->quota->max_payload_size, /* KiB */ + max_payload_size); + + return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; +-- +2.25.4 + diff --git a/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch b/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch new file mode 100644 index 0000000..13efbcd --- /dev/null +++ b/0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch @@ -0,0 +1,43 @@ +From 36e4dc6c9a48ee62345839a9df14e0494c99bf59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 11:47:24 +0100 +Subject: [PATCH 17/19] secrets: default to "plaintext" if "enctype" attr is + missing + +This is a sane fallback behavior, however it should not happen since +the attribute should be always present. +--- + src/util/secrets/secrets.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 1000757228bea75bb2d5c48aceb717c9bfe35ffb..58c96e18f03865df0249c4c899ad88e385b782c8 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -1071,17 +1071,12 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); +- +- if (attr_enctype) { +- enctype = sss_sec_str_to_enctype(attr_enctype); +- ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, +- attr_secret->length, enctype, &secret, &secret_len); +- if (ret) goto done; +- } else { +- secret = talloc_steal(tmp_ctx, attr_secret->data); +- secret_len = attr_secret->length; +- } ++ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", ++ "plaintext"); ++ enctype = sss_sec_str_to_enctype(attr_enctype); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, ++ attr_secret->length, enctype, &secret, &secret_len); ++ if (ret) goto done; + + if (_datatype != NULL) { + attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", +-- +2.25.4 + diff --git a/0018-secrets-move-attrs-names-to-macros.patch b/0018-secrets-move-attrs-names-to-macros.patch new file mode 100644 index 0000000..a03eca3 --- /dev/null +++ b/0018-secrets-move-attrs-names-to-macros.patch @@ -0,0 +1,183 @@ +From b18f0f87948d44f1d99dd4da0ac1affcbb8c53e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 11:55:39 +0100 +Subject: [PATCH 18/19] secrets: move attrs names to macros + +--- + src/util/secrets/secrets.c | 42 +++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 17 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 58c96e18f03865df0249c4c899ad88e385b782c8..ae9c7c83f335c8c2d9d97a736700fbcdaf0d36af 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -39,6 +39,11 @@ + #define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" + #define LOCAL_CONTAINER_FILTER "(type=container)" + ++#define SEC_ATTR_SECRET "secret" ++#define SEC_ATTR_ENCTYPE "enctype" ++#define SEC_ATTR_TYPE "type" ++#define SEC_ATTR_CTIME "creationTime" ++ + typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, + const char *url, + uid_t client, +@@ -465,7 +470,7 @@ static int local_db_create(struct sss_sec_req *req) + ret = local_db_check_containers_nest_level(req, msg->dn); + if (ret != EOK) goto done; + +- ret = ldb_msg_add_string(msg, "type", "container"); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, "container"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:container [%d]: %s\n", +@@ -473,7 +478,7 @@ static int local_db_create(struct sss_sec_req *req) + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -953,7 +958,7 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + size_t *_num_keys) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, NULL }; + struct ldb_result *res; + char **keys; + int ret; +@@ -1017,7 +1022,8 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + char **_datatype) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", "enctype", "type", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, SEC_ATTR_ENCTYPE, ++ SEC_ATTR_TYPE, NULL }; + struct ldb_result *res; + const struct ldb_val *attr_secret; + const char *attr_enctype; +@@ -1064,14 +1070,14 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_secret = ldb_msg_find_ldb_val(res->msgs[0], "secret"); ++ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], SEC_ATTR_SECRET); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; + goto done; + } + +- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", ++ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_ENCTYPE, + "plaintext"); + enctype = sss_sec_str_to_enctype(attr_enctype); + ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, +@@ -1079,7 +1085,7 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + if (ret) goto done; + + if (_datatype != NULL) { +- attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type", ++ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_TYPE, + "simple"); + datatype = talloc_strdup(tmp_ctx, attr_datatype); + if (datatype == NULL) { +@@ -1167,7 +1173,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", datatype); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:%s [%d]: %s\n", +@@ -1175,7 +1181,8 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1183,7 +1190,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", +@@ -1191,7 +1198,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -1283,7 +1290,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_empty(msg, "enctype", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_ENCTYPE, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1291,7 +1298,8 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", sss_sec_enctype_to_str(enctype)); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1299,7 +1307,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_empty(msg, "type", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_TYPE, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1307,7 +1315,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", datatype); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:%s [%d]: %s\n", +@@ -1316,7 +1324,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + } + + /* FIXME - should we have a lastUpdate timestamp? */ +- ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1324,7 +1332,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_value(msg, "secret", &enc_secret, NULL); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); +-- +2.25.4 + diff --git a/0019-secrets-remove-base64-enctype.patch b/0019-secrets-remove-base64-enctype.patch new file mode 100644 index 0000000..915d049 --- /dev/null +++ b/0019-secrets-remove-base64-enctype.patch @@ -0,0 +1,75 @@ +From bca694200748354c7ee3e51084586d30b9b0164b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 12:07:06 +0100 +Subject: [PATCH 19/19] secrets: remove base64 enctype + +This was added as part of KCM performance improvements but never used. +Ldb is fully capable of holding binary data without the need for base64 +encoding so this is not needed. +--- + src/util/secrets/secrets.c | 15 --------------- + src/util/secrets/secrets.h | 1 - + 2 files changed, 16 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index ae9c7c83f335c8c2d9d97a736700fbcdaf0d36af..c6310b58526d6f4c063d028cd0e78b5e4f2e12db 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -75,8 +75,6 @@ static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) + return "plaintext"; + case SSS_SEC_MASTERKEY: + return "masterkey"; +- case SSS_SEC_BASE64: +- return "base64"; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", + enctype); +@@ -94,10 +92,6 @@ static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) + return SSS_SEC_MASTERKEY; + } + +- if (strcmp("base64", str) == 0) { +- return SSS_SEC_BASE64; +- } +- + return SSS_SEC_ENCTYPE_SENTINEL; + } + +@@ -141,10 +135,6 @@ static int local_decrypt(struct sss_sec_ctx *sctx, + return ret; + } + break; +- case SSS_SEC_BASE64: +- output = (uint8_t *)sss_base64_decode(mem_ctx, (const char *)secret, +- &output_len); +- break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; +@@ -196,11 +186,6 @@ static int local_encrypt(struct sss_sec_ctx *sec_ctx, + output_len = strlen(b64) + 1; + talloc_free(_secret.data); + break; +- case SSS_SEC_BASE64: +- b64 = sss_base64_encode(mem_ctx, secret, secret_len); +- output = (uint8_t*)b64; +- output_len = strlen(b64) + 1; +- break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index f8caa53eec376bb0c8d52615ce9111efbbb26393..f79bfaa4b9dc2df577a815c03b86770e3066de75 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -46,7 +46,6 @@ + enum sss_sec_enctype { + SSS_SEC_PLAINTEXT, + SSS_SEC_MASTERKEY, +- SSS_SEC_BASE64, + SSS_SEC_ENCTYPE_SENTINEL + }; + +-- +2.25.4 + diff --git a/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch b/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch new file mode 100644 index 0000000..6c45514 --- /dev/null +++ b/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch @@ -0,0 +1,43 @@ +From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 9 Dec 2020 14:07:22 +0100 +Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path + +Previous unefficient code encoded the secret multiple times: + secret -> base64 -> masterkey -> base64 + +To allow smooth upgrade for already existant ccache we need to also decode +the secret if it is still in the old format (type == simple). Otherwise +users are not able to log in. + +Resolves: https://github.com/SSSD/sssd/issues/5349 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 726711ac441c40a6bfc84045e9b3e5b85505c7e0..ea5c8f9ee36ddc6008ea80693d3e28c4de5a00c1 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + ++ if (strcmp(datatype, "simple") == 0) { ++ /* The secret is stored in b64 encoding, we need to decode it first. */ ++ data = sss_base64_decode(tmp_ctx, (const char*)data, &len); ++ if (data == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); ++ ret = EIO; ++ goto done; ++ } ++ } ++ + buf = sss_iobuf_init_steal(tmp_ctx, data, len); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); +-- +2.25.4 + diff --git a/sssd.spec b/sssd.spec index 375215d..f73e535 100644 --- a/sssd.spec +++ b/sssd.spec @@ -29,13 +29,34 @@ Name: sssd Version: 2.4.0 -Release: 4%{?dist} +Release: 6%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/sssd-2.4.0.tar.gz ### Patches ### +Patch0001: 0001-kcm-fix-typos-in-debug-messages.patch +Patch0002: 0002-kcm-avoid-name-confusion-in-GET_CRED_UUID_LIST-handl.patch +Patch0003: 0003-kcm-disable-encryption.patch +Patch0004: 0004-kcm-avoid-multiple-debug-messages-if-sss_sec_put-fai.patch +Patch0005: 0005-secrets-allow-to-specify-secret-s-data-format.patch +Patch0006: 0006-secrets-accept-binary-data-instead-of-string.patch +Patch0007: 0007-iobuf-add-more-iobuf-functions.patch +Patch0008: 0008-kcm-add-json-suffix-to-existing-searialization-funct.patch +Patch0009: 0009-kcm-move-sec-key-parser-to-separate-file-so-it-can-b.patch +Patch0010: 0010-kcm-avoid-suppression-of-cppcheck-warning.patch +Patch0011: 0011-kcm-add-spaces-around-operators-in-kcmsrv_ccache_key.patch +Patch0012: 0012-kcm-use-binary-format-to-store-ccache-instead-of-jso.patch +Patch0013: 0013-kcm-add-per-connection-data-to-be-shared-between-req.patch +Patch0014: 0014-sss_ptr_hash-fix-double-free-for-circular-dependenci.patch +Patch0015: 0015-kcm-store-credentials-list-in-hash-table-to-avoid-ca.patch +Patch0016: 0016-secrets-fix-may_payload_size-exceeded-debug-message.patch +Patch0017: 0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch +Patch0018: 0018-secrets-move-attrs-names-to-macros.patch +Patch0019: 0019-secrets-remove-base64-enctype.patch +Patch0020: 0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch + ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1014,6 +1035,12 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Dec 11 2020 Pavel Březina - 2.4.0-6 +- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624) + +* Mon Dec 7 2020 Pavel Březina - 2.4.0-5 +- Improve sssd-kcm performance (rhbz#1645624) + * Mon Nov 30 2020 Stephen Gallagher - 2.4.0-4 - Rebuild for Fedora ELN