krb5 commit: Add test KDB module

Greg Hudson ghudson at mit.edu
Tue Mar 10 14:48:53 EDT 2015


https://github.com/krb5/krb5/commit/c8608c52646a10503b1a950f8df5072d0a583604
commit c8608c52646a10503b1a950f8df5072d0a583604
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Feb 23 15:47:21 2015 -0500

    Add test KDB module
    
    Add a simple read-only KDB module which can be used to exercise KDB
    behavior which the DB2 module cannot reach.  Right now it supports
    very basic get_principal functionality, aliases, and delegation
    policy; in the future it could issue referrals or sign authdata.

 src/Makefile.in                   |    1 +
 src/configure.in                  |    1 +
 src/plugins/kdb/test/Makefile.in  |   21 ++
 src/plugins/kdb/test/kdb_test.c   |  522 +++++++++++++++++++++++++++++++++++++
 src/plugins/kdb/test/test.exports |    1 +
 5 files changed, 546 insertions(+), 0 deletions(-)

diff --git a/src/Makefile.in b/src/Makefile.in
index 31bb54a..65951c5 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -18,6 +18,7 @@ SUBDIRS=util include lib \
 	plugins/pwqual/test \
 	plugins/kdb/db2 \
 	@ldap_plugin_dir@ \
+	plugins/kdb/test \
 	plugins/preauth/otp \
 	plugins/preauth/pkinit \
 	plugins/tls/k5tls \
diff --git a/src/configure.in b/src/configure.in
index 1a79ee2..f1ba570 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1446,6 +1446,7 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
 	plugins/kdb/db2/libdb2/recno
 	plugins/kdb/db2/libdb2/test
 	plugins/kdb/hdb
+	plugins/kdb/test
 	plugins/preauth/cksum_body
 	plugins/preauth/otp
 	plugins/preauth/securid_sam2
diff --git a/src/plugins/kdb/test/Makefile.in b/src/plugins/kdb/test/Makefile.in
new file mode 100644
index 0000000..f9578a3
--- /dev/null
+++ b/src/plugins/kdb/test/Makefile.in
@@ -0,0 +1,21 @@
+mydir=plugins$(S)kdb$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/kdb/test
+SHLIB_EXPDEPS=$(KADMSRV_DEPLIB) $(KRB5_BASE_DEPLIBS)
+SHLIB_EXPLIBS=$(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
+LOCALINCLUDES=-I../../../lib/kdb -I$(srcdir)/../../../lib/kdb
+
+SRCS = $(srcdir)/kdb_test.c
+
+STLIBOBJS = kdb_test.o
+
+all-unix:: all-liblinks
+install-unix::
+clean-unix:: clean-liblinks clean-libs clean-libobjs
+
+ at libnover_frag@
+ at libobj_frag@
diff --git a/src/plugins/kdb/test/deps b/src/plugins/kdb/test/deps
new file mode 100644
index 0000000..e69de29
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
new file mode 100644
index 0000000..acb1d76
--- /dev/null
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -0,0 +1,522 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/kdb/test/kdb_test.c - Test KDB module */
+/*
+ * Copyright (C) 2015 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This is a read-only KDB module intended to help test KDC behavior which
+ * cannot be exercised with the DB2 module.  Responses are read from the
+ * dbmodules subsection according to this example:
+ *
+ *     [dbmodules]
+ *         test = {
+ *             alias = {
+ *                 aliasname = canonname
+ *             }
+ *             princs = {
+ *                 krbtgt/KRBTEST.COM = {
+ *                     flags = +preauth +ok-to-auth-as-delegate
+ *                     maxlife = 1d
+ *                     maxrenewlife = 7d
+ *                     expiration = 14d # relative to current time
+ *                     pwexpiration = 1h
+ *                     # Initial number is kvno; defaults to 1.
+ *                     keys = 3 aes256-cts aes128-cts:normal
+ *                     keys = 2 rc4-hmac
+ *                 }
+ *             }
+ *             delegation = {
+ *                 intermediate_service = target_service
+ *             }
+ *         }
+ *
+ * Key values are generated using a hash of the kvno, enctype, salt type, and
+ * principal name.  This module does not use master key encryption, so it
+ * serves as a partial test of the DAL's ability to avoid that.
+ */
+
+#include "k5-int.h"
+#include "kdb5.h"
+#include "adm_proto.h"
+#include <ctype.h>
+
+typedef struct {
+    void *profile;
+    char *section;
+    const char *names[6];
+} *testhandle;
+
+static void *
+ealloc(size_t sz)
+{
+    void *p = calloc(sz, 1);
+
+    if (p == NULL)
+        abort();
+    return p;
+}
+
+static char *
+estrdup(const char *s)
+{
+    char *copy = strdup(s);
+
+    if (copy == NULL)
+        abort();
+    return copy;
+}
+
+static void
+check(krb5_error_code code)
+{
+    if (code != 0)
+        abort();
+}
+
+/* Set up for a profile query using h->names.  Look up s1 -> s2 -> s3 (some of
+ * which may be NULL) within this database's dbmodules section. */
+static void
+set_names(testhandle h, const char *s1, const char *s2, const char *s3)
+{
+    h->names[0] = KDB_MODULE_SECTION;
+    h->names[1] = h->section;
+    h->names[2] = s1;
+    h->names[3] = s2;
+    h->names[4] = s3;
+    h->names[5] = NULL;
+}
+
+/* Look up a string within this database's dbmodules section. */
+static char *
+get_string(testhandle h, const char *s1, const char *s2, const char *s3)
+{
+    krb5_error_code ret;
+    char **values, *val;
+
+    set_names(h, s1, s2, s3);
+    ret = profile_get_values(h->profile, h->names, &values);
+    if (ret == PROF_NO_RELATION)
+        return NULL;
+    if (ret)
+        abort();
+    val = estrdup(values[0]);
+    profile_free_list(values);
+    return val;
+}
+
+/* Look up a duration within this database's dbmodules section. */
+static krb5_deltat
+get_duration(testhandle h, const char *s1, const char *s2, const char *s3)
+{
+    char *strval = get_string(h, s1, s2, s3);
+    krb5_deltat val;
+
+    if (strval == NULL)
+        return 0;
+    check(krb5_string_to_deltat(strval, &val));
+    free(strval);
+    return val;
+}
+
+/* Look up an absolute time within this database's dbmodules section.  The time
+ * is expressed in the profile as an interval relative to the current time. */
+static krb5_timestamp
+get_time(testhandle h, const char *s1, const char *s2, const char *s3)
+{
+    char *strval = get_string(h, s1, s2, s3);
+    krb5_deltat val;
+
+    if (strval == NULL)
+        return 0;
+    check(krb5_string_to_deltat(strval, &val));
+    free(strval);
+    return val + time(NULL);
+}
+
+/* Initialize kb_out with a key of type etype, using a hash of kvno, etype,
+ * salttype, and princstr for the key bytes. */
+static void
+make_keyblock(krb5_kvno kvno, krb5_enctype etype, int32_t salttype,
+              const char *princstr, krb5_keyblock *kb_out)
+{
+    size_t keybytes, keylength, pos, n;
+    char *hashstr;
+    krb5_data d, rndin;
+    krb5_checksum cksum;
+
+    check(krb5_c_keylengths(NULL, etype, &keybytes, &keylength));
+    alloc_data(&rndin, keybytes);
+
+    /* Hash the kvno, enctype, salt type, and principal name together. */
+    if (asprintf(&hashstr, "%d %d %d %s", (int)kvno, (int)etype,
+                 (int)salttype, princstr) < 0)
+        abort();
+    d = string2data(hashstr);
+    check(krb5_c_make_checksum(NULL, CKSUMTYPE_NIST_SHA, NULL, 0, &d, &cksum));
+
+    /* Make the appropriate number of input bytes from the hash result. */
+    for (pos = 0; pos < keybytes; pos += n) {
+        n = (cksum.length < keybytes - pos) ? cksum.length : keybytes - pos;
+        memcpy(rndin.data + pos, cksum.contents, n);
+    }
+
+    kb_out->enctype = etype;
+    kb_out->length = keylength;
+    kb_out->contents = ealloc(keylength);
+    check(krb5_c_random_to_key(NULL, etype, &rndin, kb_out));
+    free(cksum.contents);
+    free(rndin.data);
+    free(hashstr);
+}
+
+/* Return key data for the given key/salt tuple strings, using hashes of the
+ * enctypes, salts, and princstr for the key contents. */
+static void
+make_keys(char **strings, const char *princstr, krb5_db_entry *ent)
+{
+    krb5_key_data *key_data, *kd;
+    krb5_keyblock kb;
+    int32_t *ks_list_sizes, nstrings, nkeys, i, j;
+    krb5_key_salt_tuple **ks_lists, *ks;
+    krb5_kvno *kvnos;
+    char *s;
+
+    for (nstrings = 0; strings[nstrings] != NULL; nstrings++);
+    ks_lists = ealloc(nstrings * sizeof(*ks_lists));
+    ks_list_sizes = ealloc(nstrings * sizeof(*ks_list_sizes));
+    kvnos = ealloc(nstrings * sizeof(*kvnos));
+
+    /* Convert each string into a key/salt tuple list and count the total
+     * number of key data structures needed. */
+    nkeys = 0;
+    for (i = 0; i < nstrings; i++) {
+        s = strings[i];
+        /* Read a leading kvno if present; otherwise assume kvno 1. */
+        if (isdigit(*s)) {
+            kvnos[i] = strtol(s, &s, 10);
+            while (isspace(*s))
+                s++;
+        } else {
+            kvnos[i] = 1;
+        }
+        check(krb5_string_to_keysalts(s, NULL, NULL, FALSE, &ks_lists[i],
+                                      &ks_list_sizes[i]));
+        nkeys += ks_list_sizes[i];
+    }
+
+    /* Turn each key/salt tuple into a key data entry. */
+    kd = key_data = ealloc(nkeys * sizeof(*kd));
+    for (i = 0; i < nstrings; i++) {
+        ks = ks_lists[i];
+        for (j = 0; j < ks_list_sizes[i]; j++) {
+            make_keyblock(kvnos[i], ks[j].ks_enctype, ks[j].ks_salttype,
+                          princstr, &kb);
+            kd->key_data_ver = 2;
+            kd->key_data_kvno = kvnos[i];
+            kd->key_data_type[0] = ks[j].ks_enctype;
+            kd->key_data_length[0] = kb.length;
+            kd->key_data_contents[0] = kb.contents;
+            kd->key_data_type[1] = ks[j].ks_salttype;
+            kd++;
+        }
+    }
+
+    for (i = 0; i < nstrings; i++)
+        free(ks_lists[i]);
+    free(ks_lists);
+    free(ks_list_sizes);
+    free(kvnos);
+    ent->key_data = key_data;
+    ent->n_key_data = nkeys;
+}
+
+static krb5_error_code
+test_init()
+{
+    return 0;
+}
+
+static krb5_error_code
+test_cleanup()
+{
+    return 0;
+}
+
+static krb5_error_code
+test_open(krb5_context context, char *conf_section, char **db_args, int mode)
+{
+    testhandle h;
+
+    h = ealloc(sizeof(*h));
+    h->profile = context->profile;
+    h->section = estrdup(conf_section);
+    context->dal_handle->db_context = h;
+    return 0;
+}
+
+static krb5_error_code
+test_close(krb5_context context)
+{
+    testhandle h = context->dal_handle->db_context;
+
+    free(h->section);
+    free(h);
+    return 0;
+}
+
+static krb5_error_code
+test_get_principal(krb5_context context, krb5_const_principal search_for,
+                   unsigned int flags, krb5_db_entry **entry)
+{
+    krb5_error_code ret;
+    krb5_principal_data empty_princ = { KV5M_PRINCIPAL };
+    testhandle h = context->dal_handle->db_context;
+    char *search_name, *canon, *flagstr, **names, **key_strings;
+    const char *ename;
+    krb5_db_entry *ent;
+
+    *entry = NULL;
+
+    check(krb5_unparse_name_flags(context, search_for,
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+                                  &search_name));
+    canon = get_string(h, "alias", search_name, NULL);
+    ename = (canon != NULL) ? canon : search_name;
+
+    /* Check that the entry exists. */
+    set_names(h, "princs", ename, NULL);
+    ret = profile_get_relation_names(h->profile, h->names, &names);
+    if (ret == PROF_NO_RELATION) {
+        free(canon);
+        return KRB5_KDB_NOENTRY;
+    }
+    profile_free_list(names);
+
+    ent = ealloc(sizeof(*ent));
+
+    check(krb5_parse_name(context, ename, &ent->princ));
+
+    flagstr = get_string(h, "princs", ename, "flags");
+    if (flagstr != NULL)
+        check(krb5_string_to_flags(flagstr, "+", "-", &ent->attributes));
+    free(flagstr);
+
+    ent->max_life = get_duration(h, "princs", ename, "maxlife");
+    ent->max_renewable_life = get_duration(h, "princs", ename, "maxrenewlife");
+    ent->expiration = get_time(h, "princs", ename, "expiration");
+    ent->pw_expiration = get_time(h, "princs", ename, "pwexpiration");
+
+    /* Leave last_success, last_failed, fail_auth_count zeroed. */
+    /* Leave tl_data and e_data empty. */
+
+    set_names(h, "princs", ename, "keys");
+    ret = profile_get_values(h->profile, h->names, &key_strings);
+    if (ret != PROF_NO_RELATION) {
+        make_keys(key_strings, ename, ent);
+        profile_free_list(key_strings);
+    }
+
+    /* We must include mod-princ data or kadm5_get_principal() won't work and
+     * we can't extract keys with kadmin.local. */
+    check(krb5_dbe_update_mod_princ_data(context, ent, 0, &empty_princ));
+
+    *entry = ent;
+    free(canon);
+    return 0;
+}
+
+static void
+test_free_principal(krb5_context context, krb5_db_entry *entry)
+{
+    krb5_tl_data *tl, *next;
+    int i, j;
+
+    if (entry == NULL)
+        return;
+    free(entry->e_data);
+    krb5_free_principal(context, entry->princ);
+    for (tl = entry->tl_data; tl != NULL; tl = next) {
+        next = tl->tl_data_next;
+        free(tl->tl_data_contents);
+        free(tl);
+    }
+    for (i = 0; i < entry->n_key_data; i++) {
+        for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+            if (entry->key_data[i].key_data_length[j]) {
+                zapfree(entry->key_data[i].key_data_contents[j],
+                        entry->key_data[i].key_data_length[j]);
+            }
+            entry->key_data[i].key_data_contents[j] = NULL;
+            entry->key_data[i].key_data_length[j] = 0;
+            entry->key_data[i].key_data_type[j] = 0;
+        }
+    }
+    free(entry->key_data);
+    free(entry);
+}
+
+static void *
+test_alloc(krb5_context context, void *ptr, size_t size)
+{
+    return realloc(ptr, size);
+}
+
+static void
+test_free(krb5_context context, void *ptr)
+{
+    free(ptr);
+}
+
+static krb5_error_code
+test_fetch_master_key(krb5_context context, krb5_principal mname,
+                      krb5_keyblock *key_out, krb5_kvno *kvno_out,
+                      char *db_args)
+{
+    memset(key_out, 0, sizeof(*key_out));
+    *kvno_out = 0;
+    return 0;
+}
+
+static krb5_error_code
+test_fetch_master_key_list(krb5_context context, krb5_principal mname,
+                           const krb5_keyblock *key,
+                           krb5_keylist_node **mkeys_out)
+{
+    /* krb5_dbe_get_mkvno() returns an error if we produce NULL, so return an
+     * empty node to make kadm5_get_principal() work. */
+    *mkeys_out = ealloc(sizeof(**mkeys_out));
+    return 0;
+}
+
+static krb5_error_code
+test_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
+                      const krb5_key_data *kd, krb5_keyblock *key_out,
+                      krb5_keysalt *salt_out)
+{
+    key_out->magic = KV5M_KEYBLOCK;
+    key_out->enctype = kd->key_data_type[0];
+    key_out->length = kd->key_data_length[0];
+    key_out->contents = ealloc(key_out->length);
+    memcpy(key_out->contents, kd->key_data_contents[0], key_out->length);
+    if (salt_out != NULL) {
+        salt_out->type = (kd->key_data_ver > 1) ? kd->key_data_type[1] :
+            KRB5_KDB_SALTTYPE_NORMAL;
+        salt_out->data = empty_data();
+    }
+    return 0;
+}
+
+static krb5_error_code
+test_encrypt_key_data(krb5_context context, const krb5_keyblock *mkey,
+                      const krb5_keyblock *key, const krb5_keysalt *salt,
+                      int kvno, krb5_key_data *kd_out)
+{
+    memset(kd_out, 0, sizeof(*kd_out));
+    kd_out->key_data_ver = 2;
+    kd_out->key_data_kvno = kvno;
+    kd_out->key_data_type[0] = key->enctype;
+    kd_out->key_data_length[0] = key->length;
+    kd_out->key_data_contents[0] = ealloc(key->length);
+    memcpy(kd_out->key_data_contents[0], key->contents, key->length);
+    kd_out->key_data_type[1] = (salt != NULL) ? salt->type :
+        KRB5_KDB_SALTTYPE_NORMAL;
+    return 0;
+}
+
+static krb5_error_code
+test_check_allowed_to_delegate(krb5_context context,
+                               krb5_const_principal client,
+                               const krb5_db_entry *server,
+                               krb5_const_principal proxy)
+{
+    krb5_error_code ret;
+    testhandle h = context->dal_handle->db_context;
+    char *sprinc, *tprinc, **values, **v;
+    krb5_boolean found = FALSE;
+
+    check(krb5_unparse_name_flags(context, server->princ,
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &sprinc));
+    check(krb5_unparse_name_flags(context, proxy,
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &tprinc));
+    set_names(h, "delegation", sprinc, NULL);
+    ret = profile_get_values(h->profile, h->names, &values);
+    if (ret == PROF_NO_RELATION)
+        return KRB5KDC_ERR_POLICY;
+    for (v = values; *v != NULL; v++) {
+        if (strcmp(*v, tprinc) == 0) {
+            found = TRUE;
+            break;
+        }
+    }
+    profile_free_list(values);
+    return found ? 0 : KRB5KDC_ERR_POLICY;
+}
+
+kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_test, kdb_function_table) = {
+    KRB5_KDB_DAL_MAJOR_VERSION,             /* major version number */
+    0,                                      /* minor version number 0 */
+    test_init,
+    test_cleanup,
+    test_open,
+    test_close,
+    NULL, /* create */
+    NULL, /* destroy */
+    NULL, /* get_age */
+    NULL, /* lock */
+    NULL, /* unlock */
+    test_get_principal,
+    test_free_principal,
+    NULL, /* put_principal */
+    NULL, /* delete_principal */
+    NULL, /* iterate */
+    NULL, /* create_policy */
+    NULL, /* get_policy */
+    NULL, /* put_policy */
+    NULL, /* iter_policy */
+    NULL, /* delete_policy */
+    NULL, /* free_policy */
+    test_alloc,
+    test_free,
+    test_fetch_master_key,
+    test_fetch_master_key_list,
+    NULL, /* store_master_key_list */
+    NULL, /* dbe_search_enctype */
+    NULL, /* change_pwd */
+    NULL, /* promote_db */
+    test_decrypt_key_data,
+    test_encrypt_key_data,
+    NULL, /* sign_authdata */
+    NULL, /* check_transited_realms */
+    NULL, /* check_policy_as */
+    NULL, /* check_policy_tgs */
+    NULL, /* audit_as_req */
+    NULL, /* refresh_config */
+    test_check_allowed_to_delegate
+};
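Review bot: In test_check_allowed_to_delegate the result of profile_get_values() after `set_names(h, "delegation", sprinc, NULL)` is only compared against PROF_NO_RELATION, so any other failure leaves `values` uninitialized and the following loop dereferences it; get_string in the same file aborts on other errors via `check()`, and this function should do the same, since it is the constrained-delegation policy gate and an undefined result must not be readable as an allow. The two unparsed names `sprinc` and `tprinc` are also never released on either return path. The same unchecked-ret pattern appears in test_get_principal around `profile_get_relation_names(h->profile, h->names, &names)` and the `"keys"` lookup, where `search_name` is likewise never freed; adding `check(ret);` after each PROF_NO_RELATION test and `krb5_free_unparsed_name(context, search_name);` before each return would close those. The rewrite below keeps the file's abort-on-error convention and frees both names on every path.
```c
    /* … unchanged: declarations and the two krb5_unparse_name_flags calls … */
    set_names(h, "delegation", sprinc, NULL);
    ret = profile_get_values(h->profile, h->names, &values);
    if (ret != PROF_NO_RELATION) {
        /* Any other profile error is a test-setup bug: fail loudly like
         * get_string() rather than reading an unset values pointer. */
        check(ret);
        for (v = values; *v != NULL; v++) {
            if (strcmp(*v, tprinc) == 0) {
                found = TRUE;
                break;
            }
        }
        profile_free_list(values);
    }
    krb5_free_unparsed_name(context, sprinc);
    krb5_free_unparsed_name(context, tprinc);
    return found ? 0 : KRB5KDC_ERR_POLICY;
}
```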
diff --git a/src/plugins/kdb/test/test.exports b/src/plugins/kdb/test/test.exports
new file mode 100644
index 0000000..f2b7c11
--- /dev/null
+++ b/src/plugins/kdb/test/test.exports
@@ -0,0 +1 @@
+kdb_function_table

