rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   bac5982b8b841fe5c1e67a0cb613fa4023938d67
  2.   SOURCES
  3.   0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
Blob History Raw
bac598 
From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
bac598 
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
bac598 
Date: Wed, 9 Dec 2020 14:07:22 +0100
bac598 
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
bac598
bac598 
Previous unefficient code encoded the secret multiple times:
bac598 
  secret -> base64 -> masterkey -> base64
bac598
bac598 
To allow smooth upgrade for already existant ccache we need to also decode
bac598 
the secret if it is still in the old format (type == simple). Otherwise
bac598 
users are not able to log in.
bac598
bac598 
Resolves: https://github.com/SSSD/sssd/issues/5349
bac598
bac598 
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
bac598 
---
bac598 
 src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
bac598 
 1 file changed, 10 insertions(+)
bac598
bac598 
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
bac598 
index 726711ac4..ea5c8f9ee 100644
bac598 
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
bac598 
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
bac598 
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
bac598 
         goto done;
bac598 
     }
bac598
bac598 
+    if (strcmp(datatype, "simple") == 0) {
bac598 
+        /* The secret is stored in b64 encoding, we need to decode it first. */
bac598 
+        data = sss_base64_decode(tmp_ctx, (const char*)data, &len;;
bac598 
+        if (data == NULL) {
bac598 
+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
bac598 
+            ret = EIO;
bac598 
+            goto done;
bac598 
+        }
bac598 
+    }
bac598 
+
bac598 
     buf = sss_iobuf_init_steal(tmp_ctx, data, len);
bac598 
     if (buf == NULL) {
bac598 
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
bac598 
--
bac598 
2.21.3
bac598

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation