From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Wed, 9 Dec 2020 14:07:22 +0100

Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path

Previous unefficient code encoded the secret multiple times:

  secret -> base64 -> masterkey -> base64

To allow smooth upgrade for already existant ccache we need to also decode

the secret if it is still in the old format (type == simple). Otherwise

users are not able to log in.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

---

 src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++

 1 file changed, 10 insertions(+)

diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c

index 726711ac4..ea5c8f9ee 100644

--- a/src/responder/kcm/kcmsrv_ccache_secdb.c

+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c

@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,

         goto done;

     }

+    if (strcmp(datatype, "simple") == 0) {

+        /* The secret is stored in b64 encoding, we need to decode it first. */

+        data = sss_base64_decode(tmp_ctx, (const char*)data, &len;;

+        if (data == NULL) {

+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");

+            ret = EIO;

+            goto done;

+        }

+    }

+

     buf = sss_iobuf_init_steal(tmp_ctx, data, len);

     if (buf == NULL) {

         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");

-- 

2.21.3