From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Dec 2020 14:07:22 +0100
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
Previous unefficient code encoded the secret multiple times:
secret -> base64 -> masterkey -> base64
To allow smooth upgrade for already existant ccache we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.
Resolves: https://github.com/SSSD/sssd/issues/5349
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 726711ac4..ea5c8f9ee 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
goto done;
}
+ if (strcmp(datatype, "simple") == 0) {
+ /* The secret is stored in b64 encoding, we need to decode it first. */
+ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
+ ret = EIO;
+ goto done;
+ }
+ }
+
buf = sss_iobuf_init_steal(tmp_ctx, data, len);
if (buf == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
--
2.21.3