From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Wed, 9 Dec 2020 14:07:22 +0100 Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path Previous unefficient code encoded the secret multiple times: secret -> base64 -> masterkey -> base64 To allow smooth upgrade for already existant ccache we need to also decode the secret if it is still in the old format (type == simple). Otherwise users are not able to log in. Resolves: https://github.com/SSSD/sssd/issues/5349 Reviewed-by: Alexey Tikhonov --- src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c index 726711ac4..ea5c8f9ee 100644 --- a/src/responder/kcm/kcmsrv_ccache_secdb.c +++ b/src/responder/kcm/kcmsrv_ccache_secdb.c @@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, goto done; } + if (strcmp(datatype, "simple") == 0) { + /* The secret is stored in b64 encoding, we need to decode it first. */ + data = sss_base64_decode(tmp_ctx, (const char*)data, &len); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); + ret = EIO; + goto done; + } + } + buf = sss_iobuf_init_steal(tmp_ctx, data, len); if (buf == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); -- 2.21.3