sssd-2.5.0-2: Fix KCM regression on long upgrade path

Resolves: rhbz#1962006

0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch

@@ -0,0 +1,49 @@
+From 9b017dbc80cf09b3a2d7e09f771faf70d4538b4f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 13 May 2021 12:18:24 +0200
+Subject: [PATCH 1/5] KCM: return KRB5_FCC_INTERNAL for unknown or not
+ implemented operation
+
+sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
+for cases where operation code is not known or not implemented. See:
+
+* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
+* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792
+
+We returned different codes before this patch which makes Kerberos to differentiate
+between Heimdal and sssd implementation. This leads to errors like:
+
+* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703
+
+Resolves: https://github.com/SSSD/sssd/issues/5628
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+---
+ src/responder/kcm/kcmsrv_cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
+index 6b11b184124c7cb17be2c7858afda3d56a4dcea6..3ad17ef431bb3d42b39f56d04c97acfc25f06d2f 100644
+--- a/src/responder/kcm/kcmsrv_cmd.c
++++ b/src/responder/kcm/kcmsrv_cmd.c
+@@ -197,7 +197,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
+     if (op_io->op == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Did not find a KCM operation handler for the requested opcode\n");
+-        return ERR_KCM_MALFORMED_IN_PKT;
++        return ERR_KCM_OP_NOT_IMPLEMENTED;
+     }
+ 
+     /* The operation only receives the payload, not the opcode or the protocol info */
+@@ -643,7 +643,7 @@ krb5_error_code sss2krb5_error(errno_t err)
+     case EACCES:
+         return KRB5_FCC_PERM;
+     case ERR_KCM_OP_NOT_IMPLEMENTED:
+-        return KRB5_CC_NOSUPP;
++        return KRB5_FCC_INTERNAL;
+     case ERR_WRONG_NAME_FORMAT:
+         return KRB5_CC_BADNAME;
+     case ERR_NO_MATCHING_CREDS:
+-- 
+2.30.2
+

0002-SECRETS-Resolve-mkey-path-correctly.patch

@@ -0,0 +1,104 @@
+From dbde4e692e34d3ff8233ac17a5eae5a062637e48 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Wed, 19 May 2021 10:54:52 -0400
+Subject: [PATCH 2/5] SECRETS: Resolve mkey path correctly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the correct master key path for the secrets database,
+fixing an issue on upgrade.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/tests/cmocka/test_kcm_renewals.c |  3 ++-
+ src/util/secrets/secrets.c           | 10 ++++++----
+ src/util/secrets/secrets.h           |  1 +
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/tests/cmocka/test_kcm_renewals.c b/src/tests/cmocka/test_kcm_renewals.c
+index f508bab005ff916a8f2a453670c137a56ac9ba46..53ce558be22cffb486d593bbc8c021b91e8fb2fa 100644
+--- a/src/tests/cmocka/test_kcm_renewals.c
++++ b/src/tests/cmocka/test_kcm_renewals.c
+@@ -37,6 +37,7 @@
+ #define TESTS_PATH "tp_" BASE_FILE_STEM
+ #define TEST_CONF_DB "test_kcm_renewals_conf.ldb"
+ #define TEST_DB_FULL_PATH  TESTS_PATH "/secrets.ldb"
++#define TEST_MKEY_FULL_PATH  TESTS_PATH "/.secrets.mkey"
+ 
+ errno_t kcm_renew_all_tgts(TALLOC_CTX *mem_ctx,
+                            struct kcm_renew_tgt_ctx *renew_tgt_ctx,
+@@ -199,7 +200,7 @@ static void test_kcm_renewals_tgt(void **state)
+     open(TEST_DB_FULL_PATH, O_CREAT|O_EXCL|O_WRONLY, 0600);
+ 
+     ret = sss_sec_init_with_path(test_ctx->ccdb, NULL, TEST_DB_FULL_PATH,
+-                                 &secdb->sctx);
++                                 TEST_MKEY_FULL_PATH, &secdb->sctx);
+ 
+     /* Create renew ctx */
+     renew_tgt_ctx = talloc_zero(test_ctx, struct kcm_renew_tgt_ctx);
+diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
+index 42df14aa9c6265cbd723f826ce47f35529c4be10..2801eb24263ef8116a7afc294ee91a863295f5be 100644
+--- a/src/util/secrets/secrets.c
++++ b/src/util/secrets/secrets.c
+@@ -634,13 +634,13 @@ static int generate_master_key(const char *filename, size_t size)
+ }
+ 
+ static errno_t lcl_read_mkey(TALLOC_CTX *mem_ctx,
+-                             const char *dbpath,
++                             const char *mkeypath,
+                              struct sss_sec_data *master_key)
+ {
+     int mfd;
+     ssize_t size;
+     errno_t ret;
+-    const char *mkey = dbpath;
++    const char *mkey = mkeypath;
+ 
+     master_key->data = talloc_size(mem_ctx, MKEY_SIZE);
+     if (master_key->data == NULL) {
+@@ -703,6 +703,7 @@ static int set_quotas(struct sss_sec_ctx *sec_ctx,
+ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
+                                struct sss_sec_hive_config **config_list,
+                                const char *dbpath,
++                               const char *mkeypath,
+                                struct sss_sec_ctx **_sec_ctx)
+ {
+     struct sss_sec_ctx *sec_ctx;
+@@ -746,7 +747,7 @@ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    ret = lcl_read_mkey(sec_ctx, dbpath, &sec_ctx->master_key);
++    ret = lcl_read_mkey(sec_ctx, mkeypath, &sec_ctx->master_key);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "Cannot get the master key\n");
+         goto done;
+@@ -764,9 +765,10 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
+                      struct sss_sec_ctx **_sec_ctx)
+ {
+     const char *dbpath = SECRETS_DB_PATH"/secrets.ldb";
++    const char *mkeypath = SECRETS_DB_PATH"/.secrets.mkey";
+     errno_t ret;
+ 
+-    ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, _sec_ctx);
++    ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, mkeypath, _sec_ctx);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize secdb [%d]: %s\n",
+                                    ret, sss_strerror(ret));
+diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
+index a15b99ffec6d1810e0c0cf815ed48d118ba2a08c..958f0824b5c89d8cafc249c7ac123ed999931347 100644
+--- a/src/util/secrets/secrets.h
++++ b/src/util/secrets/secrets.h
+@@ -83,6 +83,7 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
+ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
+                                struct sss_sec_hive_config **config_list,
+                                const char *dbpath,
++                               const char *mkeypath,
+                                struct sss_sec_ctx **_sec_ctx);
+ 
+ errno_t sss_sec_new_req(TALLOC_CTX *mem_ctx,
+-- 
+2.30.2
+

0003-UTIL-SECRETS-mistype-fix.patch

@@ -0,0 +1,51 @@
+From 9777427facccbbe45c855b0319258335dffb986a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 18 May 2021 12:04:01 +0200
+Subject: [PATCH 3/5] UTIL/SECRETS: mistype fix
+
+Wrong variable was tested after mem allocation.
+
+Also fixes following covscan issues:
+```
+Error: DEADCODE (CWE-561):
+sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
+sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
+sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
+sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
+ # 1009|   	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
+ # 1010|       if (uuid_list == NULL) {
+ # 1011|->         ret = ENOMEM;
+ # 1012|           goto done;
+ # 1013|       }
+```
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+---
+ src/util/secrets/secrets.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
+index 2801eb24263ef8116a7afc294ee91a863295f5be..6e99e291dd355cc69b0d872f53624ca3446e18ad 100644
+--- a/src/util/secrets/secrets.c
++++ b/src/util/secrets/secrets.c
+@@ -1002,14 +1002,14 @@ errno_t sss_sec_list_cc_uuids(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-	uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
++    uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
+     if (uuid_list == NULL) {
+         ret = ENOMEM;
+         goto done;
+     }
+ 
+-	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
+-    if (uuid_list == NULL) {
++    uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
++    if (uid_list == NULL) {
+         ret = ENOMEM;
+         goto done;
+     }
+-- 
+2.30.2
+

sssd.spec

@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 2.5.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -35,6 +35,10 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz
 
 ### Patches ###
 
+Patch0001: 0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch
+Patch0002: 0002-SECRETS-Resolve-mkey-path-correctly.patch
+Patch0003: 0003-UTIL-SECRETS-mistype-fix.patch
+
 ### Dependencies ###
 
 Requires: sssd-ad = %{version}-%{release}
@@ -998,6 +1002,10 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
+- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
+- Return correct error code for unknown/unsupported operations in sssd-kcm
+
 * Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
 - Rebase to SSSD 2.5.0