sssd/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch

From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Dec 2020 14:07:22 +0100
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path

Previous unefficient code encoded the secret multiple times:
  secret -> base64 -> masterkey -> base64

To allow smooth upgrade for already existant ccache we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 726711ac4..ea5c8f9ee 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    if (strcmp(datatype, "simple") == 0) {
+        /* The secret is stored in b64 encoding, we need to decode it first. */
+        data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
+        if (data == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
+            ret = EIO;
+            goto done;
+        }
+    }
+
     buf = sss_iobuf_init_steal(tmp_ctx, data, len);
     if (buf == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
-- 
2.21.3