diff --git a/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch b/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch new file mode 100644 index 0000000..7dc4f76 --- /dev/null +++ b/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch @@ -0,0 +1,49 @@ +From 9b017dbc80cf09b3a2d7e09f771faf70d4538b4f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 13 May 2021 12:18:24 +0200 +Subject: [PATCH 1/5] KCM: return KRB5_FCC_INTERNAL for unknown or not + implemented operation + +sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL` +for cases where operation code is not known or not implemented. See: + +* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785 +* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792 + +We returned different codes before this patch which makes Kerberos to differentiate +between Heimdal and sssd implementation. This leads to errors like: + +* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703 + +Resolves: https://github.com/SSSD/sssd/issues/5628 + +Reviewed-by: Justin Stephenson +--- + src/responder/kcm/kcmsrv_cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 6b11b184124c7cb17be2c7858afda3d56a4dcea6..3ad17ef431bb3d42b39f56d04c97acfc25f06d2f 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -197,7 +197,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf, + if (op_io->op == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Did not find a KCM operation handler for the requested opcode\n"); +- return ERR_KCM_MALFORMED_IN_PKT; ++ return ERR_KCM_OP_NOT_IMPLEMENTED; + } + + /* The operation only receives the payload, not the opcode or the protocol info */ +@@ -643,7 +643,7 @@ krb5_error_code sss2krb5_error(errno_t err) + case EACCES: + return KRB5_FCC_PERM; + case ERR_KCM_OP_NOT_IMPLEMENTED: +- return KRB5_CC_NOSUPP; ++ return KRB5_FCC_INTERNAL; + case ERR_WRONG_NAME_FORMAT: + return KRB5_CC_BADNAME; + case ERR_NO_MATCHING_CREDS: +-- +2.30.2 + diff --git a/0002-SECRETS-Resolve-mkey-path-correctly.patch b/0002-SECRETS-Resolve-mkey-path-correctly.patch new file mode 100644 index 0000000..1e7f330 --- /dev/null +++ b/0002-SECRETS-Resolve-mkey-path-correctly.patch @@ -0,0 +1,104 @@ +From dbde4e692e34d3ff8233ac17a5eae5a062637e48 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Wed, 19 May 2021 10:54:52 -0400 +Subject: [PATCH 2/5] SECRETS: Resolve mkey path correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use the correct master key path for the secrets database, +fixing an issue on upgrade. + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/tests/cmocka/test_kcm_renewals.c | 3 ++- + src/util/secrets/secrets.c | 10 ++++++---- + src/util/secrets/secrets.h | 1 + + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/tests/cmocka/test_kcm_renewals.c b/src/tests/cmocka/test_kcm_renewals.c +index f508bab005ff916a8f2a453670c137a56ac9ba46..53ce558be22cffb486d593bbc8c021b91e8fb2fa 100644 +--- a/src/tests/cmocka/test_kcm_renewals.c ++++ b/src/tests/cmocka/test_kcm_renewals.c +@@ -37,6 +37,7 @@ + #define TESTS_PATH "tp_" BASE_FILE_STEM + #define TEST_CONF_DB "test_kcm_renewals_conf.ldb" + #define TEST_DB_FULL_PATH TESTS_PATH "/secrets.ldb" ++#define TEST_MKEY_FULL_PATH TESTS_PATH "/.secrets.mkey" + + errno_t kcm_renew_all_tgts(TALLOC_CTX *mem_ctx, + struct kcm_renew_tgt_ctx *renew_tgt_ctx, +@@ -199,7 +200,7 @@ static void test_kcm_renewals_tgt(void **state) + open(TEST_DB_FULL_PATH, O_CREAT|O_EXCL|O_WRONLY, 0600); + + ret = sss_sec_init_with_path(test_ctx->ccdb, NULL, TEST_DB_FULL_PATH, +- &secdb->sctx); ++ TEST_MKEY_FULL_PATH, &secdb->sctx); + + /* Create renew ctx */ + renew_tgt_ctx = talloc_zero(test_ctx, struct kcm_renew_tgt_ctx); +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 42df14aa9c6265cbd723f826ce47f35529c4be10..2801eb24263ef8116a7afc294ee91a863295f5be 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -634,13 +634,13 @@ static int generate_master_key(const char *filename, size_t size) + } + + static errno_t lcl_read_mkey(TALLOC_CTX *mem_ctx, +- const char *dbpath, ++ const char *mkeypath, + struct sss_sec_data *master_key) + { + int mfd; + ssize_t size; + errno_t ret; +- const char *mkey = dbpath; ++ const char *mkey = mkeypath; + + master_key->data = talloc_size(mem_ctx, MKEY_SIZE); + if (master_key->data == NULL) { +@@ -703,6 +703,7 @@ static int set_quotas(struct sss_sec_ctx *sec_ctx, + errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx, + struct sss_sec_hive_config **config_list, + const char *dbpath, ++ const char *mkeypath, + struct sss_sec_ctx **_sec_ctx) + { + struct sss_sec_ctx *sec_ctx; +@@ -746,7 +747,7 @@ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = lcl_read_mkey(sec_ctx, dbpath, &sec_ctx->master_key); ++ ret = lcl_read_mkey(sec_ctx, mkeypath, &sec_ctx->master_key); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get the master key\n"); + goto done; +@@ -764,9 +765,10 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx, + struct sss_sec_ctx **_sec_ctx) + { + const char *dbpath = SECRETS_DB_PATH"/secrets.ldb"; ++ const char *mkeypath = SECRETS_DB_PATH"/.secrets.mkey"; + errno_t ret; + +- ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, _sec_ctx); ++ ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, mkeypath, _sec_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize secdb [%d]: %s\n", + ret, sss_strerror(ret)); +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index a15b99ffec6d1810e0c0cf815ed48d118ba2a08c..958f0824b5c89d8cafc249c7ac123ed999931347 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -83,6 +83,7 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx, + errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx, + struct sss_sec_hive_config **config_list, + const char *dbpath, ++ const char *mkeypath, + struct sss_sec_ctx **_sec_ctx); + + errno_t sss_sec_new_req(TALLOC_CTX *mem_ctx, +-- +2.30.2 + diff --git a/0003-UTIL-SECRETS-mistype-fix.patch b/0003-UTIL-SECRETS-mistype-fix.patch new file mode 100644 index 0000000..bd4a187 --- /dev/null +++ b/0003-UTIL-SECRETS-mistype-fix.patch @@ -0,0 +1,51 @@ +From 9777427facccbbe45c855b0319258335dffb986a Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 18 May 2021 12:04:01 +0200 +Subject: [PATCH 3/5] UTIL/SECRETS: mistype fix + +Wrong variable was tested after mem allocation. + +Also fixes following covscan issues: +``` +Error: DEADCODE (CWE-561): +sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL". +sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL". +sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true. +sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;". + # 1009| uid_list = talloc_zero_array(tmp_ctx, const char *, res->count); + # 1010| if (uuid_list == NULL) { + # 1011|-> ret = ENOMEM; + # 1012| goto done; + # 1013| } +``` + +Reviewed-by: Justin Stephenson +--- + src/util/secrets/secrets.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 2801eb24263ef8116a7afc294ee91a863295f5be..6e99e291dd355cc69b0d872f53624ca3446e18ad 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -1002,14 +1002,14 @@ errno_t sss_sec_list_cc_uuids(TALLOC_CTX *mem_ctx, + goto done; + } + +- uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count); ++ uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count); + if (uuid_list == NULL) { + ret = ENOMEM; + goto done; + } + +- uid_list = talloc_zero_array(tmp_ctx, const char *, res->count); +- if (uuid_list == NULL) { ++ uid_list = talloc_zero_array(tmp_ctx, const char *, res->count); ++ if (uid_list == NULL) { + ret = ENOMEM; + goto done; + } +-- +2.30.2 + diff --git a/sssd.spec b/sssd.spec index 5edc6e2..7353b6c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 2.5.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -35,6 +35,10 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz ### Patches ### +Patch0001: 0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch +Patch0002: 0002-SECRETS-Resolve-mkey-path-correctly.patch +Patch0003: 0003-UTIL-SECRETS-mistype-fix.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -998,6 +1002,10 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Wed May 19 2021 Pavel Březina - 2.5.0-2 +- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0 +- Return correct error code for unknown/unsupported operations in sssd-kcm + * Mon May 10 2021 Pavel Březina - 2.5.0-1 - Rebase to SSSD 2.5.0