From 968f95e90a4d63bd05e611cefa05e574507024fa Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Dec 11 2020 10:30:39 +0000
Subject: sssd-2.4.0-6 - improve kcm performance

---

diff --git a/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch b/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
new file mode 100644
index 0000000..6c45514
--- /dev/null
+++ b/0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
@@ -0,0 +1,43 @@
+From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Wed, 9 Dec 2020 14:07:22 +0100
+Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
+
+Previous unefficient code encoded the secret multiple times:
+ secret -> base64 -> masterkey -> base64
+
+To allow smooth upgrade for already existant ccache we need to also decode
+the secret if it is still in the old format (type == simple). Otherwise
+users are not able to log in.
+
+Resolves: https://github.com/SSSD/sssd/issues/5349
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
+index 726711ac441c40a6bfc84045e9b3e5b85505c7e0..ea5c8f9ee36ddc6008ea80693d3e28c4de5a00c1 100644
+--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
+@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+ 
++ if (strcmp(datatype, "simple") == 0) {
++ /* The secret is stored in b64 encoding, we need to decode it first. */
++ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
++ if (data == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
++ ret = EIO;
++ goto done;
++ }
++ }
++
+ buf = sss_iobuf_init_steal(tmp_ctx, data, len);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
+--
+2.25.4
+
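Review bot: The new `data = sss_base64_decode(tmp_ctx, (const char*)data, &len);` line treats the stored secret as a NUL-terminated string even though the surrounding code tracks its size in `len`, so if the persisted blob is not guaranteed to be terminated the decoder can read past it. Where `data` and `len` are filled in is above the hunk (sec_get starts outside it), so this is inferred; if the store does not guarantee termination, decode from a bounded copy such as `talloc_strndup(tmp_ctx, (const char *)data, len)` with its own NULL check. `strcmp(datatype, "simple")` likewise assumes `datatype` is never NULL, which holds only if the lookup defaults the type (the spec's Patch0017 name suggests a missing enctype is defaulted, but that is not visible here). Since this is credential material, the still-encoded copy left on `tmp_ctx` after a successful decode is worth zeroing explicitly before `done:` rather than leaving it to `talloc_free`.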
diff --git a/sssd.spec b/sssd.spec index f5371de..f73e535 100644 --- a/sssd.spec +++ b/sssd.spec @@ -29,7 +29,7 @@ Name: sssd Version: 2.4.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -55,6 +55,8 @@ Patch0016: 0016-secrets-fix-may_payload_size-exceeded-debug-message.patch Patch0017: 0017-secrets-default-to-plaintext-if-enctype-attr-is-miss.patch Patch0018: 0018-secrets-move-attrs-names-to-macros.patch Patch0019: 0019-secrets-remove-base64-enctype.patch +Patch0020: 0020-kcm-decode-base64-encoded-secret-on-upgrade-path.patch + ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1033,6 +1035,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Dec 11 2020 Pavel Březina - 2.4.0-6 +- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624) + * Mon Dec 7 2020 Pavel Březina - 2.4.0-5 - Improve sssd-kcm performance (rhbz#1645624)