a6f606117e5cfe64c4b49f94e514bf82054716d3 |
|
24-Jul-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CRYPTO: Do not call NSS_Shutdown after every operation
Calling setup and teardown on every encryption causes issues like the one
described in https://bugzilla.redhat.com/show_bug.cgi?id=1456151
eventually.
Similarly to other crypto functions, don't tear down NSS by calling
NSS_Shutdown. Let the OS reclaim the resources.
Resolves:
https://pagure.io/SSSD/sssd/issue/3424
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
625bb2ddf15e8f305a53afa44e87f2146fa930af |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Secrets: Add encryption at rest
Generates a master key file if it doesn't exist and encrypts secrets
using the master key contained in the file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9faab6d48145d3a0d7b9a225ed35bdcaa32eca2c |
|
28-Apr-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
CRYPTO: Fix access to uninitialized data
The size of the output buffer (obufsize) was longer than the initialised data.
In the calculation, uint32_t was used for the length of the cryptotext,
but uint16_t was written into the buffer. The end of the buffer was not initialised
and it caused a valgrind warning.
    Use of uninitialised value of size 8
       at 0x37AE40F363: pl_base64_encode_buffer (nssb64e.c:180)
       by 0x37AE40F6ED: NSSBase64_EncodeItem_Util (nssb64e.c:482)
       by 0x37AE40F87A: BTOA_DataToAscii_Util (nssb64e.c:721)
       by 0x40208A: sss_base64_encode (nss_base64.c:47)
       by 0x403305: sss_password_encrypt (nss_obfuscate.c:358)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                        SSSDBG_FATAL_FAILURE
                        SSSDBG_CRIT_FAILURE
                        SSSDBG_OP_FAILURE
                        SSSDBG_MINOR_FAILURE
                        SSSDBG_CONF_SETTINGS
                        SSSDBG_FUNC_DATA
                        SSSDBG_TRACE_FUNC
                        SSSDBG_TRACE_LIBS
                        SSSDBG_TRACE_INTERNAL
                        SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                        ^
                        (
                            .*
                            \b
                            (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                            \s*
                            \(\s*
                        )(
                            [0-9]
                        )(
                            \s*,
                        )
                        (
                            \s*
                        )
                        (
                            .*
                        )
                        $
                     /
                        $repl = $1.$map[$3].$4.$5.$6,
                        length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                     /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
274fe6a4f8bcb23e31929430110c0b52e9ce233a |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Check for correct variable name
https://fedorahosted.org/sssd/ticket/1864 |
c7919a4fe41133cc466aa3d9431bfceee5784e7b |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
UTIL: Provide base64 encoding and decoding functions |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
4a6a5421113ab662a665c62ed6a24b61a5a36950 |
|
28-Sep-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Multiline macro cleanup
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again. |
324fb26ba803a999bedc29e93c46c84f27abf5b7 |
|
23-May-2011 |
Sumit Bose <sbose@redhat.com> |
Set _GNU_SOURCE globally |
911c75f1555742d78568635f1bc0549116eabd4a |
|
21-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Fix uninitialized value error |
fd72f761edb0b11265ce3293b56a4a4fa0d1a317 |
|
20-Jan-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
NSS obfuscation code cleanup
https://fedorahosted.org/sssd/ticket/752 |
6057958313bde8dc0f43dc97d2ba3e0897722382 |
|
15-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix parameter order when initializing decryption |
69aaef8719c5cf33ed1c4090fa313ba281bf8a02 |
|
08-Sep-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Password obfuscation utility functions
Adds two utility functions to obfuscate a password and inverse to
extract the cleartext password back.
So far, only NSS-based implementation is provided. |