author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-14 14:07:19 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-14 14:07:19 -0400 |
commit | 822059250ed700d2a5b69af466c6a54479ce7797 (patch) | |
tree | a6669118363dacf5038fe4f015eb790955e92f54 | |
parent | 37f8b28f7dd408784b377bbad818ac5a33d2512d (diff) | |
Use the prompter callback for PEM files
- backport the callback that uses the libkrb5 prompter when PEM files for
PKINIT cannot be loaded without a pass phrase (RT#7590, includes part of #965721/#1016690)
-rw-r--r-- | krb5-1.11.3-prompter1.patch | 91 | ||||
-rw-r--r-- | krb5.spec | 8 |
2 files changed, 98 insertions, 1 deletions
diff --git a/krb5-1.11.3-prompter1.patch b/krb5-1.11.3-prompter1.patch
new file mode 100644
index 0000000..e8d393d
--- /dev/null
+++ b/krb5-1.11.3-prompter1.patch
@@ -0,0 +1,91 @@
+commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
+Author: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri Mar 15 12:05:56 2013 -0400
+
+ Add PEM password prompter callback in PKINIT
+
+ Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
+ request a password for encrypted PEM data. Otherwise OpenSSL will use
+ the controlling terminal.
+
+ [ghudson@mit.edu: minor style cleanup, commit message]
+
+ ticket: 7590
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 6dbda9b..7186ce8 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -656,11 +656,50 @@ cleanup:
+ return retval;
+ }
+
++struct get_key_cb_data {
++ krb5_context context;
++ pkinit_identity_crypto_context id_cryptoctx;
++ char *filename;
++};
++
++static int
++get_key_cb(char *buf, int size, int rwflag, void *userdata)
++{
++ struct get_key_cb_data *data = userdata;
++ pkinit_identity_crypto_context id_cryptoctx;
++ krb5_data rdat;
++ krb5_prompt kprompt;
++ krb5_prompt_type prompt_type;
++ krb5_error_code retval;
++ char *prompt;
++
++ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
++ return -1;
++ rdat.data = buf;
++ rdat.length = size;
++ kprompt.prompt = prompt;
++ kprompt.hidden = 1;
++ kprompt.reply = &rdat;
++ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
++
++ /* PROMPTER_INVOCATION */
++ k5int_set_prompt_types(data->context, &prompt_type);
++ id_cryptoctx = data->id_cryptoctx;
++ retval = data->id_cryptoctx->prompter(data->context,
++ id_cryptoctx->prompter_data, NULL,
++ NULL, 1, &kprompt);
++ k5int_set_prompt_types(data->context, 0);
++ free(prompt);
++ return retval ?
-1 : (int)rdat.length;
++}
++
+ static krb5_error_code
+-get_key(char *filename, EVP_PKEY **retkey)
++get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
++ char *filename, EVP_PKEY **retkey)
+ {
+ EVP_PKEY *pkey = NULL;
+ BIO *tmp = NULL;
++ struct get_key_cb_data cb_data;
+ int code;
+ krb5_error_code retval;
+
+@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
+ retval = errno;
+ goto cleanup;
+ }
+- pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
++ cb_data.context = context;
++ cb_data.id_cryptoctx = id_cryptoctx;
++ cb_data.filename = filename;
++ pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
+ if (pkey == NULL) {
+ retval = EIO;
+ pkiDebug("failed to read private key from %s\n", filename);
+@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
+ pkiDebug("failed to load user's certificate from '%s'\n", certname);
+ goto cleanup;
+ }
+- retval = get_key(keyname, &y);
++ retval = get_key(context, id_cryptoctx, keyname, &y);
+ if (retval != 0 || y == NULL) {
+ pkiDebug("failed to load user's private key from '%s'\n", keyname);
+ goto cleanup;
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 23%{?dist}
+Release: 24%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -106,6 +106,7 @@ Patch132: krb5-1.11-gss-methods1.patch
 Patch133: krb5-1.11-gss-methods2.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch135: krb5-1.11-check_transited.patch
+Patch136: krb5-1.11.3-prompter1.patch
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -349,6 +350,7 @@ ln -s NOTICE LICENSE
 %patch133 -p1 -b .gss-methods2
 %patch134 -p1 -b .kpasswdtest
 %patch135 -p1 -b .check_transited
+%patch136 -p1 -b .prompter1
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
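Review bot: `get_key_cb` calls `data->id_cryptoctx->prompter(...)` unconditionally, but nothing in the hunk guarantees that `id_cryptoctx->prompter` is non-NULL; if get_key() is ever reached through a path that never installed a prompter (a non-interactive caller, or identity loading outside the client preauth entry point), an encrypted PEM key turns into a NULL function-pointer call and a crash, where the old `PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL)` would at worst have fallen back to OpenSSL's own terminal prompt. Guard it at the top of the callback, before the `asprintf`, with `if (data->id_cryptoctx->prompter == NULL) return -1;`, which makes a missing prompter fail the same way the existing asprintf-failure path already does. Two smaller points: `k5int_set_prompt_types(data->context, 0)` passes a bare `0` for a pointer argument, so write `NULL` as the matching call above it does, and the local `id_cryptoctx` is only used for `prompter_data` while the call itself goes through `data->id_cryptoctx` — use the local for both or drop it. `get_key`'s body and the `pkinit_load_fs_cert_and_key` caller both continue outside this hunk.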
@@ -994,6 +996,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-24 +- backport the callback to use the libkrb5 prompter when we can't load PEM + files for PKINIT (RT#7590, includes part of #965721/#1016690) + * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-23 - fix trigger scriptlet's invocation of sed (#1016945) |