author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-15 17:31:49 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-11-19 17:38:54 -0500 |
commit | 00cf6df3e6e8bd359d5c1c4f4f79f416039d5b09 (patch) | |
tree | 1f3778bf72192f6a34b554113786e6298ac4adbc | |
parent | 19bc209a190ea8166cacb92576925c0031da6eb5 (diff) | |
Drop backport for RT#7590 and partial for RT#7680
-rw-r--r-- | krb5-1.11.3-prompter1.patch | 91 | ||||
-rw-r--r-- | krb5-1.11.3-prompter2.patch | 55 | ||||
-rw-r--r-- | krb5.spec | 5 |
3 files changed, 1 insertions, 150 deletions
diff --git a/krb5-1.11.3-prompter1.patch b/krb5-1.11.3-prompter1.patch
deleted file mode 100644
index e8d393d..0000000
--- a/krb5-1.11.3-prompter1.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
-Author: Nalin Dahyabhai <nalin@redhat.com>
-Date: Fri Mar 15 12:05:56 2013 -0400
-
- Add PEM password prompter callback in PKINIT
-
- Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
- request a password for encrypted PEM data. Otherwise OpenSSL will use
- the controlling terminal.
-
- [ghudson@mit.edu: minor style cleanup, commit message]
-
- ticket: 7590
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 6dbda9b..7186ce8 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -656,11 +656,50 @@ cleanup:
- return retval;
- }
-
-+struct get_key_cb_data {
-+ krb5_context context;
-+ pkinit_identity_crypto_context id_cryptoctx;
-+ char *filename;
-+};
-+
-+static int
-+get_key_cb(char *buf, int size, int rwflag, void *userdata)
-+{
-+ struct get_key_cb_data *data = userdata;
-+ pkinit_identity_crypto_context id_cryptoctx;
-+ krb5_data rdat;
-+ krb5_prompt kprompt;
-+ krb5_prompt_type prompt_type;
-+ krb5_error_code retval;
-+ char *prompt;
-+
-+ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
-+ return -1;
-+ rdat.data = buf;
-+ rdat.length = size;
-+ kprompt.prompt = prompt;
-+ kprompt.hidden = 1;
-+ kprompt.reply = &rdat;
-+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-+
-+ /* PROMPTER_INVOCATION */
-+ k5int_set_prompt_types(data->context, &prompt_type);
-+ id_cryptoctx = data->id_cryptoctx;
-+ retval = data->id_cryptoctx->prompter(data->context,
-+ id_cryptoctx->prompter_data, NULL,
-+ NULL, 1, &kprompt);
-+ k5int_set_prompt_types(data->context, 0);
-+ free(prompt);
-+ return retval ? -1 : (int)rdat.length;
-+}
-+
- static krb5_error_code
--get_key(char *filename, EVP_PKEY **retkey)
-+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
-+ char *filename, EVP_PKEY **retkey)
- {
- EVP_PKEY *pkey = NULL;
- BIO *tmp = NULL;
-+ struct get_key_cb_data cb_data;
- int code;
- krb5_error_code retval;
-
-@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
- retval = errno;
- goto cleanup;
- }
-- pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
-+ cb_data.context = context;
-+ cb_data.id_cryptoctx = id_cryptoctx;
-+ cb_data.filename = filename;
-+ pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
- if (pkey == NULL) {
- retval = EIO;
- pkiDebug("failed to read private key from %s\n", filename);
-@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
- pkiDebug("failed to load user's certificate from '%s'\n", certname);
- goto cleanup;
- }
-- retval = get_key(keyname, &y);
-+ retval = get_key(context, id_cryptoctx, keyname, &y);
- if (retval != 0 || y == NULL) {
- pkiDebug("failed to load user's private key from '%s'\n", keyname);
- goto cleanup;
diff --git a/krb5-1.11.3-prompter2.patch b/krb5-1.11.3-prompter2.patch
deleted file mode 100644
index 015284d..0000000
--- a/krb5-1.11.3-prompter2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Don't call a prompter function if it's NULL, as it can be, depending on
-which code path we were called from. Part of the larger responder retrofit
-coming in 1.12 (RT#7680).
-
---- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl
- krb5_error_code retval;
- char *prompt;
-
-+ if (data->id_cryptoctx->prompter == NULL)
-+ return -1;
- if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
- return -1;
- rdat.data = buf;
-@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context,
- prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-
- /* PROMPTER_INVOCATION */
-- k5int_set_prompt_types(context, &prompt_type);
-- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
-- NULL, NULL, 1, &kprompt);
-- k5int_set_prompt_types(context, 0);
-+ if (id_cryptoctx->prompter == NULL) {
-+ r = KRB5_LIBOS_CANTREADPWD;
-+ rdat.data = NULL;
-+ } else {
-+ k5int_set_prompt_types(context, &prompt_type);
-+ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
-+ NULL, NULL, 1, &kprompt);
-+ k5int_set_prompt_types(context, 0);
-+ }
- free(prompt);
- }
-
-@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con
- prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-
- /* PROMPTER_INVOCATION */
-- k5int_set_prompt_types(context, &prompt_type);
-- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
-- NULL, NULL, 1, &kprompt);
-- k5int_set_prompt_types(context, 0);
-+ if (*id_cryptoctx->prompter == NULL) {
-+ retval = KRB5_LIBOS_CANTREADPWD;
-+ goto cleanup;
-+ } else {
-+ k5int_set_prompt_types(context, &prompt_type);
-+ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
-+ NULL, NULL, 1, &kprompt);
-+ k5int_set_prompt_types(context, 0);
-+ }
-
- ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
- if (ret == 0) {
@@ -93,8 +93,6 @@ Patch126: krb5-1.11.2-skew2.patch Patch129: krb5-1.11-run_user_0.patch Patch131: krb5-1.11.3-skew3.patch Patch134: krb5-1.11-kpasswdtest.patch -Patch136: krb5-1.11.3-prompter1.patch -Patch137: krb5-1.11.3-prompter2.patch Patch138: krb5-master-keyring-offsets.patch Patch139: krb5-master-keyring-expiration.patch @@ -320,8 +318,6 @@ ln -s NOTICE LICENSE %patch131 -p1 -b .skew3 %patch134 -p1 -b .kpasswdtest -%patch136 -p1 -b .prompter1 -%patch137 -p1 -b .prompter2 %patch138 -p1 -b .keyring-offsets %patch139 -p1 -b .keyring-expiration @@ -1023,6 +1019,7 @@ exit 0 often give us trouble, too; obsolete - drop backports for RT#7682 - drop backport for RT#7709 + - drop backport for RT#7590 and partial backport for RT#7680 * Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26 - create and own /etc/gss (#1019937) |