diff options
| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-14 14:07:56 -0400 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-14 14:07:56 -0400 |
| commit | 84fe7d69da04d0075771836c85f6845b40ffc9a4 (patch) | |
| tree | 40deeca473570668be14ddab1b8982f07152bd22 | |
| parent | 822059250ed700d2a5b69af466c6a54479ce7797 (diff) | |
| download | krb5-84fe7d69da04d0075771836c85f6845b40ffc9a4.tar.gz krb5-84fe7d69da04d0075771836c85f6845b40ffc9a4.tar.xz krb5-84fe7d69da04d0075771836c85f6845b40ffc9a4.zip | |
Finish fixing the don't-call-NULL-prompters bugkrb5-1.11.3-24.fc21krb5-1.11.3-24.fc20
- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
| -rw-r--r-- | krb5-1.11.3-prompter2.patch | 55 | ||||
| -rw-r--r-- | krb5.spec | 3 |
2 files changed, 58 insertions, 0 deletions
diff --git a/krb5-1.11.3-prompter2.patch b/krb5-1.11.3-prompter2.patch new file mode 100644 index 0000000..015284d --- /dev/null +++ b/krb5-1.11.3-prompter2.patch @@ -0,0 +1,55 @@ +Don't call a prompter function if it's NULL, as it can be, depending on +which code path we were called from. Part of the larger responder retrofit +coming in 1.12 (RT#7680). + +--- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl + krb5_error_code retval; + char *prompt; + ++ if (data->id_cryptoctx->prompter == NULL) ++ return -1; + if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0) + return -1; + rdat.data = buf; +@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context, + prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + + /* PROMPTER_INVOCATION */ +- k5int_set_prompt_types(context, &prompt_type); +- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, +- NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ if (id_cryptoctx->prompter == NULL) { ++ r = KRB5_LIBOS_CANTREADPWD; ++ rdat.data = NULL; ++ } else { ++ k5int_set_prompt_types(context, &prompt_type); ++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, ++ NULL, NULL, 1, &kprompt); ++ k5int_set_prompt_types(context, 0); ++ } + free(prompt); + } + +@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con + prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + + /* PROMPTER_INVOCATION */ +- k5int_set_prompt_types(context, &prompt_type); +- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, +- NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ if (*id_cryptoctx->prompter == NULL) { ++ retval = KRB5_LIBOS_CANTREADPWD; ++ goto cleanup; ++ } else { ++ k5int_set_prompt_types(context, &prompt_type); ++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, ++ NULL, NULL, 1, &kprompt); ++ k5int_set_prompt_types(context, 0); ++ } + + ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); + if (ret == 0) { @@ -107,6 +107,7 @@ Patch133: krb5-1.11-gss-methods2.patch Patch134: krb5-1.11-kpasswdtest.patch Patch135: krb5-1.11-check_transited.patch Patch136: krb5-1.11.3-prompter1.patch +Patch137: krb5-1.11.3-prompter2.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -351,6 +352,7 @@ ln -s NOTICE LICENSE %patch134 -p1 -b .kpasswdtest %patch135 -p1 -b .check_transited %patch136 -p1 -b .prompter1 +%patch137 -p1 -b .prompter2 %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -999,6 +1001,7 @@ exit 0 * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-24 - backport the callback to use the libkrb5 prompter when we can't load PEM files for PKINIT (RT#7590, includes part of #965721/#1016690) +- extract the rest of the fix #965721/#1016690 from the changes for RT#7680 * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-23 - fix trigger scriptlet's invocation of sed (#1016945) |