Drop backport for RT#7590 and partial for RT#7680
This commit is contained in:
parent
19bc209a19
commit
00cf6df3e6
@ -1,91 +0,0 @@
|
||||
commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
|
||||
Author: Nalin Dahyabhai <nalin@redhat.com>
|
||||
Date: Fri Mar 15 12:05:56 2013 -0400
|
||||
|
||||
Add PEM password prompter callback in PKINIT
|
||||
|
||||
Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
|
||||
request a password for encrypted PEM data. Otherwise OpenSSL will use
|
||||
the controlling terminal.
|
||||
|
||||
[ghudson@mit.edu: minor style cleanup, commit message]
|
||||
|
||||
ticket: 7590
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 6dbda9b..7186ce8 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -656,11 +656,50 @@ cleanup:
|
||||
return retval;
|
||||
}
|
||||
|
||||
+struct get_key_cb_data {
|
||||
+ krb5_context context;
|
||||
+ pkinit_identity_crypto_context id_cryptoctx;
|
||||
+ char *filename;
|
||||
+};
|
||||
+
|
||||
+static int
|
||||
+get_key_cb(char *buf, int size, int rwflag, void *userdata)
|
||||
+{
|
||||
+ struct get_key_cb_data *data = userdata;
|
||||
+ pkinit_identity_crypto_context id_cryptoctx;
|
||||
+ krb5_data rdat;
|
||||
+ krb5_prompt kprompt;
|
||||
+ krb5_prompt_type prompt_type;
|
||||
+ krb5_error_code retval;
|
||||
+ char *prompt;
|
||||
+
|
||||
+ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
|
||||
+ return -1;
|
||||
+ rdat.data = buf;
|
||||
+ rdat.length = size;
|
||||
+ kprompt.prompt = prompt;
|
||||
+ kprompt.hidden = 1;
|
||||
+ kprompt.reply = &rdat;
|
||||
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
|
||||
+
|
||||
+ /* PROMPTER_INVOCATION */
|
||||
+ k5int_set_prompt_types(data->context, &prompt_type);
|
||||
+ id_cryptoctx = data->id_cryptoctx;
|
||||
+ retval = data->id_cryptoctx->prompter(data->context,
|
||||
+ id_cryptoctx->prompter_data, NULL,
|
||||
+ NULL, 1, &kprompt);
|
||||
+ k5int_set_prompt_types(data->context, 0);
|
||||
+ free(prompt);
|
||||
+ return retval ? -1 : (int)rdat.length;
|
||||
+}
|
||||
+
|
||||
static krb5_error_code
|
||||
-get_key(char *filename, EVP_PKEY **retkey)
|
||||
+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
|
||||
+ char *filename, EVP_PKEY **retkey)
|
||||
{
|
||||
EVP_PKEY *pkey = NULL;
|
||||
BIO *tmp = NULL;
|
||||
+ struct get_key_cb_data cb_data;
|
||||
int code;
|
||||
krb5_error_code retval;
|
||||
|
||||
@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
}
|
||||
- pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
|
||||
+ cb_data.context = context;
|
||||
+ cb_data.id_cryptoctx = id_cryptoctx;
|
||||
+ cb_data.filename = filename;
|
||||
+ pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
|
||||
if (pkey == NULL) {
|
||||
retval = EIO;
|
||||
pkiDebug("failed to read private key from %s\n", filename);
|
||||
@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
|
||||
pkiDebug("failed to load user's certificate from '%s'\n", certname);
|
||||
goto cleanup;
|
||||
}
|
||||
- retval = get_key(keyname, &y);
|
||||
+ retval = get_key(context, id_cryptoctx, keyname, &y);
|
||||
if (retval != 0 || y == NULL) {
|
||||
pkiDebug("failed to load user's private key from '%s'\n", keyname);
|
||||
goto cleanup;
|
@ -1,55 +0,0 @@
|
||||
Don't call a prompter function if it's NULL, as it can be, depending on
|
||||
which code path we were called from. Part of the larger responder retrofit
|
||||
coming in 1.12 (RT#7680).
|
||||
|
||||
--- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl
|
||||
krb5_error_code retval;
|
||||
char *prompt;
|
||||
|
||||
+ if (data->id_cryptoctx->prompter == NULL)
|
||||
+ return -1;
|
||||
if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
|
||||
return -1;
|
||||
rdat.data = buf;
|
||||
@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context,
|
||||
prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
|
||||
|
||||
/* PROMPTER_INVOCATION */
|
||||
- k5int_set_prompt_types(context, &prompt_type);
|
||||
- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
|
||||
- NULL, NULL, 1, &kprompt);
|
||||
- k5int_set_prompt_types(context, 0);
|
||||
+ if (id_cryptoctx->prompter == NULL) {
|
||||
+ r = KRB5_LIBOS_CANTREADPWD;
|
||||
+ rdat.data = NULL;
|
||||
+ } else {
|
||||
+ k5int_set_prompt_types(context, &prompt_type);
|
||||
+ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
|
||||
+ NULL, NULL, 1, &kprompt);
|
||||
+ k5int_set_prompt_types(context, 0);
|
||||
+ }
|
||||
free(prompt);
|
||||
}
|
||||
|
||||
@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con
|
||||
prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
|
||||
|
||||
/* PROMPTER_INVOCATION */
|
||||
- k5int_set_prompt_types(context, &prompt_type);
|
||||
- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
|
||||
- NULL, NULL, 1, &kprompt);
|
||||
- k5int_set_prompt_types(context, 0);
|
||||
+ if (*id_cryptoctx->prompter == NULL) {
|
||||
+ retval = KRB5_LIBOS_CANTREADPWD;
|
||||
+ goto cleanup;
|
||||
+ } else {
|
||||
+ k5int_set_prompt_types(context, &prompt_type);
|
||||
+ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
|
||||
+ NULL, NULL, 1, &kprompt);
|
||||
+ k5int_set_prompt_types(context, 0);
|
||||
+ }
|
||||
|
||||
ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
|
||||
if (ret == 0) {
|
@ -93,8 +93,6 @@ Patch126: krb5-1.11.2-skew2.patch
|
||||
Patch129: krb5-1.11-run_user_0.patch
|
||||
Patch131: krb5-1.11.3-skew3.patch
|
||||
Patch134: krb5-1.11-kpasswdtest.patch
|
||||
Patch136: krb5-1.11.3-prompter1.patch
|
||||
Patch137: krb5-1.11.3-prompter2.patch
|
||||
Patch138: krb5-master-keyring-offsets.patch
|
||||
Patch139: krb5-master-keyring-expiration.patch
|
||||
|
||||
@ -320,8 +318,6 @@ ln -s NOTICE LICENSE
|
||||
|
||||
%patch131 -p1 -b .skew3
|
||||
%patch134 -p1 -b .kpasswdtest
|
||||
%patch136 -p1 -b .prompter1
|
||||
%patch137 -p1 -b .prompter2
|
||||
%patch138 -p1 -b .keyring-offsets
|
||||
%patch139 -p1 -b .keyring-expiration
|
||||
|
||||
@ -1023,6 +1019,7 @@ exit 0
|
||||
often give us trouble, too; obsolete
|
||||
- drop backports for RT#7682
|
||||
- drop backport for RT#7709
|
||||
- drop backport for RT#7590 and partial backport for RT#7680
|
||||
|
||||
* Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26
|
||||
- create and own /etc/gss (#1019937)
|
||||
|
Loading…
Reference in New Issue
Block a user