rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Use the prompter callback for PEM files

Browse Source 
- backport the callback to use the libkrb5 prompter when we can't load
  PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)
This commit is contained in:
Nalin Dahyabhai 2013-10-14 14:07:19 -04:00
parent 37f8b28f7d
commit 822059250e
2 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
krb5-1.11.3-prompter1.patch Normal file
View File

@ -0,0 +1,91 @@
commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
Author: Nalin Dahyabhai <nalin@redhat.com>
Date: Fri Mar 15 12:05:56 2013 -0400
Add PEM password prompter callback in PKINIT
Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
request a password for encrypted PEM data. Otherwise OpenSSL will use
the controlling terminal.
[ghudson@mit.edu: minor style cleanup, commit message]
ticket: 7590
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6dbda9b..7186ce8 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -656,11 +656,50 @@ cleanup:
return retval;
}
+struct get_key_cb_data {
+ krb5_context context;
+ pkinit_identity_crypto_context id_cryptoctx;
+ char *filename;
+};
+
+static int
+get_key_cb(char *buf, int size, int rwflag, void *userdata)
+{
+ struct get_key_cb_data *data = userdata;
+ pkinit_identity_crypto_context id_cryptoctx;
+ krb5_data rdat;
+ krb5_prompt kprompt;
+ krb5_prompt_type prompt_type;
+ krb5_error_code retval;
+ char *prompt;
+
+ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
+ return -1;
+ rdat.data = buf;
+ rdat.length = size;
+ kprompt.prompt = prompt;
+ kprompt.hidden = 1;
+ kprompt.reply = &rdat;
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+ /* PROMPTER_INVOCATION */
+ k5int_set_prompt_types(data->context, &prompt_type);
+ id_cryptoctx = data->id_cryptoctx;
+ retval = data->id_cryptoctx->prompter(data->context,
+ id_cryptoctx->prompter_data, NULL,
+ NULL, 1, &kprompt);
+ k5int_set_prompt_types(data->context, 0);
+ free(prompt);
+ return retval ? -1 : (int)rdat.length;
+}
+
static krb5_error_code
-get_key(char *filename, EVP_PKEY **retkey)
+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
+ char *filename, EVP_PKEY **retkey)
{
EVP_PKEY *pkey = NULL;
BIO *tmp = NULL;
+ struct get_key_cb_data cb_data;
int code;
krb5_error_code retval;
@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
retval = errno;
goto cleanup;
}
- pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
+ cb_data.context = context;
+ cb_data.id_cryptoctx = id_cryptoctx;
+ cb_data.filename = filename;
+ pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
if (pkey == NULL) {
retval = EIO;
pkiDebug("failed to read private key from %s\n", filename);
@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
pkiDebug("failed to load user's certificate from '%s'\n", certname);
goto cleanup;
}
- retval = get_key(keyname, &y);
+ retval = get_key(context, id_cryptoctx, keyname, &y);
if (retval != 0 || y == NULL) {
pkiDebug("failed to load user's private key from '%s'\n", keyname);
goto cleanup;

8
krb5.spec
View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.11.3 Version: 1.11.3
Release: 23%{?dist} Release: 24%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -106,6 +106,7 @@ Patch132: krb5-1.11-gss-methods1.patch
Patch133: krb5-1.11-gss-methods2.patch Patch133: krb5-1.11-gss-methods2.patch
Patch134: krb5-1.11-kpasswdtest.patch Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-1.11-check_transited.patch Patch135: krb5-1.11-check_transited.patch
Patch136: krb5-1.11.3-prompter1.patch
# Patches for otp plugin backport # Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch Patch201: krb5-1.11.2-keycheck.patch
@ -349,6 +350,7 @@ ln -s NOTICE LICENSE
%patch133 -p1 -b .gss-methods2 %patch133 -p1 -b .gss-methods2
%patch134 -p1 -b .kpasswdtest %patch134 -p1 -b .kpasswdtest
%patch135 -p1 -b .check_transited %patch135 -p1 -b .check_transited
%patch136 -p1 -b .prompter1
%patch201 -p1 -b .keycheck %patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp %patch202 -p1 -b .otp
@ -994,6 +996,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-24
- backport the callback to use the libkrb5 prompter when we can't load PEM
files for PKINIT (RT#7590, includes part of #965721/#1016690)
* Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-23 * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-23
- fix trigger scriptlet's invocation of sed (#1016945) - fix trigger scriptlet's invocation of sed (#1016945)