From 84fe7d69da04d0075771836c85f6845b40ffc9a4 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 14 Oct 2013 14:07:56 -0400 Subject: [PATCH] Finish fixing the don't-call-NULL-prompters bug - extract the rest of the fix #965721/#1016690 from the changes for RT#7680 --- krb5-1.11.3-prompter2.patch | 55 +++++++++++++++++++++++++++++++++++++ krb5.spec | 3 ++ 2 files changed, 58 insertions(+) create mode 100644 krb5-1.11.3-prompter2.patch diff --git a/krb5-1.11.3-prompter2.patch b/krb5-1.11.3-prompter2.patch new file mode 100644 index 0000000..015284d --- /dev/null +++ b/krb5-1.11.3-prompter2.patch @@ -0,0 +1,55 @@ +Don't call a prompter function if it's NULL, as it can be, depending on +which code path we were called from. Part of the larger responder retrofit +coming in 1.12 (RT#7680). + +--- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl + krb5_error_code retval; + char *prompt; + ++ if (data->id_cryptoctx->prompter == NULL) ++ return -1; + if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0) + return -1; + rdat.data = buf; +@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context, + prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + + /* PROMPTER_INVOCATION */ +- k5int_set_prompt_types(context, &prompt_type); +- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, +- NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ if (id_cryptoctx->prompter == NULL) { ++ r = KRB5_LIBOS_CANTREADPWD; ++ rdat.data = NULL; ++ } else { ++ k5int_set_prompt_types(context, &prompt_type); ++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, ++ NULL, NULL, 1, &kprompt); ++ k5int_set_prompt_types(context, 0); ++ } + free(prompt); + } + +@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con + prompt_type = KRB5_PROMPT_TYPE_PREAUTH; + + /* PROMPTER_INVOCATION */ +- k5int_set_prompt_types(context, &prompt_type); +- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, +- NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ if (*id_cryptoctx->prompter == NULL) { ++ retval = KRB5_LIBOS_CANTREADPWD; ++ goto cleanup; ++ } else { ++ k5int_set_prompt_types(context, &prompt_type); ++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, ++ NULL, NULL, 1, &kprompt); ++ k5int_set_prompt_types(context, 0); ++ } + + ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); + if (ret == 0) { diff --git a/krb5.spec b/krb5.spec index b4129b5..b8f346e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -107,6 +107,7 @@ Patch133: krb5-1.11-gss-methods2.patch Patch134: krb5-1.11-kpasswdtest.patch Patch135: krb5-1.11-check_transited.patch Patch136: krb5-1.11.3-prompter1.patch +Patch137: krb5-1.11.3-prompter2.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -351,6 +352,7 @@ ln -s NOTICE LICENSE %patch134 -p1 -b .kpasswdtest %patch135 -p1 -b .check_transited %patch136 -p1 -b .prompter1 +%patch137 -p1 -b .prompter2 %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -999,6 +1001,7 @@ exit 0 * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-24 - backport the callback to use the libkrb5 prompter when we can't load PEM files for PKINIT (RT#7590, includes part of #965721/#1016690) +- extract the rest of the fix #965721/#1016690 from the changes for RT#7680 * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-23 - fix trigger scriptlet's invocation of sed (#1016945)