Finish fixing the don't-call-NULL-prompters bug

- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
2013-10-14 14:07:56 -04:00 · 2013-10-14 14:07:56 -04:00 · 84fe7d69da
commit 84fe7d69da
parent 822059250e
2 changed files with 58 additions and 0 deletions
--- a/krb5-1.11.3-prompter2.patch
+++ b/krb5-1.11.3-prompter2.patch
@ -0,0 +1,55 @@
+Don't call a prompter function if it's NULL, as it can be, depending on
+which code path we were called from.  Part of the larger responder retrofit
+coming in 1.12 (RT#7680).
+
+--- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl
+     krb5_error_code retval;
+     char *prompt;
+ 
+    if (data->id_cryptoctx->prompter == NULL)
+        return -1;
+     if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
+         return -1;
+     rdat.data = buf;
+@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context,
+         prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+ 
+         /* PROMPTER_INVOCATION */
+-        k5int_set_prompt_types(context, &prompt_type);
+-        r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+-                                      NULL, NULL, 1, &kprompt);
+-        k5int_set_prompt_types(context, 0);
+        if (id_cryptoctx->prompter == NULL) {
+            r = KRB5_LIBOS_CANTREADPWD;
+            rdat.data = NULL;
+        } else {
+            k5int_set_prompt_types(context, &prompt_type);
+            r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+                                          NULL, NULL, 1, &kprompt);
+            k5int_set_prompt_types(context, 0);
+        }
+         free(prompt);
+     }
+ 
+@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con
+         prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+ 
+         /* PROMPTER_INVOCATION */
+-        k5int_set_prompt_types(context, &prompt_type);
+-        r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+-                                      NULL, NULL, 1, &kprompt);
+-        k5int_set_prompt_types(context, 0);
+        if (*id_cryptoctx->prompter == NULL) {
+            retval = KRB5_LIBOS_CANTREADPWD;
+            goto cleanup;
+        } else {
+            k5int_set_prompt_types(context, &prompt_type);
+            r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+                                          NULL, NULL, 1, &kprompt);
+            k5int_set_prompt_types(context, 0);
+        }
+ 
+         ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
+         if (ret == 0) {
--- a/krb5.spec
+++ b/krb5.spec
@ -107,6 +107,7 @@ Patch133: krb5-1.11-gss-methods2.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch135: krb5-1.11-check_transited.patch
 Patch136: krb5-1.11.3-prompter1.patch
+Patch137: krb5-1.11.3-prompter2.patch

 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@ -351,6 +352,7 @@ ln -s NOTICE LICENSE
 %patch134 -p1 -b .kpasswdtest
 %patch135 -p1 -b .check_transited
 %patch136 -p1 -b .prompter1
+%patch137 -p1 -b .prompter2

 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@ -999,6 +1001,7 @@ exit 0
 * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-24
 - backport the callback to use the libkrb5 prompter when we can't load PEM
  files for PKINIT (RT#7590, includes part of #965721/#1016690)
+- extract the rest of the fix #965721/#1016690 from the changes for RT#7680

 * Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-23
 - fix trigger scriptlet's invocation of sed (#1016945)