822059250e
- backport the callback to use the libkrb5 prompter when we can't load PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)
92 lines
3.1 KiB
Diff
92 lines
3.1 KiB
Diff
commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
|
|
Author: Nalin Dahyabhai <nalin@redhat.com>
|
|
Date: Fri Mar 15 12:05:56 2013 -0400
|
|
|
|
Add PEM password prompter callback in PKINIT
|
|
|
|
Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
|
|
request a password for encrypted PEM data. Otherwise OpenSSL will use
|
|
the controlling terminal.
|
|
|
|
[ghudson@mit.edu: minor style cleanup, commit message]
|
|
|
|
ticket: 7590
|
|
|
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
index 6dbda9b..7186ce8 100644
|
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
@@ -656,11 +656,50 @@ cleanup:
|
|
return retval;
|
|
}
|
|
|
|
+struct get_key_cb_data {
|
|
+ krb5_context context;
|
|
+ pkinit_identity_crypto_context id_cryptoctx;
|
|
+ char *filename;
|
|
+};
|
|
+
|
|
+static int
|
|
+get_key_cb(char *buf, int size, int rwflag, void *userdata)
|
|
+{
|
|
+ struct get_key_cb_data *data = userdata;
|
|
+ pkinit_identity_crypto_context id_cryptoctx;
|
|
+ krb5_data rdat;
|
|
+ krb5_prompt kprompt;
|
|
+ krb5_prompt_type prompt_type;
|
|
+ krb5_error_code retval;
|
|
+ char *prompt;
|
|
+
|
|
+ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
|
|
+ return -1;
|
|
+ rdat.data = buf;
|
|
+ rdat.length = size;
|
|
+ kprompt.prompt = prompt;
|
|
+ kprompt.hidden = 1;
|
|
+ kprompt.reply = &rdat;
|
|
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
|
|
+
|
|
+ /* PROMPTER_INVOCATION */
|
|
+ k5int_set_prompt_types(data->context, &prompt_type);
|
|
+ id_cryptoctx = data->id_cryptoctx;
|
|
+ retval = data->id_cryptoctx->prompter(data->context,
|
|
+ id_cryptoctx->prompter_data, NULL,
|
|
+ NULL, 1, &kprompt);
|
|
+ k5int_set_prompt_types(data->context, 0);
|
|
+ free(prompt);
|
|
+ return retval ? -1 : (int)rdat.length;
|
|
+}
|
|
+
|
|
static krb5_error_code
|
|
-get_key(char *filename, EVP_PKEY **retkey)
|
|
+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
|
|
+ char *filename, EVP_PKEY **retkey)
|
|
{
|
|
EVP_PKEY *pkey = NULL;
|
|
BIO *tmp = NULL;
|
|
+ struct get_key_cb_data cb_data;
|
|
int code;
|
|
krb5_error_code retval;
|
|
|
|
@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
|
|
retval = errno;
|
|
goto cleanup;
|
|
}
|
|
- pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
|
|
+ cb_data.context = context;
|
|
+ cb_data.id_cryptoctx = id_cryptoctx;
|
|
+ cb_data.filename = filename;
|
|
+ pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
|
|
if (pkey == NULL) {
|
|
retval = EIO;
|
|
pkiDebug("failed to read private key from %s\n", filename);
|
|
@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
|
|
pkiDebug("failed to load user's certificate from '%s'\n", certname);
|
|
goto cleanup;
|
|
}
|
|
- retval = get_key(keyname, &y);
|
|
+ retval = get_key(context, id_cryptoctx, keyname, &y);
|
|
if (retval != 0 || y == NULL) {
|
|
pkiDebug("failed to load user's private key from '%s'\n", keyname);
|
|
goto cleanup;
|