[krb5] Use the prompter callback for PEM files

Mon Oct 14 18:15:49 UTC 2013

commit 822059250ed700d2a5b69af466c6a54479ce7797
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Mon Oct 14 14:07:19 2013 -0400

    Use the prompter callback for PEM files
    
    - backport the callback to use the libkrb5 prompter when we can't load
      PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)

 krb5-1.11.3-prompter1.patch |   91 +++++++++++++++++++++++++++++++++++++++++++
 krb5.spec                   |    8 +++-
 2 files changed, 98 insertions(+), 1 deletions(-)
---

diff --git a/krb5-1.11.3-prompter1.patch b/krb5-1.11.3-prompter1.patch
new file mode 100644
index 0000000..e8d393d
--- /dev/null
+++ b/krb5-1.11.3-prompter1.patch
@@ -0,0 +1,91 @@
+commit a8eec52a13ba108b8855aef8cf9dafeb37811d2e
+Author: Nalin Dahyabhai <nalin at redhat.com>
+Date:   Fri Mar 15 12:05:56 2013 -0400
+
+    Add PEM password prompter callback in PKINIT
+    
+    Supply a callack to PEM_read_bio_PrivateKey() using the prompter to
+    request a password for encrypted PEM data.  Otherwise OpenSSL will use
+    the controlling terminal.
+    
+    [ghudson at mit.edu: minor style cleanup, commit message]
+    
+    ticket: 7590
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 6dbda9b..7186ce8 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -656,11 +656,50 @@ cleanup:
+     return retval;
+ }
+ 
++struct get_key_cb_data {
++    krb5_context context;
++    pkinit_identity_crypto_context id_cryptoctx;
++    char *filename;
++};
++
++static int
++get_key_cb(char *buf, int size, int rwflag, void *userdata)
++{
++    struct get_key_cb_data *data = userdata;
++    pkinit_identity_crypto_context id_cryptoctx;
++    krb5_data rdat;
++    krb5_prompt kprompt;
++    krb5_prompt_type prompt_type;
++    krb5_error_code retval;
++    char *prompt;
++
++    if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
++        return -1;
++    rdat.data = buf;
++    rdat.length = size;
++    kprompt.prompt = prompt;
++    kprompt.hidden = 1;
++    kprompt.reply = &rdat;
++    prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
++
++    /* PROMPTER_INVOCATION */
++    k5int_set_prompt_types(data->context, &prompt_type);
++    id_cryptoctx = data->id_cryptoctx;
++    retval = data->id_cryptoctx->prompter(data->context,
++                                          id_cryptoctx->prompter_data, NULL,
++                                          NULL, 1, &kprompt);
++    k5int_set_prompt_types(data->context, 0);
++    free(prompt);
++    return retval ? -1 : (int)rdat.length;
++}
++
+ static krb5_error_code
+-get_key(char *filename, EVP_PKEY **retkey)
++get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
++        char *filename, EVP_PKEY **retkey)
+ {
+     EVP_PKEY *pkey = NULL;
+     BIO *tmp = NULL;
++    struct get_key_cb_data cb_data;
+     int code;
+     krb5_error_code retval;
+ 
+@@ -676,7 +715,10 @@ get_key(char *filename, EVP_PKEY **retkey)
+         retval = errno;
+         goto cleanup;
+     }
+-    pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
++    cb_data.context = context;
++    cb_data.id_cryptoctx = id_cryptoctx;
++    cb_data.filename = filename;
++    pkey = PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb, &cb_data);
+     if (pkey == NULL) {
+         retval = EIO;
+         pkiDebug("failed to read private key from %s\n", filename);
+@@ -4333,7 +4375,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
+         pkiDebug("failed to load user's certificate from '%s'\n", certname);
+         goto cleanup;
+     }
+-    retval = get_key(keyname, &y);
++    retval = get_key(context, id_cryptoctx, keyname, &y);
+     if (retval != 0 || y == NULL) {
+         pkiDebug("failed to load user's private key from '%s'\n", keyname);
+         goto cleanup;
diff --git a/krb5.spec b/krb5.spec
index f8658ca..b4129b5 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 23%{?dist}
+Release: 24%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -106,6 +106,7 @@ Patch132: krb5-1.11-gss-methods1.patch
 Patch133: krb5-1.11-gss-methods2.patch 
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch135: krb5-1.11-check_transited.patch
+Patch136: krb5-1.11.3-prompter1.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -349,6 +350,7 @@ ln -s NOTICE LICENSE
 %patch133 -p1 -b .gss-methods2
 %patch134 -p1 -b .kpasswdtest
 %patch135 -p1 -b .check_transited
+%patch136 -p1 -b .prompter1
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -994,6 +996,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Oct 14 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-24
+- backport the callback to use the libkrb5 prompter when we can't load PEM
+  files for PKINIT (RT#7590, includes part of #965721/#1016690)
+
 * Mon Oct 14 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-23
 - fix trigger scriptlet's invocation of sed (#1016945)
 
