[krb5] Finish fixing the don't-call-NULL-prompters bug
Nalin Dahyabhai
nalin at fedoraproject.org
Mon Oct 14 18:15:54 UTC 2013
commit 84fe7d69da04d0075771836c85f6845b40ffc9a4
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Mon Oct 14 14:07:56 2013 -0400
Finish fixing the don't-call-NULL-prompters bug
- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
krb5-1.11.3-prompter2.patch | 55 +++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 3 ++
2 files changed, 58 insertions(+), 0 deletions(-)
---
diff --git a/krb5-1.11.3-prompter2.patch b/krb5-1.11.3-prompter2.patch
new file mode 100644
index 0000000..015284d
--- /dev/null
+++ b/krb5-1.11.3-prompter2.patch
@@ -0,0 +1,55 @@
+Don't call a prompter function if it's NULL, as it can be, depending on
+which code path we were called from. Part of the larger responder retrofit
+coming in 1.12 (RT#7680).
+
+--- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl
+ krb5_error_code retval;
+ char *prompt;
+
++ if (data->id_cryptoctx->prompter == NULL)
++ return -1;
+ if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
+ return -1;
+ rdat.data = buf;
+@@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context,
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+ /* PROMPTER_INVOCATION */
+- k5int_set_prompt_types(context, &prompt_type);
+- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+- NULL, NULL, 1, &kprompt);
+- k5int_set_prompt_types(context, 0);
++ if (id_cryptoctx->prompter == NULL) {
++ r = KRB5_LIBOS_CANTREADPWD;
++ rdat.data = NULL;
++ } else {
++ k5int_set_prompt_types(context, &prompt_type);
++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
++ NULL, NULL, 1, &kprompt);
++ k5int_set_prompt_types(context, 0);
++ }
+ free(prompt);
+ }
+
+@@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+ /* PROMPTER_INVOCATION */
+- k5int_set_prompt_types(context, &prompt_type);
+- r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
+- NULL, NULL, 1, &kprompt);
+- k5int_set_prompt_types(context, 0);
++ if (*id_cryptoctx->prompter == NULL) {
++ retval = KRB5_LIBOS_CANTREADPWD;
++ goto cleanup;
++ } else {
++ k5int_set_prompt_types(context, &prompt_type);
++ r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
++ NULL, NULL, 1, &kprompt);
++ k5int_set_prompt_types(context, 0);
++ }
+
+ ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
+ if (ret == 0) {
diff --git a/krb5.spec b/krb5.spec
index b4129b5..b8f346e 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -107,6 +107,7 @@ Patch133: krb5-1.11-gss-methods2.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-1.11-check_transited.patch
Patch136: krb5-1.11.3-prompter1.patch
+Patch137: krb5-1.11.3-prompter2.patch
# Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch
@@ -351,6 +352,7 @@ ln -s NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
%patch135 -p1 -b .check_transited
%patch136 -p1 -b .prompter1
+%patch137 -p1 -b .prompter2
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
@@ -999,6 +1001,7 @@ exit 0
* Mon Oct 14 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-24
- backport the callback to use the libkrb5 prompter when we can't load PEM
files for PKINIT (RT#7590, includes part of #965721/#1016690)
+- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
* Mon Oct 14 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-23
- fix trigger scriptlet's invocation of sed (#1016945)
More information about the scm-commits
mailing list