[krbdev.mit.edu #7590] PKINIT needs to use the prompter callback for PEM files

The RT System itself via RT rt-comment at krbdev.mit.edu
Tue Mar 12 02:22:42 EDT 2013


Date: Tue, 12 Mar 2013 01:09:16 -0400
From: Nalin Dahyabhai <nalin at redhat.com>
Message-Id: <201303120509.r2C59GMA008400 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: PKINIT needs to use the prompter callback for PEM files
X-send-pr-version: 3.99

>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	PKINIT needs to use the prompter callback for PEM files
>Severity:	non-critical
>Priority:	low
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.11.1
>Environment:
	
System: Linux blade.bos.redhat.com 3.8.1-201.fc18.x86_64 #1 SMP Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	When using client identity information stored in PEM files and
	specified either as FILE: or DIR: locations, PKINIT doesn't supply a
	password callback to PEM_read_bio_PrivateKey() for OpenSSL to use.  If
	the PEM data is encrypted, OpenSSL will use its built-in default
	password prompting callback, which asks for a password using the
	controlling terminal.
>Fix:
Here's a suggested patch:

--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -656,11 +656,56 @@ cleanup:
     return retval;
 }
 
+struct get_key_cb_data {
+    krb5_context context;
+    pkinit_identity_crypto_context id_cryptoctx;
+    char *filename;
+};
+
+static int
+get_key_cb(char *buf, int size, int rwflag, void *userdata)
+{
+    struct get_key_cb_data *data = userdata;
+    pkinit_identity_crypto_context id_cryptoctx;
+    krb5_data rdat;
+    krb5_prompt kprompt;
+    krb5_prompt_type prompt_type;
+    char prompt_reply[128];
+    krb5_error_code retval;
+    char *prompt;
+
+    if (userdata == NULL)
+        return -1;
+    if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
+        return -1;
+    rdat.data = prompt_reply;
+    rdat.length = sizeof(prompt_reply);
+    kprompt.prompt = prompt;
+    kprompt.hidden = 1;
+    kprompt.reply = &rdat;
+    prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+    /* PROMPTER_INVOCATION */
+    k5int_set_prompt_types(data->context, &prompt_type);
+    id_cryptoctx = data->id_cryptoctx;
+    retval = (data->id_cryptoctx->prompter)(data->context,
+                                            id_cryptoctx->prompter_data,
+                                            NULL, NULL, 1, &kprompt);
+    k5int_set_prompt_types(data->context, 0);
+    free(prompt);
+    if (retval != 0)
+        return -1;
+    snprintf(buf, size, "%.*s", (int) rdat.length, rdat.data);
+    return strlen(buf);
+}
+
 static krb5_error_code
-get_key(char *filename, EVP_PKEY **retkey)
+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
+        char *filename, EVP_PKEY **retkey)
 {
     EVP_PKEY *pkey = NULL;
     BIO *tmp = NULL;
+    struct get_key_cb_data cb_data;
     int code;
     krb5_error_code retval;
 
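Review bot: get_key_cb dereferences `data->id_cryptoctx->prompter` without checking that a prompter was supplied; nothing in this hunk guarantees the pointer is set, and a caller that loaded an identity without one will hit a NULL function-pointer call the first time it meets an encrypted PEM file. Add `if (data->id_cryptoctx->prompter == NULL) return -1;` next to the existing `userdata == NULL` check so OpenSSL gets a clean failure instead of a crash. Two more points in the same function: `prompt_reply` still holds the passphrase when the function returns, so zero it (krb5's `zap()` does this) after the `snprintf`; and `snprintf(buf, size, "%.*s", ...)` silently truncates a reply longer than `size - 1` (with `prompt_reply[128]` capping it at 127 bytes before that), which turns an over-long passphrase into a later decrypt failure with no diagnostic, so return -1 when `rdat.length >= size` instead. Minor style: the local `id_cryptoctx` is assigned but the call goes through `data->id_cryptoctx->prompter` anyway, and `k5int_set_prompt_types(data->context, 0)` should pass NULL for the pointer argument.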
@@ -676,7 +721,11 @@ get_key(char *filename, EVP_PKEY **retkey)
         retval = errno;
         goto cleanup;
     }
-    pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
+    cb_data.context = context;
+    cb_data.id_cryptoctx = id_cryptoctx;
+    cb_data.filename = filename;
+    pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb,
+                                                &cb_data);
     if (pkey == NULL) {
         retval = EIO;
         pkiDebug("failed to read private key from %s\n", filename);
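Review bot: with the callback in place, a NULL `pkey` here can mean a malformed file, no passphrase source, or a passphrase the user mistyped or cancelled, yet all three collapse into `retval = EIO` and the same "failed to read private key" debug line. Have get_key_cb record why it returned -1 in `cb_data` so this site can report a distinct error for a missing or cancelled prompt rather than an I/O failure. Also `cb_data.filename = filename` hands the callback a `char *` it only reads; declare the member `const char *`.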
@@ -4333,7 +4382,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
         pkiDebug("failed to load user's certificate from '%s'\n", certname);
         goto cleanup;
     }
-    retval = get_key(keyname, &y);
+    retval = get_key(context, id_cryptoctx, keyname, &y);
     if (retval != 0 || y == NULL) {
         pkiDebug("failed to load user's private key from '%s'\n", keyname);
         goto cleanup;
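Review bot: get_key's signature changed in the first hunk, but this is the only call site the patch updates; confirm there is no other caller of get_key in pkinit_crypto_openssl.c so the patch is complete as posted rather than relying on the build to flag a missed one.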


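The report's point is the OpenSSL PEM password-callback contract: `PEM_read_bio_PrivateKey()` with a NULL callback falls back to OpenSSL's own tty prompt, so a library that has its own prompter must supply a `pem_password_cb`. The following is an added example, not code from the bug report, the suggested patch, or krb5 itself, showing such a callback fed from a caller-supplied prompter and handling the cases the patch leaves open (no prompter available, answer too long for OpenSSL's buffer, secret left on the stack). The `reply_data`, `prompt` and `prompter_fct` types are simplified stand-ins for `krb5_data`, `krb5_prompt` and `krb5_prompter_fct` (assumption: same shape minus the context and magic fields) so it builds without krb5.h or libcrypto; `fixed_prompter`, the filename and the "hunter2" passphrase are constructed for the demo.

```c
/*
 * Added example, not code from the bug report or from krb5/OpenSSL: the
 * OpenSSL pem_password_cb contract, int cb(char *buf, int size, int rwflag,
 * void *userdata), filled from a caller-supplied prompter instead of the
 * controlling terminal. The prompter types are simplified stand-ins for
 * krb5_prompter_fct / krb5_prompt / krb5_data (assumed shape: no context or
 * magic fields) so the file builds without krb5.h or libcrypto.
 */
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_data: on entry length is the capacity, on return the bytes filled. */
struct reply_data {
    unsigned int length;
    char *data;
};

/* Stand-in for krb5_prompt. */
struct prompt {
    const char *prompt;
    int hidden;                 /* 1: do not echo the answer */
    struct reply_data *reply;
};

/* Stand-in for krb5_prompter_fct: returns 0 on success, non-zero on failure or cancel. */
typedef int (*prompter_fct)(void *prompter_data, const char *name,
                            const char *banner, int num_prompts,
                            struct prompt prompts[]);

/* Everything the PEM callback needs, passed through OpenSSL's void *userdata. */
struct pem_cb_data {
    prompter_fct prompter;      /* NULL when the caller is non-interactive */
    void *prompter_data;
    const char *filename;
};

/* Clear a secret; the volatile pointer keeps the loop from being optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;

    while (n-- > 0)
        *v++ = 0;
}

/*
 * PEM password callback: returns the passphrase length written into buf, or
 * -1, which makes PEM_read_bio_PrivateKey() fail instead of falling back to
 * its built-in terminal prompt. rwflag is 0 when reading a key, 1 when writing.
 */
int pem_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    struct pem_cb_data *cb = userdata;
    char reply_buf[256];        /* scratch copy of the answer, wiped before return */
    char text[512];
    struct reply_data reply;
    struct prompt p;
    int ret = -1;

    (void)rwflag;
    /* No prompter means no way to ask: fail cleanly rather than crash or hang on a tty. */
    if (cb == NULL || cb->prompter == NULL || buf == NULL || size <= 0)
        return -1;

    snprintf(text, sizeof(text), "Pass phrase for %s", cb->filename);
    reply.length = sizeof(reply_buf);
    reply.data = reply_buf;
    p.prompt = text;
    p.hidden = 1;
    p.reply = &reply;

    if (cb->prompter(cb->prompter_data, NULL, NULL, 1, &p) == 0) {
        /* Refuse to truncate: a clipped passphrase only fails later, with no diagnostic. */
        if (reply.length < (unsigned int)size) {
            memcpy(buf, reply.data, reply.length);
            buf[reply.length] = '\0';
            ret = (int)reply.length;
        }
    }
    wipe(reply_buf, sizeof(reply_buf));
    return ret;
}

/* Constructed prompter for the demo: answers every prompt with the string in prompter_data. */
int fixed_prompter(void *prompter_data, const char *name, const char *banner,
                   int num_prompts, struct prompt prompts[])
{
    const char *answer = prompter_data;
    size_t n = strlen(answer);
    int i;

    (void)name;
    (void)banner;
    for (i = 0; i < num_prompts; i++) {
        if (n > prompts[i].reply->length)
            return 1;           /* answer does not fit the caller's buffer */
        memcpy(prompts[i].reply->data, answer, n);
        prompts[i].reply->length = (unsigned int)n;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    struct pem_cb_data cb = { fixed_prompter, "hunter2", "/home/user/pkinit.key" };
    struct pem_cb_data no_prompter = { NULL, NULL, "/home/user/pkinit.key" };
    int n;

    n = pem_passphrase_cb(buf, sizeof(buf), 0, &cb);
    printf("interactive: returned %d, buf=\"%s\"\n", n, n > 0 ? buf : "");
    n = pem_passphrase_cb(buf, sizeof(buf), 0, &no_prompter);
    printf("no prompter: returned %d (OpenSSL will fail the PEM read)\n", n);
    return 0;
}
```

In real use the `pem_cb_data` pointer is what goes into the fourth argument of `PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb, &cb)`; returning -1 from the callback is the documented way to make that call fail, which is preferable to both a NULL callback (tty prompt) and a truncated answer (decrypt failure with no explanation).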
