
[mod_gnutls] use only pin callback, don't pass pin as parameter

- also check for the number of attempts instead of the flags,
  the same as the gnutls internal callback does when a
  password is passed

Change-Id: I84f5a0c7a4e3aea6f55b7b28c2f57019128351c7
personal/stbuehler/wip
Stefan Bühler 5 years ago
parent
commit
7fb0148348
  1. 39
      src/modules/mod_gnutls.c

39
src/modules/mod_gnutls.c

@ -95,13 +95,13 @@ static void mod_gnutls_context_acquire(mod_context *ctx);
static int pin_callback(void *user, int attempt, const char *token_url, const char *token_label, unsigned int flags, char *pin, size_t pin_max) {
GString *pinString = user;
size_t saved_pin_len;
UNUSED(attempt);
UNUSED(flags);
UNUSED(token_url);
UNUSED(token_label);
if (NULL == pinString) return -1;
if (flags & GNUTLS_PIN_WRONG) return -1;
if (0 != attempt) return -1;
/* include terminating 0 */
saved_pin_len = 1 + pinString->len;
@ -127,15 +127,11 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin);
#endif
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem2(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM, ctx->pin ? ctx->pin->str : NULL, 0))) {
goto error_free_creds;
}
#else
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
goto error_free_creds;
}
#endif
gnutls_certificate_set_dh_params(creds, ctx->dh_params);
@ -629,7 +625,7 @@ static void gnutls_setup_listen_cb(liServer *srv, int fd, gpointer data) {
srv_sock->release_cb = mod_gnutls_sock_release;
}
static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile, GString *pin) {
static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile) {
const char *keyfile = NULL;
const char *certfile = NULL;
int r;
@ -689,25 +685,12 @@ static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_
return FALSE;
}
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, pin);
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file2(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM, pin ? pin->str : NULL, 0))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file2 failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#else
UNUSED(pin);
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#endif
return TRUE;
}
@ -728,7 +711,9 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
#endif
gboolean protect_against_beast = FALSE;
gint64 session_db_size = 256;
#if defined(HAVE_PIN)
liValue *pin = NULL;
#endif
UNUSED(p); UNUSED(userdata);
@ -861,7 +846,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (!(ctx = mod_gnutls_context_new(srv))) return FALSE;
ctx->protect_against_beast = protect_against_beast;
#if defined(HAVE_PIN)
ctx->pin = li_value_extract_string(pin);
gnutls_certificate_set_pin_function(ctx->server_cert, pin_callback, ctx->pin);
#endif
#ifdef USE_SNI
if (NULL != sni_backend) {
@ -882,7 +871,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
goto error_free_ctx;
}
if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile, ctx->pin)) {
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(ctx->sni_fallback_cert, pin_callback, ctx->pin);
#endif
if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile)) {
goto error_free_ctx;
}
}
@ -898,7 +891,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (g_str_equal(entryKeyStr->str, "pemfile")) {
if (!creds_add_pemfile(srv, ctx->server_cert, entryValue, ctx->pin)) {
if (!creds_add_pemfile(srv, ctx->server_cert, entryValue)) {
goto error_free_ctx;
}
}
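Review bot: pin_callback now refuses every prompt after the first (`if (0 != attempt) return -1;` in the first hunk), but nothing at the callback says why, and the reason is security-relevant: the module holds exactly one stored PIN, so answering a retry with the same value can only consume PIN attempts on a PKCS#11 token until it locks. Suggest a comment above that line such as `/* only one stored PIN: refuse retries so a wrong PIN cannot exhaust the token's attempt counter */`. The same GString is now registered as callback userdata with three credential objects (creds_from_gstring, ctx->server_cert and ctx->sni_fallback_cert), so a comment at the `ctx->pin = li_value_extract_string(pin);` assignment should state that ctx->pin must outlive every credential it was registered with; that appears to hold because they all hang off ctx, but it is not written down. pin_callback's body, where saved_pin_len is presumably compared against pin_max, continues outside the first hunk.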
