
[mod_gnutls] use only pin callback, don't pass pin as parameter

- also check the number of attempts instead of the flags,
  the same as the gnutls internal callback does when a
  password is passed

Change-Id: I84f5a0c7a4e3aea6f55b7b28c2f57019128351c7
master
Stefan Bühler 4 years ago
parent
commit
7fb0148348
1 changed files with 16 additions and 23 deletions
  1. +16
    -23
      src/modules/mod_gnutls.c

+ 16
- 23
src/modules/mod_gnutls.c View File

@@ -95,13 +95,13 @@ static void mod_gnutls_context_acquire(mod_context *ctx);
static int pin_callback(void *user, int attempt, const char *token_url, const char *token_label, unsigned int flags, char *pin, size_t pin_max) {
GString *pinString = user;
size_t saved_pin_len;
UNUSED(attempt);
UNUSED(flags);
UNUSED(token_url);
UNUSED(token_label);

if (NULL == pinString) return -1;

if (flags & GNUTLS_PIN_WRONG) return -1;
if (0 != attempt) return -1;

/* include terminating 0 */
saved_pin_len = 1 + pinString->len;
@@ -127,15 +127,11 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt

#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin);
#endif

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem2(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM, ctx->pin ? ctx->pin->str : NULL, 0))) {
goto error_free_creds;
}
#else
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
goto error_free_creds;
}
#endif

gnutls_certificate_set_dh_params(creds, ctx->dh_params);

@@ -629,7 +625,7 @@ static void gnutls_setup_listen_cb(liServer *srv, int fd, gpointer data) {
srv_sock->release_cb = mod_gnutls_sock_release;
}

static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile, GString *pin) {
static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile) {
const char *keyfile = NULL;
const char *certfile = NULL;
int r;
@@ -689,25 +685,12 @@ static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_
return FALSE;
}

#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, pin);

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file2(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM, pin ? pin->str : NULL, 0))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file2 failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#else
UNUSED(pin);

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#endif

return TRUE;
}
@@ -728,7 +711,9 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
#endif
gboolean protect_against_beast = FALSE;
gint64 session_db_size = 256;
#if defined(HAVE_PIN)
liValue *pin = NULL;
#endif

UNUSED(p); UNUSED(userdata);

@@ -861,7 +846,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (!(ctx = mod_gnutls_context_new(srv))) return FALSE;

ctx->protect_against_beast = protect_against_beast;

#if defined(HAVE_PIN)
ctx->pin = li_value_extract_string(pin);
gnutls_certificate_set_pin_function(ctx->server_cert, pin_callback, ctx->pin);
#endif

#ifdef USE_SNI
if (NULL != sni_backend) {
@@ -882,7 +871,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
goto error_free_ctx;
}

if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile, ctx->pin)) {
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(ctx->sni_fallback_cert, pin_callback, ctx->pin);
#endif

if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile)) {
goto error_free_ctx;
}
}
@@ -898,7 +891,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer

if (g_str_equal(entryKeyStr->str, "pemfile")) {

if (!creds_add_pemfile(srv, ctx->server_cert, entryValue, ctx->pin)) {
if (!creds_add_pemfile(srv, ctx->server_cert, entryValue)) {
goto error_free_ctx;
}
}
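Review bot: `UNUSED(attempt);` near the top of pin_callback is now stale, because the new `if (0 != attempt) return -1;` reads attempt; drop that line (the `UNUSED(flags);` line is now accurate since the GNUTLS_PIN_WRONG test is gone). The rest of pin_callback, including the copy into `pin`/`pin_max` that follows `saved_pin_len = 1 + pinString->len;`, continues outside the hunk, so the truncation handling against `pin_max` is out of view and worth confirming given that `saved_pin_len` counts the terminator. The creds_from_gstring and gnutls_setup hunks register `ctx->pin` as the user pointer of pin_callback on creds, ctx->server_cert and ctx->sni_fallback_cert, so that GString must stay valid for as long as any of those credential objects can still invoke the callback; the teardown order is not part of this diff, so it would help to pin it with a comment at the `ctx->pin = li_value_extract_string(pin);` line, e.g. `/* pin_callback keeps a raw pointer to ctx->pin for every credential set below; keep it alive until those credentials are released */`.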

