lighttpd
/
lighttpd2
2
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

[mod_gnutls] use only pin callback, don't pass pin as parameter 

- also check for number of attempts instead of flags,
  the same the gnutls internal callback is doing when a
  password is passed

Change-Id: I84f5a0c7a4e3aea6f55b7b28c2f57019128351c7
personal/stbuehler/wip
Stefan Bühler 5 years ago
parent
6a0e57ec8f
commit
7fb0148348
1 changed files with 16 additions and 23 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 39
      src/modules/mod_gnutls.c

39
src/modules/mod_gnutls.c
View File

@ -95,13 +95,13 @@ static void mod_gnutls_context_acquire(mod_context *ctx);
static int pin_callback(void *user, int attempt, const char *token_url, const char *token_label, unsigned int flags, char *pin, size_t pin_max) {
GString *pinString = user;
size_t saved_pin_len;
UNUSED(attempt);
UNUSED(flags);
UNUSED(token_url);
UNUSED(token_label);
if (NULL == pinString) return -1;
if (flags & GNUTLS_PIN_WRONG) return -1;
if (0 != attempt) return -1;
/* include terminating 0 */
saved_pin_len = 1 + pinString->len;
@ -127,15 +127,11 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin);
#endif
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem2(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM, ctx->pin ? ctx->pin->str : NULL, 0))) {
goto error_free_creds;
}
#else
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
goto error_free_creds;
}
#endif
gnutls_certificate_set_dh_params(creds, ctx->dh_params);
@ -629,7 +625,7 @@ static void gnutls_setup_listen_cb(liServer *srv, int fd, gpointer data) {
srv_sock->release_cb = mod_gnutls_sock_release;
}
static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile, GString *pin) {
static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile) {
const char *keyfile = NULL;
const char *certfile = NULL;
int r;
@ -689,25 +685,12 @@ static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_
return FALSE;
}
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, pin);
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file2(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM, pin ? pin->str : NULL, 0))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file2 failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#else
UNUSED(pin);
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
#endif
return TRUE;
}
@ -728,7 +711,9 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
#endif
gboolean protect_against_beast = FALSE;
gint64 session_db_size = 256;
#if defined(HAVE_PIN)
liValue *pin = NULL;
#endif
UNUSED(p); UNUSED(userdata);
@ -861,7 +846,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (!(ctx = mod_gnutls_context_new(srv))) return FALSE;
ctx->protect_against_beast = protect_against_beast;
#if defined(HAVE_PIN)
ctx->pin = li_value_extract_string(pin);
gnutls_certificate_set_pin_function(ctx->server_cert, pin_callback, ctx->pin);
#endif
#ifdef USE_SNI
if (NULL != sni_backend) {
@ -882,7 +871,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
goto error_free_ctx;
}
if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile, ctx->pin)) {
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(ctx->sni_fallback_cert, pin_callback, ctx->pin);
#endif
if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile)) {
goto error_free_ctx;
}
}
@ -898,7 +891,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (g_str_equal(entryKeyStr->str, "pemfile")) {
if (!creds_add_pemfile(srv, ctx->server_cert, entryValue, ctx->pin)) {
if (!creds_add_pemfile(srv, ctx->server_cert, entryValue)) {
goto error_free_ctx;
}
}

Write Preview
Loading…
Cancel
Save