Browse Source
[mod_gnutls] use only pin callback, don't pass pin as parameter
- also check for number of attempts instead of flags, the same the gnutls internal callback is doing when a password is passed Change-Id: I84f5a0c7a4e3aea6f55b7b28c2f57019128351c7master
1 changed files with 16 additions and 23 deletions
Split View
Diff Options
-
+16 -23src/modules/mod_gnutls.c
+ 16
- 23
src/modules/mod_gnutls.c
View File
| @@ -95,13 +95,13 @@ static void mod_gnutls_context_acquire(mod_context *ctx); | |||
| static int pin_callback(void *user, int attempt, const char *token_url, const char *token_label, unsigned int flags, char *pin, size_t pin_max) { | |||
| GString *pinString = user; | |||
| size_t saved_pin_len; | |||
| UNUSED(attempt); | |||
| UNUSED(flags); | |||
| UNUSED(token_url); | |||
| UNUSED(token_label); | |||
| if (NULL == pinString) return -1; | |||
| if (flags & GNUTLS_PIN_WRONG) return -1; | |||
| if (0 != attempt) return -1; | |||
| /* include terminating 0 */ | |||
| saved_pin_len = 1 + pinString->len; | |||
| @@ -127,15 +127,11 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt | |||
| #if defined(HAVE_PIN) | |||
| gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin); | |||
| #endif | |||
| if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem2(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM, ctx->pin ? ctx->pin->str : NULL, 0))) { | |||
| goto error_free_creds; | |||
| } | |||
| #else | |||
| if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) { | |||
| goto error_free_creds; | |||
| } | |||
| #endif | |||
| gnutls_certificate_set_dh_params(creds, ctx->dh_params); | |||
| @@ -629,7 +625,7 @@ static void gnutls_setup_listen_cb(liServer *srv, int fd, gpointer data) { | |||
| srv_sock->release_cb = mod_gnutls_sock_release; | |||
| } | |||
| static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile, GString *pin) { | |||
| static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_t creds, liValue *pemfile) { | |||
| const char *keyfile = NULL; | |||
| const char *certfile = NULL; | |||
| int r; | |||
| @@ -689,25 +685,12 @@ static gboolean creds_add_pemfile(liServer *srv, gnutls_certificate_credentials_ | |||
| return FALSE; | |||
| } | |||
| #if defined(HAVE_PIN) | |||
| gnutls_certificate_set_pin_function(creds, pin_callback, pin); | |||
| if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file2(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM, pin ? pin->str : NULL, 0))) { | |||
| ERROR(srv, "gnutls_certificate_set_x509_key_file2 failed(certfile '%s', keyfile '%s', PEM) (%s): %s", | |||
| certfile, keyfile, | |||
| gnutls_strerror_name(r), gnutls_strerror(r)); | |||
| return FALSE; | |||
| } | |||
| #else | |||
| UNUSED(pin); | |||
| if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) { | |||
| ERROR(srv, "gnutls_certificate_set_x509_key_file failed(certfile '%s', keyfile '%s', PEM) (%s): %s", | |||
| certfile, keyfile, | |||
| gnutls_strerror_name(r), gnutls_strerror(r)); | |||
| return FALSE; | |||
| } | |||
| #endif | |||
| return TRUE; | |||
| } | |||
| @@ -728,7 +711,9 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer | |||
| #endif | |||
| gboolean protect_against_beast = FALSE; | |||
| gint64 session_db_size = 256; | |||
| #if defined(HAVE_PIN) | |||
| liValue *pin = NULL; | |||
| #endif | |||
| UNUSED(p); UNUSED(userdata); | |||
| @@ -861,7 +846,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer | |||
| if (!(ctx = mod_gnutls_context_new(srv))) return FALSE; | |||
| ctx->protect_against_beast = protect_against_beast; | |||
| #if defined(HAVE_PIN) | |||
| ctx->pin = li_value_extract_string(pin); | |||
| gnutls_certificate_set_pin_function(ctx->server_cert, pin_callback, ctx->pin); | |||
| #endif | |||
| #ifdef USE_SNI | |||
| if (NULL != sni_backend) { | |||
| @@ -882,7 +871,11 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer | |||
| goto error_free_ctx; | |||
| } | |||
| if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile, ctx->pin)) { | |||
| #if defined(HAVE_PIN) | |||
| gnutls_certificate_set_pin_function(ctx->sni_fallback_cert, pin_callback, ctx->pin); | |||
| #endif | |||
| if (!creds_add_pemfile(srv, ctx->sni_fallback_cert, sni_fallback_pemfile)) { | |||
| goto error_free_ctx; | |||
| } | |||
| } | |||
| @@ -898,7 +891,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer | |||
| if (g_str_equal(entryKeyStr->str, "pemfile")) { | |||
| if (!creds_add_pemfile(srv, ctx->server_cert, entryValue, ctx->pin)) { | |||
| if (!creds_add_pemfile(srv, ctx->server_cert, entryValue)) { | |||
| goto error_free_ctx; | |||
| } | |||
| } | |||