Changeset f21d2a6 in mod_gnutls for src/gnutls_hooks.c

Timestamp:

Sep 16, 2015, 2:37:11 PM (8 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream

Children:

746e993

Parents:

efd3cfe

git-author:

Nikos Mavrogiannopoulos <nmav@…> (09/15/15 12:20:30)

git-committer:

Thomas Klute <thomas2.klute@…> (09/16/15 14:37:11)

Message:

Changed the semantics of GnuTLSP11Module

That setting instructs gnutls to load only the specified modules. That
protects mod_gnutls from loading unintended PKCS #11 modules.

File:

• src/gnutls_hooks.c (modified) (1 diff)

src/gnutls_hooks.c

@@ -326 +326 @@
     if (sc_base->p11_module != NULL)
     {
-        rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
-        if (rv != GNUTLS_E_SUCCESS)
+        rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+        if (rv < 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Loading PKCS #11 provider module %s "
+                         "GnuTLS: Initializing PKCS #11 "
                          "failed: %s (%d).",
-                         sc_base->p11_module, gnutls_strerror(rv), rv);
+                         gnutls_strerror(rv), rv);
+        } else {
+            rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
+            if (rv != GNUTLS_E_SUCCESS)
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Loading PKCS #11 provider module %s "
+                             "failed: %s (%d).",
+                             sc_base->p11_module, gnutls_strerror(rv), rv);
+        }
     }