Don't unregister p11-kit PIN callback until vpninfo is finished with

Unregistering in openconnect_close_https() meant that when we reconnect to
the server, we lose the PIN callback. And then when we connect again, if
GnuTLS is asking us for the PIN on every attempt to touch the key, we fail
because there's no PIN handler.

So add a 'final' flag to openconnect_close_https(). Use this to clean up
library.c::openconnect_close_https() a little, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/cstp.c b/cstp.c
index d799f15f03ea14a4cde540f87ea735be06a3e88a..792c17e925cd079851102ebcecb7ea1e1d4cbb42 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -230,7 +230,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                             _("Error fetching HTTPS response\n"));
                if (!retried) {
                        retried = 1;
-                       openconnect_close_https(vpninfo);
+                       openconnect_close_https(vpninfo, 0);
 
                        if (openconnect_open_https(vpninfo)) {
                                vpn_progress(vpninfo, PRG_ERR,
@@ -526,7 +526,7 @@ int cstp_reconnect(struct openconnect_info *vpninfo)
        int timeout;
        int interval;
 
-       openconnect_close_https(vpninfo);
+       openconnect_close_https(vpninfo, 0);
 
        /* Requeue the original packet that was deflated */
        if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {

diff --git a/gnutls.c b/gnutls.c
index eaa427522936a14122c204e7e6a10fd53ea4c066..7476564a05b02efed7dec1b92c1277861facebe5 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -1056,17 +1056,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
        return 0;
 }
 
-void openconnect_close_https(struct openconnect_info *vpninfo)
+void openconnect_close_https(struct openconnect_info *vpninfo, int final)
 {
-#ifdef HAVE_P11KIT
-       if (!strncmp(vpninfo->cert, "pkcs11:", 7)) {
-               char pin_source[40];
-
-               sprintf(pin_source, "openconnect:%p", vpninfo);
-               p11_kit_pin_unregister_callback(pin_source, pin_callback, vpninfo);
-       }
-#endif
-
        if (vpninfo->peer_cert) {
                gnutls_x509_crt_deinit(vpninfo->peer_cert);
                vpninfo->peer_cert = NULL;
@@ -1082,6 +1073,18 @@ void openconnect_close_https(struct openconnect_info *vpninfo)
                FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds);
                vpninfo->ssl_fd = -1;
        }
+       if (final && vpninfo->https_cred) {
+               gnutls_certificate_free_credentials(vpninfo->https_cred);
+               vpninfo->https_cred = NULL;
+#ifdef HAVE_P11KIT
+               if (!strncmp(vpninfo->cert, "pkcs11:", 7)) {
+                       char pin_source[40];
+
+                       sprintf(pin_source, "openconnect:%p", vpninfo);
+                       p11_kit_pin_unregister_callback(pin_source, pin_callback, vpninfo);
+               }
+#endif
+       }
 }
 
 void openconnect_init_ssl(void)

diff --git a/http.c b/http.c
index 68a15a3acab088fa8e279f0193cdb9d6b017505f..e8ef020d05b06dea52a755ac7204dc381e713df1 100644 (file)
--- a/http.c
+++ b/http.c
@@ -335,7 +335,7 @@ static int process_http_response(struct openconnect_info *vpninfo, int *result,
        }
 
        if (closeconn || vpninfo->no_http_keepalive)
-               openconnect_close_https(vpninfo);
+               openconnect_close_https(vpninfo, 0);
 
        if (body)
                body[done] = 0;
@@ -728,7 +728,7 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
                                /* Kill the existing connection, and a new one will happen */
                                free(vpninfo->peer_addr);
                                vpninfo->peer_addr = NULL;
-                               openconnect_close_https(vpninfo);
+                               openconnect_close_https(vpninfo, 0);
 
                                for (opt = vpninfo->cookies; opt; opt = next) {
                                        next = opt->next;

diff --git a/library.c b/library.c
index 0b4eae83096e60593a0b7342902d555ef59e6c3e..92b7c25350922aa19284e840dfba69a2e4788d88 100644 (file)
--- a/library.c
+++ b/library.c
@@ -171,23 +171,11 @@ void openconnect_clear_cookie (struct openconnect_info *vpninfo)
 
 void openconnect_reset_ssl (struct openconnect_info *vpninfo)
 {
-       openconnect_close_https(vpninfo);
+       openconnect_close_https(vpninfo, 1);
        if (vpninfo->peer_addr) {
                free(vpninfo->peer_addr);
                vpninfo->peer_addr = NULL;
        }
-#if defined (OPENCONNECT_OPENSSL)
-       if (vpninfo->https_ctx) {
-               SSL_CTX_free(vpninfo->https_ctx);
-               vpninfo->https_ctx = NULL;
-       }
-#elif defined (OPENCONNECT_GNUTLS)
-       if (vpninfo->https_cred) {
-               gnutls_certificate_free_credentials(vpninfo->https_cred);
-               vpninfo->https_cred = NULL;
-       }
-#endif
-
 }
 
 int openconnect_parse_url (struct openconnect_info *vpninfo, char *url)

diff --git a/openconnect-internal.h b/openconnect-internal.h
index fafd8f3294ce63ddcade86b54ecc2b9965ec9a1d..ac6ffe44615b60580913ce79cf254f88b15aa856 100644 (file)
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -321,7 +321,7 @@ int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len
 int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
 int openconnect_open_https(struct openconnect_info *vpninfo);
-void openconnect_close_https(struct openconnect_info *vpninfo);
+void openconnect_close_https(struct openconnect_info *vpninfo, int final);
 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
                             char *buf);
 /* This one is actually OpenSSL-specific */

diff --git a/openssl.c b/openssl.c
index 5765358827e85b529898b7b666a7d1508a95cdd1..ab18cf9826136c79458ff25b24be2164ba1743a1 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -1283,7 +1283,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
        return 0;
 }
 
-void openconnect_close_https(struct openconnect_info *vpninfo)
+void openconnect_close_https(struct openconnect_info *vpninfo, int final)
 {
        if (vpninfo->peer_cert) {
                X509_free(vpninfo->peer_cert);
@@ -1300,6 +1300,10 @@ void openconnect_close_https(struct openconnect_info *vpninfo)
                FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds);
                vpninfo->ssl_fd = -1;
        }
+       if (final && vpninfo->https_ctx) {
+               SSL_CTX_free(vpninfo->https_ctx);
+               vpninfo->https_ctx = NULL;
+       }
 }
 
 void openconnect_init_ssl(void)