From ed80bfacf6baa17a6f5f4a5ec7e11aee541cba95 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 10 May 2021 10:21:01 +0100
Subject: [PATCH] GnuTLS: Fix user-visible strings and dialog auth_id for multicert
Signed-off-by: David Woodhouse
---
 gnutls.c | 51 ++++++++++++++++++++++++++++++++--------------
 gnutls_tpm.c | 8 ++++++--
 gnutls_tpm2_esys.c | 23 +++++++++++++++------
 gnutls_tpm2_ibm.c | 27 ++++++++++++++++--------
 4 files changed, 78 insertions(+), 31 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index 0694002a..8624f3b8 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -366,7 +366,8 @@ int ssl_nonblock_write(struct openconnect_info *vpninfo, int dtls, void *buf, in
 return -1;
 }
-static int check_certificate_expiry(struct openconnect_info *vpninfo, gnutls_x509_crt_t cert)
+static int check_certificate_expiry(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_x509_crt_t cert)
 {
 const char *reason = NULL;
 time_t expires = gnutls_x509_crt_get_expiration_time(cert);
@@ -379,9 +380,11 @@ static int check_certificate_expiry(struct openconnect_info *vpninfo, gnutls_x50
 }
 if (expires < now)
- reason = _("Client certificate has expired at");
+ reason = certinfo_string(certinfo, _("Client certificate has expired at"),
+ _("Secondary client certificate has expired at"));
 else if (expires < now + vpninfo->cert_expire_warning)
- reason = _("Client certificate expires soon at");
+ reason = certinfo_string(certinfo, _("Client certificate expires soon at"),
+ _("Secondary client certificate expires soon at"));
 if (reason) {
 char buf[80];
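Review bot: check_certificate_expiry's new certinfo parameter carries no comment saying what it is for; as far as the two hunks show, it only selects the primary or secondary wording of the warning (the certinfo_string() calls in the second hunk), while `cert` remains the certificate actually examined. A line above the new signature, `/* certinfo only selects primary/secondary wording; cert is the certificate whose expiry is checked. */`, would stop a later reader from assuming certinfo is also consulted for the expiry itself. The body between the two hunks, and the rest of the function after `char buf[80];`, is not visible here.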
@@ -525,8 +528,12 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
 _("Failed to decrypt PKCS#12 certificate file\n"));
 free_pass(&pass);
 certinfo->password = NULL;
- err = request_passphrase(vpninfo, "openconnect_pkcs12", &pass,
- _("Enter PKCS#12 pass phrase:"));
+ err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_pkcs12",
+ "openconnect_secondary_pkcs12"),
+ &pass,
+ certinfo_string(certinfo, _("Enter PKCS#12 pass phrase:"),
+ _("Enter secondary PKCS#12 pass phrase:")));
 if (err) {
 gnutls_pkcs12_deinit(p12);
 return -EINVAL;
@@ -561,7 +568,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
 gnutls_pkcs12_deinit(p12);
 if (err) {
 vpn_progress(vpninfo, PRG_ERR,
- _("Failed to load PKCS#12 certificate: %s\n"),
+ certinfo_string(certinfo, _("Failed to load PKCS#12 certificate: %s\n"),
+ _("Failed to load secondary PKCS#12 certificate: %s\n")),
 gnutls_strerror(err));
 return -EINVAL;
 }
@@ -886,8 +894,12 @@ static int import_openssl_pem(struct openconnect_info *vpninfo, struct cert_info
 vpn_progress(vpninfo, PRG_ERR, _("Decrypting PEM key failed\n"));
 free_pass(&pass);
 }
- err = request_passphrase(vpninfo, "openconnect_pem",
- &pass, _("Enter PEM pass phrase:"));
+ err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_pem",
+ "openconnect_secondary_pem"),
+ &pass,
+ certinfo_string(certinfo, _("Enter PEM pass phrase:"),
+ _("Enter secondary PEM pass phrase:")));
 if (err) {
 ret = -EINVAL;
 goto out;
@@ -1068,7 +1080,9 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 /* OK, not a PKCS#11 certificate so it must be coming from a file... */
 vpn_progress(vpninfo, PRG_DEBUG,
- _("Using certificate file %s\n"), certinfo->cert);
+ certinfo_string(certinfo, _("Using certificate file %s\n"),
+ _("Using secondary certificate file %s\n")),
+ certinfo->cert);
 /* Load file contents */
 ret = load_datum(vpninfo, &fdata, certinfo->cert);
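Review bot: The four-line pairing of certinfo_string() for the auth_id and again for the prompt, introduced at the request_passphrase() call in load_pkcs12_certificate, recurs almost verbatim at the PEM call (@@ -886), in gnutls_tpm.c @@ -237, gnutls_tpm2_esys.c @@ -295 and @@ -364, and gnutls_tpm2_ibm.c @@ -274 and @@ -360. A small certinfo-aware wrapper taking certinfo, the primary id and prompt, and the secondary id and prompt, and forwarding to request_passphrase(), would leave a single place where the primary/secondary selection lives and make a future wording fix a one-line change. The two hierarchy calls (gnutls_tpm2_esys.c @@ -201 and gnutls_tpm2_ibm.c @@ -258) pass a format argument, so such a wrapper would have to be variadic or those two sites left as they are. load_pkcs12_certificate starts above the hunk.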
@@ -1127,7 +1141,8 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 reason = gnutls_strerror(err);
 vpn_progress(vpninfo, PRG_ERR,
- _("Loading certificate failed: %s\n"),
+ certinfo_string(certinfo, _("Loading certificate failed: %s\n"),
+ _("Loading secondary certificate failed: %s\n")),
 reason);
 nr_extra_certs = 0;
 ret = -EINVAL;
@@ -1142,7 +1157,9 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 #ifdef HAVE_GNUTLS_SYSTEM_KEYS
 if (key_is_sys) {
 vpn_progress(vpninfo, PRG_DEBUG,
- _("Using system key %s\n"), certinfo->key);
+ certinfo_string(certinfo, _("Using system key %s\n"),
+ _("Using secondary system key %s\n")),
+ certinfo->key);
 err = gnutls_privkey_init(&gci->pkey);
 if (err) {
@@ -1580,7 +1597,8 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 /* We shouldn't reach this. It means that we didn't find *any* matching cert */
 vpn_progress(vpninfo, PRG_ERR,
- _("No SSL certificate found to match private key\n"));
+ certinfo_string(certinfo, _("No SSL certificate found to match private key\n"),
+ _("No secondary certificate found to match private key\n")));
 ret = -EINVAL;
 goto out;
@@ -1589,9 +1607,11 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info *
 /* Now we have a key in either 'key' or 'pkey', a matching cert in 'cert', and potentially a list of other certs in 'extra_certs[]'. If we loaded a PKCS#12 file we may have a trust chain in 'gci->certs[]' too. */
- check_certificate_expiry(vpninfo, cert);
+ check_certificate_expiry(vpninfo, certinfo, cert);
 get_cert_name(cert, name, sizeof(name));
- vpn_progress(vpninfo, PRG_INFO, _("Using client certificate '%s'\n"),
+ vpn_progress(vpninfo, PRG_INFO,
+ certinfo_string(certinfo, _("Using client certificate '%s'\n"),
+ _("Using secondary certificate '%s'\n")),
 name);
 /* OpenSSL has problems with certificate chains — if there are
@@ -2574,7 +2594,8 @@ static int gnutls_pin_callback(void *priv, int attempt, const char *uri,
 }
 memset(&f, 0, sizeof(f));
- f.auth_id = (char *)"pkcs11_pin";
+ f.auth_id = (char *)certinfo_string(certinfo, "pkcs11_pin",
+ "secondary_pkcs11_pin");
 f.opts = &o;
 message[sizeof(message)-1] = 0;
diff --git a/gnutls_tpm.c b/gnutls_tpm.c
index 2a9ffb1c..9eaf9327 100644
--- a/gnutls_tpm.c
+++ b/gnutls_tpm.c
@@ -237,8 +237,12 @@ int load_tpm1_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
 goto out_key_policy;
 }
 }
- err = request_passphrase(vpninfo, "openconnect_tpm_key",
- &pass, _("Enter TPM key PIN:"));
+ err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm_key",
+ "openconnect_secondary_tpm_key"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM key PIN:"),
+ _("Enter secondary key TPM PIN:")));
 if (err)
 goto out_key_policy;
diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index 5d847056..5ae7390d 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -201,8 +201,11 @@ static int init_tpm2_primary(struct openconnect_info *vpninfo, struct cert_info
 reauth:
 if (certinfo->tpm2->need_ownerauth) {
 char *pass = NULL;
- if (request_passphrase(vpninfo, "openconnect_tpm2_hierarchy", &pass,
- _("Enter TPM2 %s hierarchy password:"), hierarchy_name))
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_hierarchy",
+ "openconnect_secondary_tpm2_hierarchy"),
+ &pass,
+ _("Enter TPM2 %s hierarchy password:"), hierarchy_name))
 return -EPERM;
 install_tpm_passphrase(vpninfo, &certinfo->tpm2->ownerauth, pass);
 certinfo->tpm2->need_ownerauth = 0;
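Review bot: The new auth_id assignment in gnutls_pin_callback keeps the `(char *)` cast, so f.auth_id now points at whichever static string certinfo_string() returns instead of a literal, and nothing on the page says that this stack-allocated form must never be released through the normal form-freeing path; if, as elsewhere in the tree, auth_id is otherwise heap-owned and freed together with the form, a comment such as `/* auth_id points at a static string: this form is never passed to free_auth_form() */` would make that ownership explicit. Where `certinfo` comes from is not visible either, since gnutls_pin_callback starts above the hunk; confirm it is derived from `priv` and is non-NULL on the primary-certificate path, where previously no certificate state was needed to build the form.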
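Review bot: The new secondary prompt in load_tpm1_key, `_("Enter secondary key TPM PIN:")`, reorders the words of the primary `_("Enter TPM key PIN:")`, so the dialog would read "secondary key TPM PIN"; every other secondary string in this patch keeps the primary wording and only inserts "secondary", e.g. `_("Enter secondary TPM2 key password:")`. Suggest `_("Enter secondary TPM key PIN:")`, which also matches the new auth_id `openconnect_secondary_tpm_key`. Since these strings are translatable, fixing the wording before it lands in the .po files avoids a second round of translation. load_tpm1_key starts above the hunk.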
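Review bot: The new auth_id `openconnect_secondary_tpm2_hierarchy` in init_tpm2_primary separates the secondary certificate's request, but the prompt kept on the following context line, `_("Enter TPM2 %s hierarchy password:")`, is still the shared one, unlike every other request_passphrase() call in this patch. A TPM2 hierarchy authorization is a property of the TPM rather than of one key, so both certificates end up asking for the same secret under two different ids; if a front-end remembers answers per auth_id, the user is prompted twice for one value. Either keep `"openconnect_tpm2_hierarchy"` for both certificates here and at the matching call in gnutls_tpm2_ibm.c @@ -258, or add a `_("Enter secondary TPM2 %s hierarchy password:")` variant so the dialog at least says which certificate triggered it. init_tpm2_primary starts above the hunk.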
@@ -295,8 +298,12 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle,
 reauth:
 if (certinfo->tpm2->need_ownerauth) {
 char *pass = NULL;
- if (request_passphrase(vpninfo, "openconnect_tpm2_parent", &pass,
- _("Enter TPM2 parent key password:")))
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_parent",
+ "openconnect_secondary_tpm2_parent"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 parent key password:"),
+ _("Enter secondary TPM2 parent key password:"))))
 return -EPERM;
 install_tpm_passphrase(vpninfo, &certinfo->tpm2->ownerauth, pass);
 certinfo->tpm2->need_ownerauth = 0;
@@ -364,8 +371,12 @@ static int auth_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *cer
 pass = certinfo->password;
 certinfo->password = NULL;
 } else {
- int err = request_passphrase(vpninfo, "openconnect_tpm2_key",
- &pass, _("Enter TPM2 key password:"));
+ int err = request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_key",
+ "openconnect_secondary_tpm2_key"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 key password:"),
+ _("Enter secondary TPM2 key password:")));
 if (err)
 return err;
 }
diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
index ad57afe2..0232e314 100644
--- a/gnutls_tpm2_ibm.c
+++ b/gnutls_tpm2_ibm.c
@@ -219,7 +219,7 @@ static TPM_RC tpm2_load_srk(struct openconnect_info *vpninfo, TSS_CONTEXT *tssCo
 }
-static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, TSS_CONTEXT **tsscp)
+static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, struct cert_info *certinfo, TSS_CONTEXT **tsscp)
 {
 TSS_CONTEXT *tssContext;
 Load_In in;
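Review bot: tpm2_load_key gains a `certinfo` parameter, yet the unchanged context at @@ -258 (`certinfo->tpm2->parent`, `certinfo->tpm2->legacy_srk`) shows the name was already resolvable inside the old body, and nothing in the patch removes whatever supplied it. Confirm the new parameter replaces that earlier source of the name rather than shadowing or colliding with it, and that both callers (@@ -341 in tpm2_rsa_sign_hash_fn and @@ -430 in tpm2_ec_sign_hash_fn) pass the cert_info that owns the key being loaded, since a mix-up there would apply one certificate's TPM blob and passwords to the other's signing request. The same question applies to the two sign functions themselves, where `certinfo` appears only in added lines and its declaration is outside the hunks. tpm2_load_key's body continues past the end of this hunk.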
@@ -258,7 +258,10 @@ static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, TSS_CONTEXT **
 rc = tpm2_load_srk(vpninfo, tssContext, &in.parentHandle, pass, certinfo->tpm2->parent, certinfo->tpm2->legacy_srk);
 if (rc == KEY_AUTH_FAILED) {
 free_pass(&pass);
- if (!request_passphrase(vpninfo, "openconnect_tpm2_hierarchy", &pass,
+ if (!request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_hierarchy",
+ "openconnect_secondary_tpm2_hierarchy"),
+ &pass,
 _("Enter TPM2 %s hierarchy password:"), "owner")) {
 goto reauth_srk;
 }
@@ -274,8 +277,12 @@ static TPM_HANDLE tpm2_load_key(struct openconnect_info *vpninfo, TSS_CONTEXT **
 memcpy(&in.inPrivate, &certinfo->tpm2->priv, sizeof(in.inPrivate));
 if (need_pw && !pass) {
 reauth_parent:
- if (request_passphrase(vpninfo, "openconnect_tpm2_parent", &pass,
- _("Enter TPM2 parent key password:"))) {
+ if (request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_parent",
+ "openconnect_secondary_tpm2_parent"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 parent key password:"),
+ _("Enter secondary TPM2 parent key password:")))) {
 tpm2_flush_handle(tssContext, session);
 goto out_flush_srk;
 }
@@ -341,7 +348,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 return GNUTLS_E_PK_SIGN_FAILED;
 in.inScheme.scheme = TPM_ALG_NULL;
- in.keyHandle = tpm2_load_key(vpninfo, &tssContext);
+ in.keyHandle = tpm2_load_key(vpninfo, certinfo, &tssContext);
 in.label.t.size = 0;
 if (!in.keyHandle)
 return GNUTLS_E_PK_SIGN_FAILED;
@@ -360,8 +367,12 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 TPM_RH_NULL, NULL, 0);
 if (rc == KEY_AUTH_FAILED) {
 free_pass(&pass);
- if (!request_passphrase(vpninfo, "openconnect_tpm2_key",
- &pass, _("Enter TPM2 key password:")))
+ if (!request_passphrase(vpninfo,
+ certinfo_string(certinfo, "openconnect_tpm2_key",
+ "openconnect_secondary_tpm2_key"),
+ &pass,
+ certinfo_string(certinfo, _("Enter TPM2 key password:"),
+ _("Enter secondary TPM2 key password:"))))
 goto reauth;
 }
 if (rc) {
@@ -430,7 +441,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 in.validation.hierarchy = TPM_RH_NULL;
 in.validation.digest.t.size = 0;
- in.keyHandle = tpm2_load_key(vpninfo, &tssContext);
+ in.keyHandle = tpm2_load_key(vpninfo, certinfo, &tssContext);
 if (!in.keyHandle)
 return GNUTLS_E_PK_SIGN_FAILED;
-- 
2.50.1