Make sure we handle all certificate issues
authorPierre Ossman <ossman@cendio.se>
Wed, 5 Jul 2023 08:22:42 +0000 (10:22 +0200)
committerPierre Ossman <ossman@cendio.se>
Wed, 5 Jul 2023 08:22:42 +0000 (10:22 +0200)
We don't want to proceed unless we've made sure the user has approved
the issues with the certificate. So add an extra check that all status
flags have been dealt with.

common/rfb/CSecurityTLS.cxx

index 06bd0bb84cef6db7b82bd82e1ae886982d16d8df..735bdb6ca3cedb1e2e447e051c81732dac5c4fdb 100644 (file)
@@ -435,6 +435,10 @@ void CSecurityTLS::checkSession()
                            "Unknown certificate issuer",
                            text.c_str()))
         throw AuthFailureException("Unknown certificate issuer");
+
+      status &= ~(GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
+                  GNUTLS_CERT_SIGNER_NOT_CA);
     }
 
     if (status & GNUTLS_CERT_EXPIRED) {
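Review bot: The mask on the added lines clears GNUTLS_CERT_INVALID together with the two signer flags without saying why, and since the later `status != 0` check depends on that bit being cleared here, the intent deserves a comment. I would put `// GNUTLS_CERT_INVALID is the summary bit gnutls sets alongside any specific problem; clear it with the flags the user just accepted` above the `status &=` line. The same applies to the identical mask in the hunk at line 489. The enclosing `if` for the signer dialog starts above this hunk.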
@@ -452,6 +456,13 @@ void CSecurityTLS::checkSession()
                            "Expired certificate",
                            text.c_str()))
         throw AuthFailureException("Expired certificate");
+
+      status &= ~GNUTLS_CERT_EXPIRED;
+    }
+
+    if (status != 0) {
+      vlog.error("Unhandled certificate problems: 0x%x", status);
+      throw AuthFailureException("Unhandled certificate problems");
     }
   } else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) {
     std::string text;
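Review bot: The added `status &= ~GNUTLS_CERT_EXPIRED;` leaves GNUTLS_CERT_INVALID set, so an expired certificate from a known issuer appears to be rejected by the new `status != 0` check even after the user accepted it in the dialog. gnutls sets GNUTLS_CERT_INVALID whenever any specific problem bit is set, and from the visible lines only the signer branch (whose condition starts above the previous hunk) clears it, so a certificate that is merely expired never has the summary bit removed and falls into "Unhandled certificate problems". The mask should be `status &= ~(GNUTLS_CERT_INVALID | GNUTLS_CERT_EXPIRED);`. The same change is needed at the corresponding line in the hunk at line 512.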
@@ -478,6 +489,10 @@ void CSecurityTLS::checkSession()
                            "Unexpected server certificate",
                            text.c_str()))
         throw AuthFailureException("Unexpected server certificate");
+
+      status &= ~(GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
+                  GNUTLS_CERT_SIGNER_NOT_CA);
     }
 
     if (status & GNUTLS_CERT_EXPIRED) {
@@ -497,6 +512,13 @@ void CSecurityTLS::checkSession()
                            "Unexpected server certificate",
                            text.c_str()))
         throw AuthFailureException("Unexpected server certificate");
+
+      status &= ~GNUTLS_CERT_EXPIRED;
+    }
+
+    if (status != 0) {
+      vlog.error("Unhandled certificate problems: 0x%x", status);
+      throw AuthFailureException("Unhandled certificate problems");
     }
   }