From: Pierre Ossman Date: Wed, 5 Jul 2023 08:22:42 +0000 (+0200) Subject: Make sure we handle all certificate issues X-Git-Tag: v1.13.90~68^2~6 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=77e7e2fafe2cd978e57e2ae8d74e6027623e2d07;p=tigervnc.git Make sure we handle all certificate issues We don't want to proceed unless we've made sure the user has approved the issues with the certificate. So add an extra check that all status flags have been dealt with. --- diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx index 06bd0bb8..735bdb6c 100644 --- a/common/rfb/CSecurityTLS.cxx +++ b/common/rfb/CSecurityTLS.cxx @@ -435,6 +435,10 @@ void CSecurityTLS::checkSession() "Unknown certificate issuer", text.c_str())) throw AuthFailureException("Unknown certificate issuer"); + + status &= ~(GNUTLS_CERT_INVALID | + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA); } if (status & GNUTLS_CERT_EXPIRED) { @@ -452,6 +456,13 @@ void CSecurityTLS::checkSession() "Expired certificate", text.c_str())) throw AuthFailureException("Expired certificate"); + + status &= ~GNUTLS_CERT_EXPIRED; + } + + if (status != 0) { + vlog.error("Unhandled certificate problems: 0x%x", status); + throw AuthFailureException("Unhandled certificate problems"); } } else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { std::string text; @@ -478,6 +489,10 @@ void CSecurityTLS::checkSession() "Unexpected server certificate", text.c_str())) throw AuthFailureException("Unexpected server certificate"); + + status &= ~(GNUTLS_CERT_INVALID | + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA); } if (status & GNUTLS_CERT_EXPIRED) { @@ -497,6 +512,13 @@ void CSecurityTLS::checkSession() "Unexpected server certificate", text.c_str())) throw AuthFailureException("Unexpected server certificate"); + + status &= ~GNUTLS_CERT_EXPIRED; + } + + if (status != 0) { + vlog.error("Unhandled certificate problems: 0x%x", status); + throw AuthFailureException("Unhandled certificate problems"); } }