From: Pierre Ossman <ossman@cendio.se>
Date: Wed, 5 Jul 2023 09:07:31 +0000 (+0200)
Subject: Allow exception for weak certificate algorithms
X-Git-Tag: v1.13.90~68^2~3
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=af3dae278cc8974b980a72fa0c7679a5182c4a04;p=tigervnc.git

Allow exception for weak certificate algorithms

The browsers let you add an exception for this case, so we should as
well.
---

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 08b45da6..6bdf720a 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -290,7 +290,8 @@ void CSecurityTLS::checkSession()
 				  GNUTLS_CERT_SIGNER_NOT_FOUND |
 				  GNUTLS_CERT_SIGNER_NOT_CA |
 				  GNUTLS_CERT_NOT_ACTIVATED |
-				  GNUTLS_CERT_EXPIRED;
+				  GNUTLS_CERT_EXPIRED |
+				  GNUTLS_CERT_INSECURE_ALGORITHM;
   unsigned int status;
   const gnutls_datum_t *cert_list;
   unsigned int cert_list_size = 0;
@@ -356,9 +357,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("server certificate has not yet been activated");
   if (status & GNUTLS_CERT_EXPIRED)
     vlog.debug("server certificate has expired");
-
   if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
-    throw AuthFailureException("The server certificate uses an insecure algorithm");
+    vlog.debug("server certificate uses an insecure algorithm");
 
   if ((status & (~allowed_errors)) != 0) {
     /* No other errors are allowed */
@@ -471,6 +471,25 @@ void CSecurityTLS::checkSession()
       status &= ~GNUTLS_CERT_EXPIRED;
     }
 
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+      text = format("This certificate uses an insecure algorithm:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Insecure certificate algorithm",
+                           text.c_str()))
+        throw AuthFailureException("Insecure certificate algorithm");
+
+      status &= ~GNUTLS_CERT_INSECURE_ALGORITHM;
+    }
+
     if (status != 0) {
       vlog.error("Unhandled certificate problems: 0x%x", status);
       throw AuthFailureException("Unhandled certificate problems");
@@ -548,6 +567,27 @@ void CSecurityTLS::checkSession()
       status &= ~GNUTLS_CERT_EXPIRED;
     }
 
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+      text = format("This host is previously known with a different "
+                    "certificate, and the new certificate uses an "
+                    "insecure algorithm:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Unexpected server certificate",
+                           text.c_str()))
+        throw AuthFailureException("Unexpected server certificate");
+
+      status &= ~GNUTLS_CERT_INSECURE_ALGORITHM;
+    }
+
     if (status != 0) {
       vlog.error("Unhandled certificate problems: 0x%x", status);
       throw AuthFailureException("Unhandled certificate problems");