From 77e7e2fafe2cd978e57e2ae8d74e6027623e2d07 Mon Sep 17 00:00:00 2001 From: Pierre Ossman Date: Wed, 5 Jul 2023 10:22:42 +0200 Subject: [PATCH] Make sure we handle all certificate issues We don't want to proceed unless we've made sure the user has approved the issues with the certificate. So add an extra check that all status flags have been dealt with. --- common/rfb/CSecurityTLS.cxx | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx index 06bd0bb8..735bdb6c 100644 --- a/common/rfb/CSecurityTLS.cxx +++ b/common/rfb/CSecurityTLS.cxx @@ -435,6 +435,10 @@ void CSecurityTLS::checkSession() "Unknown certificate issuer", text.c_str())) throw AuthFailureException("Unknown certificate issuer"); + + status &= ~(GNUTLS_CERT_INVALID | + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA); } if (status & GNUTLS_CERT_EXPIRED) { @@ -452,6 +456,13 @@ void CSecurityTLS::checkSession() "Expired certificate", text.c_str())) throw AuthFailureException("Expired certificate"); + + status &= ~GNUTLS_CERT_EXPIRED; + } + + if (status != 0) { + vlog.error("Unhandled certificate problems: 0x%x", status); + throw AuthFailureException("Unhandled certificate problems"); } } else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { std::string text; @@ -478,6 +489,10 @@ void CSecurityTLS::checkSession() "Unexpected server certificate", text.c_str())) throw AuthFailureException("Unexpected server certificate"); + + status &= ~(GNUTLS_CERT_INVALID | + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA); } if (status & GNUTLS_CERT_EXPIRED) { @@ -497,6 +512,13 @@ void CSecurityTLS::checkSession() "Unexpected server certificate", text.c_str())) throw AuthFailureException("Unexpected server certificate"); + + status &= ~GNUTLS_CERT_EXPIRED; + } + + if (status != 0) { + vlog.error("Unhandled certificate problems: 0x%x", status); + throw AuthFailureException("Unhandled certificate problems"); } } -- 2.39.5