|
|
@@ -309,7 +309,8 @@ void CSecurityTLS::checkSession() |
|
|
|
{ |
|
|
|
const unsigned allowed_errors = GNUTLS_CERT_INVALID | |
|
|
|
GNUTLS_CERT_SIGNER_NOT_FOUND | |
|
|
|
GNUTLS_CERT_SIGNER_NOT_CA; |
|
|
|
GNUTLS_CERT_SIGNER_NOT_CA | |
|
|
|
GNUTLS_CERT_EXPIRED; |
|
|
|
unsigned int status; |
|
|
|
const gnutls_datum_t *cert_list; |
|
|
|
unsigned int cert_list_size = 0; |
|
|
@@ -381,6 +382,8 @@ void CSecurityTLS::checkSession() |
|
|
|
vlog.debug("server cert signer not found"); |
|
|
|
if (status & GNUTLS_CERT_SIGNER_NOT_CA) |
|
|
|
vlog.debug("server cert signer not CA"); |
|
|
|
if (status & GNUTLS_CERT_EXPIRED) |
|
|
|
vlog.debug("server certificate has expired"); |
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INSECURE_ALGORITHM) |
|
|
|
throw AuthFailureException("The server certificate uses an insecure algorithm"); |
|
|
@@ -435,33 +438,65 @@ void CSecurityTLS::checkSession() |
|
|
|
vlog.debug("Server host not previously known"); |
|
|
|
vlog.debug("%s", info.data); |
|
|
|
|
|
|
|
text.format("This certificate has been signed by an unknown " |
|
|
|
"authority:\n\n%s\n\nSomeone could be trying to " |
|
|
|
"impersonate the site and you should not " |
|
|
|
"continue.\n\nDo you want to make an exception " |
|
|
|
"for this server?", info.data); |
|
|
|
if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND | |
|
|
|
GNUTLS_CERT_SIGNER_NOT_CA)) { |
|
|
|
text.format("This certificate has been signed by an unknown " |
|
|
|
"authority:\n\n%s\n\nSomeone could be trying to " |
|
|
|
"impersonate the site and you should not " |
|
|
|
"continue.\n\nDo you want to make an exception " |
|
|
|
"for this server?", info.data); |
|
|
|
|
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Unknown certificate issuer", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Unknown certificate issuer"); |
|
|
|
} |
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_EXPIRED) { |
|
|
|
text.format("This certificate has expired:\n\n%s\n\nSomeone " |
|
|
|
"could be trying to impersonate the site and you " |
|
|
|
"should not continue.\n\nDo you want to make an " |
|
|
|
"exception for this server?", info.data); |
|
|
|
|
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Unknown certificate issuer", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Unknown certificate issuer"); |
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Expired certificate", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Expired certificate"); |
|
|
|
} |
|
|
|
} else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { |
|
|
|
CharArray text; |
|
|
|
|
|
|
|
vlog.debug("Server host key mismatch"); |
|
|
|
vlog.debug("%s", info.data); |
|
|
|
|
|
|
|
text.format("This host is previously known with a different " |
|
|
|
"certificate, and the new certificate has been " |
|
|
|
"signed by an unknown authority:\n\n%s\n\nSomeone " |
|
|
|
"could be trying to impersonate the site and you " |
|
|
|
"should not continue.\n\nDo you want to make an " |
|
|
|
"exception for this server?", info.data); |
|
|
|
if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND | |
|
|
|
GNUTLS_CERT_SIGNER_NOT_CA)) { |
|
|
|
text.format("This host is previously known with a different " |
|
|
|
"certificate, and the new certificate has been " |
|
|
|
"signed by an unknown authority:\n\n%s\n\nSomeone " |
|
|
|
"could be trying to impersonate the site and you " |
|
|
|
"should not continue.\n\nDo you want to make an " |
|
|
|
"exception for this server?", info.data); |
|
|
|
|
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Unexpected server certificate", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Unexpected server certificate"); |
|
|
|
} |
|
|
|
|
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Unexpected server certificate", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Unexpected server certificate"); |
|
|
|
if (status & GNUTLS_CERT_EXPIRED) { |
|
|
|
text.format("This host is previously known with a different " |
|
|
|
"certificate, and the new certificate has expired:" |
|
|
|
"\n\n%s\n\nSomeone could be trying to impersonate " |
|
|
|
"the site and you should not continue.\n\nDo you " |
|
|
|
"want to make an exception for this server?", |
|
|
|
info.data); |
|
|
|
|
|
|
|
if (!msg->showMsgBox(UserMsgBox::M_YESNO, |
|
|
|
"Unexpected server certificate", |
|
|
|
text.buf)) |
|
|
|
throw AuthFailureException("Unexpected server certificate"); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
if (gnutls_store_pubkey(dbPath.buf, NULL, client->getServerName(), |