author | Pierre Ossman <ossman@cendio.se> | 2023-07-05 10:21:56 +0200 |
---|---|---|
committer | Pierre Ossman <ossman@cendio.se> | 2023-07-05 10:21:56 +0200 |
commit | c43a03a2b22a436668e8ea4703501844196ce49f (patch) | |
tree | 4cad97370e23995ae969e7f818925f12a0b9abf1 | |
parent | e453d4d9db9090313aa9d8f94d0793248b915e61 (diff) | |
download | tigervnc-c43a03a2b22a436668e8ea4703501844196ce49f.tar.gz tigervnc-c43a03a2b22a436668e8ea4703501844196ce49f.zip |
Handle GNUTLS_CERT_INVALID in TOFU code
GnuTLS should hopefully never set just this flag, but let's be fully
prepared for all scenarios.
-rw-r--r-- | common/rfb/CSecurityTLS.cxx | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 7748938b..06bd0bb8 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -417,7 +417,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("Server host not previously known");
     vlog.debug("%s", info.data);
-    if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+    if (status & (GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
                   GNUTLS_CERT_SIGNER_NOT_CA)) {
       text = format("This certificate has been signed by an unknown "
                     "authority:\n"
@@ -458,7 +459,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("Server host key mismatch");
     vlog.debug("%s", info.data);
-    if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+    if (status & (GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
                   GNUTLS_CERT_SIGNER_NOT_CA)) {
       text = format("This host is previously known with a different "
                     "certificate, and the new certificate has been "
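Review bot: Adding GNUTLS_CERT_INVALID to the mask in the `if (status & (...))` at line 417 (and the same test at line 458) widens this branch to every untrusted certificate, not just the "unknown authority" case: GnuTLS sets GNUTLS_CERT_INVALID together with the specific reason flag (expired, revoked, insecure algorithm, and so on), so any status that still carries one of those reasons when it reaches this point now gets the "signed by an unknown authority" wording, and any later `else if` on a more specific flag can no longer be reached. Whether that matters depends on what checkSession() already rejects before this point, which is outside the hunk; if those reasons are thrown earlier, the change is harmless, but that dependency should be stated, e.g. `// GNUTLS_CERT_INVALID alone (no more specific flag) ends up here; the specific reasons are rejected above` above the condition. If they are not rejected earlier, the safer shape is to keep the specific `GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA` test here and handle a bare GNUTLS_CERT_INVALID in a final fallback branch after the other flags, so the user-facing text describes the actual failure the user is being asked to accept. The enclosing checkSession() begins and ends outside both hunks.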