Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / 1b7463478e30c6855ea62db1f5647630f0acd24b / . / common / rfb / CSecurityTLS.cxx
blob: 7ca01d5795d933a42c0238251438f4185e0a6c61 [file] [log] [blame]
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]1/*
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]5 * Copyright (C) 2010 m-privacy GmbH
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]6 *
7 * This is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this software; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
20 * USA.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include <config.h>
25#endif
26
Adam Tkac43958232010-07-21 09:06:59 +0000[diff] [blame]27#ifndef HAVE_GNUTLS
28#error "This header should not be compiled without HAVE_GNUTLS defined"
29#endif
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]30
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]31#include <stdlib.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]32#ifndef WIN32
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]33#include <unistd.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]34#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]35
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]36#include <rfb/CSecurityTLS.h>
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]37#include <rfb/SSecurityVeNCrypt.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]38#include <rfb/CConnection.h>
39#include <rfb/LogWriter.h>
40#include <rfb/Exception.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]41#include <rfb/UserMsgBox.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]42#include <rdr/TLSInStream.h>
43#include <rdr/TLSOutStream.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]44#include <os/os.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]45
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]46#include <gnutls/x509.h>
47
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]48/*
49 * GNUTLS 2.6.5 and older didn't have some variables defined so don't use them.
50 * GNUTLS 1.X.X defined LIBGNUTLS_VERSION_NUMBER so treat it as "old" gnutls as
51 * well
52 */
53#if (defined(GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER < 0x020606) || \
54 defined(LIBGNUTLS_VERSION_NUMBER)
55#define WITHOUT_X509_TIMES
DRCb7ab54f2011-02-09 03:27:26 +0000[diff] [blame]56#endif
57
Adam Tkacb4864232011-02-09 15:38:37 +0000[diff] [blame]58/* Ancient GNUTLS... */
59#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
60#define WITHOUT_X509_TIMES
61#endif
62
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]63using namespace rfb;
64
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]65StringParameter CSecurityTLS::X509CA("X509CA", "X509 CA certificate", "", ConfViewer);
66StringParameter CSecurityTLS::X509CRL("X509CRL", "X509 CRL file", "", ConfViewer);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]67
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]68static LogWriter vlog("TLS");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]69
Pierre Ossmanad2b3c42018-09-21 15:31:11 +0200[diff] [blame]70CSecurityTLS::CSecurityTLS(CConnection* cc, bool _anon)
71 : CSecurity(cc), session(NULL), anon_cred(NULL), cert_cred(NULL),
Pierre Ossman1b746342018-09-21 15:33:30 +0200[diff] [blame^]72 anon(_anon), tlsis(NULL), tlsos(NULL)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]73{
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]74 cafile = X509CA.getData();
75 crlfile = X509CRL.getData();
Pierre Ossman8aa4bc52016-08-23 17:02:58 +0200[diff] [blame]76
77 if (gnutls_global_init() != GNUTLS_E_SUCCESS)
78 throw AuthFailureException("gnutls_global_init failed");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]79}
80
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]81void CSecurityTLS::setDefaults()
82{
83 char* homeDir = NULL;
84
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]85 if (getvnchomedir(&homeDir) == -1) {
86 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]87 return;
88 }
89
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]90 int len = strlen(homeDir) + 1;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]91 CharArray caDefault(len + 11);
92 CharArray crlDefault(len + 12);
93 sprintf(caDefault.buf, "%sx509_ca.pem", homeDir);
94 sprintf(crlDefault.buf, "%s509_crl.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]95 delete [] homeDir;
96
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]97 if (!fileexists(caDefault.buf))
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]98 X509CA.setDefaultStr(strdup(caDefault.buf));
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]99 if (!fileexists(crlDefault.buf))
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]100 X509CRL.setDefaultStr(strdup(crlDefault.buf));
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]101}
102
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]103void CSecurityTLS::shutdown(bool needbye)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]104{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]105 if (session && needbye)
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]106 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS)
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]107 vlog.error("gnutls_bye failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]108
109 if (anon_cred) {
110 gnutls_anon_free_client_credentials(anon_cred);
111 anon_cred = 0;
112 }
113
114 if (cert_cred) {
115 gnutls_certificate_free_credentials(cert_cred);
116 cert_cred = 0;
117 }
118
Pierre Ossman1b746342018-09-21 15:33:30 +0200[diff] [blame^]119 if (tlsis) {
120 delete tlsis;
121 tlsis = NULL;
122 }
123 if (tlsos) {
124 delete tlsos;
125 tlsos = NULL;
126 }
127
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]128 if (session) {
129 gnutls_deinit(session);
130 session = 0;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]131 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]132}
133
134
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]135CSecurityTLS::~CSecurityTLS()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]136{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]137 shutdown(true);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]138
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]139 delete[] cafile;
140 delete[] crlfile;
Pierre Ossman8aa4bc52016-08-23 17:02:58 +0200[diff] [blame]141
142 gnutls_global_deinit();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]143}
144
Pierre Ossmanad2b3c42018-09-21 15:31:11 +0200[diff] [blame]145bool CSecurityTLS::processMsg()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]146{
147 rdr::InStream* is = cc->getInStream();
148 rdr::OutStream* os = cc->getOutStream();
149 client = cc;
150
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]151 if (!session) {
152 if (!is->checkNoWait(1))
153 return false;
154
Adam Tkacce6c8b02011-05-10 08:54:57 +0000[diff] [blame]155 if (is->readU8() == 0) {
156 rdr::U32 result = is->readU32();
157 CharArray reason;
158 if (result == secResultFailed || result == secResultTooMany)
159 reason.buf = is->readString();
160 else
Pierre Ossman19225502017-10-12 15:05:07 +0200[diff] [blame]161 reason.buf = strDup("protocol error");
Adam Tkacce6c8b02011-05-10 08:54:57 +0000[diff] [blame]162 throw AuthFailureException(reason.buf);
163 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]164
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]165 if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
166 throw AuthFailureException("gnutls_init failed");
167
168 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
169 throw AuthFailureException("gnutls_set_default_priority failed");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]170
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]171 setParam();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]172
Pierre Ossman1b746342018-09-21 15:33:30 +0200[diff] [blame^]173 // Create these early as they set up the push/pull functions
174 // for GnuTLS
175 tlsis = new rdr::TLSInStream(is, session);
176 tlsos = new rdr::TLSOutStream(os, session);
177 }
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]178
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]179 int err;
180 err = gnutls_handshake(session);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]181 if (err != GNUTLS_E_SUCCESS) {
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]182 if (!gnutls_error_is_fatal(err))
183 return false;
184
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]185 vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err));
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]186 shutdown(false);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]187 throw AuthFailureException("TLS Handshake failed");
188 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]189
190 checkSession();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]191
Pierre Ossman1b746342018-09-21 15:33:30 +0200[diff] [blame^]192 cc->setStreams(tlsis, tlsos);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]193
194 return true;
195}
196
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]197void CSecurityTLS::setParam()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]198{
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]199 static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]200
201 int ret;
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]202 char *prio;
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]203 const char *err;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]204
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]205 prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
206 strlen(kx_anon_priority) + 1);
207 if (prio == NULL)
208 throw AuthFailureException("Not enough memory for GnuTLS priority string");
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]209
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]210 strcpy(prio, Security::GnuTLSPriority);
211 if (anon)
212 strcat(prio, kx_anon_priority);
213
214 ret = gnutls_priority_set_direct(session, prio, &err);
215
216 free(prio);
217
218 if (ret != GNUTLS_E_SUCCESS) {
219 if (ret == GNUTLS_E_INVALID_REQUEST)
220 vlog.error("GnuTLS priority syntax error at: %s", err);
221 throw AuthFailureException("gnutls_set_priority_direct failed");
222 }
223
224 if (anon) {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]225 if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
226 throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
227
228 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS)
229 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]230
231 vlog.debug("Anonymous session has been set");
232 } else {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]233 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
234 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]235
Pierre Ossmanc04f7562018-08-16 13:28:37 +0200[diff] [blame]236 if (gnutls_certificate_set_x509_system_trust(cert_cred) != GNUTLS_E_SUCCESS)
237 vlog.error("Could not load system certificate trust store");
238
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]239 if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0)
240 throw AuthFailureException("load of CA cert failed");
241
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]242 /* Load previously saved certs */
243 char *homeDir = NULL;
244 int err;
245 if (getvnchomedir(&homeDir) == -1)
246 vlog.error("Could not obtain VNC home directory path");
247 else {
248 CharArray caSave(strlen(homeDir) + 19 + 1);
249 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
250 delete [] homeDir;
251
252 err = gnutls_certificate_set_x509_trust_file(cert_cred, caSave.buf,
253 GNUTLS_X509_FMT_PEM);
254 if (err < 0)
255 vlog.debug("Failed to load saved server certificates from %s", caSave.buf);
256 }
257
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]258 if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0)
259 throw AuthFailureException("load of CRL failed");
260
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]261 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) != GNUTLS_E_SUCCESS)
262 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]263
Pierre Ossman894f2c52017-09-08 15:28:39 +0200[diff] [blame]264 if (gnutls_server_name_set(session, GNUTLS_NAME_DNS,
265 client->getServerName(),
266 strlen(client->getServerName())) != GNUTLS_E_SUCCESS)
267 vlog.error("Failed to configure the server name for TLS handshake");
268
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]269 vlog.debug("X509 session has been set");
270 }
271}
272
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]273void CSecurityTLS::checkSession()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]274{
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]275 const unsigned allowed_errors = GNUTLS_CERT_INVALID |
276 GNUTLS_CERT_SIGNER_NOT_FOUND |
277 GNUTLS_CERT_SIGNER_NOT_CA;
278 unsigned int status;
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]279 const gnutls_datum_t *cert_list;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]280 unsigned int cert_list_size = 0;
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]281 int err;
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]282 gnutls_datum_t info;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]283
284 if (anon)
285 return;
286
287 if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
288 throw AuthFailureException("unsupported certificate type");
289
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]290 err = gnutls_certificate_verify_peers2(session, &status);
291 if (err != 0) {
292 vlog.error("server certificate verification failed: %s", gnutls_strerror(err));
293 throw AuthFailureException("server certificate verification failed");
294 }
295
296 if (status & GNUTLS_CERT_REVOKED)
297 throw AuthFailureException("server certificate has been revoked");
298
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]299#ifndef WITHOUT_X509_TIMES
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]300 if (status & GNUTLS_CERT_NOT_ACTIVATED)
301 throw AuthFailureException("server certificate has not been activated");
302
303 if (status & GNUTLS_CERT_EXPIRED) {
304 vlog.debug("server certificate has expired");
305 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate has expired",
306 "The certificate of the server has expired, "
307 "do you want to continue?"))
308 throw AuthFailureException("server certificate has expired");
309 }
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]310#endif
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]311 /* Process other errors later */
312
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]313 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
314 if (!cert_list_size)
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]315 throw AuthFailureException("empty certificate chain");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]316
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]317 /* Process only server's certificate, not issuer's certificate */
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]318 gnutls_x509_crt_t crt;
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]319 gnutls_x509_crt_init(&crt);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]320
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]321 if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
322 throw AuthFailureException("decoding of certificate failed");
323
324 if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
325 char buf[255];
326 vlog.debug("hostname mismatch");
327 snprintf(buf, sizeof(buf), "Hostname (%s) does not match any certificate, "
328 "do you want to continue?", client->getServerName());
329 buf[sizeof(buf) - 1] = '\0';
330 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf))
331 throw AuthFailureException("hostname mismatch");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]332 }
333
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]334 if (status == 0) {
335 /* Everything is fine (hostname + verification) */
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]336 gnutls_x509_crt_deinit(crt);
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]337 return;
338 }
339
340 if (status & GNUTLS_CERT_INVALID)
341 vlog.debug("server certificate invalid");
342 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
343 vlog.debug("server cert signer not found");
344 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
345 vlog.debug("server cert signer not CA");
346
Pierre Ossmane43e5e32017-09-01 11:15:31 +0200[diff] [blame]347 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
348 throw AuthFailureException("The server certificate uses an insecure algorithm");
349
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]350 if ((status & (~allowed_errors)) != 0) {
351 /* No other errors are allowed */
352 vlog.debug("GNUTLS status of certificate verification: %u", status);
353 throw AuthFailureException("Invalid status of server certificate verification");
354 }
355
356 vlog.debug("Saved server certificates don't match");
357
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]358 if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) {
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]359 /*
360 * GNUTLS doesn't correctly export gnutls_free symbol which is
361 * a function pointer. Linking with Visual Studio 2008 Express will
362 * fail when you call gnutls_free().
363 */
364#if WIN32
365 free(info.data);
366#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]367 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]368#endif
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]369 throw AuthFailureException("Could not find certificate to display");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]370 }
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]371
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]372 size_t out_size = 0;
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]373 char *out_buf = NULL;
374 char *certinfo = NULL;
375 int len = 0;
376
377 vlog.debug("certificate issuer unknown");
378
379 len = snprintf(NULL, 0, "This certificate has been signed by an unknown "
380 "authority:\n\n%s\n\nDo you want to save it and "
381 "continue?\n ", info.data);
382 if (len < 0)
383 AuthFailureException("certificate decoding error");
384
385 vlog.debug("%s", info.data);
386
387 certinfo = new char[len];
388 if (certinfo == NULL)
389 throw AuthFailureException("Out of memory");
390
391 snprintf(certinfo, len, "This certificate has been signed by an unknown "
392 "authority:\n\n%s\n\nDo you want to save it and "
393 "continue? ", info.data);
394
395 for (int i = 0; i < len - 1; i++)
396 if (certinfo[i] == ',' && certinfo[i + 1] == ' ')
397 certinfo[i] = '\n';
398
399 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown",
400 certinfo)) {
401 delete [] certinfo;
402 throw AuthFailureException("certificate issuer unknown");
403 }
404
405 delete [] certinfo;
406
407 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
408 == GNUTLS_E_SHORT_MEMORY_BUFFER)
409 AuthFailureException("Out of memory");
410
411 // Save cert
412 out_buf = new char[out_size];
413 if (out_buf == NULL)
414 AuthFailureException("Out of memory");
415
416 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size) < 0)
417 AuthFailureException("certificate issuer unknown, and certificate "
418 "export failed");
419
420 char *homeDir = NULL;
421 if (getvnchomedir(&homeDir) == -1)
422 vlog.error("Could not obtain VNC home directory path");
423 else {
424 FILE *f;
425 CharArray caSave(strlen(homeDir) + 1 + 19);
426 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
427 delete [] homeDir;
428 f = fopen(caSave.buf, "a+");
429 if (!f)
430 msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed",
431 "Could not save the certificate");
432 else {
433 fprintf(f, "%s\n", out_buf);
434 fclose(f);
435 }
436 }
437
438 delete [] out_buf;
439
440 gnutls_x509_crt_deinit(crt);
441 /*
442 * GNUTLS doesn't correctly export gnutls_free symbol which is
443 * a function pointer. Linking with Visual Studio 2008 Express will
444 * fail when you call gnutls_free().
445 */
446#if WIN32
447 free(info.data);
448#else
449 gnutls_free(info.data);
450#endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]451}
452