DRC | ff1e1ff | 2011-02-08 23:43:55 +0000 | [diff] [blame] | 1 | /* |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 2 | * Copyright (C) 2004 Red Hat Inc. |
| 3 | * Copyright (C) 2005 Martin Koegler |
| 4 | * Copyright (C) 2010 TigerVNC Team |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 5 | * Copyright (C) 2010 m-privacy GmbH |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 6 | * |
| 7 | * This is free software; you can redistribute it and/or modify |
| 8 | * it under the terms of the GNU General Public License as published by |
| 9 | * the Free Software Foundation; either version 2 of the License, or |
| 10 | * (at your option) any later version. |
| 11 | * |
| 12 | * This software is distributed in the hope that it will be useful, |
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | * GNU General Public License for more details. |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License |
| 18 | * along with this software; if not, write to the Free Software |
| 19 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
| 20 | * USA. |
| 21 | */ |
| 22 | |
| 23 | #ifdef HAVE_CONFIG_H |
| 24 | #include <config.h> |
| 25 | #endif |
| 26 | |
Adam Tkac | 4395823 | 2010-07-21 09:06:59 +0000 | [diff] [blame] | 27 | #ifndef HAVE_GNUTLS |
| 28 | #error "This header should not be compiled without HAVE_GNUTLS defined" |
| 29 | #endif |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 30 | |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 31 | #include <stdlib.h> |
Adam Tkac | c4674db | 2011-01-19 14:11:16 +0000 | [diff] [blame] | 32 | #ifndef WIN32 |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 33 | #include <unistd.h> |
Adam Tkac | c4674db | 2011-01-19 14:11:16 +0000 | [diff] [blame] | 34 | #endif |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 35 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 36 | #include <rfb/CSecurityTLS.h> |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 37 | #include <rfb/SSecurityVeNCrypt.h> |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 38 | #include <rfb/CConnection.h> |
| 39 | #include <rfb/LogWriter.h> |
| 40 | #include <rfb/Exception.h> |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 41 | #include <rfb/UserMsgBox.h> |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 42 | #include <rdr/TLSInStream.h> |
| 43 | #include <rdr/TLSOutStream.h> |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 44 | #include <os/os.h> |
Adam Tkac | 179d2b1 | 2011-01-19 14:15:14 +0000 | [diff] [blame] | 45 | #include <os/print.h> |
Adam Tkac | 68481c1 | 2011-02-09 14:15:09 +0000 | [diff] [blame] | 46 | #include <os/tls.h> |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 47 | |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 48 | #include <gnutls/x509.h> |
| 49 | |
Adam Tkac | 68481c1 | 2011-02-09 14:15:09 +0000 | [diff] [blame] | 50 | /* |
| 51 | * GNUTLS 2.6.5 and older didn't have some variables defined so don't use them. |
| 52 | * GNUTLS 1.X.X defined LIBGNUTLS_VERSION_NUMBER so treat it as "old" gnutls as |
| 53 | * well |
| 54 | */ |
| 55 | #if (defined(GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER < 0x020606) || \ |
| 56 | defined(LIBGNUTLS_VERSION_NUMBER) |
| 57 | #define WITHOUT_X509_TIMES |
DRC | b7ab54f | 2011-02-09 03:27:26 +0000 | [diff] [blame] | 58 | #endif |
| 59 | |
Adam Tkac | b486423 | 2011-02-09 15:38:37 +0000 | [diff] [blame] | 60 | /* Ancient GNUTLS... */ |
| 61 | #if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) |
| 62 | #define WITHOUT_X509_TIMES |
| 63 | #endif |
| 64 | |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 65 | #define TLS_DEBUG |
| 66 | |
| 67 | using namespace rfb; |
| 68 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 69 | StringParameter CSecurityTLS::x509ca("x509ca", "X509 CA certificate", "", ConfViewer); |
| 70 | StringParameter CSecurityTLS::x509crl("x509crl", "X509 CRL file", "", ConfViewer); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 71 | |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 72 | static LogWriter vlog("TLS"); |
| 73 | |
| 74 | #ifdef TLS_DEBUG |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 75 | static LogWriter vlog_raw("Raw TLS"); |
| 76 | |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 77 | static void debug_log(int level, const char* str) |
| 78 | { |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 79 | vlog_raw.debug(str); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 80 | } |
| 81 | #endif |
| 82 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 83 | void CSecurityTLS::initGlobal() |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 84 | { |
| 85 | static bool globalInitDone = false; |
| 86 | |
| 87 | if (!globalInitDone) { |
| 88 | gnutls_global_init(); |
| 89 | |
| 90 | #ifdef TLS_DEBUG |
| 91 | gnutls_global_set_log_level(10); |
| 92 | gnutls_global_set_log_function(debug_log); |
| 93 | #endif |
| 94 | |
| 95 | globalInitDone = true; |
| 96 | } |
| 97 | } |
| 98 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 99 | CSecurityTLS::CSecurityTLS(bool _anon) : session(0), anon_cred(0), |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 100 | anon(_anon), fis(0), fos(0) |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 101 | { |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 102 | cafile = x509ca.getData(); |
| 103 | crlfile = x509crl.getData(); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 104 | } |
| 105 | |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 106 | void CSecurityTLS::setDefaults() |
| 107 | { |
| 108 | char* homeDir = NULL; |
| 109 | |
Adam Tkac | af08172 | 2011-02-07 10:45:15 +0000 | [diff] [blame] | 110 | if (getvnchomedir(&homeDir) == -1) { |
| 111 | vlog.error("Could not obtain VNC home directory path"); |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 112 | return; |
| 113 | } |
| 114 | |
Adam Tkac | af08172 | 2011-02-07 10:45:15 +0000 | [diff] [blame] | 115 | int len = strlen(homeDir) + 1; |
Adam Tkac | 437b0c2 | 2011-02-07 10:46:16 +0000 | [diff] [blame] | 116 | CharArray caDefault(len + 11); |
| 117 | CharArray crlDefault(len + 12); |
| 118 | sprintf(caDefault.buf, "%sx509_ca.pem", homeDir); |
| 119 | sprintf(crlDefault.buf, "%s509_crl.pem", homeDir); |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 120 | delete [] homeDir; |
| 121 | |
Adam Tkac | f16a421 | 2011-02-07 10:47:07 +0000 | [diff] [blame] | 122 | if (!fileexists(caDefault.buf)) |
| 123 | x509ca.setDefaultStr(strdup(caDefault.buf)); |
| 124 | if (!fileexists(crlDefault.buf)) |
| 125 | x509crl.setDefaultStr(strdup(crlDefault.buf)); |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 126 | } |
| 127 | |
Adam Tkac | 44cdb13 | 2011-02-09 14:09:10 +0000 | [diff] [blame] | 128 | void CSecurityTLS::shutdown(bool needbye) |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 129 | { |
Adam Tkac | 44cdb13 | 2011-02-09 14:09:10 +0000 | [diff] [blame] | 130 | if (session && needbye) |
Adam Tkac | 6948ead | 2010-08-11 15:58:59 +0000 | [diff] [blame] | 131 | if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) |
Adam Tkac | 44cdb13 | 2011-02-09 14:09:10 +0000 | [diff] [blame] | 132 | vlog.error("gnutls_bye failed"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 133 | |
| 134 | if (anon_cred) { |
| 135 | gnutls_anon_free_client_credentials(anon_cred); |
| 136 | anon_cred = 0; |
| 137 | } |
| 138 | |
| 139 | if (cert_cred) { |
| 140 | gnutls_certificate_free_credentials(cert_cred); |
| 141 | cert_cred = 0; |
| 142 | } |
| 143 | |
| 144 | if (session) { |
| 145 | gnutls_deinit(session); |
| 146 | session = 0; |
| 147 | |
| 148 | gnutls_global_deinit(); |
| 149 | } |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 150 | } |
| 151 | |
| 152 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 153 | CSecurityTLS::~CSecurityTLS() |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 154 | { |
Adam Tkac | 44cdb13 | 2011-02-09 14:09:10 +0000 | [diff] [blame] | 155 | shutdown(true); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 156 | |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 157 | if (fis) |
| 158 | delete fis; |
| 159 | if (fos) |
| 160 | delete fos; |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 161 | |
| 162 | delete[] cafile; |
| 163 | delete[] crlfile; |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 164 | } |
| 165 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 166 | bool CSecurityTLS::processMsg(CConnection* cc) |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 167 | { |
| 168 | rdr::InStream* is = cc->getInStream(); |
| 169 | rdr::OutStream* os = cc->getOutStream(); |
| 170 | client = cc; |
| 171 | |
| 172 | initGlobal(); |
| 173 | |
| 174 | if (!session) { |
| 175 | if (!is->checkNoWait(1)) |
| 176 | return false; |
| 177 | |
| 178 | if (is->readU8() == 0) |
| 179 | return true; |
| 180 | |
Adam Tkac | 6948ead | 2010-08-11 15:58:59 +0000 | [diff] [blame] | 181 | if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS) |
| 182 | throw AuthFailureException("gnutls_init failed"); |
| 183 | |
| 184 | if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS) |
| 185 | throw AuthFailureException("gnutls_set_default_priority failed"); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 186 | |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 187 | setParam(); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 188 | |
| 189 | gnutls_transport_set_pull_function(session, rdr::gnutls_InStream_pull); |
| 190 | gnutls_transport_set_push_function(session, rdr::gnutls_OutStream_push); |
| 191 | gnutls_transport_set_ptr2(session, |
| 192 | (gnutls_transport_ptr) is, |
| 193 | (gnutls_transport_ptr) os); |
| 194 | } |
| 195 | |
| 196 | int err; |
| 197 | err = gnutls_handshake(session); |
| 198 | if (err != GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(err)) |
| 199 | return false; |
| 200 | |
| 201 | if (err != GNUTLS_E_SUCCESS) { |
| 202 | vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err)); |
Adam Tkac | 44cdb13 | 2011-02-09 14:09:10 +0000 | [diff] [blame] | 203 | shutdown(false); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 204 | throw AuthFailureException("TLS Handshake failed"); |
| 205 | } |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 206 | |
| 207 | checkSession(); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 208 | |
| 209 | cc->setStreams(fis = new rdr::TLSInStream(is, session), |
| 210 | fos = new rdr::TLSOutStream(os, session)); |
| 211 | |
| 212 | return true; |
| 213 | } |
| 214 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 215 | void CSecurityTLS::setParam() |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 216 | { |
| 217 | static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; |
| 218 | static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, |
| 219 | GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; |
| 220 | |
| 221 | if (anon) { |
Adam Tkac | 6948ead | 2010-08-11 15:58:59 +0000 | [diff] [blame] | 222 | if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) |
| 223 | throw AuthFailureException("gnutls_kx_set_priority failed"); |
| 224 | |
| 225 | if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) |
| 226 | throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); |
| 227 | |
| 228 | if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS) |
| 229 | throw AuthFailureException("gnutls_credentials_set failed"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 230 | |
| 231 | vlog.debug("Anonymous session has been set"); |
| 232 | } else { |
Adam Tkac | 6948ead | 2010-08-11 15:58:59 +0000 | [diff] [blame] | 233 | if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) |
| 234 | throw AuthFailureException("gnutls_kx_set_priority failed"); |
| 235 | |
| 236 | if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) |
| 237 | throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 238 | |
| 239 | if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0) |
| 240 | throw AuthFailureException("load of CA cert failed"); |
| 241 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 242 | /* Load previously saved certs */ |
| 243 | char *homeDir = NULL; |
| 244 | int err; |
| 245 | if (getvnchomedir(&homeDir) == -1) |
| 246 | vlog.error("Could not obtain VNC home directory path"); |
| 247 | else { |
| 248 | CharArray caSave(strlen(homeDir) + 19 + 1); |
| 249 | sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir); |
| 250 | delete [] homeDir; |
| 251 | |
| 252 | err = gnutls_certificate_set_x509_trust_file(cert_cred, caSave.buf, |
| 253 | GNUTLS_X509_FMT_PEM); |
| 254 | if (err < 0) |
| 255 | vlog.debug("Failed to load saved server certificates from %s", caSave.buf); |
| 256 | } |
| 257 | |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 258 | if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0) |
| 259 | throw AuthFailureException("load of CRL failed"); |
| 260 | |
Adam Tkac | 6948ead | 2010-08-11 15:58:59 +0000 | [diff] [blame] | 261 | if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) != GNUTLS_E_SUCCESS) |
| 262 | throw AuthFailureException("gnutls_credentials_set failed"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 263 | |
| 264 | vlog.debug("X509 session has been set"); |
| 265 | } |
| 266 | } |
| 267 | |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 268 | void CSecurityTLS::checkSession() |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 269 | { |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 270 | const unsigned allowed_errors = GNUTLS_CERT_INVALID | |
| 271 | GNUTLS_CERT_SIGNER_NOT_FOUND | |
| 272 | GNUTLS_CERT_SIGNER_NOT_CA; |
| 273 | unsigned int status; |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 274 | const gnutls_datum *cert_list; |
| 275 | unsigned int cert_list_size = 0; |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 276 | int err; |
DRC | ff1e1ff | 2011-02-08 23:43:55 +0000 | [diff] [blame] | 277 | gnutls_datum info; |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 278 | |
| 279 | if (anon) |
| 280 | return; |
| 281 | |
| 282 | if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) |
| 283 | throw AuthFailureException("unsupported certificate type"); |
| 284 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 285 | err = gnutls_certificate_verify_peers2(session, &status); |
| 286 | if (err != 0) { |
| 287 | vlog.error("server certificate verification failed: %s", gnutls_strerror(err)); |
| 288 | throw AuthFailureException("server certificate verification failed"); |
| 289 | } |
| 290 | |
| 291 | if (status & GNUTLS_CERT_REVOKED) |
| 292 | throw AuthFailureException("server certificate has been revoked"); |
| 293 | |
Adam Tkac | 68481c1 | 2011-02-09 14:15:09 +0000 | [diff] [blame] | 294 | #ifndef WITHOUT_X509_TIMES |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 295 | if (status & GNUTLS_CERT_NOT_ACTIVATED) |
| 296 | throw AuthFailureException("server certificate has not been activated"); |
| 297 | |
| 298 | if (status & GNUTLS_CERT_EXPIRED) { |
| 299 | vlog.debug("server certificate has expired"); |
| 300 | if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate has expired", |
| 301 | "The certificate of the server has expired, " |
| 302 | "do you want to continue?")) |
| 303 | throw AuthFailureException("server certificate has expired"); |
| 304 | } |
Adam Tkac | 68481c1 | 2011-02-09 14:15:09 +0000 | [diff] [blame] | 305 | #endif |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 306 | /* Process other errors later */ |
| 307 | |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 308 | cert_list = gnutls_certificate_get_peers(session, &cert_list_size); |
| 309 | if (!cert_list_size) |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 310 | throw AuthFailureException("empty certificate chain"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 311 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 312 | /* Process only server's certificate, not issuer's certificate */ |
| 313 | gnutls_x509_crt crt; |
| 314 | gnutls_x509_crt_init(&crt); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 315 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 316 | if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) |
| 317 | throw AuthFailureException("decoding of certificate failed"); |
| 318 | |
| 319 | if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) { |
| 320 | char buf[255]; |
| 321 | vlog.debug("hostname mismatch"); |
| 322 | snprintf(buf, sizeof(buf), "Hostname (%s) does not match any certificate, " |
| 323 | "do you want to continue?", client->getServerName()); |
| 324 | buf[sizeof(buf) - 1] = '\0'; |
| 325 | if (!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf)) |
| 326 | throw AuthFailureException("hostname mismatch"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 327 | } |
| 328 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 329 | if (status == 0) { |
| 330 | /* Everything is fine (hostname + verification) */ |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 331 | gnutls_x509_crt_deinit(crt); |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 332 | return; |
| 333 | } |
| 334 | |
| 335 | if (status & GNUTLS_CERT_INVALID) |
| 336 | vlog.debug("server certificate invalid"); |
| 337 | if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) |
| 338 | vlog.debug("server cert signer not found"); |
| 339 | if (status & GNUTLS_CERT_SIGNER_NOT_CA) |
| 340 | vlog.debug("server cert signer not CA"); |
| 341 | |
| 342 | if ((status & (~allowed_errors)) != 0) { |
| 343 | /* No other errors are allowed */ |
| 344 | vlog.debug("GNUTLS status of certificate verification: %u", status); |
| 345 | throw AuthFailureException("Invalid status of server certificate verification"); |
| 346 | } |
| 347 | |
| 348 | vlog.debug("Saved server certificates don't match"); |
| 349 | |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 350 | if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) { |
Adam Tkac | 5d4c6ac | 2011-01-19 14:06:48 +0000 | [diff] [blame] | 351 | /* |
| 352 | * GNUTLS doesn't correctly export gnutls_free symbol which is |
| 353 | * a function pointer. Linking with Visual Studio 2008 Express will |
| 354 | * fail when you call gnutls_free(). |
| 355 | */ |
| 356 | #if WIN32 |
| 357 | free(info.data); |
| 358 | #else |
Adam Tkac | 27b2f77 | 2010-11-18 13:33:57 +0000 | [diff] [blame] | 359 | gnutls_free(info.data); |
Adam Tkac | 5d4c6ac | 2011-01-19 14:06:48 +0000 | [diff] [blame] | 360 | #endif |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 361 | throw AuthFailureException("Could not find certificate to display"); |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 362 | } |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 363 | |
Adam Tkac | 68481c1 | 2011-02-09 14:15:09 +0000 | [diff] [blame] | 364 | size_t out_size = 0; |
Adam Tkac | e32573a | 2011-02-09 14:13:41 +0000 | [diff] [blame] | 365 | char *out_buf = NULL; |
| 366 | char *certinfo = NULL; |
| 367 | int len = 0; |
| 368 | |
| 369 | vlog.debug("certificate issuer unknown"); |
| 370 | |
| 371 | len = snprintf(NULL, 0, "This certificate has been signed by an unknown " |
| 372 | "authority:\n\n%s\n\nDo you want to save it and " |
| 373 | "continue?\n ", info.data); |
| 374 | if (len < 0) |
| 375 | AuthFailureException("certificate decoding error"); |
| 376 | |
| 377 | vlog.debug("%s", info.data); |
| 378 | |
| 379 | certinfo = new char[len]; |
| 380 | if (certinfo == NULL) |
| 381 | throw AuthFailureException("Out of memory"); |
| 382 | |
| 383 | snprintf(certinfo, len, "This certificate has been signed by an unknown " |
| 384 | "authority:\n\n%s\n\nDo you want to save it and " |
| 385 | "continue? ", info.data); |
| 386 | |
| 387 | for (int i = 0; i < len - 1; i++) |
| 388 | if (certinfo[i] == ',' && certinfo[i + 1] == ' ') |
| 389 | certinfo[i] = '\n'; |
| 390 | |
| 391 | if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown", |
| 392 | certinfo)) { |
| 393 | delete [] certinfo; |
| 394 | throw AuthFailureException("certificate issuer unknown"); |
| 395 | } |
| 396 | |
| 397 | delete [] certinfo; |
| 398 | |
| 399 | if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size) |
| 400 | == GNUTLS_E_SHORT_MEMORY_BUFFER) |
| 401 | AuthFailureException("Out of memory"); |
| 402 | |
| 403 | // Save cert |
| 404 | out_buf = new char[out_size]; |
| 405 | if (out_buf == NULL) |
| 406 | AuthFailureException("Out of memory"); |
| 407 | |
| 408 | if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size) < 0) |
| 409 | AuthFailureException("certificate issuer unknown, and certificate " |
| 410 | "export failed"); |
| 411 | |
| 412 | char *homeDir = NULL; |
| 413 | if (getvnchomedir(&homeDir) == -1) |
| 414 | vlog.error("Could not obtain VNC home directory path"); |
| 415 | else { |
| 416 | FILE *f; |
| 417 | CharArray caSave(strlen(homeDir) + 1 + 19); |
| 418 | sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir); |
| 419 | delete [] homeDir; |
| 420 | f = fopen(caSave.buf, "a+"); |
| 421 | if (!f) |
| 422 | msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed", |
| 423 | "Could not save the certificate"); |
| 424 | else { |
| 425 | fprintf(f, "%s\n", out_buf); |
| 426 | fclose(f); |
| 427 | } |
| 428 | } |
| 429 | |
| 430 | delete [] out_buf; |
| 431 | |
| 432 | gnutls_x509_crt_deinit(crt); |
| 433 | /* |
| 434 | * GNUTLS doesn't correctly export gnutls_free symbol which is |
| 435 | * a function pointer. Linking with Visual Studio 2008 Express will |
| 436 | * fail when you call gnutls_free(). |
| 437 | */ |
| 438 | #if WIN32 |
| 439 | free(info.data); |
| 440 | #else |
| 441 | gnutls_free(info.data); |
| 442 | #endif |
Adam Tkac | 0e61c34 | 2010-07-21 09:23:25 +0000 | [diff] [blame] | 443 | } |
| 444 | |