Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / 3d2a84b9ea0c9428e8335b1a22d7e8263742cda0 / . / common / rfb / CSecurityTLS.cxx
blob: 30de37e5d34b8dbd5622bcd2b15d37b2b0baa726 [file] [log] [blame]
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]1/*
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]5 * Copyright (C) 2010 m-privacy GmbH
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]6 *
7 * This is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this software; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
20 * USA.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include <config.h>
25#endif
26
Adam Tkac43958232010-07-21 09:06:59 +0000[diff] [blame]27#ifndef HAVE_GNUTLS
28#error "This header should not be compiled without HAVE_GNUTLS defined"
29#endif
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]30
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]31#include <stdlib.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]32#ifndef WIN32
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]33#include <unistd.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]34#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]35
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]36#include <rfb/CSecurityTLS.h>
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]37#include <rfb/SSecurityVeNCrypt.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]38#include <rfb/CConnection.h>
39#include <rfb/LogWriter.h>
40#include <rfb/Exception.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]41#include <rfb/UserMsgBox.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]42#include <rdr/TLSInStream.h>
43#include <rdr/TLSOutStream.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]44#include <os/os.h>
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]45#include <os/tls.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]46
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]47#include <gnutls/x509.h>
48
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]49/*
50 * GNUTLS 2.6.5 and older didn't have some variables defined so don't use them.
51 * GNUTLS 1.X.X defined LIBGNUTLS_VERSION_NUMBER so treat it as "old" gnutls as
52 * well
53 */
54#if (defined(GNUTLS_VERSION_NUMBER) && GNUTLS_VERSION_NUMBER < 0x020606) || \
55 defined(LIBGNUTLS_VERSION_NUMBER)
56#define WITHOUT_X509_TIMES
DRCb7ab54f2011-02-09 03:27:26 +0000[diff] [blame]57#endif
58
Adam Tkacb4864232011-02-09 15:38:37 +0000[diff] [blame]59/* Ancient GNUTLS... */
60#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
61#define WITHOUT_X509_TIMES
62#endif
63
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]64using namespace rfb;
65
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame^]66StringParameter CSecurityTLS::X509CA("X509CA", "X509 CA certificate", "", ConfViewer);
67StringParameter CSecurityTLS::X509CRL("X509CRL", "X509 CRL file", "", ConfViewer);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]68
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]69static LogWriter vlog("TLS");
Adam Tkac348269d2011-02-18 10:54:11 +0000[diff] [blame]70static LogWriter vlog_raw("RawTLS");
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]71
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]72static void debug_log(int level, const char* str)
73{
Pierre Ossmanad8609a2012-04-26 09:04:14 +0000[diff] [blame]74 vlog_raw.debug("[%d]: %s", level, str);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]75}
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]76
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]77void CSecurityTLS::initGlobal()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]78{
79 static bool globalInitDone = false;
80
81 if (!globalInitDone) {
82 gnutls_global_init();
83
Adam Tkac348269d2011-02-18 10:54:11 +0000[diff] [blame]84 /* 100 means debug log */
85 if (vlog_raw.getLevel() >= 100) {
86 gnutls_global_set_log_level(10);
87 gnutls_global_set_log_function(debug_log);
88 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]89
90 globalInitDone = true;
91 }
92}
93
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]94CSecurityTLS::CSecurityTLS(bool _anon) : session(0), anon_cred(0),
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]95 anon(_anon), fis(0), fos(0)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]96{
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame^]97 cafile = X509CA.getData();
98 crlfile = X509CRL.getData();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]99}
100
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]101void CSecurityTLS::setDefaults()
102{
103 char* homeDir = NULL;
104
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]105 if (getvnchomedir(&homeDir) == -1) {
106 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]107 return;
108 }
109
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]110 int len = strlen(homeDir) + 1;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]111 CharArray caDefault(len + 11);
112 CharArray crlDefault(len + 12);
113 sprintf(caDefault.buf, "%sx509_ca.pem", homeDir);
114 sprintf(crlDefault.buf, "%s509_crl.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]115 delete [] homeDir;
116
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]117 if (!fileexists(caDefault.buf))
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame^]118 X509CA.setDefaultStr(strdup(caDefault.buf));
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]119 if (!fileexists(crlDefault.buf))
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame^]120 X509CRL.setDefaultStr(strdup(crlDefault.buf));
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]121}
122
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]123void CSecurityTLS::shutdown(bool needbye)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]124{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]125 if (session && needbye)
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]126 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS)
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]127 vlog.error("gnutls_bye failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]128
129 if (anon_cred) {
130 gnutls_anon_free_client_credentials(anon_cred);
131 anon_cred = 0;
132 }
133
134 if (cert_cred) {
135 gnutls_certificate_free_credentials(cert_cred);
136 cert_cred = 0;
137 }
138
139 if (session) {
140 gnutls_deinit(session);
141 session = 0;
142
143 gnutls_global_deinit();
144 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]145}
146
147
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]148CSecurityTLS::~CSecurityTLS()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]149{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]150 shutdown(true);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]151
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]152 if (fis)
153 delete fis;
154 if (fos)
155 delete fos;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]156
157 delete[] cafile;
158 delete[] crlfile;
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]159}
160
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]161bool CSecurityTLS::processMsg(CConnection* cc)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]162{
163 rdr::InStream* is = cc->getInStream();
164 rdr::OutStream* os = cc->getOutStream();
165 client = cc;
166
167 initGlobal();
168
169 if (!session) {
170 if (!is->checkNoWait(1))
171 return false;
172
Adam Tkacce6c8b02011-05-10 08:54:57 +0000[diff] [blame]173 if (is->readU8() == 0) {
174 rdr::U32 result = is->readU32();
175 CharArray reason;
176 if (result == secResultFailed || result == secResultTooMany)
177 reason.buf = is->readString();
178 else
179 reason.buf = strDup("Authentication failure (protocol error)");
180 throw AuthFailureException(reason.buf);
181 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]182
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]183 if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
184 throw AuthFailureException("gnutls_init failed");
185
186 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
187 throw AuthFailureException("gnutls_set_default_priority failed");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]188
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]189 setParam();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]190 }
191
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]192 rdr::TLSInStream *tlsis = new rdr::TLSInStream(is, session);
193 rdr::TLSOutStream *tlsos = new rdr::TLSOutStream(os, session);
194
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]195 int err;
196 err = gnutls_handshake(session);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]197 if (err != GNUTLS_E_SUCCESS) {
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]198 delete tlsis;
199 delete tlsos;
200
201 if (!gnutls_error_is_fatal(err))
202 return false;
203
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]204 vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err));
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame]205 shutdown(false);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]206 throw AuthFailureException("TLS Handshake failed");
207 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]208
209 checkSession();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]210
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]211 cc->setStreams(fis = tlsis, fos = tlsos);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]212
213 return true;
214}
215
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]216void CSecurityTLS::setParam()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]217{
218 static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
219 static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
220 GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
221
222 if (anon) {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]223 if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
224 throw AuthFailureException("gnutls_kx_set_priority failed");
225
226 if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
227 throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
228
229 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS)
230 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]231
232 vlog.debug("Anonymous session has been set");
233 } else {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]234 if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
235 throw AuthFailureException("gnutls_kx_set_priority failed");
236
237 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
238 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]239
240 if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0)
241 throw AuthFailureException("load of CA cert failed");
242
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]243 /* Load previously saved certs */
244 char *homeDir = NULL;
245 int err;
246 if (getvnchomedir(&homeDir) == -1)
247 vlog.error("Could not obtain VNC home directory path");
248 else {
249 CharArray caSave(strlen(homeDir) + 19 + 1);
250 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
251 delete [] homeDir;
252
253 err = gnutls_certificate_set_x509_trust_file(cert_cred, caSave.buf,
254 GNUTLS_X509_FMT_PEM);
255 if (err < 0)
256 vlog.debug("Failed to load saved server certificates from %s", caSave.buf);
257 }
258
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]259 if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0)
260 throw AuthFailureException("load of CRL failed");
261
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]262 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) != GNUTLS_E_SUCCESS)
263 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]264
265 vlog.debug("X509 session has been set");
266 }
267}
268
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]269void CSecurityTLS::checkSession()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]270{
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]271 const unsigned allowed_errors = GNUTLS_CERT_INVALID |
272 GNUTLS_CERT_SIGNER_NOT_FOUND |
273 GNUTLS_CERT_SIGNER_NOT_CA;
274 unsigned int status;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]275 const gnutls_datum *cert_list;
276 unsigned int cert_list_size = 0;
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]277 int err;
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]278 gnutls_datum info;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]279
280 if (anon)
281 return;
282
283 if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
284 throw AuthFailureException("unsupported certificate type");
285
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]286 err = gnutls_certificate_verify_peers2(session, &status);
287 if (err != 0) {
288 vlog.error("server certificate verification failed: %s", gnutls_strerror(err));
289 throw AuthFailureException("server certificate verification failed");
290 }
291
292 if (status & GNUTLS_CERT_REVOKED)
293 throw AuthFailureException("server certificate has been revoked");
294
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]295#ifndef WITHOUT_X509_TIMES
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]296 if (status & GNUTLS_CERT_NOT_ACTIVATED)
297 throw AuthFailureException("server certificate has not been activated");
298
299 if (status & GNUTLS_CERT_EXPIRED) {
300 vlog.debug("server certificate has expired");
301 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate has expired",
302 "The certificate of the server has expired, "
303 "do you want to continue?"))
304 throw AuthFailureException("server certificate has expired");
305 }
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]306#endif
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]307 /* Process other errors later */
308
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]309 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
310 if (!cert_list_size)
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]311 throw AuthFailureException("empty certificate chain");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]312
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]313 /* Process only server's certificate, not issuer's certificate */
314 gnutls_x509_crt crt;
315 gnutls_x509_crt_init(&crt);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]316
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]317 if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
318 throw AuthFailureException("decoding of certificate failed");
319
320 if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
321 char buf[255];
322 vlog.debug("hostname mismatch");
323 snprintf(buf, sizeof(buf), "Hostname (%s) does not match any certificate, "
324 "do you want to continue?", client->getServerName());
325 buf[sizeof(buf) - 1] = '\0';
326 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf))
327 throw AuthFailureException("hostname mismatch");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]328 }
329
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]330 if (status == 0) {
331 /* Everything is fine (hostname + verification) */
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]332 gnutls_x509_crt_deinit(crt);
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]333 return;
334 }
335
336 if (status & GNUTLS_CERT_INVALID)
337 vlog.debug("server certificate invalid");
338 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
339 vlog.debug("server cert signer not found");
340 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
341 vlog.debug("server cert signer not CA");
342
343 if ((status & (~allowed_errors)) != 0) {
344 /* No other errors are allowed */
345 vlog.debug("GNUTLS status of certificate verification: %u", status);
346 throw AuthFailureException("Invalid status of server certificate verification");
347 }
348
349 vlog.debug("Saved server certificates don't match");
350
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]351 if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) {
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]352 /*
353 * GNUTLS doesn't correctly export gnutls_free symbol which is
354 * a function pointer. Linking with Visual Studio 2008 Express will
355 * fail when you call gnutls_free().
356 */
357#if WIN32
358 free(info.data);
359#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]360 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]361#endif
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]362 throw AuthFailureException("Could not find certificate to display");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]363 }
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]364
Adam Tkac68481c12011-02-09 14:15:09 +0000[diff] [blame]365 size_t out_size = 0;
Adam Tkace32573a2011-02-09 14:13:41 +0000[diff] [blame]366 char *out_buf = NULL;
367 char *certinfo = NULL;
368 int len = 0;
369
370 vlog.debug("certificate issuer unknown");
371
372 len = snprintf(NULL, 0, "This certificate has been signed by an unknown "
373 "authority:\n\n%s\n\nDo you want to save it and "
374 "continue?\n ", info.data);
375 if (len < 0)
376 AuthFailureException("certificate decoding error");
377
378 vlog.debug("%s", info.data);
379
380 certinfo = new char[len];
381 if (certinfo == NULL)
382 throw AuthFailureException("Out of memory");
383
384 snprintf(certinfo, len, "This certificate has been signed by an unknown "
385 "authority:\n\n%s\n\nDo you want to save it and "
386 "continue? ", info.data);
387
388 for (int i = 0; i < len - 1; i++)
389 if (certinfo[i] == ',' && certinfo[i + 1] == ' ')
390 certinfo[i] = '\n';
391
392 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown",
393 certinfo)) {
394 delete [] certinfo;
395 throw AuthFailureException("certificate issuer unknown");
396 }
397
398 delete [] certinfo;
399
400 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
401 == GNUTLS_E_SHORT_MEMORY_BUFFER)
402 AuthFailureException("Out of memory");
403
404 // Save cert
405 out_buf = new char[out_size];
406 if (out_buf == NULL)
407 AuthFailureException("Out of memory");
408
409 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size) < 0)
410 AuthFailureException("certificate issuer unknown, and certificate "
411 "export failed");
412
413 char *homeDir = NULL;
414 if (getvnchomedir(&homeDir) == -1)
415 vlog.error("Could not obtain VNC home directory path");
416 else {
417 FILE *f;
418 CharArray caSave(strlen(homeDir) + 1 + 19);
419 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
420 delete [] homeDir;
421 f = fopen(caSave.buf, "a+");
422 if (!f)
423 msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed",
424 "Could not save the certificate");
425 else {
426 fprintf(f, "%s\n", out_buf);
427 fclose(f);
428 }
429 }
430
431 delete [] out_buf;
432
433 gnutls_x509_crt_deinit(crt);
434 /*
435 * GNUTLS doesn't correctly export gnutls_free symbol which is
436 * a function pointer. Linking with Visual Studio 2008 Express will
437 * fail when you call gnutls_free().
438 */
439#if WIN32
440 free(info.data);
441#else
442 gnutls_free(info.data);
443#endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]444}
445