diff options
| author | simon <root@simon.home> | 2017-04-20 21:08:23 +0100 |
|---|---|---|
| committer | simon <root@simon.home> | 2017-04-20 21:08:23 +0100 |
| commit | 6c312aaf5be2e1db3bb414d430ab9338d4efced6 (patch) | |
| tree | 0a425c051765728cb4fb53b9b180f5df5f97b6de /libvncclient | |
| parent | fc2899af7a3b402d5c689b0cc8527f965875b9e0 (diff) | |
| download | libtdevnc-6c312aaf5be2e1db3bb414d430ab9338d4efced6.tar.gz libtdevnc-6c312aaf5be2e1db3bb414d430ab9338d4efced6.zip | |
Added support for X509 server certificate verification as part of the handshake process.
Diffstat (limited to 'libvncclient')
| -rw-r--r-- | libvncclient/tls_gnutls.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/libvncclient/tls_gnutls.c b/libvncclient/tls_gnutls.c index b9ffe89..4a798f4 100644 --- a/libvncclient/tls_gnutls.c +++ b/libvncclient/tls_gnutls.c @@ -170,7 +170,7 @@ InitializeTLSSession(rfbClient* client, rfbBool anonTLS) static rfbBool SetTLSAnonCredential(rfbClient* client) { - gnutls_anon_client_credentials anonCred; + gnutls_anon_client_credentials_t anonCred; int ret; if ((ret = gnutls_anon_allocate_client_credentials(&anonCred)) < 0 || @@ -200,6 +200,21 @@ HandshakeTLS(rfbClient* client) continue; } rfbClientLog("TLS handshake failed: %s.\n", gnutls_strerror(ret)); + if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) { + gnutls_datum_t out; + unsigned status; + int type; + + type = gnutls_certificate_type_get((gnutls_session_t)client->tlsSession); + status = gnutls_session_get_verify_cert_status((gnutls_session_t)client->tlsSession); + + if (gnutls_certificate_verification_status_print(status, type, &out, 0)) + rfbClientLog("Certificate verification failed but could not determine reason"); + else { + rfbClientLog("Certificate verification failed: %s\n", out.data); + gnutls_free(out.data); + } + } FreeTLS(client); return FALSE; } @@ -212,6 +227,11 @@ HandshakeTLS(rfbClient* client) } rfbClientLog("TLS handshake done.\n"); + char *desc; + desc = gnutls_session_get_desc((gnutls_session_t)client->tlsSession); + rfbClientLog("Session info: %s\n", desc); + gnutls_free(desc); + return TRUE; } @@ -455,12 +475,11 @@ HandleVeNCryptAuth(rfbClient* client) FreeTLS(client); return FALSE; } + gnutls_session_set_verify_cert((gnutls_session_t)client->tlsSession, client->serverHost, 0); } if (!HandshakeTLS(client)) return FALSE; - /* TODO: validate certificate */ - /* We are done here. The caller should continue with client->subAuthScheme * to do actual sub authentication. */ |