authorsimon <root@simon.home>2017-04-20 21:08:23 +0100
committersimon <root@simon.home>2017-04-20 21:08:23 +0100
commit6c312aaf5be2e1db3bb414d430ab9338d4efced6 (patch)
tree0a425c051765728cb4fb53b9b180f5df5f97b6de /libvncclient/tls_gnutls.c
parentfc2899af7a3b402d5c689b0cc8527f965875b9e0 (diff)
downloadlibtdevnc-6c312aaf5be2e1db3bb414d430ab9338d4efced6.tar.gz
libtdevnc-6c312aaf5be2e1db3bb414d430ab9338d4efced6.zip
Added support for X509 server certificate verification as part of the handshake process.
Diffstat (limited to 'libvncclient/tls_gnutls.c')
-rw-r--r--libvncclient/tls_gnutls.c25
1 files changed, 22 insertions, 3 deletions
diff --git a/libvncclient/tls_gnutls.c b/libvncclient/tls_gnutls.c
index b9ffe89..4a798f4 100644
--- a/libvncclient/tls_gnutls.c
+++ b/libvncclient/tls_gnutls.c
@@ -170,7 +170,7 @@ InitializeTLSSession(rfbClient* client, rfbBool anonTLS)
static rfbBool
SetTLSAnonCredential(rfbClient* client)
{
- gnutls_anon_client_credentials anonCred;
+ gnutls_anon_client_credentials_t anonCred;
int ret;
if ((ret = gnutls_anon_allocate_client_credentials(&anonCred)) < 0 ||
@@ -200,6 +200,21 @@ HandshakeTLS(rfbClient* client)
continue;
}
rfbClientLog("TLS handshake failed: %s.\n", gnutls_strerror(ret));
+ if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
+ gnutls_datum_t out;
+ unsigned status;
+ int type;
+
+ type = gnutls_certificate_type_get((gnutls_session_t)client->tlsSession);
+ status = gnutls_session_get_verify_cert_status((gnutls_session_t)client->tlsSession);
+
+ if (gnutls_certificate_verification_status_print(status, type, &out, 0))
+ rfbClientLog("Certificate verification failed but could not determine reason");
+ else {
+ rfbClientLog("Certificate verification failed: %s\n", out.data);
+ gnutls_free(out.data);
+ }
+ }
FreeTLS(client);
return FALSE;
}
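Review bot: The fallback message on the `gnutls_certificate_verification_status_print` failure path is the only rfbClientLog call in this hunk without a trailing newline, so the next log line is glued onto it; use `rfbClientLog("Certificate verification failed but could not determine reason.\n");`. `type` is declared `int` although `gnutls_certificate_type_get` returns `gnutls_certificate_type_t` and the print function takes that enum back, so declaring it `gnutls_certificate_type_t type;` avoids the implicit round-trip conversion. Printing `out.data` with `%s` relies on GnuTLS returning a NUL-terminated datum, which its documentation states for this call, so that part looks fine. The HandshakeTLS body this sits in starts before this hunk.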
@@ -212,6 +227,11 @@ HandshakeTLS(rfbClient* client)
}
rfbClientLog("TLS handshake done.\n");
+ char *desc;
+ desc = gnutls_session_get_desc((gnutls_session_t)client->tlsSession);
+ rfbClientLog("Session info: %s\n", desc);
+ gnutls_free(desc);
+
return TRUE;
}
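Review bot: `desc` from `gnutls_session_get_desc` is passed straight to `%s` and then to `gnutls_free` without a NULL check; if the library cannot allocate the description it presumably returns NULL (confirm against the GnuTLS release the project targets), and passing NULL through `%s` is undefined behaviour. A guard `if (desc) { rfbClientLog("Session info: %s\n", desc); gnutls_free(desc); }` costs one line and the free is then also skipped on the failure path. `char *desc;` placed after an executable statement is a C99 mixed declaration; if the rest of this file keeps locals at block start, move it up with the other declarations. The enclosing HandshakeTLS starts before this hunk.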
@@ -455,12 +475,11 @@ HandleVeNCryptAuth(rfbClient* client)
FreeTLS(client);
return FALSE;
}
+ gnutls_session_set_verify_cert((gnutls_session_t)client->tlsSession, client->serverHost, 0);
}
if (!HandshakeTLS(client)) return FALSE;
- /* TODO: validate certificate */
-
/* We are done here. The caller should continue with client->subAuthScheme
* to do actual sub authentication.
*/
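Review bot: `gnutls_session_set_verify_cert` is passed `client->serverHost` with flags 0, and GnuTLS documents that a NULL hostname disables hostname matching, so when serverHost is unset any chain signed by a trusted CA would be accepted for this connection; a check such as `if (!client->serverHost) rfbClientLog("Server host name unknown; certificate host name will not be verified.\n");` before the call makes that case visible. Verification only rejects peers meaningfully when the X509 credentials attached to the session carry a trust store (system trust or a CA file); that setup is outside this hunk, so confirm the X509 branch loads one, since without it every chain fails with signer-not-found and the new GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR path fires on every connection. `gnutls_session_set_verify_cert` appeared in GnuTLS 3.4.6, so a build-time check is needed if older releases are still supported. HandleVeNCryptAuth starts before this hunk and continues past it.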