Added support for X509 server certificate verification as part of the handshake process.

pull/3/head
simon 8 years ago
parent fc2899af7a
commit 6c312aaf5b

@ -170,7 +170,7 @@ InitializeTLSSession(rfbClient* client, rfbBool anonTLS)
static rfbBool static rfbBool
SetTLSAnonCredential(rfbClient* client) SetTLSAnonCredential(rfbClient* client)
{ {
gnutls_anon_client_credentials anonCred; gnutls_anon_client_credentials_t anonCred;
int ret; int ret;
if ((ret = gnutls_anon_allocate_client_credentials(&anonCred)) < 0 || if ((ret = gnutls_anon_allocate_client_credentials(&anonCred)) < 0 ||
@ -200,6 +200,21 @@ HandshakeTLS(rfbClient* client)
continue; continue;
} }
rfbClientLog("TLS handshake failed: %s.\n", gnutls_strerror(ret)); rfbClientLog("TLS handshake failed: %s.\n", gnutls_strerror(ret));
if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
gnutls_datum_t out;
unsigned status;
int type;
type = gnutls_certificate_type_get((gnutls_session_t)client->tlsSession);
status = gnutls_session_get_verify_cert_status((gnutls_session_t)client->tlsSession);
if (gnutls_certificate_verification_status_print(status, type, &out, 0))
rfbClientLog("Certificate verification failed but could not determine reason");
else {
rfbClientLog("Certificate verification failed: %s\n", out.data);
gnutls_free(out.data);
}
}
FreeTLS(client); FreeTLS(client);
return FALSE; return FALSE;
} }
@ -212,6 +227,11 @@ HandshakeTLS(rfbClient* client)
} }
rfbClientLog("TLS handshake done.\n"); rfbClientLog("TLS handshake done.\n");
char *desc;
desc = gnutls_session_get_desc((gnutls_session_t)client->tlsSession);
rfbClientLog("Session info: %s\n", desc);
gnutls_free(desc);
return TRUE; return TRUE;
} }
@ -455,12 +475,11 @@ HandleVeNCryptAuth(rfbClient* client)
FreeTLS(client); FreeTLS(client);
return FALSE; return FALSE;
} }
gnutls_session_set_verify_cert((gnutls_session_t)client->tlsSession, client->serverHost, 0);
} }
if (!HandshakeTLS(client)) return FALSE; if (!HandshakeTLS(client)) return FALSE;
/* TODO: validate certificate */
/* We are done here. The caller should continue with client->subAuthScheme /* We are done here. The caller should continue with client->subAuthScheme
* to do actual sub authentication. * to do actual sub authentication.
*/ */
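Review bot: In the third hunk, `gnutls_session_get_desc()` can return NULL on error, and that NULL is then passed to `%s` in `rfbClientLog("Session info: %s\n", desc)`, which is undefined behavior for printf-style formatting; guard it with `if (desc) { rfbClientLog("Session info: %s\n", desc); gnutls_free(desc); }`. In the second hunk the fallback message `"Certificate verification failed but could not determine reason"` lacks the trailing `\n` that every neighbouring rfbClientLog call has, so it runs into the next log line. The verification enabled by `gnutls_session_set_verify_cert()` in the last hunk can only succeed if the X.509 credential allocated outside this diff carries a trust list (for example via `gnutls_certificate_set_x509_system_trust()`); that is not visible here, so it is worth confirming and stating in a comment on that line which trust anchors the hostname-bound check relies on. HandshakeTLS's body begins above the second hunk, and HandleVeNCryptAuth in the last hunk starts and ends outside it.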
