From 2d5636e8c8dca77c0c52924eb931a79ccf731911 Mon Sep 17 00:00:00 2001 From: Pierre Ossman Date: Tue, 3 Sep 2024 08:07:11 +0200 Subject: [PATCH] Fix reporting of some TLS errors These functions return a GnuTLS status, so we should use the correct exception for that so we get the proper error messages. --- common/rfb/CSecurityTLS.cxx | 27 +++++++++++++++------------ common/rfb/SSecurityTLS.cxx | 15 +++++---------- 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx index eff215ab00..6eeb6a84d3 100644 --- a/common/rfb/CSecurityTLS.cxx +++ b/common/rfb/CSecurityTLS.cxx @@ -333,11 +333,12 @@ void CSecurityTLS::checkSession() if (fatal_status != 0) { std::string error; - if (gnutls_certificate_verification_status_print(fatal_status, - GNUTLS_CRT_X509, - &status_str, - 0) < 0) - throw Exception("Failed to get certificate error description"); + err = gnutls_certificate_verification_status_print(fatal_status, + GNUTLS_CRT_X509, + &status_str, + 0); + if (err != GNUTLS_E_SUCCESS) + throw rdr::TLSException("Failed to get certificate error description", err); error = (const char*)status_str.data; @@ -346,11 +347,12 @@ void CSecurityTLS::checkSession() throw Exception("Invalid server certificate: %s", error.c_str()); } - if (gnutls_certificate_verification_status_print(status, - GNUTLS_CRT_X509, - &status_str, - 0) < 0) - throw Exception("Failed to get certificate error description"); + err = gnutls_certificate_verification_status_print(status, + GNUTLS_CRT_X509, + &status_str, + 0); + if (err != GNUTLS_E_SUCCESS) + throw rdr::TLSException("Failed to get certificate error description", err); vlog.info("Server certificate errors: %s", status_str.data); @@ -367,8 +369,9 @@ void CSecurityTLS::checkSession() gnutls_x509_crt_t crt; gnutls_x509_crt_init(&crt); - if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) - throw Exception("decoding of certificate failed"); + err = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER); + if (err != GNUTLS_E_SUCCESS) + throw rdr::TLSException("Failed to decode server certificate", err); if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) { vlog.info("Server certificate doesn't match given server name"); diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx index 67dced6c0d..465126eb7e 100644 --- a/common/rfb/SSecurityTLS.cxx +++ b/common/rfb/SSecurityTLS.cxx @@ -299,16 +299,11 @@ void SSecurityTLS::setParams() gnutls_certificate_set_dh_params(cert_cred, dh_params); #endif - switch (gnutls_certificate_set_x509_key_file(cert_cred, X509_CertFile, X509_KeyFile, GNUTLS_X509_FMT_PEM)) { - case GNUTLS_E_SUCCESS: - break; - case GNUTLS_E_CERTIFICATE_KEY_MISMATCH: - throw Exception("Private key does not match certificate"); - case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE: - throw Exception("Unsupported certificate type"); - default: - throw Exception("Error loading X509 certificate or key"); - } + ret = gnutls_certificate_set_x509_key_file(cert_cred, X509_CertFile, + X509_KeyFile, + GNUTLS_X509_FMT_PEM); + if (ret != GNUTLS_E_SUCCESS) + throw rdr::TLSException("Failed to load certificate and key", ret); ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred); if (ret != GNUTLS_E_SUCCESS)