You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
88 lines
3.4 KiB
88 lines
3.4 KiB
6 years ago
|
From 04a3fe9e8122166eb8f257396fd07314182d2fc2 Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||
|
|
Date: Wed, 31 Jan 2018 11:27:10 +0000
|
||
|
|
Subject: [PATCH] Explicitly track whether x509 creds have been set
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
If we want to use the system trust DB, we can't rely on cred_x509_cacert
|
||
|
|
field being non-NULL. We must explicitly record whether the client app
|
||
|
|
has set the x509 credentials. We allow cacert to be missing if we are
|
||
|
|
built against a new enough GNUTLS.
|
||
|
|
|
||
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||
|
|
(cherry picked from commit abc27748c6ca309ec3c39fb6c84426a459f56c74)
|
||
|
|
---
|
||
|
|
src/vncconnection.c | 21 ++++++++++++++++++---
|
||
|
|
1 file changed, 18 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/vncconnection.c b/src/vncconnection.c
|
||
|
|
index 35966c9..7fcbe89 100644
|
||
|
|
--- a/src/vncconnection.c
|
||
|
|
+++ b/src/vncconnection.c
|
||
|
|
@@ -217,6 +217,7 @@ struct _VncConnectionPrivate
|
||
|
|
char *cred_x509_cacrl;
|
||
|
|
char *cred_x509_cert;
|
||
|
|
char *cred_x509_key;
|
||
|
|
+ gboolean set_cred_x509;
|
||
|
|
gboolean want_cred_username;
|
||
|
|
gboolean want_cred_password;
|
||
|
|
gboolean want_cred_x509;
|
||
|
|
@@ -3528,7 +3529,7 @@ static gboolean vnc_connection_has_credentials(gpointer data)
|
||
|
|
return FALSE;
|
||
|
|
if (priv->want_cred_password && !priv->cred_password)
|
||
|
|
return FALSE;
|
||
|
|
- if (priv->want_cred_x509 && !priv->cred_x509_cacert)
|
||
|
|
+ if (priv->want_cred_x509 && !priv->set_cred_x509)
|
||
|
|
return FALSE;
|
||
|
|
return TRUE;
|
||
|
|
}
|
||
|
|
@@ -5122,6 +5123,7 @@ static void vnc_connection_close(VncConnection *conn)
|
||
|
|
priv->cred_password = NULL;
|
||
|
|
}
|
||
|
|
|
||
|
|
+ priv->set_cred_x509 = FALSE;
|
||
|
|
if (priv->cred_x509_cacert) {
|
||
|
|
g_free(priv->cred_x509_cacert);
|
||
|
|
priv->cred_x509_cacert = NULL;
|
||
|
|
@@ -5838,6 +5840,7 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
|
||
|
|
{
|
||
|
|
VncConnectionPrivate *priv = conn->priv;
|
||
|
|
char *sysdir = g_strdup_printf("%s/pki", SYSCONFDIR);
|
||
|
|
+ int ret;
|
||
|
|
#ifndef WIN32
|
||
|
|
struct passwd *pw;
|
||
|
|
|
||
|
|
@@ -5852,9 +5855,19 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
|
||
|
|
for (int i = 0 ; i < sizeof(dirs)/sizeof(dirs[0]) ; i++)
|
||
|
|
VNC_DEBUG("Searching for certs in %s", dirs[i]);
|
||
|
|
|
||
|
|
- if (vnc_connection_best_path(&priv->cred_x509_cacert, "CA", "cacert.pem",
|
||
|
|
- dirs, sizeof(dirs)/sizeof(dirs[0])) < 0)
|
||
|
|
+ ret = vnc_connection_best_path(&priv->cred_x509_cacert, "CA", "cacert.pem",
|
||
|
|
+ dirs, sizeof(dirs)/sizeof(dirs[0]));
|
||
|
|
+ /* With modern GNUTLS we can just allow the global GNUTLS trust database
|
||
|
|
+ * to be used to validate CA certificates if no specific cert is set
|
||
|
|
+ */
|
||
|
|
+ if (ret < 0) {
|
||
|
|
+#if GNUTLS_VERSION_NUMBER < 0x030000
|
||
|
|
+ VNC_DEBUG("No CA certificate provided and no global fallback");
|
||
|
|
return FALSE;
|
||
|
|
+#else
|
||
|
|
+ VNC_DEBUG("No CA certificate provided, using GNUTLS global trust");
|
||
|
|
+#endif
|
||
|
|
+ }
|
||
|
|
|
||
|
|
/* Don't mind failures of CRL */
|
||
|
|
vnc_connection_best_path(&priv->cred_x509_cacrl, "CA", "cacrl.pem",
|
||
|
|
@@ -5867,6 +5880,8 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
|
||
|
|
vnc_connection_best_path(&priv->cred_x509_cert, name, "clientcert.pem",
|
||
|
|
dirs, sizeof(dirs)/sizeof(dirs[0]));
|
||
|
|
|
||
|
|
+ priv->set_cred_x509 = TRUE;
|
||
|
|
+
|
||
|
|
return TRUE;
|
||
|
|
}
|
||
|
|
|