
From 04a3fe9e8122166eb8f257396fd07314182d2fc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 31 Jan 2018 11:27:10 +0000
Subject: [PATCH] Explicitly track whether x509 creds have been set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If we want to use the system trust DB, we can't rely on the cred_x509_cacert
field being non-NULL. We must explicitly record whether the client app
has set the x509 credentials. We allow cacert to be missing if we are
built against a new enough GNUTLS.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit abc27748c6ca309ec3c39fb6c84426a459f56c74)
---
 src/vncconnection.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/vncconnection.c b/src/vncconnection.c
index 35966c9..7fcbe89 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -217,6 +217,7 @@ struct _VncConnectionPrivate
     char *cred_x509_cacrl;
     char *cred_x509_cert;
     char *cred_x509_key;
+    gboolean set_cred_x509;
     gboolean want_cred_username;
     gboolean want_cred_password;
     gboolean want_cred_x509;
@@ -3528,7 +3529,7 @@ static gboolean vnc_connection_has_credentials(gpointer data)
         return FALSE;
     if (priv->want_cred_password && !priv->cred_password)
         return FALSE;
-    if (priv->want_cred_x509 && !priv->cred_x509_cacert)
+    if (priv->want_cred_x509 && !priv->set_cred_x509)
         return FALSE;
     return TRUE;
 }
@@ -5122,6 +5123,7 @@ static void vnc_connection_close(VncConnection *conn)
         priv->cred_password = NULL;
     }
 
+    priv->set_cred_x509 = FALSE;
     if (priv->cred_x509_cacert) {
         g_free(priv->cred_x509_cacert);
         priv->cred_x509_cacert = NULL;
@@ -5838,6 +5840,7 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
 {
     VncConnectionPrivate *priv = conn->priv;
     char *sysdir = g_strdup_printf("%s/pki", SYSCONFDIR);
+    int ret;
 #ifndef WIN32
     struct passwd *pw;
 
@@ -5852,9 +5855,19 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
     for (int i = 0 ; i < sizeof(dirs)/sizeof(dirs[0]) ; i++)
         VNC_DEBUG("Searching for certs in %s", dirs[i]);
 
-    if (vnc_connection_best_path(&priv->cred_x509_cacert, "CA", "cacert.pem",
-                                 dirs, sizeof(dirs)/sizeof(dirs[0])) < 0)
+    ret = vnc_connection_best_path(&priv->cred_x509_cacert, "CA", "cacert.pem",
+                                   dirs, sizeof(dirs)/sizeof(dirs[0]));
+    /* With modern GNUTLS we can just allow the global GNUTLS trust database
+     * to be used to validate CA certificates if no specific cert is set
+     */
+    if (ret < 0) {
+#if GNUTLS_VERSION_NUMBER < 0x030000
+        VNC_DEBUG("No CA certificate provided and no global fallback");
         return FALSE;
+#else
+        VNC_DEBUG("No CA certificate provided, using GNUTLS global trust");
+#endif
+    }
 
     /* Don't mind failures of CRL */
     vnc_connection_best_path(&priv->cred_x509_cacrl, "CA", "cacrl.pem",
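Review bot: With GNUTLS_VERSION_NUMBER >= 0x030000 a missing cacert.pem is now only reported through VNC_DEBUG and the function continues, so a misplaced or misnamed CA file silently switches validation from the caller's intended CA to the system trust store rather than failing as it did before; this deserves at least a visible warning or a doc comment on the function, e.g. `/* NOTE: on GnuTLS >= 3.0.0 a missing cacert.pem is not an error; validation then relies on the system trust DB, so callers needing their own CA must verify the file exists */`. The code that loads priv->cred_x509_cacert into the GnuTLS certificate credentials is not touched by this patch, so it presumably already handles a NULL cacert on that path (e.g. by using the system trust) — worth confirming, since the commit message says the field can no longer be relied on to be non-NULL. On the old-GnuTLS `return FALSE` path set_cred_x509 keeps whatever value it had, so a repeated call that fails after an earlier success leaves the flag TRUE; clearing it at function entry, `priv->set_cred_x509 = FALSE;` right after the priv assignment, would make the flag track the most recent call. vnc_connection_set_credential_x509 starts and ends outside this hunk.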
@@ -5867,6 +5880,8 @@ static gboolean vnc_connection_set_credential_x509(VncConnection *conn,
     vnc_connection_best_path(&priv->cred_x509_cert, name, "clientcert.pem",
                              dirs, sizeof(dirs)/sizeof(dirs[0]));
 
+    priv->set_cred_x509 = TRUE;
+
     return TRUE;
 }