[glib-networking/mcatanzaro/identity: 1/2] gnutls: fail verification if identity is of unexpected type




commit 8fe1681b386c491db52ace1b2d9a09947e4568a4
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Fri Jun 25 10:43:19 2021 -0500

    gnutls: fail verification if identity is of unexpected type
    
    We support GNetworkAddress, GNetworkService, and GInetSocketAddress. If
    we receive some other type of GSocketConnectable, we should fail with an
    error rather than fail to verify the identity.
    
    I doubt this check will be hit in practice, but better safe than sorry.

 tls/gnutls/gtlsconnection-gnutls.c | 10 ++++++++--
 tls/gnutls/gtlsdatabase-gnutls.c   | 12 ++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index beb9534..3b574a5 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -1027,12 +1027,18 @@ g_tls_connection_gnutls_verify_chain (GTlsConnectionBase       *tls,
       addr = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity));
       hostname = free_hostname = g_inet_address_to_string (addr);
     }
+  else if (identity)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                   _("Cannot verify peer identity of unexpected type %s"), G_OBJECT_TYPE_NAME (identity));
+      errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
+    }
 
   ret = gnutls_certificate_verify_peers3 (priv->session, hostname, &gnutls_result);
   if (ret != 0)
-    errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
+    errors |= G_TLS_CERTIFICATE_GENERIC_ERROR;
   else
-    errors = g_tls_certificate_gnutls_convert_flags (gnutls_result);
+    errors |= g_tls_certificate_gnutls_convert_flags (gnutls_result);
 
   g_free (free_hostname);
   return errors;
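Review bot: The switch from `=` to `|=` on the two result lines after gnutls_certificate_verify_peers3 makes the returned flags depend on the initial value of `errors`, whose declaration is outside this hunk — confirm it is initialised to 0 (`GTlsCertificateFlags errors = 0;`), since otherwise the GENERIC_ERROR path now returns whatever bits were already there. The new `else if (identity)` branch sets *error and still falls through to gnutls_certificate_verify_peers3 with a NULL hostname, which is only safe because G_TLS_CERTIFICATE_BAD_IDENTITY has already been OR-ed in; that intent is documented in the sibling hunk in gtlsdatabase-gnutls.c but not here, so a matching comment would help, e.g. `/* Unsupported identity type: flag BAD_IDENTITY now; the chain check below runs without a hostname. */`. g_tls_connection_gnutls_verify_chain starts before this hunk.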
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index af0becc..1bd1a8a 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -532,12 +532,24 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase             *database,
       addr = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity));
       hostname = free_hostname = g_inet_address_to_string (addr);
     }
+
   if (hostname)
     {
       if (!gnutls_x509_crt_check_hostname (gnutls_chain->chain[0], hostname))
         result |= G_TLS_CERTIFICATE_BAD_IDENTITY;
       g_free (free_hostname);
     }
+  else if (identity)
+    {
+      /* If identity is NULL, then the application has requested that we not
+       * verify identity. But if the application passes an identity of a
+       * type we don't expect, then the application surely expects it to be
+       * used, so we'd better not fail silently.
+       */
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                   _("Cannot verify peer identity of unexpected type %s"), G_OBJECT_TYPE_NAME (identity));
+      result |= G_TLS_CERTIFICATE_BAD_IDENTITY;
+    }
 
   certificate_chain_free (gnutls_chain);
   return result;
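Review bot: The new `else if (identity)` is chained to `if (hostname)` rather than to the identity type checks above it, so it fires whenever hostname is NULL for a non-NULL identity — including a supported type whose hostname lookup produced NULL — and that case would then be reported as "unexpected type". The sibling hunk in gtlsconnection-gnutls.c attaches the same branch directly to the type chain (`else if (identity)` right after the G_INET_SOCKET_ADDRESS block), which is the diagnosis the message actually describes; moving the branch up to that position here keeps the two verifiers consistent and leaves the `if (hostname)` block untouched. g_tls_database_gnutls_verify_chain starts before this hunk and `result` is declared outside it.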

