Fix reporting of some TLS errors

These functions return a GnuTLS status, so we should use the correct exception for that so we get the proper error messages.
TigerVNC · Sep 4, 2024 · 2d5636e · 2d5636e
1 parent 455ad1c
commit 2d5636e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 22 deletions.
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
@@ -333,11 +333,12 @@ void CSecurityTLS::checkSession()
     if (fatal_status != 0) {
       std::string error;
 
-      if (gnutls_certificate_verification_status_print(fatal_status,
-                                                       GNUTLS_CRT_X509,
-                                                       &status_str,
-                                                       0) < 0)
-        throw Exception("Failed to get certificate error description");
+      err = gnutls_certificate_verification_status_print(fatal_status,
+                                                         GNUTLS_CRT_X509,
+                                                         &status_str,
+                                                         0);
+      if (err != GNUTLS_E_SUCCESS)
+        throw rdr::TLSException("Failed to get certificate error description", err);
 
       error = (const char*)status_str.data;
 
@@ -346,11 +347,12 @@ void CSecurityTLS::checkSession()
       throw Exception("Invalid server certificate: %s", error.c_str());
     }
 
-    if (gnutls_certificate_verification_status_print(status,
-                                                     GNUTLS_CRT_X509,
-                                                     &status_str,
-                                                     0) < 0)
-      throw Exception("Failed to get certificate error description");
+    err = gnutls_certificate_verification_status_print(status,
+                                                       GNUTLS_CRT_X509,
+                                                       &status_str,
+                                                       0);
+    if (err != GNUTLS_E_SUCCESS)
+      throw rdr::TLSException("Failed to get certificate error description", err);
 
     vlog.info("Server certificate errors: %s", status_str.data);
 
@@ -367,8 +369,9 @@ void CSecurityTLS::checkSession()
   gnutls_x509_crt_t crt;
   gnutls_x509_crt_init(&crt);
 
-  if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
-    throw Exception("decoding of certificate failed");
+  err = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER);
+  if (err != GNUTLS_E_SUCCESS)
+    throw rdr::TLSException("Failed to decode server certificate", err);
 
   if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
     vlog.info("Server certificate doesn't match given server name");

diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
@@ -299,16 +299,11 @@ void SSecurityTLS::setParams()
     gnutls_certificate_set_dh_params(cert_cred, dh_params);
 #endif
 
-    switch (gnutls_certificate_set_x509_key_file(cert_cred, X509_CertFile, X509_KeyFile, GNUTLS_X509_FMT_PEM)) {
-    case GNUTLS_E_SUCCESS:
-      break;
-    case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:
-      throw Exception("Private key does not match certificate");
-    case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE:
-      throw Exception("Unsupported certificate type");
-    default:
-      throw Exception("Error loading X509 certificate or key");
-    }
+    ret = gnutls_certificate_set_x509_key_file(cert_cred, X509_CertFile,
+                                               X509_KeyFile,
+                                               GNUTLS_X509_FMT_PEM);
+    if (ret != GNUTLS_E_SUCCESS)
+      throw rdr::TLSException("Failed to load certificate and key", ret);
 
     ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred);
     if (ret != GNUTLS_E_SUCCESS)