mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4138 Commits
15 Branches
Tree: ad0f0618fa
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ad0f0618fa'
${ noResults }
tigervnc/common/rfb/SSecurityTLS.cxx

SSecurityTLS.cxx 6.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244 
  1. /* 

  2.  * Copyright (C) 2004 Red Hat Inc.

  3.  * Copyright (C) 2005 Martin Koegler

  4.  * Copyright (C) 2010 TigerVNC Team

  5.  *    

  6.  * This is free software; you can redistribute it and/or modify

  7.  * it under the terms of the GNU General Public License as published by

  8.  * the Free Software Foundation; either version 2 of the License, or

  9.  * (at your option) any later version.

  10.  * 

  11.  * This software is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14.  * GNU General Public License for more details.

  15.  * 

  16.  * You should have received a copy of the GNU General Public License

  17.  * along with this software; if not, write to the Free Software

  18.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

  19.  * USA.

  20.  */

  21. 

  22. #ifdef HAVE_CONFIG_H

  23. #include <config.h>

  24. #endif

  25. 

  26. #ifndef HAVE_GNUTLS

  27. #error "This source should not be compiled without HAVE_GNUTLS defined"

  28. #endif

  29. 

  30. #include <stdlib.h>

  31. 

  32. #include <rfb/SSecurityTLS.h>

  33. #include <rfb/SConnection.h>

  34. #include <rfb/LogWriter.h>

  35. #include <rfb/Exception.h>

  36. #include <rdr/TLSInStream.h>

  37. #include <rdr/TLSOutStream.h>

  38. #include <gnutls/x509.h>

  39. 

  40. #define DH_BITS 1024 /* XXX This should be configurable! */

  41. 

  42. using namespace rfb;

  43. 

  44. StringParameter SSecurityTLS::X509_CertFile

  45. ("X509Cert", "Path to the X509 certificate in PEM format", "", ConfServer);

  46. 

  47. StringParameter SSecurityTLS::X509_KeyFile

  48. ("X509Key", "Path to the key of the X509 certificate in PEM format", "", ConfServer);

  49. 

  50. static LogWriter vlog("TLS");

  51. 

  52. SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)

  53.   : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),

  54.     cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),

  55.     rawis(NULL), rawos(NULL)

  56. {

  57.   certfile = X509_CertFile.getData();

  58.   keyfile = X509_KeyFile.getData();

  59. 

  60.   if (gnutls_global_init() != GNUTLS_E_SUCCESS)

  61.     throw AuthFailureException("gnutls_global_init failed");

  62. }

  63. 

  64. void SSecurityTLS::shutdown()

  65. {

  66.   if (session) {

  67.     if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {

  68.       /* FIXME: Treat as non-fatal error */

  69.       vlog.error("TLS session wasn't terminated gracefully");

  70.     }

  71.   }

  72. 

  73.   if (dh_params) {

  74.     gnutls_dh_params_deinit(dh_params);

  75.     dh_params = 0;

  76.   }

  77. 

  78.   if (anon_cred) {

  79.     gnutls_anon_free_server_credentials(anon_cred);

  80.     anon_cred = 0;

  81.   }

  82. 

  83.   if (cert_cred) {

  84.     gnutls_certificate_free_credentials(cert_cred);

  85.     cert_cred = 0;

  86.   }

  87. 

  88.   if (rawis && rawos) {

  89.     sc->setStreams(rawis, rawos);

  90.     rawis = NULL;

  91.     rawos = NULL;

  92.   }

  93. 

  94.   if (tlsis) {

  95.     delete tlsis;

  96.     tlsis = NULL;

  97.   }

  98.   if (tlsos) {

  99.     delete tlsos;

  100.     tlsos = NULL;

  101.   }

  102. 

  103.   if (session) {

  104.     gnutls_deinit(session);

  105.     session = 0;

  106.   }

  107. }

  108. 

  109. 

  110. SSecurityTLS::~SSecurityTLS()

  111. {

  112.   shutdown();

  113. 

  114.   delete[] keyfile;

  115.   delete[] certfile;

  116. 

  117.   gnutls_global_deinit();

  118. }

  119. 

  120. bool SSecurityTLS::processMsg()

  121. {

  122.   vlog.debug("Process security message (session %p)", session);

  123. 

  124.   if (!session) {

  125.     rdr::InStream* is = sc->getInStream();

  126.     rdr::OutStream* os = sc->getOutStream();

  127. 

  128.     if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)

  129.       throw AuthFailureException("gnutls_init failed");

  130. 

  131.     if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)

  132.       throw AuthFailureException("gnutls_set_default_priority failed");

  133. 

  134.     try {

  135.       setParams(session);

  136.     }

  137.     catch(...) {

  138.       os->writeU8(0);

  139.       throw;

  140.     }

  141. 

  142.     os->writeU8(1);

  143.     os->flush();

  144. 

  145.     // Create these early as they set up the push/pull functions

  146.     // for GnuTLS

  147.     tlsis = new rdr::TLSInStream(is, session);

  148.     tlsos = new rdr::TLSOutStream(os, session);

  149. 

  150.     rawis = is;

  151.     rawos = os;

  152.   }

  153. 

  154.   int err;

  155.   err = gnutls_handshake(session);

  156.   if (err != GNUTLS_E_SUCCESS) {

  157.     if (!gnutls_error_is_fatal(err)) {

  158.       vlog.debug("Deferring completion of TLS handshake: %s", gnutls_strerror(err));

  159.       return false;

  160.     }

  161.     vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));

  162.     shutdown();

  163.     throw AuthFailureException("TLS Handshake failed");

  164.   }

  165. 

  166.   vlog.debug("TLS handshake completed with %s",

  167.              gnutls_session_get_desc(session));

  168. 

  169.   sc->setStreams(tlsis, tlsos);

  170. 

  171.   return true;

  172. }

  173. 

  174. void SSecurityTLS::setParams(gnutls_session_t session)

  175. {

  176.   static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";

  177. 

  178.   int ret;

  179.   char *prio;

  180.   const char *err;

  181. 

  182.   prio = (char*)malloc(strlen(Security::GnuTLSPriority) +

  183.                        strlen(kx_anon_priority) + 1);

  184.   if (prio == NULL)

  185.     throw AuthFailureException("Not enough memory for GnuTLS priority string");

  186. 

  187.   strcpy(prio, Security::GnuTLSPriority);

  188.   if (anon)

  189.     strcat(prio, kx_anon_priority);

  190. 

  191.   ret = gnutls_priority_set_direct(session, prio, &err);

  192. 

  193.   free(prio);

  194. 

  195.   if (ret != GNUTLS_E_SUCCESS) {

  196.     if (ret == GNUTLS_E_INVALID_REQUEST)

  197.       vlog.error("GnuTLS priority syntax error at: %s", err);

  198.     throw AuthFailureException("gnutls_set_priority_direct failed");

  199.   }

  200. 

  201.   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)

  202.     throw AuthFailureException("gnutls_dh_params_init failed");

  203. 

  204.   if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)

  205.     throw AuthFailureException("gnutls_dh_params_generate2 failed");

  206. 

  207.   if (anon) {

  208.     if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)

  209.       throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");

  210. 

  211.     gnutls_anon_set_server_dh_params(anon_cred, dh_params);

  212. 

  213.     if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)

  214.         != GNUTLS_E_SUCCESS)

  215.       throw AuthFailureException("gnutls_credentials_set failed");

  216. 

  217.     vlog.debug("Anonymous session has been set");

  218. 

  219.   } else {

  220.     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)

  221.       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");

  222. 

  223.     gnutls_certificate_set_dh_params(cert_cred, dh_params);

  224. 

  225.     switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {

  226.     case GNUTLS_E_SUCCESS:

  227.       break;

  228.     case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:

  229.       throw AuthFailureException("Private key does not match certificate");

  230.     case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE:

  231.       throw AuthFailureException("Unsupported certificate type");

  232.     default:

  233.       throw AuthFailureException("Error loading X509 certificate or key");

  234.     }

  235. 

  236.     if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)

  237.         != GNUTLS_E_SUCCESS)

  238.       throw AuthFailureException("gnutls_credentials_set failed");

  239. 

  240.     vlog.debug("X509 session has been set");

  241. 

  242.   }

  243. 

  244. }