mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3778 Commits
15 Branches
Tree: 6f2301d08e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6f2301d08e'
${ noResults }
tigervnc/common/rfb/SSecurityTLS.cxx

SSecurityTLS.cxx 6.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230 
  1. /* 

  2.  * Copyright (C) 2004 Red Hat Inc.

  3.  * Copyright (C) 2005 Martin Koegler

  4.  * Copyright (C) 2010 TigerVNC Team

  5.  *    

  6.  * This is free software; you can redistribute it and/or modify

  7.  * it under the terms of the GNU General Public License as published by

  8.  * the Free Software Foundation; either version 2 of the License, or

  9.  * (at your option) any later version.

  10.  * 

  11.  * This software is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14.  * GNU General Public License for more details.

  15.  * 

  16.  * You should have received a copy of the GNU General Public License

  17.  * along with this software; if not, write to the Free Software

  18.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

  19.  * USA.

  20.  */

  21. 

  22. #ifdef HAVE_CONFIG_H

  23. #include <config.h>

  24. #endif

  25. 

  26. #ifndef HAVE_GNUTLS

  27. #error "This source should not be compiled without HAVE_GNUTLS defined"

  28. #endif

  29. 

  30. #include <stdlib.h>

  31. 

  32. #include <rfb/SSecurityTLS.h>

  33. #include <rfb/SConnection.h>

  34. #include <rfb/LogWriter.h>

  35. #include <rfb/Exception.h>

  36. #include <rdr/TLSInStream.h>

  37. #include <rdr/TLSOutStream.h>

  38. #include <gnutls/x509.h>

  39. 

  40. #define DH_BITS 1024 /* XXX This should be configurable! */

  41. 

  42. using namespace rfb;

  43. 

  44. StringParameter SSecurityTLS::X509_CertFile

  45. ("X509Cert", "Path to the X509 certificate in PEM format", "", ConfServer);

  46. 

  47. StringParameter SSecurityTLS::X509_KeyFile

  48. ("X509Key", "Path to the key of the X509 certificate in PEM format", "", ConfServer);

  49. 

  50. static LogWriter vlog("TLS");

  51. 

  52. SSecurityTLS::SSecurityTLS(bool _anon) : session(0), dh_params(0),

  53. 						 anon_cred(0), cert_cred(0),

  54. 						 anon(_anon), fis(0), fos(0)

  55. {

  56.   certfile = X509_CertFile.getData();

  57.   keyfile = X509_KeyFile.getData();

  58. 

  59.   if (gnutls_global_init() != GNUTLS_E_SUCCESS)

  60.     throw AuthFailureException("gnutls_global_init failed");

  61. }

  62. 

  63. void SSecurityTLS::shutdown()

  64. {

  65.   if (session) {

  66.     if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {

  67.       /* FIXME: Treat as non-fatal error */

  68.       vlog.error("TLS session wasn't terminated gracefully");

  69.     }

  70.   }

  71. 

  72.   if (dh_params) {

  73.     gnutls_dh_params_deinit(dh_params);

  74.     dh_params = 0;

  75.   }

  76. 

  77.   if (anon_cred) {

  78.     gnutls_anon_free_server_credentials(anon_cred);

  79.     anon_cred = 0;

  80.   }

  81. 

  82.   if (cert_cred) {

  83.     gnutls_certificate_free_credentials(cert_cred);

  84.     cert_cred = 0;

  85.   }

  86. 

  87.   if (session) {

  88.     gnutls_deinit(session);

  89.     session = 0;

  90.   }

  91. }

  92. 

  93. 

  94. SSecurityTLS::~SSecurityTLS()

  95. {

  96.   shutdown();

  97. 

  98.   if (fis)

  99.     delete fis;

  100.   if (fos)

  101.     delete fos;

  102. 

  103.   delete[] keyfile;

  104.   delete[] certfile;

  105. 

  106.   gnutls_global_deinit();

  107. }

  108. 

  109. bool SSecurityTLS::processMsg(SConnection *sc)

  110. {

  111.   rdr::InStream* is = sc->getInStream();

  112.   rdr::OutStream* os = sc->getOutStream();

  113. 

  114.   vlog.debug("Process security message (session %p)", session);

  115. 

  116.   if (!session) {

  117.     if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)

  118.       throw AuthFailureException("gnutls_init failed");

  119. 

  120.     if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)

  121.       throw AuthFailureException("gnutls_set_default_priority failed");

  122. 

  123.     try {

  124.       setParams(session);

  125.     }

  126.     catch(...) {

  127.       os->writeU8(0);

  128.       throw;

  129.     }

  130. 

  131.     os->writeU8(1);

  132.     os->flush();

  133.   }

  134. 

  135.   rdr::TLSInStream *tlsis = new rdr::TLSInStream(is, session);

  136.   rdr::TLSOutStream *tlsos = new rdr::TLSOutStream(os, session);

  137. 

  138.   int err;

  139.   err = gnutls_handshake(session);

  140.   if (err != GNUTLS_E_SUCCESS) {

  141.     delete tlsis;

  142.     delete tlsos;

  143. 

  144.     if (!gnutls_error_is_fatal(err)) {

  145.       vlog.debug("Deferring completion of TLS handshake: %s", gnutls_strerror(err));

  146.       return false;

  147.     }

  148.     vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));

  149.     shutdown();

  150.     throw AuthFailureException("TLS Handshake failed");

  151.   }

  152. 

  153.   vlog.debug("Handshake completed");

  154. 

  155.   sc->setStreams(fis = tlsis, fos = tlsos);

  156. 

  157.   return true;

  158. }

  159. 

  160. void SSecurityTLS::setParams(gnutls_session_t session)

  161. {

  162.   static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";

  163. 

  164.   int ret;

  165.   char *prio;

  166.   const char *err;

  167. 

  168.   prio = (char*)malloc(strlen(Security::GnuTLSPriority) +

  169.                        strlen(kx_anon_priority) + 1);

  170.   if (prio == NULL)

  171.     throw AuthFailureException("Not enough memory for GnuTLS priority string");

  172. 

  173.   strcpy(prio, Security::GnuTLSPriority);

  174.   if (anon)

  175.     strcat(prio, kx_anon_priority);

  176. 

  177.   ret = gnutls_priority_set_direct(session, prio, &err);

  178. 

  179.   free(prio);

  180. 

  181.   if (ret != GNUTLS_E_SUCCESS) {

  182.     if (ret == GNUTLS_E_INVALID_REQUEST)

  183.       vlog.error("GnuTLS priority syntax error at: %s", err);

  184.     throw AuthFailureException("gnutls_set_priority_direct failed");

  185.   }

  186. 

  187.   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)

  188.     throw AuthFailureException("gnutls_dh_params_init failed");

  189. 

  190.   if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)

  191.     throw AuthFailureException("gnutls_dh_params_generate2 failed");

  192. 

  193.   if (anon) {

  194.     if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)

  195.       throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");

  196. 

  197.     gnutls_anon_set_server_dh_params(anon_cred, dh_params);

  198. 

  199.     if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)

  200.         != GNUTLS_E_SUCCESS)

  201.       throw AuthFailureException("gnutls_credentials_set failed");

  202. 

  203.     vlog.debug("Anonymous session has been set");

  204. 

  205.   } else {

  206.     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)

  207.       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");

  208. 

  209.     gnutls_certificate_set_dh_params(cert_cred, dh_params);

  210. 

  211.     switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {

  212.     case GNUTLS_E_SUCCESS:

  213.       break;

  214.     case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:

  215.       throw AuthFailureException("Private key does not match certificate");

  216.     case GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE:

  217.       throw AuthFailureException("Unsupported certificate type");

  218.     default:

  219.       throw AuthFailureException("Error loading X509 certificate or key");

  220.     }

  221. 

  222.     if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)

  223.         != GNUTLS_E_SUCCESS)

  224.       throw AuthFailureException("gnutls_credentials_set failed");

  225. 

  226.     vlog.debug("X509 session has been set");

  227. 

  228.   }

  229. 

  230. }