mirrors
/
tigervnc
zrcadlo https://github.com/TigerVNC/tigervnc.git
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Vydání 37 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
2336 Revize
15 Větve
Strom: ad8609a2ed
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „ad8609a2ed“
${ noResults }
tigervnc/common/rfb/SSecurityTLS.cxx

SSecurityTLS.cxx 6.1KB
Surový Blame Historie

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225 
  1. /* 

  2.  * Copyright (C) 2004 Red Hat Inc.

  3.  * Copyright (C) 2005 Martin Koegler

  4.  * Copyright (C) 2010 TigerVNC Team

  5.  *    

  6.  * This is free software; you can redistribute it and/or modify

  7.  * it under the terms of the GNU General Public License as published by

  8.  * the Free Software Foundation; either version 2 of the License, or

  9.  * (at your option) any later version.

  10.  * 

  11.  * This software is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14.  * GNU General Public License for more details.

  15.  * 

  16.  * You should have received a copy of the GNU General Public License

  17.  * along with this software; if not, write to the Free Software

  18.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

  19.  * USA.

  20.  */

  21. 

  22. #ifdef HAVE_CONFIG_H

  23. #include <config.h>

  24. #endif

  25. 

  26. #ifndef HAVE_GNUTLS

  27. #error "This source should not be compiled without HAVE_GNUTLS defined"

  28. #endif

  29. 

  30. #include <rfb/SSecurityTLS.h>

  31. #include <rfb/SConnection.h>

  32. #include <rfb/LogWriter.h>

  33. #include <rfb/Exception.h>

  34. #include <rdr/TLSInStream.h>

  35. #include <rdr/TLSOutStream.h>

  36. 

  37. #define DH_BITS 1024 /* XXX This should be configurable! */

  38. 

  39. using namespace rfb;

  40. 

  41. StringParameter SSecurityTLS::X509_CertFile

  42. ("x509cert", "specifies path to the x509 certificate in PEM format", "", ConfServer);

  43. 

  44. StringParameter SSecurityTLS::X509_KeyFile

  45. ("x509key", "specifies path to the key of the x509 certificate in PEM format", "", ConfServer);

  46. 

  47. static LogWriter vlog("TLS");

  48. static LogWriter vlog_raw("RawTLS");

  49. 

  50. static void debug_log(int level, const char* str)

  51. {

  52.   vlog.debug("[%d]: %s", level, str);

  53. }

  54. 

  55. void SSecurityTLS::initGlobal()

  56. {

  57.   static bool globalInitDone = false;

  58. 

  59.   if (!globalInitDone) {

  60.     if (gnutls_global_init() != GNUTLS_E_SUCCESS)

  61.       throw AuthFailureException("gnutls_global_init failed");

  62. 

  63.     /* 100 means debug log */

  64.     if (vlog_raw.getLevel() >= 100) {

  65.       gnutls_global_set_log_level(10);

  66.       gnutls_global_set_log_function(debug_log);

  67.     }

  68. 

  69.     globalInitDone = true;

  70.   }

  71. }

  72. 

  73. SSecurityTLS::SSecurityTLS(bool _anon) : session(0), dh_params(0),

  74. 						 anon_cred(0), cert_cred(0),

  75. 						 anon(_anon), fis(0), fos(0)

  76. {

  77.   certfile = X509_CertFile.getData();

  78.   keyfile = X509_KeyFile.getData();

  79. }

  80. 

  81. void SSecurityTLS::shutdown()

  82. {

  83.   if (session) {

  84.     if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {

  85.       /* FIXME: Treat as non-fatal error */

  86.       vlog.error("TLS session wasn't terminated gracefully");

  87.     }

  88.   }

  89. 

  90.   if (dh_params) {

  91.     gnutls_dh_params_deinit(dh_params);

  92.     dh_params = 0;

  93.   }

  94. 

  95.   if (anon_cred) {

  96.     gnutls_anon_free_server_credentials(anon_cred);

  97.     anon_cred = 0;

  98.   }

  99. 

  100.   if (cert_cred) {

  101.     gnutls_certificate_free_credentials(cert_cred);

  102.     cert_cred = 0;

  103.   }

  104. 

  105.   if (session) {

  106.     gnutls_deinit(session);

  107.     session = 0;

  108. 

  109.     gnutls_global_deinit();

  110.   }

  111. }

  112. 

  113. 

  114. SSecurityTLS::~SSecurityTLS()

  115. {

  116.   shutdown();

  117. 

  118.   if (fis)

  119.     delete fis;

  120.   if (fos)

  121.     delete fos;

  122. 

  123.   delete[] keyfile;

  124.   delete[] certfile;

  125. }

  126. 

  127. bool SSecurityTLS::processMsg(SConnection *sc)

  128. {

  129.   rdr::InStream* is = sc->getInStream();

  130.   rdr::OutStream* os = sc->getOutStream();

  131. 

  132.   vlog.debug("Process security message (session %p)", session);

  133. 

  134.   if (!session) {

  135.     initGlobal();

  136. 

  137.     if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)

  138.       throw AuthFailureException("gnutls_init failed");

  139. 

  140.     if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)

  141.       throw AuthFailureException("gnutls_set_default_priority failed");

  142. 

  143.     try {

  144.       setParams(session);

  145.     }

  146.     catch(...) {

  147.       os->writeU8(0);

  148.       throw;

  149.     }

  150. 

  151.     gnutls_transport_set_pull_function(session,rdr::gnutls_InStream_pull);

  152.     gnutls_transport_set_push_function(session,rdr::gnutls_OutStream_push);

  153.     gnutls_transport_set_ptr2(session,

  154. 			      (gnutls_transport_ptr)is,

  155. 			      (gnutls_transport_ptr)os);

  156.     os->writeU8(1);

  157.     os->flush();

  158.   }

  159. 

  160.   int err;

  161.   if ((err = gnutls_handshake(session)) != GNUTLS_E_SUCCESS) {

  162.     if (!gnutls_error_is_fatal(err)) {

  163.       vlog.debug("Deferring completion of TLS handshake: %s", gnutls_strerror(err));

  164.       return false;

  165.     }

  166.     vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));

  167.     shutdown();

  168.     throw AuthFailureException("TLS Handshake failed");

  169.   }

  170. 

  171.   vlog.debug("Handshake completed");

  172. 

  173.   sc->setStreams(fis=new rdr::TLSInStream(is,session),

  174. 		 fos=new rdr::TLSOutStream(os,session));

  175. 

  176.   return true;

  177. }

  178. 

  179. void SSecurityTLS::setParams(gnutls_session session)

  180. {

  181.   static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };

  182.   static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,

  183. 				     GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };

  184. 

  185.   if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)

  186.       != GNUTLS_E_SUCCESS)

  187.     throw AuthFailureException("gnutls_kx_set_priority failed");

  188. 

  189.   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)

  190.     throw AuthFailureException("gnutls_dh_params_init failed");

  191. 

  192.   if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)

  193.     throw AuthFailureException("gnutls_dh_params_generate2 failed");

  194. 

  195.   if (anon) {

  196.     if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)

  197.       throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");

  198. 

  199.     gnutls_anon_set_server_dh_params(anon_cred, dh_params);

  200. 

  201.     if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)

  202.         != GNUTLS_E_SUCCESS)

  203.       throw AuthFailureException("gnutls_credentials_set failed");

  204. 

  205.     vlog.debug("Anonymous session has been set");

  206. 

  207.   } else {

  208.     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)

  209.       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");

  210. 

  211.     gnutls_certificate_set_dh_params(cert_cred, dh_params);

  212. 

  213.     if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,

  214.         GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)

  215.       throw AuthFailureException("load of key failed");

  216. 

  217.     if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)

  218.         != GNUTLS_E_SUCCESS)

  219.       throw AuthFailureException("gnutls_credentials_set failed");

  220. 

  221.     vlog.debug("X509 session has been set");

  222. 

  223.   }

  224. 

  225. }