Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / 88c24edd8f7a793561104be50b6ecf2c85b42956 / . / common / rfb / SSecurityTLS.cxx
blob: 88145e8b20f38b1b84c2c37e6afba4c85c592c8d [file] [log] [blame]
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]1/*
2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
5 *
6 * This is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This software is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this software; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
19 * USA.
20 */
21
22#ifdef HAVE_CONFIG_H
23#include <config.h>
24#endif
25
Adam Tkacdf799702010-04-28 15:45:53 +0000[diff] [blame]26#ifndef HAVE_GNUTLS
27#error "This source should not be compiled without HAVE_GNUTLS defined"
28#endif
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]29
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]30#include <rfb/SSecurityTLS.h>
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]31#include <rfb/SConnection.h>
32#include <rfb/LogWriter.h>
33#include <rfb/Exception.h>
34#include <rdr/TLSInStream.h>
35#include <rdr/TLSOutStream.h>
36
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]37#define DH_BITS 1024 /* XXX This should be configurable! */
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]38
39using namespace rfb;
40
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]41StringParameter SSecurityTLS::X509_CertFile
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]42("X509Cert", "Path to the X509 certificate in PEM format", "", ConfServer);
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]43
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]44StringParameter SSecurityTLS::X509_KeyFile
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]45("X509Key", "Path to the key of the X509 certificate in PEM format", "", ConfServer);
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]46
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]47static LogWriter vlog("TLS");
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]48
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]49void SSecurityTLS::initGlobal()
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]50{
51 static bool globalInitDone = false;
52
53 if (!globalInitDone) {
54 if (gnutls_global_init() != GNUTLS_E_SUCCESS)
55 throw AuthFailureException("gnutls_global_init failed");
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]56 globalInitDone = true;
57 }
58}
59
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]60SSecurityTLS::SSecurityTLS(bool _anon) : session(0), dh_params(0),
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]61 anon_cred(0), cert_cred(0),
62 anon(_anon), fis(0), fos(0)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]63{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]64 certfile = X509_CertFile.getData();
65 keyfile = X509_KeyFile.getData();
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]66}
67
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]68void SSecurityTLS::shutdown()
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]69{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]70 if (session) {
71 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {
72 /* FIXME: Treat as non-fatal error */
73 vlog.error("TLS session wasn't terminated gracefully");
74 }
75 }
76
77 if (dh_params) {
78 gnutls_dh_params_deinit(dh_params);
79 dh_params = 0;
80 }
81
82 if (anon_cred) {
83 gnutls_anon_free_server_credentials(anon_cred);
84 anon_cred = 0;
85 }
86
87 if (cert_cred) {
88 gnutls_certificate_free_credentials(cert_cred);
89 cert_cred = 0;
90 }
91
92 if (session) {
93 gnutls_deinit(session);
94 session = 0;
95
96 gnutls_global_deinit();
97 }
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]98}
99
100
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]101SSecurityTLS::~SSecurityTLS()
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]102{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]103 shutdown();
104
105 if (fis)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]106 delete fis;
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]107 if (fos)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]108 delete fos;
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]109
110 delete[] keyfile;
111 delete[] certfile;
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]112}
113
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]114bool SSecurityTLS::processMsg(SConnection *sc)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]115{
116 rdr::InStream* is = sc->getInStream();
117 rdr::OutStream* os = sc->getOutStream();
118
119 vlog.debug("Process security message (session %p)", session);
120
121 if (!session) {
122 initGlobal();
123
124 if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
125 throw AuthFailureException("gnutls_init failed");
126
127 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
128 throw AuthFailureException("gnutls_set_default_priority failed");
129
130 try {
131 setParams(session);
132 }
133 catch(...) {
134 os->writeU8(0);
135 throw;
136 }
137
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]138 os->writeU8(1);
139 os->flush();
140 }
141
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]142 rdr::TLSInStream *tlsis = new rdr::TLSInStream(is, session);
143 rdr::TLSOutStream *tlsos = new rdr::TLSOutStream(os, session);
144
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]145 int err;
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]146 err = gnutls_handshake(session);
147 if (err != GNUTLS_E_SUCCESS) {
148 delete tlsis;
149 delete tlsos;
150
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]151 if (!gnutls_error_is_fatal(err)) {
152 vlog.debug("Deferring completion of TLS handshake: %s", gnutls_strerror(err));
153 return false;
154 }
155 vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]156 shutdown();
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]157 throw AuthFailureException("TLS Handshake failed");
158 }
159
160 vlog.debug("Handshake completed");
161
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]162 sc->setStreams(fis = tlsis, fos = tlsos);
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]163
164 return true;
165}
166
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame^]167void SSecurityTLS::setParams(gnutls_session_t session)
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]168{
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame^]169 static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
170 static const char kx_priority[] = "NORMAL";
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]171
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame^]172 int ret;
173 const char *err;
174
175 ret = gnutls_priority_set_direct(session,
176 anon ? kx_anon_priority : kx_priority,
177 &err);
178 if (ret != GNUTLS_E_SUCCESS) {
179 if (ret == GNUTLS_E_INVALID_REQUEST)
180 vlog.error("GnuTLS priority syntax error at: %s", err);
181 throw AuthFailureException("gnutls_set_priority_direct failed");
182 }
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]183
184 if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
185 throw AuthFailureException("gnutls_dh_params_init failed");
186
187 if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
188 throw AuthFailureException("gnutls_dh_params_generate2 failed");
189
190 if (anon) {
191 if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
192 throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
193
194 gnutls_anon_set_server_dh_params(anon_cred, dh_params);
195
196 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
197 != GNUTLS_E_SUCCESS)
198 throw AuthFailureException("gnutls_credentials_set failed");
199
200 vlog.debug("Anonymous session has been set");
201
202 } else {
203 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
204 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
205
206 gnutls_certificate_set_dh_params(cert_cred, dh_params);
207
208 if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,
209 GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
210 throw AuthFailureException("load of key failed");
211
212 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)
213 != GNUTLS_E_SUCCESS)
214 throw AuthFailureException("gnutls_credentials_set failed");
215
216 vlog.debug("X509 session has been set");
217
218 }
219
220}