Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / 44cdb1352a8f246f1898cf458dba6f75c3ba4d37 / . / common / rfb / CSecurityTLS.cxx
blob: c22fa2d98dfd2fd0005b84f91dc1a2c8c476ee26 [file] [log] [blame]
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]1/*
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]5 * Copyright (C) 2010 m-privacy GmbH
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]6 *
7 * This is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this software; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
20 * USA.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include <config.h>
25#endif
26
Adam Tkac43958232010-07-21 09:06:59 +0000[diff] [blame]27#ifndef HAVE_GNUTLS
28#error "This header should not be compiled without HAVE_GNUTLS defined"
29#endif
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]30
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]31#include <stdlib.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]32#ifndef WIN32
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]33#include <unistd.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]34#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]35
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]36#include <rfb/CSecurityTLS.h>
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]37#include <rfb/SSecurityVeNCrypt.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]38#include <rfb/CConnection.h>
39#include <rfb/LogWriter.h>
40#include <rfb/Exception.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]41#include <rfb/UserMsgBox.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]42#include <rdr/TLSInStream.h>
43#include <rdr/TLSOutStream.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]44#include <os/os.h>
Adam Tkac179d2b12011-01-19 14:15:14 +0000[diff] [blame]45#include <os/print.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]46
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]47#include <gnutls/x509.h>
48
DRCb7ab54f2011-02-09 03:27:26 +0000[diff] [blame]49#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x020708)
DRCb7ab54f2011-02-09 03:27:26 +0000[diff] [blame]50#define GNUTLS_CERT_NOT_ACTIVATED 512
51#define GNUTLS_CERT_EXPIRED 1024
52#endif
53
54#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x020301)
55#define GNUTLS_CRT_PRINT_ONELINE 1
56#endif
57
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]58#define TLS_DEBUG
59
60using namespace rfb;
61
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]62StringParameter CSecurityTLS::x509ca("x509ca", "X509 CA certificate", "", ConfViewer);
63StringParameter CSecurityTLS::x509crl("x509crl", "X509 CRL file", "", ConfViewer);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]64
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]65static LogWriter vlog("TLS");
66
67#ifdef TLS_DEBUG
68static void debug_log(int level, const char* str)
69{
70 vlog.debug(str);
71}
72#endif
73
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]74void CSecurityTLS::initGlobal()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]75{
76 static bool globalInitDone = false;
77
78 if (!globalInitDone) {
79 gnutls_global_init();
80
81#ifdef TLS_DEBUG
82 gnutls_global_set_log_level(10);
83 gnutls_global_set_log_function(debug_log);
84#endif
85
86 globalInitDone = true;
87 }
88}
89
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]90CSecurityTLS::CSecurityTLS(bool _anon) : session(0), anon_cred(0),
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]91 anon(_anon), fis(0), fos(0)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]92{
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]93 cafile = x509ca.getData();
94 crlfile = x509crl.getData();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]95}
96
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]97void CSecurityTLS::setDefaults()
98{
99 char* homeDir = NULL;
100
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]101 if (getvnchomedir(&homeDir) == -1) {
102 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]103 return;
104 }
105
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]106 int len = strlen(homeDir) + 1;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]107 CharArray caDefault(len + 11);
108 CharArray crlDefault(len + 12);
109 sprintf(caDefault.buf, "%sx509_ca.pem", homeDir);
110 sprintf(crlDefault.buf, "%s509_crl.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]111 delete [] homeDir;
112
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]113 if (!fileexists(caDefault.buf))
114 x509ca.setDefaultStr(strdup(caDefault.buf));
115 if (!fileexists(crlDefault.buf))
116 x509crl.setDefaultStr(strdup(crlDefault.buf));
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]117}
118
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame^]119void CSecurityTLS::shutdown(bool needbye)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]120{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame^]121 if (session && needbye)
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]122 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS)
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame^]123 vlog.error("gnutls_bye failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]124
125 if (anon_cred) {
126 gnutls_anon_free_client_credentials(anon_cred);
127 anon_cred = 0;
128 }
129
130 if (cert_cred) {
131 gnutls_certificate_free_credentials(cert_cred);
132 cert_cred = 0;
133 }
134
135 if (session) {
136 gnutls_deinit(session);
137 session = 0;
138
139 gnutls_global_deinit();
140 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]141}
142
143
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]144CSecurityTLS::~CSecurityTLS()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]145{
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame^]146 shutdown(true);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]147
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]148 if (fis)
149 delete fis;
150 if (fos)
151 delete fos;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]152
153 delete[] cafile;
154 delete[] crlfile;
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]155}
156
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]157bool CSecurityTLS::processMsg(CConnection* cc)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]158{
159 rdr::InStream* is = cc->getInStream();
160 rdr::OutStream* os = cc->getOutStream();
161 client = cc;
162
163 initGlobal();
164
165 if (!session) {
166 if (!is->checkNoWait(1))
167 return false;
168
169 if (is->readU8() == 0)
170 return true;
171
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]172 if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
173 throw AuthFailureException("gnutls_init failed");
174
175 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
176 throw AuthFailureException("gnutls_set_default_priority failed");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]177
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]178 setParam();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]179
180 gnutls_transport_set_pull_function(session, rdr::gnutls_InStream_pull);
181 gnutls_transport_set_push_function(session, rdr::gnutls_OutStream_push);
182 gnutls_transport_set_ptr2(session,
183 (gnutls_transport_ptr) is,
184 (gnutls_transport_ptr) os);
185 }
186
187 int err;
188 err = gnutls_handshake(session);
189 if (err != GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(err))
190 return false;
191
192 if (err != GNUTLS_E_SUCCESS) {
193 vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err));
Adam Tkac44cdb132011-02-09 14:09:10 +0000[diff] [blame^]194 shutdown(false);
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]195 throw AuthFailureException("TLS Handshake failed");
196 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]197
198 checkSession();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]199
200 cc->setStreams(fis = new rdr::TLSInStream(is, session),
201 fos = new rdr::TLSOutStream(os, session));
202
203 return true;
204}
205
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]206void CSecurityTLS::setParam()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]207{
208 static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
209 static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
210 GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
211
212 if (anon) {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]213 if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
214 throw AuthFailureException("gnutls_kx_set_priority failed");
215
216 if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
217 throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
218
219 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS)
220 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]221
222 vlog.debug("Anonymous session has been set");
223 } else {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]224 if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
225 throw AuthFailureException("gnutls_kx_set_priority failed");
226
227 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
228 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]229
230 if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0)
231 throw AuthFailureException("load of CA cert failed");
232
233 if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0)
234 throw AuthFailureException("load of CRL failed");
235
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]236 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) != GNUTLS_E_SUCCESS)
237 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]238
239 vlog.debug("X509 session has been set");
240 }
241}
242
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]243void CSecurityTLS::checkSession()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]244{
245 int status;
246 const gnutls_datum *cert_list;
247 unsigned int cert_list_size = 0;
248 unsigned int i;
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]249 gnutls_datum info;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]250
251 if (anon)
252 return;
253
254 if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
255 throw AuthFailureException("unsupported certificate type");
256
257 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
258 if (!cert_list_size)
259 throw AuthFailureException("unsupported certificate type");
260
261 status = gnutls_certificate_verify_peers(session);
262 if (status == GNUTLS_E_NO_CERTIFICATE_FOUND)
263 throw AuthFailureException("no certificate sent");
264
265 if (status < 0) {
266 vlog.error("X509 verify failed: %s\n", gnutls_strerror (status));
267 throw AuthFailureException("certificate verification failed");
268 }
269
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]270 if (status & GNUTLS_CERT_REVOKED) {
271 throw AuthFailureException("certificate has been revoked");
272 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]273
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]274 if (status & GNUTLS_CERT_NOT_ACTIVATED) {
275 throw AuthFailureException("certificate has not been activated");
276 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]277
278 for (i = 0; i < cert_list_size; i++) {
279 gnutls_x509_crt crt;
280 gnutls_x509_crt_init(&crt);
281
282 if (gnutls_x509_crt_import(crt, &cert_list[i],GNUTLS_X509_FMT_DER) < 0)
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]283 throw AuthFailureException("decoding of certificate failed");
284
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]285 #if defined(GNUTLS_VERSION_NUMBER) && (GNUTLS_VERSION_NUMBER >= 0x010706)
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]286 if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) {
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]287 /*
288 * GNUTLS doesn't correctly export gnutls_free symbol which is
289 * a function pointer. Linking with Visual Studio 2008 Express will
290 * fail when you call gnutls_free().
291 */
292#if WIN32
293 free(info.data);
294#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]295 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]296#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]297 throw AuthFailureException("Could not find certificate to display");
298 }
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame]299 #endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]300
301 if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]302 char buf[255];
303 sprintf(buf, "Hostname (%s) does not match any certificate, do you want to continue?", client->getServerName());
304 vlog.debug("hostname mismatch");
305 if(!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf))
306 throw AuthFailureException("hostname mismatch");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]307 }
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]308
309 if (status & GNUTLS_CERT_EXPIRED) {
310 vlog.debug("certificate has expired");
311 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certficate has expired", "The certificate of the server has expired, do you want to continue?"))
312 throw AuthFailureException("certificate has expired");
313 }
314
315 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
316 size_t out_size;
317 char *homeDir = NULL;
318 char *out_buf = NULL;
319 char *certinfo = NULL;
320 int len = 0;
321
322 vlog.debug("certificate issuer unknown");
323
324 len = snprintf(NULL, 0, "This certificate has been signed by an unknown authority:\n\n%s\n\nDo you want to save it and continue?\n ", info.data);
325 if (len < 0)
326 AuthFailureException("certificate decoding error");
327
328 vlog.debug("%s", info.data);
329
330 certinfo = new char[len];
331 if (certinfo == NULL)
332 throw AuthFailureException("Out of memory");
333
334 snprintf(certinfo, len, "This certificate has been signed by an unknown authority:\n\n%s\n\nDo you want to save it and continue? ", info.data);
335
336 for (int i = 0; i < len - 1; i++)
337 if (certinfo[i] == ',' && certinfo[i + 1] == ' ')
338 certinfo[i] = '\n';
339
340 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown",
341 certinfo)) {
342 delete [] certinfo;
343 throw AuthFailureException("certificate issuer unknown");
344 }
345 delete [] certinfo;
346
347 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
348 == GNUTLS_E_SHORT_MEMORY_BUFFER)
349 AuthFailureException("Out of memory");
350
351 // Save cert
352 out_buf = new char[out_size];
353 if (out_buf == NULL)
354 AuthFailureException("Out of memory");
355
356 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size)
357 < 0)
358 AuthFailureException("certificate issuer unknown, and certificate "
359 "export failed");
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]360
361 if (getvnchomedir(&homeDir) == -1)
362 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]363 else {
364 FILE *f;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]365 CharArray caSave(strlen(homeDir) + 1 + 19);
366 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]367 delete [] homeDir;
368 f = fopen(caSave.buf, "a+");
369 if (!f)
370 msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed",
371 "Could not save the certificate");
372 else {
373 fprintf(f, "%s\n", out_buf);
374 fclose(f);
375 }
376 }
377 delete [] out_buf;
378 } else if (status & GNUTLS_CERT_INVALID)
379 throw AuthFailureException("certificate not trusted");
380
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]381 gnutls_x509_crt_deinit(crt);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]382 /*
383 * GNUTLS doesn't correctly export gnutls_free symbol which is
384 * a function pointer. Linking with Visual Studio 2008 Express will
385 * fail when you call gnutls_free().
386 */
387#if WIN32
388 free(info.data);
389#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]390 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]391#endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]392 }
393}
394