Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / 6a7f9082fd783a1b24387cef0755426e90a0402d / . / common / rfb / SSecurityTLS.cxx
blob: b9460223404dbec47da4c4691d14edd0e92f3315 [file] [log] [blame]
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]1/*
2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
5 *
6 * This is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This software is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this software; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
19 * USA.
20 */
21
22#ifdef HAVE_CONFIG_H
23#include <config.h>
24#endif
25
Adam Tkacdf799702010-04-28 15:45:53 +0000[diff] [blame]26#ifndef HAVE_GNUTLS
27#error "This source should not be compiled without HAVE_GNUTLS defined"
28#endif
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]29
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]30#include <stdlib.h>
31
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]32#include <rfb/SSecurityTLS.h>
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]33#include <rfb/SConnection.h>
34#include <rfb/LogWriter.h>
35#include <rfb/Exception.h>
36#include <rdr/TLSInStream.h>
37#include <rdr/TLSOutStream.h>
38
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]39#define DH_BITS 1024 /* XXX This should be configurable! */
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]40
41using namespace rfb;
42
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]43StringParameter SSecurityTLS::X509_CertFile
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]44("X509Cert", "Path to the X509 certificate in PEM format", "", ConfServer);
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]45
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]46StringParameter SSecurityTLS::X509_KeyFile
Pierre Ossman3d2a84b2014-09-17 16:45:35 +0200[diff] [blame]47("X509Key", "Path to the key of the X509 certificate in PEM format", "", ConfServer);
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]48
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]49static LogWriter vlog("TLS");
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]50
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]51SSecurityTLS::SSecurityTLS(bool _anon) : session(0), dh_params(0),
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]52 anon_cred(0), cert_cred(0),
53 anon(_anon), fis(0), fos(0)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]54{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]55 certfile = X509_CertFile.getData();
56 keyfile = X509_KeyFile.getData();
Pierre Ossman8aa4bc52016-08-23 17:02:58 +0200[diff] [blame]57
58 if (gnutls_global_init() != GNUTLS_E_SUCCESS)
59 throw AuthFailureException("gnutls_global_init failed");
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]60}
61
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]62void SSecurityTLS::shutdown()
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]63{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]64 if (session) {
65 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {
66 /* FIXME: Treat as non-fatal error */
67 vlog.error("TLS session wasn't terminated gracefully");
68 }
69 }
70
71 if (dh_params) {
72 gnutls_dh_params_deinit(dh_params);
73 dh_params = 0;
74 }
75
76 if (anon_cred) {
77 gnutls_anon_free_server_credentials(anon_cred);
78 anon_cred = 0;
79 }
80
81 if (cert_cred) {
82 gnutls_certificate_free_credentials(cert_cred);
83 cert_cred = 0;
84 }
85
86 if (session) {
87 gnutls_deinit(session);
88 session = 0;
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]89 }
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]90}
91
92
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]93SSecurityTLS::~SSecurityTLS()
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]94{
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]95 shutdown();
96
97 if (fis)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]98 delete fis;
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]99 if (fos)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]100 delete fos;
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]101
102 delete[] keyfile;
103 delete[] certfile;
Pierre Ossman8aa4bc52016-08-23 17:02:58 +0200[diff] [blame]104
105 gnutls_global_deinit();
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]106}
107
Adam Tkac21b61a52010-07-21 09:19:00 +0000[diff] [blame]108bool SSecurityTLS::processMsg(SConnection *sc)
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]109{
110 rdr::InStream* is = sc->getInStream();
111 rdr::OutStream* os = sc->getOutStream();
112
113 vlog.debug("Process security message (session %p)", session);
114
115 if (!session) {
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]116 if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
117 throw AuthFailureException("gnutls_init failed");
118
119 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
120 throw AuthFailureException("gnutls_set_default_priority failed");
121
122 try {
123 setParams(session);
124 }
125 catch(...) {
126 os->writeU8(0);
127 throw;
128 }
129
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]130 os->writeU8(1);
131 os->flush();
132 }
133
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]134 rdr::TLSInStream *tlsis = new rdr::TLSInStream(is, session);
135 rdr::TLSOutStream *tlsos = new rdr::TLSOutStream(os, session);
136
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]137 int err;
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]138 err = gnutls_handshake(session);
139 if (err != GNUTLS_E_SUCCESS) {
140 delete tlsis;
141 delete tlsos;
142
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]143 if (!gnutls_error_is_fatal(err)) {
144 vlog.debug("Deferring completion of TLS handshake: %s", gnutls_strerror(err));
145 return false;
146 }
147 vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]148 shutdown();
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]149 throw AuthFailureException("TLS Handshake failed");
150 }
151
152 vlog.debug("Handshake completed");
153
Pierre Ossmanfe48cd42012-07-03 14:43:38 +0000[diff] [blame]154 sc->setStreams(fis = tlsis, fos = tlsos);
Adam Tkacdfe19cf2010-04-23 14:14:11 +0000[diff] [blame]155
156 return true;
157}
158
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]159void SSecurityTLS::setParams(gnutls_session_t session)
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]160{
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]161 static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]162
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]163 int ret;
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]164 char *prio;
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]165 const char *err;
166
Pierre Ossman27eb55e2015-01-29 13:31:06 +0100[diff] [blame]167 prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
168 strlen(kx_anon_priority) + 1);
169 if (prio == NULL)
170 throw AuthFailureException("Not enough memory for GnuTLS priority string");
171
172 strcpy(prio, Security::GnuTLSPriority);
173 if (anon)
174 strcat(prio, kx_anon_priority);
175
176 ret = gnutls_priority_set_direct(session, prio, &err);
177
178 free(prio);
179
Pierre Ossman88c24ed2015-01-29 13:12:22 +0100[diff] [blame]180 if (ret != GNUTLS_E_SUCCESS) {
181 if (ret == GNUTLS_E_INVALID_REQUEST)
182 vlog.error("GnuTLS priority syntax error at: %s", err);
183 throw AuthFailureException("gnutls_set_priority_direct failed");
184 }
Adam Tkacf39671d2010-07-21 09:10:54 +0000[diff] [blame]185
186 if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
187 throw AuthFailureException("gnutls_dh_params_init failed");
188
189 if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
190 throw AuthFailureException("gnutls_dh_params_generate2 failed");
191
192 if (anon) {
193 if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
194 throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
195
196 gnutls_anon_set_server_dh_params(anon_cred, dh_params);
197
198 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
199 != GNUTLS_E_SUCCESS)
200 throw AuthFailureException("gnutls_credentials_set failed");
201
202 vlog.debug("Anonymous session has been set");
203
204 } else {
205 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
206 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
207
208 gnutls_certificate_set_dh_params(cert_cred, dh_params);
209
210 if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,
211 GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
212 throw AuthFailureException("load of key failed");
213
214 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)
215 != GNUTLS_E_SUCCESS)
216 throw AuthFailureException("gnutls_credentials_set failed");
217
218 vlog.debug("X509 session has been set");
219
220 }
221
222}