| Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 1 | /*
|
| 2 | * Copyright (C) 2005-2006 Martin Koegler
|
| 3 | * Copyright (C) 2006 OCCAM Financial Technology
|
| 4 | * Copyright (C) 2010 TigerVNC Team
|
| 5 | *
|
| 6 | * This is free software; you can redistribute it and/or modify
|
| 7 | * it under the terms of the GNU General Public License as published by
|
| 8 | * the Free Software Foundation; either version 2 of the License, or
|
| 9 | * (at your option) any later version.
|
| 10 | *
|
| 11 | * This software is distributed in the hope that it will be useful,
|
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
| 14 | * GNU General Public License for more details.
|
| 15 | *
|
| 16 | * You should have received a copy of the GNU General Public License
|
| 17 | * along with this software; if not, write to the Free Software
|
| 18 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
| 19 | * USA.
|
| 20 | */
|
| 21 | /*
|
| 22 | * SSecurityVeNCrypt
|
| 23 | */
|
| 24 |
|
| 25 | #ifdef HAVE_CONFIG_H
|
| 26 | #include <config.h>
|
| 27 | #endif
|
| 28 |
|
| Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame^] | 29 | #ifndef HAVE_GNUTLS
|
| 30 | #error "This source should not be compiled without HAVE_GNUTLS defined"
|
| 31 | #endif
|
| 32 |
|
| Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 33 | #include <rfb/SSecurityVeNCrypt.h>
|
| 34 | #include <rfb/Exception.h>
|
| 35 | #include <rfb/LogWriter.h>
|
| 36 | #include <rdr/InStream.h>
|
| 37 | #include <rdr/OutStream.h>
|
| 38 | #include <rfb/SSecurityVncAuth.h>
|
| 39 | #include <rfb/SSecurityTLS.h>
|
| 40 |
|
| 41 | using namespace rfb;
|
| 42 | using namespace rdr;
|
| 43 | using namespace std;
|
| 44 |
|
| 45 | static LogWriter vlog("SVeNCrypt");
|
| 46 |
|
| 47 | StringParameter SSecurityVeNCrypt::X509_CertFile
|
| 48 | ("x509cert",
|
| 49 | "specifies path to the x509 certificate in PEM format",
|
| 50 | "", ConfServer);
|
| 51 |
|
| 52 | StringParameter SSecurityVeNCrypt::X509_KeyFile
|
| 53 | ("x509key",
|
| 54 | "specifies path to the key of the x509 certificate in PEM format",
|
| 55 | "", ConfServer);
|
| 56 |
|
| 57 | StringParameter SSecurityVeNCrypt::secTypesStr
|
| 58 | ("VeNCryptTypes",
|
| 59 | "Specify which security scheme to use for VeNCrypt connections (TLSNone, "
|
| 60 | "TLSVnc, TLSPlain, X509None, X509Vnc, X509Plain)",
|
| Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 61 | "TLSVnc,TLSPlain,X509Vnc,X509Plain");
|
| Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 62 |
|
| 63 | SSecurityVeNCrypt::SSecurityVeNCrypt(void)
|
| 64 | {
|
| 65 | ssecurityStack = NULL;
|
| 66 | haveSentVersion = false;
|
| 67 | haveRecvdMajorVersion = false;
|
| 68 | haveRecvdMinorVersion = false;
|
| 69 | majorVersion = 0;
|
| 70 | minorVersion = 0;
|
| 71 | haveSentTypes = false;
|
| 72 | haveChosenType = false;
|
| 73 | chosenType = secTypeVeNCrypt;
|
| 74 | numTypes = 0;
|
| 75 | subTypes = NULL;
|
| 76 | }
|
| 77 |
|
| 78 | SSecurityVeNCrypt::~SSecurityVeNCrypt()
|
| 79 | {
|
| 80 | if (subTypes) {
|
| 81 | delete [] subTypes;
|
| 82 | subTypes = NULL;
|
| 83 | }
|
| 84 | }
|
| 85 |
|
| 86 | bool SSecurityVeNCrypt::processMsg(SConnection* sc)
|
| 87 | {
|
| 88 | rdr::InStream* is = sc->getInStream();
|
| 89 | rdr::OutStream* os = sc->getOutStream();
|
| 90 | rdr::U8 i;
|
| 91 |
|
| 92 | /* VeNCrypt initialization */
|
| 93 |
|
| 94 | /* Send the highest version we can support */
|
| 95 | if (!haveSentVersion) {
|
| 96 | os->writeU8(0);
|
| 97 | os->writeU8(2);
|
| 98 | haveSentVersion = true;
|
| 99 | os->flush();
|
| 100 |
|
| 101 | return false;
|
| 102 | }
|
| 103 |
|
| 104 | /* Receive back highest version that client can support (up to and including ours) */
|
| 105 | if (!haveRecvdMajorVersion) {
|
| 106 | majorVersion = is->readU8();
|
| 107 | haveRecvdMajorVersion = true;
|
| 108 |
|
| 109 | return false;
|
| 110 | }
|
| 111 |
|
| 112 | if (!haveRecvdMinorVersion) {
|
| 113 | minorVersion = is->readU8();
|
| 114 | haveRecvdMinorVersion = true;
|
| 115 |
|
| 116 | /* WORD value with major version in upper 8 bits and minor version in lower 8 bits */
|
| 117 | U16 Version = (((U16)majorVersion) << 8) | ((U16)minorVersion);
|
| 118 |
|
| 119 | switch (Version) {
|
| 120 | case 0x0000: /* 0.0 - The client cannot support us! */
|
| 121 | case 0x0001: /* 0.1 Legacy VeNCrypt, not supported */
|
| 122 | os->writeU8(0xFF); /* This is not OK */
|
| 123 | os->flush();
|
| 124 | throw AuthFailureException("The client cannot support the server's "
|
| 125 | "VeNCrypt version");
|
| 126 |
|
| 127 | case 0x0002: /* 0.2 */
|
| 128 | os->writeU8(0); /* OK */
|
| 129 | break;
|
| 130 |
|
| 131 | default:
|
| 132 | os->writeU8(0xFF); /* Not OK */
|
| 133 | os->flush();
|
| 134 | throw AuthFailureException("The client returned an unsupported VeNCrypt version");
|
| 135 | }
|
| 136 | }
|
| 137 |
|
| 138 | /*
|
| 139 | * send number of supported VeNCrypt authentication types (U8) followed
|
| 140 | * by authentication types (U32s)
|
| 141 | */
|
| 142 | if (!haveSentTypes) {
|
| 143 | list<U32> listSubTypes;
|
| 144 | SSecurityVeNCrypt::getSecTypes(&listSubTypes);
|
| 145 |
|
| 146 | numTypes = listSubTypes.size();
|
| 147 | subTypes = new U32[numTypes];
|
| 148 |
|
| 149 | for (i = 0; i < numTypes; i++) {
|
| 150 | subTypes[i] = listSubTypes.front();
|
| 151 | listSubTypes.pop_front();
|
| 152 | }
|
| 153 |
|
| 154 | if (numTypes) {
|
| 155 | os->writeU8(numTypes);
|
| 156 | for (i = 0; i < numTypes; i++)
|
| 157 | os->writeU32(subTypes[i]);
|
| 158 |
|
| 159 | os->flush();
|
| 160 | haveSentTypes = true;
|
| 161 | return false;
|
| 162 | } else
|
| 163 | throw AuthFailureException("There are no VeNCrypt sub-types to send to the client");
|
| 164 | }
|
| 165 |
|
| 166 | /* get type back from client (must be one of the ones we sent) */
|
| 167 | if (!haveChosenType) {
|
| 168 | is->check(4);
|
| 169 | chosenType = is->readU32();
|
| 170 |
|
| 171 | for (i = 0; i < numTypes; i++) {
|
| 172 | if (chosenType == subTypes[i]) {
|
| 173 | haveChosenType = true;
|
| 174 | break;
|
| 175 | }
|
| 176 | }
|
| 177 |
|
| 178 | if (!haveChosenType)
|
| 179 | chosenType = secTypeInvalid;
|
| 180 |
|
| 181 | /* Set up the stack according to the chosen type */
|
| 182 | switch(chosenType) {
|
| 183 | case secTypeTLSNone:
|
| 184 | case secTypeTLSVnc:
|
| 185 | case secTypeTLSPlain:
|
| 186 | case secTypeX509None:
|
| 187 | case secTypeX509Vnc:
|
| 188 | case secTypeX509Plain:
|
| 189 | ssecurityStack = SSecurityVeNCrypt::getSSecurityStack(chosenType);
|
| 190 | break;
|
| 191 | case secTypeInvalid:
|
| 192 | case secTypeVeNCrypt: /* This would cause looping */
|
| 193 | default:
|
| 194 | throw AuthFailureException("No valid VeNCrypt sub-type");
|
| 195 | }
|
| 196 |
|
| 197 | }
|
| 198 |
|
| 199 | /* continue processing the messages */
|
| 200 | return ssecurityStack->processMsg(sc);
|
| 201 | }
|
| 202 |
|
| 203 | SSecurityStack* SSecurityVeNCrypt::getSSecurityStack(int secType)
|
| 204 | {
|
| 205 | switch (secType) {
|
| 206 | case secTypeTLSNone:
|
| 207 | return new SSecurityStack(secTypeTLSNone, new SSecurityTLS());
|
| 208 | case secTypeTLSVnc:
|
| 209 | return new SSecurityStack(secTypeTLSVnc, new SSecurityTLS(), new SSecurityVncAuth());
|
| 210 | #if 0
|
| 211 | /* Following types are not implemented, yet */
|
| 212 | case secTypeTLSPlain:
|
| 213 | case secTypeX509None:
|
| 214 | case secTypeX509Vnc:
|
| 215 | case secTypeX509Plain:
|
| 216 | #endif
|
| 217 | default:
|
| 218 | throw Exception("Bug in the SSecurityVeNCrypt::getSSecurityStack");
|
| 219 | }
|
| 220 | }
|
| 221 |
|
| 222 | void SSecurityVeNCrypt::getSecTypes(list<U32>* secTypes)
|
| 223 | {
|
| 224 | CharArray types;
|
| 225 |
|
| 226 | types.buf = SSecurityVeNCrypt::secTypesStr.getData();
|
| 227 | list<U32> configured = SSecurityVeNCrypt::parseSecTypes(types.buf);
|
| 228 | list<U32>::iterator i;
|
| 229 | for (i = configured.begin(); i != configured.end(); i++)
|
| 230 | secTypes->push_back(*i);
|
| 231 | }
|
| 232 |
|
| 233 | U32 SSecurityVeNCrypt::secTypeNum(const char *name)
|
| 234 | {
|
| 235 | if (strcasecmp(name, "TLSNone") == 0)
|
| 236 | return secTypeTLSNone;
|
| 237 | if (strcasecmp(name, "TLSVnc") == 0)
|
| 238 | return secTypeTLSVnc;
|
| 239 | if (strcasecmp(name, "TLSPlain") == 0)
|
| 240 | return secTypeTLSPlain;
|
| 241 | if (strcasecmp(name, "X509None") == 0)
|
| 242 | return secTypeX509None;
|
| 243 | if (strcasecmp(name, "X509Vnc") == 0)
|
| 244 | return secTypeX509Vnc;
|
| 245 | if (strcasecmp(name, "X509Plain") == 0)
|
| 246 | return secTypeX509Plain;
|
| 247 |
|
| 248 | return secTypeInvalid;
|
| 249 | }
|
| 250 |
|
| 251 | char* SSecurityVeNCrypt::secTypeName(U32 num)
|
| 252 | {
|
| 253 | switch (num) {
|
| 254 | case secTypePlain:
|
| 255 | return "Plain";
|
| 256 | case secTypeTLSNone:
|
| 257 | return "TLSNone";
|
| 258 | case secTypeTLSVnc:
|
| 259 | return "TLSVnc";
|
| 260 | case secTypeTLSPlain:
|
| 261 | return "TLSPlain";
|
| 262 | case secTypeX509None:
|
| 263 | return "X509None";
|
| 264 | case secTypeX509Vnc:
|
| 265 | return "X509Vnc";
|
| 266 | case secTypeX509Plain:
|
| 267 | return "X509Plain";
|
| 268 | default:
|
| 269 | return "[unknown secType]";
|
| 270 | }
|
| 271 | }
|
| 272 |
|
| 273 | list<U32> SSecurityVeNCrypt::parseSecTypes(const char *secTypes)
|
| 274 | {
|
| 275 | list<U32> result;
|
| 276 | CharArray types(strDup(secTypes)), type;
|
| 277 | while (types.buf) {
|
| 278 | strSplit(types.buf, ',', &type.buf, &types.buf);
|
| 279 | int typeNum = SSecurityVeNCrypt::secTypeNum(type.buf);
|
| 280 | if (typeNum != secTypeInvalid)
|
| 281 | result.push_back(typeNum);
|
| 282 | }
|
| 283 | return result;
|
| 284 | }
|
| 285 |
|
| 286 |
|