Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 1 | /* Copyright (C) 2002-2005 RealVNC Ltd. All Rights Reserved. |
Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame] | 2 | * Copyright (C) 2010 TigerVNC Team |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 3 | * |
| 4 | * This is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU General Public License as published by |
| 6 | * the Free Software Foundation; either version 2 of the License, or |
| 7 | * (at your option) any later version. |
| 8 | * |
| 9 | * This software is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU General Public License |
| 15 | * along with this software; if not, write to the Free Software |
| 16 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
| 17 | * USA. |
| 18 | */ |
Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame] | 19 | |
| 20 | #ifdef HAVE_CONFIG_H |
| 21 | #include <config.h> |
| 22 | #endif |
| 23 | |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 24 | #include <assert.h> |
| 25 | #include <stdlib.h> |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 26 | #include <string.h> |
| 27 | #ifdef _WIN32 |
| 28 | #define strcasecmp _stricmp |
| 29 | #endif |
Adam Tkac | c210e8a | 2010-04-23 14:09:16 +0000 | [diff] [blame] | 30 | #include <rfb/CSecurityNone.h> |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 31 | #include <rfb/CSecurityStack.h> |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 32 | #include <rfb/CSecurityVeNCrypt.h> |
Adam Tkac | c210e8a | 2010-04-23 14:09:16 +0000 | [diff] [blame] | 33 | #include <rfb/CSecurityVncAuth.h> |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 34 | #include <rdr/Exception.h> |
| 35 | #include <rfb/LogWriter.h> |
Adam Tkac | b6eb399 | 2010-04-23 14:05:00 +0000 | [diff] [blame] | 36 | #include <rfb/Security.h> |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 37 | #include <rfb/SSecurityNone.h> |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 38 | #include <rfb/SSecurityStack.h> |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 39 | #include <rfb/SSecurityVncAuth.h> |
Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 40 | #include <rfb/SSecurityVeNCrypt.h> |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 41 | #ifdef HAVE_GNUTLS |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 42 | #include <rfb/CSecurityTLS.h> |
Adam Tkac | 21b61a5 | 2010-07-21 09:19:00 +0000 | [diff] [blame] | 43 | #include <rfb/SSecurityTLS.h> |
Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame] | 44 | #endif |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 45 | #include <rfb/util.h> |
| 46 | |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 47 | using namespace rdr; |
| 48 | using namespace rfb; |
| 49 | using namespace std; |
| 50 | |
| 51 | static LogWriter vlog("Security"); |
| 52 | |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 53 | UserPasswdGetter *CSecurity::upg = NULL; |
| 54 | |
Adam Tkac | fb99315 | 2010-08-12 14:17:28 +0000 | [diff] [blame^] | 55 | StringParameter Security::secTypesViewer |
Adam Tkac | a6578bf | 2010-04-23 14:07:41 +0000 | [diff] [blame] | 56 | ("SecurityTypes", |
| 57 | "Specify which security scheme to use (None, VncAuth)", |
Adam Tkac | fb99315 | 2010-08-12 14:17:28 +0000 | [diff] [blame^] | 58 | "VncAuth", ConfViewer); |
Adam Tkac | a6578bf | 2010-04-23 14:07:41 +0000 | [diff] [blame] | 59 | |
Adam Tkac | fb99315 | 2010-08-12 14:17:28 +0000 | [diff] [blame^] | 60 | StringParameter Security::secTypesServer |
| 61 | ("SecurityTypes", |
| 62 | "Specify which security scheme to use (None, VncAuth)", |
| 63 | "VncAuth", ConfServer); |
| 64 | |
| 65 | Security::Security(SecurityClassType secClassType) |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 66 | { |
Adam Tkac | fb99315 | 2010-08-12 14:17:28 +0000 | [diff] [blame^] | 67 | char *secTypesStr; |
| 68 | |
| 69 | switch (secClassType) { |
| 70 | case SecurityViewer: |
| 71 | secTypesStr = secTypesViewer.getData(); |
| 72 | break; |
| 73 | case SecurityServer: |
| 74 | secTypesStr = secTypesServer.getData(); |
| 75 | break; |
| 76 | }; |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 77 | |
| 78 | enabledSecTypes = parseSecTypes(secTypesStr); |
| 79 | |
| 80 | delete secTypesStr; |
| 81 | } |
| 82 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 83 | const std::list<rdr::U8> Security::GetEnabledSecTypes(void) |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 84 | { |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 85 | list<rdr::U8> result; |
| 86 | list<U32>::iterator i; |
| 87 | |
| 88 | for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++) |
| 89 | if (*i < 0x100) |
| 90 | result.push_back(*i); |
| 91 | |
| 92 | return result; |
| 93 | } |
| 94 | |
| 95 | const std::list<rdr::U32> Security::GetEnabledExtSecTypes(void) |
| 96 | { |
| 97 | list<rdr::U32> result; |
| 98 | list<U32>::iterator i; |
| 99 | |
| 100 | for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++) |
Adam Tkac | 95e2fe8 | 2010-08-12 13:54:59 +0000 | [diff] [blame] | 101 | if (*i != secTypeVeNCrypt) /* Do not include VeNCrypt type to avoid loops */ |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 102 | result.push_back(*i); |
| 103 | |
| 104 | return result; |
| 105 | } |
| 106 | |
| 107 | void Security::EnableSecType(U32 secType) |
| 108 | { |
| 109 | list<U32>::iterator i; |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 110 | |
| 111 | for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++) |
| 112 | if (*i == secType) |
| 113 | return; |
| 114 | |
| 115 | enabledSecTypes.push_back(secType); |
| 116 | } |
| 117 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 118 | bool Security::IsSupported(U32 secType) |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 119 | { |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 120 | list<U32>::iterator i; |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 121 | |
| 122 | for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++) |
| 123 | if (*i == secType) |
| 124 | return true; |
| 125 | |
| 126 | return false; |
| 127 | } |
| 128 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 129 | SSecurity* Security::GetSSecurity(U32 secType) |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 130 | { |
| 131 | if (!IsSupported(secType)) |
| 132 | goto bail; |
| 133 | |
| 134 | switch (secType) { |
| 135 | case secTypeNone: return new SSecurityNone(); |
| 136 | case secTypeVncAuth: return new SSecurityVncAuth(); |
Adam Tkac | a032593 | 2010-07-20 15:14:08 +0000 | [diff] [blame] | 137 | case secTypeVeNCrypt: return new SSecurityVeNCrypt(this); |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 138 | #ifdef HAVE_GNUTLS |
| 139 | case secTypeTLSNone: |
Adam Tkac | 21b61a5 | 2010-07-21 09:19:00 +0000 | [diff] [blame] | 140 | return new SSecurityStack(secTypeTLSNone, new SSecurityTLS(true)); |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 141 | case secTypeTLSVnc: |
Adam Tkac | 21b61a5 | 2010-07-21 09:19:00 +0000 | [diff] [blame] | 142 | return new SSecurityStack(secTypeTLSVnc, new SSecurityTLS(true), new SSecurityVncAuth()); |
Adam Tkac | 5bf73fb | 2010-07-21 09:08:24 +0000 | [diff] [blame] | 143 | case secTypeX509None: |
Adam Tkac | 21b61a5 | 2010-07-21 09:19:00 +0000 | [diff] [blame] | 144 | return new SSecurityStack(secTypeX509None, new SSecurityTLS(false)); |
Adam Tkac | 5bf73fb | 2010-07-21 09:08:24 +0000 | [diff] [blame] | 145 | case secTypeX509Vnc: |
Adam Tkac | 21b61a5 | 2010-07-21 09:19:00 +0000 | [diff] [blame] | 146 | return new SSecurityStack(secTypeX509None, new SSecurityTLS(false), new SSecurityVncAuth()); |
Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame] | 147 | #endif |
Adam Tkac | c210e8a | 2010-04-23 14:09:16 +0000 | [diff] [blame] | 148 | } |
| 149 | |
| 150 | bail: |
| 151 | throw Exception("Security type not supported"); |
| 152 | } |
| 153 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 154 | CSecurity* Security::GetCSecurity(U32 secType) |
Adam Tkac | c210e8a | 2010-04-23 14:09:16 +0000 | [diff] [blame] | 155 | { |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 156 | assert (CSecurity::upg != NULL); /* (upg == NULL) means bug in the viewer */ |
Adam Tkac | c210e8a | 2010-04-23 14:09:16 +0000 | [diff] [blame] | 157 | |
| 158 | if (!IsSupported(secType)) |
| 159 | goto bail; |
| 160 | |
| 161 | switch (secType) { |
| 162 | case secTypeNone: return new CSecurityNone(); |
Adam Tkac | b10489b | 2010-04-23 14:16:04 +0000 | [diff] [blame] | 163 | case secTypeVncAuth: return new CSecurityVncAuth(); |
Adam Tkac | a032593 | 2010-07-20 15:14:08 +0000 | [diff] [blame] | 164 | case secTypeVeNCrypt: return new CSecurityVeNCrypt(this); |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 165 | #ifdef HAVE_GNUTLS |
| 166 | case secTypeTLSNone: |
| 167 | return new CSecurityStack(secTypeTLSNone, "TLS with no password", |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 168 | new CSecurityTLS(true)); |
Adam Tkac | 707d361 | 2010-07-20 15:16:10 +0000 | [diff] [blame] | 169 | case secTypeTLSVnc: |
| 170 | return new CSecurityStack(secTypeTLSVnc, "TLS with VNCAuth", |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 171 | new CSecurityTLS(true), new CSecurityVncAuth()); |
Adam Tkac | f5f6a00 | 2010-07-21 09:09:19 +0000 | [diff] [blame] | 172 | case secTypeX509None: |
| 173 | return new CSecurityStack(secTypeX509None, "X509 with no password", |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 174 | new CSecurityTLS(false)); |
Adam Tkac | f5f6a00 | 2010-07-21 09:09:19 +0000 | [diff] [blame] | 175 | case secTypeX509Vnc: |
| 176 | return new CSecurityStack(secTypeX509None, "X509 with VNCAuth", |
Adam Tkac | 3c5be39 | 2010-07-21 09:27:34 +0000 | [diff] [blame] | 177 | new CSecurityTLS(false), new CSecurityVncAuth()); |
Adam Tkac | df79970 | 2010-04-28 15:45:53 +0000 | [diff] [blame] | 178 | #endif |
Adam Tkac | 1d15e2d | 2010-04-23 14:06:38 +0000 | [diff] [blame] | 179 | } |
| 180 | |
| 181 | bail: |
| 182 | throw Exception("Security type not supported"); |
| 183 | } |
| 184 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 185 | rdr::U32 rfb::secTypeNum(const char* name) |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 186 | { |
| 187 | if (strcasecmp(name, "None") == 0) return secTypeNone; |
| 188 | if (strcasecmp(name, "VncAuth") == 0) return secTypeVncAuth; |
| 189 | if (strcasecmp(name, "Tight") == 0) return secTypeTight; |
| 190 | if (strcasecmp(name, "RA2") == 0) return secTypeRA2; |
| 191 | if (strcasecmp(name, "RA2ne") == 0) return secTypeRA2ne; |
| 192 | if (strcasecmp(name, "SSPI") == 0) return secTypeSSPI; |
Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 193 | if (strcasecmp(name, "SSPIne") == 0) return secTypeSSPIne; |
| 194 | if (strcasecmp(name, "VeNCrypt") == 0) return secTypeVeNCrypt; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 195 | |
| 196 | /* VeNCrypt subtypes */ |
Adam Tkac | 957a5ae | 2010-07-20 15:12:41 +0000 | [diff] [blame] | 197 | if (strcasecmp(name, "Plain") == 0) return secTypePlain; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 198 | if (strcasecmp(name, "TLSNone") == 0) return secTypeTLSNone; |
| 199 | if (strcasecmp(name, "TLSVnc") == 0) return secTypeTLSVnc; |
Adam Tkac | 957a5ae | 2010-07-20 15:12:41 +0000 | [diff] [blame] | 200 | if (strcasecmp(name, "TLSPlain") == 0) return secTypeTLSPlain; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 201 | if (strcasecmp(name, "X509None") == 0) return secTypeX509None; |
| 202 | if (strcasecmp(name, "X509Vnc") == 0) return secTypeX509Vnc; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 203 | if (strcasecmp(name, "X509Plain") == 0) return secTypeX509Plain; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 204 | |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 205 | return secTypeInvalid; |
| 206 | } |
| 207 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 208 | const char* rfb::secTypeName(rdr::U32 num) |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 209 | { |
| 210 | switch (num) { |
| 211 | case secTypeNone: return "None"; |
| 212 | case secTypeVncAuth: return "VncAuth"; |
| 213 | case secTypeTight: return "Tight"; |
| 214 | case secTypeRA2: return "RA2"; |
| 215 | case secTypeRA2ne: return "RA2ne"; |
| 216 | case secTypeSSPI: return "SSPI"; |
| 217 | case secTypeSSPIne: return "SSPIne"; |
Adam Tkac | dfe19cf | 2010-04-23 14:14:11 +0000 | [diff] [blame] | 218 | case secTypeVeNCrypt: return "VeNCrypt"; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 219 | |
| 220 | /* VeNCrypt subtypes */ |
Adam Tkac | 957a5ae | 2010-07-20 15:12:41 +0000 | [diff] [blame] | 221 | case secTypePlain: return "Plain"; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 222 | case secTypeTLSNone: return "TLSNone"; |
| 223 | case secTypeTLSVnc: return "TLSVnc"; |
Adam Tkac | b3e60c6 | 2010-07-20 15:10:59 +0000 | [diff] [blame] | 224 | case secTypeTLSPlain: return "TLSPlain"; |
| 225 | case secTypeX509None: return "X509None"; |
| 226 | case secTypeX509Vnc: return "X509Vnc"; |
| 227 | case secTypeX509Plain: return "X509Plain"; |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 228 | default: return "[unknown secType]"; |
| 229 | } |
| 230 | } |
| 231 | |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 232 | std::list<rdr::U32> rfb::parseSecTypes(const char* types_) |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 233 | { |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 234 | std::list<rdr::U32> result; |
Adam Tkac | d36b626 | 2009-09-04 10:57:20 +0000 | [diff] [blame] | 235 | CharArray types(strDup(types_)), type; |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 236 | while (types.buf) { |
| 237 | strSplit(types.buf, ',', &type.buf, &types.buf); |
Adam Tkac | 0c77e51 | 2010-07-20 15:10:16 +0000 | [diff] [blame] | 238 | rdr::U32 typeNum = secTypeNum(type.buf); |
Constantin Kaplinsky | a2adc8d | 2006-05-25 05:01:55 +0000 | [diff] [blame] | 239 | if (typeNum != secTypeInvalid) |
| 240 | result.push_back(typeNum); |
| 241 | } |
| 242 | return result; |
| 243 | } |