Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / ff1e1ff941a103a54a0d16682b4cadcc08e7642c / . / common / rfb / CSecurityTLS.cxx
blob: 8f4910d2fd7c8d9492f82661f3abc959caaa46ae [file] [log] [blame]
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame^]1/*
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]2 * Copyright (C) 2004 Red Hat Inc.
3 * Copyright (C) 2005 Martin Koegler
4 * Copyright (C) 2010 TigerVNC Team
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]5 * Copyright (C) 2010 m-privacy GmbH
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]6 *
7 * This is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this software; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
20 * USA.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include <config.h>
25#endif
26
Adam Tkac43958232010-07-21 09:06:59 +0000[diff] [blame]27#ifndef HAVE_GNUTLS
28#error "This header should not be compiled without HAVE_GNUTLS defined"
29#endif
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]30
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame^]31#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x020708)
32#define GNUTLS_CERT_NOT_ACTIVATED 512
33#define GNUTLS_CERT_EXPIRED 1024
34#endif
35
36#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x020301)
37#define GNUTLS_CRT_PRINT_ONELINE 1
38#endif
39
40
41
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]42#include <stdlib.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]43#ifndef WIN32
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]44#include <unistd.h>
Adam Tkacc4674db2011-01-19 14:11:16 +0000[diff] [blame]45#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]46
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]47#include <rfb/CSecurityTLS.h>
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]48#include <rfb/SSecurityVeNCrypt.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]49#include <rfb/CConnection.h>
50#include <rfb/LogWriter.h>
51#include <rfb/Exception.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]52#include <rfb/UserMsgBox.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]53#include <rdr/TLSInStream.h>
54#include <rdr/TLSOutStream.h>
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]55#include <os/os.h>
Adam Tkac179d2b12011-01-19 14:15:14 +0000[diff] [blame]56#include <os/print.h>
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]57
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]58#include <gnutls/x509.h>
59
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]60#define TLS_DEBUG
61
62using namespace rfb;
63
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]64StringParameter CSecurityTLS::x509ca("x509ca", "X509 CA certificate", "", ConfViewer);
65StringParameter CSecurityTLS::x509crl("x509crl", "X509 CRL file", "", ConfViewer);
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]66
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]67static LogWriter vlog("TLS");
68
69#ifdef TLS_DEBUG
70static void debug_log(int level, const char* str)
71{
72 vlog.debug(str);
73}
74#endif
75
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]76void CSecurityTLS::initGlobal()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]77{
78 static bool globalInitDone = false;
79
80 if (!globalInitDone) {
81 gnutls_global_init();
82
83#ifdef TLS_DEBUG
84 gnutls_global_set_log_level(10);
85 gnutls_global_set_log_function(debug_log);
86#endif
87
88 globalInitDone = true;
89 }
90}
91
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]92CSecurityTLS::CSecurityTLS(bool _anon) : session(0), anon_cred(0),
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]93 anon(_anon), fis(0), fos(0)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]94{
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]95 cafile = x509ca.getData();
96 crlfile = x509crl.getData();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]97}
98
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]99void CSecurityTLS::setDefaults()
100{
101 char* homeDir = NULL;
102
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]103 if (getvnchomedir(&homeDir) == -1) {
104 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]105 return;
106 }
107
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]108 int len = strlen(homeDir) + 1;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]109 CharArray caDefault(len + 11);
110 CharArray crlDefault(len + 12);
111 sprintf(caDefault.buf, "%sx509_ca.pem", homeDir);
112 sprintf(crlDefault.buf, "%s509_crl.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]113 delete [] homeDir;
114
Adam Tkacf16a4212011-02-07 10:47:07 +0000[diff] [blame]115 if (!fileexists(caDefault.buf))
116 x509ca.setDefaultStr(strdup(caDefault.buf));
117 if (!fileexists(crlDefault.buf))
118 x509crl.setDefaultStr(strdup(crlDefault.buf));
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]119}
120
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]121void CSecurityTLS::shutdown()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]122{
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]123 if (session)
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]124 if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS)
125 throw Exception("gnutls_bye failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]126
127 if (anon_cred) {
128 gnutls_anon_free_client_credentials(anon_cred);
129 anon_cred = 0;
130 }
131
132 if (cert_cred) {
133 gnutls_certificate_free_credentials(cert_cred);
134 cert_cred = 0;
135 }
136
137 if (session) {
138 gnutls_deinit(session);
139 session = 0;
140
141 gnutls_global_deinit();
142 }
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]143}
144
145
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]146CSecurityTLS::~CSecurityTLS()
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]147{
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]148 shutdown();
149
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]150 if (fis)
151 delete fis;
152 if (fos)
153 delete fos;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]154
155 delete[] cafile;
156 delete[] crlfile;
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]157}
158
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]159bool CSecurityTLS::processMsg(CConnection* cc)
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]160{
161 rdr::InStream* is = cc->getInStream();
162 rdr::OutStream* os = cc->getOutStream();
163 client = cc;
164
165 initGlobal();
166
167 if (!session) {
168 if (!is->checkNoWait(1))
169 return false;
170
171 if (is->readU8() == 0)
172 return true;
173
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]174 if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
175 throw AuthFailureException("gnutls_init failed");
176
177 if (gnutls_set_default_priority(session) != GNUTLS_E_SUCCESS)
178 throw AuthFailureException("gnutls_set_default_priority failed");
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]179
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]180 setParam();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]181
182 gnutls_transport_set_pull_function(session, rdr::gnutls_InStream_pull);
183 gnutls_transport_set_push_function(session, rdr::gnutls_OutStream_push);
184 gnutls_transport_set_ptr2(session,
185 (gnutls_transport_ptr) is,
186 (gnutls_transport_ptr) os);
187 }
188
189 int err;
190 err = gnutls_handshake(session);
191 if (err != GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(err))
192 return false;
193
194 if (err != GNUTLS_E_SUCCESS) {
195 vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err));
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]196 shutdown();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]197 throw AuthFailureException("TLS Handshake failed");
198 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]199
200 checkSession();
Adam Tkacb10489b2010-04-23 14:16:04 +0000[diff] [blame]201
202 cc->setStreams(fis = new rdr::TLSInStream(is, session),
203 fos = new rdr::TLSOutStream(os, session));
204
205 return true;
206}
207
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]208void CSecurityTLS::setParam()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]209{
210 static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
211 static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
212 GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
213
214 if (anon) {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]215 if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
216 throw AuthFailureException("gnutls_kx_set_priority failed");
217
218 if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
219 throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
220
221 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS)
222 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]223
224 vlog.debug("Anonymous session has been set");
225 } else {
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]226 if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
227 throw AuthFailureException("gnutls_kx_set_priority failed");
228
229 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
230 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]231
232 if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0)
233 throw AuthFailureException("load of CA cert failed");
234
235 if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0)
236 throw AuthFailureException("load of CRL failed");
237
Adam Tkac6948ead2010-08-11 15:58:59 +0000[diff] [blame]238 if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) != GNUTLS_E_SUCCESS)
239 throw AuthFailureException("gnutls_credentials_set failed");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]240
241 vlog.debug("X509 session has been set");
242 }
243}
244
Adam Tkac3c5be392010-07-21 09:27:34 +0000[diff] [blame]245void CSecurityTLS::checkSession()
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]246{
247 int status;
248 const gnutls_datum *cert_list;
249 unsigned int cert_list_size = 0;
250 unsigned int i;
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame^]251 gnutls_datum info;
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]252
253 if (anon)
254 return;
255
256 if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
257 throw AuthFailureException("unsupported certificate type");
258
259 cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
260 if (!cert_list_size)
261 throw AuthFailureException("unsupported certificate type");
262
263 status = gnutls_certificate_verify_peers(session);
264 if (status == GNUTLS_E_NO_CERTIFICATE_FOUND)
265 throw AuthFailureException("no certificate sent");
266
267 if (status < 0) {
268 vlog.error("X509 verify failed: %s\n", gnutls_strerror (status));
269 throw AuthFailureException("certificate verification failed");
270 }
271
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]272 if (status & GNUTLS_CERT_REVOKED) {
273 throw AuthFailureException("certificate has been revoked");
274 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]275
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]276 if (status & GNUTLS_CERT_NOT_ACTIVATED) {
277 throw AuthFailureException("certificate has not been activated");
278 }
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]279
280 for (i = 0; i < cert_list_size; i++) {
281 gnutls_x509_crt crt;
282 gnutls_x509_crt_init(&crt);
283
284 if (gnutls_x509_crt_import(crt, &cert_list[i],GNUTLS_X509_FMT_DER) < 0)
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]285 throw AuthFailureException("decoding of certificate failed");
286
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame^]287 #if defined(GNUTLS_VERSION_NUMBER) && (GNUTLS_VERSION_NUMBER >= 0x010706)
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]288 if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) {
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]289 /*
290 * GNUTLS doesn't correctly export gnutls_free symbol which is
291 * a function pointer. Linking with Visual Studio 2008 Express will
292 * fail when you call gnutls_free().
293 */
294#if WIN32
295 free(info.data);
296#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]297 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]298#endif
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]299 throw AuthFailureException("Could not find certificate to display");
300 }
DRCff1e1ff2011-02-08 23:43:55 +0000[diff] [blame^]301 #endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]302
303 if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]304 char buf[255];
305 sprintf(buf, "Hostname (%s) does not match any certificate, do you want to continue?", client->getServerName());
306 vlog.debug("hostname mismatch");
307 if(!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf))
308 throw AuthFailureException("hostname mismatch");
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]309 }
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]310
311 if (status & GNUTLS_CERT_EXPIRED) {
312 vlog.debug("certificate has expired");
313 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certficate has expired", "The certificate of the server has expired, do you want to continue?"))
314 throw AuthFailureException("certificate has expired");
315 }
316
317 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
318 size_t out_size;
319 char *homeDir = NULL;
320 char *out_buf = NULL;
321 char *certinfo = NULL;
322 int len = 0;
323
324 vlog.debug("certificate issuer unknown");
325
326 len = snprintf(NULL, 0, "This certificate has been signed by an unknown authority:\n\n%s\n\nDo you want to save it and continue?\n ", info.data);
327 if (len < 0)
328 AuthFailureException("certificate decoding error");
329
330 vlog.debug("%s", info.data);
331
332 certinfo = new char[len];
333 if (certinfo == NULL)
334 throw AuthFailureException("Out of memory");
335
336 snprintf(certinfo, len, "This certificate has been signed by an unknown authority:\n\n%s\n\nDo you want to save it and continue? ", info.data);
337
338 for (int i = 0; i < len - 1; i++)
339 if (certinfo[i] == ',' && certinfo[i + 1] == ' ')
340 certinfo[i] = '\n';
341
342 if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown",
343 certinfo)) {
344 delete [] certinfo;
345 throw AuthFailureException("certificate issuer unknown");
346 }
347 delete [] certinfo;
348
349 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
350 == GNUTLS_E_SHORT_MEMORY_BUFFER)
351 AuthFailureException("Out of memory");
352
353 // Save cert
354 out_buf = new char[out_size];
355 if (out_buf == NULL)
356 AuthFailureException("Out of memory");
357
358 if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size)
359 < 0)
360 AuthFailureException("certificate issuer unknown, and certificate "
361 "export failed");
Adam Tkacaf081722011-02-07 10:45:15 +0000[diff] [blame]362
363 if (getvnchomedir(&homeDir) == -1)
364 vlog.error("Could not obtain VNC home directory path");
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]365 else {
366 FILE *f;
Adam Tkac437b0c22011-02-07 10:46:16 +0000[diff] [blame]367 CharArray caSave(strlen(homeDir) + 1 + 19);
368 sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]369 delete [] homeDir;
370 f = fopen(caSave.buf, "a+");
371 if (!f)
372 msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed",
373 "Could not save the certificate");
374 else {
375 fprintf(f, "%s\n", out_buf);
376 fclose(f);
377 }
378 }
379 delete [] out_buf;
380 } else if (status & GNUTLS_CERT_INVALID)
381 throw AuthFailureException("certificate not trusted");
382
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]383 gnutls_x509_crt_deinit(crt);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]384 /*
385 * GNUTLS doesn't correctly export gnutls_free symbol which is
386 * a function pointer. Linking with Visual Studio 2008 Express will
387 * fail when you call gnutls_free().
388 */
389#if WIN32
390 free(info.data);
391#else
Adam Tkac27b2f772010-11-18 13:33:57 +0000[diff] [blame]392 gnutls_free(info.data);
Adam Tkac5d4c6ac2011-01-19 14:06:48 +0000[diff] [blame]393#endif
Adam Tkac0e61c342010-07-21 09:23:25 +0000[diff] [blame]394 }
395}
396