static rfbBool
HandshakeTLS(rfbClient* client)
{
int timeout = 15;
int ret;
while (timeout > 0 && (ret = gnutls_handshake((gnutls_session_t)client->tlsSession)) < 0)
{
if (!gnutls_error_is_fatal(ret))
{
rfbClientLog("TLS handshake blocking.\n");
sleep(1);
timeout--;
continue;
}
rfbClientLog("TLS handshake failed: %s.\n", gnutls_strerror(ret));
FreeTLS(client);
return FALSE;
}
if (timeout <= 0)
{
rfbClientLog("TLS handshake timeout.\n");
FreeTLS(client);
return FALSE;
}
rfbClientLog("TLS handshake done.\n");
return TRUE;
}
static rfbBool
HandshakeTLS(rfbClient* client)
{
int timeout = 15;
int ret;
return TRUE;
while (timeout > 0 && (ret = SSL_do_handshake(client->tlsSession)) < 0)
{
if (ret != -1)
{
rfbClientLog("TLS handshake blocking.\n");
sleep(1);
timeout--;
continue;
}
rfbClientLog("TLS handshake failed: -.\n");
FreeTLS(client);
return FALSE;
}
if (timeout <= 0)
{
rfbClientLog("TLS handshake timeout.\n");
FreeTLS(client);
return FALSE;
}
rfbClientLog("TLS handshake done.\n");
return TRUE;
}
static rfbBool
SetTLSAnonCredential(rfbClient* client)
{
gnutls_anon_client_credentials anonCred;
int ret;
if ((ret = gnutls_anon_allocate_client_credentials(&anonCred)) < 0 ||
(ret = gnutls_credentials_set((gnutls_session_t)client->tlsSession, GNUTLS_CRD_ANON, anonCred)) < 0)
{
FreeTLS(client);
rfbClientLog("Failed to create anonymous credentials: %s", gnutls_strerror(ret));
return FALSE;
}
rfbClientLog("TLS anonymous credential created.\n");
return TRUE;
}
void rfbClientCleanup(rfbClient* client) {
#ifdef LIBVNCSERVER_HAVE_LIBZ
#ifdef LIBVNCSERVER_HAVE_LIBJPEG
int i;
for ( i = 0; i < 4; i++ ) {
if (client->zlibStreamActive[i] == TRUE ) {
if (inflateEnd (&client->zlibStream[i]) != Z_OK &&
client->zlibStream[i].msg != NULL)
rfbClientLog("inflateEnd: %s\n", client->zlibStream[i].msg);
}
}
if ( client->decompStreamInited == TRUE ) {
if (inflateEnd (&client->decompStream) != Z_OK &&
client->decompStream.msg != NULL)
rfbClientLog("inflateEnd: %s\n", client->decompStream.msg );
}
if (client->jpegSrcManager)
free(client->jpegSrcManager);
#endif
#endif
FreeTLS(client);
while (client->clientData) {
rfbClientData* next = client->clientData->next;
free(client->clientData);
client->clientData = next;
}
if (client->sock >= 0)
close(client->sock);
if (client->listenSock >= 0)
close(client->listenSock);
free(client->desktopName);
free(client->serverHost);
if (client->destHost)
free(client->destHost);
if (client->clientAuthSchemes)
free(client->clientAuthSchemes);
free(client);
}
void rfbClientCleanup(rfbClient* client) {
#ifdef LIBVNCSERVER_HAVE_LIBZ
#ifdef LIBVNCSERVER_HAVE_LIBJPEG
struct rfbClientPrivate *priv;
int i;
priv = RFB_CLIENT_PRIV(client);
for ( i = 0; i < 4; i++ ) {
if (priv->zlibStreamActive[i] == TRUE ) {
if (inflateEnd (&priv->zlibStream[i]) != Z_OK &&
priv->zlibStream[i].msg != NULL)
rfbClientLog("inflateEnd: %s\n", priv->zlibStream[i].msg);
}
}
if ( priv->decompStreamInited == TRUE ) {
if (inflateEnd (&priv->decompStream) != Z_OK &&
priv->decompStream.msg != NULL)
rfbClientLog("inflateEnd: %s\n", priv->decompStream.msg );
}
if (priv->jpegSrcManager)
free(priv->jpegSrcManager);
#endif
#endif
FreeTLS(client);
if (client->sock >= 0)
close(client->sock);
if (client->listenSock >= 0)
close(client->listenSock);
free(client->desktopName);
free(client->serverHost);
if (client->destHost)
free(client->destHost);
if (client->clientAuthSchemes)
free(client->clientAuthSchemes);
free(client);
}
rfbBool
HandleVeNCryptAuth(rfbClient* client)
{
uint8_t major, minor, status;
uint32_t authScheme;
rfbBool anonTLS;
gnutls_certificate_credentials_t x509_cred = NULL;
int ret;
if (!InitializeTLS()) return FALSE;
/* Read VeNCrypt version */
if (!ReadFromRFBServer(client, (char *)&major, 1) ||
!ReadFromRFBServer(client, (char *)&minor, 1))
{
return FALSE;
}
rfbClientLog("Got VeNCrypt version %d.%d from server.\n", (int)major, (int)minor);
if (major != 0 && minor != 2)
{
rfbClientLog("Unsupported VeNCrypt version.\n");
return FALSE;
}
if (!WriteToRFBServer(client, (char *)&major, 1) ||
!WriteToRFBServer(client, (char *)&minor, 1) ||
!ReadFromRFBServer(client, (char *)&status, 1))
{
return FALSE;
}
if (status != 0)
{
rfbClientLog("Server refused VeNCrypt version %d.%d.\n", (int)major, (int)minor);
return FALSE;
}
if (!ReadVeNCryptSecurityType(client, &authScheme)) return FALSE;
if (!ReadFromRFBServer(client, (char *)&status, 1) || status != 1)
{
rfbClientLog("Server refused VeNCrypt authentication %d (%d).\n", authScheme, (int)status);
return FALSE;
}
client->subAuthScheme = authScheme;
/* Some VeNCrypt security types are anonymous TLS, others are X509 */
switch (authScheme)
{
case rfbVeNCryptTLSNone:
case rfbVeNCryptTLSVNC:
case rfbVeNCryptTLSPlain:
anonTLS = TRUE;
break;
default:
anonTLS = FALSE;
break;
}
/* Get X509 Credentials if it's not anonymous */
if (!anonTLS)
{
rfbCredential *cred;
if (!client->GetCredential)
{
rfbClientLog("GetCredential callback is not set.\n");
return FALSE;
}
cred = client->GetCredential(client, rfbCredentialTypeX509);
if (!cred)
{
rfbClientLog("Reading credential failed\n");
return FALSE;
}
x509_cred = CreateX509CertCredential(cred);
FreeX509Credential(cred);
if (!x509_cred) return FALSE;
}
/* Start up the TLS session */
if (!InitializeTLSSession(client, anonTLS)) return FALSE;
if (anonTLS)
{
if (!SetTLSAnonCredential(client)) return FALSE;
}
else
{
if ((ret = gnutls_credentials_set((gnutls_session_t)client->tlsSession, GNUTLS_CRD_CERTIFICATE, x509_cred)) < 0)
{
rfbClientLog("Cannot set x509 credential: %s.\n", gnutls_strerror(ret));
FreeTLS(client);
return FALSE;
}
}
if (!HandshakeTLS(client)) return FALSE;
/* TODO: validate certificate */
/* We are done here. The caller should continue with client->subAuthScheme
* to do actual sub authentication.
*/
return TRUE;
}
