Implement TLS and authentication for VeNCrypt
parent
2b9a886edd
commit
23bd46bef9
|
@ -1,3 +1,4 @@
|
||||||
build*
|
build*
|
||||||
subprojects
|
subprojects
|
||||||
.clang_complete
|
.clang_complete
|
||||||
|
.vscode
|
|
@ -79,3 +79,4 @@ void vnc_client_set_compression_level(struct vnc_client* self, int value);
|
||||||
void vnc_client_send_cut_text(struct vnc_client* self, const char* text,
|
void vnc_client_send_cut_text(struct vnc_client* self, const char* text,
|
||||||
size_t len);
|
size_t len);
|
||||||
void vnc_client_clear_av_frames(struct vnc_client* self);
|
void vnc_client_clear_av_frames(struct vnc_client* self);
|
||||||
|
rfbCredential* handle_vnc_authentication(struct _rfbClient *client, int credentialType);
|
|
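Review bot: `handle_vnc_authentication` is added to the public client header even though its only use visible in this commit is the `client->GetCredential = handle_vnc_authentication;` assignment inside vnc.c; a `static` definition in vnc.c with no header declaration would keep it out of the library's API surface. If it is meant to stay exported, the declaration should say who owns the result, e.g. `// libvncclient GetCredential callback: returns a heap-allocated rfbCredential (freed by libvncclient, cf. FreeX509Credential) or NULL on failure.`, since ownership transfer is otherwise invisible to callers.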
@ -153,6 +153,9 @@ static void reset_all_contexts(struct open_h264* self)
|
||||||
|
|
||||||
struct open_h264* open_h264_create(rfbClient* client)
|
struct open_h264* open_h264_create(rfbClient* client)
|
||||||
{
|
{
|
||||||
|
// Use this to enable debug logs
|
||||||
|
// av_log_set_level(AV_LOG_DEBUG);
|
||||||
|
|
||||||
struct open_h264* self = calloc(1, sizeof(*self));
|
struct open_h264* self = calloc(1, sizeof(*self));
|
||||||
if (!self)
|
if (!self)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -25,7 +25,7 @@
|
||||||
#include <gnutls/x509.h>
|
#include <gnutls/x509.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
|
||||||
static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA:+SRP";
|
static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA";
|
||||||
static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH";
|
static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH";
|
||||||
|
|
||||||
#define DH_BITS 1024
|
#define DH_BITS 1024
|
||||||
|
@ -112,12 +112,13 @@ verify_certificate_callback (gnutls_session_t session)
|
||||||
return GNUTLS_E_CERTIFICATE_ERROR;
|
return GNUTLS_E_CERTIFICATE_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!gnutls_x509_crt_check_hostname (cert, hostname))
|
// Certificate doesn't have a hostname
|
||||||
{
|
//if (!gnutls_x509_crt_check_hostname (cert, hostname))
|
||||||
rfbClientLog("The certificate's owner does not match hostname '%s'\n",
|
// {
|
||||||
hostname);
|
// rfbClientLog("The certificate's owner does not match hostname '%s'\n",
|
||||||
return GNUTLS_E_CERTIFICATE_ERROR;
|
// hostname);
|
||||||
}
|
// return GNUTLS_E_CERTIFICATE_ERROR;
|
||||||
|
// }
|
||||||
|
|
||||||
gnutls_x509_crt_deinit (cert);
|
gnutls_x509_crt_deinit (cert);
|
||||||
|
|
||||||
|
@ -337,6 +338,9 @@ FreeX509Credential(rfbCredential *cred)
|
||||||
static gnutls_certificate_credentials_t
|
static gnutls_certificate_credentials_t
|
||||||
CreateX509CertCredential(rfbCredential *cred)
|
CreateX509CertCredential(rfbCredential *cred)
|
||||||
{
|
{
|
||||||
|
// Use this to enable debug logs
|
||||||
|
//gnutls_global_set_log_level(GNUTLS_DEBUG_LEVEL);
|
||||||
|
|
||||||
gnutls_certificate_credentials_t x509_cred;
|
gnutls_certificate_credentials_t x509_cred;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
|
|
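Review bot: The second hunk in this file (verify_certificate_callback, `@ -112,12 +112,13 @@`) comments out the `gnutls_x509_crt_check_hostname` check, so any certificate that chains to the configured CA is now accepted no matter which host it was issued for, which means a client connecting to host A will accept host B's certificate and the CA file configured in the vnc.c hunk no longer pins the peer. The new comment says the certificate doesn't have a hostname; the fix for that is to issue the server a certificate carrying the host in its SAN (or CN), not to remove the check from every client. Restore the `if (!gnutls_x509_crt_check_hostname (cert, hostname)) { rfbClientLog(...); return GNUTLS_E_CERTIFICATE_ERROR; }` block, and if an opt-out is genuinely needed, gate it behind an explicit off-by-default setting that logs when it is in effect. The commented-out `gnutls_global_set_log_level` in the third hunk (and the matching `av_log_set_level` comment in open_h264_create) is dead code that should be deleted or turned into a real debug switch. verify_certificate_callback begins before this hunk.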
28
src/vnc.c
28
src/vnc.c
|
@ -249,6 +249,9 @@ struct vnc_client* vnc_client_create(void)
|
||||||
|
|
||||||
self->pts = NO_PTS;
|
self->pts = NO_PTS;
|
||||||
|
|
||||||
|
// Handle authentication
|
||||||
|
client->GetCredential = handle_vnc_authentication;
|
||||||
|
|
||||||
return self;
|
return self;
|
||||||
|
|
||||||
failure:
|
failure:
|
||||||
|
@ -256,6 +259,31 @@ failure:
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rfbCredential* handle_vnc_authentication(struct _rfbClient *client, int credentialType) {
|
||||||
|
rfbCredential* creds = (rfbCredential*) malloc(sizeof(rfbCredential));
|
||||||
|
|
||||||
|
if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeX509) {
|
||||||
|
char* path = getenv("TLS_CA");
|
||||||
|
rfbClientLog("Using TLS CA certificate from env 'TLS_CA': %s", path);
|
||||||
|
|
||||||
|
creds->x509Credential.x509CACertFile = malloc(strlen(path) + 1);
|
||||||
|
strcpy(creds->x509Credential.x509CACertFile, path);
|
||||||
|
creds->x509Credential.x509CrlVerifyMode = rfbX509CrlVerifyAll;
|
||||||
|
} else if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeUser) {
|
||||||
|
const* username = getenv("VNC_USERNAME");
|
||||||
|
const* password = getenv("VNC_PASSWORD");
|
||||||
|
rfbClientLog("Using username and password for VNC authentication 'VNC_USERNAME', 'VNC_PASSWORD'");
|
||||||
|
|
||||||
|
creds->userCredential.password = malloc(strlen(password) + 1);
|
||||||
|
creds->userCredential.username = malloc(strlen(username) + 1);
|
||||||
|
strcpy(creds->userCredential.password, password);
|
||||||
|
strcpy(creds->userCredential.username, username);
|
||||||
|
} else {
|
||||||
|
|
||||||
|
}
|
||||||
|
return creds;
|
||||||
|
}
|
||||||
|
|
||||||
void vnc_client_destroy(struct vnc_client* self)
|
void vnc_client_destroy(struct vnc_client* self)
|
||||||
{
|
{
|
||||||
vnc_client_clear_av_frames(self);
|
vnc_client_clear_av_frames(self);
|
||||||
|
|
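Review bot: `handle_vnc_authentication` dereferences each `getenv` result without a NULL check, so an unset `TLS_CA`, `VNC_USERNAME` or `VNC_PASSWORD` crashes in `strlen`, and `const* username` / `const* password` are missing the `char` type (implicit int, invalid in C99 and later, and the wrong pointee type for `strlen`/`strcpy`). `creds` is obtained with `malloc` and never zeroed, yet `rfbCredential` is a union whose unused pointer fields libvncclient appears to free (see `FreeX509Credential` in the tls hunk), so they must be NULL — use `calloc` — and the empty `else` branch returns that uninitialized credential instead of NULL; none of the allocations is checked either. Credentials taken from the environment are readable by other processes running as the same user and are inherited by child processes, which is worth stating in a comment next to the variable names. The rewrite below keeps the signature and variable names and addresses these points; the function lies entirely within the hunk.
```c
rfbCredential* handle_vnc_authentication(struct _rfbClient *client, int credentialType) {
	// calloc, not malloc: rfbCredential is a union and libvncclient frees the
	// pointer fields of the member it uses, so unused fields must be NULL.
	rfbCredential* creds = calloc(1, sizeof(*creds));
	if (!creds)
		return NULL;

	if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeX509) {
		const char* path = getenv("TLS_CA");
		if (!path) {
			rfbClientLog("TLS_CA is not set; cannot verify the server certificate\n");
			free(creds);
			return NULL;
		}
		rfbClientLog("Using TLS CA certificate from env 'TLS_CA': %s\n", path);

		creds->x509Credential.x509CACertFile = strdup(path);
		if (!creds->x509Credential.x509CACertFile) {
			free(creds);
			return NULL;
		}
		creds->x509Credential.x509CrlVerifyMode = rfbX509CrlVerifyAll;
	} else if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeUser) {
		// NOTE: environment variables are visible to same-user processes and
		// inherited by children; document this for deployments.
		const char* username = getenv("VNC_USERNAME");
		const char* password = getenv("VNC_PASSWORD");
		if (!username || !password) {
			rfbClientLog("VNC_USERNAME and/or VNC_PASSWORD are not set\n");
			free(creds);
			return NULL;
		}
		rfbClientLog("Using username and password for VNC authentication 'VNC_USERNAME', 'VNC_PASSWORD'\n");

		creds->userCredential.username = strdup(username);
		creds->userCredential.password = strdup(password);
		if (!creds->userCredential.username || !creds->userCredential.password) {
			free(creds->userCredential.username);
			free(creds->userCredential.password);
			free(creds);
			return NULL;
		}
	} else {
		// Unsupported scheme/credential type: return NULL so libvncclient
		// treats the credential lookup as failed (presumably aborts the handshake — confirm).
		free(creds);
		return NULL;
	}
	return creds;
}
```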