Implement TLS and authentication for VeNCrypt

2024-03-28 21:39:35 +01:00 · 2024-03-28 21:39:35 +01:00 · 23bd46bef9
parent 2b9a886edd
commit 23bd46bef9
5 changed files with 44 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 build*
 subprojects
 .clang_complete
 .vscode
--- a/include/vnc.h
+++ b/include/vnc.h
@ -79,3 +79,4 @@ void vnc_client_set_compression_level(struct vnc_client* self, int value);
 void vnc_client_send_cut_text(struct vnc_client* self, const char* text,
 		size_t len);
 void vnc_client_clear_av_frames(struct vnc_client* self);
 rfbCredential* handle_vnc_authentication(struct _rfbClient *client, int credentialType);
--- a/src/open-h264.c
+++ b/src/open-h264.c
@ -153,6 +153,9 @@ static void reset_all_contexts(struct open_h264* self)
 struct open_h264* open_h264_create(rfbClient* client)
 {
 	// Use this to enable debug logs
 	// av_log_set_level(AV_LOG_DEBUG);
 	struct open_h264* self = calloc(1, sizeof(*self));
 	if (!self)
 		return NULL;
--- a/src/tls_gnutls.c
+++ b/src/tls_gnutls.c
@ -25,7 +25,7 @@
 #include <gnutls/x509.h>
 #include <errno.h>
-static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA:+SRP";
+static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA";
 static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH";
 #define DH_BITS 1024
@ -112,12 +112,13 @@ verify_certificate_callback (gnutls_session_t session)
      return GNUTLS_E_CERTIFICATE_ERROR;
    }
-  if (!gnutls_x509_crt_check_hostname (cert, hostname))
+  // Certificate doesn't have a hostname
-    {
+  //if (!gnutls_x509_crt_check_hostname (cert, hostname))
-      rfbClientLog("The certificate's owner does not match hostname '%s'\n",
+  //  {
-              hostname);
+  //    rfbClientLog("The certificate's owner does not match hostname '%s'\n",
-      return GNUTLS_E_CERTIFICATE_ERROR;
+  //            hostname);
-    }
+  //    return GNUTLS_E_CERTIFICATE_ERROR;
  //  }
  gnutls_x509_crt_deinit (cert);
@ -337,6 +338,9 @@ FreeX509Credential(rfbCredential *cred)
 static gnutls_certificate_credentials_t
 CreateX509CertCredential(rfbCredential *cred)
 {
  // Use this to enable debug logs
  //gnutls_global_set_log_level(GNUTLS_DEBUG_LEVEL);
  gnutls_certificate_credentials_t x509_cred;
  int ret;
--- a/src/vnc.c
+++ b/src/vnc.c
@ -249,6 +249,9 @@ struct vnc_client* vnc_client_create(void)
 	self->pts = NO_PTS;
 	// Handle authentication
 	client->GetCredential = handle_vnc_authentication;
 	return self;
 failure:
@ -256,6 +259,31 @@ failure:
 	return NULL;
 }
 rfbCredential* handle_vnc_authentication(struct _rfbClient *client, int credentialType) {
 	rfbCredential* creds = (rfbCredential*) malloc(sizeof(rfbCredential));
 	if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeX509) {
 		char* path = getenv("TLS_CA");
 		rfbClientLog("Using TLS CA certificate from env 'TLS_CA': %s", path);
 		creds->x509Credential.x509CACertFile = malloc(strlen(path) + 1);
 		strcpy(creds->x509Credential.x509CACertFile, path);
 		creds->x509Credential.x509CrlVerifyMode = rfbX509CrlVerifyAll;
 	} else if (client->authScheme == rfbVeNCrypt && credentialType == rfbCredentialTypeUser) {
 		const* username = getenv("VNC_USERNAME");
 		const* password =  getenv("VNC_PASSWORD");
 		rfbClientLog("Using username and password for VNC authentication 'VNC_USERNAME', 'VNC_PASSWORD'");
    	creds->userCredential.password = malloc(strlen(password) + 1);
 		creds->userCredential.username = malloc(strlen(username) + 1);
 		strcpy(creds->userCredential.password, password);
 		strcpy(creds->userCredential.username, username);
 	} else {
 	}
 	return creds;
 }
 void vnc_client_destroy(struct vnc_client* self)
 {
 	vnc_client_clear_av_frames(self);