X-Git-Url: https://git.proxmox.com/?p=vncterm.git;a=blobdiff_plain;f=vncterm.c;h=be66a3eb92cf42f28dfbf8cc8d9456967cfaa372;hp=1ac0e3e0c3fcc61dfb5f4c7fb6d0392090e79e1e;hb=d13304af89d61b092e78efddcee3995340903573;hpb=e6d0212c1efc9ee64187dc1b398fcae3df3a526b
diff --git a/vncterm.c b/vncterm.c
index 1ac0e3e..be66a3e 100644
--- a/vncterm.c
+++ b/vncterm.c
@@ -169,7 +169,7 @@ static void vnc_debug_gnutls_log(int level, const char* str) {
 }
 #endif
-#define DH_BITS 1024
+#define DH_BITS 2048
 static gnutls_dh_params_t dh_params;
 typedef struct {
@@ -256,7 +256,11 @@ tls_initialize_anon_cred(void)
 return NULL;
 }
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+ gnutls_anon_set_server_known_dh_params(anon_cred, GNUTLS_SEC_PARAM_MEDIUM);
+#else
 gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+#endif
 return anon_cred;
 }
@@ -290,8 +294,13 @@ tls_initialize_x509_cred(void)
 gnutls_certificate_free_credentials(x509_cred);
 return NULL;
 }
-
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+ /* only available since GnuTLS 3.5.6, on previous versions see
+ * gnutls_certificate_set_dh_params(). */
+ gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
+#else
 gnutls_certificate_set_dh_params (x509_cred, dh_params);
+#endif
 return x509_cred;
 }
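Review bot: `DH_BITS` is now only consulted on the `#else` fallback path of tls_initialize_anon_cred and tls_initialize_x509_cred (the two following hunks), because on GnuTLS >= 3.5.6 the group is chosen through `GNUTLS_SEC_PARAM_MEDIUM` instead; the define deserves a comment saying so, e.g. `/* DH group size for the gnutls_*_set_dh_params() fallback (GnuTLS < 3.5.6); newer builds pick the group via GNUTLS_SEC_PARAM_MEDIUM */`. If `dh_params` is still generated unconditionally at startup (its generation site is outside this diff), that work is wasted on newer GnuTLS and could sit under the same version guard.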
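Review bot: The `#if GNUTLS_VERSION_NUMBER >= 0x030506` branch in tls_initialize_anon_cred carries no explanatory comment, while the identical branch in tls_initialize_x509_cred in the next hunk does; for consistency add the same note, e.g. `/* only available since GnuTLS 3.5.6, on previous versions see gnutls_anon_set_server_dh_params(). */`. Both sites also repeat the raw version number; a single feature macro defined once near `DH_BITS` (for example `#define HAVE_GNUTLS_KNOWN_DH_PARAMS (GNUTLS_VERSION_NUMBER >= 0x030506)`, a constructed name) would keep the two gates from drifting apart. tls_initialize_anon_cred begins outside the hunk.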
@@ -485,42 +494,10 @@ rfbVncAuthVencrypt(rfbClientPtr cl)
 return;
 }
- /* optimize for speed */
- static const int cipher_priority_performance[] = {
- GNUTLS_CIPHER_ARCFOUR_128,
- GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_3DES_CBC, 0
- };
-
- if ((ret = gnutls_cipher_set_priority(sd->session, cipher_priority_performance)) < 0) {
- rfbLog("gnutls_cipher_set_priority failed: %s\n", gnutls_strerror(ret));
- sd->session = NULL;
- rfbCloseClient(cl);
- return;
- }
-
- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
- if ((ret = gnutls_kx_set_priority(sd->session, use_x509 ? kx_x509 : kx_anon)) < 0) {
- rfbLog("gnutls_kx_set_priority failed: %s\n", gnutls_strerror(ret));
- sd->session = NULL;
- rfbCloseClient(cl);
- return;
- }
-
- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
- if ((ret = gnutls_certificate_type_set_priority(sd->session, cert_type_priority)) < 0) {
- rfbLog("gnutls_certificate_type_set_priority failed: %s\n",
- gnutls_strerror(ret));
- sd->session = NULL;
- rfbCloseClient(cl);
- return;
- }
-
- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
- if ((ret = gnutls_protocol_set_priority(sd->session, protocol_priority)) < 0) {
- rfbLog("gnutls_protocol_set_priority failed: %s\n",
- gnutls_strerror(ret));
+ static const char *priority_str_x509 = "NORMAL";
+ static const char *priority_str_anon = "NORMAL:+ANON-ECDH:+ANON-DH";
+ if ((ret = gnutls_priority_set_direct(sd->session, use_x509 ? priority_str_x509 : priority_str_anon, NULL)) < 0) {
+ rfbLog("gnutls_priority_set_direct failed: %s\n", gnutls_strerror(ret));
 sd->session = NULL;
 rfbCloseClient(cl);
 return;
@@ -2196,6 +2173,8 @@ new_client (rfbClientPtr client)
 return RFB_CLIENT_ACCEPT;
 }
+static char *vncticket = NULL;
+
 vncTerm *
 create_vncterm (int argc, char** argv, int maxx, int maxy)
 {
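Review bot: `gnutls_priority_set_direct` is called with a NULL `err_pos`, so if either priority string is ever rejected the log line only says "failed" without pointing at the offending token; the strings are compile-time constants, so this would surface as a packaging or GnuTLS-version mismatch rather than a runtime input problem, but the position is cheap to report. Declare `const char *err_pos = NULL;`, pass `&err_pos` as the third argument, and log it: `rfbLog("gnutls_priority_set_direct failed: %s (at '%s')\n", gnutls_strerror(ret), err_pos ? err_pos : "");`. The move to `"NORMAL"` also drops the SSL 3.0 entry that the removed `protocol_priority` table still listed, which is a deliberate tightening worth a one-line comment so a later edit does not "restore" it. rfbVncAuthVencrypt begins and ends outside the hunk; `ret` and `use_x509` are declared before it.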
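Review bot: `vncticket` is a file-scope global whose only writer is the `-notls` branch in main (a later hunk) and whose only reader is create_vncterm, and nothing at the definition says which mode it selects; a comment would spare the next reader the search, e.g. `/* VNC password taken from PVE_VNC_TICKET; non-NULL only with -notls, which selects classic VNC auth instead of VeNCrypt */`.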
@@ -2204,6 +2183,8 @@ create_vncterm (int argc, char** argv, int maxx, int maxy)
 rfbScreenInfoPtr screen = rfbGetScreen (&argc, argv, maxx, maxy, 8, 1, 1);
 screen->frameBuffer=(char*)calloc(maxx*maxy, 1);
+ char **passwds = calloc(sizeof(char**), 2);
+
 vncTerm *vt = (vncTerm *)calloc (sizeof(vncTerm), 1);
 rfbColourMap *cmap =&screen->colourMap;
@@ -2272,7 +2253,15 @@ create_vncterm (int argc, char** argv, int maxx, int maxy)
 //screen->autoPort = 1;
- rfbRegisterSecurityHandler(&VncSecurityHandlerVencrypt);
+ if (vncticket) {
+ passwds[0] = vncticket;
+ passwds[1] = NULL;
+
+ screen->authPasswdData = (void *)passwds;
+ screen->passwordCheck = rfbCheckPasswordByList;
+ } else {
+ rfbRegisterSecurityHandler(&VncSecurityHandlerVencrypt);
+ }
 rfbInitServer(screen);
@@ -2322,20 +2311,26 @@ main (int argc, char** argv)
 if (!strcmp (argv[i], "-timeout")) {
 CHECK_ARGC (argc, argv, i);
 idle_timeout = atoi(argv[i+1]);
- rfbPurgeArguments(&argc, &i, 2, argv);
- }
- if (!strcmp (argv[i], "-authpath")) {
+ rfbPurgeArguments(&argc, &i, 2, argv); i--;
+ } else if (!strcmp (argv[i], "-authpath")) {
 CHECK_ARGC (argc, argv, i);
 auth_path = argv[i+1];
- rfbPurgeArguments(&argc, &i, 2, argv);
- }
- if (!strcmp (argv[i], "-perm")) {
+ rfbPurgeArguments(&argc, &i, 2, argv); i--;
+ } else if (!strcmp (argv[i], "-perm")) {
 CHECK_ARGC (argc, argv, i);
 auth_perm = argv[i+1];
- rfbPurgeArguments(&argc, &i, 2, argv);
+ rfbPurgeArguments(&argc, &i, 2, argv); i--;
+ } else if (!strcmp (argv[i], "-notls")) {
+ rfbPurgeArguments(&argc, &i, 1, argv); i--;
+ if ((vncticket = getenv("PVE_VNC_TICKET")) == NULL) {
+ fprintf(stderr, "missing env PVE_VNC_TICKET (-notls)\n");
+ exit(-1);
+ }
 }
 }
+ unsetenv("PVE_VNC_TICKET"); // do not expose this to child
+
 #ifdef DEBUG
 rfbLogEnable (1);
 gnutls_global_set_log_level(10);
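Review bot: `calloc(sizeof(char**), 2)` has its arguments swapped (the signature is `calloc(nmemb, size)`) and sizes the element as `char **` although the array holds `char *`; the result is the intended two-pointer array only because the product happens to be the same. Write it as `char **passwds = calloc(2, sizeof *passwds);`. The allocation is also unconditional although it is only used when `vncticket` is set in the later hunk at line 2253, so it could move inside that `if`; its result is unchecked like the neighbouring `calloc` calls, so a NULL check here would be new for this function rather than fixing an inconsistency.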
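Review bot: The `if (vncticket)` branch switches the server from VeNCrypt to classic VNC password authentication via `rfbCheckPasswordByList`, and nothing on the new side records that this is a non-TLS, password-only mode; add a comment above the `if`, e.g. `/* -notls: plain RFB with classic VNC auth against the PVE ticket; otherwise VeNCrypt (TLS) handles authentication */`. If I recall libvncserver's classic VNC auth correctly, it derives its DES challenge key from at most the first 8 bytes of each password in the list, so a ticket longer than that would only be partially verified — worth confirming against the ticket format and noting next to `passwds[0] = vncticket;`.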
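Review bot: `vncticket` keeps the pointer returned by `getenv("PVE_VNC_TICKET")`, but `unsetenv("PVE_VNC_TICKET")` runs right after the loop and the string is not used until create_vncterm and every later client authentication; POSIX permits `unsetenv` to invalidate a pointer previously returned by `getenv`, so this relies on glibc merely unlinking the entry. Copying the value makes it safe everywhere: `const char *ticket = getenv("PVE_VNC_TICKET");` followed by `if (ticket == NULL || (vncticket = strdup(ticket)) == NULL) {` with the existing error path. Minor: `exit(-1)` yields status 255; `exit(EXIT_FAILURE)` says what is meant. main begins and ends outside the hunk.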
@@ -2358,8 +2353,6 @@ main (int argc, char** argv)
 dimensions.ws_col = vt->width;
 dimensions.ws_row = vt->height;
- setsid ();
- setenv ("TERM", TERM, 1);
 pid = forkpty (&master, ptyname, NULL, &dimensions);