summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGernot Tenchio <gernot.tenchio@securepoint.de>2011-08-17 12:20:50 +0200
committerJohannes Schindelin <johannes.schindelin@gmx.de>2011-08-17 12:41:24 +0200
commita2a6e256998c23af2d91a4475aa6d65893bf5bb5 (patch)
tree822a2debaa452150df01563523075ea447a7e797
parent4aa35863676335917d2a25a7952031f0fba66dfb (diff)
downloadlibvncserver-a2a6e256998c23af2d91a4475aa6d65893bf5bb5.zip
libvncserver-a2a6e256998c23af2d91a4475aa6d65893bf5bb5.tar.gz
websockets: add GnuTLS and OpenSSL support
For now, only OpenSSL support is activated through configure, since GnuTLS is only used in LibVNCClient. [jes: separated this out from the commit adding encryption support, added autoconf support.] Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-rw-r--r--configure.ac187
-rw-r--r--libvncserver/Makefile.am13
-rw-r--r--libvncserver/rfbssl_gnutls.c286
-rw-r--r--libvncserver/rfbssl_openssl.c135
4 files changed, 527 insertions, 94 deletions
diff --git a/configure.ac b/configure.ac
index 029a600..79ce830 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,99 @@ AM_CONDITIONAL(HAVE_MP3LAME, test "$HAVE_MP3LAME" = "true")
# before it seemed to be inside the with_jpeg conditional.
AC_CHECK_HEADER(thenonexistentheader.h, HAVE_THENONEXISTENTHEADER_H="true")
+# set some ld -R nonsense
+#
+uname_s=`(uname -s) 2>/dev/null`
+ld_minus_R="yes"
+if test "x$uname_s" = "xHP-UX"; then
+ ld_minus_R="no"
+elif test "x$uname_s" = "xOSF1"; then
+ ld_minus_R="no"
+elif test "x$uname_s" = "xDarwin"; then
+ ld_minus_R="no"
+fi
+
+# Check for OpenSSL
+
+AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present])
+AC_ARG_WITH(crypt,
+[ --without-crypt disable support for libcrypt],,)
+if test "x$with_crypt" != "xno"; then
+ AC_CHECK_FUNCS([crypt], HAVE_LIBC_CRYPT="true")
+ if test -z "$HAVE_LIBC_CRYPT"; then
+ AC_CHECK_LIB(crypt, crypt,
+ CRYPT_LIBS="-lcrypt"
+ [AC_DEFINE(HAVE_LIBCRYPT)], ,)
+ fi
+fi
+AC_SUBST(CRYPT_LIBS)
+
+# some OS's need both -lssl and -lcrypto on link line:
+AH_TEMPLATE(HAVE_LIBCRYPTO, [openssl libcrypto library present])
+AC_ARG_WITH(crypto,
+[ --without-crypto disable support for openssl libcrypto],,)
+
+AH_TEMPLATE(HAVE_LIBSSL, [openssl libssl library present])
+AC_ARG_WITH(ssl,
+[ --without-ssl disable support for openssl libssl]
+[ --with-ssl=DIR use openssl include/library files in DIR],,)
+
+if test "x$with_crypto" != "xno" -a "x$with_ssl" != "xno"; then
+ if test ! -z "$with_ssl" -a "x$with_ssl" != "xyes"; then
+ saved_CPPFLAGS="$CPPFLAGS"
+ saved_LDFLAGS="$LDFLAGS"
+ CPPFLAGS="$CPPFLAGS -I$with_ssl/include"
+ LDFLAGS="$LDFLAGS -L$with_ssl/lib"
+ if test "x$ld_minus_R" = "xno"; then
+ :
+ elif test "x$GCC" = "xyes"; then
+ LDFLAGS="$LDFLAGS -Xlinker -R$with_ssl/lib"
+ else
+ LDFLAGS="$LDFLAGS -R$with_ssl/lib"
+ fi
+ fi
+ AC_CHECK_LIB(crypto, RAND_file_name,
+ [AC_DEFINE(HAVE_LIBCRYPTO) HAVE_LIBCRYPTO="true"], ,)
+ if test ! -z "$with_ssl" -a "x$with_ssl" != "xyes"; then
+ if test "x$HAVE_LIBCRYPTO" != "xtrue"; then
+ CPPFLAGS="$saved_CPPFLAGS"
+ LDFLAGS="$saved_LDFLAGS"
+ fi
+ fi
+fi
+
+AH_TEMPLATE(HAVE_X509_PRINT_EX_FP, [open ssl X509_print_ex_fp available])
+if test "x$with_ssl" != "xno"; then
+ if test "x$HAVE_LIBCRYPTO" = "xtrue"; then
+ AC_CHECK_LIB(ssl, SSL_library_init,
+ SSL_LIBS="-lssl -lcrypto"
+ [AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
+ -lcrypto)
+ else
+ AC_CHECK_LIB(ssl, SSL_library_init,
+ SSL_LIBS="-lssl"
+ [AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
+ fi
+fi
+AC_SUBST(SSL_LIBS)
+
+ if test "x$HAVE_LIBSSL" != "xtrue" -a "x$with_ssl" != "xno"; then
+ AC_MSG_WARN([
+==========================================================================
+*** The openssl encryption library libssl.so was not found. ***
+An x11vnc built this way will not support SSL encryption. To enable
+SSL install the necessary development packages (perhaps it is named
+something like libssl-dev) and run configure again.
+==========================================================================
+])
+ sleep 5
+ elif test "x$with_ssl" != "xno"; then
+ AC_CHECK_LIB(ssl, X509_print_ex_fp,
+ [AC_DEFINE(HAVE_X509_PRINT_EX_FP) HAVE_X509_PRINT_EX_FP="true"], , $SSL_LIBS
+ )
+ fi
+AM_CONDITIONAL(HAVE_LIBSSL, test "x$with_crypto" != "xno" -a "x$with_ssl" != "xno")
+
# Checks for X libraries
HAVE_X11="false"
AC_PATH_XTRA
@@ -296,98 +389,6 @@ configure again.
sleep 5
fi
-# set some ld -R nonsense
-#
-uname_s=`(uname -s) 2>/dev/null`
-ld_minus_R="yes"
-if test "x$uname_s" = "xHP-UX"; then
- ld_minus_R="no"
-elif test "x$uname_s" = "xOSF1"; then
- ld_minus_R="no"
-elif test "x$uname_s" = "xDarwin"; then
- ld_minus_R="no"
-fi
-
-
-
-AH_TEMPLATE(HAVE_LIBCRYPT, [libcrypt library present])
-AC_ARG_WITH(crypt,
-[ --without-crypt disable support for libcrypt],,)
-if test "x$with_crypt" != "xno"; then
- AC_CHECK_FUNCS([crypt], HAVE_LIBC_CRYPT="true")
- if test -z "$HAVE_LIBC_CRYPT"; then
- AC_CHECK_LIB(crypt, crypt,
- CRYPT_LIBS="-lcrypt"
- [AC_DEFINE(HAVE_LIBCRYPT)], ,)
- fi
-fi
-AC_SUBST(CRYPT_LIBS)
-
-# some OS's need both -lssl and -lcrypto on link line:
-AH_TEMPLATE(HAVE_LIBCRYPTO, [openssl libcrypto library present])
-AC_ARG_WITH(crypto,
-[ --without-crypto disable support for openssl libcrypto],,)
-
-AH_TEMPLATE(HAVE_LIBSSL, [openssl libssl library present])
-AC_ARG_WITH(ssl,
-[ --without-ssl disable support for openssl libssl]
-[ --with-ssl=DIR use openssl include/library files in DIR],,)
-
-if test "x$with_crypto" != "xno" -a "x$with_ssl" != "xno"; then
- if test ! -z "$with_ssl" -a "x$with_ssl" != "xyes"; then
- saved_CPPFLAGS="$CPPFLAGS"
- saved_LDFLAGS="$LDFLAGS"
- CPPFLAGS="$CPPFLAGS -I$with_ssl/include"
- LDFLAGS="$LDFLAGS -L$with_ssl/lib"
- if test "x$ld_minus_R" = "xno"; then
- :
- elif test "x$GCC" = "xyes"; then
- LDFLAGS="$LDFLAGS -Xlinker -R$with_ssl/lib"
- else
- LDFLAGS="$LDFLAGS -R$with_ssl/lib"
- fi
- fi
- AC_CHECK_LIB(crypto, RAND_file_name,
- [AC_DEFINE(HAVE_LIBCRYPTO) HAVE_LIBCRYPTO="true"], ,)
- if test ! -z "$with_ssl" -a "x$with_ssl" != "xyes"; then
- if test "x$HAVE_LIBCRYPTO" != "xtrue"; then
- CPPFLAGS="$saved_CPPFLAGS"
- LDFLAGS="$saved_LDFLAGS"
- fi
- fi
-fi
-
-AH_TEMPLATE(HAVE_X509_PRINT_EX_FP, [open ssl X509_print_ex_fp available])
-if test "x$with_ssl" != "xno"; then
- if test "x$HAVE_LIBCRYPTO" = "xtrue"; then
- AC_CHECK_LIB(ssl, SSL_library_init,
- SSL_LIBS="-lssl -lcrypto"
- [AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,
- -lcrypto)
- else
- AC_CHECK_LIB(ssl, SSL_library_init,
- SSL_LIBS="-lssl"
- [AC_DEFINE(HAVE_LIBSSL) HAVE_LIBSSL="true"], ,)
- fi
-fi
-AC_SUBST(SSL_LIBS)
-
- if test "x$HAVE_LIBSSL" != "xtrue" -a "x$with_ssl" != "xno"; then
- AC_MSG_WARN([
-==========================================================================
-*** The openssl encryption library libssl.so was not found. ***
-An x11vnc built this way will not support SSL encryption. To enable
-SSL install the necessary development packages (perhaps it is named
-something like libssl-dev) and run configure again.
-==========================================================================
-])
- sleep 5
- elif test "x$with_ssl" != "xno"; then
- AC_CHECK_LIB(ssl, X509_print_ex_fp,
- [AC_DEFINE(HAVE_X509_PRINT_EX_FP) HAVE_X509_PRINT_EX_FP="true"], , $SSL_LIBS
- )
- fi
-
if test "x$with_v4l" != "xno"; then
AC_CHECK_HEADER(linux/videodev.h,
[AC_DEFINE(HAVE_LINUX_VIDEODEV_H)],,)
@@ -720,7 +721,7 @@ if test "x$HAVE_B64" != "xtrue"; then
with_websockets=""
fi
if test "x$with_websockets" = "xyes"; then
- LIBS="$LIBS -lresolv"
+ LIBS="$LIBS -lresolv $SSL_LIBS"
AC_DEFINE(WITH_WEBSOCKETS)
fi
AM_CONDITIONAL(WITH_WEBSOCKETS, test "$with_websockets" = "yes")
diff --git a/libvncserver/Makefile.am b/libvncserver/Makefile.am
index bbc8feb..c1f89df 100644
--- a/libvncserver/Makefile.am
+++ b/libvncserver/Makefile.am
@@ -13,7 +13,18 @@ TIGHTVNCFILETRANSFERSRCS = tightvnc-filetransfer/rfbtightserver.c \
endif
if WITH_WEBSOCKETS
-WEBSOCKETSSRCS = websockets.c md5.c rfbssl_none.c
+
+if HAVE_LIBSSL
+WEBSOCKETSSSLSRCS = rfbssl_openssl.c
+else
+#if HAVE_GNUTLS
+#WEBSOCKETSSSLSRCS = rfbssl_gnutls.c
+#else
+WEBSOCKETSSSLSRCS = rfbssl_none.c
+#endif
+endif
+
+WEBSOCKETSSRCS = websockets.c md5.c $(WEBSOCKETSSSLSRCS)
endif
includedir=$(prefix)/include/rfb
diff --git a/libvncserver/rfbssl_gnutls.c b/libvncserver/rfbssl_gnutls.c
new file mode 100644
index 0000000..09cc89e
--- /dev/null
+++ b/libvncserver/rfbssl_gnutls.c
@@ -0,0 +1,286 @@
+/*
+ * rfbssl_gnutls.c - Secure socket funtions (gnutls version)
+ */
+
+/*
+ * Copyright (C) 2011 Gernot Tenchio
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ * USA.
+ */
+
+#include "rfbssl.h"
+#include <gnutls/gnutls.h>
+#include <errno.h>
+
+struct rfbssl_ctx {
+ char peekbuf[2048];
+ int peeklen;
+ int peekstart;
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_dh_params_t dh_params;
+#ifdef I_LIKE_RSA_PARAMS_THAT_MUCH
+ gnutls_rsa_params_t rsa_params;
+#endif
+};
+
+void rfbssl_log_func(int level, const char *msg)
+{
+ rfbErr("SSL: %s", msg);
+}
+
+static void rfbssl_error(const char *msg, int e)
+{
+ rfbErr("%s: %s (%ld)\n", msg, gnutls_strerror(e), e);
+}
+
+static int rfbssl_init_session(struct rfbssl_ctx *ctx, int fd)
+{
+ gnutls_session_t session;
+ int ret;
+
+ if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) {
+ /* */
+ } else {
+ gnutls_session_enable_compatibility_mode(session);
+ gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)fd);
+ ctx->session = session;
+ }
+ return ret;
+}
+
+static int generate_dh_params(struct rfbssl_ctx *ctx)
+{
+ int ret;
+ if (GNUTLS_E_SUCCESS == (ret = gnutls_dh_params_init(&ctx->dh_params)))
+ ret = gnutls_dh_params_generate2(ctx->dh_params, 1024);
+ return ret;
+}
+
+#ifdef I_LIKE_RSA_PARAMS_THAT_MUCH
+static int generate_rsa_params(struct rfbssl_ctx *ctx)
+{
+ int ret;
+ if (GNUTLS_E_SUCCESS == (ret = gnutls_rsa_params_init(&ctx->rsa_params)))
+ ret = gnutls_rsa_params_generate2(ctx->rsa_params, 512);
+ return ret;
+}
+#endif
+
+struct rfbssl_ctx *rfbssl_init_global(char *key, char *cert)
+{
+ int ret = GNUTLS_E_SUCCESS;
+ struct rfbssl_ctx *ctx = NULL;
+
+ if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) {
+ ret = GNUTLS_E_MEMORY_ERROR;
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_global_init())) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_allocate_credentials(&ctx->x509_cred))) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, cert, GNUTLS_X509_FMT_PEM))) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_key_file(ctx->x509_cred, cert, key, GNUTLS_X509_FMT_PEM))) {
+ /* */
+ } else if (!GNUTLS_E_SUCCESS == (ret = generate_dh_params(ctx))) {
+ /* */
+#ifdef I_LIKE_RSA_PARAMS_THAT_MUCH
+ } else if (!GNUTLS_E_SUCCESS == (ret = generate_rsa_params(ctx))) {
+ /* */
+#endif
+ } else {
+ gnutls_global_set_log_function(rfbssl_log_func);
+ gnutls_global_set_log_level(1);
+ gnutls_certificate_set_dh_params(ctx->x509_cred, ctx->dh_params);
+ return ctx;
+ }
+
+ free(ctx);
+ return NULL;
+}
+
+int rfbssl_init(rfbClientPtr cl)
+{
+ int ret = -1;
+ struct rfbssl_ctx *ctx;
+ char *keyfile;
+ if (!(keyfile = cl->screen->sslkeyfile))
+ keyfile = cl->screen->sslcertfile;
+
+ if (NULL == (ctx = rfbssl_init_global(keyfile, cl->screen->sslcertfile))) {
+ /* */
+ } else if (GNUTLS_E_SUCCESS != (ret = rfbssl_init_session(ctx, cl->sock))) {
+ /* */
+ } else {
+ while (GNUTLS_E_SUCCESS != (ret = gnutls_handshake(ctx->session))) {
+ if (ret == GNUTLS_E_AGAIN)
+ continue;
+ break;
+ }
+ }
+
+ if (ret != GNUTLS_E_SUCCESS) {
+ rfbssl_error(__func__, ret);
+ } else {
+ cl->sslctx = (rfbSslCtx *)ctx;
+ rfbLog("%s protocol initialized\n", gnutls_protocol_get_name(gnutls_protocol_get_version(ctx->session)));
+ }
+ return ret;
+}
+
+static int rfbssl_do_read(rfbClientPtr cl, char *buf, int bufsize)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ int ret;
+
+ while ((ret = gnutls_record_recv(ctx->session, buf, bufsize)) < 0) {
+ if (ret == GNUTLS_E_AGAIN) {
+ /* continue */
+ } else if (ret == GNUTLS_E_INTERRUPTED) {
+ /* continue */
+ } else {
+ break;
+ }
+ }
+
+ if (ret < 0) {
+ rfbssl_error(__func__, ret);
+ errno = EIO;
+ ret = -1;
+ }
+
+ return ret < 0 ? -1 : ret;
+}
+
+int rfbssl_write(rfbClientPtr cl, const char *buf, int bufsize)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ int ret;
+
+ while ((ret = gnutls_record_send(ctx->session, buf, bufsize)) < 0) {
+ if (ret == GNUTLS_E_AGAIN) {
+ /* continue */
+ } else if (ret == GNUTLS_E_INTERRUPTED) {
+ /* continue */
+ } else {
+ break;
+ }
+ }
+
+ if (ret < 0)
+ rfbssl_error(__func__, ret);
+
+ return ret;
+}
+
+int rfbssl_peek(rfbClientPtr cl, char *buf, int bufsize)
+{
+ int ret = -1;
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+
+ if (ctx->peekstart) {
+ int spaceleft = sizeof(ctx->peekbuf) - ctx->peeklen - ctx->peekstart;
+ if (spaceleft < bufsize) {
+ memmove(ctx->peekbuf, ctx->peekbuf + ctx->peekstart, ctx->peeklen);
+ ctx->peekstart = 0;
+ }
+ }
+
+ /* If we have any peek data, simply return that. */
+ if (ctx->peeklen) {
+ if (bufsize > ctx->peeklen) {
+ /* more than we have, so we are trying to read the remaining
+ * bytes
+ **/
+ int required = bufsize - ctx->peeklen;
+ int total = ctx->peekstart + ctx->peeklen;
+ int n, avail = sizeof(ctx->peekbuf) - total;
+
+ if (required > avail)
+ required = avail;
+
+ if (!required) {
+ rfbErr("%s: no space left\n", __func__);
+ } else if ((n = rfbssl_do_read(cl, ctx->peekbuf + total, required)) < 0) {
+ rfbErr("%s: read error\n", __func__);
+ return n;
+ } else {
+ ctx->peeklen += n;
+ }
+ ret = ctx->peeklen;
+ } else {
+ /* simply return what we have */
+ ret = bufsize;
+ }
+ } else {
+ ret = bufsize;
+ if (ret > sizeof(ctx->peekbuf))
+ ret = sizeof(ctx->peekbuf);
+
+ if ((ret = rfbssl_do_read(cl, ctx->peekbuf, ret)) > 0)
+ ctx->peeklen = ret;
+ }
+
+ if (ret >= 0) {
+ memcpy(buf, ctx->peekbuf + ctx->peekstart, ret);
+ }
+
+ return ret;
+}
+
+int rfbssl_read(rfbClientPtr cl, char *buf, int bufsize)
+{
+ int ret;
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+
+ if (ctx->peeklen) {
+ /* If we have any peek data, simply return that. */
+ ret = bufsize < ctx->peeklen ? bufsize : ctx->peeklen;
+ memcpy (buf, ctx->peekbuf + ctx->peekstart, ret);
+ ctx->peeklen -= ret;
+ if (ctx->peeklen != 0)
+ ctx->peekstart += ret;
+ else
+ ctx->peekstart = 0;
+ } else {
+ ret = rfbssl_do_read(cl, buf, bufsize);
+ }
+
+ return ret;
+}
+
+int rfbssl_pending(rfbClientPtr cl)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ int ret = ctx->peeklen;
+
+ if (ret <= 0)
+ ret = gnutls_record_check_pending(ctx->session);
+
+ return ret;
+}
+
+void rfbssl_destroy(rfbClientPtr cl)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ gnutls_bye(ctx->session, GNUTLS_SHUT_WR);
+ gnutls_deinit(ctx->session);
+ gnutls_certificate_free_credentials(ctx->x509_cred);
+}
diff --git a/libvncserver/rfbssl_openssl.c b/libvncserver/rfbssl_openssl.c
new file mode 100644
index 0000000..cbd6865
--- /dev/null
+++ b/libvncserver/rfbssl_openssl.c
@@ -0,0 +1,135 @@
+/*
+ * rfbssl_openssl.c - Secure socket funtions (openssl version)
+ */
+
+/*
+ * Copyright (C) 2011 Gernot Tenchio
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ * USA.
+ */
+
+#include "rfbssl.h"
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+struct rfbssl_ctx {
+ SSL_CTX *ssl_ctx;
+ SSL *ssl;
+};
+
+static void rfbssl_error(void)
+{
+ char buf[1024];
+ unsigned long e = ERR_get_error();
+ rfbErr("%s (%ld)\n", ERR_error_string(e, buf), e);
+}
+
+int rfbssl_init(rfbClientPtr cl)
+{
+ char *keyfile;
+ int r, ret = -1;
+ struct rfbssl_ctx *ctx;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+
+ if (cl->screen->sslkeyfile && *cl->screen->sslkeyfile) {
+ keyfile = cl->screen->sslkeyfile;
+ } else {
+ keyfile = cl->screen->sslcertfile;
+ }
+
+ if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) {
+ rfbErr("OOM\n");
+ } else if (!cl->screen->sslcertfile || !cl->screen->sslcertfile[0]) {
+ rfbErr("SSL connection but no cert specified\n");
+ } else if (NULL == (ctx->ssl_ctx = SSL_CTX_new(TLSv1_server_method()))) {
+ rfbssl_error();
+ } else if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx, keyfile, SSL_FILETYPE_PEM) <= 0) {
+ rfbErr("Unable to load private key file %s\n", keyfile);
+ } else if (SSL_CTX_use_certificate_file(ctx->ssl_ctx, cl->screen->sslcertfile, SSL_FILETYPE_PEM) <= 0) {
+ rfbErr("Unable to load certificate file %s\n", cl->screen->sslcertfile);
+ } else if (NULL == (ctx->ssl = SSL_new(ctx->ssl_ctx))) {
+ rfbErr("SSL_new failed\n");
+ rfbssl_error();
+ } else if (!(SSL_set_fd(ctx->ssl, cl->sock))) {
+ rfbErr("SSL_set_fd failed\n");
+ rfbssl_error();
+ } else {
+ while ((r = SSL_accept(ctx->ssl)) < 0) {
+ if (SSL_get_error(ctx->ssl, r) != SSL_ERROR_WANT_READ)
+ break;
+ }
+ if (r < 0) {
+ rfbErr("SSL_accept failed %d\n", SSL_get_error(ctx->ssl, r));
+ } else {
+ cl->sslctx = (rfbSslCtx *)ctx;
+ ret = 0;
+ }
+ }
+ return ret;
+}
+
+int rfbssl_write(rfbClientPtr cl, const char *buf, int bufsize)
+{
+ int ret;
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+
+ while ((ret = SSL_write(ctx->ssl, buf, bufsize)) <= 0) {
+ if (SSL_get_error(ctx->ssl, ret) != SSL_ERROR_WANT_WRITE)
+ break;
+ }
+ return ret;
+}
+
+int rfbssl_peek(rfbClientPtr cl, char *buf, int bufsize)
+{
+ int ret;
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+
+ while ((ret = SSL_peek(ctx->ssl, buf, bufsize)) <= 0) {
+ if (SSL_get_error(ctx->ssl, ret) != SSL_ERROR_WANT_READ)
+ break;
+ }
+ return ret;
+}
+
+int rfbssl_read(rfbClientPtr cl, char *buf, int bufsize)
+{
+ int ret;
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+
+ while ((ret = SSL_read(ctx->ssl, buf, bufsize)) <= 0) {
+ if (SSL_get_error(ctx->ssl, ret) != SSL_ERROR_WANT_READ)
+ break;
+ }
+ return ret;
+}
+
+int rfbssl_pending(rfbClientPtr cl)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ return SSL_pending(ctx->ssl);
+}
+
+void rfbssl_destroy(rfbClientPtr cl)
+{
+ struct rfbssl_ctx *ctx = (struct rfbssl_ctx *)cl->sslctx;
+ if (ctx->ssl)
+ SSL_free(ctx->ssl);
+ if (ctx->ssl_ctx)
+ SSL_CTX_free(ctx->ssl_ctx);
+}
OpenPOWER on IntegriCloud