GithubFollow/One-KVM
1
0
Fork 0
mirror of https://github.com/mofeng-git/One-KVM.git synced 2025-12-12 01:00:29 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactoring of x509

Browse Source
This commit is contained in:
Devaev Maxim 2021-02-12 05:21:06 +03:00
parent a71f5269ae
commit 4760a0bdda
6 changed files with 36 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Makefile
View File

@ -173,6 +173,7 @@ run-vnc: testenv
cp /usr/share/kvmd/configs.default/kvmd/*.yaml /etc/kvmd \
&& cp /usr/share/kvmd/configs.default/kvmd/*passwd /etc/kvmd \
&& cp /usr/share/kvmd/configs.default/kvmd/main/$(if $(P),$(P),$(DEFAULT_PLATFORM)).yaml /etc/kvmd/main.yaml \
&& cp -a /testenv/.ssl /etc/kvmd/nginx/ssl \
&& cp /testenv/$(if $(P),$(P),$(DEFAULT_PLATFORM)).override.yaml /etc/kvmd/override.yaml \
&& $(if $(CMD),$(CMD),python -m kvmd.apps.vnc --run) \
"

4
kvmd/apps/__init__.py
View File

@ -586,6 +586,10 @@ def _get_config_scheme() -> Dict:
"tls": {
"ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")),
"timeout": Option(5.0, type=valid_float_f01),
"x509": {
"cert": Option("", type=_make_ifarg(valid_abs_file, "")),
"key": Option("", type=_make_ifarg(valid_abs_file, "")),
},
},
},

2
kvmd/apps/vnc/__init__.py
View File

@ -68,6 +68,8 @@ def main(argv: Optional[List[str]]=None) -> None:
tls_ciphers=config.server.tls.ciphers,
tls_timeout=config.server.tls.timeout,
x509_cert_path=config.server.tls.x509.cert,
x509_key_path=config.server.tls.x509.key,
desired_fps=config.desired_fps,
keymap_path=config.keymap,

32
kvmd/apps/vnc/rfb/__init__.py
View File

@ -42,7 +42,6 @@ from .encodings import RfbClientEncodings
from .crypto import rfb_make_challenge
from .crypto import rfb_encrypt_challenge
from .crypto import create_self_signed_cert_if_nonexistent, key_file_name, cert_file_name
from .stream import RfbClientStream
@ -53,12 +52,14 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
# https://www.toptal.com/java/implementing-remote-framebuffer-server-java
# https://github.com/TigerVNC/tigervnc
def __init__(
def __init__( # pylint: disable=too-many-arguments
self,
reader: asyncio.StreamReader,
writer: asyncio.StreamWriter,
tls_ciphers: str,
tls_timeout: float,
x509_cert_path: str,
x509_key_path: str,
width: int,
height: int,
@ -71,6 +72,8 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
self.__tls_ciphers = tls_ciphers
self.__tls_timeout = tls_timeout
self.__x509_cert_path = x509_cert_path
self.__x509_key_path = x509_key_path
self._width = width
self._height = height
@ -245,7 +248,7 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
get_logger(0).info("[main] %s: Using %s security type", self._remote, sec_name)
await handler()
async def __handshake_security_vencrypt(self) -> None:
async def __handshake_security_vencrypt(self) -> None: # pylint: disable=too-many-branches
await self._write_struct("BB", 0, 2) # VeNCrypt 0.2
vencrypt_version = "%d.%d" % (await self._read_struct("BB"))
@ -256,21 +259,27 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
await self._write_struct("B", 0)
if self.__none_auth_only:
auth_types = {1: ("VeNCrypt/None", False, self.__handshake_security_none)}
auth_types = {1: ("VeNCrypt/None", 0, self.__handshake_security_none)}
if self.__tls_ciphers:
auth_types[257] = ("VeNCrypt/TLSNone", True, self.__handshake_security_none)
if self.__x509_cert_path:
auth_types[260] = ("VeNCrypt/X509None", 2, self.__handshake_security_none)
auth_types[257] = ("VeNCrypt/TLSNone", 1, self.__handshake_security_none)
else:
auth_types = {256: ("VeNCrypt/Plain", False, self.__handshake_security_vencrypt_userpass)}
auth_types = {256: ("VeNCrypt/Plain", 0, self.__handshake_security_vencrypt_userpass)}
if self.__tls_ciphers:
auth_types[262] = ("VeNCrypt/X509Plain", True, self.__handshake_security_vencrypt_userpass)
if self.__x509_cert_path:
auth_types[262] = ("VeNCrypt/X509Plain", 2, self.__handshake_security_vencrypt_userpass)
auth_types[259] = ("VeNCrypt/TLSPlain", 1, self.__handshake_security_vencrypt_userpass)
if self.__vnc_passwds:
# Vinagre не умеет работать с VNC Auth через VeNCrypt, но это его проблемы,
# так как он своеобразно трактует рекомендации VeNCrypt.
# Подробнее: https://bugzilla.redhat.com/show_bug.cgi?id=692048
# Hint: используйте любой другой нормальный VNC-клиент.
auth_types[2] = ("VeNCrypt/VNCAuth", False, self.__handshake_security_vnc_auth)
auth_types[2] = ("VeNCrypt/VNCAuth", 0, self.__handshake_security_vnc_auth)
if self.__tls_ciphers:
auth_types[258] = ("VeNCrypt/TLSVNCAuth", True, self.__handshake_security_vnc_auth)
if self.__x509_cert_path:
auth_types[261] = ("VeNCrypt/X509VNCAuth", 2, self.__handshake_security_vnc_auth)
auth_types[258] = ("VeNCrypt/TLSVNCAuth", 1, self.__handshake_security_vnc_auth)
await self._write_struct("B" + "L" * len(auth_types), len(auth_types), *auth_types)
@ -285,8 +294,9 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
assert self.__tls_ciphers, (self.__tls_ciphers, auth_name, tls, handler)
await self._write_struct("B", 1) # Ack
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
create_self_signed_cert_if_nonexistent(key_file_name, cert_file_name)
ssl_context.load_cert_chain(keyfile=key_file_name, certfile=cert_file_name)
if tls == 2:
assert self.__x509_cert_path
ssl_context.load_cert_chain(self.__x509_cert_path, (self.__x509_key_path or None))
ssl_context.set_ciphers(self.__tls_ciphers)
await self._start_tls(ssl_context, self.__tls_timeout)

35
kvmd/apps/vnc/rfb/crypto.py
View File

@ -26,14 +26,6 @@ from typing import List
import passlib.crypto.des
from OpenSSL import crypto, SSL
from socket import gethostname
from pprint import pprint
from time import gmtime, mktime
import os.path
key_file_name = "private_vnc.key"
cert_file_name = "self_signed_cert.crt"
# =====
def rfb_make_challenge() -> bytes:
@ -59,30 +51,3 @@ def _make_key(passwd: bytes) -> bytes:
btgt = btgt | (1 << 7 - index)
key.append(btgt)
return bytes(key)
def create_self_signed_cert_if_nonexistent(key_file, cert_file):
if os.path.isfile(key_file) and os.path.isfile(cert_file):
return
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().C = "CA"
cert.get_subject().ST = "Toronto"
cert.get_subject().L = "Toronto"
cert.get_subject().O = "Company Ltd"
cert.get_subject().OU = "Company Ltd"
cert.get_subject().CN = gethostname()
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(100*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha256')
open(key_file, "wt").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8'))
open(cert_file, "wt").write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))

8
kvmd/apps/vnc/server.py
View File

@ -79,6 +79,8 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes
writer: asyncio.StreamWriter,
tls_ciphers: str,
tls_timeout: float,
x509_cert_path: str,
x509_key_path: str,
desired_fps: int,
keymap_name: str,
@ -99,6 +101,8 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes
writer=writer,
tls_ciphers=tls_ciphers,
tls_timeout=tls_timeout,
x509_cert_path=x509_cert_path,
x509_key_path=x509_key_path,
vnc_passwds=list(vnc_credentials),
none_auth_only=none_auth_only,
**dataclasses.asdict(shared_params),
@ -406,6 +410,8 @@ class VncServer: # pylint: disable=too-many-instance-attributes
tls_ciphers: str,
tls_timeout: float,
x509_cert_path: str,
x509_key_path: str,
desired_fps: int,
keymap_path: str,
@ -456,6 +462,8 @@ class VncServer: # pylint: disable=too-many-instance-attributes
writer=writer,
tls_ciphers=tls_ciphers,
tls_timeout=tls_timeout,
x509_cert_path=x509_cert_path,
x509_key_path=x509_key_path,
desired_fps=desired_fps,
keymap_name=keymap_name,
symmap=symmap,