#951: add env var to make it possible to encrypt the first hello packet

git-svn-id: https://xpra.org/svn/Xpra/trunk@10336 3bb7dfac-3a0b-4e04-842a-767bc560f471
Xpra-org · Aug 18, 2015 · 9502078 · 9502078
1 parent 690f2f5
commit 9502078
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/src/xpra/client/client_base.py b/src/xpra/client/client_base.py
@@ -23,7 +23,7 @@
 from xpra.scripts.config import InitExit
 from xpra.child_reaper import getChildReaper, reaper_cleanup
 from xpra.net.protocol import Protocol, get_network_caps, sanity_checks
-from xpra.net.crypto import ENCRYPTION_CIPHERS
+from xpra.net.crypto import ENCRYPTION_CIPHERS, ENCRYPT_FIRST_PACKET, DEFAULT_IV, DEFAULT_SALT, DEFAULT_ITERATIONS
 from xpra.version_util import version_compat_check, get_version_info, local_version
 from xpra.platform.features import GOT_PASSWORD_PROMPT_SUGGESTION
 from xpra.platform.info import get_name
@@ -234,6 +234,9 @@ def setup_connection(self, conn):
         self._protocol.receive_aliases.update(self._aliases)
         self._protocol.enable_default_encoder()
         self._protocol.enable_default_compressor()
+        if self.encryption and ENCRYPT_FIRST_PACKET:
+            password = self.get_encryption_key()
+            self._protocol.set_cipher_out(self.encryption, DEFAULT_IV, password, DEFAULT_SALT, DEFAULT_ITERATIONS)
         self.have_more = self._protocol.source_has_more
         if conn.timeout>0:
             self.timeout_add((conn.timeout + EXTRA_TIMEOUT) * 1000, self.verify_connected)

diff --git a/src/xpra/net/crypto.py b/src/xpra/net/crypto.py
@@ -9,7 +9,11 @@
 log = Logger("network", "crypto")
 
 ENABLE_CRYPTO = os.environ.get("XPRA_ENABLE_CRYPTO", "1")=="1"
+ENCRYPT_FIRST_PACKET = os.environ.get("XPRA_ENCRYPT_FIRST_PACKET", "0")=="1"
 
+DEFAULT_IV = os.environ.get("XPRA_CRYPTO_DEFAULT_IV", "0000000000000000")
+DEFAULT_SALT = os.environ.get("XPRA_CRYPTO_DEFAULT_SALT", "0000000000000000")
+DEFAULT_ITERATIONS = int(os.environ.get("XPRA_CRYPTO_DEFAULT_ITERATIONS", "1000"))
 
 AES, PBKDF2 = None, None
 ENCRYPTION_CIPHERS = []
@@ -38,7 +42,7 @@ def get_salt():
     return KEY_SALT or (get_hex_uuid()+get_hex_uuid())
 
 def get_iterations():
-    return 1000
+    return DEFAULT_ITERATIONS
 
 
 def new_cipher_caps(proto, cipher, encryption_key):

diff --git a/src/xpra/server/server_core.py b/src/xpra/server/server_core.py
@@ -34,7 +34,7 @@
 from xpra.os_util import load_binary_file, get_machine_id, get_user_uuid, SIGNAMES, Queue
 from xpra.version_util import version_compat_check, get_version_info, get_platform_info, get_host_info, local_version
 from xpra.net.protocol import Protocol, get_network_caps, sanity_checks
-from xpra.net.crypto import new_cipher_caps, ENCRYPTION_CIPHERS
+from xpra.net.crypto import new_cipher_caps, ENCRYPTION_CIPHERS, ENCRYPT_FIRST_PACKET, DEFAULT_IV, DEFAULT_SALT, DEFAULT_ITERATIONS
 from xpra.server.background_worker import stop_worker, get_worker
 from xpra.make_thread import make_thread
 from xpra.server.proxy import XpraProxy
@@ -149,7 +149,9 @@ def __init__(self):
 
         #Features:
         self.digest_modes = ("hmac", )
+        self.encryption = None
         self.encryption_keyfile = None
+        self.tcp_encryption = None
         self.tcp_encryption_keyfile = None
         self.password_file = None
         self.compression_level = 1
@@ -179,7 +181,9 @@ def init(self, opts):
         self.main_socket_path = ""
         self._socket_dir = opts.socket_dir or opts.socket_dirs[0]
         self._tcp_proxy = opts.tcp_proxy
+        self.encryption = opts.encryption
         self.encryption_keyfile = opts.encryption_keyfile
+        self.tcp_encryption = opts.tcp_encryption
         self.tcp_encryption_keyfile = opts.tcp_encryption_keyfile
         self.password_file = opts.password_file
         self.compression_level = opts.compression_level
@@ -447,13 +451,19 @@ def _new_connection(self, listener, *args):
         protocol.authenticator = None
         if socktype=="tcp":
             protocol.auth_class = self.tcp_auth_class
+            protocol.encryption = self.tcp_encryption
             protocol.keyfile = self.tcp_encryption_keyfile
         else:
             protocol.auth_class = self.auth_class
+            protocol.encryption = self.encryption
             protocol.keyfile = self.encryption_keyfile
         protocol.socket_type = socktype
         protocol.invalid_header = self.invalid_header
         protocol.receive_aliases.update(self._aliases)
+        netlog.info("socktype=%s, auth class=%s, encryption=%s, keyfile=%s", socktype, protocol.auth_class, protocol.encryption, protocol.keyfile)
+        if protocol.encryption and ENCRYPT_FIRST_PACKET:
+            password = self.get_encryption_key(None, protocol.keyfile)
+            protocol.set_cipher_in(protocol.encryption, DEFAULT_IV, password, DEFAULT_SALT, DEFAULT_ITERATIONS)
         protocol.start()
         self.timeout_add(SOCKET_TIMEOUT*1000, self.verify_connection_accepted, protocol)
         return True
@@ -874,6 +884,9 @@ def up(prefix, d):
             filtered_env['XPRA_ENCRYPTION_KEY'] = "*****"
 
         up("network",   get_network_caps())
+        up("network", {"encryption"     : self.encryption or "",
+                       "tcp-encryption" : self.tcp_encryption or "",
+                       })
         up("server",    get_server_info())
         up("threads",   self.get_thread_info(proto))
         up("env",       filtered_env)