From f39671def2af442dde86764445b20714acbba0b0 Mon Sep 17 00:00:00 2001
From: Adam Tkac
Date: Wed, 21 Jul 2010 09:10:54 +0000
Subject: [PATCH] [Cleanup] Merge SSecurityTLS and SSecurityX509 classes into SSecurityTLSBase class.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4107 3789f03b-4d11-0410-bbf8-ca57d06f2519
---
 common/rfb/Makefile.am | 4 +-
 common/rfb/SSecurityTLS.cxx | 83 ------------------------
 common/rfb/SSecurityTLS.h | 56 ----------------
 common/rfb/SSecurityTLSBase.cxx | 109 +++++++++++++++++++++++++++-----
 common/rfb/SSecurityTLSBase.h | 18 +++++-
 common/rfb/SSecurityX509.cxx | 90 --------------------------
 common/rfb/SSecurityX509.h | 61 ------------------
 common/rfb/Security.cxx | 11 ++--
 8 files changed, 115 insertions(+), 317 deletions(-)
 delete mode 100644 common/rfb/SSecurityTLS.cxx
 delete mode 100644 common/rfb/SSecurityTLS.h
 delete mode 100644 common/rfb/SSecurityX509.cxx
 delete mode 100644 common/rfb/SSecurityX509.h
diff --git a/common/rfb/Makefile.am b/common/rfb/Makefile.am
index 260f4b6d..4aee2595 100644
--- a/common/rfb/Makefile.am
+++ b/common/rfb/Makefile.am
@@ -1,10 +1,10 @@
 noinst_LTLIBRARIES = librfb.la
 VENCRYPT_HDRS = CSecurityTLS.h CSecurityTLSBase.h CSecurityX509.h \
- SSecurityTLS.h SSecurityTLSBase.h SSecurityX509.h
+ SSecurityTLSBase.h
 VENCRYPT_SRCS = CSecurityTLS.cxx CSecurityTLSBase.cxx CSecurityX509.cxx \
- SSecurityTLS.cxx SSecurityTLSBase.cxx SSecurityX509.cxx
+ SSecurityTLSBase.cxx
 HDRS = Blacklist.h CapsContainer.h CapsList.h CConnection.h \
 CMsgHandler.h CMsgReader.h CMsgReaderV3.h CMsgWriter.h \
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
deleted file mode 100644
index 52fc9cb8..00000000
--- a/common/rfb/SSecurityTLS.cxx
+++ /dev/null
@@ -1,83 +0,0 @@ -/* - * Copyright (C) 2004 Red Hat Inc. - * Copyright (C) 2005 Martin Koegler - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifndef HAVE_GNUTLS -#error "This source should not be compiled without HAVE_GNUTLS defined" -#endif - -#include -#include - -#define DH_BITS 1024 - -#undef TLS_DEBUG - -using namespace rfb; - -SSecurityTLS::SSecurityTLS() : dh_params(0), anon_cred(0) -{ -} - -SSecurityTLS::~SSecurityTLS() -{ - shutdown(); - if (dh_params) - gnutls_dh_params_deinit(dh_params); - if (anon_cred) - gnutls_anon_free_server_credentials(anon_cred); -} - -void SSecurityTLS::freeResources() -{ - if (dh_params) - gnutls_dh_params_deinit(dh_params); - dh_params = 0; - if (anon_cred) - gnutls_anon_free_server_credentials(anon_cred); - anon_cred = 0; -} - -void SSecurityTLS::setParams(gnutls_session session) -{ - static const int kx_priority[] = {GNUTLS_KX_ANON_DH, 0}; - gnutls_kx_set_priority(session, kx_priority); - - if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); - - if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_init failed"); - - 
if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_generate2 failed"); - - gnutls_anon_set_server_dh_params(anon_cred, dh_params); - - if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) - != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_credentials_set failed"); - -} - diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h deleted file mode 100644 index 253ae84d..00000000 --- a/common/rfb/SSecurityTLS.h +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Copyright (C) 2004 Red Hat Inc. - * Copyright (C) 2005 Martin Koegler - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifndef __S_SECURITY_TLS_H__ -#define __S_SECURITY_TLS_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifndef HAVE_GNUTLS -#error "This header should not be included without HAVE_GNUTLS defined" -#endif - -#include -#include - -namespace rfb { - - class SSecurityTLS : public SSecurityTLSBase { - public: - SSecurityTLS(); - virtual ~SSecurityTLS(); - virtual int getType() const {return secTypeTLSNone;} - protected: - virtual void freeResources(); - virtual void setParams(gnutls_session session); - - private: - static void initGlobal(); - - gnutls_dh_params dh_params; - gnutls_anon_server_credentials anon_cred; - }; - -} - -#endif /* __S_SECURITY_TLS_H__ */ diff --git a/common/rfb/SSecurityTLSBase.cxx b/common/rfb/SSecurityTLSBase.cxx index 6801210a..8b9cae78 100644 --- a/common/rfb/SSecurityTLSBase.cxx +++ b/common/rfb/SSecurityTLSBase.cxx 
@@ -34,10 +34,17 @@
 #include
 #include
+#define DH_BITS 1024 /* XXX This should be configurable! */
 #define TLS_DEBUG
 using namespace rfb;
+StringParameter SSecurityTLSBase::X509_CertFile
+("x509cert", "specifies path to the x509 certificate in PEM format", "", ConfServer);
+
+StringParameter SSecurityTLSBase::X509_KeyFile
+("x509key", "specifies path to the key of the x509 certificate in PEM format", "", ConfServer);
+
 static LogWriter vlog("TLS");
 #ifdef TLS_DEBUG
@@ -64,30 +71,58 @@ void SSecurityTLSBase::initGlobal()
 }
 }
-SSecurityTLSBase::SSecurityTLSBase() : session(0)
+SSecurityTLSBase::SSecurityTLSBase(bool _anon) : session(0), dh_params(0),
+ anon_cred(0), cert_cred(0),
+ anon(_anon), fis(0), fos(0)
 {
- fis=0;
- fos=0;
+ certfile = X509_CertFile.getData();
+ keyfile = X509_KeyFile.getData();
 }
 void SSecurityTLSBase::shutdown()
 {
- if(session)
- ;//gnutls_bye(session, GNUTLS_SHUT_RDWR);
-}
+ if (session) {
+ if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {
+ /* FIXME: Treat as non-fatal error */
+ vlog.error("TLS session wasn't terminated gracefully");
+ }
+ }
+ if (dh_params) {
+ gnutls_dh_params_deinit(dh_params);
+ dh_params = 0;
+ }
+
+ if (anon_cred) {
+ gnutls_anon_free_server_credentials(anon_cred);
+ anon_cred = 0;
+ }
+
+ if (cert_cred) {
+ gnutls_certificate_free_credentials(cert_cred);
+ cert_cred = 0;
+ }
-SSecurityTLSBase::~SSecurityTLSBase()
-{
 if (session) {
- //gnutls_bye(session, GNUTLS_SHUT_RDWR);
 gnutls_deinit(session);
+ session = 0;
+
+ gnutls_global_deinit();
 }
- if(fis)
+}
+
+
+SSecurityTLSBase::~SSecurityTLSBase()
+{
+ shutdown();
+
+ if (fis)
 delete fis;
- if(fos)
+ if (fos)
 delete fos;
- /* FIXME: should be doing gnutls_global_deinit() at some point */
+
+ delete[] keyfile;
+ delete[] certfile;
 }
 bool SSecurityTLSBase::processMsg(SConnection *sc)
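Review bot: shutdown() now calls `gnutls_global_deinit();` once per session, inside the `if (session)` block that also deinitialises the session, but initGlobal() — whose body lies outside this hunk — looks like it calls gnutls_global_init() only once per process. GnuTLS' global init/deinit are reference-counted, so if that reading is right the first session to close drops the count to zero and every later session runs against a deinitialised library; either pair each deinit with a matching gnutls_global_init() per object (for example in the constructor) or keep the library initialised for the process lifetime, as the removed FIXME comment left it. The same shutdown() is also reached from the handshake-failure path in the next hunk of this file, so the imbalance applies there too.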
@@ -130,10 +165,7 @@ bool SSecurityTLSBase::processMsg(SConnection *sc)
 return false;
 }
 vlog.error("TLS Handshake failed: %s", gnutls_strerror (err));
- gnutls_bye(session, GNUTLS_SHUT_RDWR);
- freeResources();
- gnutls_deinit(session);
- session = 0;
+ shutdown();
 throw AuthFailureException("TLS Handshake failed");
 }
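Review bot: After a failed handshake this path now calls shutdown(), whose gnutls_bye() on a session that never completed its handshake is likely to fail and log `TLS session wasn't terminated gracefully` directly after the `TLS Handshake failed: %s` line above, so one rejected handshake produces two error entries in the server log. Consider skipping gnutls_bye() when the handshake did not complete, or lowering that message to debug level in shutdown(), so operators see a single cause per failed connection. processMsg() starts and ends outside this hunk.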
@@ -145,3 +177,48 @@ bool SSecurityTLSBase::processMsg(SConnection *sc)
 return true;
 }
+void SSecurityTLSBase::setParams(gnutls_session session)
+{
+ static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+
+ gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority);
+
+ if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_dh_params_init failed");
+
+ if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_dh_params_generate2 failed");
+
+ if (anon) {
+ if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
+
+ gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+
+ if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
+ != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_credentials_set failed");
+
+ vlog.debug("Anonymous session has been set");
+
+ } else {
+ if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
+
+ gnutls_certificate_set_dh_params(cert_cred, dh_params);
+
+ if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,
+ GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("load of key failed");
+
+ if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred)
+ != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_credentials_set failed");
+
+ vlog.debug("X509 session has been set");
+
+ }
+
+}
diff --git a/common/rfb/SSecurityTLSBase.h b/common/rfb/SSecurityTLSBase.h
index b1f2d448..d8f3adb9 100644
--- a/common/rfb/SSecurityTLSBase.h
+++ b/common/rfb/SSecurityTLSBase.h
@@ -31,6 +31,7 @@
 #endif
 #include
+#include
 #include
 #include
 #include
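Review bot: setParams() generates fresh Diffie-Hellman parameters with `gnutls_dh_params_generate2(dh_params, DH_BITS)` for every connection, with DH_BITS fixed at 1024 by the define added at the top of this file; a 1024-bit group is below current guidance for new deployments and per-connection generation is expensive, so both the size and the cost need more than the `XXX This should be configurable!` remark. Generating the parameters once (for example in initGlobal(), whose body is outside these hunks) and sharing them across sessions, with a larger or configurable size, would address both. Separately, the `throw AuthFailureException("load of key failed");` branch discards the GnuTLS return code; capturing it and logging `vlog.error("Failed to load x509 key/certificate: %s", gnutls_strerror(err));` before throwing, as the handshake path already does, would make a misconfigured `x509cert`/`x509key` diagnosable from the server log. The non-anonymous priority list also names GNUTLS_KX_SRP although no SRP credentials are ever set, so that entry can be dropped.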
@@ -39,20 +40,31 @@ namespace rfb {
 class SSecurityTLSBase : public SSecurity {
 public:
- SSecurityTLSBase();
+ SSecurityTLSBase(bool _anon);
 virtual ~SSecurityTLSBase();
 virtual bool processMsg(SConnection* sc);
 virtual const char* getUserName() const {return 0;}
+ virtual int getType() const { return anon ? secTypeTLSNone : secTypeX509None;}
+
+ static StringParameter X509_CertFile;
+ static StringParameter X509_KeyFile;
 protected:
 void shutdown();
- virtual void freeResources()=0;
- virtual void setParams(gnutls_session session)=0;
+ void setParams(gnutls_session session);
 private:
 static void initGlobal();
 gnutls_session session;
+ gnutls_dh_params dh_params;
+ gnutls_anon_server_credentials anon_cred;
+ gnutls_certificate_credentials cert_cred;
+ char *keyfile, *certfile;
+
+ int type;
+ bool anon;
+
 rdr::InStream* fis;
 rdr::OutStream* fos;
 };
diff --git a/common/rfb/SSecurityX509.cxx b/common/rfb/SSecurityX509.cxx
deleted file mode 100644
index 82a2b02b..00000000
--- a/common/rfb/SSecurityX509.cxx
+++ /dev/null
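Review bot: `int type;` is added to the private members but is never initialised by the new constructor in SSecurityTLSBase.cxx nor read anywhere in this patch — getType() derives its answer from `anon` — so it is an uninitialised dead member and should be removed. The new single-argument constructor should be declared `explicit SSecurityTLSBase(bool _anon);`, because any pointer converts implicitly to bool and `new SSecurityTLSBase(some_pointer)` would otherwise compile silently as an anonymous-TLS session. Splitting `char *keyfile, *certfile;` into one declaration per line would match the surrounding members.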
@@ -1,90 +0,0 @@ -/* - * Copyright (C) 2005 Martin Koegler - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifndef HAVE_GNUTLS -#error "This source should not be compiled without HAVE_GNUTLS defined" -#endif - -#include -#include - -#define DH_BITS 1024 - -using namespace rfb; - -StringParameter SSecurityX509::X509_CertFile -("x509cert", "specifies path to the x509 certificate in PEM format", "", ConfServer); - -StringParameter SSecurityX509::X509_KeyFile -("x509key", "specifies path to the key of the x509 certificate in PEM format", "", ConfServer); - -SSecurityX509::SSecurityX509() : dh_params(0), cert_cred(0) -{ - certfile = X509_CertFile.getData(); - keyfile = X509_KeyFile.getData(); -} - -SSecurityX509::~SSecurityX509() -{ - shutdown(); - if (dh_params) - gnutls_dh_params_deinit(dh_params); - if (cert_cred) - gnutls_certificate_free_credentials(cert_cred); - delete[] keyfile; - delete[] certfile; -} - -void SSecurityX509::freeResources() -{ - if (dh_params) - gnutls_dh_params_deinit(dh_params); - dh_params=0; - if (cert_cred) - gnutls_certificate_free_credentials(cert_cred); - cert_cred=0; -} - -void SSecurityX509::setParams(gnutls_session session) -{ - static const int kx_priority[] = {GNUTLS_KX_DHE_DSS, 
GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; - gnutls_kx_set_priority(session, kx_priority); - - if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) - goto error; - if (gnutls_dh_params_init(&dh_params) < 0) - goto error; - if (gnutls_dh_params_generate2(dh_params, DH_BITS) < 0) - goto error; - gnutls_certificate_set_dh_params(cert_cred, dh_params); - if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,GNUTLS_X509_FMT_PEM) < 0) - throw AuthFailureException("load of key failed"); - if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) < 0) - goto error; - return; - - error: - throw AuthFailureException("setParams failed"); -} - diff --git a/common/rfb/SSecurityX509.h b/common/rfb/SSecurityX509.h deleted file mode 100644 index 64fa6ec3..00000000 --- a/common/rfb/SSecurityX509.h +++ /dev/null 
@@ -1,61 +0,0 @@ -/* - * Copyright (C) 2006 OCCAM Financial Technology - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifndef __S_SECURITY_X509_H__ -#define __S_SECURITY_X509_H__ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#ifndef HAVE_GNUTLS -#error "This header should not be compiled without HAVE_GNUTLS defined" -#endif - -#include -#include - -namespace rfb { - - class SSecurityX509 : public SSecurityTLSBase { - public: - SSecurityX509(); - virtual ~SSecurityX509(); - virtual int getType() const { return secTypeX509None; } - - static StringParameter X509_CertFile; - static StringParameter X509_KeyFile; - - protected: - virtual void freeResources(); - virtual void setParams(gnutls_session session); - - private: - static void initGlobal(); - - gnutls_dh_params dh_params; - gnutls_certificate_credentials cert_cred; - char* keyfile; - char* certfile; - }; - -} - -#endif /* __S_SECURITY_TLS_H__ */ diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx index 37ecc153..6462edcf 100644 --- a/common/rfb/Security.cxx +++ b/common/rfb/Security.cxx @@ -41,8 +41,7 @@ #ifdef HAVE_GNUTLS #include #include -#include -#include +#include #endif #include 
@@ -125,13 +124,13 @@ SSecurity* Security::GetSSecurity(U32 secType)
 case secTypeVeNCrypt:
 return new SSecurityVeNCrypt(this);
 #ifdef HAVE_GNUTLS
 case secTypeTLSNone:
- return new SSecurityStack(secTypeTLSNone, new SSecurityTLS());
+ return new SSecurityStack(secTypeTLSNone, new SSecurityTLSBase(true));
 case secTypeTLSVnc:
- return new SSecurityStack(secTypeTLSVnc, new SSecurityTLS(), new SSecurityVncAuth());
+ return new SSecurityStack(secTypeTLSVnc, new SSecurityTLSBase(true), new SSecurityVncAuth());
 case secTypeX509None:
- return new SSecurityStack(secTypeX509None, new SSecurityX509());
+ return new SSecurityStack(secTypeX509None, new SSecurityTLSBase(false));
 case secTypeX509Vnc:
- return new SSecurityStack(secTypeX509None, new SSecurityX509(), new SSecurityVncAuth());
+ return new SSecurityStack(secTypeX509None, new SSecurityTLSBase(false), new SSecurityVncAuth());
 #endif
 }
-- 
2.39.5
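Review bot: The new line under `case secTypeX509Vnc:` still passes `secTypeX509None` as the stack's type while the other three cases pass their own constant; it should read `return new SSecurityStack(secTypeX509Vnc, new SSecurityTLSBase(false), new SSecurityVncAuth());`. The mismatch predates this commit, but the line is rewritten here and the stack would otherwise report an X509Vnc negotiation as X509None to whatever reads the stack's type. GetSSecurity() starts outside this hunk.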