author | Adam Tkac <atkac@redhat.com> | 2010-07-21 09:10:54 +0000 |
---|---|---|
committer | Adam Tkac <atkac@redhat.com> | 2010-07-21 09:10:54 +0000 |
commit | f39671def2af442dde86764445b20714acbba0b0 (patch) | |
tree | 29841c38a08e438a01bf30b3c68e3dff77279a65 | |
parent | f5f6a00dfb329b5e4b8c8349f8cac8b0036abbc9 (diff) | |
[Cleanup] Merge SSecurityTLS and SSecurityX509 classes into SSecurityTLSBase class.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4107 3789f03b-4d11-0410-bbf8-ca57d06f2519
-rw-r--r-- | common/rfb/Makefile.am | 4 | ||||
-rw-r--r-- | common/rfb/SSecurityTLS.cxx | 83 | ||||
-rw-r--r-- | common/rfb/SSecurityTLS.h | 56 | ||||
-rw-r--r-- | common/rfb/SSecurityTLSBase.cxx | 109 | ||||
-rw-r--r-- | common/rfb/SSecurityTLSBase.h | 18 | ||||
-rw-r--r-- | common/rfb/SSecurityX509.cxx | 90 | ||||
-rw-r--r-- | common/rfb/SSecurityX509.h | 61 | ||||
-rw-r--r-- | common/rfb/Security.cxx | 11 |
8 files changed, 115 insertions, 317 deletions
diff --git a/common/rfb/Makefile.am b/common/rfb/Makefile.am
index 260f4b6d..4aee2595 100644
--- a/common/rfb/Makefile.am
+++ b/common/rfb/Makefile.am
@@ -1,10 +1,10 @@
 noinst_LTLIBRARIES = librfb.la
 VENCRYPT_HDRS = CSecurityTLS.h CSecurityTLSBase.h CSecurityX509.h \
- SSecurityTLS.h SSecurityTLSBase.h SSecurityX509.h
+ SSecurityTLSBase.h
 VENCRYPT_SRCS = CSecurityTLS.cxx CSecurityTLSBase.cxx CSecurityX509.cxx \
- SSecurityTLS.cxx SSecurityTLSBase.cxx SSecurityX509.cxx
+ SSecurityTLSBase.cxx
 HDRS = Blacklist.h CapsContainer.h CapsList.h CConnection.h \
 CMsgHandler.h CMsgReader.h CMsgReaderV3.h CMsgWriter.h \
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
deleted file mode 100644
index 52fc9cb8..00000000
--- a/common/rfb/SSecurityTLS.cxx
+++ /dev/null
@@ -1,83 +0,0 @@ -/* - * Copyright (C) 2004 Red Hat Inc. - * Copyright (C) 2005 Martin Koegler - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - -#ifndef HAVE_GNUTLS -#error "This source should not be compiled without HAVE_GNUTLS defined" -#endif - -#include <rfb/SSecurityTLS.h> -#include <rfb/Exception.h> - -#define DH_BITS 1024 - -#undef TLS_DEBUG - -using namespace rfb; - -SSecurityTLS::SSecurityTLS() : dh_params(0), anon_cred(0) -{ -} - -SSecurityTLS::~SSecurityTLS() -{ - shutdown(); - if (dh_params) - gnutls_dh_params_deinit(dh_params); - if (anon_cred) - gnutls_anon_free_server_credentials(anon_cred); -} - -void SSecurityTLS::freeResources() -{ - if (dh_params) - gnutls_dh_params_deinit(dh_params); - dh_params = 0; - if (anon_cred) - gnutls_anon_free_server_credentials(anon_cred); - anon_cred = 0; -} - -void SSecurityTLS::setParams(gnutls_session session) -{ - static const int kx_priority[] = {GNUTLS_KX_ANON_DH, 0}; - gnutls_kx_set_priority(session, kx_priority); - - if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); - - if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) - throw 
AuthFailureException("gnutls_dh_params_init failed"); - - if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_generate2 failed"); - - gnutls_anon_set_server_dh_params(anon_cred, dh_params); - - if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) - != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_credentials_set failed"); - -} - diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h deleted file mode 100644 index 253ae84d..00000000 --- a/common/rfb/SSecurityTLS.h +++ /dev/null @@ -1,56 +0,0 @@ -/*
- * Copyright (C) 2004 Red Hat Inc.
- * Copyright (C) 2005 Martin Koegler
- * Copyright (C) 2010 TigerVNC Team
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef __S_SECURITY_TLS_H__
-#define __S_SECURITY_TLS_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifndef HAVE_GNUTLS
-#error "This header should not be included without HAVE_GNUTLS defined"
-#endif
-
-#include <rfb/SSecurityTLSBase.h>
-#include <rfb/SSecurityVeNCrypt.h>
-
-namespace rfb {
-
- class SSecurityTLS : public SSecurityTLSBase {
- public:
- SSecurityTLS();
- virtual ~SSecurityTLS();
- virtual int getType() const {return secTypeTLSNone;}
- protected:
- virtual void freeResources();
- virtual void setParams(gnutls_session session);
-
- private:
- static void initGlobal();
-
- gnutls_dh_params dh_params;
- gnutls_anon_server_credentials anon_cred;
- };
-
-}
-
-#endif /* __S_SECURITY_TLS_H__ */
diff --git a/common/rfb/SSecurityTLSBase.cxx b/common/rfb/SSecurityTLSBase.cxx
index 6801210a..8b9cae78 100644
--- a/common/rfb/SSecurityTLSBase.cxx
+++ b/common/rfb/SSecurityTLSBase.cxx
@@ -34,10 +34,17 @@
 #include <rdr/TLSInStream.h>
 #include <rdr/TLSOutStream.h>
+#define DH_BITS 1024 /* XXX This should be configurable! */
 #define TLS_DEBUG
 using namespace rfb;
+StringParameter SSecurityTLSBase::X509_CertFile
+("x509cert", "specifies path to the x509 certificate in PEM format", "", ConfServer);
+
+StringParameter SSecurityTLSBase::X509_KeyFile
+("x509key", "specifies path to the key of the x509 certificate in PEM format", "", ConfServer);
+
 static LogWriter vlog("TLS");
 #ifdef TLS_DEBUG
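Review bot: `#define DH_BITS 1024` now fixes the Diffie-Hellman group size for both the anonymous and the X.509 server modes, and the `XXX This should be configurable!` comment it carries is the right instinct: a 1024-bit group leaves little margin against offline attacks, and a macro gives the administrator no way to raise it. Since this hunk already introduces `X509_CertFile` and `X509_KeyFile` as `StringParameter`s, the group size could be exposed the same way (an `IntParameter` next to them, read in setParams() instead of the macro) and documented with the other VeNCrypt server options. If it stays a macro for now, the comment should at least say that the one value feeds both `gnutls_anon_set_server_dh_params()` and `gnutls_certificate_set_dh_params()`, so a reader does not assume the X.509 mode has its own setting.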
@@ -64,30 +71,58 @@ void SSecurityTLSBase::initGlobal() } } -SSecurityTLSBase::SSecurityTLSBase() : session(0) +SSecurityTLSBase::SSecurityTLSBase(bool _anon) : session(0), dh_params(0), + anon_cred(0), cert_cred(0), + anon(_anon), fis(0), fos(0) { - fis=0; - fos=0; + certfile = X509_CertFile.getData(); + keyfile = X509_KeyFile.getData(); } void SSecurityTLSBase::shutdown() { - if(session) - ;//gnutls_bye(session, GNUTLS_SHUT_RDWR); -} + if (session) { + if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) { + /* FIXME: Treat as non-fatal error */ + vlog.error("TLS session wasn't terminated gracefully"); + } + } + if (dh_params) { + gnutls_dh_params_deinit(dh_params); + dh_params = 0; + } + + if (anon_cred) { + gnutls_anon_free_server_credentials(anon_cred); + anon_cred = 0; + } + + if (cert_cred) { + gnutls_certificate_free_credentials(cert_cred); + cert_cred = 0; + } -SSecurityTLSBase::~SSecurityTLSBase() -{ if (session) { - //gnutls_bye(session, GNUTLS_SHUT_RDWR); gnutls_deinit(session); + session = 0; + + gnutls_global_deinit(); } - if(fis) +} + + +SSecurityTLSBase::~SSecurityTLSBase() +{ + shutdown(); + + if (fis) delete fis; - if(fos) + if (fos) delete fos; - /* FIXME: should be doing gnutls_global_deinit() at some point */ + + delete[] keyfile; + delete[] certfile; } bool SSecurityTLSBase::processMsg(SConnection *sc) @@ -130,10 +165,7 @@ bool SSecurityTLSBase::processMsg(SConnection *sc) return false; } vlog.error("TLS Handshake failed: %s", gnutls_strerror (err)); - gnutls_bye(session, GNUTLS_SHUT_RDWR); - freeResources(); - gnutls_deinit(session); - session = 0; + shutdown(); throw AuthFailureException("TLS Handshake failed"); } 
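Review bot: shutdown() now calls gnutls_global_deinit() every time a session is torn down, while initialisation is done by initGlobal(), whose body lies outside this hunk; if initGlobal() performs gnutls_global_init() only once behind a static guard, the init/deinit calls are unbalanced and the library can be torn down while other connections are still using it, since GnuTLS (as far as I recall) counts init/deinit pairs rather than tracking sessions. Either make the pairing explicit — call gnutls_global_init() once per object in the constructor so the library's own counting keeps it alive until the last shutdown() — or keep gnutls_global_deinit() out of shutdown() and leave it to process exit, as the removed `/* FIXME: should be doing gnutls_global_deinit() at some point */` comment was hinting. Whichever is chosen, a one-line comment above the deinit call stating which initialisation it balances would stop the next refactor from reintroducing the mismatch.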
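Review bot: The handshake-failure path now calls shutdown(), which runs gnutls_bye() on a session whose handshake never completed; that call is most likely to fail there, so `vlog.error("TLS session wasn't terminated gracefully")` will be logged for every rejected client in addition to the `TLS Handshake failed` message, which makes the error log harder to read and the graceful-termination message meaningless. Consider skipping gnutls_bye() unless the handshake completed (a flag set where processMsg() returns true, outside this hunk), or lowering that message to debug level on the failure path. processMsg() starts and ends outside the hunk, and the destructor reaches the same shutdown() path, so the same noise would appear when an object is destroyed before the handshake finished.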
@@ -145,3 +177,48 @@ bool SSecurityTLSBase::processMsg(SConnection *sc) return true; } +void SSecurityTLSBase::setParams(gnutls_session session) +{ + static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; + static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; + + gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority); + + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); + + if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_generate2 failed"); + + if (anon) { + if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); + + gnutls_anon_set_server_dh_params(anon_cred, dh_params); + + if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) + != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_credentials_set failed"); + + vlog.debug("Anonymous session has been set"); + + } else { + if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); + + gnutls_certificate_set_dh_params(cert_cred, dh_params); + + if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, + GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS) + throw AuthFailureException("load of key failed"); + + if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) + != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_credentials_set failed"); + + vlog.debug("X509 session has been set"); + + } + +} diff --git a/common/rfb/SSecurityTLSBase.h b/common/rfb/SSecurityTLSBase.h index b1f2d448..d8f3adb9 100644 --- a/common/rfb/SSecurityTLSBase.h +++ b/common/rfb/SSecurityTLSBase.h 
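Review bot: setParams() runs gnutls_dh_params_generate2() on every connection, so each client that selects a TLS security type makes the server generate a fresh 1024-bit DH group before the handshake can even start; that is a large CPU cost per connection which any unauthenticated client can trigger, and it was true of both classes being merged, so this is a good moment to fix it. The group only needs to be generated once (for example from initGlobal() into a static, or lazily on first use under the same guard) and can then be shared by `gnutls_anon_set_server_dh_params()` and `gnutls_certificate_set_dh_params()`; the per-object `dh_params` member and its deinit in shutdown() would go away with it. Separately, `throw AuthFailureException("load of key failed");` discards both the GnuTLS error and the paths involved, which is exactly what an administrator needs when `x509cert`/`x509key` are unset or unreadable; capture the return value and log it, e.g. `vlog.error("failed to load certificate %s / key %s: %s", certfile, keyfile, gnutls_strerror(err));`, before throwing.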
@@ -31,6 +31,7 @@
 #endif
 #include <rfb/SSecurity.h>
+#include <rfb/SSecurityVeNCrypt.h>
 #include <rdr/InStream.h>
 #include <rdr/OutStream.h>
 #include <gnutls/gnutls.h>
@@ -39,20 +40,31 @@ namespace rfb { class SSecurityTLSBase : public SSecurity {
 public:
- SSecurityTLSBase();
+ SSecurityTLSBase(bool _anon);
 virtual ~SSecurityTLSBase();
 virtual bool processMsg(SConnection* sc);
 virtual const char* getUserName() const {return 0;}
+ virtual int getType() const { return anon ? secTypeTLSNone : secTypeX509None;}
+
+ static StringParameter X509_CertFile;
+ static StringParameter X509_KeyFile;
 protected:
 void shutdown();
- virtual void freeResources()=0;
- virtual void setParams(gnutls_session session)=0;
+ void setParams(gnutls_session session);
 private:
 static void initGlobal();
 gnutls_session session;
+ gnutls_dh_params dh_params;
+ gnutls_anon_server_credentials anon_cred;
+ gnutls_certificate_credentials cert_cred;
+ char *keyfile, *certfile;
+
+ int type;
+ bool anon;
+
 rdr::InStream* fis;
 rdr::OutStream* fos;
 };
diff --git a/common/rfb/SSecurityX509.cxx b/common/rfb/SSecurityX509.cxx
deleted file mode 100644
index 82a2b02b..00000000
--- a/common/rfb/SSecurityX509.cxx
+++ /dev/null
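Review bot: `int type;` is added as a private member but nothing in this commit initialises or reads it — the constructor's initialiser list in SSecurityTLSBase.cxx sets session, dh_params, anon_cred, cert_cred, anon, fis and fos, and getType() derives the type from `anon` — so it is an uninitialised dead field and should be dropped. The new single-argument constructor should be `explicit SSecurityTLSBase(bool _anon);` so that a bare `true`/`false` or an int cannot convert silently into a security object at the call sites in Security.cxx. Minor: `char *keyfile, *certfile;` reads better as one declaration per line, and a comment on `anon` noting that it selects both the key-exchange priority list and the credential type in setParams() would make the header self-explaining.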
@@ -1,90 +0,0 @@ -/* - * Copyright (C) 2005 Martin Koegler - * Copyright (C) 2010 TigerVNC Team - * - * This is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this software; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, - * USA. - */ - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - -#ifndef HAVE_GNUTLS -#error "This source should not be compiled without HAVE_GNUTLS defined" -#endif - -#include <rfb/SSecurityX509.h> -#include <rfb/Exception.h> - -#define DH_BITS 1024 - -using namespace rfb; - -StringParameter SSecurityX509::X509_CertFile -("x509cert", "specifies path to the x509 certificate in PEM format", "", ConfServer); - -StringParameter SSecurityX509::X509_KeyFile -("x509key", "specifies path to the key of the x509 certificate in PEM format", "", ConfServer); - -SSecurityX509::SSecurityX509() : dh_params(0), cert_cred(0) -{ - certfile = X509_CertFile.getData(); - keyfile = X509_KeyFile.getData(); -} - -SSecurityX509::~SSecurityX509() -{ - shutdown(); - if (dh_params) - gnutls_dh_params_deinit(dh_params); - if (cert_cred) - gnutls_certificate_free_credentials(cert_cred); - delete[] keyfile; - delete[] certfile; -} - -void SSecurityX509::freeResources() -{ - if (dh_params) - gnutls_dh_params_deinit(dh_params); - dh_params=0; - if (cert_cred) - gnutls_certificate_free_credentials(cert_cred); - cert_cred=0; -} - -void SSecurityX509::setParams(gnutls_session session) -{ - 
static const int kx_priority[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; - gnutls_kx_set_priority(session, kx_priority); - - if (gnutls_certificate_allocate_credentials(&cert_cred) < 0) - goto error; - if (gnutls_dh_params_init(&dh_params) < 0) - goto error; - if (gnutls_dh_params_generate2(dh_params, DH_BITS) < 0) - goto error; - gnutls_certificate_set_dh_params(cert_cred, dh_params); - if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile,GNUTLS_X509_FMT_PEM) < 0) - throw AuthFailureException("load of key failed"); - if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred) < 0) - goto error; - return; - - error: - throw AuthFailureException("setParams failed"); -} - diff --git a/common/rfb/SSecurityX509.h b/common/rfb/SSecurityX509.h deleted file mode 100644 index 64fa6ec3..00000000 --- a/common/rfb/SSecurityX509.h +++ /dev/null @@ -1,61 +0,0 @@ -/*
- * Copyright (C) 2006 OCCAM Financial Technology
- * Copyright (C) 2010 TigerVNC Team
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef __S_SECURITY_X509_H__
-#define __S_SECURITY_X509_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifndef HAVE_GNUTLS
-#error "This header should not be compiled without HAVE_GNUTLS defined"
-#endif
-
-#include <rfb/SSecurityTLSBase.h>
-#include <rfb/SSecurityVeNCrypt.h>
-
-namespace rfb {
-
- class SSecurityX509 : public SSecurityTLSBase {
- public:
- SSecurityX509();
- virtual ~SSecurityX509();
- virtual int getType() const { return secTypeX509None; }
-
- static StringParameter X509_CertFile;
- static StringParameter X509_KeyFile;
-
- protected:
- virtual void freeResources();
- virtual void setParams(gnutls_session session);
-
- private:
- static void initGlobal();
-
- gnutls_dh_params dh_params;
- gnutls_certificate_credentials cert_cred;
- char* keyfile;
- char* certfile;
- };
-
-}
-
-#endif /* __S_SECURITY_TLS_H__ */
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
index 37ecc153..6462edcf 100644
--- a/common/rfb/Security.cxx
+++ b/common/rfb/Security.cxx
@@ -41,8 +41,7 @@
 #ifdef HAVE_GNUTLS
 #include <rfb/CSecurityTLS.h>
 #include <rfb/CSecurityX509.h>
-#include <rfb/SSecurityTLS.h>
-#include <rfb/SSecurityX509.h>
+#include <rfb/SSecurityTLSBase.h>
 #endif
 #include <rfb/util.h>
@@ -125,13 +124,13 @@ SSecurity* Security::GetSSecurity(U32 secType)
 case secTypeVeNCrypt:
 return new SSecurityVeNCrypt(this);
 #ifdef HAVE_GNUTLS
 case secTypeTLSNone:
- return new SSecurityStack(secTypeTLSNone, new SSecurityTLS());
+ return new SSecurityStack(secTypeTLSNone, new SSecurityTLSBase(true));
 case secTypeTLSVnc:
- return new SSecurityStack(secTypeTLSVnc, new SSecurityTLS(), new SSecurityVncAuth());
+ return new SSecurityStack(secTypeTLSVnc, new SSecurityTLSBase(true), new SSecurityVncAuth());
 case secTypeX509None:
- return new SSecurityStack(secTypeX509None, new SSecurityX509());
+ return new SSecurityStack(secTypeX509None, new SSecurityTLSBase(false));
 case secTypeX509Vnc:
- return new SSecurityStack(secTypeX509None, new SSecurityX509(), new SSecurityVncAuth());
+ return new SSecurityStack(secTypeX509None, new SSecurityTLSBase(false), new SSecurityVncAuth());
 #endif
 } |
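Review bot: Under `case secTypeX509Vnc:` the rewritten line still builds the stack with `secTypeX509None` — `return new SSecurityStack(secTypeX509None, new SSecurityTLSBase(false), new SSecurityVncAuth());` — while the three sibling cases pass their own type; this looks like a pre-existing copy-paste slip that the rewrite carries forward, so the X509Vnc stack reports a type that claims no password check even though it contains one. It should read `return new SSecurityStack(secTypeX509Vnc, new SSecurityTLSBase(false), new SSecurityVncAuth());`. The switch continues outside the hunk; it is worth checking what consumes SSecurityStack's type (logging, the VeNCrypt sub-type reply, or both), since that is where the mismatch becomes visible.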