CSecurityTLS: change the variable that holds the x509 authentication CA and CRL…
… file from global to local
KangLin committed Aug 14, 2024
1 parent 9de4b19 commit c1a5df5
Showing 11 changed files with 81 additions and 48 deletions.
7 changes: 6 additions & 1 deletion common/rfb/CConnection.h
Expand Up @@ -139,7 +139,12 @@ namespace rfb {
// case no user name will be retrieved.
virtual void getUserPasswd(bool secure, std::string* user,
std::string* password) = 0;

/*!
* Get x509 authentication CA and CRL file, the file format is pem.
* \param ca: certificate authority, the file format is pem.
* \param crl: certificate revocation list, the file format is pem.
*/
virtual int getX509File(std::string* ca, std::string* crl) = 0;
virtual bool showMsgBox(MsgBoxFlags flags, const char *title, const char *text) = 0;

// authSuccess() is called when authentication has succeeded.
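Review bot: The comment block added above `getX509File` documents the two parameters but not the return value, and the actual contract is only discoverable from CSecurityTLS::setParam in another file, where a nonzero return aborts the handshake with AuthFailureException and an empty string skips that file; every CConnection subclass has to implement this, so the declaration should carry it. Add `* \return 0 on success; any other value makes the X509 handshake fail with AuthFailureException.` and `* Leave a string empty to skip loading that file.` before the closing `*/`. The three repetitions of "the file format is pem" could be reduced to the brief line alone. The enclosing class continues outside the hunk.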
42 changes: 12 additions & 30 deletions common/rfb/CSecurityTLS.cxx
Expand Up @@ -48,30 +48,8 @@

using namespace rfb;

static const char* configdirfn(const char* fn);

StringParameter CSecurityTLS::X509CA("X509CA", "X509 CA certificate",
configdirfn("x509_ca.pem"),
ConfViewer);
StringParameter CSecurityTLS::X509CRL("X509CRL", "X509 CRL file",
configdirfn("x509_crl.pem"),
ConfViewer);

static LogWriter vlog("TLS");

static const char* configdirfn(const char* fn)
{
static char full_path[PATH_MAX];
const char* configdir;

configdir = os::getvncconfigdir();
if (configdir == nullptr)
return "";

snprintf(full_path, sizeof(full_path), "%s/%s", configdir, fn);
return full_path;
}

CSecurityTLS::CSecurityTLS(CConnection* cc_, bool _anon)
: CSecurity(cc_), session(nullptr),
anon_cred(nullptr), cert_cred(nullptr),
Expand Down Expand Up @@ -274,12 +252,17 @@ void CSecurityTLS::setParam()

if (gnutls_certificate_set_x509_system_trust(cert_cred) < 1)
vlog.error("Could not load system certificate trust store");

if (gnutls_certificate_set_x509_trust_file(cert_cred, X509CA, GNUTLS_X509_FMT_PEM) < 0)
vlog.error("Could not load user specified certificate authority");

if (gnutls_certificate_set_x509_crl_file(cert_cred, X509CRL, GNUTLS_X509_FMT_PEM) < 0)
vlog.error("Could not load user specified certificate revocation list");

std::string ca, crl;
int nRet = client->getX509File(&ca, &crl);
if(nRet)
throw AuthFailureException("Get X509 certificate file fail");
if(!ca.empty())
if (gnutls_certificate_set_x509_trust_file(cert_cred, ca.c_str(), GNUTLS_X509_FMT_PEM) < 0)
vlog.error("Could not load user specified certificate authority");
if(!crl.empty())
if (gnutls_certificate_set_x509_crl_file(cert_cred, crl.c_str(), GNUTLS_X509_FMT_PEM) < 0)
vlog.error("Could not load user specified certificate revocation list");

ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred);
if (ret != GNUTLS_E_SUCCESS)
Expand Down Expand Up @@ -461,7 +444,7 @@ void CSecurityTLS::checkSession()
"\n"
"Do you want to make an exception for this "
"server?", info.data);

if (!cc->showMsgBox(MsgBoxFlags::M_YESNO,
"Certificate is not yet valid",
text.c_str()))
Expand All @@ -480,7 +463,6 @@ void CSecurityTLS::checkSession()
"\n"
"Do you want to make an exception for this "
"server?", info.data);

if (!cc->showMsgBox(MsgBoxFlags::M_YESNO,
"Expired certificate",
text.c_str()))
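Review bot: `client->getX509File(&ca, &crl)` in the setParam hunk reaches the connection through a member named `client`, while the rest of this file uses `cc` (the `CSecurity(cc_)` initializer in the first hunk and `cc->showMsgBox` in both checkSession hunks); unless CSecurity also declares a `client` member this does not compile, and `int nRet = cc->getX509File(&ca, &crl);` is presumably what is intended. The new `throw AuthFailureException(...)` fires after cert_cred has already been allocated (it is used by the `gnutls_certificate_set_x509_system_trust` call just above), so confirm that whatever catches it runs freeResources, otherwise the credentials leak on that path. Now that an empty path is skipped explicitly, a non-empty path that fails to load is unambiguously a misconfiguration, yet it is still only logged and the handshake continues with the system trust store alone; treating that case as fatal would be the safer default for a user who deliberately pinned a CA. setParam starts and ends outside the hunk.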
3 changes: 0 additions & 3 deletions common/rfb/CSecurityTLS.h
Expand Up @@ -41,9 +41,6 @@ namespace rfb {
int getType() const override { return anon ? secTypeTLSNone : secTypeX509None; }
bool isSecure() const override { return !anon; }

static StringParameter X509CA;
static StringParameter X509CRL;

protected:
void shutdown();
void freeResources();
6 changes: 6 additions & 0 deletions tests/perf/decperf.cxx
Expand Up @@ -77,6 +77,7 @@ class CConn : public rfb::CConnection {
void serverCutText(const char*) override;
virtual void getUserPasswd(bool secure, std::string *user, std::string *password) override;
virtual bool showMsgBox(rfb::MsgBoxFlags flags, const char *title, const char *text) override;
virtual int getX509File(std::string *ca, std::string *crl) override;

public:
double cpuTime;
Expand Down Expand Up @@ -181,6 +182,11 @@ void CConn::getUserPasswd(bool, std::string *, std::string *)
{
}

int CConn::getX509File(std::string *, std::string *)
{
return 0;
}

bool CConn::showMsgBox(rfb::MsgBoxFlags, const char *, const char *)
{
return true;
6 changes: 6 additions & 0 deletions tests/perf/encperf.cxx
Expand Up @@ -110,6 +110,7 @@ class CConn : public rfb::CConnection {
void serverCutText(const char*) override;
virtual void getUserPasswd(bool secure, std::string *user, std::string *password) override;
virtual bool showMsgBox(rfb::MsgBoxFlags flags, const char *title, const char *text) override;
virtual int getX509File(std::string *ca, std::string *crl) override;

public:
double decodeTime;
Expand Down Expand Up @@ -285,6 +286,11 @@ void CConn::getUserPasswd(bool, std::string *, std::string *)
{
}

int CConn::getX509File(std::string *, std::string *)
{
return 0;
}

bool CConn::showMsgBox(rfb::MsgBoxFlags, const char *, const char *)
{
return true;
9 changes: 8 additions & 1 deletion vncviewer/CConn.cxx
Expand Up @@ -615,4 +615,11 @@ bool CConn::showMsgBox(MsgBoxFlags flags, const char *title, const char *text)
void CConn::getUserPasswd(bool secure, std::string *user, std::string *password)
{
dlg.getUserPasswd(secure, user, password);
}
}

int CConn::getX509File(std::string *ca, std::string *crl)
{
*ca = ::X509CA;
*crl = ::X509CRL;
return 0;
}
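Review bot: `*ca = ::X509CA;` and `*crl = ::X509CRL;` use the two globals unconditionally, but the matching `extern rfb::StringParameter` declarations in the parameters.h hunk sit under `#ifdef HAVE_GNUTLS` while the definitions in the parameters.cxx hunk are unguarded, so a viewer built without GnuTLS fails to compile here and with GnuTLS the header and the definition disagree about when the symbols exist. Since the definitions are always compiled, the simplest fix is to drop the `#ifdef HAVE_GNUTLS` / `#endif` pair around the two externs in parameters.h; guarding both the definitions and these two assignments would also be consistent. The assignment also relies on StringParameter converting to `const char*` — presumably it does, since the old code passed it straight to gnutls, but a `std::string` copy of the parameter value is worth a one-line comment so nobody later returns a pointer into the parameter instead. The unconditional `return 0;` matches the contract in CSecurityTLS::setParam, where only a nonzero value aborts the handshake.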
10 changes: 4 additions & 6 deletions vncviewer/CConn.h
Expand Up @@ -44,14 +44,12 @@ class CConn : public rfb::CConnection

// Callback when socket is ready (or broken)
static void socketEvent(FL_SOCKET fd, void *data);
// UserMsgBox interface

// CConnection callback methods
virtual bool showMsgBox(rfb::MsgBoxFlags flags, const char *title, const char *text) override;

// UserPasswdGetter interface
virtual int getX509File(std::string *ca, std::string *crl) override;
virtual void getUserPasswd(bool secure, std::string *user, std::string *password) override;

// CConnection callback methods

void initDone() override;

void setDesktopSize(int w, int h) override;
8 changes: 4 additions & 4 deletions vncviewer/OptionsDialog.cxx
Expand Up @@ -303,8 +303,8 @@ void OptionsDialog::loadOptions(void)
}

#ifdef HAVE_GNUTLS
caInput->value(CSecurityTLS::X509CA);
crlInput->value(CSecurityTLS::X509CRL);
caInput->value(::X509CA);
crlInput->value(::X509CRL);

handleX509(encX509Checkbox, this);
#endif
Expand Down Expand Up @@ -434,8 +434,8 @@ void OptionsDialog::storeOptions(void)
security.EnableSecType(secTypeX509Plain);
}

CSecurityTLS::X509CA.setParam(caInput->value());
CSecurityTLS::X509CRL.setParam(crlInput->value());
::X509CA.setParam(caInput->value());
::X509CRL.setParam(crlInput->value());
#endif

#ifdef HAVE_NETTLE
8 changes: 7 additions & 1 deletion vncviewer/UserDialog.h
Expand Up @@ -28,12 +28,18 @@ class UserDialog
~UserDialog();

// UserPasswdGetter callbacks

void getUserPasswd(bool secure, std::string* user,
std::string* password);

// UserMsgBox callbacks
bool showMsgBox(rfb::MsgBoxFlags flags, const char* title, const char* text);

void resetPassword();

private:
std::string savedUsername;
std::string savedPassword;

};

#endif
25 changes: 23 additions & 2 deletions vncviewer/parameters.cxx
Expand Up @@ -52,6 +52,7 @@ using namespace std;

static LogWriter vlog("Parameters");

static const char* configdirfn(const char* fn);

IntParameter pointerEventInterval("PointerEventInterval",
"Time in milliseconds to rate-limit"
Expand All @@ -76,6 +77,13 @@ StringParameter passwordFile("PasswordFile",
"Password file for VNC authentication", "");
AliasParameter passwd("passwd", "Alias for PasswordFile", &passwordFile);

StringParameter X509CA("X509CA", "X509 CA certificate",
configdirfn("x509_ca.pem"),
ConfViewer);
StringParameter X509CRL("X509CRL", "X509 CRL file",
configdirfn("x509_crl.pem"),
ConfViewer);

BoolParameter autoSelect("AutoSelect",
"Auto select pixel format and encoding. "
"Default if PreferredEncoding and FullColor are not specified.",
Expand Down Expand Up @@ -175,8 +183,8 @@ static const char* IDENTIFIER_STRING = "TigerVNC Configuration file Version 1.0"
static VoidParameter* parameterArray[] = {
/* Security */
#ifdef HAVE_GNUTLS
&CSecurityTLS::X509CA,
&CSecurityTLS::X509CRL,
&X509CA,
&X509CRL,
#endif // HAVE_GNUTLS
&SecurityClient::secTypes,
/* Misc. */
Expand Down Expand Up @@ -221,6 +229,19 @@ static const struct EscapeMap {
{ '\r', 'r' },
{ '\\', '\\' } };

static const char* configdirfn(const char* fn)
{
static char full_path[PATH_MAX];
const char* configdir;

configdir = os::getvncconfigdir();
if (configdir == nullptr)
return "";

snprintf(full_path, sizeof(full_path), "%s/%s", configdir, fn);
return full_path;
}

static bool encodeValue(const char* val, char* dest, size_t destSize) {

size_t pos = 0;
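Review bot: `configdirfn` returns a pointer to a single static `full_path` buffer that the next call overwrites, and the `X509CA` and `X509CRL` initializers each call it in turn, so the code is only correct because StringParameter's constructor copies its default — presumably it does, as the same pattern was moved here from CSecurityTLS.cxx, but nothing in the function says so. Add `// Returns a pointer to one static buffer that the next call overwrites; the caller must copy the result before calling again.` above the definition. The `snprintf` result is also unchecked, so a configuration directory close to PATH_MAX silently yields a truncated path that later fails to load with only a log line in setParam; `int len = snprintf(full_path, sizeof(full_path), "%s/%s", configdir, fn);` followed by `if (len < 0 || (size_t)len >= sizeof(full_path)) return "";` makes that case explicit, and the empty string then causes the new setParam to skip the file rather than hand a bogus path to gnutls.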
5 changes: 5 additions & 0 deletions vncviewer/parameters.h
Expand Up @@ -37,6 +37,11 @@ extern rfb::BoolParameter dotWhenNoCursor;

extern rfb::StringParameter passwordFile;

#ifdef HAVE_GNUTLS
extern rfb::StringParameter X509CA;
extern rfb::StringParameter X509CRL;
#endif

extern rfb::BoolParameter autoSelect;
extern rfb::BoolParameter fullColour;
extern rfb::AliasParameter fullColourAlias;
