From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 8/9] ui: remove separate gnutls_session for websockets server
Date: Wed, 18 Mar 2015 14:17:45 +0100	[thread overview]
Message-ID: <1426684666-30629-9-git-send-email-kraxel@redhat.com> (raw)
In-Reply-To: <1426684666-30629-1-git-send-email-kraxel@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

The previous change to the auth scheme handling guarantees we
can never have nested TLS sessions in the VNC websockets server.
Thus we can remove the separate gnutls_session instance.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc-tls.c | 70 +++++++++++++++++++++++++-----------------------------------
 ui/vnc-ws.c  |  4 ++--
 ui/vnc.c     | 18 ++--------------
 ui/vnc.h     |  3 ---
 4 files changed, 33 insertions(+), 62 deletions(-)

diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
index de1cb34..eddd39b 100644
--- a/ui/vnc-tls.c
+++ b/ui/vnc-tls.c
@@ -334,82 +334,77 @@ static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
 
 int vnc_tls_client_setup(struct VncState *vs,
                          int needX509Creds) {
-    VncStateTLS *tls;
-
     VNC_DEBUG("Do TLS setup\n");
-#ifdef CONFIG_VNC_WS
-    if (vs->websocket) {
-        tls = &vs->ws_tls;
-    } else
-#endif /* CONFIG_VNC_WS */
-    {
-        tls = &vs->tls;
-    }
     if (vnc_tls_initialize() < 0) {
         VNC_DEBUG("Failed to init TLS\n");
         vnc_client_error(vs);
         return -1;
     }
-    if (tls->session == NULL) {
-        if (gnutls_init(&tls->session, GNUTLS_SERVER) < 0) {
+    if (vs->tls.session == NULL) {
+        if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) {
             vnc_client_error(vs);
             return -1;
         }
 
-        if (gnutls_set_default_priority(tls->session) < 0) {
-            gnutls_deinit(tls->session);
-            tls->session = NULL;
+        if (gnutls_set_default_priority(vs->tls.session) < 0) {
+            gnutls_deinit(vs->tls.session);
+            vs->tls.session = NULL;
             vnc_client_error(vs);
             return -1;
         }
 
-        if (vnc_set_gnutls_priority(tls->session, needX509Creds) < 0) {
-            gnutls_deinit(tls->session);
-            tls->session = NULL;
+        if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
+            gnutls_deinit(vs->tls.session);
+            vs->tls.session = NULL;
             vnc_client_error(vs);
             return -1;
         }
 
         if (needX509Creds) {
-            gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd);
+            gnutls_certificate_server_credentials x509_cred =
+                vnc_tls_initialize_x509_cred(vs->vd);
             if (!x509_cred) {
-                gnutls_deinit(tls->session);
-                tls->session = NULL;
+                gnutls_deinit(vs->tls.session);
+                vs->tls.session = NULL;
                 vnc_client_error(vs);
                 return -1;
             }
-            if (gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
-                gnutls_deinit(tls->session);
-                tls->session = NULL;
+            if (gnutls_credentials_set(vs->tls.session,
+                                       GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
+                gnutls_deinit(vs->tls.session);
+                vs->tls.session = NULL;
                 gnutls_certificate_free_credentials(x509_cred);
                 vnc_client_error(vs);
                 return -1;
             }
             if (vs->vd->tls.x509verify) {
                 VNC_DEBUG("Requesting a client certificate\n");
-                gnutls_certificate_server_set_request (tls->session, GNUTLS_CERT_REQUEST);
+                gnutls_certificate_server_set_request(vs->tls.session,
+                                                      GNUTLS_CERT_REQUEST);
             }
 
         } else {
-            gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();
+            gnutls_anon_server_credentials_t anon_cred =
+                vnc_tls_initialize_anon_cred();
             if (!anon_cred) {
-                gnutls_deinit(tls->session);
-                tls->session = NULL;
+                gnutls_deinit(vs->tls.session);
+                vs->tls.session = NULL;
                 vnc_client_error(vs);
                 return -1;
             }
-            if (gnutls_credentials_set(tls->session, GNUTLS_CRD_ANON, anon_cred) < 0) {
-                gnutls_deinit(tls->session);
-                tls->session = NULL;
+            if (gnutls_credentials_set(vs->tls.session,
+                                       GNUTLS_CRD_ANON, anon_cred) < 0) {
+                gnutls_deinit(vs->tls.session);
+                vs->tls.session = NULL;
                 gnutls_anon_free_server_credentials(anon_cred);
                 vnc_client_error(vs);
                 return -1;
             }
         }
 
-        gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr_t)vs);
-        gnutls_transport_set_push_function(tls->session, vnc_tls_push);
-        gnutls_transport_set_pull_function(tls->session, vnc_tls_pull);
+        gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs);
+        gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push);
+        gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull);
     }
     return 0;
 }
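Review bot: The `if (vs->tls.session == NULL)` guard now carries the whole "no nested TLS" invariant on its own: a call that arrives with a session already present (the websockets handshake path, as far as the vnc-ws.c hunk shows, now uses the same `vs->tls.session`) returns 0 without consulting `needX509Creds`, so the credentials in use are whatever the earlier call configured. The commit message says the auth-scheme change makes that case unreachable, but nothing in vnc_tls_client_setup records it; suggest a comment above the check such as `/* A session can already exist only from the websockets TLS handshake; the auth-scheme setup guarantees no second TLS layer is requested on top of it, so it is reused as-is. */`. As a style point, the six identical failure paths `gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1;` could collapse into a single `goto fail;` cleanup label at the end of the function, so a future error path cannot forget the deinit.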
@@ -422,13 +417,6 @@ void vnc_tls_client_cleanup(struct VncState *vs)
         vs->tls.session = NULL;
     }
     g_free(vs->tls.dname);
-#ifdef CONFIG_VNC_WS
-    if (vs->ws_tls.session) {
-        gnutls_deinit(vs->ws_tls.session);
-        vs->ws_tls.session = NULL;
-    }
-    g_free(vs->ws_tls.dname);
-#endif /* CONFIG_VNC_WS */
 }
 
 
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 0fcce4e..5f9fcc4 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -26,12 +26,12 @@
 
 static int vncws_start_tls_handshake(struct VncState *vs)
 {
-    int ret = gnutls_handshake(vs->ws_tls.session);
+    int ret = gnutls_handshake(vs->tls.session);
 
     if (ret < 0) {
         if (!gnutls_error_is_fatal(ret)) {
             VNC_DEBUG("Handshake interrupted (blocking)\n");
-            if (!gnutls_record_get_direction(vs->ws_tls.session)) {
+            if (!gnutls_record_get_direction(vs->tls.session)) {
                 qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io,
                                     NULL, vs);
             } else {
diff --git a/ui/vnc.c b/ui/vnc.c
index 9994de1..cffb5b7 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1343,15 +1343,8 @@ long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
     if (vs->tls.session) {
         ret = vnc_client_write_tls(&vs->tls.session, data, datalen);
     } else {
-#ifdef CONFIG_VNC_WS
-        if (vs->ws_tls.session) {
-            ret = vnc_client_write_tls(&vs->ws_tls.session, data, datalen);
-        } else
-#endif /* CONFIG_VNC_WS */
 #endif /* CONFIG_VNC_TLS */
-        {
-            ret = send(vs->csock, (const void *)data, datalen, 0);
-        }
+        ret = send(vs->csock, (const void *)data, datalen, 0);
 #ifdef CONFIG_VNC_TLS
     }
 #endif /* CONFIG_VNC_TLS */
@@ -1491,15 +1484,8 @@ long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
     if (vs->tls.session) {
         ret = vnc_client_read_tls(&vs->tls.session, data, datalen);
     } else {
-#ifdef CONFIG_VNC_WS
-        if (vs->ws_tls.session) {
-            ret = vnc_client_read_tls(&vs->ws_tls.session, data, datalen);
-        } else
-#endif /* CONFIG_VNC_WS */
 #endif /* CONFIG_VNC_TLS */
-        {
-            ret = qemu_recv(vs->csock, data, datalen, 0);
-        }
+        ret = qemu_recv(vs->csock, data, datalen, 0);
 #ifdef CONFIG_VNC_TLS
     }
 #endif /* CONFIG_VNC_TLS */
diff --git a/ui/vnc.h b/ui/vnc.h
index aac9156..e19ac39 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -295,9 +295,6 @@ struct VncState
     VncStateSASL sasl;
 #endif
 #ifdef CONFIG_VNC_WS
-#ifdef CONFIG_VNC_TLS
-    VncStateTLS ws_tls;
-#endif /* CONFIG_VNC_TLS */
     bool encode_ws;
     bool websocket;
 #endif /* CONFIG_VNC_WS */
-- 
1.8.3.1
