diff --git a/TeXmacs/progs/client/client-base.scm b/TeXmacs/progs/client/client-base.scm index 3b2b6446c2..adc6944959 100644 --- a/TeXmacs/progs/client/client-base.scm +++ b/TeXmacs/progs/client/client-base.scm @@ -179,7 +179,6 @@ (set-user-info "email" email)))) (with server (client-start server-name) (when (!= server -1) - (enter-secure-mode server) (client-remote-eval* server `(new-account ,pseudo ,name ,passwd ,email ,agreed) (lambda (msg) @@ -198,7 +197,6 @@ (ahash-set! client-active-connections server (list server-name pseudo)) (ahash-set! client-active-connections server-name server) (set! remote-client-list (client-active-servers)) - (enter-secure-mode server) (client-remote-eval* server `(remote-login ,pseudo ,passwd) wcb))))) (tm-define (client-login server-name pseudo passwd) diff --git a/TeXmacs/progs/prog/glue-symbols.scm b/TeXmacs/progs/prog/glue-symbols.scm index deed9761db..15108fb195 100644 --- a/TeXmacs/progs/prog/glue-symbols.scm +++ b/TeXmacs/progs/prog/glue-symbols.scm @@ -613,7 +613,6 @@ "client-stop" "client-read" "client-write" -"enter-secure-mode" "connection-start" "connection-status" "connection-write-string" diff --git a/devel/0131.md b/devel/0131.md new file mode 100644 index 0000000000..89300789dd --- /dev/null +++ b/devel/0131.md @@ -0,0 +1,114 @@ +# [0131] 移除 Openssl 插件及相关加密通信功能 + +## 1 相关文档 +- [dddd.md](dddd.md) - 任务文档模板 + +## 2 任务相关的代码文件 +- `src/Plugins/Openssl/openssl.cpp` +- `src/Plugins/Openssl/openssl.hpp` +- `src/System/Link/tm_link.cpp` +- `src/System/Link/tm_link.hpp` +- `src/System/Link/texmacs_client.cpp` +- `src/System/Link/client_server.hpp` +- `TeXmacs/progs/client/client-base.scm` +- `TeXmacs/progs/prog/glue-symbols.scm` +- `src/Scheme/Glue/glue_basic.lua` +- `xmake.lua` + +## 3 如何测试 + +### 3.1 确定性测试(单元测试) +``` +# 无新增单元测试,通过编译即可验证 +``` + +### 3.2 非确定性测试(文档验证) +``` +xmake b stem +``` + +## 4 如何提交 + +提交前执行以下最少步骤: + +```bash +# 编译验证 +xmake b stem +``` + +## 5 What + +移除 Openssl 插件及其在 socket 通信链路中的加密功能调用,包括: + +1. **Openssl 插件本身**:`src/Plugins/Openssl/` 目录下的 `openssl.cpp` 和 `openssl.hpp`,提供基于外部 `openssl` 命令行工具的 RSA 加密/解密、AES 加密/解密、密钥生成和哈希功能。 +2. **链路层加密逻辑**:`tm_link` 中基于 `secret` 成员变量的数据包加解密,以及 `secure_server` / `secure_client` 握手协议。 +3. **客户端安全模式入口**:`texmacs_client.cpp` 中的 `enter_secure_mode` 函数及 `client_server.hpp` 中的声明。 +4. **Scheme 层安全模式调用**:`client-base.scm` 中 `new-account` 和 `client-login-then` 函数对 `enter-secure-mode` 的调用。 +5. **Glue 绑定**:`glue_basic.lua` 中 `enter-secure-mode` 的 glue 定义,以及 `glue-symbols.scm` 中的对应符号。 +6. **构建系统引用**:`xmake.lua` 中对 `src/Plugins/Openssl/**.cpp` 的编译引用。 + +## 6 Why + +Mogan STEM 不使用 TeXmacs 的远程协作(client/server)功能,该功能依赖 Openssl 插件对 socket 通信进行 RSA+AES 加密。保留这部分代码会引入对外部 `openssl` 命令行工具的依赖,且相关功能在当前产品中无实际使用场景,属于死代码,应予以清理。 + +## 7 How + +### 7.1 分析结论 + +Openssl 插件的功能仅在 `tm_link` 的 socket 通信加密场景中被调用: + +- `secret_encode` / `secret_decode`:在 `write_packet` / `read_packet` 中对数据包进行 AES 加解密。 +- `secret_generate`:在 `secure_server` 中生成随机密钥。 +- `rsa_encode` / `rsa_decode` / `rsa_my_public_key` / `rsa_my_private_key`:在 `secure_server` / `secure_client` 中完成 RSA 密钥交换。 +- `enter_secure_mode` / `enter-secure-mode`:C++ 实现为 `enter_secure_mode`,Scheme 层通过 glue 调用。在 `client-base.scm` 的 `new-account` 和 `client-login-then` 中被调用。 + +因此,移除 Openssl 插件的同时,需要同步移除 `tm_link` 中的加密逻辑和 `texmacs_client` 中的安全模式入口。 + +### 7.2 修改步骤 + +#### 7.2.1 移除 Openssl 插件 + +- 删除 `src/Plugins/Openssl/openssl.cpp` +- 删除 `src/Plugins/Openssl/openssl.hpp` + +#### 7.2.2 移除 tm_link 中的加密逻辑 + +在 `src/System/Link/tm_link.hpp` 中: +- 移除 `string secret;` 成员变量。 +- 移除 `secure_server (string cmd)` 和 `secure_client ()` 方法声明。 + +在 `src/System/Link/tm_link.cpp` 中: +- 移除 `#include "../Plugins/Openssl/openssl.hpp"`。 +- 在 `write_packet` 中移除 `if (secret != "") s= secret_encode (s, secret);` 及其条件判断,直接写入原始数据。 +- 在 `read_packet` 中移除 `secure_server (message_receive (r));` 的分支(该分支处理以 `!` 开头的服务器握手包),以及 `if (secret != "") back= secret_decode (back, secret);` 的解密逻辑。 +- 删除 `secure_server` 和 `secure_client` 的方法实现。 + +#### 7.2.3 移除客户端安全模式入口 + +在 `src/System/Link/texmacs_client.cpp` 中: +- 移除 QTTEXMACS 版本的 `enter_secure_mode (int fd)` 函数实现。 +- 移除非 QTTEXMACS 版本的 `enter_secure_mode (int fd)` 函数实现。 + +在 `src/System/Link/client_server.hpp` 中: +- 移除 `void enter_secure_mode (int fd);` 声明。 + +#### 7.2.4 移除 Scheme 层安全模式调用 + +在 `TeXmacs/progs/client/client-base.scm` 中: +- 移除 `new-account` 函数中的 `(enter-secure-mode server)` 调用。 +- 移除 `client-login-then` 函数中的 `(enter-secure-mode server)` 调用。 + +#### 7.2.5 移除 Glue 绑定 + +Glue 代码(`build/glue/glue_basic.cpp` 等)由构建系统根据 lua 定义自动生成,**只需修改源定义文件**。 + +在 `src/Scheme/Glue/glue_basic.lua` 中: +- 移除 `enter-secure-mode` 的 glue 定义。 + +在 `TeXmacs/progs/prog/glue-symbols.scm` 中: +- 移除 `"enter-secure-mode"` 符号。 + +#### 7.2.6 更新构建系统 + +在 `xmake.lua` 中: +- 从 `add_files` 列表中移除 `"src/Plugins/Openssl/**.cpp"`。 diff --git a/src/Plugins/Openssl/openssl.cpp b/src/Plugins/Openssl/openssl.cpp deleted file mode 100644 index 6304145626..0000000000 --- a/src/Plugins/Openssl/openssl.cpp +++ /dev/null @@ -1,145 +0,0 @@ - -/****************************************************************************** - * MODULE : openssl.cpp - * DESCRIPTION: Functions for cryptography - * COPYRIGHT : (C) 2007 Joris van der Hoeven - ******************************************************************************* - * This software falls under the GNU general public license version 3 or later. - * It comes WITHOUT ANY WARRANTY WHATSOEVER. For details, see the file LICENSE - * in the root directory or . - ******************************************************************************/ - -#include "openssl.hpp" -#include "file.hpp" -#include "sys_utils.hpp" -#include "tm_file.hpp" - -/****************************************************************************** - * OpenSSL configuration - ******************************************************************************/ - -static string openssl_cmd; - -string -openssl (string args) { - if (openssl_cmd == "") openssl_cmd= get_env ("TM_OPENSSL"); - if (openssl_cmd == "") openssl_cmd= "openssl"; - // cout << "TeXmacs] " << (openssl_cmd * " " * args) << LF; - return eval_system (openssl_cmd * " " * args); -} - -string -openssl_rsa (string args) { - // return openssl ("rsautl " * args); - return openssl ("pkeyutl " * args); -} - -string -openssl_enc (string args) { - // return openssl ("aes-256-cbc " * args); - return openssl ("enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 " * args); -} - -/****************************************************************************** - * RSA encryption and decryption - ******************************************************************************/ - -void -rsa_initialize () { - url dir = url ("$TEXMACS_HOME_PATH") * "system/crypto"; - url priv= dir * "texmacs.private"; - url pub = dir * "texmacs.public"; - if (!exists (dir)) mkdir (dir); - if (!exists (priv)) - openssl ("genrsa -out " * as_string (priv) * " 2048 2> /dev/null"); - if (!exists (pub)) - openssl ("rsa -in " * as_string (priv) * " -pubout -out " * - as_string (pub) * " 2> /dev/null"); -} - -string -rsa_my_private_key () { - rsa_initialize (); - url dir = url ("$TEXMACS_HOME_PATH") * "system/crypto"; - url priv= dir * "texmacs.private"; - string private_key; - load_string (priv, private_key, true); - return private_key; -} - -string -rsa_my_public_key () { - rsa_initialize (); - url dir = url ("$TEXMACS_HOME_PATH") * "system/crypto"; - url priv= dir * "texmacs.public"; - string public_key; - load_string (priv, public_key, true); - return public_key; -} - -string -rsa_encode (string msg, string key) { - url _msg= url_temp (); - save_string (_msg, msg); - url _key= url_temp (); - save_string (_key, key); - string r= openssl_rsa ("-in " * as_string (_msg) * " -pubin -inkey " * - as_string (_key) * " -encrypt"); - remove (_msg); - remove (_key); - return r; -} - -string -rsa_decode (string msg, string key) { - url _msg= url_temp (); - save_string (_msg, msg); - url _key= url_temp (); - save_string (_key, key); - string r= openssl_rsa ("-in " * as_string (_msg) * " -inkey " * - as_string (_key) * " -decrypt"); - remove (_msg); - remove (_key); - return r; -} - -/****************************************************************************** - * AES encryption and decryption - ******************************************************************************/ - -string -secret_generate (int len) { - // return openssl ("rand -base64 " * as_string (len)); - return openssl ("rand " * as_string (len)); -} - -string -secret_encode (string msg, string key) { - url _msg= url_temp (); - save_string (_msg, msg); - url _key= url_temp (); - save_string (_key, key); - string r= openssl_enc ("-nosalt -in " * as_string (_msg) * " -pass file:" * - as_string (_key)); - remove (_msg); - remove (_key); - return r; -} - -string -secret_decode (string msg, string key) { - url _msg= url_temp (); - save_string (_msg, msg); - url _key= url_temp (); - save_string (_key, key); - string r= openssl_enc ("-nosalt -d -in " * as_string (_msg) * " -pass file:" * - as_string (_key)); - remove (_msg); - remove (_key); - return r; -} - -string -secret_hash (string msg) { - return secret_encode ("TeXmacs worgelt BlauwBilGorgels", msg); -} diff --git a/src/Plugins/Openssl/openssl.hpp b/src/Plugins/Openssl/openssl.hpp deleted file mode 100644 index 9153dcb9b2..0000000000 --- a/src/Plugins/Openssl/openssl.hpp +++ /dev/null @@ -1,26 +0,0 @@ - -/****************************************************************************** - * MODULE : openssl.hpp - * DESCRIPTION: Functions for cryptography - * COPYRIGHT : (C) 2007 Joris van der Hoeven - ******************************************************************************* - * This software falls under the GNU general public license version 3 or later. - * It comes WITHOUT ANY WARRANTY WHATSOEVER. For details, see the file LICENSE - * in the root directory or . - ******************************************************************************/ - -#ifndef TM_OPENSSL_H -#define TM_OPENSSL_H -#include "string.hpp" - -string rsa_my_private_key (); -string rsa_my_public_key (); -string rsa_encode (string msg, string key); -string rsa_decode (string msg, string key); - -string secret_generate (int len= 32); -string secret_encode (string msg, string key); -string secret_decode (string msg, string key); -string secret_hash (string msg); - -#endif // TM_OPENSSL_H diff --git a/src/Scheme/Glue/glue_basic.lua b/src/Scheme/Glue/glue_basic.lua index c46ffde47b..741aeb358a 100644 --- a/src/Scheme/Glue/glue_basic.lua +++ b/src/Scheme/Glue/glue_basic.lua @@ -1099,15 +1099,6 @@ function main() "string" } }, - { - scm_name = "enter-secure-mode", - cpp_name = "enter_secure_mode", - ret_type = "void", - arg_list = { - "int" - } - }, - -- connections to extern systems { scm_name = "connection-start", diff --git a/src/System/Link/client_server.hpp b/src/System/Link/client_server.hpp index 7161571f43..6d382a7912 100644 --- a/src/System/Link/client_server.hpp +++ b/src/System/Link/client_server.hpp @@ -24,6 +24,4 @@ void client_stop (int fd); string client_read (int fd); void client_write (int fd, string s); -void enter_secure_mode (int fd); - #endif // defined CLIENT_SERVER_H diff --git a/src/System/Link/texmacs_client.cpp b/src/System/Link/texmacs_client.cpp index fc9510b4a3..382ae03fde 100644 --- a/src/System/Link/texmacs_client.cpp +++ b/src/System/Link/texmacs_client.cpp @@ -76,13 +76,6 @@ client_write (int fd, string s) { client->write_packet (s, LINK_IN); } -void -enter_secure_mode (int fd) { - socket_link* client= the_clients[fd]; - if (client == NULL || !client->alive ()) return; - client->secure_client (); -} - #else // Non QT part typedef socket_link_rep* weak_socket_link; @@ -151,10 +144,4 @@ client_write (int fd, string s) { client->write_packet (s, LINK_IN); } -void -enter_secure_mode (int fd) { - weak_socket_link client= find_client (fd); - if (client == NULL || !client->alive) return; - client->secure_client (); -} #endif diff --git a/src/System/Link/tm_link.cpp b/src/System/Link/tm_link.cpp index c490a7b28d..e574470464 100644 --- a/src/System/Link/tm_link.cpp +++ b/src/System/Link/tm_link.cpp @@ -10,7 +10,6 @@ ******************************************************************************/ #include "tm_link.hpp" -#include "../Plugins/Openssl/openssl.hpp" #include "tm_timer.hpp" /****************************************************************************** @@ -44,7 +43,6 @@ message_receive (string& s) { void tm_link_rep::write_packet (string s, int channel) { - if (secret != "") s= secret_encode (s, secret); write ((as_string (N (s)) * "\n") * s, channel); } @@ -64,41 +62,7 @@ tm_link_rep::read_packet (int channel, int timeout, bool& success) { if (timeout > 0) listen (timeout); if (N (r) == n && (texmacs_time () - start >= timeout)) return ""; } - if (channel == LINK_OUT && N (r) > 0 && r[0] == '!') { - secure_server (message_receive (r)); - return ""; - } - else { - string back= message_receive (r); - if (secret != "") back= secret_decode (back, secret); - success= true; - return back; - } -} - -/****************************************************************************** - * Data encryption - ******************************************************************************/ - -void -tm_link_rep::secure_server (string client_public) { - if (secret != "") return; - string k= secret_generate (); - string s= rsa_encode (k, client_public); - write_packet (s, LINK_IN); - secret= k; -} - -void -tm_link_rep::secure_client () { - if (secret != "") return; - write ("!", LINK_IN); - write_packet (rsa_my_public_key (), LINK_IN); - bool success; - string r= read_packet (LINK_OUT, 10000, success); - if (!success) { - stop (); - return; - } - secret= rsa_decode (r, rsa_my_private_key ()); + string back= message_receive (r); + success = true; + return back; } diff --git a/src/System/Link/tm_link.hpp b/src/System/Link/tm_link.hpp index 92c1c88200..7f50e1f6d0 100644 --- a/src/System/Link/tm_link.hpp +++ b/src/System/Link/tm_link.hpp @@ -38,8 +38,7 @@ ******************************************************************************/ struct tm_link_rep : abstract_struct { - bool alive; // link is alive - string secret; // empty string or secret key for encrypted connections + bool alive; // link is alive command feed_cmd; // called when async data available @@ -58,8 +57,6 @@ struct tm_link_rep : abstract_struct { void write_packet (string s, int channel); bool complete_packet (int channel); string read_packet (int channel, int timeout, bool& success); - void secure_server (string cmd); - void secure_client (); void set_command (command _cmd) { feed_cmd= _cmd; } void apply_command () { diff --git a/xmake.lua b/xmake.lua index a814c9cea4..cb4a4628b4 100644 --- a/xmake.lua +++ b/xmake.lua @@ -807,7 +807,6 @@ target("libmogan") do "src/Plugins/Ghostscript/**.cpp", "src/Plugins/Ispell/**.cpp", "src/Plugins/Metafont/**.cpp", - "src/Plugins/Openssl/**.cpp", "src/Plugins/Tex/**.cpp", "src/Plugins/Xml/**.cpp", "src/Plugins/Html/**.cpp",