]>
Commit | Line | Data |
---|---|---|
8ecb08d7 DM |
1 | package PVE::Ticket; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Crypt::OpenSSL::Random; | |
7 | use Crypt::OpenSSL::RSA; | |
8 | use MIME::Base64; | |
8ecb08d7 DM |
9 | use Digest::SHA; |
10 | use Time::HiRes qw(gettimeofday); | |
c4c8a33d | 11 | use URI::Escape; |
8ecb08d7 | 12 | |
21f36fed | 13 | use PVE::Exception qw(raise); |
8ecb08d7 DM |
14 | |
15 | Crypt::OpenSSL::RSA->import_random_seed(); | |
16 | ||
21f36fed TL |
17 | use constant HTTP_UNAUTHORIZED => 401; |
18 | ||
8ecb08d7 DM |
19 | sub assemble_csrf_prevention_token { |
20 | my ($secret, $username) = @_; | |
21 | ||
22 | my $timestamp = sprintf("%08X", time()); | |
23 | ||
db02e0e7 | 24 | my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret); |
8ecb08d7 DM |
25 | |
26 | return "$timestamp:$digest"; | |
27 | } | |
28 | ||
29 | sub verify_csrf_prevention_token { | |
30 | my ($secret, $username, $token, $min_age, $max_age, $noerr) = @_; | |
31 | ||
32 | if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) { | |
33 | my $sig = $2; | |
34 | my $timestamp = $1; | |
35 | my $ttime = hex($timestamp); | |
36 | ||
62fc2ad8 OB |
37 | my $digest; |
38 | if (length($sig) == 27) { | |
5fe1f60c TL |
39 | # detected sha1 csrf token from older proxy, fallback. FIXME: remove with 7.0 |
40 | $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret); | |
62fc2ad8 | 41 | } else { |
5fe1f60c | 42 | $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret); |
62fc2ad8 | 43 | } |
8ecb08d7 DM |
44 | |
45 | my $age = time() - $ttime; | |
46 | return 1 if ($digest eq $sig) && ($age > $min_age) && | |
47 | ($age < $max_age); | |
48 | } | |
49 | ||
21f36fed TL |
50 | raise("Permission denied - invalid csrf token\n", code => HTTP_UNAUTHORIZED) |
51 | if !$noerr; | |
8ecb08d7 DM |
52 | |
53 | return undef; | |
54 | } | |
55 | ||
56 | # Note: data may not contain white spaces (verify fails in that case) | |
57 | sub assemble_rsa_ticket { | |
58 | my ($rsa_priv, $prefix, $data, $secret_data) = @_; | |
59 | ||
60 | my $timestamp = sprintf("%08X", time()); | |
61 | ||
62 | my $plain = "$prefix:"; | |
63 | ||
c4c8a33d WB |
64 | if (defined($data)) { |
65 | $data = uri_escape($data, ':'); | |
66 | $plain .= "$data:"; | |
67 | } | |
8ecb08d7 DM |
68 | |
69 | $plain .= $timestamp; | |
70 | ||
71 | my $full = defined($secret_data) ? "$plain:$secret_data" : $plain; | |
72 | ||
73 | my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), ''); | |
74 | ||
75 | return $ticket; | |
76 | } | |
77 | ||
78 | sub verify_rsa_ticket { | |
79 | my ($rsa_pub, $prefix, $ticket, $secret_data, $min_age, $max_age, $noerr) = @_; | |
80 | ||
81 | if ($ticket && $ticket =~ m/^(\Q$prefix\E:\S+)::([^:\s]+)$/) { | |
82 | my $plain = $1; | |
83 | my $sig = $2; | |
84 | ||
85 | my $full = defined($secret_data) ? "$plain:$secret_data" : $plain; | |
86 | ||
87 | if ($rsa_pub->verify($full, decode_base64($sig))) { | |
88 | if ($plain =~ m/^\Q$prefix\E:(?:(\S+):)?([A-Z0-9]{8})$/) { | |
89 | my $data = $1; # Note: not all tickets contains data | |
90 | my $timestamp = $2; | |
91 | my $ttime = hex($timestamp); | |
92 | ||
93 | my $age = time() - $ttime; | |
94 | ||
c4c8a33d WB |
95 | if (defined($data)) { |
96 | $data = uri_unescape($data); | |
97 | } | |
98 | ||
8ecb08d7 DM |
99 | if (($age > $min_age) && ($age < $max_age)) { |
100 | if (defined($data)) { | |
101 | return wantarray ? ($data, $age) : $data; | |
102 | } else { | |
103 | return wantarray ? (1, $age) : 1; | |
104 | } | |
105 | } | |
106 | } | |
107 | } | |
108 | } | |
109 | ||
21f36fed TL |
110 | raise("permission denied - invalid $prefix ticket\n", code => HTTP_UNAUTHORIZED) |
111 | if !$noerr; | |
8ecb08d7 DM |
112 | |
113 | return undef; | |
114 | } | |
115 | ||
116 | sub assemble_spice_ticket { | |
117 | my ($secret, $username, $vmid, $node) = @_; | |
118 | ||
119 | my ($seconds, $microseconds) = gettimeofday; | |
120 | ||
121 | my $timestamp = sprintf("%08x", $seconds); | |
122 | ||
123 | my $randomstr = "PVESPICE:$timestamp:$username:$vmid:$node:$secret:" . | |
124 | ':' . sprintf("%08x", $microseconds) . | |
125 | ':' . sprintf("%08x", $$) . | |
126 | ':' . rand(1); | |
127 | ||
128 | # this should be used as one-time password | |
129 | # max length is 60 chars (spice limit) | |
130 | # we pass this to qemu set_pasword and limit lifetime there | |
131 | # keep this secret | |
132 | my $ticket = Digest::SHA::sha1_hex($randomstr); | |
133 | ||
134 | # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public | |
135 | # we use a signature/timestamp to make sure nobody can fake such a ticket | |
136 | # an attacker can use this $proxyticket, but he will fail because $ticket is | |
137 | # private. | |
138 | # The proxy needs to be able to extract/verify the ticket | |
139 | # Note: data needs to be lower case only, because virt-viewer needs that | |
140 | # Note: RSA signature are too long (>=256 charaters) and make problems with remote-viewer | |
141 | ||
ffbc3c08 | 142 | my $plain = "pvespiceproxy:${timestamp}:${vmid}:" . lc($node); |
8ecb08d7 DM |
143 | |
144 | # produces 40 characters | |
145 | my $sig = unpack("H*", Digest::SHA::sha1($plain, $secret)); | |
146 | ||
147 | #my $sig = unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512) | |
148 | ||
ffbc3c08 | 149 | my $proxyticket = "${plain}::${sig}"; |
8ecb08d7 DM |
150 | |
151 | return ($ticket, $proxyticket); | |
152 | } | |
153 | ||
154 | sub verify_spice_connect_url { | |
155 | my ($secret, $connect_str) = @_; | |
156 | ||
157 | # Note: we pass the spice ticket as 'host', so the | |
158 | # spice viewer connects with "$ticket:$port" | |
159 | ||
160 | return undef if !$connect_str; | |
161 | ||
162 | if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) { | |
163 | my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6); | |
164 | my $ttime = hex($timestamp); | |
165 | my $age = time() - $ttime; | |
166 | ||
167 | # use very limited lifetime - is this enough? | |
168 | return undef if !(($age > -20) && ($age < 40)); | |
169 | ||
170 | my $plain = "pvespiceproxy:$timestamp:$vmid:$node"; | |
171 | my $sig = unpack("H*", Digest::SHA::sha1($plain, $secret)); | |
172 | ||
173 | if ($sig eq $hexsig) { | |
174 | return ($vmid, $node, $port); | |
175 | } | |
176 | } | |
177 | ||
178 | return undef; | |
179 | } | |
180 | ||
181 | 1; |