]> git.proxmox.com Git - pve-qemu-kvm.git/blob - debian/patches/pve-auth.patch
projects / pve-qemu-kvm.git / blob
? search:


241cd79e9303682167e39441100ba8f94e24a895
[pve-qemu-kvm.git] / debian / patches / pve-auth.patch
1 Index: new/ui/vnc.c
2 ===================================================================
3 --- new.orig/ui/vnc.c 2012-11-21 11:25:33.000000000 +0100
4 +++ new/ui/vnc.c 2012-11-21 11:32:25.000000000 +0100
5 @@ -43,6 +43,125 @@
6 #include "vnc_keysym.h"
7 #include "d3des.h"
8
9 +static int pve_vmid = 0;
10 +
11 +void pve_auth_setup(int vmid) {
12 + pve_vmid = vmid;
13 +}
14 +
15 +static char *
16 +urlencode(char *buf, const char *value)
17 +{
18 + static const char *hexchar = "0123456789abcdef";
19 + char *p = buf;
20 + int i;
21 + int l = strlen(value);
22 + for (i = 0; i < l; i++) {
23 + char c = value[i];
24 + if (('a' <= c && c <= 'z') ||
25 + ('A' <= c && c <= 'Z') ||
26 + ('0' <= c && c <= '9')) {
27 + *p++ = c;
28 + } else if (c == 32) {
29 + *p++ = '+';
30 + } else {
31 + *p++ = '%';
32 + *p++ = hexchar[c >> 4];
33 + *p++ = hexchar[c & 15];
34 + }
35 + }
36 + *p = 0;
37 +
38 + return p;
39 +}
40 +
41 +int
42 +pve_auth_verify(const char *clientip, const char *username, const char *passwd)
43 +{
44 + struct sockaddr_in server;
45 +
46 + int sfd = socket(AF_INET, SOCK_STREAM, 0);
47 + if (sfd == -1) {
48 + perror("pve_auth_verify: socket failed");
49 + return -1;
50 + }
51 +
52 + struct hostent *he;
53 + if ((he = gethostbyname("localhost")) == NULL) {
54 + fprintf(stderr, "pve_auth_verify: error resolving hostname\n");
55 + goto err;
56 + }
57 +
58 + memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
59 + server.sin_family = AF_INET;
60 + server.sin_port = htons(85);
61 +
62 + if (connect(sfd, (struct sockaddr *)&server, sizeof(server))) {
63 + perror("pve_auth_verify: error connecting to server");
64 + goto err;
65 + }
66 +
67 + char buf[8192];
68 + char form[8192];
69 +
70 + char *p = form;
71 + p = urlencode(p, "username");
72 + *p++ = '=';
73 + p = urlencode(p, username);
74 +
75 + *p++ = '&';
76 + p = urlencode(p, "password");
77 + *p++ = '=';
78 + p = urlencode(p, passwd);
79 +
80 + *p++ = '&';
81 + p = urlencode(p, "path");
82 + *p++ = '=';
83 + char authpath[256];
84 + sprintf(authpath, "/vms/%d", pve_vmid);
85 + p = urlencode(p, authpath);
86 +
87 + *p++ = '&';
88 + p = urlencode(p, "privs");
89 + *p++ = '=';
90 + p = urlencode(p, "VM.Console");
91 +
92 + sprintf(buf, "POST /api2/json/access/ticket HTTP/1.1\n"
93 + "Host: localhost:85\n"
94 + "Connection: close\n"
95 + "PVEClientIP: %s\n"
96 + "Content-Type: application/x-www-form-urlencoded\n"
97 + "Content-Length: %zd\n\n%s\n", clientip, strlen(form), form);
98 + ssize_t len = strlen(buf);
99 + ssize_t sb = send(sfd, buf, len, 0);
100 + if (sb < 0) {
101 + perror("pve_auth_verify: send failed");
102 + goto err;
103 + }
104 + if (sb != len) {
105 + fprintf(stderr, "pve_auth_verify: partial send error\n");
106 + goto err;
107 + }
108 +
109 + len = recv(sfd, buf, sizeof(buf) - 1, 0);
110 + if (len < 0) {
111 + perror("pve_auth_verify: recv failed");
112 + goto err;
113 + }
114 +
115 + buf[len] = 0;
116 +
117 + //printf("DATA:%s\n", buf);
118 +
119 + shutdown(sfd, SHUT_RDWR);
120 +
121 + return strncmp(buf, "HTTP/1.1 200 OK", 15);
122 +
123 +err:
124 + shutdown(sfd, SHUT_RDWR);
125 + return -1;
126 +}
127 +
128 static VncDisplay *vnc_display; /* needed for info vnc */
129 static DisplayChangeListener *dcl;
130
131 @@ -1982,7 +2101,7 @@
132 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
133 vnc_write_u8(vs, 0);
134 vnc_write_u16(vs, 1); /* number of rects */
135 - vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
136 + vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
137 ds_get_height(vs->ds), VNC_ENCODING_WMVi);
138 pixel_format_message(vs);
139 vnc_unlock_output(vs);
140 @@ -2892,7 +3011,7 @@
141 char *vnc_display_local_addr(DisplayState *ds)
142 {
143 VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
144 -
145 +
146 return vnc_socket_local_addr("%s:%s", vs->lsock);
147 }
148
149 @@ -2950,6 +3069,7 @@
150 tls = 1; /* Require TLS */
151 } else if (strncmp(options, "x509", 4) == 0) {
152 char *start, *end;
153 + tls = 1; /* Require TLS */
154 x509 = 1; /* Require x509 certificates */
155 if (strncmp(options, "x509verify", 10) == 0)
156 vs->tls.x509verify = 1; /* ...and verify client certs */
157 @@ -2970,8 +3090,10 @@
158 }
159 g_free(path);
160 } else {
161 - error_setg(errp, "No certificate path provided");
162 - goto fail;
163 + if (pve_tls_set_x509_creds_dir(vs) < 0) {
164 + error_setg(errp, "No certificate path provided");
165 + goto fail;
166 + }
167 }
168 #endif
169 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
170 @@ -3035,10 +3157,10 @@
171 vs->auth = VNC_AUTH_VENCRYPT;
172 if (x509) {
173 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
174 - vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
175 + vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
176 } else {
177 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
178 - vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
179 + vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
180 }
181 } else {
182 #endif /* CONFIG_VNC_TLS */
183 Index: new/ui/vnc-auth-vencrypt.c
184 ===================================================================
185 --- new.orig/ui/vnc-auth-vencrypt.c 2012-11-21 11:11:22.000000000 +0100
186 +++ new/ui/vnc-auth-vencrypt.c 2012-11-21 11:26:06.000000000 +0100
187 @@ -25,7 +25,107 @@
188 */
189
190 #include "vnc.h"
191 +#include "qemu_socket.h"
192
193 +static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
194 +{
195 + const char *err = NULL;
196 + char username[256];
197 + char passwd[512];
198 +
199 + char clientip[256];
200 + clientip[0] = 0;
201 + struct sockaddr_in client;
202 + socklen_t addrlen = sizeof(client);
203 + if (getpeername(vs->csock, &client, &addrlen) == 0) {
204 + inet_ntop(client.sin_family, &client.sin_addr,
205 + clientip, sizeof(clientip));
206 + }
207 +
208 + if ((len != (vs->username_len + vs->password_len)) ||
209 + (vs->username_len >= (sizeof(username)-1)) ||
210 + (vs->password_len >= (sizeof(passwd)-1)) ) {
211 + err = "Got unexpected data length";
212 + goto err;
213 + }
214 +
215 + strncpy(username, (char *)data, vs->username_len);
216 + username[vs->username_len] = 0;
217 + strncpy(passwd, (char *)data + vs->username_len, vs->password_len);
218 + passwd[vs->password_len] = 0;
219 +
220 + VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
221 +
222 + if (pve_auth_verify(clientip, username, passwd) == 0) {
223 + vnc_write_u32(vs, 0); /* Accept auth completion */
224 + start_client_init(vs);
225 + return 0;
226 + }
227 +
228 + err = "Authentication failed";
229 +err:
230 + if (err) {
231 + VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
232 + vnc_write_u32(vs, 1); /* Reject auth */
233 + if (vs->minor >= 8) {
234 + int elen = strlen(err);
235 + vnc_write_u32(vs, elen);
236 + vnc_write(vs, err, elen);
237 + }
238 + }
239 + vnc_flush(vs);
240 + vnc_client_error(vs);
241 +
242 + return 0;
243 +
244 +}
245 +
246 +static int protocol_client_auth_plain_start(VncState *vs, uint8_t *data, size_t len)
247 +{
248 + uint32_t ulen = read_u32(data, 0);
249 + uint32_t pwlen = read_u32(data, 4);
250 + const char *err = NULL;
251 +
252 + VNC_DEBUG("AUTH PLAIN START %u %u\n", ulen, pwlen);
253 +
254 + if (!ulen) {
255 + err = "No User name.";
256 + goto err;
257 + }
258 + if (ulen >= 255) {
259 + err = "User name too long.";
260 + goto err;
261 + }
262 + if (!pwlen) {
263 + err = "Password too short";
264 + goto err;
265 + }
266 + if (pwlen >= 511) {
267 + err = "Password too long.";
268 + goto err;
269 + }
270 +
271 + vs->username_len = ulen;
272 + vs->password_len = pwlen;
273 +
274 + vnc_read_when(vs, protocol_client_auth_plain, ulen + pwlen);
275 +
276 + return 0;
277 +err:
278 + if (err) {
279 + VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
280 + vnc_write_u32(vs, 1); /* Reject auth */
281 + if (vs->minor >= 8) {
282 + int elen = strlen(err);
283 + vnc_write_u32(vs, elen);
284 + vnc_write(vs, err, elen);
285 + }
286 + }
287 + vnc_flush(vs);
288 + vnc_client_error(vs);
289 +
290 + return 0;
291 +}
292
293 static void start_auth_vencrypt_subauth(VncState *vs)
294 {
295 @@ -37,6 +137,12 @@
296 start_client_init(vs);
297 break;
298
299 + case VNC_AUTH_VENCRYPT_TLSPLAIN:
300 + case VNC_AUTH_VENCRYPT_X509PLAIN:
301 + VNC_DEBUG("Start TLS auth PLAIN\n");
302 + vnc_read_when(vs, protocol_client_auth_plain_start, 8);
303 + break;
304 +
305 case VNC_AUTH_VENCRYPT_TLSVNC:
306 case VNC_AUTH_VENCRYPT_X509VNC:
307 VNC_DEBUG("Start TLS auth VNC\n");
308 Index: new/ui/vnc.h
309 ===================================================================
310 --- new.orig/ui/vnc.h 2012-11-21 11:11:22.000000000 +0100
311 +++ new/ui/vnc.h 2012-11-21 11:26:06.000000000 +0100
312 @@ -264,6 +264,8 @@
313 char challenge[VNC_AUTH_CHALLENGE_SIZE];
314 #ifdef CONFIG_VNC_TLS
315 int subauth; /* Used by VeNCrypt */
316 + int username_len;
317 + int password_len;
318 VncStateTLS tls;
319 #endif
320 #ifdef CONFIG_VNC_SASL
321 @@ -560,4 +562,6 @@
322 int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
323 void vnc_zrle_clear(VncState *vs);
324
325 +int pve_auth_verify(const char *clientip, const char *username, const char *passwd);
326 +
327 #endif /* __QEMU_VNC_H */
328 Index: new/ui/vnc-tls.c
329 ===================================================================
330 --- new.orig/ui/vnc-tls.c 2012-11-21 11:11:22.000000000 +0100
331 +++ new/ui/vnc-tls.c 2012-11-21 11:26:06.000000000 +0100
332 @@ -302,6 +302,14 @@
333
334 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
335 {
336 + /* optimize for speed */
337 + static const int ciphers[] = {
338 + GNUTLS_CIPHER_ARCFOUR_128,
339 + GNUTLS_CIPHER_AES_128_CBC,
340 + GNUTLS_CIPHER_3DES_CBC,
341 + 0
342 + };
343 +
344 static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
345 static const int protocols[] = {
346 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
347 @@ -313,6 +321,11 @@
348 };
349 int rc;
350
351 + rc = gnutls_cipher_set_priority(s, ciphers);
352 + if (rc != GNUTLS_E_SUCCESS) {
353 + return -1;
354 + }
355 +
356 rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
357 if (rc != GNUTLS_E_SUCCESS) {
358 return -1;
359 @@ -449,6 +462,24 @@
360 return 0;
361 }
362
363 +int pve_tls_set_x509_creds_dir(VncDisplay *vd)
364 +{
365 + if (vnc_set_x509_credential(vd, "/etc/pve", "pve-root-ca.pem", &vd->tls.x509cacert, 0) < 0)
366 + goto cleanup;
367 + if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.pem", &vd->tls.x509cert, 0) < 0)
368 + goto cleanup;
369 + if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.key", &vd->tls.x509key, 0) < 0)
370 + goto cleanup;
371 +
372 + return 0;
373 +
374 + cleanup:
375 + g_free(vd->tls.x509cacert);
376 + g_free(vd->tls.x509cert);
377 + g_free(vd->tls.x509key);
378 + vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
379 + return -1;
380 +}
381
382 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
383 const char *certdir)
384 Index: new/ui/vnc-tls.h
385 ===================================================================
386 --- new.orig/ui/vnc-tls.h 2012-11-21 11:11:22.000000000 +0100
387 +++ new/ui/vnc-tls.h 2012-11-21 11:26:06.000000000 +0100
388 @@ -68,6 +68,8 @@
389
390 int vnc_tls_validate_certificate(VncState *vs);
391
392 +int pve_tls_set_x509_creds_dir(VncDisplay *vd);
393 +
394 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
395 const char *path);
396
397 Index: new/vl.c
398 ===================================================================
399 --- new.orig/vl.c 2012-11-21 11:25:23.000000000 +0100
400 +++ new/vl.c 2012-11-21 11:26:06.000000000 +0100
401 @@ -3319,6 +3319,7 @@
402 fprintf(stderr, "Invalid ID\n");
403 exit(1);
404 }
405 + pve_auth_setup(fairsched_id);
406 break;
407 case QEMU_OPTION_cpuunits:
408 cpuunits = atoi(optarg);
409 Index: new/console.h
410 ===================================================================
411 --- new.orig/console.h 2012-11-21 11:11:22.000000000 +0100
412 +++ new/console.h 2012-11-21 11:26:06.000000000 +0100
413 @@ -448,6 +448,7 @@
414 void cocoa_display_init(DisplayState *ds, int full_screen);
415
416 /* vnc.c */
417 +void pve_auth_setup(int vmid);
418 void vnc_display_init(DisplayState *ds);
419 void vnc_display_open(DisplayState *ds, const char *display, Error **errp);
420 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth);
old QEMU for PVE