2 ===================================================================
3 --- new.orig/ui/vnc.c 2013-11-26 11:44:21.000000000 +0100
4 +++ new/ui/vnc.c 2013-11-26 11:44:30.000000000 +0100
6 #include "vnc_keysym.h"
9 +static int pve_vmid = 0;
11 +void pve_auth_setup(int vmid) {
16 +urlencode(char *buf, const char *value)
18 + static const char *hexchar = "0123456789abcdef";
21 + int l = strlen(value);
22 + for (i = 0; i < l; i++) {
24 + if (('a' <= c && c <= 'z') ||
25 + ('A' <= c && c <= 'Z') ||
26 + ('0' <= c && c <= '9')) {
28 + } else if (c == 32) {
32 + *p++ = hexchar[c >> 4];
33 + *p++ = hexchar[c & 15];
42 +pve_auth_verify(const char *clientip, const char *username, const char *passwd)
44 + struct sockaddr_in server;
46 + int sfd = socket(AF_INET, SOCK_STREAM, 0);
48 + perror("pve_auth_verify: socket failed");
53 + if ((he = gethostbyname("localhost")) == NULL) {
54 + fprintf(stderr, "pve_auth_verify: error resolving hostname\n");
58 + memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
59 + server.sin_family = AF_INET;
60 + server.sin_port = htons(85);
62 + if (connect(sfd, (struct sockaddr *)&server, sizeof(server))) {
63 + perror("pve_auth_verify: error connecting to server");
71 + p = urlencode(p, "username");
73 + p = urlencode(p, username);
76 + p = urlencode(p, "password");
78 + p = urlencode(p, passwd);
81 + p = urlencode(p, "path");
84 + sprintf(authpath, "/vms/%d", pve_vmid);
85 + p = urlencode(p, authpath);
88 + p = urlencode(p, "privs");
90 + p = urlencode(p, "VM.Console");
92 + sprintf(buf, "POST /api2/json/access/ticket HTTP/1.1\n"
93 + "Host: localhost:85\n"
94 + "Connection: close\n"
96 + "Content-Type: application/x-www-form-urlencoded\n"
97 + "Content-Length: %zd\n\n%s\n", clientip, strlen(form), form);
98 + ssize_t len = strlen(buf);
99 + ssize_t sb = send(sfd, buf, len, 0);
101 + perror("pve_auth_verify: send failed");
105 + fprintf(stderr, "pve_auth_verify: partial send error\n");
109 + len = recv(sfd, buf, sizeof(buf) - 1, 0);
111 + perror("pve_auth_verify: recv failed");
117 + //printf("DATA:%s\n", buf);
119 + shutdown(sfd, SHUT_RDWR);
121 + return strncmp(buf, "HTTP/1.1 200 OK", 15);
124 + shutdown(sfd, SHUT_RDWR);
128 static VncDisplay *vnc_display; /* needed for info vnc */
130 static int vnc_cursor_define(VncState *vs);
131 @@ -3155,6 +3274,7 @@
132 tls = 1; /* Require TLS */
133 } else if (strncmp(options, "x509", 4) == 0) {
135 + tls = 1; /* Require TLS */
136 x509 = 1; /* Require x509 certificates */
137 if (strncmp(options, "x509verify", 10) == 0)
138 vs->tls.x509verify = 1; /* ...and verify client certs */
139 @@ -3175,8 +3295,10 @@
143 - error_setg(errp, "No certificate path provided");
145 + if (pve_tls_set_x509_creds_dir(vs) < 0) {
146 + error_setg(errp, "No certificate path provided");
151 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
152 @@ -3240,10 +3362,10 @@
153 vs->auth = VNC_AUTH_VENCRYPT;
155 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
156 - vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
157 + vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
159 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
160 - vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
161 + vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
164 #endif /* CONFIG_VNC_TLS */
165 Index: new/ui/vnc-auth-vencrypt.c
166 ===================================================================
167 --- new.orig/ui/vnc-auth-vencrypt.c 2013-11-26 10:50:23.000000000 +0100
168 +++ new/ui/vnc-auth-vencrypt.c 2013-11-26 11:47:41.000000000 +0100
172 #include "qemu/main-loop.h"
173 +#include "qemu/sockets.h"
175 +static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
177 + const char *err = NULL;
178 + char username[256];
181 + char clientip[256];
183 + struct sockaddr_in client;
184 + socklen_t addrlen = sizeof(client);
185 + if (getpeername(vs->csock, &client, &addrlen) == 0) {
186 + inet_ntop(client.sin_family, &client.sin_addr,
187 + clientip, sizeof(clientip));
190 + if ((len != (vs->username_len + vs->password_len)) ||
191 + (vs->username_len >= (sizeof(username)-1)) ||
192 + (vs->password_len >= (sizeof(passwd)-1)) ) {
193 + err = "Got unexpected data length";
197 + strncpy(username, (char *)data, vs->username_len);
198 + username[vs->username_len] = 0;
199 + strncpy(passwd, (char *)data + vs->username_len, vs->password_len);
200 + passwd[vs->password_len] = 0;
202 + VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
204 + if (pve_auth_verify(clientip, username, passwd) == 0) {
205 + vnc_write_u32(vs, 0); /* Accept auth completion */
206 + start_client_init(vs);
210 + err = "Authentication failed";
213 + VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
214 + vnc_write_u32(vs, 1); /* Reject auth */
215 + if (vs->minor >= 8) {
216 + int elen = strlen(err);
217 + vnc_write_u32(vs, elen);
218 + vnc_write(vs, err, elen);
222 + vnc_client_error(vs);
228 +static int protocol_client_auth_plain_start(VncState *vs, uint8_t *data, size_t len)
230 + uint32_t ulen = read_u32(data, 0);
231 + uint32_t pwlen = read_u32(data, 4);
232 + const char *err = NULL;
234 + VNC_DEBUG("AUTH PLAIN START %u %u\n", ulen, pwlen);
237 + err = "No User name.";
241 + err = "User name too long.";
245 + err = "Password too short";
248 + if (pwlen >= 511) {
249 + err = "Password too long.";
253 + vs->username_len = ulen;
254 + vs->password_len = pwlen;
256 + vnc_read_when(vs, protocol_client_auth_plain, ulen + pwlen);
261 + VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
262 + vnc_write_u32(vs, 1); /* Reject auth */
263 + if (vs->minor >= 8) {
264 + int elen = strlen(err);
265 + vnc_write_u32(vs, elen);
266 + vnc_write(vs, err, elen);
270 + vnc_client_error(vs);
275 static void start_auth_vencrypt_subauth(VncState *vs)
278 start_client_init(vs);
281 + case VNC_AUTH_VENCRYPT_TLSPLAIN:
282 + case VNC_AUTH_VENCRYPT_X509PLAIN:
283 + VNC_DEBUG("Start TLS auth PLAIN\n");
284 + vnc_read_when(vs, protocol_client_auth_plain_start, 8);
287 case VNC_AUTH_VENCRYPT_TLSVNC:
288 case VNC_AUTH_VENCRYPT_X509VNC:
289 VNC_DEBUG("Start TLS auth VNC\n");
291 ===================================================================
292 --- new.orig/ui/vnc.h 2013-11-26 10:50:23.000000000 +0100
293 +++ new/ui/vnc.h 2013-11-26 11:44:30.000000000 +0100
295 char challenge[VNC_AUTH_CHALLENGE_SIZE];
296 #ifdef CONFIG_VNC_TLS
297 int subauth; /* Used by VeNCrypt */
302 #ifdef CONFIG_VNC_SASL
304 int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
305 void vnc_zrle_clear(VncState *vs);
307 +int pve_auth_verify(const char *clientip, const char *username, const char *passwd);
309 #endif /* __QEMU_VNC_H */
310 Index: new/ui/vnc-tls.c
311 ===================================================================
312 --- new.orig/ui/vnc-tls.c 2013-11-26 10:50:23.000000000 +0100
313 +++ new/ui/vnc-tls.c 2013-11-26 11:44:30.000000000 +0100
316 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
318 + /* optimize for speed */
319 + static const int ciphers[] = {
320 + GNUTLS_CIPHER_ARCFOUR_128,
321 + GNUTLS_CIPHER_AES_128_CBC,
322 + GNUTLS_CIPHER_3DES_CBC,
326 static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
327 static const int protocols[] = {
328 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
333 + rc = gnutls_cipher_set_priority(s, ciphers);
334 + if (rc != GNUTLS_E_SUCCESS) {
338 rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
339 if (rc != GNUTLS_E_SUCCESS) {
345 +int pve_tls_set_x509_creds_dir(VncDisplay *vd)
347 + if (vnc_set_x509_credential(vd, "/etc/pve", "pve-root-ca.pem", &vd->tls.x509cacert, 0) < 0)
349 + if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.pem", &vd->tls.x509cert, 0) < 0)
351 + if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.key", &vd->tls.x509key, 0) < 0)
357 + g_free(vd->tls.x509cacert);
358 + g_free(vd->tls.x509cert);
359 + g_free(vd->tls.x509key);
360 + vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
364 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
366 Index: new/ui/vnc-tls.h
367 ===================================================================
368 --- new.orig/ui/vnc-tls.h 2013-11-26 10:50:23.000000000 +0100
369 +++ new/ui/vnc-tls.h 2013-11-26 11:44:30.000000000 +0100
372 int vnc_tls_validate_certificate(VncState *vs);
374 +int pve_tls_set_x509_creds_dir(VncDisplay *vd);
376 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
380 ===================================================================
381 --- new.orig/vl.c 2013-11-26 11:44:20.000000000 +0100
382 +++ new/vl.c 2013-11-26 11:44:30.000000000 +0100
383 @@ -3566,6 +3566,7 @@
384 fprintf(stderr, "Invalid ID\n");
387 + pve_auth_setup(fairsched_id);
389 case QEMU_OPTION_cpuunits:
390 cpuunits = atoi(optarg);
391 Index: new/include/ui/console.h
392 ===================================================================
393 --- new.orig/include/ui/console.h 2013-11-26 10:50:22.000000000 +0100
394 +++ new/include/ui/console.h 2013-11-26 11:44:30.000000000 +0100
396 void cocoa_display_init(DisplayState *ds, int full_screen);
399 +void pve_auth_setup(int vmid);
400 void vnc_display_init(DisplayState *ds);
401 void vnc_display_open(DisplayState *ds, const char *display, Error **errp);
402 void vnc_display_add_client(DisplayState *ds, int csock, bool skipauth);