src/PVE/Ticket.pm

   1 package PVE::Ticket;
   2
   3 use strict;
   4 use warnings;
   5
   6 use Crypt::OpenSSL::Random;
   7 use Crypt::OpenSSL::RSA;
   8 use MIME::Base64;
   9 use Digest::SHA;
  10 use Time::HiRes qw(gettimeofday);
  11
  12 use PVE::Exception qw(raise);
  13
  14 Crypt::OpenSSL::RSA->import_random_seed();
  15
  16 use constant HTTP_UNAUTHORIZED => 401;
  17
  18 sub assemble_csrf_prevention_token {
  19     my ($secret, $username) = @_;
  20
  21     my $timestamp = sprintf("%08X", time());
  22
  23     my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
  24
  25     return "$timestamp:$digest";
  26 }
  27
  28 sub verify_csrf_prevention_token {
  29     my ($secret, $username, $token, $min_age, $max_age, $noerr) = @_;
  30
  31     if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
  32         my $sig = $2;
  33         my $timestamp = $1;
  34         my $ttime = hex($timestamp);
  35
  36         my $digest;
  37         if (length($sig) == 27) {
  38             # detected sha1 csrf token from older proxy, fallback. FIXME: remove with 7.0
  39             $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
  40         } else {
  41             $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
  42         }
  43
  44         my $age = time() - $ttime;
  45         return 1 if ($digest eq $sig) && ($age > $min_age) &&
  46             ($age < $max_age);
  47     }
  48
  49     raise("Permission denied - invalid csrf token\n", code => HTTP_UNAUTHORIZED)
  50         if !$noerr;
  51
  52     return undef;
  53 }
  54
  55 # Note: data may not contain white spaces (verify fails in that case)
  56 sub assemble_rsa_ticket {
  57     my ($rsa_priv, $prefix, $data, $secret_data) = @_;
  58
  59     my $timestamp = sprintf("%08X", time());
  60
  61     my $plain = "$prefix:";
  62
  63     $plain .= "$data:" if defined($data);
  64
  65     $plain .= $timestamp;
  66
  67     my $full = defined($secret_data) ? "$plain:$secret_data" : $plain;
  68
  69     my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
  70
  71     return $ticket;
  72 }
  73
  74 sub verify_rsa_ticket {
  75     my ($rsa_pub, $prefix, $ticket, $secret_data, $min_age, $max_age, $noerr) = @_;
  76
  77     if ($ticket && $ticket =~ m/^(\Q$prefix\E:\S+)::([^:\s]+)$/) {
  78         my $plain = $1;
  79         my $sig = $2;
  80
  81         my $full = defined($secret_data) ? "$plain:$secret_data" : $plain;
  82
  83         if ($rsa_pub->verify($full, decode_base64($sig))) {
  84             if ($plain =~ m/^\Q$prefix\E:(?:(\S+):)?([A-Z0-9]{8})$/) {
  85                 my $data = $1; # Note: not all tickets contains data
  86                 my $timestamp = $2;
  87                 my $ttime = hex($timestamp);
  88
  89                 my $age = time() - $ttime;
  90
  91                 if (($age > $min_age) && ($age < $max_age)) {
  92                     if (defined($data)) {
  93                         return wantarray ? ($data, $age) : $data;
  94                     } else {
  95                         return wantarray ? (1, $age) : 1;
  96                     }
  97                 }
  98             }
  99         }
 100     }
 101
 102     raise("permission denied - invalid $prefix ticket\n", code => HTTP_UNAUTHORIZED)
 103         if !$noerr;
 104
 105     return undef;
 106 }
 107
 108 sub assemble_spice_ticket {
 109     my ($secret, $username, $vmid, $node) = @_;
 110
 111     my ($seconds, $microseconds) = gettimeofday;
 112
 113     my $timestamp = sprintf("%08x", $seconds);
 114
 115     my $randomstr = "PVESPICE:$timestamp:$username:$vmid:$node:$secret:" .
 116         ':' . sprintf("%08x", $microseconds) .
 117         ':' . sprintf("%08x", $$) .
 118         ':' . rand(1);
 119
 120     # this should be used as one-time password
 121     # max length is 60 chars (spice limit)
 122     # we pass this to qemu set_pasword and limit lifetime there
 123     # keep this secret
 124     my $ticket = Digest::SHA::sha1_hex($randomstr);
 125
 126     # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public
 127     # we use a signature/timestamp to make sure nobody can fake such a ticket
 128     # an attacker can use this $proxyticket, but he will fail because $ticket is
 129     # private.
 130     # The proxy needs to be able to extract/verify the ticket
 131     # Note: data needs to be lower case only, because virt-viewer needs that
 132     # Note: RSA signature are too long (>=256 charaters) and make problems with remote-viewer
 133
 134     my $plain = "pvespiceproxy:${timestamp}:${vmid}:" . lc($node);
 135
 136     # produces 40 characters
 137     my $sig = unpack("H*", Digest::SHA::sha1($plain, $secret));
 138
 139     #my $sig =  unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512)
 140
 141     my $proxyticket = "${plain}::${sig}";
 142
 143     return ($ticket, $proxyticket);
 144 }
 145
 146 sub verify_spice_connect_url {
 147     my ($secret, $connect_str) = @_;
 148
 149     # Note: we pass the spice ticket as 'host', so the
 150     # spice viewer connects with "$ticket:$port"
 151
 152     return undef if !$connect_str;
 153
 154     if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) {
 155         my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6);
 156         my $ttime = hex($timestamp);
 157         my $age = time() - $ttime;
 158
 159         # use very limited lifetime - is this enough?
 160         return undef if !(($age > -20) && ($age < 40));
 161
 162         my $plain = "pvespiceproxy:$timestamp:$vmid:$node";
 163         my $sig = unpack("H*", Digest::SHA::sha1($plain, $secret));
 164
 165         if ($sig eq $hexsig) {
 166             return ($vmid, $node, $port);
 167         }
 168     }
 169
 170     return undef;
 171 }
 172
 173 1;