[pve-qemu-kvm.git] / debian / patches / pve-auth.patch

Index: new/ui/vnc.c
===================================================================
--- new.orig/ui/vnc.c	2012-11-21 11:25:33.000000000 +0100
+++ new/ui/vnc.c	2012-11-21 11:32:25.000000000 +0100
@@ -43,6 +43,125 @@
 #include "vnc_keysym.h"
 #include "d3des.h"
 
+static int pve_vmid = 0;
+
+void pve_auth_setup(int vmid) {
+	pve_vmid = vmid;
+}
+
+static char *
+urlencode(char *buf, const char *value)
+{
+	static const char *hexchar = "0123456789abcdef";
+	char *p = buf;
+	int i;
+	int l = strlen(value);
+	for (i = 0; i < l; i++) {
+		char c = value[i];
+		if (('a' <= c && c <= 'z') ||
+		    ('A' <= c && c <= 'Z') ||
+		    ('0' <= c && c <= '9')) {
+			*p++ = c;
+		} else if (c == 32) {
+			*p++ = '+';
+		} else {
+			*p++ = '%';
+			*p++ = hexchar[c >> 4];
+			*p++ = hexchar[c & 15];
+		}
+	}
+	*p = 0;
+
+	return p;
+}
+
+int
+pve_auth_verify(const char *clientip, const char *username, const char *passwd)
+{
+	struct sockaddr_in server;
+
+	int sfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sfd == -1) {
+		perror("pve_auth_verify: socket failed");
+		return -1;
+	}
+
+	struct hostent *he;
+	if ((he = gethostbyname("localhost")) == NULL) {
+		fprintf(stderr, "pve_auth_verify: error resolving hostname\n");
+		goto err;
+	}
+
+	memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
+	server.sin_family = AF_INET;
+	server.sin_port = htons(85);
+
+	if (connect(sfd, (struct sockaddr *)&server, sizeof(server))) {
+		perror("pve_auth_verify: error connecting to server");
+		goto err;
+	}
+
+	char buf[8192];
+	char form[8192];
+
+	char *p = form;
+	p = urlencode(p, "username");
+	*p++ = '=';
+	p = urlencode(p, username);
+
+	*p++ = '&';
+	p = urlencode(p, "password");
+	*p++ = '=';
+	p = urlencode(p, passwd);
+
+ 	*p++ = '&';
+	p = urlencode(p, "path");
+	*p++ = '=';
+	char authpath[256];
+	sprintf(authpath, "/vms/%d", pve_vmid);
+	p = urlencode(p, authpath);
+
+ 	*p++ = '&';
+ 	p = urlencode(p, "privs");
+	*p++ = '=';
+ 	p = urlencode(p, "VM.Console");
+
+	sprintf(buf, "POST /api2/json/access/ticket HTTP/1.1\n"
+		"Host: localhost:85\n"
+		"Connection: close\n"
+		"PVEClientIP: %s\n"
+		"Content-Type: application/x-www-form-urlencoded\n"
+		"Content-Length: %zd\n\n%s\n", clientip, strlen(form), form);
+	ssize_t len = strlen(buf);
+	ssize_t sb = send(sfd, buf, len, 0);
+	if (sb < 0) {
+		perror("pve_auth_verify: send failed");
+		goto err;
+	}
+	if (sb != len) {
+		fprintf(stderr, "pve_auth_verify: partial send error\n");
+		goto err;
+	}
+
+	len = recv(sfd, buf, sizeof(buf) - 1, 0);
+	if (len < 0) {
+		perror("pve_auth_verify: recv failed");
+		goto err;
+	}
+
+	buf[len] = 0;
+
+	//printf("DATA:%s\n", buf);
+
+	shutdown(sfd, SHUT_RDWR);
+
+	return strncmp(buf, "HTTP/1.1 200 OK", 15);
+
+err:
+	shutdown(sfd, SHUT_RDWR);
+	return -1;
+}
+
 static VncDisplay *vnc_display; /* needed for info vnc */
 static DisplayChangeListener *dcl;
 
@@ -1982,7 +2101,7 @@
         vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
         vnc_write_u8(vs, 0);
         vnc_write_u16(vs, 1); /* number of rects */
-        vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds), 
+        vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
                                ds_get_height(vs->ds), VNC_ENCODING_WMVi);
         pixel_format_message(vs);
         vnc_unlock_output(vs);
@@ -2892,7 +3011,7 @@
 char *vnc_display_local_addr(DisplayState *ds)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
-    
+
     return vnc_socket_local_addr("%s:%s", vs->lsock);
 }
 
@@ -2950,6 +3069,7 @@
             tls = 1; /* Require TLS */
         } else if (strncmp(options, "x509", 4) == 0) {
             char *start, *end;
+            tls = 1; /* Require TLS */
             x509 = 1; /* Require x509 certificates */
             if (strncmp(options, "x509verify", 10) == 0)
                 vs->tls.x509verify = 1; /* ...and verify client certs */
@@ -2970,8 +3090,10 @@
                 }
                 g_free(path);
             } else {
-                error_setg(errp, "No certificate path provided");
-                goto fail;
+		if (pve_tls_set_x509_creds_dir(vs) < 0) {
+                    error_setg(errp, "No certificate path provided");
+                    goto fail;
+		} 
             }
 #endif
 #if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
@@ -3035,10 +3157,10 @@
             vs->auth = VNC_AUTH_VENCRYPT;
             if (x509) {
                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
-                vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
+                vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
             } else {
                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
-                vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
+                vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
             }
         } else {
 #endif /* CONFIG_VNC_TLS */
Index: new/ui/vnc-auth-vencrypt.c
===================================================================
--- new.orig/ui/vnc-auth-vencrypt.c	2012-11-21 11:11:22.000000000 +0100
+++ new/ui/vnc-auth-vencrypt.c	2012-11-21 11:26:06.000000000 +0100
@@ -25,7 +25,107 @@
  */
 
 #include "vnc.h"
+#include "qemu_socket.h"
 
+static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
+{
+	const char *err = NULL;
+	char username[256];
+	char passwd[512];
+
+	char clientip[256];
+	clientip[0] = 0;
+	struct sockaddr_in client;
+	socklen_t addrlen = sizeof(client);
+	if (getpeername(vs->csock, &client, &addrlen) == 0) {
+		inet_ntop(client.sin_family, &client.sin_addr,
+			  clientip, sizeof(clientip));
+	}
+
+	if ((len != (vs->username_len + vs->password_len)) ||
+	    (vs->username_len >= (sizeof(username)-1)) ||
+	    (vs->password_len >= (sizeof(passwd)-1))	) {
+		err = "Got unexpected data length";
+		goto err;
+	}
+
+	strncpy(username, (char *)data, vs->username_len);
+	username[vs->username_len] = 0;
+	strncpy(passwd, (char *)data + vs->username_len, vs->password_len);
+	passwd[vs->password_len] = 0;
+
+	VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
+
+	if (pve_auth_verify(clientip, username, passwd) == 0) {
+		vnc_write_u32(vs, 0); /* Accept auth completion */
+		start_client_init(vs);
+		return 0;
+	}
+
+	err =  "Authentication failed";
+err:
+       if (err) {
+	       VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
+	       vnc_write_u32(vs, 1); /* Reject auth */
+	       if (vs->minor >= 8) {
+		       int elen = strlen(err);
+		       vnc_write_u32(vs, elen);
+		       vnc_write(vs, err, elen);
+	       }
+       }
+       vnc_flush(vs);
+       vnc_client_error(vs);
+
+       return 0;
+
+}
+
+static int protocol_client_auth_plain_start(VncState *vs, uint8_t *data, size_t len)
+{
+	uint32_t ulen = read_u32(data, 0);
+	uint32_t pwlen = read_u32(data, 4);
+	const char *err = NULL;
+
+	VNC_DEBUG("AUTH PLAIN START %u %u\n", ulen, pwlen);
+
+       if (!ulen) {
+	       err = "No User name.";
+	       goto err;
+       }
+       if (ulen >= 255) {
+	       err = "User name too long.";
+	       goto err;
+       }
+       if (!pwlen) {
+	       err = "Password too short";
+	       goto err;
+       }
+       if (pwlen >= 511) {
+	       err = "Password too long.";
+	       goto err;
+       }
+
+       vs->username_len = ulen;
+       vs->password_len = pwlen;
+
+       vnc_read_when(vs, protocol_client_auth_plain, ulen + pwlen);
+
+       return 0;
+err:
+       if (err) {
+	       VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
+	       vnc_write_u32(vs, 1); /* Reject auth */
+	       if (vs->minor >= 8) {
+		       int elen = strlen(err);
+		       vnc_write_u32(vs, elen);
+		       vnc_write(vs, err, elen);
+	       }
+       }
+       vnc_flush(vs);
+       vnc_client_error(vs);
+
+       return 0;
+}
 
 static void start_auth_vencrypt_subauth(VncState *vs)
 {
@@ -37,6 +137,12 @@
        start_client_init(vs);
        break;
 
+    case VNC_AUTH_VENCRYPT_TLSPLAIN:
+    case VNC_AUTH_VENCRYPT_X509PLAIN:
+       VNC_DEBUG("Start TLS auth PLAIN\n");
+       vnc_read_when(vs, protocol_client_auth_plain_start, 8);
+       break;
+
     case VNC_AUTH_VENCRYPT_TLSVNC:
     case VNC_AUTH_VENCRYPT_X509VNC:
        VNC_DEBUG("Start TLS auth VNC\n");
Index: new/ui/vnc.h
===================================================================
--- new.orig/ui/vnc.h	2012-11-21 11:11:22.000000000 +0100
+++ new/ui/vnc.h	2012-11-21 11:26:06.000000000 +0100
@@ -264,6 +264,8 @@
     char challenge[VNC_AUTH_CHALLENGE_SIZE];
 #ifdef CONFIG_VNC_TLS
     int subauth; /* Used by VeNCrypt */
+    int username_len;
+    int password_len;
     VncStateTLS tls;
 #endif
 #ifdef CONFIG_VNC_SASL
@@ -560,4 +562,6 @@
 int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
 void vnc_zrle_clear(VncState *vs);
 
+int pve_auth_verify(const char *clientip, const char *username, const char *passwd);
+
 #endif /* __QEMU_VNC_H */
Index: new/ui/vnc-tls.c
===================================================================
--- new.orig/ui/vnc-tls.c	2012-11-21 11:11:22.000000000 +0100
+++ new/ui/vnc-tls.c	2012-11-21 11:26:06.000000000 +0100
@@ -302,6 +302,14 @@
 
 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
 {
+    /* optimize for speed */
+    static const int ciphers[] = {
+	    GNUTLS_CIPHER_ARCFOUR_128,
+	    GNUTLS_CIPHER_AES_128_CBC,
+	    GNUTLS_CIPHER_3DES_CBC,
+	    0
+    };
+
     static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
     static const int protocols[] = {
         GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
@@ -313,6 +321,11 @@
     };
     int rc;
 
+    rc = gnutls_cipher_set_priority(s, ciphers);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+
     rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
     if (rc != GNUTLS_E_SUCCESS) {
         return -1;
@@ -449,6 +462,24 @@
     return 0;
 }
 
+int pve_tls_set_x509_creds_dir(VncDisplay *vd)
+{
+    if (vnc_set_x509_credential(vd, "/etc/pve", "pve-root-ca.pem", &vd->tls.x509cacert, 0) < 0)
+        goto cleanup;
+    if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.pem", &vd->tls.x509cert, 0) < 0)
+        goto cleanup;
+    if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.key", &vd->tls.x509key, 0) < 0)
+        goto cleanup;
+
+    return 0;
+
+ cleanup:
+    g_free(vd->tls.x509cacert);
+    g_free(vd->tls.x509cert);
+    g_free(vd->tls.x509key);
+    vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
+    return -1;
+}
 
 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
                                const char *certdir)
Index: new/ui/vnc-tls.h
===================================================================
--- new.orig/ui/vnc-tls.h	2012-11-21 11:11:22.000000000 +0100
+++ new/ui/vnc-tls.h	2012-11-21 11:26:06.000000000 +0100
@@ -68,6 +68,8 @@
 
 int vnc_tls_validate_certificate(VncState *vs);
 
+int pve_tls_set_x509_creds_dir(VncDisplay *vd);
+
 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
 			       const char *path);
 
Index: new/vl.c
===================================================================
--- new.orig/vl.c	2012-11-21 11:25:23.000000000 +0100
+++ new/vl.c	2012-11-21 11:26:06.000000000 +0100
@@ -3319,6 +3319,7 @@
 		    fprintf(stderr, "Invalid ID\n");
 		    exit(1);
 		}
+		pve_auth_setup(fairsched_id);
                 break;
             case QEMU_OPTION_cpuunits:
                 cpuunits = atoi(optarg);
Index: new/console.h
===================================================================
--- new.orig/console.h	2012-11-21 11:11:22.000000000 +0100
+++ new/console.h	2012-11-21 11:26:06.000000000 +0100
@@ -448,6 +448,7 @@
 void cocoa_display_init(DisplayState *ds, int full_screen);
 
 /* vnc.c */
+void pve_auth_setup(int vmid);
 void vnc_display_init(DisplayState *ds);
 void vnc_display_open(DisplayState *ds, const char *display, Error **errp);
 void vnc_display_add_client(DisplayState *ds, int csock, int skipauth);
Commit	Line	Data
4676c0af DM	1	Index: new/ui/vnc.c
4676c0af DM	2	===================================================================
e96de165 DM	3	--- new.orig/ui/vnc.c 2012-11-21 11:25:33.000000000 +0100
e96de165 DM	4	+++ new/ui/vnc.c 2012-11-21 11:32:25.000000000 +0100
2802c577	5	@@ -43,6 +43,125 @@
4676c0af DM	6	#include "vnc_keysym.h"
	7	#include "d3des.h"
	8
	9	+static int pve_vmid = 0;
	10	+
	11	+void pve_auth_setup(int vmid) {
	12	+ pve_vmid = vmid;
	13	+}
	14	+
	15	+static char *
	16	+urlencode(char buf, const char value)
	17	+{
	18	+ static const char *hexchar = "0123456789abcdef";
	19	+ char *p = buf;
	20	+ int i;
	21	+ int l = strlen(value);
	22	+ for (i = 0; i < l; i++) {
	23	+ char c = value[i];
	24	+ if (('a' <= c && c <= 'z') \|\|
	25	+ ('A' <= c && c <= 'Z') \|\|
	26	+ ('0' <= c && c <= '9')) {
	27	+ *p++ = c;
	28	+ } else if (c == 32) {
	29	+ *p++ = '+';
	30	+ } else {
	31	+ *p++ = '%';
	32	+ *p++ = hexchar[c >> 4];
	33	+ *p++ = hexchar[c & 15];
	34	+ }
	35	+ }
	36	+ *p = 0;
	37	+
	38	+ return p;
	39	+}
	40	+
	41	+int
	42	+pve_auth_verify(const char clientip, const char username, const char *passwd)
	43	+{
	44	+ struct sockaddr_in server;
	45	+
	46	+ int sfd = socket(AF_INET, SOCK_STREAM, 0);
	47	+ if (sfd == -1) {
	48	+ perror("pve_auth_verify: socket failed");
	49	+ return -1;
	50	+ }
	51	+
	52	+ struct hostent *he;
	53	+ if ((he = gethostbyname("localhost")) == NULL) {
	54	+ fprintf(stderr, "pve_auth_verify: error resolving hostname\n");
	55	+ goto err;
	56	+ }
	57	+
	58	+ memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
	59	+ server.sin_family = AF_INET;
	60	+ server.sin_port = htons(85);
	61	+
	62	+ if (connect(sfd, (struct sockaddr *)&server, sizeof(server))) {
	63	+ perror("pve_auth_verify: error connecting to server");
	64	+ goto err;
	65	+ }
	66	+
	67	+ char buf[8192];
	68	+ char form[8192];
	69	+
70	+ char *p = form;
71	+ p = urlencode(p, "username");
72	+ *p++ = '=';
73	+ p = urlencode(p, username);
74	+
75	+ *p++ = '&';
76	+ p = urlencode(p, "password");
77	+ *p++ = '=';
78	+ p = urlencode(p, passwd);
79	+
80	+ *p++ = '&';
81	+ p = urlencode(p, "path");
82	+ *p++ = '=';
83	+ char authpath[256];
84	+ sprintf(authpath, "/vms/%d", pve_vmid);
85	+ p = urlencode(p, authpath);
86	+
87	+ *p++ = '&';
88	+ p = urlencode(p, "privs");
89	+ *p++ = '=';
90	+ p = urlencode(p, "VM.Console");
91	+
92	+ sprintf(buf, "POST /api2/json/access/ticket HTTP/1.1\n"
93	+ "Host: localhost:85\n"
94	+ "Connection: close\n"
95	+ "PVEClientIP: %s\n"
96	+ "Content-Type: application/x-www-form-urlencoded\n"
97	+ "Content-Length: %zd\n\n%s\n", clientip, strlen(form), form);
98	+ ssize_t len = strlen(buf);
99	+ ssize_t sb = send(sfd, buf, len, 0);
100	+ if (sb < 0) {
101	+ perror("pve_auth_verify: send failed");
102	+ goto err;
103	+ }
104	+ if (sb != len) {
105	+ fprintf(stderr, "pve_auth_verify: partial send error\n");
106	+ goto err;
107	+ }
108	+
109	+ len = recv(sfd, buf, sizeof(buf) - 1, 0);
110	+ if (len < 0) {
111	+ perror("pve_auth_verify: recv failed");
112	+ goto err;
113	+ }
114	+
115	+ buf[len] = 0;
116	+
117	+ //printf("DATA:%s\n", buf);
118	+
119	+ shutdown(sfd, SHUT_RDWR);
120	+
121	+ return strncmp(buf, "HTTP/1.1 200 OK", 15);
122	+
123	+err:
124	+ shutdown(sfd, SHUT_RDWR);
125	+ return -1;
126	+}
127	+
128	static VncDisplay vnc_display; / needed for info vnc */
129	static DisplayChangeListener *dcl;
130
e96de165	131	@@ -1982,7 +2101,7 @@
4676c0af DM	132	vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
	133	vnc_write_u8(vs, 0);
	134	vnc_write_u16(vs, 1); /* number of rects */
	135	- vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
	136	+ vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
	137	ds_get_height(vs->ds), VNC_ENCODING_WMVi);
	138	pixel_format_message(vs);
	139	vnc_unlock_output(vs);
e96de165	140	@@ -2892,7 +3011,7 @@
4676c0af DM	141	char vnc_display_local_addr(DisplayState ds)
	142	{
	143	VncDisplay vs = ds ? (VncDisplay )ds->opaque : vnc_display;
	144	-
	145	+
	146	return vnc_socket_local_addr("%s:%s", vs->lsock);
	147	}
	148
e96de165	149	@@ -2950,6 +3069,7 @@
4676c0af DM	150	tls = 1; /* Require TLS */
	151	} else if (strncmp(options, "x509", 4) == 0) {
	152	char start, end;
	153	+ tls = 1; /* Require TLS */
	154	x509 = 1; /* Require x509 certificates */
	155	if (strncmp(options, "x509verify", 10) == 0)
	156	vs->tls.x509verify = 1; /* ...and verify client certs */
e96de165	157	@@ -2970,8 +3090,10 @@
4676c0af	158	}
07a7849d	159	g_free(path);
4676c0af	160	} else {
e96de165 DM	161	- error_setg(errp, "No certificate path provided");
e96de165 DM	162	- goto fail;
07a7849d	163	+ if (pve_tls_set_x509_creds_dir(vs) < 0) {
e96de165 DM	164	+ error_setg(errp, "No certificate path provided");
	165	+ goto fail;
	166	+ }
4676c0af DM	167	}
	168	#endif
	169	#if defined(CONFIG_VNC_TLS) \|\| defined(CONFIG_VNC_SASL)
e96de165	170	@@ -3035,10 +3157,10 @@
4676c0af DM	171	vs->auth = VNC_AUTH_VENCRYPT;
	172	if (x509) {
	173	VNC_DEBUG("Initializing VNC server with x509 password auth\n");
	174	- vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
	175	+ vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
	176	} else {
	177	VNC_DEBUG("Initializing VNC server with TLS password auth\n");
	178	- vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
	179	+ vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
	180	}
	181	} else {
	182	#endif /* CONFIG_VNC_TLS */
	183	Index: new/ui/vnc-auth-vencrypt.c
	184	===================================================================
e96de165 DM	185	--- new.orig/ui/vnc-auth-vencrypt.c 2012-11-21 11:11:22.000000000 +0100
e96de165 DM	186	+++ new/ui/vnc-auth-vencrypt.c 2012-11-21 11:26:06.000000000 +0100
4676c0af DM	187	@@ -25,7 +25,107 @@
	188	*/
	189
	190	#include "vnc.h"
	191	+#include "qemu_socket.h"
	192
	193	+static int protocol_client_auth_plain(VncState vs, uint8_t data, size_t len)
	194	+{
	195	+ const char *err = NULL;
	196	+ char username[256];
	197	+ char passwd[512];
	198	+
	199	+ char clientip[256];
	200	+ clientip[0] = 0;
	201	+ struct sockaddr_in client;
	202	+ socklen_t addrlen = sizeof(client);
	203	+ if (getpeername(vs->csock, &client, &addrlen) == 0) {
07a7849d	204	+ inet_ntop(client.sin_family, &client.sin_addr,
4676c0af DM	205	+ clientip, sizeof(clientip));
	206	+ }
	207	+
	208	+ if ((len != (vs->username_len + vs->password_len)) \|\|
	209	+ (vs->username_len >= (sizeof(username)-1)) \|\|
	210	+ (vs->password_len >= (sizeof(passwd)-1)) ) {
	211	+ err = "Got unexpected data length";
	212	+ goto err;
	213	+ }
	214	+
	215	+ strncpy(username, (char *)data, vs->username_len);
	216	+ username[vs->username_len] = 0;
	217	+ strncpy(passwd, (char *)data + vs->username_len, vs->password_len);
	218	+ passwd[vs->password_len] = 0;
	219	+
	220	+ VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
	221	+
	222	+ if (pve_auth_verify(clientip, username, passwd) == 0) {
	223	+ vnc_write_u32(vs, 0); /* Accept auth completion */
	224	+ start_client_init(vs);
	225	+ return 0;
	226	+ }
	227	+
	228	+ err = "Authentication failed";
	229	+err:
	230	+ if (err) {
	231	+ VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
	232	+ vnc_write_u32(vs, 1); /* Reject auth */
	233	+ if (vs->minor >= 8) {
	234	+ int elen = strlen(err);
	235	+ vnc_write_u32(vs, elen);
	236	+ vnc_write(vs, err, elen);
	237	+ }
	238	+ }
	239	+ vnc_flush(vs);
	240	+ vnc_client_error(vs);
	241	+
	242	+ return 0;
	243	+
	244	+}
	245	+
	246	+static int protocol_client_auth_plain_start(VncState vs, uint8_t data, size_t len)
	247	+{
	248	+ uint32_t ulen = read_u32(data, 0);
	249	+ uint32_t pwlen = read_u32(data, 4);
	250	+ const char *err = NULL;
	251	+
	252	+ VNC_DEBUG("AUTH PLAIN START %u %u\n", ulen, pwlen);
	253	+
	254	+ if (!ulen) {
	255	+ err = "No User name.";
	256	+ goto err;
	257	+ }
	258	+ if (ulen >= 255) {
	259	+ err = "User name too long.";
	260	+ goto err;
	261	+ }
	262	+ if (!pwlen) {
	263	+ err = "Password too short";
	264	+ goto err;
	265	+ }
	266	+ if (pwlen >= 511) {
	267	+ err = "Password too long.";
	268	+ goto err;
269	+ }
270	+
271	+ vs->username_len = ulen;
272	+ vs->password_len = pwlen;
273	+
274	+ vnc_read_when(vs, protocol_client_auth_plain, ulen + pwlen);
275	+
276	+ return 0;
277	+err:
278	+ if (err) {
279	+ VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
280	+ vnc_write_u32(vs, 1); /* Reject auth */
281	+ if (vs->minor >= 8) {
282	+ int elen = strlen(err);
283	+ vnc_write_u32(vs, elen);
284	+ vnc_write(vs, err, elen);
285	+ }
286	+ }
287	+ vnc_flush(vs);
288	+ vnc_client_error(vs);
289	+
290	+ return 0;
291	+}
292
293	static void start_auth_vencrypt_subauth(VncState *vs)
294	{
295	@@ -37,6 +137,12 @@
296	start_client_init(vs);
297	break;
298
299	+ case VNC_AUTH_VENCRYPT_TLSPLAIN:
300	+ case VNC_AUTH_VENCRYPT_X509PLAIN:
301	+ VNC_DEBUG("Start TLS auth PLAIN\n");
302	+ vnc_read_when(vs, protocol_client_auth_plain_start, 8);
303	+ break;
304	+
305	case VNC_AUTH_VENCRYPT_TLSVNC:
306	case VNC_AUTH_VENCRYPT_X509VNC:
307	VNC_DEBUG("Start TLS auth VNC\n");
308	Index: new/ui/vnc.h
309	===================================================================
e96de165 DM	310	--- new.orig/ui/vnc.h 2012-11-21 11:11:22.000000000 +0100
	311	+++ new/ui/vnc.h 2012-11-21 11:26:06.000000000 +0100
	312	@@ -264,6 +264,8 @@
4676c0af DM	313	char challenge[VNC_AUTH_CHALLENGE_SIZE];
	314	#ifdef CONFIG_VNC_TLS
	315	int subauth; /* Used by VeNCrypt */
	316	+ int username_len;
	317	+ int password_len;
	318	VncStateTLS tls;
	319	#endif
	320	#ifdef CONFIG_VNC_SASL
e96de165	321	@@ -560,4 +562,6 @@
07a7849d DM	322	int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
	323	void vnc_zrle_clear(VncState *vs);
	324
	325	+int pve_auth_verify(const char clientip, const char username, const char *passwd);
	326	+
	327	#endif /* __QEMU_VNC_H */
4676c0af DM	328	Index: new/ui/vnc-tls.c
4676c0af DM	329	===================================================================
e96de165 DM	330	--- new.orig/ui/vnc-tls.c 2012-11-21 11:11:22.000000000 +0100
e96de165 DM	331	+++ new/ui/vnc-tls.c 2012-11-21 11:26:06.000000000 +0100
07a7849d	332	@@ -302,6 +302,14 @@
4676c0af	333
07a7849d DM	334	static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
07a7849d DM	335	{
4676c0af DM	336	+ /* optimize for speed */
	337	+ static const int ciphers[] = {
	338	+ GNUTLS_CIPHER_ARCFOUR_128,
	339	+ GNUTLS_CIPHER_AES_128_CBC,
	340	+ GNUTLS_CIPHER_3DES_CBC,
	341	+ 0
	342	+ };
	343	+
07a7849d DM	344	static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
	345	static const int protocols[] = {
	346	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
	347	@@ -313,6 +321,11 @@
	348	};
	349	int rc;
4676c0af	350
07a7849d DM	351	+ rc = gnutls_cipher_set_priority(s, ciphers);
	352	+ if (rc != GNUTLS_E_SUCCESS) {
	353	+ return -1;
	354	+ }
	355	+
	356	rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
	357	if (rc != GNUTLS_E_SUCCESS) {
	358	return -1;
	359	@@ -449,6 +462,24 @@
4676c0af DM	360	return 0;
	361	}
	362
	363	+int pve_tls_set_x509_creds_dir(VncDisplay *vd)
	364	+{
	365	+ if (vnc_set_x509_credential(vd, "/etc/pve", "pve-root-ca.pem", &vd->tls.x509cacert, 0) < 0)
	366	+ goto cleanup;
	367	+ if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.pem", &vd->tls.x509cert, 0) < 0)
	368	+ goto cleanup;
	369	+ if (vnc_set_x509_credential(vd, "/etc/pve/local", "pve-ssl.key", &vd->tls.x509key, 0) < 0)
	370	+ goto cleanup;
	371	+
	372	+ return 0;
	373	+
	374	+ cleanup:
07a7849d DM	375	+ g_free(vd->tls.x509cacert);
	376	+ g_free(vd->tls.x509cert);
	377	+ g_free(vd->tls.x509key);
4676c0af DM	378	+ vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
	379	+ return -1;
	380	+}
	381
	382	int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
	383	const char *certdir)
	384	Index: new/ui/vnc-tls.h
	385	===================================================================
e96de165 DM	386	--- new.orig/ui/vnc-tls.h 2012-11-21 11:11:22.000000000 +0100
e96de165 DM	387	+++ new/ui/vnc-tls.h 2012-11-21 11:26:06.000000000 +0100
4676c0af DM	388	@@ -68,6 +68,8 @@
	389
	390	int vnc_tls_validate_certificate(VncState *vs);
	391
	392	+int pve_tls_set_x509_creds_dir(VncDisplay *vd);
	393	+
	394	int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
	395	const char *path);
	396
	397	Index: new/vl.c
	398	===================================================================
e96de165 DM	399	--- new.orig/vl.c 2012-11-21 11:25:23.000000000 +0100
	400	+++ new/vl.c 2012-11-21 11:26:06.000000000 +0100
	401	@@ -3319,6 +3319,7 @@
4676c0af DM	402	fprintf(stderr, "Invalid ID\n");
4676c0af DM	403	exit(1);
24565bc0 DM	404	}
	405	+ pve_auth_setup(fairsched_id);
	406	break;
	407	case QEMU_OPTION_cpuunits:
	408	cpuunits = atoi(optarg);
a023e148 DM	409	Index: new/console.h
a023e148 DM	410	===================================================================
e96de165 DM	411	--- new.orig/console.h 2012-11-21 11:11:22.000000000 +0100
	412	+++ new/console.h 2012-11-21 11:26:06.000000000 +0100
	413	@@ -448,6 +448,7 @@
a023e148 DM	414	void cocoa_display_init(DisplayState *ds, int full_screen);
	415
	416	/* vnc.c */
	417	+void pve_auth_setup(int vmid);
	418	void vnc_display_init(DisplayState *ds);
e96de165 DM	419	void vnc_display_open(DisplayState ds, const char display, Error **errp);
e96de165 DM	420	void vnc_display_add_client(DisplayState *ds, int csock, int skipauth);