Blame qemu-sasl-07-vnc-monitor-authinfo.patch

Daniel P. Berrange 42af21
This patch extends the 'info vnc' monitor output to include information
Daniel P. Berrange 42af21
about the VNC client authentication credentials.
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
For clients authenticated using SASL, this will output the username.
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
For clients authenticated using x509 certificates, this will output
Daniel P. Berrange 42af21
the x509 distinguished name.
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
Auth can be stacked, so both username & x509 dname may be shown.
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
    Server:
Daniel P. Berrange 42af21
         address: 0.0.0.0:5902
Daniel P. Berrange 42af21
            auth: vencrypt+x509+sasl
Daniel P. Berrange 42af21
    Client:
Daniel P. Berrange 42af21
         address: 10.33.6.67:38621
Daniel P. Berrange 42af21
      x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
Daniel P. Berrange 42af21
        username: admin
Daniel P. Berrange 42af21
    Client:
Daniel P. Berrange 42af21
         address: 10.33.6.63:38620
Daniel P. Berrange 42af21
      x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
Daniel P. Berrange 42af21
        username: admin
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
 vnc-tls.c |   17 +++++++++++++++++
Daniel P. Berrange 42af21
 vnc-tls.h |    3 +++
Daniel P. Berrange 42af21
 vnc.c     |   19 +++++++++++++++++--
Daniel P. Berrange 42af21
 3 files changed, 37 insertions(+), 2 deletions(-)
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
   Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Daniel P. Berrange 42af21
Daniel P. Berrange 42af21
diff -r 440be37a35ea vnc-tls.c
Daniel P. Berrange 42af21
--- a/vnc-tls.c	Fri Feb 20 11:46:26 2009 +0000
Daniel P. Berrange 42af21
+++ b/vnc-tls.c	Fri Feb 20 11:47:52 2009 +0000
Daniel P. Berrange 42af21
@@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct 
Daniel P. Berrange 42af21
 	    return -1;
Daniel P. Berrange 42af21
 	}
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
+	if (i == 0) {
Daniel P. Berrange 42af21
+	    size_t dnameSize = 1024;
Daniel P. Berrange 42af21
+	    vs->tls.dname = qemu_malloc(dnameSize);
Daniel P. Berrange 42af21
+	requery:
Daniel P. Berrange 42af21
+	    if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
Daniel P. Berrange 42af21
+		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
Daniel P. Berrange 42af21
+		    vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize);
Daniel P. Berrange 42af21
+		    goto requery;
Daniel P. Berrange 42af21
+		}
Daniel P. Berrange 42af21
+		gnutls_x509_crt_deinit (cert);
Daniel P. Berrange 42af21
+		VNC_DEBUG("Cannot get client distinguished name: %s",
Daniel P. Berrange 42af21
+			  gnutls_strerror (ret));
Daniel P. Berrange 42af21
+		return -1;
Daniel P. Berrange 42af21
+	    }
Daniel P. Berrange 42af21
+	}
Daniel P. Berrange 42af21
+
Daniel P. Berrange 42af21
 	gnutls_x509_crt_deinit (cert);
Daniel P. Berrange 42af21
     }
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
@@ -347,6 +363,7 @@ void vnc_tls_client_cleanup(struct VncSt
Daniel P. Berrange 42af21
 	vs->tls.session = NULL;
Daniel P. Berrange 42af21
     }
Daniel P. Berrange 42af21
     vs->tls.wiremode = VNC_WIREMODE_CLEAR;
Daniel P. Berrange 42af21
+    free(vs->tls.dname);
Daniel P. Berrange 42af21
 }
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
diff -r 440be37a35ea vnc-tls.h
Daniel P. Berrange 42af21
--- a/vnc-tls.h	Fri Feb 20 11:46:26 2009 +0000
Daniel P. Berrange 42af21
+++ b/vnc-tls.h	Fri Feb 20 11:47:52 2009 +0000
Daniel P. Berrange 42af21
@@ -55,6 +55,9 @@ struct VncStateTLS {
Daniel P. Berrange 42af21
     /* Whether data is being TLS encrypted yet */
Daniel P. Berrange 42af21
     int wiremode;
Daniel P. Berrange 42af21
     gnutls_session_t session;
Daniel P. Berrange 42af21
+
Daniel P. Berrange 42af21
+    /* Client's Distinguished Name from the x509 cert */
Daniel P. Berrange 42af21
+    char *dname;
Daniel P. Berrange 42af21
 };
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
 int vnc_tls_client_setup(VncState *vs, int x509Creds);
Daniel P. Berrange 42af21
diff -r 440be37a35ea vnc.c
Daniel P. Berrange 42af21
--- a/vnc.c	Fri Feb 20 11:46:26 2009 +0000
Daniel P. Berrange 42af21
+++ b/vnc.c	Fri Feb 20 11:47:52 2009 +0000
Daniel P. Berrange 42af21
@@ -156,6 +156,21 @@ static void do_info_vnc_client(VncState 
Daniel P. Berrange 42af21
     term_puts("Client:\n");
Daniel P. Berrange 42af21
     term_puts(clientAddr);
Daniel P. Berrange 42af21
     free(clientAddr);
Daniel P. Berrange 42af21
+
Daniel P. Berrange 42af21
+#ifdef CONFIG_VNC_TLS
Daniel P. Berrange 42af21
+    if (client->tls.session &&
Daniel P. Berrange 42af21
+	client->tls.dname)
Daniel P. Berrange 42af21
+	term_printf("  x509 dname: %s\n", client->tls.dname);
Daniel P. Berrange 42af21
+    else
Daniel P. Berrange 42af21
+	term_puts("  x509 dname: none\n");
Daniel P. Berrange 42af21
+#endif
Daniel P. Berrange 42af21
+#ifdef CONFIG_VNC_SASL
Daniel P. Berrange 42af21
+    if (client->sasl.conn &&
Daniel P. Berrange 42af21
+	client->sasl.username)
Daniel P. Berrange 42af21
+	term_printf("    username: %s\n", client->sasl.username);
Daniel P. Berrange 42af21
+    else
Daniel P. Berrange 42af21
+	term_puts("    username: none\n");
Daniel P. Berrange 42af21
+#endif
Daniel P. Berrange 42af21
 }
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
 void do_info_vnc(void)
Daniel P. Berrange 42af21
@@ -1823,7 +1838,7 @@ static int protocol_client_auth(VncState
Daniel P. Berrange 42af21
     /* We only advertise 1 auth scheme at a time, so client
Daniel P. Berrange 42af21
      * must pick the one we sent. Verify this */
Daniel P. Berrange 42af21
     if (data[0] != vs->vd->auth) { /* Reject auth */
Daniel P. Berrange 42af21
-       VNC_DEBUG("Reject auth %d\n", (int)data[0]);
Daniel P. Berrange 42af21
+       VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
Daniel P. Berrange 42af21
        vnc_write_u32(vs, 1);
Daniel P. Berrange 42af21
        if (vs->minor >= 8) {
Daniel P. Berrange 42af21
            static const char err[] = "Authentication failed";
Daniel P. Berrange 42af21
@@ -1863,7 +1878,7 @@ static int protocol_client_auth(VncState
Daniel P. Berrange 42af21
 #endif /* CONFIG_VNC_SASL */
Daniel P. Berrange 42af21
 
Daniel P. Berrange 42af21
        default: /* Should not be possible, but just in case */
Daniel P. Berrange 42af21
-           VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
Daniel P. Berrange 42af21
+           VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
Daniel P. Berrange 42af21
            vnc_write_u8(vs, 1);
Daniel P. Berrange 42af21
            if (vs->minor >= 8) {
Daniel P. Berrange 42af21
                static const char err[] = "Authentication failed";