| |
| |
| |
| |
| @@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct |
| return -1; |
| } |
| |
| + if (i == 0) { |
| + size_t dnameSize = 1024; |
| + vs->tls.dname = qemu_malloc(dnameSize); |
| + requery: |
| + if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) { |
| + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { |
| + vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize); |
| + goto requery; |
| + } |
| + gnutls_x509_crt_deinit (cert); |
| + VNC_DEBUG("Cannot get client distinguished name: %s", |
| + gnutls_strerror (ret)); |
| + return -1; |
| + } |
| + } |
| + |
| gnutls_x509_crt_deinit (cert); |
| } |
| |
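Review bot: The failure path at L18–L21 returns with `vs->tls.dname` still pointing at a buffer gnutls never finished filling, and the assignment at L11 overwrites whatever the field held before without freeing it, so a repeated validation on the same VncState (if that can happen — not visible here) would leak the earlier string. Release and clear the field before giving up: `qemu_free(vs->tls.dname); vs->tls.dname = NULL;` ahead of the `return -1`. The DN text itself comes from the client-presented certificate; the chain is checked against the CA, but the subject string is whatever the client chose, so anything that later logs or displays it should treat it as untrusted input. Minor: the VNC_DEBUG message at L19 lacks the trailing `\n` that the other VNC_DEBUG calls in this series carry. vnc_tls_validate_certificate starts before the hunk.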
| @@ -347,6 +363,7 @@ void vnc_tls_client_cleanup(struct VncSt |
| vs->tls.session = NULL; |
| } |
| vs->tls.wiremode = VNC_WIREMODE_CLEAR; |
| + free(vs->tls.dname); |
| } |
| |
| |
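Review bot: `free(vs->tls.dname)` at L32 releases memory that was obtained through `qemu_malloc`/`qemu_realloc` and leaves the pointer dangling, so a second cleanup or an `info vnc` against a partially torn-down client would double free or read freed memory. Use the matching deallocator and reset the field, which also mirrors how the neighbouring fields are cleared at L29 and L31: `qemu_free(vs->tls.dname); vs->tls.dname = NULL;`. vnc_tls_client_cleanup begins before the hunk.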
| |
| |
| |
| |
| @@ -55,6 +55,9 @@ struct VncStateTLS { |
| /* Whether data is being TLS encrypted yet */ |
| int wiremode; |
| gnutls_session_t session; |
| + |
| + /* Client's Distinguished Name from the x509 cert */ |
| + char *dname; |
| }; |
| |
| int vnc_tls_client_setup(VncState *vs, int x509Creds); |
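Review bot: The new `dname` field is heap-owned, but the comment at L45 says nothing about who allocates it, who frees it, or what it holds when no client certificate was checked, and the `info vnc` code relies on the last point. I would extend it to `/* Client's Distinguished Name from the x509 cert: heap-allocated by vnc_tls_validate_certificate(), released in vnc_tls_client_cleanup(); NULL when no client certificate was validated */`. Whether the enclosing VncState is zero-initialised so the field really starts out NULL is not visible here and should be confirmed.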
| |
| |
| |
| |
| @@ -156,6 +156,21 @@ static void do_info_vnc_client(VncState |
| term_puts("Client:\n"); |
| term_puts(clientAddr); |
| free(clientAddr); |
| + |
| +#ifdef CONFIG_VNC_TLS |
| + if (client->tls.session && |
| + client->tls.dname) |
| + term_printf(" x509 dname: %s\n", client->tls.dname); |
| + else |
| + term_puts(" x509 dname: none\n"); |
| +#endif |
| +#ifdef CONFIG_VNC_SASL |
| + if (client->sasl.conn && |
| + client->sasl.username) |
| + term_printf(" username: %s\n", client->sasl.username); |
| + else |
| + term_puts(" username: none\n"); |
| +#endif |
| } |
| |
| void do_info_vnc(void) |
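Review bot: The values printed at L62 and L69 are chosen by the remote client (the certificate subject and the SASL authentication name) and go into monitor output verbatim, so a DN or username containing a newline or a terminal escape sequence can forge extra `info vnc` lines or drive the administrator's terminal. The `%s` usage is itself correct (no format-string exposure); what is missing is a printable-character filter on the argument. Whether gnutls already escapes control characters in the DN string cannot be confirmed from here, and the SASL username is certainly raw, so I would route both through a small static helper as sketched below. do_info_vnc_client starts before the hunk.
```c
/* Client-chosen strings must not be able to forge monitor output:
 * print only printable ASCII, replacing anything else with '?'. */
static void term_puts_printable(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        term_printf("%c", (c >= 0x20 && c < 0x7f) ? c : '?');
    }
}

/* … unchanged: start of do_info_vnc_client … */
#ifdef CONFIG_VNC_TLS
    if (client->tls.session &&
        client->tls.dname) {
        term_puts("    x509 dname: ");
        term_puts_printable(client->tls.dname);
        term_puts("\n");
    } else
        term_puts("    x509 dname: none\n");
#endif
/* … same treatment for the SASL username … */
```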
| @@ -1823,7 +1838,7 @@ static int protocol_client_auth(VncState |
| /* We only advertise 1 auth scheme at a time, so client |
| * must pick the one we sent. Verify this */ |
| if (data[0] != vs->vd->auth) { /* Reject auth */ |
| - VNC_DEBUG("Reject auth %d\n", (int)data[0]); |
| + VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]); |
| vnc_write_u32(vs, 1); |
| if (vs->minor >= 8) { |
| static const char err[] = "Authentication failed"; |
| @@ -1863,7 +1878,7 @@ static int protocol_client_auth(VncState |
| #endif /* CONFIG_VNC_SASL */ |
| |
| default: /* Should not be possible, but just in case */ |
| - VNC_DEBUG("Reject auth %d\n", vs->vd->auth); |
| + VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth); |
| vnc_write_u8(vs, 1); |
| if (vs->minor >= 8) { |
| static const char err[] = "Authentication failed"; |
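Review bot: The rejection reply in this default branch, `vnc_write_u8(vs, 1);` at L91, is one byte wide while the equivalent reply in the mismatched-auth branch (L82) is `vnc_write_u32(vs, 1);`; the commit only rewords the debug message and leaves that discrepancy in place. If the security-result field is a 32-bit value, as the sibling branch suggests, the one-byte write leaves the client's framing three bytes short before the reason string, so a client that does hit this "should not be possible" branch sees a garbled failure instead of a clean one. Aligning it to `vnc_write_u32(vs, 1);` is the safe choice. protocol_client_auth continues outside the hunk.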