render / rpms / qemu

Forked from rpms/qemu 9 months ago
Clone
Blob Blame History Raw
This patch extends the 'info vnc' monitor output to include information
about the VNC client authentication credentials.

For clients authenticated using SASL, this will output the username.

For clients authenticated using x509 certificates, this will output
the x509 distinguished name.

Auth can be stacked, so both username & x509 dname may be shown.

    Server:
         address: 0.0.0.0:5902
            auth: vencrypt+x509+sasl
    Client:
         address: 10.33.6.67:38621
      x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
        username: admin
    Client:
         address: 10.33.6.63:38620
      x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
        username: admin



 vnc-tls.c |   17 +++++++++++++++++
 vnc-tls.h |    3 +++
 vnc.c     |   19 +++++++++++++++++--
 3 files changed, 37 insertions(+), 2 deletions(-)

   Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff -r 440be37a35ea vnc-tls.c
--- a/vnc-tls.c	Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc-tls.c	Fri Feb 20 11:47:52 2009 +0000
@@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct 
 	    return -1;
 	}
 
+	if (i == 0) {
+	    size_t dnameSize = 1024;
+	    vs->tls.dname = qemu_malloc(dnameSize);
+	requery:
+	    if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
+		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+		    vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize);
+		    goto requery;
+		}
+		gnutls_x509_crt_deinit (cert);
+		VNC_DEBUG("Cannot get client distinguished name: %s",
+			  gnutls_strerror (ret));
+		return -1;
+	    }
+	}
+
 	gnutls_x509_crt_deinit (cert);
     }
 
@@ -347,6 +363,7 @@ void vnc_tls_client_cleanup(struct VncSt
 	vs->tls.session = NULL;
     }
     vs->tls.wiremode = VNC_WIREMODE_CLEAR;
+    free(vs->tls.dname);
 }
 
 
diff -r 440be37a35ea vnc-tls.h
--- a/vnc-tls.h	Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc-tls.h	Fri Feb 20 11:47:52 2009 +0000
@@ -55,6 +55,9 @@ struct VncStateTLS {
     /* Whether data is being TLS encrypted yet */
     int wiremode;
     gnutls_session_t session;
+
+    /* Client's Distinguished Name from the x509 cert */
+    char *dname;
 };
 
 int vnc_tls_client_setup(VncState *vs, int x509Creds);
diff -r 440be37a35ea vnc.c
--- a/vnc.c	Fri Feb 20 11:46:26 2009 +0000
+++ b/vnc.c	Fri Feb 20 11:47:52 2009 +0000
@@ -156,6 +156,21 @@ static void do_info_vnc_client(VncState 
     term_puts("Client:\n");
     term_puts(clientAddr);
     free(clientAddr);
+
+#ifdef CONFIG_VNC_TLS
+    if (client->tls.session &&
+	client->tls.dname)
+	term_printf("  x509 dname: %s\n", client->tls.dname);
+    else
+	term_puts("  x509 dname: none\n");
+#endif
+#ifdef CONFIG_VNC_SASL
+    if (client->sasl.conn &&
+	client->sasl.username)
+	term_printf("    username: %s\n", client->sasl.username);
+    else
+	term_puts("    username: none\n");
+#endif
 }
 
 void do_info_vnc(void)
@@ -1823,7 +1838,7 @@ static int protocol_client_auth(VncState
     /* We only advertise 1 auth scheme at a time, so client
      * must pick the one we sent. Verify this */
     if (data[0] != vs->vd->auth) { /* Reject auth */
-       VNC_DEBUG("Reject auth %d\n", (int)data[0]);
+       VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
        vnc_write_u32(vs, 1);
        if (vs->minor >= 8) {
            static const char err[] = "Authentication failed";
@@ -1863,7 +1878,7 @@ static int protocol_client_auth(VncState
 #endif /* CONFIG_VNC_SASL */
 
        default: /* Should not be possible, but just in case */
-           VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
+           VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
            vnc_write_u8(vs, 1);
            if (vs->minor >= 8) {
                static const char err[] = "Authentication failed";