[pve-devel] r5412 - vncterm/pve2/vncpatches

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Jan 21 12:40:52 CET 2011


Author: dietmar
Date: 2011-01-21 12:40:51 +0100 (Fri, 21 Jan 2011)
New Revision: 5412

Modified:
   vncterm/pve2/vncpatches/patch2.diff
Log:
implement x509


Modified: vncterm/pve2/vncpatches/patch2.diff
===================================================================
--- vncterm/pve2/vncpatches/patch2.diff	2011-01-21 11:02:08 UTC (rev 5411)
+++ vncterm/pve2/vncpatches/patch2.diff	2011-01-21 11:40:51 UTC (rev 5412)
@@ -115,8 +115,8 @@
 Index: vnc/newterm/vncterm.c
 ===================================================================
 --- vnc.orig/newterm/vncterm.c	2011-01-20 13:41:18.000000000 +0100
-+++ vnc/newterm/vncterm.c	2011-01-21 10:24:41.000000000 +0100
-@@ -37,6 +37,173 @@
++++ vnc/newterm/vncterm.c	2011-01-21 12:41:08.000000000 +0100
+@@ -37,6 +37,211 @@
  #include "vncterm.h"
  #include "glyphs.h"
  
@@ -126,6 +126,8 @@
 +char *auth_path = "/";
 +char *auth_perm = "VM.Console";
 +
++int use_x509 = 1;
++
 +/* launch expernal script to verify credential */
 +int
 +pve_auth_verify(const char *username, const char *passwd)
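Review bot: `int use_x509 = 1;` is introduced as an undocumented, non-static mutable global, and none of the visible hunks adds a way to switch it off (the option-parsing context near the end of the patch gains no new flag). Unless another file references it, I'd make it `static` and say what the two states mean, since the selection logic lives far away in rfbVncAuthVencrypt: `static int use_x509 = 1; /* 1: offer VeNCrypt X509Plain with the server cert from /etc/pve; 0: anonymous-DH TLSPlain */`.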
@@ -141,7 +143,7 @@
 +
 +	sprintf(pwenv, "PVE_PW_TICKET=%s", passwd);
 +
-+	const char *script ="/usr/sbin/pveum";
++	const char *script = "/usr/sbin/pveum";
 +
 +	sigemptyset(&mask);
 +	sigaddset(&mask, SIGCHLD);
@@ -278,7 +280,7 @@
 +	int ret;
 +
 +	if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
-+		fprintf(stderr, "can't allocate credentials %s\n", gnutls_strerror(ret));
++		rfbLog("can't allocate credentials: %s\n", gnutls_strerror(ret));
 +		return NULL;
 +	}
 +
@@ -287,13 +289,51 @@
 +	return anon_cred;
 +}
 +
++static gnutls_certificate_credentials_t 
++tls_initialize_x509_cred(void)
++{
++	gnutls_certificate_credentials_t x509_cred;
++	int ret;
++
++	/* Paths to x509 certs/keys */
++	char *x509cacert = "/etc/pve/pve-root-ca.pem";
++	char *x509cert = "/etc/pve/local/pve-ssl.pem";
++	char *x509key = "/etc/pve/local/pve-ssl.key";
++
++
++	if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
++		rfbLog("can't allocate credentials: %s\n", gnutls_strerror(ret));
++		return NULL;
++	}
++
++	if ((ret = gnutls_certificate_set_x509_trust_file
++	     (x509_cred, x509cacert, GNUTLS_X509_FMT_PEM)) < 0) {
++		rfbLog("can't load CA certificate: %s\n", gnutls_strerror(ret));
++		gnutls_certificate_free_credentials(x509_cred);
++		return NULL;
++	}
++
++	if ((ret = gnutls_certificate_set_x509_key_file 
++	     (x509_cred, x509cert, x509key, GNUTLS_X509_FMT_PEM)) < 0) {
++		rfbLog("can't load certificate & key: %s\n", gnutls_strerror(ret));
++		gnutls_certificate_free_credentials(x509_cred);
++		return NULL;
++	}
++
++	gnutls_certificate_set_dh_params (x509_cred, dh_params);
++
++	return x509_cred;
++}
++
  /* define this for debugging */
  //#define DEBUG
  
-@@ -45,10 +212,275 @@
+@@ -44,11 +249,281 @@
+ 
  #define rfbSecTypeVencrypt  19
  #define rfbVencryptTlsPlain 259
- 
++#define rfbVencryptX509Plain 262
++
 +int rfbEncodeU32(char *buf, uint32_t value)
 +{
 +    buf[0] = (value >> 24) & 0xFF;
@@ -378,7 +418,7 @@
 +	rfbCloseClient(cl);
 +	return;
 +}
-+
+ 
  static void
  rfbVncAuthVencrypt(rfbClientPtr cl)
  {
@@ -390,14 +430,12 @@
 +	buf[0] = 0;
 +	buf[1] = 2;
 +
-+	printf("TEST1\n");
 +	if (rfbWriteExact(cl, buf, 2) < 0) {
 +            rfbLogPerror("rfbVncAuthVencrypt: write");
 +            rfbCloseClient(cl);
 +            return;
 +	}
-+
-+	printf("TEST2\n");
+ 
 +	int n = rfbReadExact(cl, buf, 2);
 +	if (n <= 0) {
 +		if (n == 0)
@@ -408,8 +446,6 @@
 +		return;
 +	}
 +
-+	printf("TEST3\n");
-+
 +	if (buf[0] != 0 || buf[1] != 2) {
 +		rfbLog("Unsupported VeNCrypt protocol %d.%d\n",
 +		       (int)buf[0], (int)buf[1]);
@@ -420,18 +456,17 @@
 +	}
 +
 +	/* Sending allowed auth */
-+	printf("TEST4\n");
++	int req_auth = use_x509 ? rfbVencryptX509Plain : rfbVencryptTlsPlain;
 +
 +	buf[0] = 0; /* Accept version */
 +	buf[1] = 1; /* number of sub auths */
-+	rfbEncodeU32(buf+2, rfbVencryptTlsPlain);
++	rfbEncodeU32(buf+2, req_auth);
 +	if (rfbWriteExact(cl, buf, 6) < 0) {
 +		rfbLogPerror("rfbVncAuthVencrypt: write");
 +		rfbCloseClient(cl);
 +		return;
 +	}
- 
-+	printf("TEST5\n");
++
 +	n = rfbReadExact(cl, buf, 4);
 +	if (n <= 0) {
 +		if (n == 0)
@@ -443,15 +478,13 @@
 +	}
 +
 +	int auth = rfbDecodeU32(buf, 0);
-+	printf("TEST6 %d\n", auth);
-+	if (auth != rfbVencryptTlsPlain) {
-+		buf[0] = 1; /* Reject version */
++	if (auth != req_auth) {
++		buf[0] = 1; /* Reject auth*/
 +		rfbWriteExact(cl, buf, 1);
 +		rfbCloseClient(cl);
 +		return;
 +	}
 +
-+	printf("TEST7\n");
 +	buf[0] = 1; /* Accept auth */
 +	if (rfbWriteExact(cl, buf, 1) < 0) {
 +		rfbLogPerror("rfbVncAuthVencrypt: write");
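Review bot: The new `if (auth != req_auth)` reject path closes the connection without logging which sub-auth the client asked for, whereas the version-mismatch path a few lines earlier logs the offending values; with X509Plain now the only advertised sub-auth, a TLSPlain-only client will simply vanish from the server's point of view. I'd add `rfbLog("Unsupported VeNCrypt sub-auth %d (expected %d)\n", auth, req_auth);` before the reject write so the mismatch is diagnosable from the log. rfbVncAuthVencrypt starts and ends outside this hunk.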
@@ -459,9 +492,6 @@
 +		return;
 +	}
 +
-+	printf("TEST8\n");
-+
-+
 +	tls_client_t *sd = calloc(1, sizeof(tls_client_t));
 +
 +	if (sd->session == NULL) {
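Review bot: `tls_client_t *sd = calloc(1, sizeof(tls_client_t));` is dereferenced on the very next line (`sd->session == NULL`) without a NULL check; this is pre-existing context rather than something the commit changes, but it is a null dereference on allocation failure in the authentication path. A guard such as `if (!sd) { rfbLogPerror("rfbVncAuthVencrypt: calloc"); rfbCloseClient(cl); return; }` before the check matches the error style used elsewhere in this function. The enclosing function continues outside the hunk.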
@@ -494,7 +524,8 @@
 +		}
 +
 +		static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
-+		if ((ret = gnutls_kx_set_priority(sd->session, kx_anon)) < 0) {
++		static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
++		if ((ret = gnutls_kx_set_priority(sd->session, use_x509 ? kx_x509 : kx_anon)) < 0) {
 +			rfbLog("gnutls_kx_set_priority failed: %s\n", gnutls_strerror(ret));
 +			sd->session = NULL;
 +			rfbCloseClient(cl);
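Review bot: The new `kx_x509` priority list includes `GNUTLS_KX_SRP`, yet no SRP credentials are set anywhere in the visible patch, so that entry can never be selected and only invites confusion; it also lists `GNUTLS_KX_RSA` (static RSA key exchange, no forward secrecy) ahead of `GNUTLS_KX_DHE_RSA` even though `gnutls_certificate_set_dh_params` is called on the credentials, which makes DHE available. I'd prefer `static const int kx_x509[] = {GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, 0};` with a short comment explaining that DHE is preferred for forward secrecy, assuming the server's ordering is honoured by this GnuTLS version. The enclosing block starts and ends outside this hunk.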
@@ -519,32 +550,47 @@
 +			return;
 +		}
 +
-+		gnutls_anon_server_credentials anon_cred;
++		if (use_x509) {
++			gnutls_certificate_server_credentials x509_cred;
++			
++			if (!(x509_cred = tls_initialize_x509_cred())) {
++				sd->session = NULL;
++				rfbCloseClient(cl);
++				return;
++			}
++ 
++			if (gnutls_credentials_set(sd->session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
++				sd->session = NULL;
++				gnutls_certificate_free_credentials(x509_cred);
++				rfbCloseClient(cl);
++				return;
++			}
++			
++		} else {
++			gnutls_anon_server_credentials anon_cred;
 +
-+		if (!(anon_cred = tls_initialize_anon_cred())) {
-+			sd->session = NULL;
-+			rfbCloseClient(cl);
-+			return;
-+		}
++			if (!(anon_cred = tls_initialize_anon_cred())) {
++				sd->session = NULL;
++				rfbCloseClient(cl);
++				return;
++			}
 +
-+		if ((ret = gnutls_credentials_set(sd->session, GNUTLS_CRD_ANON, anon_cred)) < 0) {
-+			rfbLog("gnutls_credentials_set failed: %s\n", gnutls_strerror(ret));
-+			gnutls_anon_free_server_credentials(anon_cred);
-+			sd->session = NULL;
-+			rfbCloseClient(cl);
-+			return;
++			if ((ret = gnutls_credentials_set(sd->session, GNUTLS_CRD_ANON, anon_cred)) < 0) {
++				rfbLog("gnutls_credentials_set failed: %s\n", gnutls_strerror(ret));
++				gnutls_anon_free_server_credentials(anon_cred);
++				sd->session = NULL;
++				rfbCloseClient(cl);
++				return;
++			}
 +		}
 +
 +		gnutls_transport_set_ptr(sd->session, (gnutls_transport_ptr_t)cl);
 +		gnutls_transport_set_push_function(sd->session, vnc_tls_push);
 +		gnutls_transport_set_pull_function(sd->session, vnc_tls_pull);
-+		printf("TEST 9\n");
 +	}
 +
 +
 +retry:
-+	printf("TEST 10 %p\n", cl);
-+
 +	if ((ret = gnutls_handshake(sd->session)) < 0) {
 +		if (!gnutls_error_is_fatal(ret)) {
 +			usleep(100000);
@@ -561,12 +607,10 @@
 +	cl->sock_write_fn = &vnc_tls_write;
 +
 +	vencrypt_subauth_plain(cl);
-+
-+	printf("TEST end\n");
  }
  
  static rfbSecurityHandler VncSecurityHandlerVencrypt = {
-@@ -1759,6 +2191,21 @@
+@@ -1759,6 +2234,21 @@
    time_t elapsed, cur_time;
    struct winsize dimensions;
  
@@ -588,7 +632,7 @@
    for (i = 1; i < argc; i++) {
      if (!strcmp (argv[i], "-c")) {
        command = argv[i+1];
-@@ -1784,6 +2231,8 @@
+@@ -1784,6 +2274,8 @@
  
  #ifdef DEBUG
    rfbLogEnable (1);



