Date: Thu, 12 Feb 2009 15:03:48 +0000
From: "Daniel P. Berrange" Subject: Re: [Qemu-devel] PATCH: 5/7: Include auth credentials in 'info vnc' Message-ID: <20090212150348.GU9894@redhat.com> References: <20090212145302.GO9894@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090212145302.GO9894@redhat.com> Reply-To: "Daniel P. Berrange" , qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org This patch extends the 'info vnc' monitor output to include information about the VNC client authentication credentials. For clients authenticated using SASL, this will output the username. For clients authenticated using x509 certificates, this will output the x509 distinguished name. Auth can be stacked, so both username & x509 dname may be shown. (qemu) info vnc Server: active address: 0.0.0.0:5901 auth: vencrypt+x509+sasl Client: active address: 127.0.0.1:42956 x509 dname: C=GB,O=Red Hat,L=London,ST=London,CN=localhost username: test Signed-off-by: Daniel P. Berrange vnc-tls.c | 17 +++++++++++++++++ vnc-tls.h | 3 +++ vnc.c | 19 +++++++++++++++++-- 3 files changed, 37 insertions(+), 2 deletions(-) Daniel diff -r 122f8a90f465 vnc-tls.c --- a/vnc-tls.c Wed Feb 11 17:34:08 2009 +0000 +++ b/vnc-tls.c Wed Feb 11 17:34:11 2009 +0000 @@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct return -1; } + if (i == 0) { + size_t dnameSize = 1024; + vs->tls.dname = qemu_malloc(dnameSize); + requery: + if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) { + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize); + goto requery; + } + gnutls_x509_crt_deinit (cert); + VNC_DEBUG("Cannot get client distinguished name: %s", + gnutls_strerror (ret)); + return -1; + } + } + gnutls_x509_crt_deinit (cert); } 
@@ -346,6 +362,7 @@ void vnc_tls_client_cleanup(struct VncSt vs->tls.session = NULL; } vs->tls.wiremode = VNC_WIREMODE_CLEAR; + free(vs->tls.dname); } diff -r 122f8a90f465 vnc-tls.h --- a/vnc-tls.h Wed Feb 11 17:34:08 2009 +0000 +++ b/vnc-tls.h Wed Feb 11 17:34:11 2009 +0000 @@ -48,6 +48,9 @@ struct VncStateTLS { /* Whether data is being TLS encrypted yet */ int wiremode; gnutls_session_t session; + + /* Client's Distinguished Name from the x509 cert */ + char *dname; }; int vnc_tls_client_setup(VncState *vs, int x509Creds); diff -r 122f8a90f465 vnc.c --- a/vnc.c Wed Feb 11 17:34:08 2009 +0000 +++ b/vnc.c Wed Feb 11 17:34:11 2009 +0000 @@ -176,6 +176,21 @@ void do_info_vnc(void) term_puts("Client: active\n"); term_puts(clientAddr); free(clientAddr); + +#ifdef CONFIG_VNC_TLS + if (vnc_state->tls.session && + vnc_state->tls.dname) + term_printf(" x509 dname: %s\n", vnc_state->tls.dname); + else + term_puts(" x509 dname: none\n"); +#endif +#ifdef CONFIG_VNC_SASL + if (vnc_state->sasl.conn && + vnc_state->sasl.username) + term_printf(" username: %s\n", vnc_state->sasl.username); + else + term_puts(" username: none\n"); +#endif } } } @@ -1781,7 +1796,7 @@ static int protocol_client_auth(VncState /* We only advertise 1 auth scheme at a time, so client * must pick the one we sent. Verify this */ if (data[0] != vs->auth) { /* Reject auth */ - VNC_DEBUG("Reject auth %d\n", (int)data[0]); + VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]); vnc_write_u32(vs, 1); if (vs->minor >= 8) { static const char err[] = "Authentication failed"; 
@@ -1821,7 +1836,7 @@ static int protocol_client_auth(VncState #endif /* CONFIG_VNC_SASL */ default: /* Should not be possible, but just in case */ - VNC_DEBUG("Reject auth %d\n", vs->auth); + VNC_DEBUG("Reject auth %d server code bug\n", vs->auth); vnc_write_u8(vs, 1); if (vs->minor >= 8) { static const char err[] = "Authentication failed"; -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
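Review bot: in the vnc-tls.c hunk at @@ -241, the failure path after gnutls_x509_crt_get_dn returns -1 while vs->tls.dname still points at a buffer gnutls never filled, and the unconditional `vs->tls.dname = qemu_malloc(dnameSize);` would leak any earlier allocation if validation ever runs twice on the same VncState. Suggest releasing and clearing the pointer before the error return, e.g. `qemu_free(vs->tls.dname); vs->tls.dname = NULL;`, and freeing any prior value before the qemu_malloc. The `requery:` label plus goto reads more easily as a small loop on GNUTLS_E_SHORT_MEMORY_BUFFER; the realloc itself is correct, since gnutls updates dnameSize to the required length on that return code.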
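Review bot: the cleanup hunk at @@ -346 frees dname with plain free() although it was allocated with qemu_malloc/qemu_realloc; use qemu_free for symmetry with the allocator. It also leaves the pointer dangling, so a second vnc_tls_client_cleanup on the same VncState would be a double free and the `vnc_state->tls.dname` test in do_info_vnc would pass on freed memory. Suggest `qemu_free(vs->tls.dname); vs->tls.dname = NULL;`, matching the `vs->tls.session = NULL;` just above it.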
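Review bot: the vnc-tls.h hunk adds `char *dname;` but nothing in the patch initialises it to NULL, and both the free() in cleanup and the non-NULL test in do_info_vnc depend on that invariant. If VncState is zero-allocated this holds, but an explicit `vs->tls.dname = NULL` in vnc_tls_client_setup (or a note in the field comment) would keep the correctness from depending on the allocator.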
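Review bot: in the do_info_vnc hunk at @@ -176, `x509 dname: none` is printed whenever TLS is compiled in, even when the active auth scheme involves no x509 at all (and likewise `username: none` for SASL), so an operator cannot distinguish "not requested" from "client presented no certificate". Consider emitting these lines only when the active auth includes x509 or SASL, or using distinct wording. Separately, both values are peer-supplied strings (the DN is whatever the issuing CA signed, the username whatever SASL accepted) written with %s into monitor output; if management tools parse `info vnc`, a value containing a newline or leading spaces would masquerade as another field, so escaping non-printable characters before term_printf would be prudent.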
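Review bot: style point on the @@ -1781 hunk: the new debug string `Reject auth %d because it didn't match advertized` uses a non-standard spelling and omits the value it was compared against; suggest `Reject auth %d: does not match advertised auth %d` with vs->auth as the second argument, so the mismatch is visible in the log without a second lookup.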
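Review bot: in the @@ -1821 hunk, `Reject auth %d server code bug` would read more clearly as `Reject auth %d: unexpected auth type (server bug)`. More importantly, the unchanged context here sends the rejection with vnc_write_u8(vs, 1) while the mismatch path at @@ -1781 sends vnc_write_u32(vs, 1); the RFB SecurityResult message is a 32-bit value, so the u8 in this default branch looks like a pre-existing bug worth fixing in the same series, otherwise a client reaching this path is left waiting on a short message.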