Commit 383c136f authored by Ariadne Conill's avatar Ariadne Conill 🐰

main/xen: enable TLS over websockets (and require it) if X509 is enabled

parent a1ecc814
......@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.2.2
pkgrel=8
pkgrel=9
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
......@@ -36,6 +36,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
fix-pod2man-choking.patch
qemu-xen-websocket.patch
qemu-xen-tls-websockets.patch
xenstored.initd
xenstored.confd
......@@ -168,6 +169,7 @@ e70b9128ffc2175cea314a533a7d8457 xsa56.patch
7de2cd11c10d6a554f3c81e0688c38b7 xsa58-4.2.patch
c1d1a415415b0192e5dae9032962bf61 fix-pod2man-choking.patch
af5c5e21e68ae27847e2307815c82f98 qemu-xen-websocket.patch
35bdea1d4e3ae2565edc7e40906efdd5 qemu-xen-tls-websockets.patch
95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
......@@ -198,6 +200,7 @@ b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770 xsa57.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 xsa58-4.2.patch
b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d fix-pod2man-choking.patch
cc4bf76be2c87ba089f9e330f3f18419a8399920319e04f6a97be463ce1bfa1e qemu-xen-websocket.patch
435dd428d83acdfde58888532a1cece1e9075b2a2460fe3f6cd33c7d400f2715 qemu-xen-tls-websockets.patch
81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3 xenstored.confd
93bea2eb90ea1b4628854c8141dd351bbd1fbc5959b12795447ea933ad025f01 xenconsoled.initd
......@@ -228,6 +231,7 @@ b4f43095163146a29ae258575bb03bd45f5a315d3cca7434a0b88c18eb1b6e1cf17ef13b4ac428a0
60813c01f6bb909da8748919df4d0ffa923baf4b7b55287e0bec3389fb83020158225182e112941c9e126b4df57e7b8724f2a69d0c1fa9ce3b37c0bdf1a49da4 xsa58-4.2.patch
ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec fix-pod2man-choking.patch
5da25a997c69d737b6a43f460d54e34dccf3c94751990969c93e674ab3aaa34ddd41c2b2a7988aaa68a22abf1508705336d9a9ae3637147b0cf9036b9909daf8 qemu-xen-websocket.patch
11eaccc346440ff285552f204d491e3b31bda1665c3219ecae3061b5d55db9dec885af0c031fa19c67e87bbe238002b1911bbd5bfea2f2ba0d61e6b3d0c952c9 qemu-xen-tls-websockets.patch
792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd
100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514 xenstored.confd
12f981b2459c65d66e67ec0b32d0d19b95a029bc54c2a79138cfe488d3524a22e51860f755abfe25ddcdaf1b27f2ded59b6e350b9d5f8791193d00e2d3673137 xenconsoled.initd
......
--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc-ws.c
+++ xen-4.2.2/tools/qemu-xen/ui/vnc-ws.c
@@ -20,7 +20,7 @@
#include "vnc.h"
-void vncws_handshake_read(void *opaque)
+static void vncws_handshake_read_impl(void *opaque)
{
VncState *vs = opaque;
uint8_t *handshake_end;
@@ -46,6 +46,78 @@
}
}
+#ifdef CONFIG_VNC_TLS
+static void vncws_tls_handshake_io(void *opaque);
+
+int vncws_tls_handshake(struct VncState *vs) {
+ int ret;
+
+ if ((ret = gnutls_handshake(vs->tls.session)) < 0) {
+ if (!gnutls_error_is_fatal(ret)) {
+ VNC_DEBUG("Handshake interrupted (blocking)\n");
+ if (!gnutls_record_get_direction(vs->tls.session))
+ qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, NULL, vs);
+ else
+ qemu_set_fd_handler(vs->csock, NULL, vncws_tls_handshake_io, vs);
+ return 0;
+ }
+ VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret));
+ vnc_client_error(vs);
+ return -1;
+ }
+
+ if (vs->vd->tls.x509verify) {
+ if (vnc_tls_validate_certificate(vs) < 0) {
+ VNC_DEBUG("Client verification failed\n");
+ vnc_client_error(vs);
+ return -1;
+ } else {
+ VNC_DEBUG("Client verification passed\n");
+ }
+ }
+
+ VNC_DEBUG("Handshake done, switching to TLS data mode and waiting for HTTPS upgrade\n");
+ vs->tls.wiremode = VNC_WIREMODE_TLS;
+ qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read_impl, NULL, vs);
+
+ return 0;
+}
+
+static void vncws_tls_handshake_io(void *opaque) {
+ struct VncState *vs = (struct VncState *)opaque;
+
+ VNC_DEBUG("Handshake IO continues\n");
+ vncws_tls_handshake(vs);
+}
+
+#define NEED_X509_AUTH(vs) \
+ ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE || \
+ (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \
+ (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \
+ (vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL)
+#endif
+
+void vncws_handshake_read(void *opaque)
+{
+ VncState *vs = opaque;
+
+#ifdef CONFIG_VNC_TLS
+ if (!vs->vd->want_tls)
+ return vncws_handshake_read_impl(vs);
+
+ if (vnc_tls_client_setup(vs, NEED_X509_AUTH(vs)) < 0) {
+ VNC_DEBUG("Failed to setup TLS\n");
+ return 0;
+ }
+
+ if (vncws_tls_handshake(vs) < 0) {
+ VNC_DEBUG("Failed to start TLS handshake\n");
+ return 0;
+ }
+#else
+ vncws_handshake_read_impl(vs);
+#endif
+}
long vnc_client_read_ws(VncState *vs)
{
--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.c
+++ xen-4.2.2/tools/qemu-xen/ui/vnc.c
@@ -2897,6 +2897,9 @@
} else if (strncmp(options, "x509", 4) == 0) {
char *start, *end;
x509 = 1; /* Require x509 certificates */
+#ifdef CONFIG_VNC_WS
+ vs->want_tls = true;
+#endif
if (strncmp(options, "x509verify", 10) == 0)
vs->tls.x509verify = 1; /* ...and verify client certs */
--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.h
+++ xen-4.2.2/tools/qemu-xen/ui/vnc.h
@@ -157,6 +157,9 @@
bool lossy;
bool non_adaptive;
#ifdef CONFIG_VNC_TLS
+#ifdef CONFIG_VNC_WS
+ bool want_tls;
+#endif
int subauth; /* Used by VeNCrypt */
VncDisplayTLS tls;
#endif
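Review bot: In vncws_handshake_read (vnc-ws.c hunk @@ -46,6 +46,78 @@), the vnc_tls_client_setup failure branch only logs and returns, leaving the client socket open and this same function still armed as its read handler, so the next readable event re-runs TLS setup on a client the display was supposed to refuse; unless vnc_tls_client_setup tears the client down itself (not visible in this patch), add `vnc_client_error(vs);` before that return so a want_tls display never keeps servicing a plaintext websocket client. The vncws_tls_handshake branch below it is fine as written, since that function calls vnc_client_error on each of its failure paths before returning -1. Separately, `return 0;` and `return vncws_handshake_read_impl(vs);` carry an expression out of a void function, which ISO C forbids and GCC only warns about; write them as `return;` and `vncws_handshake_read_impl(vs); return;`. vncws_handshake_read_impl's body continues past the first hunk of this file, so its own read handling is not reviewable here.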