- 19 3月, 2012 1 次提交
-
-
由 Stefan Weil 提交于
This patch fixes warnings reported by splint: For variables which are packed in a single bit, a signed data type like 'int' does not make much sense. There is no obvious reason why the two values should be packed, so I removed the packing and changed the data type to bool because both are used as boolean values. v2: Some versions of gcc complain after this modification, for example gcc (Debian 4.4.5-8) 4.4.5): ui/vnc-auth-sasl.c: In function ‘vnc_sasl_client_cleanup’: ui/vnc-auth-sasl.c:34: error: suggest parentheses around assignment used as truth value Obviously, the compiler does not like code which does bool = unsigned = bool = 0 Splitting that code in three statements works. Cc: Anthony Liguori <aliguori@us.ibm.com> Signed-off-by: NStefan Weil <sw@weilnetz.de> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
-
- 10 11月, 2011 1 次提交
-
-
由 Markus Armbruster 提交于
Fixes protocol_client_auth_sasl_mechname() not to crash when malloc() fails. Spotted by Coverity. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
-
- 02 11月, 2011 1 次提交
-
-
由 Stefan Weil 提交于
Please note that mechlist still uses malloc / strdup / free. Signed-off-by: NStefan Weil <sw@weilnetz.de> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
- 21 8月, 2011 1 次提交
-
-
由 Anthony Liguori 提交于
qemu_malloc/qemu_free no longer exist after this commit. Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
- 24 7月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
The USES_X509_AUTH macro is defined in several VNC files, but not used in all of them. Remove the unused definition. * ui/vnc-auth-sasl.c: Remove USES_X509_AUTH macro Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
由 Daniel P. Berrange 提交于
A future patch will introduce a situation where different clients may have different authentication schemes set. When a new client arrives, copy the 'auth' and 'subauth' fields from VncDisplay into the client's VncState, and use the latter in all authentication functions. * ui/vnc.h: Add 'auth' and 'subauth' to VncState * ui/vnc-auth-sasl.c, ui/vnc-auth-vencrypt.c, ui/vnc.c: Make auth functions pull auth scheme from VncState instead of VncDisplay Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
- 13 1月, 2011 1 次提交
-
-
由 Blue Swirl 提交于
Fix a memory leak reported by cppcheck: [/src/qemu/ui/vnc-auth-sasl.c:448]: (error) Memory leak: mechname Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
-
- 27 7月, 2010 1 次提交
-
-
由 Corentin Chary 提交于
Move sdl, vnc, curses and cocoa UI into ui/ to cleanup the root directory. Also remove some unnecessary explicit targets from Makefile. aliguori: fix build when srcdir != objdir Signed-off-by: NCorentin Chary <corentincj@iksaif.net> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
- 04 5月, 2010 1 次提交
-
-
由 Corentin Chary 提交于
cc1: warnings being treated as errors vnc-auth-sasl.c: In function ‘vnc_client_write_sasl’: vnc-auth-sasl.c:50: error: format ‘%d’ expects type ‘int’, but argument 4 has type ‘size_t’ vnc-auth-sasl.c:50: error: format ‘%d’ expects type ‘int’, but argument 5 has type ‘size_t’ make: *** [vnc-auth-sasl.o] Error 1 Signed-off-by: NCorentin Chary <corentincj@iksaif.net> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
-
- 07 3月, 2009 3 次提交
-
-
由 aliguori 提交于
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6727 c046a42c-6fe2-441c-8c8c-71466251a162
-
由 aliguori 提交于
This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob By default the VNC server will not use any ACLs, allowing access to the server if the user successfully authenticates. To enable use of ACLs to restrict user access, the ',acl' flag should be given when starting QEMU. The initial ACL activated will be a 'deny all' policy and should be customized using monitor commands. eg enable SASL auth and ACLs qemu .... -vnc localhost:1,sasl,acl The next patch will provide a way to load a pre-defined ACL when starting up Makefile | 6 + b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 74 ++++++++++++++++++++++ configure | 18 +++++ monitor.c | 95 ++++++++++++++++++++++++++++ qemu-doc.texi | 49 ++++++++++++++ vnc-auth-sasl.c | 16 +++- vnc-auth-sasl.h | 7 ++ vnc-tls.c | 19 +++++ vnc-tls.h | 3 vnc.c | 21 ++++++ vnc.h | 3 12 files changed, 491 insertions(+), 5 deletions(-) Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
-
由 aliguori 提交于
This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
-