This patch extends the 'info vnc' monitor output to include information
about the VNC client authentication credentials.
For clients authenticated using SASL, this will output the username.
For clients authenticated using x509 certificates, this will output
the x509 distinguished name.
Auth can be stacked, so both username & x509 dname may be shown.
Server:
address: 0.0.0.0:5902
auth: vencrypt+x509+sasl
Client:
address: 10.33.6.67:38621
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
Client:
address: 10.33.6.63:38620
x509 dname: C=GB,O=ACME,L=London,ST=London,CN=localhost
username: admin
vnc-tls.c | 17 +++++++++++++++++
vnc-tls.h | 3 +++
vnc.c | 19 +++++++++++++++++--
3 files changed, 37 insertions(+), 2 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6725 c046a42c-6fe2-441c-8c8c-71466251a162
This patch adds the new SASL authentication protocol to the VNC server.
It is enabled by setting the 'sasl' flag when launching VNC. SASL can
optionally provide encryption via its SSF layer, if a suitable mechanism
is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is
not available, then it should be combined with the x509 VNC authentication
protocol which provides encryption.
eg, if using GSSAPI
qemu -vnc localhost:1,sasl
eg if using TLS/x509 for encryption
qemu -vnc localhost:1,sasl,tls,x509
By default the Cyrus SASL library will look for its configuration in
the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden
by setting the SASL_CONF_PATH environment variable, eg to make it look in
$HOME/.sasl2. NB unprivileged users may not have access to the full range
of SASL mechanisms, since some of them require some administrative privileges
to configure. The patch includes an example SASL configuration file which
illustrates config for GSSAPI and Digest-MD5, though it should be noted that
the latter is not really considered secure any more.
Most of the SASL authentication code is located in a separate source file,
vnc-auth-sasl.c. The main vnc.c file only contains minimal integration
glue, specifically parsing of command line flags / setup, and calls to
start the SASL auth process, to do encoding/decoding for data.
There are several possible stacks for reading & writing of data, depending
on the combo of VNC authentication methods in use
- Clear. read/write straight to socket
- TLS. read/write via GNUTLS helpers
- SASL. encode/decode via SASL SSF layer, then read/write to socket
- SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS
Hence, the vnc_client_read & vnc_client_write methods have been refactored
a little.
vnc_client_read: main entry point for reading, calls either
- vnc_client_read_plain reading, with no intermediate decoding
- vnc_client_read_sasl reading, with SASL SSF decoding
These two methods, then call vnc_client_read_buf(). This decides
whether to write to the socket directly or write via GNUTLS.
The situation is the same for writing data. More extensive comments
have been added in the code / patch. The vnc_client_read_sasl and
vnc_client_write_sasl method implementations live in the separate
vnc-auth-sasl.c file.
The state required for the SASL auth mechanism is kept in a separate
VncStateSASL struct, defined in vnc-auth-sasl.h and included in the
main VncState.
The configure script probes for SASL and automatically enables it
if found, unless --disable-vnc-sasl was given to override it.
Makefile | 7
Makefile.target | 5
b/qemu.sasl | 34 ++
b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++
b/vnc-auth-sasl.h | 67 +++++
configure | 34 ++
qemu-doc.texi | 97 ++++++++
vnc-auth-vencrypt.c | 12
vnc.c | 249 ++++++++++++++++++--
vnc.h | 31 ++
10 files changed, 1129 insertions(+), 33 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
This patch refactors the existing TLS code to make the main VNC code
more managable. The code moves to two new files
- vnc-tls.c: generic helpers for TLS handshake & credential setup
- vnc-auth-vencrypt.c: the actual VNC TLS authentication mechanism.
The reason for this split is that there are other TLS based auth
mechanisms which we may like to use in the future. These can all
share the same vnc-tls.c routines. In addition this will facilitate
anyone who may want to port the vnc-tls.c file to allow for choice
of GNUTLS & NSS for impl.
The TLS state is moved out of the VncState struct, and into a separate
VncStateTLS struct, defined in vnc-tls.h. This is then referenced from
the main VncState. End size of the struct is the same, but it keeps
things a little more managable.
The vnc.h file gains a bunch more function prototypes, for functions
in vnc.c that were previously static, but now need to be accessed
from the separate auth code files.
The only TLS related code still in the main vl.c is the command line
argument handling / setup, and the low level I/O routines calling
gnutls_send/recv.
Makefile | 11
b/vnc-auth-vencrypt.c | 167 ++++++++++++++
b/vnc-auth-vencrypt.h | 33 ++
b/vnc-tls.c | 414 +++++++++++++++++++++++++++++++++++
b/vnc-tls.h | 70 ++++++
vnc.c | 581 +++-----------------------------------------------
vnc.h | 76 ++++--
7 files changed, 780 insertions(+), 572 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6723 c046a42c-6fe2-441c-8c8c-71466251a162
This patch moves the definitions of VncState and VncDisplay structs
out into a vnc.h header file. This is to allow the code for TLS
and SASL auth mechanisms to be moved out of the main vnc.c file.
vnc.c | 109 ------------------------------------------------
vnc.h | 149 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 148 insertions(+), 110 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6722 c046a42c-6fe2-441c-8c8c-71466251a162
Each of the graphical frontends #include a .c file, for keymap code
resulting in duplicated definitions & duplicated compiled code. A
couple of small changes allowed this to be sanitized, so instead of
doing a #include "keymaps.c", duplicating all code, we can have a
shared keymaps.h file, and only compile code once. This allows the
next patch to move the VncState struct out into a header file without
causing clashing definitions.
Makefile | 9 +++++---
b/keymaps.h | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
curses.c | 3 --
curses_keys.h | 9 +++-----
keymaps.c | 45 ++++++++++++++++---------------------------
sdl.c | 3 --
sdl_keysym.h | 7 ++----
vnc.c | 5 +---
vnc_keysym.h | 7 ++----
9 files changed, 97 insertions(+), 51 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6721 c046a42c-6fe2-441c-8c8c-71466251a162
The current 'info vnc' monitor output just displays the VNC server address
as provided by the -vnc command line flag. This isn't particularly useful
since it doesn't tell you what VNC is actually listening on. eg, if you
use '-vnc :1' it is useful to know whether this translated to '0.0.0.0:5901'
or chose IPv6 ':::5901'. It is also useful to know the address of the
client that is currently connected. It is also useful to know the active
authentication (if any).
This patch tweaks the monitor output to look like:
(qemu) info vnc
Server:
address: 0.0.0.0:5902
auth: vencrypt+x509
Client: none
And when 2 clients are connected
(qemu) info vnc
Server:
address: 0.0.0.0:5902
auth: vencrypt+x509
Client:
address: 10.33.6.67:38621
Client:
address: 10.33.6.63:38620
More data will be added to this later in the patch series...
The 'addr_to_string' helper method in this patch is overly generic
for the needs of this patch alone. This is because it will be re-used
by the later SASL patches in this series, where the flexibility is
important.
vnc.c | 137 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 127 insertions(+), 10 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6720 c046a42c-6fe2-441c-8c8c-71466251a162
This patch was previously posted here:
http://lists.gnu.org/archive/html/qemu-devel/2009-02/msg00820.html
In the case where the TLS handshake does *not* block on I/O, QEMU
sends the next 'start sub-auth' message twice. This seriously confuses
the VNC client :-) Fortunately the chances of the handshake not blocking
are close to zero for a TCP socket, which is why it has not been noticed
thus far. Even with both client & server on localhost, I can only hit the
bug 1 time in 20.
NB, the diff context here is not too informative. If you look at the
full code you'll see that a few lines early we called vnc_start_tls()
which called vnc_continue_handshake() which called the method
start_auth_vencrypt_subauth(). Hence, fixing the bug, just involves
removing the 2nd bogus call to start_auth_vencrypt_subauth() as per
this patch.
vnc.c | 8 --------
1 file changed, 8 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6719 c046a42c-6fe2-441c-8c8c-71466251a162
Refactor the monitor API and prepare it for decoupled terminals:
term_print functions are renamed to monitor_* and all monitor services
gain a new parameter (mon) that will once refer to the monitor instance
the output is supposed to appear on. However, the argument remains
unused for now. All monitor command callbacks are also extended by a mon
parameter so that command handlers are able to pass an appropriate
reference to monitor output services.
For the case that monitor outputs so far happen without clearly
identifiable context, the global variable cur_mon is introduced that
shall once provide a pointer either to the current active monitor (while
processing commands) or to the default one. On the mid or long term,
those use case will be obsoleted so that this variable can be removed
again.
Due to the broad usage of the monitor interface, this patch mostly deals
with converting users of the monitor API. A few of them are already
extended to pass 'mon' from the command handler further down to internal
functions that invoke monitor_printf.
At this chance, monitor-related prototypes are moved from console.h to
a new monitor.h. The same is done for the readline API.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6711 c046a42c-6fe2-441c-8c8c-71466251a162
Change structure associated with a display from VncState to a new structure
VncDisplay. Remove client specific fields from VncDisplay. Remove display
specific fields from VncState. Maintain a linked list of VncStates per
VncDisplay structure, update as necessary. When updates/resizes/copies come in
from the hardware, dispatch to all clients.
Signed-off-by: Brian Kress <kressb@moose.net>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6621 c046a42c-6fe2-441c-8c8c-71466251a162
[ As requested, broken out of the monitor rework series. ]
Avoid a segfault when the user issues 'change vnc' without having vnc
enabled on startup.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6616 c046a42c-6fe2-441c-8c8c-71466251a162
This patch adds zlib encoding support for VNC. It basically runs
the raw traffic through zlib, providing a pretty good compression
ratio.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6499 c046a42c-6fe2-441c-8c8c-71466251a162
Currently the send_framebuffer_update_raw and send_framebuffer_update_hextile
respectively send a send_framebuffer_update packet themselves. We need to reuse
send_framebuffer_update_raw for zlib encoding though, so let's move it out.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6498 c046a42c-6fe2-441c-8c8c-71466251a162
We will need to use buffer functions in code that will end up being
below the current buffer functions. In order to not introduce any
function stub defines, let's just move them up.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6497 c046a42c-6fe2-441c-8c8c-71466251a162
This patch enables the vnc server to understand fundamental tight extensions.
It changes from a "Hextile or not" scheme when sending framebuffer updates to
a "preferred encoding", namely the last one set.
While this is not perfect, as actually a list of "preferred encodings" should
be kept, it's good enough for now.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6496 c046a42c-6fe2-441c-8c8c-71466251a162
While running with debugging enabled, I found an #if testing for
an undefined value, not defined(value). This patch fixes that.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6495 c046a42c-6fe2-441c-8c8c-71466251a162
Now that we have nice defines for all sorts of constants, let's
use them!
This patch also takes the "feature variables", currently called has_*
into a single feature int. This way adding new features is a lot
easier and doesn't clutter the VncState struct.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6494 c046a42c-6fe2-441c-8c8c-71466251a162
The VNC protocol contains quite some constants, some of which are
currently hardcoded in the vnc.c code. This is not exactly pretty.
Let's move all those constants out to vnc.h, so they are clearly
separated. While at it, I also included other defines that will be
used later in this patch series.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6493 c046a42c-6fe2-441c-8c8c-71466251a162
this patch fixes a bug and improves the generic pixel conversion
function in vnc.c.
The bug is that when a new vnc client connects we need to reset the flag
has_WMVi but currently we don't.
The generic pixel conversion function is vnc_convert_pixel and currently
is not very efficient since uses the division and multiplication
operators.
To make it more efficient I changed to use bit shift operators instead.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6441 c046a42c-6fe2-441c-8c8c-71466251a162
This patch exploits the new DisplaySurface and PixelFormat structures in
vnc, making the code easier to read allowing further improvements.
Compared to the last version I fixed a bug that prevented the hextile
encoding from working properly.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6337 c046a42c-6fe2-441c-8c8c-71466251a162
This patch changes the DisplayState interface adding support for
multiple frontends at the same time (sdl and vnc) and implements most
of the benefit of the shared_buf patch without the added complexity.
Currently DisplayState is managed by sdl (or vnc) and sdl (or vnc) is
also responsible for allocating the data and setting the depth.
Vga.c (or another backend) will do any necessary conversion.
The idea is to change it so that is vga.c (or another backend) together
with console.c that fully manage the DisplayState interface allocating
data and setting the depth (either 16 or 32 bit, if the guest uses a
different resolution or is in text mode, vga.c (or another backend) is
in charge of doing the conversion seamlessly).
The other idea is that DisplayState supports *multiple* frontends
like sdl and vnc; each of them can register some callbacks to be called
when a display event occurs.
The interesting changes are:
- the new structures and related functions in console.h and console.c
in particular the following functions are very helpful to manage a
DisplaySurface:
qemu_create_displaysurface
qemu_resize_displaysurface
qemu_create_displaysurface_from
qemu_free_displaysurface
- console_select and qemu_console_resize in console.c
this two functions manage multiple consoles on a single host display
- moving code around in hw/vga.c
as for the shared_buf patch this is necessary to be able to handle a dynamic
DisplaySurface bpp
- changes to vga_draw_graphic in hw/vga.c
this is the place where the DisplaySurface buffer is shared with the
videoram, when possible;
Compared to the last version the only changes are:
- do not remove support to dpy_copy in cirrus_vga
- change the name of the displaysurface handling functions
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6336 c046a42c-6fe2-441c-8c8c-71466251a162
vnc_state->display is set to NULL after "change vnc none" but vnc_state itself
is still valid.
(James Ko)
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6010 c046a42c-6fe2-441c-8c8c-71466251a162
When using an existing unix socket like:
-vnc unix:/tmp/file1Y2nY2
qemu fails to bind a unix socket because the vnc call to unix_listen includes
the unix: prefix and stores that in the unix.sun_path. The fix is to not pass
in unix: for the filename (same way qemu-char.c does it).
Signed-off-by: Ryan Harper <ryanh@us.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5856 c046a42c-6fe2-441c-8c8c-71466251a162
VNC should not maintain modifer state upon reconnects With some window
managers/vnc clients it will only see a key down event for a modifier
followed by immediate disconnect(think Alt-F4), with a net effect of
subsequently connected clients operating as if the modifier was never
released.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5851 c046a42c-6fe2-441c-8c8c-71466251a162
This allows among other things to capturing A/V of running
guests. Ad-hoc client that does this (via script that invokes ffmpeg)
can be found at:
http://repo.or.cz/w/qemu/malc.git?a=tree;f=vcap;hb=capture3
Thanks to Anthony Liguori for comments and review.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5850 c046a42c-6fe2-441c-8c8c-71466251a162
The patch in r5531 which replaced a bunch of strncpy with pstrcpy causes
the x509 credentials from the -vnc parameter to be one character shorter
than entered meaning that there is currently no way to enter x509
certificates...
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5707 c046a42c-6fe2-441c-8c8c-71466251a162
This patch switches the vnc code ofer to the new socket helper
functions.
It adds support IPv6 support and for automatically allocating an unused
vnc display port. The latter is handled ising a to= option, specifying
the upper limit for the display number to try. Scanning is started at
the display number given in the display specification, i.e. this command
line:
-vnc localhost:7,to=11
will try displays 7 to 11 (inclusive).
There are also new "ipv4" and "ipv6" options to make qemu try only
the specified internet protocol version.
The display actually allocated can be queried using the "info vnc"
monitor command.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5696 c046a42c-6fe2-441c-8c8c-71466251a162
- some vectors can be declared as "const"
- test on CONFIG_VNC_TLS is done for two times while just one is enough.
(Carlo Bramini)
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5172 c046a42c-6fe2-441c-8c8c-71466251a162
This patch adds support for the ExtendedKeyEvent client message. This message
allows a client to send raw scan codes directly to the server. If the client
and server are using the same keymap, then it's unnecessary to use the '-k'
option with QEMU when this extension is supported.
This is extension is currently only implemented by gtk-vnc based clients
(gvncviewer, virt-manager, vinagre, etc.).
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5076 c046a42c-6fe2-441c-8c8c-71466251a162
Add idle field to DisplayState struct, so drivers can figure
the display is idle and take advantage of that.
The xen framebuffer driver will use this to communicate the
idle state to the guest, so it knows it can stop doing updates
to a virtual display which is invisible anyway.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5056 c046a42c-6fe2-441c-8c8c-71466251a162
'h' actually is the coordinate of bottom of the rectangle and not height.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4571 c046a42c-6fe2-441c-8c8c-71466251a162
On a resize, vncviewer keeps the image in the upper-left part of the screen
unmodified and fills the right end of the lines with black colour. vnc.c keeps the first n bytes of the framebuffer unmodified instead - meaning that
the client's image doesn't match the image in framebuffer and checking
for dirty rows gives wrong results. We can either invalidate the whole
buffer or implement the same transformation as the client.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4569 c046a42c-6fe2-441c-8c8c-71466251a162
If the client does not support the DesktopResize pseudo-encoding, then
vs->{width,height} may be smaller than ds->{width,height}. dirty_row is
sized according to vs->{width,height}, not ds->{width,height}.
This patch makes sure to bound the update region to vs->{width,height} to
avoid a possible SEGV.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Reported-by: Marcelo Tosatti <mtosatti@redhat.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4502 c046a42c-6fe2-441c-8c8c-71466251a162