47b0758f03
- Do not require qemu-common for qemu-img
- Explicitly own each of the firmware files
- remove firmwares for ppc and sparc. They should be provided by an
external package. Not that the packages exists for sparc in the
secondary arch repo as noarch, but they don't automatically get into
main repos. Unfortunately it's the best we can do right now.
- rollback a bit in time. Snapshot from avi's maint/2.6.30
- this requires the sasl patches to come back.
- with-patched-kernel comes back.
94 lines
3.0 KiB
Diff
94 lines
3.0 KiB
Diff
Index: qemu-kvm-0.10/qemu/vnc-tls.c
|
|
===================================================================
|
|
--- qemu-kvm-0.10.orig/qemu/vnc-tls.c
|
|
+++ qemu-kvm-0.10/qemu/vnc-tls.c
|
|
@@ -241,6 +241,22 @@ int vnc_tls_validate_certificate(struct
|
|
return -1;
|
|
}
|
|
|
|
+ if (i == 0) {
|
|
+ size_t dnameSize = 1024;
|
|
+ vs->tls.dname = qemu_malloc(dnameSize);
|
|
+ requery:
|
|
+ if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
|
|
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
|
+ vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize);
|
|
+ goto requery;
|
|
+ }
|
|
+ gnutls_x509_crt_deinit (cert);
|
|
+ VNC_DEBUG("Cannot get client distinguished name: %s",
|
|
+ gnutls_strerror (ret));
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
gnutls_x509_crt_deinit (cert);
|
|
}
|
|
|
|
@@ -347,6 +363,7 @@ void vnc_tls_client_cleanup(struct VncSt
|
|
vs->tls.session = NULL;
|
|
}
|
|
vs->tls.wiremode = VNC_WIREMODE_CLEAR;
|
|
+ free(vs->tls.dname);
|
|
}
|
|
|
|
|
|
Index: qemu-kvm-0.10/qemu/vnc-tls.h
|
|
===================================================================
|
|
--- qemu-kvm-0.10.orig/qemu/vnc-tls.h
|
|
+++ qemu-kvm-0.10/qemu/vnc-tls.h
|
|
@@ -55,6 +55,9 @@ struct VncStateTLS {
|
|
/* Whether data is being TLS encrypted yet */
|
|
int wiremode;
|
|
gnutls_session_t session;
|
|
+
|
|
+ /* Client's Distinguished Name from the x509 cert */
|
|
+ char *dname;
|
|
};
|
|
|
|
int vnc_tls_client_setup(VncState *vs, int x509Creds);
|
|
Index: qemu-kvm-0.10/qemu/vnc.c
|
|
===================================================================
|
|
--- qemu-kvm-0.10.orig/qemu/vnc.c
|
|
+++ qemu-kvm-0.10/qemu/vnc.c
|
|
@@ -156,6 +156,21 @@ static void do_info_vnc_client(VncState
|
|
term_puts("Client:\n");
|
|
term_puts(clientAddr);
|
|
free(clientAddr);
|
|
+
|
|
+#ifdef CONFIG_VNC_TLS
|
|
+ if (client->tls.session &&
|
|
+ client->tls.dname)
|
|
+ term_printf(" x509 dname: %s\n", client->tls.dname);
|
|
+ else
|
|
+ term_puts(" x509 dname: none\n");
|
|
+#endif
|
|
+#ifdef CONFIG_VNC_SASL
|
|
+ if (client->sasl.conn &&
|
|
+ client->sasl.username)
|
|
+ term_printf(" username: %s\n", client->sasl.username);
|
|
+ else
|
|
+ term_puts(" username: none\n");
|
|
+#endif
|
|
}
|
|
|
|
void do_info_vnc(void)
|
|
@@ -1823,7 +1838,7 @@ static int protocol_client_auth(VncState
|
|
/* We only advertise 1 auth scheme at a time, so client
|
|
* must pick the one we sent. Verify this */
|
|
if (data[0] != vs->vd->auth) { /* Reject auth */
|
|
- VNC_DEBUG("Reject auth %d\n", (int)data[0]);
|
|
+ VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
|
|
vnc_write_u32(vs, 1);
|
|
if (vs->minor >= 8) {
|
|
static const char err[] = "Authentication failed";
|
|
@@ -1863,7 +1878,7 @@ static int protocol_client_auth(VncState
|
|
#endif /* CONFIG_VNC_SASL */
|
|
|
|
default: /* Should not be possible, but just in case */
|
|
- VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
|
|
+ VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
|
|
vnc_write_u8(vs, 1);
|
|
if (vs->minor >= 8) {
|
|
static const char err[] = "Authentication failed";
|