authorWilliam Pitcock <nenolod@dereferenced.org>2013-07-01 21:10:27 -0500
committerWilliam Pitcock <nenolod@dereferenced.org>2013-07-01 21:10:27 -0500
commit383c136fdb31f8b98c917e979500e83cfbd5ed4c (patch)
tree6bd3ebdea2e6903c594a4733f416ef6ad7cda1dc
parenta1ecc814cdf66c5a2d7b92750cd1d927a05276ac (diff)
downloadaports-383c136fdb31f8b98c917e979500e83cfbd5ed4c.tar.bz2
aports-383c136fdb31f8b98c917e979500e83cfbd5ed4c.tar.xz
main/xen: enable TLS over websockets (and require it) if X509 is enabled
-rw-r--r--main/xen/APKBUILD6
-rw-r--r--main/xen/qemu-xen-tls-websockets.patch114
2 files changed, 119 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index cf005c05e7..73027ecfb7 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.2.2
-pkgrel=8
+pkgrel=9
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -36,6 +36,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
fix-pod2man-choking.patch
qemu-xen-websocket.patch
+ qemu-xen-tls-websockets.patch
xenstored.initd
xenstored.confd
@@ -168,6 +169,7 @@ e70b9128ffc2175cea314a533a7d8457 xsa56.patch
7de2cd11c10d6a554f3c81e0688c38b7 xsa58-4.2.patch
c1d1a415415b0192e5dae9032962bf61 fix-pod2man-choking.patch
af5c5e21e68ae27847e2307815c82f98 qemu-xen-websocket.patch
+35bdea1d4e3ae2565edc7e40906efdd5 qemu-xen-tls-websockets.patch
95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
@@ -198,6 +200,7 @@ b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770 xsa57.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 xsa58-4.2.patch
b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d fix-pod2man-choking.patch
cc4bf76be2c87ba089f9e330f3f18419a8399920319e04f6a97be463ce1bfa1e qemu-xen-websocket.patch
+435dd428d83acdfde58888532a1cece1e9075b2a2460fe3f6cd33c7d400f2715 qemu-xen-tls-websockets.patch
81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3 xenstored.confd
93bea2eb90ea1b4628854c8141dd351bbd1fbc5959b12795447ea933ad025f01 xenconsoled.initd
@@ -228,6 +231,7 @@ b4f43095163146a29ae258575bb03bd45f5a315d3cca7434a0b88c18eb1b6e1cf17ef13b4ac428a0
60813c01f6bb909da8748919df4d0ffa923baf4b7b55287e0bec3389fb83020158225182e112941c9e126b4df57e7b8724f2a69d0c1fa9ce3b37c0bdf1a49da4 xsa58-4.2.patch
ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec fix-pod2man-choking.patch
5da25a997c69d737b6a43f460d54e34dccf3c94751990969c93e674ab3aaa34ddd41c2b2a7988aaa68a22abf1508705336d9a9ae3637147b0cf9036b9909daf8 qemu-xen-websocket.patch
+11eaccc346440ff285552f204d491e3b31bda1665c3219ecae3061b5d55db9dec885af0c031fa19c67e87bbe238002b1911bbd5bfea2f2ba0d61e6b3d0c952c9 qemu-xen-tls-websockets.patch
792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd
100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514 xenstored.confd
12f981b2459c65d66e67ec0b32d0d19b95a029bc54c2a79138cfe488d3524a22e51860f755abfe25ddcdaf1b27f2ded59b6e350b9d5f8791193d00e2d3673137 xenconsoled.initd
diff --git a/main/xen/qemu-xen-tls-websockets.patch b/main/xen/qemu-xen-tls-websockets.patch
new file mode 100644
index 0000000000..8175676f78
--- /dev/null
+++ b/main/xen/qemu-xen-tls-websockets.patch
@@ -0,0 +1,114 @@
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc-ws.c
++++ xen-4.2.2/tools/qemu-xen/ui/vnc-ws.c
+@@ -20,7 +20,7 @@
+
+ #include "vnc.h"
+
+-void vncws_handshake_read(void *opaque)
++static void vncws_handshake_read_impl(void *opaque)
+ {
+ VncState *vs = opaque;
+ uint8_t *handshake_end;
+@@ -46,6 +46,78 @@
+ }
+ }
+
++#ifdef CONFIG_VNC_TLS
++static void vncws_tls_handshake_io(void *opaque);
++
++int vncws_tls_handshake(struct VncState *vs) {
++ int ret;
++
++ if ((ret = gnutls_handshake(vs->tls.session)) < 0) {
++ if (!gnutls_error_is_fatal(ret)) {
++ VNC_DEBUG("Handshake interrupted (blocking)\n");
++ if (!gnutls_record_get_direction(vs->tls.session))
++ qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, NULL, vs);
++ else
++ qemu_set_fd_handler(vs->csock, NULL, vncws_tls_handshake_io, vs);
++ return 0;
++ }
++ VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret));
++ vnc_client_error(vs);
++ return -1;
++ }
++
++ if (vs->vd->tls.x509verify) {
++ if (vnc_tls_validate_certificate(vs) < 0) {
++ VNC_DEBUG("Client verification failed\n");
++ vnc_client_error(vs);
++ return -1;
++ } else {
++ VNC_DEBUG("Client verification passed\n");
++ }
++ }
++
++ VNC_DEBUG("Handshake done, switching to TLS data mode and waiting for HTTPS upgrade\n");
++ vs->tls.wiremode = VNC_WIREMODE_TLS;
++ qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read_impl, NULL, vs);
++
++ return 0;
++}
++
++static void vncws_tls_handshake_io(void *opaque) {
++ struct VncState *vs = (struct VncState *)opaque;
++
++ VNC_DEBUG("Handshake IO continues\n");
++ vncws_tls_handshake(vs);
++}
++
++#define NEED_X509_AUTH(vs) \
++ ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL)
++#endif
++
++void vncws_handshake_read(void *opaque)
++{
++ VncState *vs = opaque;
++
++#ifdef CONFIG_VNC_TLS
++ if (!vs->vd->want_tls)
++ return vncws_handshake_read_impl(vs);
++
++ if (vnc_tls_client_setup(vs, NEED_X509_AUTH(vs)) < 0) {
++ VNC_DEBUG("Failed to setup TLS\n");
++ return 0;
++ }
++
++ if (vncws_tls_handshake(vs) < 0) {
++ VNC_DEBUG("Failed to start TLS handshake\n");
++ return 0;
++ }
++#else
++ vncws_handshake_read_impl(vs);
++#endif
++}
+
+ long vnc_client_read_ws(VncState *vs)
+ {
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.c
++++ xen-4.2.2/tools/qemu-xen/ui/vnc.c
+@@ -2897,6 +2897,9 @@
+ } else if (strncmp(options, "x509", 4) == 0) {
+ char *start, *end;
+ x509 = 1; /* Require x509 certificates */
++#ifdef CONFIG_VNC_WS
++ vs->want_tls = true;
++#endif
+ if (strncmp(options, "x509verify", 10) == 0)
+ vs->tls.x509verify = 1; /* ...and verify client certs */
+
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.h
++++ xen-4.2.2/tools/qemu-xen/ui/vnc.h
+@@ -157,6 +157,9 @@
+ bool lossy;
+ bool non_adaptive;
+ #ifdef CONFIG_VNC_TLS
++#ifdef CONFIG_VNC_WS
++ bool want_tls;
++#endif
+ int subauth; /* Used by VeNCrypt */
+ VncDisplayTLS tls;
+ #endif
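Review bot: `vncws_handshake_read` is declared `void`, yet both failure paths in its CONFIG_VNC_TLS branch (after `vnc_tls_client_setup` and after `vncws_tls_handshake`) end in `return 0;`, which is a C constraint violation and at best a compiler warning; both should be a bare `return;`, and the early exit `return vncws_handshake_read_impl(vs);` is cleaner as `vncws_handshake_read_impl(vs); return;`. `vncws_tls_handshake` is referenced only from this file but is not `static` and has no header prototype, so it should be `static int vncws_tls_handshake(struct VncState *vs)` like `vncws_tls_handshake_io`, and its opening brace on the signature line departs from the own-line brace style the file uses on `vncws_handshake_read`. Whether `vs->subauth` is already populated from the display configuration when the websocket handshake runs, so that `NEED_X509_AUTH(vs)` selects the intended certificate mode for `vnc_tls_client_setup`, cannot be confirmed from this hunk; a one-line comment above the macro noting that it appears to mirror the VeNCrypt sub-auth check and depends on `subauth` being set at connect time would help the next reader. The `vnc.c` and `vnc.h` parts of this patch only add the `want_tls` field and its setter under CONFIG_VNC_WS and need no change.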