author | William Pitcock <nenolod@dereferenced.org> | 2013-07-01 21:10:27 -0500 |
---|---|---|
committer | William Pitcock <nenolod@dereferenced.org> | 2013-07-01 21:10:27 -0500 |
commit | 383c136fdb31f8b98c917e979500e83cfbd5ed4c (patch) | |
tree | 6bd3ebdea2e6903c594a4733f416ef6ad7cda1dc | |
parent | a1ecc814cdf66c5a2d7b92750cd1d927a05276ac (diff) | |
main/xen: enable TLS over websockets (and require it) if X509 is enabled
-rw-r--r-- | main/xen/APKBUILD | 6 | ||||
-rw-r--r-- | main/xen/qemu-xen-tls-websockets.patch | 114 |
2 files changed, 119 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index cf005c05e7..73027ecfb7 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.2.2
-pkgrel=8
+pkgrel=9
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -36,6 +36,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 fix-pod2man-choking.patch
 qemu-xen-websocket.patch
+ qemu-xen-tls-websockets.patch
 xenstored.initd
 xenstored.confd
@@ -168,6 +169,7 @@ e70b9128ffc2175cea314a533a7d8457 xsa56.patch
 7de2cd11c10d6a554f3c81e0688c38b7 xsa58-4.2.patch
 c1d1a415415b0192e5dae9032962bf61 fix-pod2man-choking.patch
 af5c5e21e68ae27847e2307815c82f98 qemu-xen-websocket.patch
+35bdea1d4e3ae2565edc7e40906efdd5 qemu-xen-tls-websockets.patch
 95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
 ed262f15fb880badb53575539468646c xenconsoled.initd
@@ -198,6 +200,7 @@ b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770 xsa57.patch
 194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 xsa58-4.2.patch
 b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d fix-pod2man-choking.patch
 cc4bf76be2c87ba089f9e330f3f18419a8399920319e04f6a97be463ce1bfa1e qemu-xen-websocket.patch
+435dd428d83acdfde58888532a1cece1e9075b2a2460fe3f6cd33c7d400f2715 qemu-xen-tls-websockets.patch
 81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
 ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3 xenstored.confd
 93bea2eb90ea1b4628854c8141dd351bbd1fbc5959b12795447ea933ad025f01 xenconsoled.initd
@@ -228,6 +231,7 @@ b4f43095163146a29ae258575bb03bd45f5a315d3cca7434a0b88c18eb1b6e1cf17ef13b4ac428a0
 60813c01f6bb909da8748919df4d0ffa923baf4b7b55287e0bec3389fb83020158225182e112941c9e126b4df57e7b8724f2a69d0c1fa9ce3b37c0bdf1a49da4 xsa58-4.2.patch
 ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec fix-pod2man-choking.patch
 5da25a997c69d737b6a43f460d54e34dccf3c94751990969c93e674ab3aaa34ddd41c2b2a7988aaa68a22abf1508705336d9a9ae3637147b0cf9036b9909daf8 qemu-xen-websocket.patch
+11eaccc346440ff285552f204d491e3b31bda1665c3219ecae3061b5d55db9dec885af0c031fa19c67e87bbe238002b1911bbd5bfea2f2ba0d61e6b3d0c952c9 qemu-xen-tls-websockets.patch
 792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd
 100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514 xenstored.confd
 12f981b2459c65d66e67ec0b32d0d19b95a029bc54c2a79138cfe488d3524a22e51860f755abfe25ddcdaf1b27f2ded59b6e350b9d5f8791193d00e2d3673137 xenconsoled.initd
diff --git a/main/xen/qemu-xen-tls-websockets.patch b/main/xen/qemu-xen-tls-websockets.patch
new file mode 100644
index 0000000000..8175676f78
--- /dev/null
+++ b/main/xen/qemu-xen-tls-websockets.patch
@@ -0,0 +1,114 @@
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc-ws.c
++++ xen-4.2.2/tools/qemu-xen/ui/vnc-ws.c
+@@ -20,7 +20,7 @@
+
+ #include "vnc.h"
+
+-void vncws_handshake_read(void *opaque)
++static void vncws_handshake_read_impl(void *opaque)
+ {
+ VncState *vs = opaque;
+ uint8_t *handshake_end;
+@@ -46,6 +46,78 @@
+ }
+ }
+
++#ifdef CONFIG_VNC_TLS
++static void vncws_tls_handshake_io(void *opaque);
++
++int vncws_tls_handshake(struct VncState *vs) {
++ int ret;
++
++ if ((ret = gnutls_handshake(vs->tls.session)) < 0) {
++ if (!gnutls_error_is_fatal(ret)) {
++ VNC_DEBUG("Handshake interrupted (blocking)\n");
++ if (!gnutls_record_get_direction(vs->tls.session))
++ qemu_set_fd_handler(vs->csock, vncws_tls_handshake_io, NULL, vs);
++ else
++ qemu_set_fd_handler(vs->csock, NULL, vncws_tls_handshake_io, vs);
++ return 0;
++ }
++ VNC_DEBUG("Handshake failed %s\n", gnutls_strerror(ret));
++ vnc_client_error(vs);
++ return -1;
++ }
++
++ if (vs->vd->tls.x509verify) {
++ if (vnc_tls_validate_certificate(vs) < 0) {
++ VNC_DEBUG("Client verification failed\n");
++ vnc_client_error(vs);
++ return -1;
++ } else {
++ VNC_DEBUG("Client verification passed\n");
++ }
++ }
++
++ VNC_DEBUG("Handshake done, switching to TLS data mode and waiting for HTTPS upgrade\n");
++ vs->tls.wiremode = VNC_WIREMODE_TLS;
++ qemu_set_fd_handler2(vs->csock, NULL, vncws_handshake_read_impl, NULL, vs);
++
++ return 0;
++}
++
++static void vncws_tls_handshake_io(void *opaque) {
++ struct VncState *vs = (struct VncState *)opaque;
++
++ VNC_DEBUG("Handshake IO continues\n");
++ vncws_tls_handshake(vs);
++}
++
++#define NEED_X509_AUTH(vs) \
++ ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \
++ (vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL)
++#endif
++
++void vncws_handshake_read(void *opaque)
++{
++ VncState *vs = opaque;
++
++#ifdef CONFIG_VNC_TLS
++ if (!vs->vd->want_tls)
++ return vncws_handshake_read_impl(vs);
++
++ if (vnc_tls_client_setup(vs, NEED_X509_AUTH(vs)) < 0) {
++ VNC_DEBUG("Failed to setup TLS\n");
++ return 0;
++ }
++
++ if (vncws_tls_handshake(vs) < 0) {
++ VNC_DEBUG("Failed to start TLS handshake\n");
++ return 0;
++ }
++#else
++ vncws_handshake_read_impl(vs);
++#endif
++}
+
+ long vnc_client_read_ws(VncState *vs)
+ {
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.c
++++ xen-4.2.2/tools/qemu-xen/ui/vnc.c
+@@ -2897,6 +2897,9 @@
+ } else if (strncmp(options, "x509", 4) == 0) {
+ char *start, *end;
+ x509 = 1; /* Require x509 certificates */
++#ifdef CONFIG_VNC_WS
++ vs->want_tls = true;
++#endif
+ if (strncmp(options, "x509verify", 10) == 0)
+ vs->tls.x509verify = 1; /* ...and verify client certs */
+
+--- xen-4.2.2.orig/tools/qemu-xen/ui/vnc.h
++++ xen-4.2.2/tools/qemu-xen/ui/vnc.h
+@@ -157,6 +157,9 @@
+ bool lossy;
+ bool non_adaptive;
+ #ifdef CONFIG_VNC_TLS
++#ifdef CONFIG_VNC_WS
++ bool want_tls;
++#endif
+ int subauth; /* Used by VeNCrypt */
+ VncDisplayTLS tls;
+ #endif
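Review bot: The new `vncws_handshake_read` (in the vnc-ws.c `@@ -46,6 +46,78 @@` hunk) is declared `void` but returns values three times: `return vncws_handshake_read_impl(vs);` and the two `return 0;` after the TLS setup and handshake failures are constraint violations in ISO C that GCC only warns about, so they should become `vncws_handshake_read_impl(vs); return;` and plain `return;`. The `vnc_tls_client_setup` failure path also handles errors differently from the fatal paths in `vncws_tls_handshake`, which call `vnc_client_error(vs)`: it only logs and returns, which appears to leave the client's socket handler registered with no TLS session established, so a `vnc_client_error(vs);` before that `return` would make the failure terminal like the others. The `want_tls` flag is written in the vnc.c hunk under `#ifdef CONFIG_VNC_WS` alone while vnc.h declares it only inside `#ifdef CONFIG_VNC_TLS`; that presumably compiles because the `x509` option branch already sits in TLS-only parsing code, but the enclosing function of the vnc.c hunk starts and ends outside the hunk, so that should be confirmed.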