From patchwork Thu Oct 7 11:15:20 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gerd Hoffmann X-Patchwork-Id: 67037 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [199.232.76.165]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 00E85B70A3 for ; Thu, 7 Oct 2010 22:16:44 +1100 (EST) Received: from localhost ([127.0.0.1]:58430 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1P3oSn-0000lU-MQ for incoming@patchwork.ozlabs.org; Thu, 07 Oct 2010 07:16:41 -0400 Received: from [140.186.70.92] (port=39176 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1P3oRb-0000kY-VR for qemu-devel@nongnu.org; Thu, 07 Oct 2010 07:15:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1P3oRZ-0006Xm-PD for qemu-devel@nongnu.org; Thu, 07 Oct 2010 07:15:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:4922) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1P3oRZ-0006XT-If for qemu-devel@nongnu.org; Thu, 07 Oct 2010 07:15:25 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o97BFPQM029039 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 7 Oct 2010 07:15:25 -0400 Received: from rincewind.home.kraxel.org (vpn1-5-214.ams2.redhat.com [10.36.5.214]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id o97BFMs6019979; Thu, 7 Oct 2010 07:15:23 -0400 Received: by rincewind.home.kraxel.org (Postfix, from userid 500) id C1872454B5; Thu, 7 Oct 2010 13:15:21 +0200 (CEST) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Thu, 7 Oct 2010 13:15:20 +0200 Message-Id: <1286450121-17153-3-git-send-email-kraxel@redhat.com> In-Reply-To: <1286450121-17153-1-git-send-email-kraxel@redhat.com> References: <1286450121-17153-1-git-send-email-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. Cc: Gerd Hoffmann Subject: [Qemu-devel] [PATCH 2/3] vnc: support password expire X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org This patch adds support for expiring passwords to vnc. It adds a new lifetime parameter to the vnc_display_password() function, which specifies the number of seconds the new password will be valid. Passing zero as lifetime maintains current behavior (password never expires). Signed-off-by: Gerd Hoffmann --- console.h | 2 +- monitor.c | 3 +-- ui/vnc.c | 15 ++++++++++++++- ui/vnc.h | 1 + 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/console.h b/console.h index aafb031..24670e5 100644 --- a/console.h +++ b/console.h @@ -368,7 +368,7 @@ void cocoa_display_init(DisplayState *ds, int full_screen); void vnc_display_init(DisplayState *ds); void vnc_display_close(DisplayState *ds); int vnc_display_open(DisplayState *ds, const char *display); -int vnc_display_password(DisplayState *ds, const char *password); +int vnc_display_password(DisplayState *ds, const char *password, int lifetime); void do_info_vnc_print(Monitor *mon, const QObject *data); void do_info_vnc(Monitor *mon, QObject **ret_data); char *vnc_display_local_addr(DisplayState *ds); diff --git a/monitor.c b/monitor.c index fbb678d..d82eb9e 100644 --- a/monitor.c +++ b/monitor.c @@ -966,11 +966,10 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data) static int change_vnc_password(const char *password) { - if (vnc_display_password(NULL, password) < 0) { + if (vnc_display_password(NULL, password, 0) < 0) { qerror_report(QERR_SET_PASSWD_FAILED); return -1; } - return 0; } diff --git a/ui/vnc.c b/ui/vnc.c index 1ef0fc5..51aa9ca 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2078,11 +2078,19 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) unsigned char response[VNC_AUTH_CHALLENGE_SIZE]; int i, j, pwlen; unsigned char key[8]; + time_t now; if (!vs->vd->password || !vs->vd->password[0]) { VNC_DEBUG("No password configured on server"); goto reject; } + if (vs->vd->expires) { + time(&now); + if (vs->vd->expires < now) { + VNC_DEBUG("Password is expired"); + goto reject; + } + } memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE); @@ -2474,7 +2482,7 @@ void vnc_display_close(DisplayState *ds) #endif } -int vnc_display_password(DisplayState *ds, const char *password) +int vnc_display_password(DisplayState *ds, const char *password, int lifetime) { VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display; @@ -2492,6 +2500,11 @@ int vnc_display_password(DisplayState *ds, const char *password) if (vs->auth == VNC_AUTH_NONE) { vs->auth = VNC_AUTH_VNC; } + if (lifetime) { + vs->expires = time(NULL) + lifetime; + } else { + vs->expires = 0; + } } else { vs->auth = VNC_AUTH_NONE; } diff --git a/ui/vnc.h b/ui/vnc.h index 9619b24..4f895be 100644 --- a/ui/vnc.h +++ b/ui/vnc.h @@ -120,6 +120,7 @@ struct VncDisplay char *display; char *password; + time_t expires; int auth; bool lossy; #ifdef CONFIG_VNC_TLS