authorKeir Fraser <keir@xensource.com>2007-10-30 09:32:10 +0000
committerKeir Fraser <keir@xensource.com>2007-10-30 09:32:10 +0000
commit818a83176228b7005915c6cdb0f529dfe0fd9625 (patch)
tree65f0dce6295a07b143b63953fd77a3a42adcac76 /tools
parent02b1dc06bf051c6ec8cd7a48dadf278f70b57fb9 (diff)
qemu vnc auth 4/4: XenD config for VNC TLS protocol
This patch adds support to XenD for configuring the previously added TLS encryption and x509 certificate validation. At this time I have only enabled this config to be done system-wide via /etc/xen/xend-config.sxp. Since it requires the admin to add certificates on the local FS, there's not much point in making it per VM. The x509 certificates are located in /etc/xen/vnc. Since this requires a special VNC client program (GTK-VNC, virt-viewer/virt-manager or VeNCrypt viewer) the use of TLS is disabled by default. Admins can enable it if they are using a suitable client. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/examples/xend-config.sxp30
-rw-r--r--tools/python/xen/xend/XendOptions.py19
-rw-r--r--tools/python/xen/xend/image.py15
3 files changed, 63 insertions, 1 deletions
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 9dfd97471f..df1749f340 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -192,6 +192,36 @@
# Empty string is no authentication.
(vncpasswd '')
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+# ca-cert.pem - The CA certificate
+# server-cert.pem - The Server certificate signed by the CA
+# server-key.pem - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
# The default keymap to use for the VM's virtual keyboard
# when not specififed in VM's configuration
#(keymap 'en-us')
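Review bot: The new comment block carries several typos a reader will stumble on, and it says nothing about protecting the server private key it tells the admin to place in /etc/xen/vnc. The two lines `# to encryption all traffic, and provide x509 cert to` / `# clients enalbing them to verify server identity. The` should read `# to encrypt all traffic, and provide an x509 cert to` / `# clients enabling them to verify server identity. The`, and `# is more secure the password auth alone. Passwd auth can` / `# used at the same time if desired.` should read `# is more secure than password auth alone. Passwd auth can` / `# be used at the same time if desired.`. I would also extend the key entry to `# server-key.pem - The server private key (mode 0600, owned by root)` so the key is not left world-readable alongside the certificates. Since the comments themselves describe vnc-tls as letting clients verify the server and vnc-x509-verify as the only option that authenticates the client, it is worth stating explicitly that vnc-tls alone, with vncpasswd empty and vnc-x509-verify off, still lets any VeNCrypt-capable client connect.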
diff --git a/tools/python/xen/xend/XendOptions.py b/tools/python/xen/xend/XendOptions.py
index 1c1177c945..8f2cca3b33 100644
--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -102,6 +102,15 @@ class XendOptions:
"""Default interface to listen for VNC connections on"""
xend_vnc_listen_default = '127.0.0.1'
+ """Use of TLS mode in QEMU VNC server"""
+ xend_vnc_tls = 0
+
+ """x509 certificate directory for QEMU VNC server"""
+ xend_vnc_x509_cert_dir = "/etc/xen/vnc"
+
+ """Verify incoming client x509 certs"""
+ xend_vnc_x509_verify = 0
+
"""Default session storage path."""
xend_domains_path_default = '/var/lib/xend/domains'
@@ -288,6 +297,16 @@ class XendOptions:
return None
+ def get_vnc_tls(self):
+ return self.get_config_string('vnc-tls', self.xend_vnc_tls)
+
+ def get_vnc_x509_cert_dir(self):
+ return self.get_config_string('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir)
+
+ def get_vnc_x509_verify(self):
+ return self.get_config_string('vnc-x509-verify', self.xend_vnc_x509_verify)
+
+
class XendOptionsFile(XendOptions):
"""Default path to the config file."""
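Review bot: get_vnc_tls and get_vnc_x509_verify read an on/off flag through get_config_string with an integer default, so a value set in xend-config.sxp presumably comes back as a string; every non-empty string is truthy in Python, including '0', so an admin who writes `(vnc-tls 0)` or `(vnc-x509-verify 0)` to record a disabled setting would in fact enable it when image.py tests the return value. For vnc-tls that means TLS is switched on for a host that may have no certificates, which ends in the VmError raised in image.py at every domain start. If XendOptions already offers a boolean accessor for its other flags (none is visible in this hunk), route these two through it, e.g. `return self.get_config_bool('vnc-tls', self.xend_vnc_tls)`; otherwise normalize the value here, e.g. `return str(self.get_config_string('vnc-tls', self.xend_vnc_tls)).lower() in ('1', 'yes', 'true')`, and do the same for vnc-x509-verify.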
diff --git a/tools/python/xen/xend/image.py b/tools/python/xen/xend/image.py
index b319703140..f84d0dca7d 100644
--- a/tools/python/xen/xend/image.py
+++ b/tools/python/xen/xend/image.py
@@ -17,7 +17,7 @@
#============================================================================
-import os, string
+import os, os.path, string
import re
import math
import time
@@ -227,6 +227,19 @@ class ImageHandler:
else:
log.debug("No VNC passwd configured for vfb access")
+ if XendOptions.instance().get_vnc_tls():
+ vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
+ vncx509verify = XendOptions.instance().get_vnc_x509_verify()
+
+ if not os.path.exists(vncx509certdir):
+ raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)
+
+ if vncx509verify:
+ vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
+ else:
+ vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
+
+
vnclisten = vnc_config.get('vnclisten',
XendOptions.instance().get_vnclisten_address())
vncdisplay = vnc_config.get('vncdisplay', 0)
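Review bot: The only validation before TLS is switched on is os.path.exists on the certificate directory; the files the example xend-config.sxp in this same commit documents as required (ca-cert.pem, server-cert.pem, server-key.pem) are never checked, so a half-configured host passes this guard and presumably fails later inside the device model with a far less useful error. Checking isdir plus each expected file here turns that into an actionable VmError at domain start, which is also the point where an admin is looking. Separately, the directory path is spliced verbatim into a comma-separated option string, so a path containing a comma would be mis-parsed by whatever consumes vncopts; since the value is admin-controlled this is low risk, but it is worth either rejecting such paths or noting the restriction in the config comment. The enclosing method starts before this hunk and continues after it.
```python
if XendOptions.instance().get_vnc_tls():
    vncx509certdir = XendOptions.instance().get_vnc_x509_cert_dir()
    vncx509verify = XendOptions.instance().get_vnc_x509_verify()

    if not os.path.isdir(vncx509certdir):
        raise VmError("VNC x509 certificate dir %s does not exist" % vncx509certdir)
    # The files the example xend-config.sxp documents as required; fail
    # here with a clear message rather than deep inside the device model.
    for certfile in ('ca-cert.pem', 'server-cert.pem', 'server-key.pem'):
        if not os.path.isfile(os.path.join(vncx509certdir, certfile)):
            raise VmError("VNC x509 file %s not found in %s" % (certfile, vncx509certdir))
    # ... unchanged: tls / x509 / x509verify option assembly ...
```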