Changeset 58383 in vbox

Timestamp:

Oct 23, 2015 9:24:16 AM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

103617

Message:

Main: an option to use VRDE auth library from VBoxSVC (not enabled)

Location:

trunk/src/VBox/Main

Files:

• Makefile.kmk (modified) (4 diffs)
• idl/VirtualBox.xidl (modified) (2 diffs)
• include/ConsoleImpl.h (modified) (1 diff)
• include/ConsoleVRDPServer.h (modified) (1 diff)
• include/MachineImpl.h (modified) (4 diffs)
• src-client/ConsoleVRDPServer.cpp (modified) (5 diffs)
• src-server/MachineImpl.cpp (modified) (4 diffs)

trunk/src/VBox/Main/Makefile.kmk

@@ -346 +346 @@
 VBoxSVC_SOURCES = \
         $(VBoxAPIWrap_0_OUTDIR)/VBoxAPI.d \
+        src-all/AuthLibrary.cpp \
         src-all/DisplayPNGUtil.cpp \
         src-all/DisplayResampleImage.cpp \
@@ -652 +653 @@
         $(if $(VBOX_WITH_EXTPACK),VBOX_WITH_EXTPACK,) \
         $(if $(VBOX_WITH_PCI_PASSTHROUGH),VBOX_WITH_PCI_PASSTHROUGH,) \
+        $(if $(VBOX_WITH_VRDEAUTH_IN_VBOXSVC),VBOX_WITH_VRDEAUTH_IN_VBOXSVC,) \
         $(if $(VBOX_WITH_VPX),VBOX_WITH_VPX,)
 ifdef VBOX_WITH_CRHGSMI
@@ -726 +728 @@
 VBoxC_SOURCES = \
         $(VBoxAPIWrap_0_OUTDIR)/VBoxAPI.d \
-        src-all/AuthLibrary.cpp \
         src-all/DisplayPNGUtil.cpp \
         src-all/DisplayResampleImage.cpp \
@@ -813 +814 @@
         src-client/EbmlWriter.cpp \
         src-client/VideoRec.cpp
+endif
+ifndef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
+ VBoxC_SOURCES += \
+        src-all/AuthLibrary.cpp
 endif
 

trunk/src/VBox/Main/idl/VirtualBox.xidl

@@ -3601 +3601 @@
   <interface
     name="IInternalMachineControl" extends="$unknown"
-    uuid="ec36f437-ad4d-4512-94dd-f4c568143aa7"
+    uuid="cdbc59df-4f4d-4cf2-809c-917601355afc"
     internal="yes"
     wsmap="suppress"
@@ -3923 +3923 @@
       <param name="vmNetTx" type="unsigned long" dir="in">
         <desc>Network transmit rate for VM.</desc>
+      </param>
+    </method>
+
+    <method name="authenticateExternal">
+      <desc>
+        Verify credentials using the external auth library.
+      </desc>
+      <param name="authParams" type="wstring" dir="in" safearray="yes">
+        <desc>
+          The auth parameters, credentials, etc.
+        </desc>
+      </param>
+      <param name="result" type="wstring" dir="out">
+        <desc>
+          The authentification result.
+        </desc>
       </param>
     </method>

trunk/src/VBox/Main/include/ConsoleImpl.h

@@ -979 +979 @@
 
     friend struct VMTask;
+    friend class ConsoleVRDPServer;
 };
 

trunk/src/VBox/Main/include/ConsoleVRDPServer.h

@@ -245 +245 @@
 #endif /* VBOX_WITH_USB */
 
+#ifndef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
     /* External authentication library context. The library is loaded in the
      * Authenticate method and unloaded at the object destructor.
      */
     AUTHLIBRARYCONTEXT mAuthLibCtx;
+#endif
 
     uint32_t volatile mu32AudioInputClientId;

trunk/src/VBox/Main/include/MachineImpl.h

@@ -19 +19 @@
 #define ____H_MACHINEIMPL
 
+#include "AuthLibrary.h"
 #include "VirtualBoxBase.h"
 #include "SnapshotImpl.h"
@@ -1260 +1261 @@
                                ULONG aVmNetRx,
                                ULONG aVmNetTx);
+    HRESULT authenticateExternal(const std::vector<com::Utf8Str> &aAuthParams,
+                                 com::Utf8Str &aResult);
 };
 
@@ -1408 +1411 @@
                                ULONG aVmNetRx,
                                ULONG aVmNetTx);
+    HRESULT authenticateExternal(const std::vector<com::Utf8Str> &aAuthParams,
+                                 com::Utf8Str &aResult);
 
 
@@ -1510 +1515 @@
 
     int miNATNetworksStarted;
+
+    AUTHLIBRARYCONTEXT mAuthLibCtx;
 };
 

trunk/src/VBox/Main/src-client/ConsoleVRDPServer.cpp

@@ -1362 +1362 @@
     mVRDPBindPort = -1;
 
+#ifndef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
     RT_ZERO(mAuthLibCtx);
+#endif
 
     mu32AudioInputClientId = 0;
@@ -3004 +3006 @@
     }
 
+#ifndef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
     AuthLibUnload(&mAuthLibCtx);
+#endif
 }
 
@@ -3124 +3128 @@
 
 AuthResult ConsoleVRDPServer::Authenticate(const Guid &uuid, AuthGuestJudgement guestJudgement,
-                                                const char *pszUser, const char *pszPassword, const char *pszDomain,
-                                                uint32_t u32ClientId)
+                                           const char *pszUser, const char *pszPassword, const char *pszDomain,
+                                           uint32_t u32ClientId)
 {
     LogFlowFunc(("uuid = %RTuuid, guestJudgement = %d, pszUser = %s, pszPassword = %s, pszDomain = %s, u32ClientId = %d\n",
                  uuid.raw(), guestJudgement, pszUser, pszPassword, pszDomain, u32ClientId));
 
+    AuthResult result = AuthResultAccessDenied;
+
+#ifdef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
+    try
+    {
+        /* Init auth parameters. Order is important. */
+        SafeArray<BSTR> authParams;
+        Bstr("VRDEAUTH"          ).detachTo(authParams.appendedRaw());
+        Bstr(uuid.toUtf16()      ).detachTo(authParams.appendedRaw());
+        BstrFmt("%u", guestJudgement).detachTo(authParams.appendedRaw());
+        Bstr(pszUser             ).detachTo(authParams.appendedRaw());
+        Bstr(pszPassword         ).detachTo(authParams.appendedRaw());
+        Bstr(pszDomain           ).detachTo(authParams.appendedRaw());
+        BstrFmt("%u", u32ClientId).detachTo(authParams.appendedRaw());
+
+        Bstr authResult;
+        HRESULT hr = mConsole->mControl->AuthenticateExternal(ComSafeArrayAsInParam(authParams),
+                                                              authResult.asOutParam());
+        LogFlowFunc(("%Rhrc [%ls]\n", hr, authResult.raw()));
+
+        size_t cbPassword = RTUtf16Len((PRTUTF16)authParams[4]) * sizeof(RTUTF16);
+        if (cbPassword)
+            RTMemWipeThoroughly(authParams[4], cbPassword, 10 /* cPasses */);
+
+        if (SUCCEEDED(hr) && authResult == "granted")
+            result = AuthResultAccessGranted;
+    }
+    catch (std::bad_alloc)
+    {
+    }
+#else
     /*
      * Called only from VRDP input thread. So thread safety is not required.
@@ -3155 +3190 @@
     }
 
-    AuthResult result = AuthLibAuthenticate(&mAuthLibCtx,
-                                            uuid.raw(), guestJudgement,
-                                            pszUser, pszPassword, pszDomain,
-                                            u32ClientId);
+    result = AuthLibAuthenticate(&mAuthLibCtx,
+                                 uuid.raw(), guestJudgement,
+                                 pszUser, pszPassword, pszDomain,
+                                 u32ClientId);
+#endif /* !VBOX_WITH_VRDEAUTH_IN_VBOXSVC */
 
     switch (result)
@@ -3186 +3222 @@
              uuid.raw(), u32ClientId));
 
+#ifdef VBOX_WITH_VRDEAUTH_IN_VBOXSVC
+    try
+    {
+        /* Init auth parameters. Order is important. */
+        SafeArray<BSTR> authParams;
+        Bstr("VRDEAUTHDISCONNECT").detachTo(authParams.appendedRaw());
+        Bstr(uuid.toUtf16()      ).detachTo(authParams.appendedRaw());
+        BstrFmt("%u", u32ClientId).detachTo(authParams.appendedRaw());
+
+        Bstr authResult;
+        HRESULT hr = mConsole->mControl->AuthenticateExternal(ComSafeArrayAsInParam(authParams),
+                                                              authResult.asOutParam());
+        LogFlowFunc(("%Rhrc [%ls]\n", hr, authResult.raw())); NOREF(hr);
+    }
+    catch (std::bad_alloc)
+    {
+    }
+#else
     AuthLibDisconnect(&mAuthLibCtx, uuid.raw(), u32ClientId);
+#endif /* !VBOX_WITH_VRDEAUTH_IN_VBOXSVC */
 }
 

trunk/src/VBox/Main/src-server/MachineImpl.cpp

@@ -12332 +12332 @@
     HRESULT rc = S_OK;
 
+    RT_ZERO(mAuthLibCtx);
+
     /* create the machine client token */
     try
@@ -12679 +12681 @@
     unconst(mParent) = NULL;
     unconst(mPeer) = NULL;
+
+    AuthLibUnload(&mAuthLibCtx);
 
     LogFlowThisFuncLeave();
@@ -13549 +13553 @@
 }
 
+HRESULT SessionMachine::authenticateExternal(const std::vector<com::Utf8Str> &aAuthParams,
+                                             com::Utf8Str &aResult)
+{
+    AutoWriteLock alock(this COMMA_LOCKVAL_SRC_POS);
+
+    HRESULT hr = S_OK;
+
+    if (aAuthParams[0] == "VRDEAUTH" && aAuthParams.size() == 7)
+    {
+        enum VRDEAuthParams
+        {
+           parmUuid = 1,
+           parmGuestJudgement,
+           parmUser,
+           parmPassword,
+           parmDomain,
+           parmClientId
+        };
+
+        AuthResult result = AuthResultAccessDenied;
+
+        if (!mAuthLibCtx.hAuthLibrary)
+        {
+            /* Load the external authentication library. */
+            Bstr authLibrary;
+            mVRDEServer->COMGETTER(AuthLibrary)(authLibrary.asOutParam());
+
+            Utf8Str filename = authLibrary;
+
+            int rc = AuthLibLoad(&mAuthLibCtx, filename.c_str());
+            if (RT_FAILURE(rc))
+            {
+                hr = setError(E_FAIL,
+                              tr("Could not load the external authentication library '%s' (%Rrc)"),
+                              filename.c_str(), rc);
+            }
+        }
+
+        if (SUCCEEDED(hr))
+        {
+            Guid uuid(aAuthParams[parmUuid]);
+            AuthGuestJudgement guestJudgement = (AuthGuestJudgement)aAuthParams[parmGuestJudgement].toUInt32();
+            uint32_t u32ClientId = aAuthParams[parmClientId].toUInt32();
+
+            result = AuthLibAuthenticate(&mAuthLibCtx,
+                                         uuid.raw(), guestJudgement,
+                                         aAuthParams[parmUser].c_str(),
+                                         aAuthParams[parmPassword].c_str(),
+                                         aAuthParams[parmDomain].c_str(),
+                                         u32ClientId);
+        }
+
+        /* Hack: aAuthParams[parmPassword] is const but the code believes in writable memory. */
+        size_t cbPassword = aAuthParams[parmPassword].length();
+        if (cbPassword)
+        {
+            RTMemWipeThoroughly((void *)aAuthParams[parmPassword].c_str(), cbPassword, 10 /* cPasses */);
+            memset((void *)aAuthParams[parmPassword].c_str(), 'x', cbPassword);
+        }
+
+        if (result == AuthResultAccessGranted)
+            aResult = "granted";
+        else
+            aResult = "denied";
+
+        LogRel(("AUTH: VRDE authentification for user '%s' result '%s'\n",
+                aAuthParams[parmUser].c_str(), aResult.c_str()));
+    }
+    else if (aAuthParams[0] == "VRDEAUTHDISCONNECT" && aAuthParams.size() == 3)
+    {
+        enum VRDEAuthDisconnectParams
+        {
+           parmUuid = 1,
+           parmClientId
+        };
+
+        Guid uuid(aAuthParams[parmUuid]);
+        uint32_t u32ClientId = 0;
+        AuthLibDisconnect(&mAuthLibCtx, uuid.raw(), u32ClientId);
+    }
+    else
+    {
+        hr = E_INVALIDARG;
+    }
+
+    return hr;
+}
+
 // public methods only for internal purposes
 /////////////////////////////////////////////////////////////////////////////
@@ -14779 +14871 @@
 }
 
+HRESULT Machine::authenticateExternal(const std::vector<com::Utf8Str> &aAuthParams,
+                                             com::Utf8Str &aResult)
+{
+    NOREF(aAuthParams);
+    NOREF(aResult);
+    ReturnComNotImplemented();
+}
+
 HRESULT Machine::applyDefaults(const com::Utf8Str &aFlags)
 {